Merge branch 'vici-alerts'

Exposes alerts via vici protocol.

Closes strongswan/strongswan#2894

.appveyor.yml

@@ -30,8 +30,8 @@ install:
       IF "%IMG%" == "2019" set OPENSSL=OpenSSL-v111
       set OPENSSL_DIR=/c/%OPENSSL%-%TEST%
       C:\%OPENSSL%-%TEST%\bin\openssl.exe version -a
-  # newer versions of msys2 don't provide autotools via base-devel anymore
-  - IF "%IMG%" == "2019" %MSYS_SH% --login -c ". /etc/profile && pacman --noconfirm -S --needed autotools"
+  # newer versions of msys2 don't provide autotools or gperf via base-devel anymore
+  - IF "%IMG%" == "2019" %MSYS_SH% --login -c ". /etc/profile && pacman --noconfirm -S --needed autotools gperf"
 
 build_script:
   - '%MSYS_SH% --login -c ". /etc/profile && cd $APPVEYOR_BUILD_FOLDER && ./scripts/test.sh deps"'

.cirrus.yml

@@ -1,11 +1,11 @@
-task:
+freebsd_task:
   matrix:
-    - name: FreeBSD 13.0
+    - name: FreeBSD 14.2
       freebsd_instance:
-        image_family: freebsd-13-0
-    - name: FreeBSD 12.3
+        image_family: freebsd-14-2
+    - name: FreeBSD 13.4
       freebsd_instance:
-        image_family: freebsd-12-3
+        image_family: freebsd-13-4
 
   env:
     TESTS_REDUCED_KEYLENGTHS: yes
@@ -16,3 +16,18 @@ task:
 
   install_script: ./scripts/test.sh deps
   script: ./scripts/test.sh
+
+alpine_task:
+  container:
+    image: alpine:latest
+
+  env:
+    TESTS_REDUCED_KEYLENGTHS: yes
+    TESTS_NO_IPV6: yes
+    LEAK_DETECTIVE: no
+    MONOLITHIC: no
+    TEST: alpine
+    OS_NAME: alpine
+
+  install_script: ./scripts/test.sh deps
+  script: ./scripts/test.sh

.codecov.yml

@@ -1,3 +1,3 @@
 ignore:
-  - "*/suites/*"
-  - "*/tests/*"
+  - "**/suites/"
+  - "**/tests/"

.github/ISSUE_TEMPLATE/bug_report.md

@@ -2,6 +2,7 @@
 name: "🐛 Bug report"
 about: Report a reproducible bug or regression
 labels: bug, new
+type: Bug
 ---
 
 <!--

.github/ISSUE_TEMPLATE/feature_request.md

@@ -2,6 +2,7 @@
 name: Feature request
 about: Suggest an idea for this project
 labels: enhancement, new
+type: Feature
 ---
 
 <!--

.github/actions/default/action.yml

@@ -5,9 +5,6 @@ runs:
     - name: "Install Dependencies"
       run: ./scripts/test.sh deps
       shell: bash
-    - name: "Install Python Dependencies"
-      run: ./scripts/test.sh pydeps
-      shell: bash
     - name: "Build Dependencies"
       run: ./scripts/test.sh build-deps
       shell: bash

.github/active-transforms/botan

@@ -0,0 +1,102 @@
+AES_ECB[botan]
+AES_ECB[botan]
+AES_ECB[botan]
+AES_CBC[botan]
+AES_CBC[botan]
+AES_CBC[botan]
+AES_CFB[botan]
+AES_CFB[botan]
+AES_CFB[botan]
+AES_GCM_16[botan]
+AES_GCM_16[botan]
+AES_GCM_16[botan]
+AES_GCM_12[botan]
+AES_GCM_12[botan]
+AES_GCM_12[botan]
+AES_GCM_8[botan]
+AES_GCM_8[botan]
+AES_GCM_8[botan]
+AES_CCM_16[botan]
+AES_CCM_16[botan]
+AES_CCM_16[botan]
+AES_CCM_12[botan]
+AES_CCM_12[botan]
+AES_CCM_12[botan]
+AES_CCM_8[botan]
+AES_CCM_8[botan]
+AES_CCM_8[botan]
+CHACHA20_POLY1305[botan]
+HMAC_SHA1_96[botan]
+HMAC_SHA1_96[hmac]
+HMAC_SHA1_128[botan]
+HMAC_SHA1_128[hmac]
+HMAC_SHA1_160[botan]
+HMAC_SHA1_160[hmac]
+HMAC_SHA2_256_128[botan]
+HMAC_SHA2_256_128[hmac]
+HMAC_SHA2_256_256[botan]
+HMAC_SHA2_256_256[hmac]
+HMAC_SHA2_384_192[botan]
+HMAC_SHA2_384_192[hmac]
+HMAC_SHA2_384_384[botan]
+HMAC_SHA2_384_384[hmac]
+HMAC_SHA2_512_256[botan]
+HMAC_SHA2_512_256[hmac]
+HMAC_SHA2_512_512[botan]
+HMAC_SHA2_512_512[hmac]
+HMAC_MD5_96[hmac]
+HMAC_MD5_128[hmac]
+HASH_MD5[botan]
+HASH_SHA1[botan]
+HASH_SHA2_224[botan]
+HASH_SHA2_256[botan]
+HASH_SHA2_384[botan]
+HASH_SHA2_512[botan]
+HASH_SHA3_224[botan]
+HASH_SHA3_256[botan]
+HASH_SHA3_384[botan]
+HASH_SHA3_512[botan]
+HASH_IDENTITY[botan]
+PRF_HMAC_SHA1[botan]
+PRF_HMAC_SHA1[hmac]
+PRF_HMAC_SHA2_256[botan]
+PRF_HMAC_SHA2_256[hmac]
+PRF_HMAC_SHA2_384[botan]
+PRF_HMAC_SHA2_384[hmac]
+PRF_HMAC_SHA2_512[botan]
+PRF_HMAC_SHA2_512[hmac]
+PRF_HMAC_MD5[hmac]
+KDF_PRF[botan]
+KDF_PRF_PLUS[botan]
+DRBG_CTR_AES256[drbg]
+DRBG_CTR_AES128[drbg]
+DRBG_CTR_AES192[drbg]
+DRBG_HMAC_SHA1[drbg]
+DRBG_HMAC_SHA256[drbg]
+DRBG_HMAC_SHA384[drbg]
+DRBG_HMAC_SHA512[drbg]
+RNG_WEAK[botan]
+RNG_STRONG[botan]
+RNG_TRUE[botan]
+MODP_3072[botan]
+MODP_4096[botan]
+MODP_6144[botan]
+MODP_8192[botan]
+MODP_2048[botan]
+MODP_2048_224[botan]
+MODP_2048_256[botan]
+MODP_1536[botan]
+MODP_1024[botan]
+MODP_1024_160[botan]
+MODP_768[botan]
+MODP_CUSTOM[botan]
+ECP_256[botan]
+ECP_384[botan]
+ECP_521[botan]
+ECP_256_BP[botan]
+ECP_384_BP[botan]
+ECP_512_BP[botan]
+CURVE_25519[botan]
+ML_KEM_512[botan]
+ML_KEM_768[botan]
+ML_KEM_1024[botan]

.github/active-transforms/gcrypt

@@ -0,0 +1,81 @@
+AES_CTR[gcrypt]
+AES_CTR[gcrypt]
+AES_CTR[gcrypt]
+AES_CBC[gcrypt]
+AES_CBC[gcrypt]
+AES_CBC[gcrypt]
+AES_ECB[gcrypt]
+AES_ECB[gcrypt]
+AES_ECB[gcrypt]
+AES_CFB[gcrypt]
+AES_CFB[gcrypt]
+AES_CFB[gcrypt]
+BLOWFISH_CBC[gcrypt]
+CAMELLIA_CTR[gcrypt]
+CAMELLIA_CTR[gcrypt]
+CAMELLIA_CTR[gcrypt]
+CAMELLIA_CBC[gcrypt]
+CAMELLIA_CBC[gcrypt]
+CAMELLIA_CBC[gcrypt]
+CAST_CBC[gcrypt]
+3DES_CBC[gcrypt]
+DES_CBC[gcrypt]
+DES_ECB[gcrypt]
+SERPENT_CBC[gcrypt]
+SERPENT_CBC[gcrypt]
+SERPENT_CBC[gcrypt]
+TWOFISH_CBC[gcrypt]
+TWOFISH_CBC[gcrypt]
+AES_GCM_8[gcm]
+AES_GCM_8[gcm]
+AES_GCM_8[gcm]
+AES_GCM_12[gcm]
+AES_GCM_12[gcm]
+AES_GCM_12[gcm]
+AES_GCM_16[gcm]
+AES_GCM_16[gcm]
+AES_GCM_16[gcm]
+HMAC_SHA1_96[hmac]
+HMAC_SHA1_128[hmac]
+HMAC_SHA1_160[hmac]
+HMAC_MD5_96[hmac]
+HMAC_MD5_128[hmac]
+HMAC_SHA2_256_128[hmac]
+HMAC_SHA2_256_256[hmac]
+HMAC_SHA2_384_192[hmac]
+HMAC_SHA2_384_384[hmac]
+HMAC_SHA2_512_256[hmac]
+HMAC_SHA2_512_512[hmac]
+HASH_MD4[gcrypt]
+HASH_MD5[gcrypt]
+HASH_SHA1[gcrypt]
+HASH_SHA2_224[gcrypt]
+HASH_SHA2_256[gcrypt]
+HASH_SHA2_384[gcrypt]
+HASH_SHA2_512[gcrypt]
+HASH_IDENTITY[curve25519]
+PRF_HMAC_SHA1[hmac]
+PRF_HMAC_MD5[hmac]
+PRF_HMAC_SHA2_256[hmac]
+PRF_HMAC_SHA2_384[hmac]
+PRF_HMAC_SHA2_512[hmac]
+KDF_PRF[kdf]
+KDF_PRF_PLUS[kdf]
+RNG_WEAK[gcrypt]
+RNG_STRONG[gcrypt]
+RNG_STRONG[random]
+RNG_TRUE[gcrypt]
+RNG_TRUE[random]
+MODP_3072[gcrypt]
+MODP_4096[gcrypt]
+MODP_6144[gcrypt]
+MODP_8192[gcrypt]
+MODP_2048[gcrypt]
+MODP_2048_224[gcrypt]
+MODP_2048_256[gcrypt]
+MODP_1536[gcrypt]
+MODP_1024[gcrypt]
+MODP_1024_160[gcrypt]
+MODP_768[gcrypt]
+MODP_CUSTOM[gcrypt]
+CURVE_25519[curve25519]

