16860 Commits

Author SHA1 Message Date
Tobias Brunner
b959532f68 scripts: Include botan in dh_speed.sh and pubkey_speed.sh
Also, using sudo is not necessary in dh_speed.sh.
2018-10-31 15:50:36 +01:00
Tobias Brunner
8b4c2a1d8e openssl: Fix some const issues with OpenSSL 1.1.0 2018-10-31 15:50:36 +01:00
Tobias Brunner
fd3947d9e5 openssl: Don't use functions deprecated with OpenSSL 1.1.0 2018-10-31 15:50:36 +01:00
Andreas Steffen
0e80eb235d Version bump to 5.7.2dr2 5.7.2dr2 2018-10-31 14:22:03 +01:00
Andreas Steffen
9be6dee6a4 botan: SHA-3 support 2018-10-30 16:06:15 +01:00
Tobias Brunner
ae271810dc Use Botan 2.8.0 for tests 2018-10-30 15:08:31 +01:00
Tobias Brunner
a29f70e4fb testing: Use AES-GCM for SSH connections
RC4, which was previously used for performance reasons, is not supported
anymore with newer versions of SSH (stretch still supports it, but it
requires explicit configuration on the guests when they act as clients
too - the version in Ubuntu 18.04 apparently doesn't support it anymore
at all).

AES-GCM should actually be faster (at least for larger amounts of data and
in particular with hardware acceleration).
2018-10-30 15:06:57 +01:00
Tobias Brunner
67fd36e884 testing: Avoid unnecessary rebuilds of components built from Git repos
Installing apparently changes the timestamp on the repo dir triggering make
to checkout and build the whole thing again.
2018-10-30 15:06:47 +01:00
Tobias Brunner
3a4372c1eb testing: Disable predictable network interface names assigned by systemd/udev 2018-10-30 15:06:33 +01:00
Tobias Brunner
3fbeeef908 testing: Remove unused custom OIDs from openssl.cnf files
ClientAuthentication is known in OpenSSL 1.1 and the redefinition, therefore,
causes an error.  These two OIDs are not used anyway in these config
files.
2018-10-30 15:03:34 +01:00
Andreas Steffen
e660f4579b testing: Fixed evaluation in swanctl/rw-cert-pss scenario 2018-10-27 08:47:57 +02:00
Andreas Steffen
f5565683b9 Version bump to 5.7.2dr1 5.7.2dr1 2018-10-26 18:47:48 +02:00
Andreas Steffen
534ab34df6 testing: Added botan/net2net-ed25519 scenario 2018-10-26 18:46:59 +02:00
Tobias Brunner
d1acfeec7b NEWS: Add some recent changes 2018-10-26 15:27:15 +02:00
Tobias Brunner
ce381883a1 dhcp: Ignore DHCP OFFER messages without assigned address
FreeRADIUS seems to respond that way if it can't allocate an address to
the client.
2018-10-26 11:26:50 +02:00
Tobias Brunner
6e9cfe9751 vici: Properly handle absence of peer ID on mediation connections
Fixes #2794.
2018-10-26 11:25:31 +02:00
Tobias Brunner
46bea1add9 task-manager-v2: Reject requests for incomplete IKE_SAs as initiator
Based on a patch by Thomas Egerer.
2018-10-26 11:22:08 +02:00
Tobias Brunner
a61b1a6ee4 mysql: Don't release the connection if transactions are still using it
Fixes #2779.
2018-10-26 11:18:43 +02:00
Tobias Brunner
6c641377c3 Merge branch 'botan-algos'
This adds wrappers for additional algorithms (Ed25519, ChaCha20/Poly1305,
AES-CCM) to the botan plugin and fixes some potential compile issues.
2018-10-26 11:11:04 +02:00
Tobias Brunner
147363c169 botan: Fix build without specific asymmetric crypto 2018-10-26 11:06:45 +02:00
Tobias Brunner
37ae912271 botan: Fix build without AES and its modes 2018-10-26 11:06:45 +02:00
Tobias Brunner
3f960e38a1 botan: Add support for AES-CCM 2018-10-26 11:06:45 +02:00
Tobias Brunner
b1ab9782e2 test-vectors: Add another ChaCha20/Poly1305 test vector from RFC 7539 2018-10-26 11:06:45 +02:00
Tobias Brunner
cb7b83017d botan: Add support for ChaCha20/Poly1305 AEAD algorithm 2018-10-26 11:06:45 +02:00
Tobias Brunner
4bcc4bacd4 botan: Add support for Ed25519 keys 2018-10-26 11:06:45 +02:00
Tobias Brunner
5cd24d26e2 botan: Add helper function for signature verification 2018-10-26 11:06:45 +02:00
Tobias Brunner
8d8e7a9c8b Merge branch 'ssh-eddsa'
This adds support for Ed25519/Ed448 SSH keys and their signatures via
agent plugin.
2018-10-26 11:04:37 +02:00
Tobias Brunner
8f23e64ee5 agent: Support signatures with Ed25519/Ed448 keys 2018-10-26 11:01:10 +02:00
Tobias Brunner
87dd08b139 sshkey: Support encoding Ed25519/Ed448 SSH public keys 2018-10-26 11:01:10 +02:00
Tobias Brunner
7de0729357 sshkey: Add support for parsing Ed25519/Ed448 SSH keys 2018-10-26 11:01:10 +02:00
Tobias Brunner
20f74adbae curve25519: Support loading Ed25519 public keys from simple blobs 2018-10-26 11:01:10 +02:00
Tobias Brunner
b982473a86 charon-cmd: Print plugin list before parsing arguments
Helps debugging e.g. failures to load certs/keys.
2018-10-26 11:01:10 +02:00
Tobias Brunner
64adacc3c6 Merge commit 'key-sig-schemes'
This adds the ability to return supported signature schemes (and
parameters) from a private key.

