Tobias Brunner
f62b942d6a
Use wolfSSL 5.3.0 for tests
2022-05-06 12:03:48 +02:00
Tobias Brunner
af9c78d393
plugin-loader: Print an error message if plugin constructor is not found
2022-05-06 12:02:45 +02:00
Tobias Brunner
4de8b81dea
keymat_v2: Fix error message if KDF can't be created
Fixes: f619b833accf ("keymat_v2: Use plugin-provided KDF_PRF to derive SKEYSEED")
References strongswan/strongswan#1026
2022-05-06 11:45:10 +02:00
Tobias Brunner
cc094c30d1
testing: Fix 'unsafe repository' error when accessing Git repository
A recent security fix for Git added a fatal error if the directory that
contains the .git directory is not owned by the user that runs git in
that directory tree:
Determine strongSwan version fatal: unsafe repository ('...' is owned by someone else)
To avoid this, we call the git commands as owner of the source
directory (the script has to run as root, so this is no problem).
The user/group ID and name is now also determined via `stat(1)` so it
directly depends on the actual source dir and should work even when not
using sudo.
2022-05-02 11:09:14 +02:00
Tobias Brunner
d23c0ea81e
enum: Fix compiler warning
Closes strongswan/strongswan#1025
2022-05-02 09:31:49 +02:00
Andreas Steffen
4cf8cd0321
Version bump to 5.9.6
5.9.6
2022-04-28 22:38:10 +02:00
Tobias Brunner
c9d471091f
Use mallinfo2() if available
mallinfo() is deprecated because it uses `int` for the members of the
returned struct, whereas mallinfo2() uses `size_t`. It's available
since glibc 2.33.
2022-04-25 14:16:20 +02:00
Tobias Brunner
8ce4105fca
NEWS: Add news for 5.9.6
2022-04-22 10:55:55 +02:00
Tobias Brunner
a6a0fa980f
tls-crypto: Initialize cipher suites arrays to avoid warnings
2022-04-22 09:49:37 +02:00
Tobias Brunner
352fa96dfc
gcrypt: Initialize variables when en-/decrypting with RSA to avoid warnings
2022-04-22 09:49:37 +02:00
Tobias Brunner
2283a19b80
kdf: Fix Doxygen comments
2022-04-22 09:49:37 +02:00
Tobias Brunner
c508b904b8
openssl: Fix typo in comment
2022-04-21 11:06:30 +02:00
Tobias Brunner
f4d6539b49
ikev2: Maintain labels during make-before-break reauthentication
2022-04-20 14:45:41 +02:00
Tobias Brunner
312437bf6a
github: Use run_number instead of run_id as external-id for LGTM
The external-id parameter takes an int32 and the generated run_id was
apparently not valid lately, resulting in undocumented 404 errors when
submitting patches (the API endpoint probably doesn't like negative numbers
because the last accepted id was 2059658094, rejected ids were e.g.
2167472705 or 2168792083).
2022-04-19 18:28:38 +02:00
Andreas Steffen
7df710095e
Version bump to 5.9.6rc1
5.9.6rc1
2022-04-16 10:23:35 +02:00
Tobias Brunner
9aa7e126b2
Merge branch 'openssl-3.0'
This provides compatibility changes for OpenSSL 3.0.
2022-04-14 19:06:12 +02:00
Tobias Brunner
a5cfa57134
github: Add a build against OpenSSL 3.0
2022-04-14 19:05:45 +02:00
Tobias Brunner
76ff49b761
unit-tests: Add environment variable to skip IPv6 stream tests
This is an issue e.g. when running tests in default Docker containers.
2022-04-14 19:05:45 +02:00
Tobias Brunner
7d99b29b99
unit-tests: Add support for more than one warning per test case
Warnings are usually short (as compared to failures that contain data
dumps), so the buffer size can be reduced.
2022-04-14 19:05:44 +02:00
Tobias Brunner
a8bab0ee15
openssl: Move ENGINE-specific code into a separate file
This way we can compile it with OPENSSL_SUPPRESS_DEPRECATED for
OpenSSL 3.0, which deprecated the ENGINE API.
2022-04-14 19:05:44 +02:00
Tobias Brunner
f26639de2c
openssl: Remove checks and legacy compatibility code for OpenSSL < 1.0.2
More of this code was already removed with previous commits.
While versions < 1.1.1 are not officially supported anymore, 1.0.2 might
still be in use because before 3.x that was the latest version with
official FIPS support (OpenSSL apparently also provides extended commercial
support for it).
2022-04-14 19:05:44 +02:00
Tobias Brunner
db0c53c207
openssl: Fixes for HMAC with OpenSSL 3.0
2022-04-14 19:05:44 +02:00
Tobias Brunner
293a912c7d
openssl: Fixes for ECDSA with OpenSSL 3.0
2022-04-14 19:05:44 +02:00
Tobias Brunner
be0ce6db93
configure: Move pkcs8 plugin after plugins that can parse PKCS#8 directly
With such plugins we only need the pkcs8 plugin to load encrypted files.
2022-04-14 19:05:44 +02:00
Tobias Brunner
544fb1cf92
pkcs8: Parse the decrypted PKCS#8 structure via regular builders
This allows other plugins to parse such structures directly. The pkcs8
plugin is called recursively again if necessary.
