18200 Commits

Author SHA1 Message Date
Tobias Brunner
5aa4ba7f22 keymat_v2: Proper cleanup if derive_ike_keys() is called multiple times 2022-03-14 10:19:07 +01:00
Tobias Brunner
dbc411a772 ike-sa-manager: Log SPIs when checking in an IKE_SA 2022-03-14 10:19:07 +01:00
Tobias Brunner
d983d3de8b ikev2: Use hashes to detect retransmits
We avoid parsing messages with unexpected message IDs.  This allows us to
process and detect retransmits of messages for which we don't have the keys
anymore (i.e. IKE_INTERMEDIATE after IKE_SA_INIT and changing the keys).

This also changes how retransmits for fragmented messages are triggered,
previously we waited for all fragments and reconstructed the message
before retransmitting the response.  Now we only track the first
fragment and if we receive a retransmit of it respond immediately
without waiting for other fragments (which are now ignored).  This is in
compliance with RFC 7383, section 2.6.1.
2022-03-14 10:19:07 +01:00
Tobias Brunner
2518ff8e02 ike-auth: Calculate and collect IntAuth for IKE_INTERMEDIATE exchanges 2022-03-14 10:19:07 +01:00
Tobias Brunner
c830756f7d pubkey-authenticator: Handle IntAuth data 2022-03-14 10:19:07 +01:00
Tobias Brunner
fd2bc92201 psk-authenticator: Handle IntAuth data 2022-03-14 10:19:07 +01:00
Tobias Brunner
6ed497c4f5 eap-authenticator: Handle IntAuth data 2022-03-14 10:19:07 +01:00
Tobias Brunner
4a4cd569e5 keymat_v2: Include optional IntAuth in signed octets 2022-03-14 10:19:07 +01:00
Tobias Brunner
33fd1cc6a4 authenticator: Add optional method to set IntAuth data 2022-03-14 10:19:07 +01:00
Tobias Brunner
ebe2cd2958 message: Add method to generate data to authenticate IKE_INTERMEDIATE exchanges 2022-03-14 10:19:07 +01:00
Tobias Brunner
55ff82eb5a generator: Make pointer to length field optional
Only useful if we generate an IKE header.
2022-03-14 10:19:07 +01:00
Tobias Brunner
26f1544e21 message: Fix payload type in last unprotected payload of a fragmented message 2022-03-14 10:19:07 +01:00
Tobias Brunner
dfc7d18659 keymat_v2: Add method to calculate IntAuth for IKE_INTERMEDIATE exchanges 2022-03-14 10:19:07 +01:00
Tobias Brunner
f9fe0f4e9b ike-rekey: Reset IKE_SA after processing CREATE_CHILD_SA request
This probably didn't cause any problems, as there wasn't really anything
happening between the calls, but reset it anyway, just to be safe.
2022-03-14 10:19:07 +01:00
Tobias Brunner
8cd146d296 ikev2: Allow tasks to do work after processing requests/responses 2022-03-14 10:19:07 +01:00
Tobias Brunner
abafe33c68 task: Add optional post_process() method
This will allow tasks to do some work after a message has been
processed.
2022-03-14 10:19:07 +01:00
Tobias Brunner
5807d1d5df ikev2: Allow tasks to do work after generating requests/responses 2022-03-14 10:19:07 +01:00
Tobias Brunner
cba4cd90cc task: Add optional post_build() method
This will allow tasks to do some work after the message has been
generated.
2022-03-14 10:19:07 +01:00
Tobias Brunner
03467858f3 ike-auth: Support IKE_INTERMEDIATE exchange between IKE_SA_INIT and IKE_AUTH 2022-03-14 10:19:07 +01:00
Tobias Brunner
03d7d011b6 child-create: Support IKE_INTERMEDIATE exchange between IKE_SA_INIT and IKE_AUTH 2022-03-14 10:19:07 +01:00
Tobias Brunner
97adf79ea3 ike-mobike: Support IKE_INTERMEDIATE exchange between IKE_SA_INIT and IKE_AUTH
This changes the MID of the first IKE_AUTH message.
2022-03-14 10:19:07 +01:00
Tobias Brunner
484b01c621 ike-config: Support IKE_INTERMEDIATE exchange between IKE_SA_INIT and IKE_AUTH
This changes the MID of the first IKE_AUTH message.
2022-03-14 10:19:07 +01:00
Tobias Brunner
698bdabbee ike-cert-post: Make absolutely sure certificates are only added to IKE_AUTH
The AUTH payload check should be fine, but add some extra checks just to make
really sure and also for clarification.
2022-03-14 10:19:07 +01:00
Tobias Brunner
