sharpetronics/strongswan
1
0
Fork 0
mirror of https://github.com/strongswan/strongswan.git synced 2025-10-05 00:00:45 -04:00
Code Issues Projects Releases Wiki Activity
18,109 Commits 101 Branches 327 Tags
Commit Graph

18109 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Tobias Brunner
b6ed732c3c ike-auth: Calculate and collect IntAuth for IKE_INTERMEDIATE exchanges 2021-12-31 17:50:22 +01:00
Tobias Brunner
97ba080a24 pubkey-authenticator: Handle IntAuth data 2021-12-31 17:50:22 +01:00
Tobias Brunner
ad7a5b3141 psk-authenticator: Handle IntAuth data 2021-12-31 17:50:22 +01:00
Tobias Brunner
eb8ab8bbba eap-authenticator: Handle IntAuth data 2021-12-31 17:50:22 +01:00
Tobias Brunner
ea86c65290 keymat_v2: Include optional IntAuth in signed octets 2021-12-31 17:50:22 +01:00
Tobias Brunner
140228a271 authenticator: Add optional method to set IntAuth data 2021-12-31 17:50:22 +01:00
Tobias Brunner
8c52556ca3 message: Add method to generate data to authenticate IKE_INTERMEDIATE exchanges 2021-12-31 17:50:22 +01:00
Tobias Brunner
55d2e10c57 generator: Make pointer to length field optional 
Only useful if we generate an IKE header.
 2021-12-31 17:50:22 +01:00
Tobias Brunner
8836eb472e message: Fix payload type in last unprotected payload of a fragmented message 2021-12-31 17:50:22 +01:00
Tobias Brunner
6c23a531d3 keymat_v2: Add method to calculate IntAuth for IKE_INTERMEDIATE exchanges 2021-12-31 17:50:22 +01:00
Tobias Brunner
1c6ce56333 ike-rekey: Reset IKE_SA after processing CREATE_CHILD_SA request 
This probably didn't cause any problems, as there wasn't really anything
happening between the calls, but reset it anyway, just to be safe.
 2021-12-31 17:50:22 +01:00
Tobias Brunner
1aad6a5ffe ikev2: Allow tasks to do work after processing requests/responses 2021-12-31 17:50:22 +01:00
Tobias Brunner
e9b6057f19 task: Add optional post_process() method 
This will allows tasks to do some work after a message has been
processed.
 2021-12-31 17:50:22 +01:00
Tobias Brunner
36cec38f22 ikev2: Allow tasks to do work after generating requests/responses 2021-12-31 17:50:22 +01:00
Tobias Brunner
79ef080811 task: Add optional post_build() method 
This will allow tasks to do some work after the message has been
generated.
 2021-12-31 17:50:22 +01:00
Tobias Brunner
8f390372bc ike-auth: Support IKE_INTERMEDIATE exchange between IKE_SA_INIT and IKE_AUTH 2021-12-31 17:50:22 +01:00
Tobias Brunner
ee72206d23 child-create: Support IKE_INTERMEDIATE exchange between IKE_SA_INIT and IKE_AUTH 2021-12-31 17:50:22 +01:00
Tobias Brunner
a8494b7d7c ike-mobike: Support IKE_INTERMEDIATE exchange between IKE_SA_INIT and IKE_AUTH 
This changes the MID of the first IKE_AUTH message.
 2021-12-31 17:50:22 +01:00
Tobias Brunner
a06da8a526 ike-config: Support IKE_INTERMEDIATE exchange between IKE_SA_INIT and IKE_AUTH 
This changes the MID of the first IKE_AUTH message.
 2021-12-31 17:50:22 +01:00
Tobias Brunner
7030cc7b7f ike-cert-post: Make absolutely sure certificates are only added to IKE_AUTH 
The AUTH payload check should be fine, but add some extra checks just to make
really sure and also for clarification.
 2021-12-31 17:50:22 +01:00
Tobias Brunner
8372508d32 ike-cert-pre: Support IKE_INTERMEDIATE exchange between IKE_SA_INIT and IKE_AUTH 
The first IKE_AUTH does not have MID 1 if that's the case.
 2021-12-31 17:50:22 +01:00
Tobias Brunner
8cf3206979 status: Add return_need_more() utility function 2021-12-31 17:50:22 +01:00
Tobias Brunner
8454d094d4 message: Add rules for IKE_FOLLOWUP_KE exchanges 2021-12-31 17:50:22 +01:00
Tobias Brunner
c2f5b7ade8 wip: ike-header: Add IKE_FOLLOWUP_KE exchange type 2021-12-31 17:50:22 +01:00
Tobias Brunner
a6c2589402 message: Add rules for IKE_INTERMEDIATE exchanges 2021-12-31 17:50:22 +01:00
Tobias Brunner
5f724cd2d4 wip: ike-header: Add IKE_INTERMEDIATE exchange type 2021-12-31 17:50:22 +01:00
Tobias Brunner
91ac2f5eff wip: notify-payload: Add notify types for multiple key exchanges 2021-12-31 17:50:22 +01:00
Tobias Brunner
0577bd291d wip: notify-payload: Add notify type for IKE_INTERMEDIATE exchange 2021-12-31 17:50:22 +01:00
Tobias Brunner
473cbd84d0 proposal-substructure: Encode additional key exchange methods 2021-12-31 17:50:22 +01:00
Tobias Brunner
55515a5753 child-cfg: Add method to check if an algorithm is proposed 2021-12-31 17:50:22 +01:00
Tobias Brunner
0c7412391a child-cfg: Generalize get_ke_method() method 2021-12-31 17:50:22 +01:00
Tobias Brunner
d30f1a6418 ike-cfg: Generalize get_ke_method() method 2021-12-31 17:50:22 +01:00
Tobias Brunner
4fa84482e7 proposal: Generalize KE methods 2021-12-31 17:50:22 +01:00
Tobias Brunner
6d18b11e54 proposal: Make all key exchange transforms optional in ESP/AH proposals 2021-12-31 17:50:22 +01:00
Tobias Brunner
3741499149 proposal: Skip all KE transforms if PROPOSAL_SKIP_KE given 2021-12-31 17:50:22 +01:00
Tobias Brunner
1d9d4866ed transform: Add helper to check if transform type negotiates key exchange 2021-12-31 17:50:22 +01:00
Tobias Brunner
2d00ef745c transform: Add additional key exchange transform types 2021-12-31 17:50:22 +01:00
Andreas Steffen
558003d269 Rename MODP_NONE to KE_NONE 2021-12-31 17:50:22 +01:00
Tobias Brunner
94ab8e11c2 Rename diffie_hellman_t to key_exchange_t and change the interface etc. 
This makes it more generic so we can use it for QSKE methods.
 2021-12-31 17:50:22 +01:00
Andreas Steffen
36c64589d8 Version bump to 5.9.5dr4 5.9.5dr4 2021-12-31 14:46:31 +01:00
Andreas Steffen
903c68e069 sw-collector: Iterate through history logs 
The logrotate function causes the apt history to be split into
several parts at arbitrary points in time. If history.log only
is parsed then some package installation changes stored in
zipped backup history files might get lost.