.github/active-transforms/openssl

@@ -0,0 +1,108 @@
+AES_ECB[openssl]
+AES_ECB[openssl]
+AES_ECB[openssl]
+AES_CBC[openssl]
+AES_CBC[openssl]
+AES_CBC[openssl]
+AES_CTR[openssl]
+AES_CTR[openssl]
+AES_CTR[openssl]
+AES_CFB[openssl]
+AES_CFB[openssl]
+AES_CFB[openssl]
+CAMELLIA_CBC[openssl]
+CAMELLIA_CBC[openssl]
+CAMELLIA_CBC[openssl]
+CAMELLIA_CTR[openssl]
+CAMELLIA_CTR[openssl]
+CAMELLIA_CTR[openssl]
+CAST_CBC[openssl]
+BLOWFISH_CBC[openssl]
+3DES_CBC[openssl]
+DES_CBC[openssl]
+DES_ECB[openssl]
+NULL[openssl]
+AES_GCM_16[openssl]
+AES_GCM_16[openssl]
+AES_GCM_16[openssl]
+AES_GCM_12[openssl]
+AES_GCM_12[openssl]
+AES_GCM_12[openssl]
+AES_GCM_8[openssl]
+AES_GCM_8[openssl]
+AES_GCM_8[openssl]
+AES_CCM_16[openssl]
+AES_CCM_16[openssl]
+AES_CCM_16[openssl]
+AES_CCM_12[openssl]
+AES_CCM_12[openssl]
+AES_CCM_12[openssl]
+AES_CCM_8[openssl]
+AES_CCM_8[openssl]
+AES_CCM_8[openssl]
+CHACHA20_POLY1305[openssl]
+HMAC_MD5_96[openssl]
+HMAC_MD5_128[openssl]
+HMAC_SHA1_96[openssl]
+HMAC_SHA1_128[openssl]
+HMAC_SHA1_160[openssl]
+HMAC_SHA2_256_128[openssl]
+HMAC_SHA2_256_256[openssl]
+HMAC_SHA2_384_192[openssl]
+HMAC_SHA2_384_384[openssl]
+HMAC_SHA2_512_256[openssl]
+HMAC_SHA2_512_512[openssl]
+HASH_MD4[openssl]
+HASH_MD5[openssl]
+HASH_SHA1[openssl]
+HASH_SHA2_224[openssl]
+HASH_SHA2_256[openssl]
+HASH_SHA2_384[openssl]
+HASH_SHA2_512[openssl]
+HASH_SHA3_224[openssl]
+HASH_SHA3_256[openssl]
+HASH_SHA3_384[openssl]
+HASH_SHA3_512[openssl]
+HASH_IDENTITY[openssl]
+PRF_KEYED_SHA1[openssl]
+PRF_HMAC_MD5[openssl]
+PRF_HMAC_SHA1[openssl]
+PRF_HMAC_SHA2_256[openssl]
+PRF_HMAC_SHA2_384[openssl]
+PRF_HMAC_SHA2_512[openssl]
+XOF_SHAKE128[openssl]
+XOF_SHAKE256[openssl]
+KDF_PRF[openssl]
+KDF_PRF_PLUS[openssl]
+DRBG_CTR_AES256[drbg]
+DRBG_CTR_AES128[drbg]
+DRBG_CTR_AES192[drbg]
+DRBG_HMAC_SHA1[drbg]
+DRBG_HMAC_SHA256[drbg]
+DRBG_HMAC_SHA384[drbg]
+DRBG_HMAC_SHA512[drbg]
+RNG_WEAK[openssl]
+RNG_STRONG[openssl]
+MODP_3072[openssl]
+MODP_4096[openssl]
+MODP_6144[openssl]
+MODP_8192[openssl]
+MODP_2048[openssl]
+MODP_2048_224[openssl]
+MODP_2048_256[openssl]
+MODP_1536[openssl]
+MODP_1024[openssl]
+MODP_1024_160[openssl]
+MODP_768[openssl]
+MODP_CUSTOM[openssl]
+ECP_256[openssl]
+ECP_384[openssl]
+ECP_521[openssl]
+ECP_224[openssl]
+ECP_192[openssl]
+ECP_256_BP[openssl]
+ECP_384_BP[openssl]
+ECP_512_BP[openssl]
+ECP_224_BP[openssl]
+CURVE_25519[openssl]
+CURVE_448[openssl]

.github/active-transforms/openssl-3

@@ -0,0 +1,111 @@
+AES_ECB[openssl]
+AES_ECB[openssl]
+AES_ECB[openssl]
+AES_CBC[openssl]
+AES_CBC[openssl]
+AES_CBC[openssl]
+AES_CTR[openssl]
+AES_CTR[openssl]
+AES_CTR[openssl]
+AES_CFB[openssl]
+AES_CFB[openssl]
+AES_CFB[openssl]
+CAMELLIA_CBC[openssl]
+CAMELLIA_CBC[openssl]
+CAMELLIA_CBC[openssl]
+CAMELLIA_CTR[openssl]
+CAMELLIA_CTR[openssl]
+CAMELLIA_CTR[openssl]
+CAST_CBC[openssl]
+BLOWFISH_CBC[openssl]
+3DES_CBC[openssl]
+DES_CBC[openssl]
+DES_ECB[openssl]
+NULL[openssl]
+AES_GCM_16[openssl]
+AES_GCM_16[openssl]
+AES_GCM_16[openssl]
+AES_GCM_12[openssl]
+AES_GCM_12[openssl]
+AES_GCM_12[openssl]
+AES_GCM_8[openssl]
+AES_GCM_8[openssl]
+AES_GCM_8[openssl]
+AES_CCM_16[openssl]
+AES_CCM_16[openssl]
+AES_CCM_16[openssl]
+AES_CCM_12[openssl]
+AES_CCM_12[openssl]
+AES_CCM_12[openssl]
+AES_CCM_8[openssl]
+AES_CCM_8[openssl]
+AES_CCM_8[openssl]
+CHACHA20_POLY1305[openssl]
+HMAC_MD5_96[openssl]
+HMAC_MD5_128[openssl]
+HMAC_SHA1_96[openssl]
+HMAC_SHA1_128[openssl]
+HMAC_SHA1_160[openssl]
+HMAC_SHA2_256_128[openssl]
+HMAC_SHA2_256_256[openssl]
+HMAC_SHA2_384_192[openssl]
+HMAC_SHA2_384_384[openssl]
+HMAC_SHA2_512_256[openssl]
+HMAC_SHA2_512_512[openssl]
+HASH_MD4[openssl]
+HASH_MD5[openssl]
+HASH_SHA1[openssl]
+HASH_SHA2_224[openssl]
+HASH_SHA2_256[openssl]
+HASH_SHA2_384[openssl]
+HASH_SHA2_512[openssl]
+HASH_SHA3_224[openssl]
+HASH_SHA3_256[openssl]
+HASH_SHA3_384[openssl]
+HASH_SHA3_512[openssl]
+HASH_IDENTITY[openssl]
+PRF_KEYED_SHA1[openssl]
+PRF_HMAC_MD5[openssl]
+PRF_HMAC_SHA1[openssl]
+PRF_HMAC_SHA2_256[openssl]
+PRF_HMAC_SHA2_384[openssl]
+PRF_HMAC_SHA2_512[openssl]
+XOF_SHAKE128[openssl]
+XOF_SHAKE256[openssl]
+KDF_PRF[openssl]
+KDF_PRF_PLUS[openssl]
+DRBG_CTR_AES256[drbg]
+DRBG_CTR_AES128[drbg]
+DRBG_CTR_AES192[drbg]
+DRBG_HMAC_SHA1[drbg]
+DRBG_HMAC_SHA256[drbg]
+DRBG_HMAC_SHA384[drbg]
+DRBG_HMAC_SHA512[drbg]
+RNG_WEAK[openssl]
+RNG_STRONG[openssl]
+MODP_3072[openssl]
+MODP_4096[openssl]
+MODP_6144[openssl]
+MODP_8192[openssl]
+MODP_2048[openssl]
+MODP_2048_224[openssl]
+MODP_2048_256[openssl]
+MODP_1536[openssl]
+MODP_1024[openssl]
+MODP_1024_160[openssl]
+MODP_768[openssl]
+MODP_CUSTOM[openssl]
+ML_KEM_512[openssl]
+ML_KEM_768[openssl]
+ML_KEM_1024[openssl]
+ECP_256[openssl]
+ECP_384[openssl]
+ECP_521[openssl]
+ECP_224[openssl]
+ECP_192[openssl]
+ECP_256_BP[openssl]
+ECP_384_BP[openssl]
+ECP_512_BP[openssl]
+ECP_224_BP[openssl]
+CURVE_25519[openssl]
+CURVE_448[openssl]

.github/active-transforms/openssl-awslc

@@ -0,0 +1,98 @@
+AES_ECB[openssl]
+AES_ECB[openssl]
+AES_ECB[openssl]
+AES_CBC[openssl]
+AES_CBC[openssl]
+AES_CBC[openssl]
+AES_CTR[openssl]
+AES_CTR[openssl]
+AES_CTR[openssl]
+AES_CFB[openssl]
+AES_CFB[openssl]
+AES_CFB[openssl]
+BLOWFISH_CBC[openssl]
+3DES_CBC[openssl]
+DES_CBC[openssl]
+DES_ECB[openssl]
+NULL[openssl]
+AES_GCM_16[openssl]
+AES_GCM_16[openssl]
+AES_GCM_16[openssl]
+AES_GCM_12[openssl]
+AES_GCM_12[openssl]
+AES_GCM_12[openssl]
+AES_GCM_8[openssl]
+AES_GCM_8[openssl]
+AES_GCM_8[openssl]
+AES_CCM_16[openssl]
+AES_CCM_16[openssl]
+AES_CCM_16[openssl]
+AES_CCM_12[openssl]
+AES_CCM_12[openssl]
+AES_CCM_12[openssl]
+AES_CCM_8[openssl]
+AES_CCM_8[openssl]
+AES_CCM_8[openssl]
+CHACHA20_POLY1305[openssl]
+HMAC_MD5_96[openssl]
+HMAC_MD5_128[openssl]
+HMAC_SHA1_96[openssl]
+HMAC_SHA1_128[openssl]
+HMAC_SHA1_160[openssl]
+HMAC_SHA2_256_128[openssl]
+HMAC_SHA2_256_256[openssl]
+HMAC_SHA2_384_192[openssl]
+HMAC_SHA2_384_384[openssl]
+HMAC_SHA2_512_256[openssl]
+HMAC_SHA2_512_512[openssl]
+HASH_MD4[openssl]
+HASH_MD5[openssl]
+HASH_SHA1[openssl]
+HASH_SHA2_224[openssl]
+HASH_SHA2_256[openssl]
+HASH_SHA2_384[openssl]
+HASH_SHA2_512[openssl]
+HASH_SHA3_224[openssl]
+HASH_SHA3_256[openssl]
+HASH_SHA3_384[openssl]
+HASH_SHA3_512[openssl]
+HASH_IDENTITY[openssl]
+PRF_KEYED_SHA1[openssl]
+PRF_HMAC_MD5[openssl]
+PRF_HMAC_SHA1[openssl]
+PRF_HMAC_SHA2_256[openssl]
+PRF_HMAC_SHA2_384[openssl]
+PRF_HMAC_SHA2_512[openssl]
+XOF_SHAKE128[openssl]
+XOF_SHAKE256[openssl]
+KDF_PRF[openssl]
+KDF_PRF_PLUS[openssl]
+DRBG_CTR_AES256[drbg]
+DRBG_CTR_AES128[drbg]
+DRBG_CTR_AES192[drbg]
+DRBG_HMAC_SHA1[drbg]
+DRBG_HMAC_SHA256[drbg]
+DRBG_HMAC_SHA384[drbg]
+DRBG_HMAC_SHA512[drbg]
+RNG_WEAK[openssl]
+RNG_STRONG[openssl]
+MODP_3072[openssl]
+MODP_4096[openssl]
+MODP_6144[openssl]
+MODP_8192[openssl]
+MODP_2048[openssl]
+MODP_2048_224[openssl]
+MODP_2048_256[openssl]
+MODP_1536[openssl]
+MODP_1024[openssl]
+MODP_1024_160[openssl]
+MODP_768[openssl]
+MODP_CUSTOM[openssl]
+ML_KEM_512[openssl]
+ML_KEM_768[openssl]
+ML_KEM_1024[openssl]
+ECP_256[openssl]
+ECP_384[openssl]
+ECP_521[openssl]
+ECP_224[openssl]
+CURVE_25519[openssl]

