sharpetronics/strongswan
1
0
Fork 0
mirror of https://github.com/strongswan/strongswan.git synced 2025-10-05 00:00:45 -04:00
Code Issues Projects Releases Wiki Activity
17,728 Commits 101 Branches 327 Tags
Commit Graph

17728 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Andreas Steffen
a05dfdc3ff Version bump to 6.0dr5 6.0dr5 2020-12-08 10:22:03 +01:00
Andreas Steffen
60acf6d635 test-vectors: No changes for Saber KE NIST Round 3 tests 2020-12-08 10:22:03 +01:00
Andreas Steffen
b61384a726 oqs: Support for HQC key exchange algorithm 2020-12-07 15:27:36 +01:00
Andreas Steffen
ecd11f4e7e test-vectors: Upgraded Kyber KE tests to NIST Round 3 2020-12-07 13:32:56 +01:00
Andreas Steffen
680b0c57a6 test-vectors: Upgraded NTRU KE tests to NIST Round 3 2020-12-07 13:32:56 +01:00
Andreas Steffen
3920dd2d01 scripts: Fixed NIST KAT scripts 2020-12-07 13:32:56 +01:00
Andreas Steffen
626bb3a74d Version bump to 6.0dr4 2020-12-07 13:32:56 +01:00
Andreas Steffen
b543779df8 oqs: Support of Falcon signature algorithms 2020-12-07 13:32:56 +01:00
Andreas Steffen
b7d59aea45 oqs: Complete post-quantum signature support 2020-12-07 13:32:56 +01:00
Andreas Steffen
a063ed27ef ntru: Removed legacy NTRU key exchange method 2020-12-07 13:32:56 +01:00
Andreas Steffen
f93e11dcc3 newhope: Removed legacy Newhope key exchange method 2020-12-07 13:32:56 +01:00
Andreas Steffen
27ce834d59 bliss: Removed legacy BLISS signatures 2020-12-07 13:32:56 +01:00
Andreas Steffen
b644e19147 Version bump to 6.0dr3 2020-12-07 13:32:56 +01:00
Andreas Steffen
03f09be502 oqs: Added signature tests 2020-12-07 13:32:56 +01:00
Andreas Steffen
d94e34d86f scripts: Added nist_sig_kat script 2020-12-07 13:32:56 +01:00
Andreas Steffen
551ff1604e oqs: Postponed freeing of kem object 2020-12-07 13:32:56 +01:00
Andreas Steffen
49afc2ddeb oqs: Support of Dilithium signature algorithms 2020-12-07 13:32:56 +01:00
Andreas Steffen
efdf9f151b Version bump to 6.0dr2 2020-12-07 13:32:56 +01:00
Andreas Steffen
8d9620e05e Version bump to 6.0dr1 2020-12-07 13:32:56 +01:00
Andreas Steffen
f87adab953 oqs: Update to NIST round 3 KEM candidates 2020-12-07 13:32:56 +01:00
Andreas Steffen
e4c4d37241 oqs: Removed BIKE round 1 version including test vectors 2020-12-07 13:32:56 +01:00
Andreas Steffen
5bbc92fa6c testing: Added swanctl/rw-cert-qske scenario 2020-12-07 13:32:56 +01:00
Andreas Steffen
801613bf8d wip: ikev2: Change multi-KE codepoints for testing 2020-12-07 13:32:56 +01:00
Andreas Steffen
9325489241 vici: List additional key exchanges 
Co-authored-by: Tobias Brunner <tobias@strongswan.org>
 2020-12-07 13:32:56 +01:00
Andreas Steffen
5296a25c8d frodo: FrodoKEM KE method 2020-12-07 13:32:56 +01:00
Andreas Steffen
9ebbcc4be0 oqs: Added post-quantum KEM methods based on liboqs 2020-12-07 13:32:56 +01:00
Andreas Steffen
c7dd2ef715 nist_kem_kat: Added script formating NIST KEM KAT records into ke_test vectors 2020-12-07 13:32:56 +01:00
Andreas Steffen
a6e9489d6e test-vectors: Added NIST KEM test vectors 2020-12-07 13:32:56 +01:00
Andreas Steffen
6a37ff01d1 key-exchange: Joint ke_test_vector format for DH and KEM 
Both Diffie-Hellman (DH) and Key Encapsulation Mechanism (KEM) based
key exchange methods use a common ke_test_vector format. The
set_seed() function is used to provide deterministic private key
material for the crypto tests.
 2020-12-07 13:32:56 +01:00
Andreas Steffen
d05e72eed5 key-exchange: Added NIST round 2 submission KEM candidates 2020-12-07 13:32:56 +01:00
Tobias Brunner
aad8af60a5 wip: ike-init: Indicate support for IKE_INTERMEDIATE 
wip: Not strictly necessary. I guess we should also add some checks if
the notify was not received.
 2020-12-07 13:32:56 +01:00
Tobias Brunner
198ba8f259 proposal: Add helper to check if additional key exchanges are contained 2020-12-07 13:32:56 +01:00
Tobias Brunner
c63899f9b5 proposal: Accept NONE for additional key exchanges also for IKE proposals 2020-12-07 13:32:56 +01:00
Tobias Brunner
2894ed17cc unit-tests: Add tests for CHILD_SA rekeying with multiple key exchanges 2020-12-07 13:32:56 +01:00
Tobias Brunner
c74fdd936b unit-tests: Add tests for CHILD_SA creation with multiple key exchanges 2020-12-07 13:32:56 +01:00
Tobias Brunner
6d0fea7c8e unit-tests: Tests for additional key exchanges 2020-12-07 13:32:56 +01:00
Tobias Brunner
23402b29f3 unit-tests: Support multiple proposals in exchange tests 2020-12-07 13:32:56 +01:00
Tobias Brunner
bf7b64e6da unit-tests: Hand out an actual shared secret in mock KE implementation 
Makes key derivation a bit more realistic.
 2020-12-07 13:32:56 +01:00
Tobias Brunner
55ab7e1949 proposal: Add prefix for additional key exchanges when logging proposals 2020-12-07 13:32:56 +01:00
Tobias Brunner
9aff25ad47 key-exchange: Add dynamic parser for additional key exchange methods 2020-12-07 13:32:56 +01:00
Tobias Brunner
e7ffc02292 child-rekey: Support CHILD_SA rekeying with multiple key exchanges 2020-12-07 13:32:51 +01:00
Tobias Brunner
187c2bb6ea child-sa: Cache and forward actual initiator flag for outbound SA 
Kernel interfaces (e.g. TKM) might rely on this flag to be correct.
 2020-12-07 13:28:34 +01:00
Tobias Brunner
2f6eb395bc unit-tests: Fix CHILD_SA rekey tests after INVALID_KE_PAYLOAD handling changes 
The responder doesn't create a CHILD_SA and allocate an SPI anymore
when responding with an INVALID_KE_PAYLOAD notify.
 2020-12-07 13:28:34 +01:00
Tobias Brunner
87b2ed3ce7 child-create: Add support for multiple key exchanges 2020-12-07 13:28:34 +01:00
Tobias Brunner
e93cde6ea6 ike-rekey: Support IKE_SA rekeying with multiple key exchanges 2020-12-07 13:28:34 +01:00
Tobias Brunner
9e8418f050 ikev2: Send deletes also for rekeyed SAs 
This way we can use the IKE_REKEYED state for both redundant and old SAs
to suppress ike_updown().