Thus sw-collector now searches all backup history files until
a date older than the current event stored in the collector.db
database is found, so that no entries get overlooked.
 2021-12-31 14:33:22 +01:00
Andreas Steffen
0b76ca13ab libtpmtss: Some minor improvements 2021-12-19 13:50:07 +01:00
Andreas Steffen
dadcd9060e Version bump to 5.9.5dr3 5.9.5dr3 2021-12-11 16:39:34 +01:00
Andreas Steffen
8249e6afad libtpmtss: Establish session with TPM 2.0 
Using the trusted RSA or ECC Endorsement Key of the TPM 2.0 a
secure session is established via RSA public key encryption or
an ephemeral ECDH key exchange, respectively.

The session allows HMAC-based authenticated communication with
the TPM 2.0 and the exchanged parameters can be encrypted where
necessary to guarantee confidentiality.
 2021-12-11 16:21:59 +01:00
Tobias Brunner
b158c08c4b Merge branch 'openssl-providers' 
Optionally load the legacy provider in OpenSSL 3 (enabled, by default) to
make algorithms like MD4 and DES available, which we require for
EAP-MSCHAPv2.  Allow explicitly loading the fips provider via existing
fips_mode option.  The loaded providers, whether influenced by the above
options or not, are logged.

Closes strongswan/strongswan#759
 2021-12-08 11:34:46 +01:00
Tobias Brunner
910b7d1915 openssl: Log loaded providers 2021-12-08 11:34:22 +01:00
Tobias Brunner
3cd2e2ccc6 openssl: Make fips_mode option work with OpenSSL 3 2021-12-08 11:34:18 +01:00
Tobias Brunner
f556fce16b openssl: Load "legacy" provider in OpenSSL 3 for algorithms like MD4, DES etc. 
We still require these algorithms for e.g. EAP-MSCHAPv2, so the option is
enabled, by default.  To use other providers (e.g. fips or even custom
ones), the option can be disabled and the providers to load/activate can
be configured in openssl.cnf.  For instance, the following has the same
effect as enabling the option:

    openssl_conf = openssl_init

    [openssl_init]
    providers = providers

    [providers]
    default = activate
    legacy = activate

    [activate]
    activate = yes
 2021-12-08 11:34:13 +01:00
Tobias Brunner
8baa431501 Merge branch 'libtls-tests' 
Improves handling failures during unit tests of libtls and includes a
change for the openssl plugin so it only announces ECDH groups for which
the library provides the required ECC curve.

Closes strongswan/strongswan#752
 2021-12-08 11:33:32 +01:00
Tobias Brunner
46a6b06282 openssl: Only announce ECDH groups actually supported by OpenSSL 
Determined by whether the library provides curves for it or not.
For instance, in the OpenSSL 3 FIPS provider the Brainpool curves are
not included.  And in the Fedora package several weak curves are
explicitly patched out and the Brainpool curves are omitted even in
non-FIPS mode.
 2021-12-08 11:33:04 +01:00