.github/active-transforms/wolfssl

@@ -0,0 +1,103 @@
+AES_ECB[wolfssl]
+AES_ECB[wolfssl]
+AES_ECB[wolfssl]
+AES_CTR[wolfssl]
+AES_CTR[wolfssl]
+AES_CTR[wolfssl]
+AES_CBC[wolfssl]
+AES_CBC[wolfssl]
+AES_CBC[wolfssl]
+AES_CFB[wolfssl]
+AES_CFB[wolfssl]
+AES_CFB[wolfssl]
+CAMELLIA_CBC[wolfssl]
+CAMELLIA_CBC[wolfssl]
+CAMELLIA_CBC[wolfssl]
+3DES_CBC[wolfssl]
+DES_CBC[wolfssl]
+DES_ECB[wolfssl]
+NULL[wolfssl]
+AES_GCM_16[wolfssl]
+AES_GCM_16[wolfssl]
+AES_GCM_16[wolfssl]
+AES_GCM_12[wolfssl]
+AES_GCM_12[wolfssl]
+AES_GCM_12[wolfssl]
+AES_GCM_8[wolfssl]
+AES_GCM_8[wolfssl]
+AES_GCM_8[wolfssl]
+AES_CCM_16[wolfssl]
+AES_CCM_16[wolfssl]
+AES_CCM_16[wolfssl]
+AES_CCM_12[wolfssl]
+AES_CCM_12[wolfssl]
+AES_CCM_12[wolfssl]
+AES_CCM_8[wolfssl]
+AES_CCM_8[wolfssl]
+AES_CCM_8[wolfssl]
+CHACHA20_POLY1305[wolfssl]
+HMAC_MD5_96[wolfssl]
+HMAC_MD5_128[wolfssl]
+HMAC_SHA1_96[wolfssl]
+HMAC_SHA1_128[wolfssl]
+HMAC_SHA1_160[wolfssl]
+HMAC_SHA2_256_128[wolfssl]
+HMAC_SHA2_256_256[wolfssl]
+HMAC_SHA2_384_192[wolfssl]
+HMAC_SHA2_384_384[wolfssl]
+HMAC_SHA2_512_256[wolfssl]
+HMAC_SHA2_512_512[wolfssl]
+HASH_MD5[wolfssl]
+HASH_SHA1[wolfssl]
+HASH_SHA2_224[wolfssl]
+HASH_SHA2_256[wolfssl]
+HASH_SHA2_384[wolfssl]
+HASH_SHA2_512[wolfssl]
+HASH_SHA3_224[wolfssl]
+HASH_SHA3_256[wolfssl]
+HASH_SHA3_384[wolfssl]
+HASH_SHA3_512[wolfssl]
+HASH_IDENTITY[wolfssl]
+PRF_KEYED_SHA1[wolfssl]
+PRF_HMAC_MD5[wolfssl]
+PRF_HMAC_SHA1[wolfssl]
+PRF_HMAC_SHA2_256[wolfssl]
+PRF_HMAC_SHA2_384[wolfssl]
+PRF_HMAC_SHA2_512[wolfssl]
+XOF_SHAKE256[wolfssl]
+KDF_PRF[wolfssl]
+KDF_PRF_PLUS[wolfssl]
+DRBG_CTR_AES256[drbg]
+DRBG_CTR_AES128[drbg]
+DRBG_CTR_AES192[drbg]
+DRBG_HMAC_SHA1[drbg]
+DRBG_HMAC_SHA256[drbg]
+DRBG_HMAC_SHA384[drbg]
+DRBG_HMAC_SHA512[drbg]
+RNG_WEAK[wolfssl]
+RNG_STRONG[wolfssl]
+ECP_256[wolfssl]
+ECP_384[wolfssl]
+ECP_521[wolfssl]
+ECP_224[wolfssl]
+ECP_256_BP[wolfssl]
+ECP_384_BP[wolfssl]
+ECP_512_BP[wolfssl]
+ECP_224_BP[wolfssl]
+MODP_3072[wolfssl]
+MODP_4096[wolfssl]
+MODP_6144[wolfssl]
+MODP_8192[wolfssl]
+MODP_2048[wolfssl]
+MODP_2048_224[wolfssl]
+MODP_2048_256[wolfssl]
+MODP_1536[wolfssl]
+MODP_1024[wolfssl]
+MODP_1024_160[wolfssl]
+MODP_768[wolfssl]
+MODP_CUSTOM[wolfssl]
+ML_KEM_512[wolfssl]
+ML_KEM_768[wolfssl]
+ML_KEM_1024[wolfssl]
+CURVE_25519[wolfssl]
+CURVE_448[wolfssl]

.github/codeql/config.yml

@@ -0,0 +1,11 @@
+queries:
+  - uses: ./.github/codeql/cpp-queries
+
+query-filters:
+  # don't explicitly point out FIXME comments
+  - exclude:
+      id: cpp/fixme-comment
+  # this rule produces too many false positives due to our custom specifiers and
+  # the use of void pointers in swanctl
+  - exclude:
+      id: cpp/wrong-type-format-argument

.github/codeql/cpp-queries/chunk_from_chars.ql

@@ -10,8 +10,7 @@
  * @precision very-high
  */
 import cpp
-import DataFlow::PathGraph
-import semmle.code.cpp.dataflow.DataFlow
+import semmle.code.cpp.dataflow.new.DataFlow
 
 class ChunkFromChars extends Expr {
   ChunkFromChars() {
@@ -23,29 +22,30 @@ class ChunkFromChars extends Expr {
   }
 }
 
-class ChunkFromCharsUsage extends DataFlow::Configuration {
-  ChunkFromCharsUsage() { this = "ChunkFromCharsUsage" }
-
-  override predicate isSource(DataFlow::Node source) {
+module ChunkFromCharsConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
     source.asExpr() instanceof ChunkFromChars
   }
 
-  override predicate isSink(DataFlow::Node sink) {
+  predicate isSink(DataFlow::Node sink) {
     exists(sink.asExpr())
   }
 
-  override predicate isBarrierOut(DataFlow::Node node) {
+  predicate isBarrierOut(DataFlow::Node node) {
     /* don't track beyond function calls */
     exists(FunctionCall fc | node.asExpr().getParent*() = fc)
   }
 }
 
+module ChunkFromCharsFlow = DataFlow::Global<ChunkFromCharsConfig>;
+import ChunkFromCharsFlow::PathGraph
+
 BlockStmt enclosingBlock(BlockStmt b) {
   result = b.getEnclosingBlock()
 }
 
-from ChunkFromCharsUsage usage, DataFlow::PathNode source, DataFlow::PathNode sink
+from ChunkFromCharsFlow::PathNode source, ChunkFromCharsFlow::PathNode sink
 where
-  usage.hasFlowPath(source, sink)
+  ChunkFromCharsFlow::flowPath(source, sink)
   and not source.getNode().asExpr().getEnclosingBlock() = enclosingBlock*(sink.getNode().asExpr().getEnclosingBlock())
 select source, source, sink, "Invalid use of chunk_from_chars() result in sibling/parent block."

.github/codeql/cpp-queries/qlpack.yml

@@ -0,0 +1,3 @@
+name: strongswan/cpp-queries
+dependencies:
+  codeql/cpp-all: "*"

.github/workflows/android.yml

@@ -2,6 +2,10 @@ name: Android
 
 on: [push, pull_request]
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 env:
   CCACHE_BASEDIR: ${{ github.workspace }}
   CCACHE_COMPRESS: true
@@ -18,7 +22,7 @@ jobs:
       - id: skip-check
         uses: fkirc/skip-duplicate-actions@master
         with:
-          concurrent_skipping: 'same_content'
+          concurrent_skipping: 'same_content_newer'
 
   android:
     needs: pre-check
@@ -26,28 +30,39 @@ jobs:
     runs-on: ubuntu-latest
     env:
       TEST: android
-      # since the NDK is newly installed every time, we have to use this to avoid cache misses
+      # since the NDK might be newly installed, we have to use this to avoid cache misses
       CCACHE_COMPILERCHECK: content
     steps:
-      # even though we don't specify a specific version in our gradle files, the
-      # build fails without this because some arbitrary NDK version, that's
-      # weirdly not installed, is requested
+      - uses: actions/checkout@v4
+      # make sure the NDK we reference is installed and exported so we can use it to build OpenSSL
       - name: Install NDK
-        run: yes | sudo ${ANDROID_HOME}/tools/bin/sdkmanager --install 'ndk;21.0.6113669'
-      - uses: actions/checkout@v2
-      - uses: actions/cache@v2
+        id: ndk-install
+        run: |
+          NDK_VERSION=$(grep "ndkVersion" src/frontends/android/app/build.gradle | sed -e 's/.*"\(.*\)"/\1/')
+          echo Using NDK ${NDK_VERSION}
+          yes | ${ANDROID_HOME}/cmdline-tools/latest/bin/sdkmanager --install "ndk;${NDK_VERSION}"
+          echo "ANDROID_NDK_ROOT=${ANDROID_HOME}/ndk/${NDK_VERSION}" >> "$GITHUB_OUTPUT"
+      - uses: actions/cache@v4
         with:
-          path: ~/.ccache
+          path: ~/.cache/ccache
           key: ccache-android-${{ github.sha }}
           restore-keys: |
             ccache-android-
+      # necessary for newer versions of the Gradle plugin
+      - uses: actions/setup-java@v4
+        with:
+          distribution: 'temurin'
+          java-version: 17
+          cache: 'gradle'
       - run: |
           sudo apt-get install -qq ccache
           echo "PATH=/usr/lib/ccache:$PATH" >> $GITHUB_ENV
           ccache -z
       - uses: ./.github/actions/default
+        env:
+          ANDROID_NDK_ROOT: ${{ steps.ndk-install.outputs.ANDROID_NDK_ROOT }}
       - run: ccache -s
-      - uses: actions/upload-artifact@v2
+      - uses: actions/upload-artifact@v4
         with:
           name: Lint Results
-          path: src/frontends/android/app/build/reports/lint-results.xml
+          path: src/frontends/android/app/build/reports/lint-results*.xml

.github/workflows/codeql.yml

@@ -0,0 +1,78 @@
+name: "CodeQL"
+
+on: [push, pull_request]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  CCACHE_BASEDIR: ${{ github.workspace }}
+  CCACHE_COMPRESS: true
+  CCACHE_MAXSIZE: 200M
+  # CodeQL currently doesn't support ccache
+  CCACHE_DISABLE: true
+  OS_NAME: linux
+
+jobs:
+  pre-check:
+    runs-on: ubuntu-latest
+    outputs:
+      should_skip: ${{ steps.skip-check.outputs.should_skip }}
+    steps:
+      - id: skip-check
+        uses: fkirc/skip-duplicate-actions@master
+        with:
+          concurrent_skipping: 'same_content_newer'
+
+  analyze:
+    needs: pre-check
+    if: ${{ needs.pre-check.outputs.should_skip != 'true' }}
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'cpp', 'python', 'ruby' ]
+    steps:
+    - uses: actions/checkout@v4
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v3
+      with:
+        languages: ${{ matrix.language }}
+        config-file: ./.github/codeql/config.yml
+
+    - if: matrix.language == 'python' || matrix.language == 'ruby'
+      name: Autobuild
+      uses: github/codeql-action/autobuild@v3
+
+    # this follows the steps of the Linux workflow
+    - if: matrix.language == 'cpp'
+      uses: actions/cache@v4
+      with:
+        path: ~/.cache/ccache
+        key: ccache-ubuntu-latest-gcc-codeql-${{ github.sha }}
+        restore-keys: |
+          ccache-ubuntu-latest-gcc-codeql
+          ccache-ubuntu-latest-gcc-all-${{ github.sha }}
+          ccache-ubuntu-latest-gcc-all-
+          ccache-ubuntu-latest-gcc-
+    - if: matrix.language == 'cpp'
+      run: |
+          sudo apt-get install -qq ccache
+          echo "PATH=/usr/lib/ccache:$PATH" >> $GITHUB_ENV
+          ccache -z
+    - if: matrix.language == 'cpp'
+      env:
+        TEST: codeql
+      uses: ./.github/actions/default
+    - if: matrix.language == 'cpp'
+      run: ccache -s
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3
+      with:
+        category: "/language:${{matrix.language}}"

.github/workflows/lgtm.yml

@@ -1,37 +0,0 @@
-name: lgtm.com
-
-on: [push]
-
-env:
-  OS_NAME: linux
-
-jobs:
-  pre-check:
-    runs-on: ubuntu-latest
-    outputs:
-      should_skip: ${{ steps.skip-check.outputs.should_skip }}
-    steps:
-      - id: skip-check
-        uses: fkirc/skip-duplicate-actions@master
-        with:
-          concurrent_skipping: 'same_content'
-
-  lgtm:
-    needs: pre-check
-    if: ${{ needs.pre-check.outputs.should_skip != 'true' }}
-    runs-on: ubuntu-latest
-    env:
-      TEST: lgtm
-    steps:
-      - uses: actions/checkout@v2
-        with:
-          fetch-depth: 0
-      # we don't use github/codeql-action because we can't exclude queries there,
-      # so we continue to use the approach we used on Travis
-      - env:
-          LGTM_TOKEN: ${{ secrets.LGTM_TOKEN }}
-          LGTM_PROJECT: ${{ secrets.LGTM_PROJECT }}
-          BUILD_NUMBER: ${{ github.run_number }}
-          COMMIT_ID: ${{ github.sha }}
-          COMMIT_BASE: ${{ github.event.before }}
-        uses: ./.github/actions/default