This is useful for keys on a TPM 2.0 as these can be used only with a
particular scheme (the hash algorithm and for RSA even the padding scheme
is fixed).  For RSA with PSS padding there is an additional complication
because different TPMs use different salt lengths, which we have to know
beforehand to correctly produce e.g. a certificate request (the signature
covers the algorithm identifier that describes the signature scheme).

It turned out that the new method is also useful for the agent plugin.
Newer ssh/gpg-agents support SHA-256 and SHA-512 for RSA signatures, but
not SHA-384, which we can now convey to the pubkey authenticator.
Unfortunately, older agents ignore the flags that request a SHA2 signature
and just return one with SHA-1; in such scenarios IKEv2 signature
authentication has to be disabled.
2018-10-26 10:59:38 +02:00
Tobias Brunner
153eb8199a agent: Enumerate only the supported signature schemes for RSA keys
SHA-384 is not supported but is selected by signature_schemes_for_key()
for keys between 3072 and 7680 bits.

Since this is only called for IKEv2 signature authentication we don't
even provide SHA-1 anymore.  We always provide both schemes, though,
which is what pubkey-authenticator does too for RSA.

Older agents apparently just ignore the flags and always return a SHA-1
signature.  If that's the case, charon.signature_authentication has to
be disabled.
2018-10-26 09:55:08 +02:00
Tobias Brunner
5e03675a19 agent: Add support for RSA signatures with SHA256 and SHA512 2018-10-26 09:55:07 +02:00
Andreas Steffen
1b510c0467 pubkey-authenticator: Append RSAPSS salt length to debug output 2018-10-26 09:55:07 +02:00
Tobias Brunner
7b46089ea7 travis: Build tmp2-tss from sources 2018-10-26 09:55:07 +02:00
Andreas Steffen
3150bd2b81 libtpmtss: Generalize AIK keys to signature keys 2018-10-26 09:55:07 +02:00
Andreas Steffen
526c5abd0f tpm: Check FIPS-140-2 and FIPS-186-4 compliance 2018-10-26 09:55:07 +02:00
Tobias Brunner
b158404c5f tpm: Return signature schemes supported by the key if TSS supports it 2018-10-26 09:03:27 +02:00
Tobias Brunner
7ca3b3daee libtpmtss: Add enumeration of supported signature schemes to TSS2 implementations 2018-10-26 09:03:27 +02:00
Tobias Brunner
532cd488e3 libtpmtss: TSS can optionally return signature schemes supported by a key 2018-10-26 09:03:26 +02:00
Tobias Brunner
ecfe67550d signature-params: Provide option for maximum RSA/PSS salt length
However, the length now has to be resolved early, so we don't operate on
the negative constant values e.g. when generating the encoding.
2018-10-26 09:03:26 +02:00
Tobias Brunner
dd4bd21c5a pki: Query private key for supported signature schemes 2018-10-26 09:03:26 +02:00
Tobias Brunner
b88f2b3815 pubkey-authenticator: Query private key for supported signature schemes 2018-10-26 09:03:09 +02:00
Tobias Brunner
1c4738325d private-key: Add optional method that returns supported signature schemes 2018-10-25 17:21:32 +02:00
Tobias Brunner
9b5b55b026 Merge branch 'openssl-keyid'
Closes strongswan/strongswan#116.
2018-10-24 10:07:49 +02:00
ambiso
6b3dfe9c38 openssl: Remove extra semicolon 2018-10-24 09:49:25 +02:00
ambiso
b9e45b5b4a openssl: Remove arbitrary keyid length check 2018-10-24 09:49:18 +02:00
ambiso
b148517c6b openssl: Fix invalid keyid length check
Check was designed for base64 conversion; however, a hex conversion is
being performed, which requires more memory.
2018-10-24 09:48:56 +02:00