In the ike-delete task we don't suppress events in state IKE_REKEYING as
that's the case when we delete an SA the peer is currently rekeying with
multiple key exchanges.
 2020-12-07 13:28:34 +01:00
Tobias Brunner
350f1a81f6 ikev2: Let ike/child-rekey tasks indicate if the passive task was adopted 
This gives us more flexibility with tasks that return NEED_MORE (currently
none of the colliding tasks do, but that will change with multi-KE
rekeyings).  The active task has to check itself if the passive task is
done and should be removed from the task manager.
 2020-12-07 13:28:34 +01:00
Tobias Brunner
bbbdc8fb68 ike-rekey: Remove collision task type checks 
Since f67199378df9 ("ike-rekey: Handle undetected collisions also if
delete is delayed") we only ever track tasks of type TASK_IKE_REKEY, so
there is no need to check the type or use the generic task_t interface.

Also changed some of the comments to clarify collision handling.
 2020-12-07 13:28:34 +01:00
Tobias Brunner
09f4f7fcb8 ike-rekey: Don't actively rekey already rekeyed SAs 
If the peer successfully rekeyed the SA it gets marked as IKE_REKEYED
and it remains until the peer deletes it (or a timeout).  There is no
point in rekeying such SAs again.

IKE_REKEYING will be relevant if we have multi-KE rekeyings and are
waiting for followup key exchanges for a passive rekeying.
 2020-12-07 13:28:34 +01:00
Tobias Brunner
a63cfb9785 ike-init: Ignore COOKIE payloads during rekeying 
This ensures that process_i() only returns NEED_MORE due to multiple
key exchanges or an INVALID_KE_PAYLOAD notify.
 2020-12-07 13:28:34 +01:00