.github/workflows/linux.yml

@@ -2,6 +2,10 @@ name: Linux
 
 on: [push, pull_request]
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 env:
   # this test case does not actually test anything but tries to access system
   # directories that might be inaccessible on build hosts
@@ -21,12 +25,12 @@ jobs:
       - id: skip-check
         uses: fkirc/skip-duplicate-actions@master
         with:
-          concurrent_skipping: 'same_content'
+          concurrent_skipping: 'same_content_newer'
 
   latest:
     needs: pre-check
     if: ${{ needs.pre-check.outputs.should_skip != 'true' }}
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.os || 'ubuntu-latest' }}
     strategy:
       matrix:
         test: [ all, default, printf-builtin ]
@@ -44,7 +48,13 @@ jobs:
           - test: apidoc
           - test: coverage
           - test: dist
-          - test: nm-no-glib
+          - test: nm
+          - test: no-dbg
+          - test: no-dbg
+            compiler: clang
+          - test: no-testable-ke
+          - test: no-testable-ke
+            compiler: clang
           - test: fuzzing
             compiler: clang
             monolithic: yes
@@ -54,18 +64,18 @@ jobs:
       CC: ${{ matrix.compiler || 'gcc' }}
       TEST: ${{ matrix.test }}
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/cache@v2
+      - uses: actions/checkout@v4
+      - uses: actions/cache@v4
         with:
-          path: ~/.ccache
+          path: ~/.cache/ccache
           # with regards to ccache, monolithic builds don't differ from regular
           # builds and, similarly, builds with leak-detective only differ in two
           # files (LD itself and library.c); but different tests build different
           # dependencies, so different caches are needed
-          key: ccache-${{ runner.os }}-${{ env.CC }}-${{ matrix.test }}-${{ github.sha }}
+          key: ccache-ubuntu-latest-${{ env.CC }}-${{ matrix.test }}-${{ github.sha }}
           restore-keys: |
-            ccache-${{ runner.os }}-${{ env.CC }}-${{ matrix.test }}-
-            ccache-${{ runner.os }}-${{ env.CC }}-
+            ccache-ubuntu-latest-${{ env.CC }}-${{ matrix.test }}-
+            ccache-ubuntu-latest-${{ env.CC }}-
       - run: |
           sudo apt-get install -qq ccache
           echo "PATH=/usr/lib/ccache:$PATH" >> $GITHUB_ENV
@@ -73,74 +83,109 @@ jobs:
       - uses: ./.github/actions/default
       - run: ccache -s
       - if: ${{ success() && matrix.test == 'coverage' }}
-        run: bash <(curl -s https://codecov.io/bash)
+        uses: codecov/codecov-action@v4
+        with:
+          disable_search: true
+          fail_ci_if_error: true
+          file: coverage/coverage.cleaned.info
+          token: ${{ secrets.CODECOV_TOKEN }}
+          verbose: true
       - if: ${{ failure() }}
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
         with:
           name: Logs ${{ github.job }}
           path: config.log
           retention-days: 5
 
-  crypto-plugins:
+  crypto:
     needs: pre-check
     if: ${{ needs.pre-check.outputs.should_skip != 'true' }}
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        test: [ botan, wolfssl, openssl, openssl-3, gcrypt ]
+        test: [ botan, wolfssl, openssl, openssl-3, openssl-awslc, gcrypt ]
+        os: [ ubuntu-latest, ubuntu-22.04 ]
         leak-detective: [ no, yes ]
-    env:
-      LEAK_DETECTIVE: ${{ matrix.leak-detective || 'no' }}
-      TEST: ${{ matrix.test }}
-    steps:
-      - uses: actions/checkout@v2
-      - uses: actions/cache@v2
-        with:
-          path: ~/.ccache
-          key: ccache-${{ runner.os }}-${{ env.CC }}-${{ matrix.test }}-${{ github.sha }}
-          restore-keys: |
-            ccache-${{ runner.os }}-${{ env.CC }}-${{ matrix.test }}-
-            ccache-${{ runner.os }}-${{ env.CC }}-
-            ccache-${{ runner.os }}-${{ env.CC }}-all-${{ github.sha }}
-            ccache-${{ runner.os }}-${{ env.CC }}-all-
-            ccache-${{ runner.os }}-${{ env.CC }}-
-      - run: |
-          sudo apt-get install -qq ccache
-          echo "PATH=/usr/lib/ccache:$PATH" >> $GITHUB_ENV
-          ccache -z
-      - uses: ./.github/actions/default
-      - run: ccache -s
-      - if: ${{ failure() }}
-        uses: actions/upload-artifact@v2
-        with:
-          name: Logs ${{ github.job }}
-          path: config.log
-          retention-days: 5
-
-  bionic:
-    needs: pre-check
-    if: ${{ needs.pre-check.outputs.should_skip != 'true' }}
-    runs-on: ubuntu-18.04
-    strategy:
-      matrix:
-        test: [ all ]
-        compiler: [ gcc, clang ]
-        include:
-          - test: nm
+        exclude:
+          # test custom-built libs only on the latest platform
+          - os: ubuntu-22.04
+            test: botan
+          - os: ubuntu-22.04
+            test: wolfssl
+          - os: ubuntu-22.04
+            test: openssl-3
+          - os: ubuntu-22.04
+            test: openssl-awslc
     env:
       LEAK_DETECTIVE: ${{ matrix.leak-detective || 'no' }}
       CC: ${{ matrix.compiler || 'gcc' }}
       TEST: ${{ matrix.test }}
-      UBUNTU_BIONIC: yes
+      ACTIVE_TRANSFORMS_REF: .github/active-transforms/${{ matrix.test }}
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/cache@v2
+      - uses: actions/checkout@v4
+      - uses: actions/cache@v4
         with:
-          path: ~/.ccache
-          key: ccache-bionic-${{ env.CC }}-${{ matrix.test }}-${{ github.sha }}
+          # path is different on newer systems
+          path: |
+            ~/.cache/ccache
+            ~/.ccache
+          key: ccache-${{ matrix.os }}-${{ env.CC }}-${{ matrix.test }}-${{ github.sha }}
           restore-keys: |
-            ccache-bionic-${{ env.CC }}-${{ matrix.test }}-
-            ccache-bionic-${{ env.CC }}-
+            ccache-${{ matrix.os }}-${{ env.CC }}-${{ matrix.test }}-
+            ccache-${{ matrix.os }}-${{ env.CC }}-all-${{ github.sha }}
+            ccache-${{ matrix.os }}-${{ env.CC }}-all-
+            ccache-${{ matrix.os }}-${{ env.CC }}-
+      - run: |
+          sudo apt-get install -qq ccache
+          echo "PATH=/usr/lib/ccache:$PATH" >> $GITHUB_ENV
+          ccache -z
+          echo "TESTS_ACTIVE_TRANSFORMS=$HOME/active-transforms.log" >> $GITHUB_ENV
+      - uses: ./.github/actions/default
+      - name: Upload active transforms
+        uses: actions/upload-artifact@v4
+        with:
+          name: active-transforms-${{ matrix.test }}-${{ matrix.os }}-${{ matrix.leak-detective }}
+          path: ${{ env.TESTS_ACTIVE_TRANSFORMS }}
+          retention-days: 5
+      - name: Verify active transforms
+        run: |
+          test ! -f $ACTIVE_TRANSFORMS_REF || diff -u --color=always $ACTIVE_TRANSFORMS_REF $TESTS_ACTIVE_TRANSFORMS
+      - run: ccache -s
+      - if: ${{ failure() }}
+        uses: actions/upload-artifact@v4
+        with:
+          name: Logs ${{ github.job }}
+          path: config.log
+          retention-days: 5
+
+  older:
+    needs: pre-check
+    if: ${{ needs.pre-check.outputs.should_skip != 'true' }}
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ ubuntu-22.04 ]
+        test: [ all, nm ]
+        compiler: [ gcc, clang ]
+        exclude:
+          - test: nm
+            compiler: clang
+    env:
+      LEAK_DETECTIVE: ${{ matrix.leak-detective || 'no' }}
+      CC: ${{ matrix.compiler || 'gcc' }}
+      TEST: ${{ matrix.test }}
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/cache@v4
+        with:
+          # path is different on newer systems
+          path: |
+            ~/.cache/ccache
+            ~/.ccache
+          key: ccache-${{ matrix.os }}-${{ env.CC }}-${{ matrix.test }}-${{ github.sha }}
+          restore-keys: |
+            ccache-${{ matrix.os }}-${{ env.CC }}-${{ matrix.test }}-
+            ccache-${{ matrix.os }}-${{ env.CC }}-
       - run: |
           sudo apt-get install -qq ccache
           echo "PATH=/usr/lib/ccache:$PATH" >> $GITHUB_ENV
@@ -148,7 +193,7 @@ jobs:
       - uses: ./.github/actions/default
       - run: ccache -s
       - if: ${{ failure() }}
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
         with:
           name: Logs ${{ github.job }}
           path: config.log

.github/workflows/macos.yml

@@ -2,6 +2,10 @@ name: macOS
 
 on: [push, pull_request]
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 env:
   TESTS_REDUCED_KEYLENGTHS: yes
   CCACHE_BASEDIR: ${{ github.workspace }}
@@ -18,22 +22,28 @@ jobs:
       - id: skip-check
         uses: fkirc/skip-duplicate-actions@master
         with:
-          concurrent_skipping: 'same_content'
+          concurrent_skipping: 'same_content_newer'
 
   macos:
+    strategy:
+      matrix:
+        os: [macos-latest, macos-14]
     needs: pre-check
     if: ${{ needs.pre-check.outputs.should_skip != 'true' }}
-    runs-on: macos-latest
+    runs-on: ${{ matrix.os }}
+    timeout-minutes: 20
     env:
       TEST: macos
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/cache@v2
+      - uses: actions/checkout@v4
+      - uses: actions/cache@v4
         with:
           path: ~/Library/Caches/ccache
           key: ccache-${{ runner.os }}-${{ github.sha }}
           restore-keys: |
             ccache-${{ runner.os }}-
+      # workaround for conflict between Python installed in the image and via brew
+      - run: find /usr/local/bin -lname '*/Library/Frameworks/Python.framework/*' -delete -print
       - run: |
           brew install ccache
           echo "PATH=$(brew --prefix)/opt/ccache/libexec:$PATH" >> $GITHUB_ENV
@@ -41,7 +51,7 @@ jobs:
       - uses: ./.github/actions/default
       - run: ccache -s
       - if: ${{ failure() }}
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
         with:
           name: Logs ${{ github.job }}
           path: config.log

.github/workflows/sonarcloud.yml

@@ -2,6 +2,10 @@ name: SonarCloud
 
 on: [push]
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 env:
   CCACHE_BASEDIR: ${{ github.workspace }}
   CCACHE_COMPRESS: true
@@ -17,7 +21,7 @@ jobs:
       - id: skip-check
         uses: fkirc/skip-duplicate-actions@master
         with:
-          concurrent_skipping: 'same_content'
+          concurrent_skipping: 'same_content_newer'
 
   sonarcloud:
     needs: pre-check
@@ -26,14 +30,13 @@ jobs:
     env:
       TEST: sonarcloud
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - uses: actions/cache@v2
+      - uses: actions/cache@v4
         with:
           path: |
-            ~/.ccache
-            ~/.sonar-cache
+            ~/.cache/ccache
           key: ccache-sonarcloud-${{ github.sha }}
           restore-keys: |
             ccache-sonarcloud-
@@ -41,24 +44,17 @@ jobs:
           sudo apt-get install -qq ccache
           echo "PATH=/usr/lib/ccache:$PATH" >> $GITHUB_ENV
           ccache -z
-      # using SonarSource/sonarcloud-github-action is currently not recommended
-      # for C builds, so we follow the "any CI" instructions
-      - name: Install sonar-scanner
+      - uses: SonarSource/sonarqube-scan-action/install-build-wrapper@v6.0.0
+      - run: |
+          echo "BUILD_WRAPPER_OUT_DIR=$HOME/bw-output" >> $GITHUB_ENV
+      - uses: ./.github/actions/default
+      - uses: SonarSource/sonarqube-scan-action@v6.0.0
         env:
-          SONAR_SCANNER_VERSION: 4.6.2.2472
-        run: |
-          export SONAR_SCANNER_HOME=$HOME/.sonar/sonar-scanner-$SONAR_SCANNER_VERSION-linux
-          curl --create-dirs -sSLo $HOME/.sonar/sonar-scanner.zip https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-$SONAR_SCANNER_VERSION-linux.zip
-          unzip -o $HOME/.sonar/sonar-scanner.zip -d $HOME/.sonar/
-          echo "SONAR_SCANNER_OPTS=-server" >> $GITHUB_ENV
-          curl --create-dirs -sSLo $HOME/.sonar/build-wrapper-linux-x86.zip https://sonarcloud.io/static/cpp/build-wrapper-linux-x86.zip
-          unzip -o $HOME/.sonar/build-wrapper-linux-x86.zip -d $HOME/.sonar/
-          echo "PATH=$HOME/.sonar/build-wrapper-linux-x86:$SONAR_SCANNER_HOME/bin:$PATH" >> $GITHUB_ENV
-      - env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          BUILD_NUMBER: ${{ github.run_id }}
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-          SONAR_PROJECT: ${{ secrets.SONAR_PROJECT }}
-          SONAR_ORGANIZATION: ${{ secrets.SONAR_ORGANIZATION }}
-        uses: ./.github/actions/default
+        with:
+          args: >
+            -Dsonar.projectKey=${{ secrets.SONAR_PROJECT }}
+            -Dsonar.organization=${{ secrets.SONAR_ORGANIZATION }}
+            -Dsonar.cfamily.threads=2
+            -Dsonar.cfamily.compile-commands=${{ env.BUILD_WRAPPER_OUT_DIR }}/compile_commands.json
       - run: ccache -s