2022-04-14 19:05:44 +02:00
Tobias Brunner
21b586c61c
openssl: Fixes for RSA with OpenSSL 3.0
2022-04-14 19:05:44 +02:00
Tobias Brunner
36cf74f5d9
openssl: Fixes for DH with OpenSSL 3.0
While we could assign the DH object to an EVP_PKEY object, this won't work
with BoringSSL as it doesn't seem to support EVP_PKEY_derive() for DH.
2022-04-14 19:05:44 +02:00
Tobias Brunner
f5710c9ccb
openssl: Fixes for ECDH with OpenSSL 3.0
Uses new and non-deprecated APIs to create/generate key pairs.
2022-04-14 19:05:44 +02:00
Tobias Brunner
13efce489e
openssl: PRF_KEYED_SHA1 might not be supported
The old API has been deprecated with OpenSSL 3 and direct access to the
state isn't possible via EVP API. In the future we might just remove this
implementation but we'd probably have to implement EAP-AKA' first, which
uses HMAC-SHA-256 with IKEv2's prf+ construct to derive keys instead
of this weird construct (plus what fips-prf builds around it) that's used
by EAP-AKA.
2022-04-14 19:05:44 +02:00
Tobias Brunner
519bc22091
leak-detective: Whitelist OpenSSL 3.0 functions
2022-04-14 19:05:44 +02:00
Tobias Brunner
1c1213f4b6
openssl: Move shared secret calculation to get_shared_secret()
This is a change from the multi-KE branch.
2022-04-14 19:05:44 +02:00
Tobias Brunner
94a3563c68
Merge branch 'ikev2-kdf-modularization'
This modularizes the IKEv2 key derivation, which makes certification (e.g.
FIPS) easier because it allows the two steps (PRF/prf+) to be implemented
by already certified third-party libraries.
For the existing third-party libraries, the two KDFs are implemented via
the respective library's HKDF implementation. A generic implementation,
based on existing PRFs, is provided by the new kdf plugin.
2022-04-14 19:03:03 +02:00
Tobias Brunner
f619b833ac
keymat_v2: Use plugin-provided KDF_PRF to derive SKEYSEED
2022-04-14 19:02:56 +02:00
Tobias Brunner
743b486118
unit-tests: Hand out an actual shared secret and pubkey in mock KE implementation
Makes this a bit more realistic and makes key derivation via OpenSSL's
HKDF work during tests.
2022-04-14 19:02:56 +02:00
Tobias Brunner
56afc6e298
wolfssl: Implement HMAC-based IKEv2 PRFs via wolfSSL's HKDF implementation
2022-04-14 19:02:56 +02:00
Tobias Brunner
7498769aba
botan: Implement HMAC-based IKEv2 PRFs via Botan's HKDF implementation
2022-04-14 19:02:56 +02:00
Tobias Brunner
e0fc786ecd
openssl: Implement HMAC-based IKEv2 PRFs via OpenSSL's HKDF implementation
2022-04-14 19:02:56 +02:00
Tobias Brunner
0339ce34f6
kdf: Implement wrapper for IKEv2 PRFs
2022-04-14 19:02:56 +02:00
Tobias Brunner
ad0e94b6ed
test-vectors: Add vectors for HMAC-based IKEv2 PRFs
2022-04-14 19:02:56 +02:00
Tobias Brunner
37dbc87960
crypto: Add new KDF type for IKEv2 PRFs
2022-04-14 19:02:56 +02:00
Tobias Brunner
7bde56a9bc
crypto: Adapt kdf_t interface to support KDFs with fixed output length
2022-04-14 19:02:56 +02:00
Tobias Brunner
96c7692661
wolfssl: Implement prf+ via wolfSSL's HKDF implementation
2022-04-14 19:02:56 +02:00
Tobias Brunner
cb8f924051
botan: Implement prf+ via Botan's HKDF implementation
2022-04-14 19:02:56 +02:00
Tobias Brunner
f535f1ed53
crypto: Remove unused prf_plus_t
2022-04-14 19:02:56 +02:00
Tobias Brunner
f0957d1250
kdf: Implement prf+ directly without relying on prf_plus_t
2022-04-14 19:02:56 +02:00
Tobias Brunner
9cb3c10418
keymat_v1: Derive CHILD_SA keys without using prf_plus_t
We already expand skeyid_e in a similar fashion so do this analogously
without relying on prf_plus_t.
2022-04-14 19:02:56 +02:00
Tobias Brunner
be07b9dc01
unit-tests: Use plugin-provided prf+ in unit test
This tests the params API and the counter overflow.
2022-04-14 19:02:56 +02:00
Tobias Brunner
df16d7902a
tls-hkdf: Use plugin-provided prf+
2022-04-14 19:02:56 +02:00
Tobias Brunner
7161c87617
keymat_v2: Use plugin-provided prf+ to derive keys
2022-04-14 19:02:56 +02:00
Tobias Brunner
08e31138bd
appveyor: Enable kdf plugin on old images with OpenSSL 1.0.2/1.1.0
HKDF with expand-only mode is only available since OpenSSL 1.1.1.
2022-04-14 19:02:56 +02:00