f72ff67446 ike-cert-pre: Support IKE_INTERMEDIATE exchange between IKE_SA_INIT and IKE_AUTH
The first IKE_AUTH does not have MID 1 if that's the case.
2022-03-14 10:19:07 +01:00
Tobias Brunner
d4ca8caf47 status: Add return_need_more() utility function 2022-03-14 10:19:07 +01:00
Tobias Brunner
f5e3c857f9 message: Add rules for IKE_FOLLOWUP_KE exchanges 2022-03-14 10:19:07 +01:00
Tobias Brunner
fc8d3c4672 wip: ike-header: Add IKE_FOLLOWUP_KE exchange type 2022-03-14 10:19:07 +01:00
Tobias Brunner
6fbd251d52 message: Add rules for IKE_INTERMEDIATE exchanges 2022-03-14 10:19:07 +01:00
Tobias Brunner
c61b3c677c wip: ike-header: Add IKE_INTERMEDIATE exchange type 2022-03-14 10:19:07 +01:00
Tobias Brunner
020e838a5a wip: notify-payload: Add notify types for multiple key exchanges 2022-03-14 10:19:07 +01:00
Tobias Brunner
555b0d78ed wip: notify-payload: Add notify type for IKE_INTERMEDIATE exchange 2022-03-14 10:19:07 +01:00
Tobias Brunner
087c535c01 proposal-substructure: Encode additional key exchange methods 2022-03-14 10:19:07 +01:00
Tobias Brunner
f84435520e child-cfg: Add method to check if an algorithm is proposed 2022-03-14 10:19:06 +01:00
Tobias Brunner
3a66faf6cf child-cfg: Generalize get_ke_method() method 2022-03-14 10:19:06 +01:00
Tobias Brunner
b55d287f7e ike-cfg: Generalize get_ke_method() method 2022-03-14 10:19:06 +01:00
Tobias Brunner
2c97aad469 proposal: Generalize KE methods 2022-03-14 10:19:06 +01:00
Tobias Brunner
f33bcfc333 proposal: Make all key exchange transforms optional in ESP/AH proposals 2022-03-14 10:19:06 +01:00
Tobias Brunner
db1755ba36 proposal: Skip all KE transforms if PROPOSAL_SKIP_KE given 2022-03-14 10:19:06 +01:00
Tobias Brunner
6506bed9f8 transform: Add helper to check if transform type negotiates key exchange 2022-03-14 10:19:06 +01:00
Tobias Brunner
7e0dbced49 transform: Add additional key exchange transform types 2022-03-14 10:19:06 +01:00
Andreas Steffen
ce9283be73 Rename MODP_NONE to KE_NONE 2022-03-14 10:19:06 +01:00
Tobias Brunner
d8f61d6338 Rename diffie_hellman_t to key_exchange_t and change the interface etc.
This makes it more generic so we can use it for QSKE methods.
2022-03-14 10:19:06 +01:00
Tobias Brunner
c8045f86a3 testing: Increase memory on winnetou even more 2022-03-01 10:10:37 +01:00
Tobias Brunner
2ade4311bc tls-server: Use correct error alerts if client doesn't send a certificate
TLS 1.3 defines a specific alert for this and for TLS 1.2, RFC 5246,
section 7.4.6 defines handshake_failure as correct response.
2022-03-01 10:05:26 +01:00
Tobias Brunner
3eecd40cec openssl: Don't unload providers
There is a conflict between atexit() handlers registered by OpenSSL and
some executables (e.g. swanctl or pki) to deinitialize libstrongswan.
Because plugins are usually loaded after atexit() has been called, the
handler registered by OpenSSL will run before our handler.  So when the
latter destroys the plugins it's a bad idea to try to access any OpenSSL
objects as they might already be invalid.

Fixes: f556fce16b60 ("openssl: Load "legacy" provider in OpenSSL 3 for algorithms like MD4, DES etc.")
Closes strongswan/strongswan#921
2022-02-24 15:03:09 +01:00
Tobias Brunner
e69438450f Use wolfSSL 5.2.0 for tests 2022-02-22 09:35:01 +01:00
Tobias Brunner
9e3978259e mgf1: Fix Doxygen group for XOF implementation 2022-02-17 16:34:56 +01:00
Tobias Brunner
963adc7637 xof: Fix typo in documentation for set_seed() 2022-02-17 16:34:56 +01:00
Tobias Brunner
eccfd27f03 tls-peer: Simplify identity check for server certificate
has_subject() already matches the identity against the subject DN and
all the SANs (it actually already did when this check was added with
c81147998619 ("Strictly check if the server certificate matches the TLS
server identity")).
2022-02-15 16:54:39 +01:00
Tobias Brunner
42704f6a61 tls-test: Add option to specify a specific remote identity 2022-02-15 16:54:39 +01:00