.github/workflows/tkm.yml

@@ -2,6 +2,10 @@ name: TKM
 
 on: [push, pull_request]
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 env:
   CCACHE_DIR: ${{ github.workspace }}/.ccache
   CCACHE_CONTAINER: /root/.ccache
@@ -18,7 +22,7 @@ jobs:
       - id: skip-check
         uses: fkirc/skip-duplicate-actions@master
         with:
-          concurrent_skipping: 'same_content'
+          concurrent_skipping: 'same_content_newer'
 
   tkm:
     needs: pre-check
@@ -27,8 +31,8 @@ jobs:
     env:
       TEST: tkm
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/cache@v2
+      - uses: actions/checkout@v4
+      - uses: actions/cache@v4
         with:
           path: ${{ env.CCACHE_DIR }}
           key: ccache-tkm-${{ github.sha }}
@@ -54,9 +58,9 @@ jobs:
             autoreconf -i /strongswan || exit 1
             CFLAGS="-g -O2 -Wall -Wno-format -Wno-format-security -Wno-pointer-sign -Werror" \
             /strongswan/configure --disable-defaults --enable-silent-rules \
-              --enable-ikev2 --enable-kernel-netlink --enable-openssl \
-              --enable-pem --enable-socket-default --enable-swanctl \
-              --enable-tkm || exit 1
+              --enable-ikev2 --enable-kernel-netlink --enable-pem --enable-pkcs1 \
+              --enable-random --enable-sha1 --enable-socket-default --enable-swanctl \
+              --enable-tkm --enable-x509 || exit 1
             # run tests without TKM first
             make -j check TESTS_RUNNERS=tkm || exit 1
 

.github/workflows/windows.yml

@@ -2,6 +2,10 @@ name: Windows
 
 on: [push, pull_request]
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 env:
   TESTS_REDUCED_KEYLENGTHS: yes
   CCACHE_BASEDIR: ${{ github.workspace }}
@@ -21,7 +25,7 @@ jobs:
       - id: skip-check
         uses: fkirc/skip-duplicate-actions@master
         with:
-          concurrent_skipping: 'same_content'
+          concurrent_skipping: 'same_content_newer'
 
   cross-compile:
     needs: pre-check
@@ -34,10 +38,10 @@ jobs:
       OS_NAME: linux
       TEST: ${{ matrix.test }}
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/cache@v2
+      - uses: actions/checkout@v4
+      - uses: actions/cache@v4
         with:
-          path: ~/.ccache
+          path: ~/.cache/ccache
           key: ccache-${{ runner.os }}-${{ matrix.test }}-${{ github.sha }}
           restore-keys: |
             ccache-${{ runner.os }}-${{ matrix.test }}-
@@ -48,7 +52,7 @@ jobs:
       - uses: ./.github/actions/default
       - run: ccache -s
       - if: ${{ failure() }}
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
         with:
           name: Logs ${{ github.job }}
           path: config.log

.gitignore

@@ -27,6 +27,7 @@ libtool
 y.tab.[ch]
 lex.yy.c
 *keywords.c
+!proposal_keywords.c
 plugin_constructors.c
 Doxyfile
 apidoc/
@@ -38,6 +39,7 @@ fuzzing-corpora/
 *.tar.bz2
 *.tar.gz
 .DS_Store
+._.DS_Store
 coverage/
 *.gcno
 *.gcda
@@ -53,3 +55,4 @@ coverage/
 /*.includes
 test-driver
 nbproject/
+*.[si]

.lgtm.yml

@@ -1,46 +0,0 @@
-queries:
-  - exclude: cpp/fixme-comment
-  # this rule produces too many false positives due to our custom specifiers and
-  # the use of void pointers in swanctl
-  - exclude: cpp/wrong-type-format-argument
-
-extraction:
-  cpp:
-    prepare:
-      packages:
-        # for tss2
-        - libssl-dev
-        - libjson-c-dev
-        - libcurl4-openssl-dev
-    after_prepare:
-      - export DEPS_BUILD_DIR=$LGTM_WORKSPACE/deps
-      - mkdir -p $DEPS_BUILD_DIR
-      - export DEPS_PREFIX=$DEPS_BUILD_DIR/usr
-      - mkdir -p $DEPS_PREFIX
-      - export PKG_CONFIG_PATH="$DEPS_PREFIX/lib/pkgconfig:$PKG_CONFIG_PATH"
-      - export LD_LIBRARY_PATH="$DEPS_PREFIX/lib:$LD_LIBRARY_PATH"
-      - mkdir -p $LGTM_WORKSPACE/bin
-      # sudo doesn't work on the build hosts
-      - ln -s /usr/bin/nice $LGTM_WORKSPACE/bin/sudo
-      # for ldconfig we don't have enough permissions
-      - ln -s /bin/true $LGTM_WORKSPACE/bin/ldconfig
-      # likewise for apt-get
-      - ln -s /bin/echo $LGTM_WORKSPACE/bin/apt-get
-      - export PATH=$LGTM_WORKSPACE/bin:$PATH
-      - export TEST=all
-      - ./scripts/test.sh build-deps
-      - rm $LGTM_WORKSPACE/bin/*
-    configure:
-      command:
-        # follows the "all" build in test.sh (without custom-compiled stuff)
-        - ./autogen.sh
-        - ./configure --enable-all --disable-android-dns --disable-android-log
-            --disable-kernel-pfroute --disable-keychain
-            --disable-lock-profiler --disable-padlock --disable-fuzzing
-            --disable-osx-attr --disable-tkm --disable-uci
-            --disable-unwind-backtraces
-            --disable-svc --disable-dbghelp-backtraces --disable-socket-win
-            --disable-kernel-wfp --disable-kernel-iph --disable-winhttp
-            --disable-af-alg --disable-coverage
-            --disable-python-eggs-install
-            --disable-monolithic --disable-leak-detective

.lsan.suppressions

@@ -0,0 +1,8 @@
+leak:EVP_CIPHER_fetch
+leak:EVP_KEYEXCH_fetch
+leak:EVP_KEYMGMT_fetch
+leak:EVP_RAND_fetch
+leak:OSSL_DECODER_do_all_provided
+leak:OSSL_ENCODER_do_all_provided
+leak:OSSL_PROVIDER_load
+leak:OSSL_PROVIDER_try_load

Android.mk

@@ -7,12 +7,9 @@ include $(CLEAR_VARS)
 # possible executables are
 #   starter - allows to control and configure the daemon from the command line
 #   charon - the IKE daemon
-#   scepclient - SCEP client
 
-# if you enable starter or scepclient (see above) uncomment the proper
-# lines here
+# if you enable starter (see above) uncomment the following line
 # strongswan_BUILD_STARTER := true
-# strongswan_BUILD_SCEPCLIENT := true
 
 # this is the list of plugins that are built into libstrongswan and charon
 # also these plugins are loaded by default (if not changed in strongswan.conf)
@@ -20,17 +17,8 @@ strongswan_CHARON_PLUGINS := android-log openssl fips-prf random nonce pubkey \
 	pkcs1 pkcs8 pem xcbc hmac kdf kernel-netlink socket-default android-dns \
 	stroke eap-identity eap-mschapv2 eap-md5 eap-gtc
 
-ifneq ($(strongswan_BUILD_SCEPCLIENT),)
-# plugins loaded by scepclient
-strongswan_SCEPCLIENT_PLUGINS := openssl curl fips-prf random pkcs1 pkcs7 pem
-endif
-
-strongswan_STARTER_PLUGINS := kernel-netlink
-
 # list of all plugins - used to enable them with the function below
-strongswan_PLUGINS := $(sort $(strongswan_CHARON_PLUGINS) \
-	$(strongswan_STARTER_PLUGINS) \
-	$(strongswan_SCEPCLIENT_PLUGINS))
+strongswan_PLUGINS := $(sort $(strongswan_CHARON_PLUGINS))
 
 include $(LOCAL_PATH)/Android.common.mk
 
@@ -106,10 +94,5 @@ strongswan_BUILD += \
 	ipsec
 endif
 
-ifneq ($(strongswan_BUILD_SCEPCLIENT),)
-strongswan_BUILD += \
-	scepclient
-endif
-
 include $(addprefix $(LOCAL_PATH)/src/,$(addsuffix /Android.mk, \
 		$(sort $(strongswan_BUILD))))

CONTRIBUTING.md

@@ -1,3 +1,3 @@
-Please refer to the [developer documentation](https://docs.strongswan.org/docs/5.9/devs/devs.html)
+Please refer to the [developer documentation](https://docs.strongswan.org/docs/latest/devs/devs.html)
 in our documentation for details regarding **code style** and
-[**contribution requirements**](https://docs.strongswan.org/docs/5.9/devs/contributions.html).
+[**contribution requirements**](https://docs.strongswan.org/docs/latest/devs/contributions.html).

HACKING

@@ -14,7 +14,6 @@ the code, you need the following tools:
     - autoconf
     - libtool
     - pkg-config
-    - gettext
     - perl
     - python
     - lex/flex

INSTALL

@@ -144,4 +144,4 @@ Contents
 
     For a more up-to-date list of recommended modules refer to:
 
-      * https://docs.strongswan.org/docs/5.9/install/kernelModules.html
+      * https://docs.strongswan.org/docs/latest/install/kernelModules.html

Makefile.am

@@ -65,10 +65,11 @@ cov-reset: cov-reset-common
 cov-report:
 		@mkdir $(top_builddir)/coverage
 		lcov -c -o $(top_builddir)/coverage/coverage.info -d $(top_builddir) \
-			 --rc lcov_branch_coverage=1
+			 --rc branch_coverage=1
 		lcov -r $(top_builddir)/coverage/coverage.info '*/tests/*' '*/suites/*' '/usr*' \
+			 '*proposal_keywords_static.*' \
 			 -o $(abs_top_builddir)/coverage/coverage.cleaned.info \
-			 --rc lcov_branch_coverage=1
+			 --rc branch_coverage=1
 		genhtml --num-spaces 4 --legend --branch-coverage --ignore-errors source \
 				-t "$(PACKAGE_STRING)" \
 				-o $(top_builddir)/coverage/html \

NEWS

@@ -1,3 +1,389 @@
+strongswan-6.0.2
+----------------
+
+- Support for per-CPU SAs (RFC 9611) has been added (Linux 6.13+).
+
+- Basic support for AGGFRAG mode (RFC 9347) has been added (Linux 6.14+).
+
+- POSIX regular expressions can be used to match remote identities.
+
+- Switching configs based on EAP-Identities is supported. Setting
+  `remote.eap_id` now always initiates an EAP-Identity exchange.
+
+- On Linux, sequence numbers from acquires are used when installing SAs. This
+  allows handling narrowing properly.
+
+- During rekeying, the narrowed traffic selectors are now proposed instead of
+  the configured ones.
+
+- The default AH/ESP proposals contain all supported key exchange methods plus
+  `none` to make PFS optional and accept proposals of older peers.
+
+- GRO for ESP in enabled for NAT-T UDP sockets, which can improve performance
+  if the esp4|6_offload modules are loaded.
+
+- charon-nm sets the VPN connection as persistent, preventing NetworkManager
+  from tearing down the connection if the network connectivity changes.
+
+- ML-KEM is supported via OpenSSL 3.5+.
+
+- The wolfssl plugin is now compatible to wolfSSL's FIPS module.
+
+- The libsoup plugin has been migrated to libsoup 3, libsoup 2 is not supported
+  anymore.
+
+- The long defunct uci plugin has been removed.
+
+- Log messages by watcher_t are now logged in a separate log group (`wch`).
+
+
+strongswan-6.0.1
+----------------
+
+- The ha plugin supports IKE and Child SAs with multiple key exchanges.
+  Incomplete IKE_SAs are now destroyed during a failover.
+
+- The new `interface_receive` option for the dhcp plugin allows binding the
+  receive socket to a different interface than the send socket. Also fixed a
+  regression if the DHCP server is running on the same host.
+
+- The new `source` option for the eap-radius plugin allows sending RADIUS
+  messages from a specific IP address.
+
+- Self-signed root CAs without policies are now excluded from policy validation.
+
+- Inbound traffic on IPsec SAs is now ignored when sending DPDs unless
+  UDP-encapsulation is used.
+
+- Send IKE_SA_INIT from NAT-T socket if not connecting to port 500.
+
+- Local traffic selectors can be configured for charon-nm. Its default
+  retransmission settings have been set to those of the Android app.
+
+- The vici Python wheel is now built via `build` frontend instead of calling
+  setup.py directly if --enable-python-wheels is used (the option to build eggs
+  has been removed). There is no option to automatically install the wheel (use
+  pip instead) and the --enable-python-eggs-install option has been removed.
+
+
+strongswan-6.0.0
+----------------
+
+- Support of multiple post-quantum (and classic) key exchanges using the
+  IKE_INTERMEDIATE exchange (RFC 9242) and the Additional Key Exchange
+  transform types 1..7 (RFC 9370).
+
+- ML-KEM is provided by the botan, wolfssl, openssl (only via AWS-LC) and the
+  new ml plugins.
+
+- Handling of CHILD_SA rekey collisions has been improved, which makes CHILD_SAs
+  properly trackable via chiled_rekey() hook.
+
+- The behavior when reloading or unloading connections that include `start` in
+  their `start_action` has been improved.
+
+- The default identity is now the subject DN instead of the IP address if a
+  certificate is available.
+
+- The file logger supports logging as JSON objects and can add timestamps
+  in microseconds.
+
+- The cert-enroll script now supports three generations of CA certificates.
+
+- charon-nm uses a different routing table than the regular IKE daemon to avoid
+  conflicts if both are running.
+
+- AF_VSOCK sockets are supported on Linux to communicate with a daemon that runs
+  in a VM.
+
+- TUN devices can properly handle IPv6 addresses.
+
+- For compatibility with older SCEP implementations, challenge passwords in
+  PKCS#10 containers are again encoded as PrintableString if possible.
+
+- The legacy stroke plugin is no longer enabled by default.
+
+- The openssl plugin is now enabled by default, while the following crypto
+  plugins are no longer enabled by default: aes, curve25519, des, fips-prf, gmp,
+  hmac, md5, pkcs12, rc2, sha1, sha2.
+
+- The following deprecated plugins have been removed: bliss, newhope, ntru.
+
+- charon.make_before_break is now enabled by default.
+
+
+strongswan-5.9.14
+-----------------
+
+- Support for the IKEv2 OCSP extensions (RFC 4806) has been added, which allows
+  peers to request and send OCSP responses directly in IKEv2.
+
+- Validation of X.509 name constraints in the constraints plugin has been
+  refactored to align with RFC 5280.
+
+- The dhcp plugin has been ported to FreeBSD/macOS.
+
+- The openssl plugin is now compatible with AWS-LC.
+
+- Overflows of unique identifiers (e.g. Netlink sequence numbers or reqids) are
+  now handled gracefully.
+
+- Updated the pkcs11.h header based on the latest OpenSC version in order to
+  include new algorithm and struct definitions for the pkcs11 plugin.
+  Added support for PSS padding in smartcard-based RSA signatures using either
+  on-chip or external data hashing.
+
+- Added keyid and certid handles in the pki --ocsp command so that keys and/or
+  certificates can be stored on a smartcard or in a TPM 2.0 device.
+
+- Fail SA installation on Linux if replay protection is disabled while ESN is
+  enabled, which the kernel currently doesn't support.
+
+
+strongswan-5.9.13
+-----------------
+
+- Fixes a regression with handling OCSP error responses and adds a new
+  option to specify the length of nonces in OCSP requests.  Also adds some
+  other improvements for OCSP handling and fuzzers for OCSP
+  requests/responses.
+
+
+strongswan-5.9.12
+-----------------
+
+- Fixed a vulnerability in charon-tkm related to processing DH public values
+  that can lead to a buffer overflow and potentially remote code execution.
+  This vulnerability has been registered as CVE-2023-41913.
+
+- The new `pki --ocsp` command produces OCSP responses based on certificate
+  status information provided by plugins.
+
+  Two sources are currently available, the openxpki plugin that directly
+  accesses the OpenXPKI database and the `--index` argument, which reads
+  certificate status information from OpenSSL-style index.txt files.
+
+- The cert-enroll script handles the initial enrollment of an X.509 host
+  certificate with a PKI server via the EST or SCEP protocols.
+
+  Run as a systemd timer or via a crontab entry the script daily checks the
+  expiration date of the host certificate. When a given deadline is reached,
+  the host certificate is automatically renewed via EST or SCEP re-enrollment
+  based on the possession of the old private key and the matching certificate.
+
+- The --priv argument for charon-cmd allows using any type of private key.
+
+- Support for nameConstraints of type iPAddress has been added (the openssl
+  plugin previously didn't support nameConstraints at all).
+
+- SANs of type uniformResourceIdentifier can now be encoded in certificates.
+
+- Password-less PKCS#12 and PKCS#8 files are supported.
+
+- A new global option allows preventing peers from authenticating with trusted
+  end-entity certificates (i.e. local certificates).
+
+- ECDSA public keys that encode curve parameters explicitly are now rejected by
+  all plugins that support ECDSA.
+
+- charon-nm now actually uses the XFRM interfaces added with 5.9.10, it can
+  also use the name in connection.interface-name.
+
+- The resolve plugin tries to maintain the order of installed DNS servers.
+
+- The kernel-libipsec plugin always installs routes even if no address is found
+  in the local traffic selectors.
+
+- Increased the default receive buffer size for Netlink sockets to 8 MiB and
+  simplified its configuration.
+
+- Copy the issuer's subjectKeyIdentifier as authorityKeyIdentifier instead of
+  always generating a hash of the subjectPublicKey.
+
+- Fixed issues while reestablishing multiple CHILD_SAs (e.g. after a DPD
+  timeout) that could cause a reqid to get assigned to multiple CHILD_SAs with
+  unrelated traffic selectors.
+
+- Fixed a possible infinite loop issue in watcher_t and removed WATCHER_EXCEPT,
+  instead callbacks are always invoked even if only errors are signaled.
+
+- Fixed a regression in the IKE_SA_INIT tracking code added with 5.9.6 when
+  handling invalid messages.
+
+- Fixed adding the XFRMA_REPLAY_ESN_VAL attribute twice when updating SAs.
+
+- Correctly encode SPI from REKEY_SA notify in CHILD_SA_NOT_FOUND notify if
+  CHILD_SA is not found during rekeying.
+
+- The testing environment is now based on Debian 12 (bookworm), by default.
+
+
+strongswan-5.9.11
+-----------------
+
+- A deadlock in the vici plugin has been fixed that could get triggered when
+  multiple connections were initiated/terminated concurrently and control-log
+  events were raised by the watcher_t component.
+
+- CRLs have to be signed by a certificate that has the cRLSign keyUsage bit
+  encoded (even if it's a CA), or a CA certificate without keyUsage extension.
+
+- Optional CA labels in EST server URIs are supported by `pki --est/estca`.
+
+- CMS-style signatures in PKCS#7 containers are supported by the pkcs7 and
+  openssl plugins, which allows verifying RSA-PSS and ECDSA signatures.
+
+- Fixed a regression in the server implementation of EAP-TLS with TLS 1.2 or
+  earlier that was introduced with 5.9.10.
+
+- Ensure the TLS handshake is complete in the EAP-TLS client with TLS <= 1.2.
+
+- kernel-libipsec can process raw ESP packets on Linux (disabled by default) and
+  gained support for trap policies.
+
+- The dhcp plugin uses an alternate method to determine the source address
+  for unicast DHCP requests that's not affected by interface filtering.
+
+- Certificate and trust chain selection as initiator has been improved in case
+  the local trust chain is incomplete and an unrelated certreq is received.
+
+- ECDSA and EdDSA keys in IPSECKEY RRs are supported by the ipseckey plugin.
+
+- To bypass tunnel mode SAs/policies, the kernel-wfp plugin installs bypass
+  policies also on the FWPM_SUBLAYER_IPSEC_TUNNEL sublayer.
+
+- Stale OCSP responses are now replace in-place in the certificate cache.
+
+- Fixed parsing of SCEP server capabilities by `pki --scep/scepca`.
+
+
+strongswan-5.9.10
+-----------------
+
+- Fixed a vulnerability related to certificate verification in TLS-based EAP
+  methods that leads to an authentication bypass followed by an expired pointer
+  dereference that results in a denial of service and possibly even remote code
+  execution.
+  This vulnerability has been registered as CVE-2023-26463.
+
+- Added support for full packet hardware offload for IPsec SAs and policies with
+  Linux 6.2 kernels to the kernel-netlink plugin.
+
+- TLS-based EAP methods now use the standardized key derivation when used
+  with TLS 1.3.
+
+- The eap-tls plugin properly supports TLS 1.3 according to RFC 9190, by
+  implementing the "protected success indication".
+
+- With the `prefer` value for the `childless` setting, initiators will create
+  a childless IKE_SA if the responder supports the extension.
+
+- Routes via XFRM interfaces can optionally be installed automatically by
+  enabling the `install_routes_xfrmi` option of the kernel-netlink plugin.
+
+- charon-nm now uses XFRM interfaces instead of dummy TUN devices to avoid
+  issues with name resolution if they are supported by the kernel.
+
+- The `pki --req` command can encode extendedKeyUsage (EKU) flags in the
+  PKCS#10 certificate signing request.
+
+- The `pki --issue` command adopts EKU flags from CSRs but allows modifying them
+  (replace them completely, or adding/removing specific flags).
+
+- On Linux 6.2 kernels, the last use times of CHILD_SAs are determined via the
+  IPsec SAs instead of the policies.
+
+- For libcurl with MultiSSL support, the curl plugin provides an option to
+  select the SSL/TLS backend.
+
+
+strongswan-5.9.9
+----------------
+
+- The charon.reqid_base setting allows specifying the first reqid that's
+  automatically assigned to a CHILD_SA.
+
+- The path/command for resolvconf(8) used by the resolve plugin is now
+  configurable.
+
+- The resolve plugin doesn't generate unique interface names for name servers
+  anymore. Instead, all available name servers are associated with a single,
+  configurable interface name.
+
+- Serial numbers of certificates and CRLs are now always returned in canonical
+  form (i.e. without leading zeros).
+
+- The kernel-netlink plugin now logs extended ACK error/warning messages.
+
+
+strongswan-5.9.8
+----------------
+
+- Fixed a vulnerability related to accessing untrusted OCSP URIs and CDPs in
+  certificates that could lead to a denial-of-service attack.
+  This vulnerability has been registered as CVE-2022-40617.
+
+- The pki --scep|--scepca commands support the HTTP-based "Simple Certificate
+  Enrollment Protocol" (RFC 8894 SCEP) replacing the old and long deprecated
+  scepclient that has been removed.
+
+- The pki --est|estca commands support the HTTPS-based "Enrollment over Secure
+  Transport" (RFC 7030 EST) protocol.
+
+- The pki --req command can create a certificate request based on an existing
+  PKCS#10 template by replacing the public key and re-generating the signature
+  with the new private key.
+
+- For IKEv2, the ike_updown() "up" event and the state change to IKE_ESTABLISHED
+  are now triggered after all IKE-related tasks are done.
+
+- The ike_cfg_t object is now always replaced together with the peer_cfg_t
+  object that's set on an IKE_SA during authentication.
+
+- The gcm plugin has been enabled by default, so that the TLS 1.3 unit tests
+  can be completed successfully with just the default plugins.
+
+- The socket plugins don't set the SO_REUSEADDR option anymore on the IKE UDP
+  sockets, so an error is triggered if e.g. two daemons (e.g. charon and
+  charon-systemd) are running concurrently using the same ports.
+
+- The charon.rsa_pss_trailerfield setting generates an algorithmIdentifier with
+  explicit trailerField.
+
+
+strongswan-5.9.7
+----------------
+
+- The IKEv2 key derivation is now delayed until the keys are actually needed for
+  the next message. Instead of deriving the keys while processing an IKE_SA_INIT
+  request, it's delayed until the corresponding IKE_AUTH request is received.
+  DH implementations now must do costly public key validation and the key
+  derivation in get_shared_secret().
+
+- Inbound IKEv2 messages are not parsed immediately anymore, instead we first
+  check a request's MID and compare its hash to that of the previous request to
+  decide if it's a valid retransmit (for fragmented message we only keep track
+  of the first fragment, so we don't have to wait for all fragments and
+  reconstruct the message, which we did before).
+
+- The retransmission logic in the dhcp plugin has been fixed so that four
+  retransmits are sent per DHCP request over a total of 15 seconds (previously,
+  it could happen that all were sent within the same second without any time
+  to actually wait for a response).
+
+- The connmark plugin now considers configured masks in installed firewall
+  rules, which allows using the upper parts of the mark value for other
+  purposes.  Just consider that the daemon might have to be restarted regularly
+  to reset the global unique mark counter as that's unaware of any masks.
+
+- Child config selection has been improved as responder in cases where multiple
+  children use transport mode traffic selectors.
+
+- The outbound SA/policy is now also removed after IKEv1 CHILD_SA rekeyings.
+
+- The openssl plugin supports AES and Camellia in CTR mode.
+
+
 strongswan-5.9.6
 ----------------
 
@@ -90,7 +476,7 @@ strongswan-5.9.4
   salt lengths.
   This vulnerability has been registered as CVE-2021-41990.
 
-- Fixed a denial-of-service vulnerabililty in the in-memory certificate cache
+- Fixed a denial-of-service vulnerability in the in-memory certificate cache
   if certificates are replaced and a very large random value caused an integer
   overflow.
   This vulnerability has been registered as CVE-2021-41991.
@@ -1502,7 +1888,7 @@ strongswan-5.0.3
   PT-TLS (RFC 6876), a Posture Transport Protocol over TLS.
 
 - The charon systime-fix plugin can disable certificate lifetime checks on
-  embedded systems if the system time is obviously out of sync after bootup.
+  embedded systems if the system time is obviously out of sync after boot-up.
   Certificates lifetimes get checked once the system time gets sane, closing
   or reauthenticating connections using expired certificates.
 

README.md

@@ -566,7 +566,7 @@ to generate a traditional 3072 bit RSA key and store it in binary DER format.
 As an alternative a **TPM 2.0** *Trusted Platform Module* available on every
 recent Intel platform could be used as a virtual smartcard to securely store an
 RSA or ECDSA private key. For details, refer to the TPM 2.0
-[HOWTO](https://docs.strongswan.org/docs/5.9/tpm/tpm2.html).
+[HOWTO](https://docs.strongswan.org/docs/latest/tpm/tpm2.html).
 
 In a next step the command
 

conf/Makefile.am

@@ -16,11 +16,11 @@ options = \
 	options/charon-systemd.opt \
 	options/imcv.opt \
 	options/imv_policy_manager.opt \
+	options/iptfs.opt \
 	options/manager.opt \
 	options/medsrv.opt \
 	options/pki.opt \
 	options/pool.opt \
-	options/scepclient.opt \
 	options/starter.opt \
 	options/swanctl.opt \
 	options/tnc.opt \
@@ -32,7 +32,6 @@ plugins = \
 	plugins/android_log.opt \
 	plugins/attr.opt \
 	plugins/attr-sql.opt \
-	plugins/bliss.opt \
 	plugins/botan.opt \
 	plugins/bypass-lan.opt \
 	plugins/certexpire.opt \
@@ -78,8 +77,8 @@ plugins = \
 	plugins/kernel-pfroute.opt \
 	plugins/load-tester.opt \
 	plugins/lookip.opt \
-	plugins/ntru.opt \
 	plugins/openssl.opt \
+	plugins/openxpki.opt \
 	plugins/osx-attr.opt \
 	plugins/p-cscf.opt \
 	plugins/pkcs11.opt \

conf/format-options.py

@@ -55,14 +55,6 @@ man pages) the following format can be used:
 
 full.section.name.include files/to/include
 	Description of this include statement
-
-Dots in section/option names may be escaped with a backslash.  For instance,
-with the following section description
-
-charon.filelog./var/log/daemon\.log {}
-	Section to define logging into /var/log/daemon.log
-
-/var/log/daemon.log will be the name of the last section.
 """
 
 import sys
@@ -74,10 +66,10 @@ from functools import cmp_to_key, total_ordering
 @total_ordering
 class ConfigOption:
 	"""Representing a configuration option or described section in strongswan.conf"""
-	def __init__(self, path, default = None, section = False, commented = False, include = False):
-		self.path = path
-		self.name = path[-1]
-		self.fullname = '.'.join(path)
+	def __init__(self, fullname, default = None, section = False, commented = False, include = False):
+		self.path = fullname.split('.')
+		self.name = self.path[-1]
+		self.fullname = fullname
 		self.default = default
 		self.section = section
 		self.commented = commented
@@ -141,8 +133,7 @@ class Parser:
 		if m:
 			if self.__current:
 				self.__add_option(self.__current)
-			path = self.__split_name(m.group('name'))
-			self.__current = ConfigOption(path, m.group('default'),
+			self.__current = ConfigOption(m.group('name'), m.group('default'),
 										  commented = not m.group('assign'))
 			return
 		# section definition
@@ -150,8 +141,7 @@ class Parser:
 		if m:
 			if self.__current:
 				self.__add_option(self.__current)
-			path = self.__split_name(m.group('name'))
-			self.__current = ConfigOption(path, section = True,
+			self.__current = ConfigOption(m.group('name'), section = True,
 										  commented = m.group('comment'))
 			return
 		# include definition
@@ -159,8 +149,7 @@ class Parser:
 		if m:
 			if self.__current:
 				self.__add_option(self.__current)
-			path = self.__split_name(m.group('name'))
-			self.__current = ConfigOption(path, m.group('pattern'), include = True)
+			self.__current = ConfigOption(m.group('name'), m.group('pattern'), include = True)
 			return
 		# paragraph separator
 		m = re.match(r'^\s*$', line)
@@ -171,10 +160,6 @@ class Parser:
 		if m and self.__current:
 			self.__current.add(m.group('text'))
 
-	def __split_name(self, name):
-		"""Split the given full name in a list of section/option names"""
-		return [x.replace('\.', '.') for x in re.split(r'(?<!\\)\.', name)]
-
 	def __add_option(self, option):
 		"""Adds the given option to the abstract storage"""
 		option.desc = [desc for desc in option.desc if len(desc)]
@@ -194,12 +179,14 @@ class Parser:
 		"""Searches/Creates the option (section) based on a list of section names"""
 		option = None
 		options = self.options
-		for i, name in enumerate(path, 1):
+		fullname = ""
+		for name in path:
+			fullname += '.' + name if len(fullname) else name
 			option = next((x for x in options if x.name == name and x.section), None)
 			if not option:
 				if not create:
 					break
-				option = ConfigOption(path[:i], section = True)
+				option = ConfigOption(fullname, section = True)
 				options.append(option)
 				if self.sort:
 					options.sort()
@@ -208,7 +195,7 @@ class Parser:
 
 	def get_option(self, name):
 		"""Retrieves the option with the given name"""
-		return self.__get_option(self.__split_name(name))
+		return self.__get_option(name.split('.'))
 
 class TagReplacer:
 	"""Replaces formatting tags in text"""
@@ -254,6 +241,7 @@ class GroffTagReplacer(TagReplacer):
 			if not punct:
 				punct = ''
 			text = re.sub(r'[\r\n\t]', ' ', m.group('text'))
+			text = re.sub(r'"', '""', text)
 			return '{0}.R{1} "{2}" "{3}" "{4}"\n'.format(nl, format, brack, text, punct)
 		return replacer
 
@@ -318,7 +306,8 @@ class ManFormatter:
 	def __groffize(self, text):
 		"""Encode text as groff text"""
 		text = self.__tags.replace(text)
-		text = re.sub(r'(?<!\\)-', r'\\-', text)
+		text = re.sub(r'\\(?!-)', '\\[rs]', text)
+		text = re.sub(r'(?<!\\)-', '\\-', text)
 		# remove any leading whitespace
 		return re.sub(r'^\s+', '', text, flags = re.MULTILINE)
 

conf/options/charon-logging.opt

@@ -26,8 +26,18 @@ charon.filelog.<name>.flush_line = no
 	Enabling this option disables block buffering and enables line buffering.
 
 charon.filelog.<name>.ike_name = no
-	Prefix each log entry with the connection name and a unique numerical
-	identifier for each IKE_SA.
+	Add the connection name and a unique numerical identifier for the current
+	IKE_SA to each log entry if available.
+
+charon.filelog.<name>.json = no
+	If enabled, each log entry is written to the file as a JSON object.
+
+	Enables writing each log entry as a JSON object to the file. The properties
+	are "time" (if `time_format` is set), "thread", "group", "level" and "msg".
+	Newlines, double quotes and backslashes are escaped in the latter. If
+	`ike_name` is enabled, "ikesa-uniqueid" and "ikesa-name" are added to the
+	object if available. The `log_level` option does not apply if this is
+	enabled.
 
 charon.filelog.<name>.log_level = no
 	Add the log level of each message after the subsystem (e.g. [IKE2]).
@@ -36,9 +46,10 @@ charon.filelog.<name>.time_format
 	Prefix each log entry with a timestamp. The option accepts a format string
 	as passed to **strftime**(3).
 
-charon.filelog.<name>.time_add_ms = no
-	Adds the milliseconds within the current second after the timestamp
-	(separated by a dot, so _time_format_ should end with %S or %T).
+charon.filelog.<name>.time_precision =
+	Add the milliseconds (_ms_) or microseconds (_us_) within the current second
+	after the timestamp (separated by a dot, so _time_format_ should end
+	with %S or %T). By default, nothing is added.
 
 charon.syslog {}
 	Section to define syslog loggers, see LOGGER CONFIGURATION in

conf/options/charon-nm.opt

@@ -1,3 +1,55 @@
+charon-nm {}
+	Section with settings specific to the NetworkManager backend `charon-nm`.
+	Settings from the `charon` section are not inherited, but many can be used
+	here as well. Defaults for some settings are chosen very deliberately and
+	should only be changed in case of conflicts.
+
 charon-nm.ca_dir = <default>
 	Directory from which to load CA certificates if no certificate is
 	configured.
+
+charon-nm.install_virtual_ip_on = lo
+	Interface on which virtual IP addresses are installed. Note that NM
+	also installs the virtual IPs on the XFRM interface.
+
+charon-nm.mtu = 1400
+	MTU for XFRM interfaces created by the NM plugin.
+
+charon-nm.port = 0
+	Source port when sending packets to port 500. Defaults to an ephemeral
+	port. May be set to 500 if firewall rules require a static port.
+
+charon-nm.port_nat_t = 0
+	Source port when sending packets to port 4500 or a custom server port.
+	Defaults to an ephemeral port. May be set to e.g. 4500 if firewall rules
+	require a static port.
+
+charon-nm.retransmit_base = 1.4
+	Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION
+	in **strongswan.conf**(5). Default retransmission settings for charon-nm are
+	deliberately lower to fail and possibly reestablish SAs more quickly.
+
+charon-nm.retransmit_timeout = 2.0
+	Timeout in seconds before sending first retransmit.
+
+charon-nm.retransmit_tries = 3
+	Number of times to retransmit a packet before giving up.
+
+charon-nm.routing_table = 210
+	Table where routes via XFRM interface are installed. Should be different
+	than the table used for the regular IKE daemon due to the mark.
+
+charon-nm.routing_table_prio = 210
+	Priority of the routing table. Higher than the default priority used for the
+	regular IKE daemon.
+
+charon-nm.plugins.kernel-netlink.fwmark = !210
+	Make packets with this mark ignore the routing table. Must be the same mark
+	set in charon-nm.plugins.socket-default.fwmark.
+
+charon-nm.plugins.socket-default.fwmark = 210
+	Mark applied to IKE and ESP packets to ignore the routing table and avoid
+	routing loops when using XFRM interfaces.
+
+charon-nm.syslog.daemon.default = 1
+	Default to logging via syslog's daemon facility on level 1.

conf/options/charon.opt

@@ -38,8 +38,8 @@ charon.cert_cache = yes
 charon.cache_crls = no
 	Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP should
 	be saved under a unique file name derived from the public key of the
-	Certification Authority (CA) to **/etc/ipsec.d/crls** (stroke) or
-	**/etc/swanctl/x509crl** (vici), respectively.
+	Certification Authority (CA) to **${sysconfdir}/ipsec.d/crls** (stroke) or
+	**${sysconfdir}/swanctl/x509crl** (vici), respectively.
 
 charon.check_current_path = no
 	Whether to use DPD to check if the current path still works after any
@@ -154,8 +154,16 @@ charon.fragment_size = 1280
 	Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
 	when using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults
 	to 1280 (use 0 for address family specific default values, which uses a
-	lower value for IPv4).  If specified this limit is used for both IPv4 and
-	IPv6.
+	lower value for IPv4).  Unless overridden, this limit is used for both IPv4
+	and IPv6 if specified.
+
+charon.fragment_size_v4 = charon.fragment_size
+	Maximum size (complete IPv4 datagram size in bytes) of a sent IKE fragment
+	when using proprietary IKEv1 or standardized IKEv2 fragmentation.
+
+charon.fragment_size_v6 = charon.fragment_size
+	Maximum size (complete IPv6 datagram size in bytes) of a sent IKE fragment
+	when using proprietary IKEv1 or standardized IKEv2 fragmentation.
 
 charon.group
 	Name of the group the daemon changes to after startup.
@@ -283,7 +291,7 @@ charon.max_ikev1_exchanges = 3
 charon.max_packet = 10000
 	Maximum packet size accepted by charon.
 
-charon.make_before_break = no
+charon.make_before_break = yes
 	Initiate IKEv2 reauthentication with a make-before-break scheme.
 
 	Initiate IKEv2 reauthentication with a make-before-break instead of a
@@ -302,6 +310,13 @@ charon.nbns1
 charon.nbns2
 	WINS servers assigned to peer via configuration payload (CP).
 
+charon.ocsp_nonce_len = 32
+	Length of nonces in OCSP requests (1-32).
+
+	Length of nonces in OCSP requests. According to RFC 8954, valid values are
+	between 1 and 32, with new clients required to use 32. Some servers might
+	not support that so lowering the value to e.g. 16 might be necessary.
+
 charon.port = 500
 	UDP port used locally. If set to 0 a random port will be allocated.
 
@@ -372,9 +387,16 @@ charon.receive_delay_request = yes
 charon.receive_delay_type = 0
 	Specific IKEv2 message type to delay, 0 for any.
 
+charon.reject_trusted_end_entity = no
+	Reject peers that use trusted end-entity certificates (i.e. local
+	certificates).
+
 charon.replay_window = 32
 	Size of the AH/ESP replay window, in packets.
 
+charon.reqid_base = 1
+	Value of the first reqid to be automatically assigned to a CHILD_SA.
+
 charon.retransmit_base = 1.8
 	Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION
 	in **strongswan.conf**(5).
@@ -392,7 +414,7 @@ charon.retransmit_jitter = 0
 charon.retransmit_limit = 0
 	Upper limit in seconds for calculated retransmission timeout (0 to disable).
 
-charon.retry_initiate_interval = 0
+charon.retry_initiate_interval = 0s
 	Interval in seconds to use when retrying to initiate an IKE_SA (e.g. if DNS
 	resolution failed), 0 to disable retries.
 
@@ -408,6 +430,10 @@ charon.routing_table_prio
 charon.rsa_pss = no
 	Whether to use RSA with PSS padding instead of PKCS#1 padding by default.
 
+charon.rsa_pss_trailerfield = no
+	Whether to encode an explicit trailerField value of 0x01 in the RSA-PSS
+	algorithmIdentifier (CONTEXT3) or using the DEFAULT value by omitting it.
+
 charon.send_delay = 0
 	Delay in ms for sending packets, to simulate larger RTT.
 

conf/options/iptfs.opt

@@ -0,0 +1,38 @@
+charon.iptfs {}
+	Global settings for IP-TFS (RFC 9347). The Linux kernel supports this mode
+	since 6.14. However, it currently only supports aggregation/fragmentation of
+	tunneled IP packets in ESP/AGGFRAG packets. It doesn't yet support other
+	IP-TFS features like sending packets at a constant rate or congestion control.
+
+charon.iptfs.drop_time = 1000000
+	Time in microseconds to wait for out-of-order packets when processing
+	inbound traffic.
+
+charon.iptfs.reorder_window = 3
+	Number of packets that may arrive out of order when processing inbound
+	traffic.
+
+charon.iptfs.init_delay = 0
+	Time in microseconds to wait for subsequent packets to aggregate together
+	when sending outbound traffic. Only relevant if no packets are already
+	queued to be sent.
+
+charon.iptfs.max_queue_size = 1048576
+	Maximum number of bytes allowed to be queued for sending on the tunnel
+	(default 1 MiB). If the queue is full, packets are dropped.
+
+charon.iptfs.packet_size = 0
+	Maximum outer packet size (layer 3) when sending packets. The default of 0
+	will use the PMTU as packet size. Note that the kernel currently doesn't
+	pad smaller packets.
+
+charon.iptfs.accept_fragments = yes
+	Whether fragments of inner packets across multiple AGGFRAG payloads are
+	accepted. This is an IKEv2 option, so if the peer doesn't adhere to this
+	request and still sends such fragments, they will be processed by the
+	kernel.
+
+charon.iptfs.dont_frag = no
+	Force disabling fragmenting inner packets across multiple AGGFRAG payloads
+	when sending outbound traffic (fragmentation is automatically disabled if
+	the peer indicates that it doesn't support handling such packets).

conf/options/pki.opt

@@ -1,2 +1,12 @@
 pki.load =
-	Plugins to load in ipsec pki tool.
+	Plugins to load in the pki tool.
+
+pki.scep.http_bind
+	Source IP address to bind for HTTP operations.
+
+pki.scep.http_timeout = 30s
+	Timeout for HTTP operations.
+
+pki.scep.renewal_via_pkcs_req = no
+	Some SCEP servers (e.g. openxpki) are incorrectly doing certificate renewal
+	via messageType PKCSReq (19) instead of RenewalReq (17).

conf/options/scepclient.opt

@@ -1,2 +0,0 @@
-scepclient.load =
-	Plugins to load in ipsec scepclient tool.

conf/plugins/bliss.opt

@@ -1,2 +0,0 @@
-charon.plugins.bliss.use_bliss_b = yes
-	Use the enhanced BLISS-B key generation and signature algorithm.

conf/plugins/curl.opt

@@ -1,3 +1,11 @@
 charon.plugins.curl.redir = -1
 	Maximum number of redirects followed by the plugin, set to 0 to disable
 	following redirects, set to -1 for no limit.
+
+charon.plugins.curl.tls_backend =
+	The SSL/TLS backend to configure in curl if multiple are available.
+
+	The SSL/TLS backend to configure in curl if multiple are available (requires
+	libcurl 7.56 or newer). A list of available options is logged on level 2 if
+	nothing is configured. Similar but on level 1 if the selected backend isn't
+	available.

conf/plugins/dhcp.opt

@@ -36,3 +36,13 @@ charon.plugins.dhcp.interface
 	Interface name the plugin uses for address allocation. The default is to
 	bind to any (0.0.0.0) and let the system decide which way to route the
 	packets to the DHCP server.
+
+charon.plugins.dhcp.interface_receive = charon.plugins.dhcp.interface
+	Interface name the plugin uses to bind its receive socket.
+
+	Interface name the plugin uses to bind its receive socket. The default is
+	to use the same interface as the send socket. Set it to the empty string
+	to avoid binding the receive socket to any interface while the send socket
+	is bound to one. If the	server runs on the same host and the send socket is
+	bound to an interface, it might be necessary to set this to `lo` or the
+	empty string.

conf/plugins/eap-peap.opt

@@ -11,7 +11,8 @@ charon.plugins.eap-peap.phase2_method = mschapv2
 	Phase2 EAP client authentication method.
 
 charon.plugins.eap-peap.phase2_piggyback = no
-	Phase2 EAP Identity request piggybacked by server onto TLS Finished message.
+	Phase2 EAP Identity request piggybacked by server onto TLS Finished message,
+	relevant only if TLS 1.2 or earlier is negotiated.
 
 charon.plugins.eap-peap.phase2_tnc = no
 	Start phase2 EAP TNC protocol after successful client authentication.

conf/plugins/eap-radius.opt

@@ -5,7 +5,7 @@ charon.plugins.eap-radius.accounting_close_on_timeout = yes
 	Close the IKE_SA if there is a timeout during interim RADIUS accounting
 	updates.
 
-charon.plugins.eap-radius.accounting_interval = 0
+charon.plugins.eap-radius.accounting_interval = 0s
 	Interval in seconds for interim RADIUS accounting updates, if not specified
 	by the RADIUS server in the Access-Accept message.
 
@@ -84,6 +84,9 @@ charon.plugins.eap-radius.secret =
 charon.plugins.eap-radius.server =
 	IP/Hostname of RADIUS server.
 
+charon.plugins.eap-radius.source =
+	Optional specific source IP to use.
+
 charon.plugins.eap-radius.retransmit_base = 1.4
 	Base to use for calculating exponential back off.
 
@@ -96,12 +99,12 @@ charon.plugins.eap-radius.retransmit_tries = 4
 charon.plugins.eap-radius.servers {}
 	Section to specify multiple RADIUS servers.
 
-	Section to specify multiple RADIUS servers. The **nas_identifier**,
-	**secret**, **sockets** and **port** (or **auth_port**) options can be
-	specified for each server. A server's IP/Hostname can be configured using
-	the **address** option. The **acct_port** [1813] option can be used to
-	specify the port used for RADIUS accounting. For each RADIUS server a
-	priority can be specified using the **preference** [0] option. The
+	Section to specify multiple RADIUS servers. The **source**,
+	**nas_identifier**,	**secret**, **sockets** and **port** (or **auth_port**)
+	options can be specified for each server. A server's IP/Hostname can be
+	configured using the **address** option. The **acct_port** [1813] option can
+	be used to specify the port used for RADIUS accounting. For each RADIUS
+	server a priority can be specified using the **preference** [0] option. The
 	retransmission time for each server can set set using **retransmit_base**,
 	**retransmit_timeout** and **retransmit_tries**.
 

conf/plugins/kernel-libipsec.opt

@@ -5,3 +5,10 @@ charon.plugins.kernel-libipsec.allow_peer_ts = no
 	installed for such traffic (via TUN device) usually prevents further IKE
 	traffic. The fwmark options for the _kernel-netlink_ and _socket-default_
 	plugins can be used to circumvent that problem.
+
+charon.plugins.kernel-libipsec.fwmark = charon.plugins.socket-default.fwmark
+	Firewall mark to set on outbound raw ESP packets.
+
+charon.plugins.kernel-libipsec.raw_esp = no
+	Whether to send and receive ESP packets without UDP encapsulation if
+	supported on this platform and no NAT is detected.

conf/plugins/kernel-netlink.opt

@@ -1,14 +1,6 @@
 charon.plugins.kernel-netlink.buflen = <min(PAGE_SIZE, 8192)>
 	Buffer size for received Netlink messages.
 
-charon.plugins.kernel-netlink.force_receive_buffer_size = no
-	Force maximum Netlink receive buffer on Netlink socket.
-
-	If the maximum Netlink socket receive buffer in bytes set by
-	_receive_buffer_size_ exceeds the system-wide maximum from
-	/proc/sys/net/core/rmem_max, this option can be used to override the limit.
-	Enabling this option requires special privileges (CAP_NET_ADMIN).
-
 charon.plugins.kernel-netlink.fwmark =
 	Firewall mark to set on the routing rule that directs traffic to our routing
 	table.
@@ -28,6 +20,16 @@ charon.plugins.kernel-netlink.hw_offload_feature_interface = lo
 	cannot be used to obtain the appropriate feature flag, this option can
 	be used to specify an alternative interface for offload feature detection.
 
+charon.plugins.kernel-netlink.install_routes_xfrmi = no
+	Whether to install routes for SAs that reference XFRM interfaces.
+
+	Whether routes via XFRM interfaces are automatically installed for SAs that
+	reference such an interface via _if_id_out_.  If the traffic selectors
+	include the IKE traffic to the peer, this requires special care (e.g.
+	installing bypass policies and/or routes, or setting a mark on the IKE
+	socket and excluding such packets from the configured routing table via
+	_fwmark_ option).
+
 charon.plugins.kernel-netlink.mss = 0
 	MSS to set on installed routes, 0 to disable.
 
@@ -64,14 +66,16 @@ charon.plugins.kernel-netlink.process_rules = no
 	currently only useful if the kernel based route lookup is used (i.e. if
 	route installation is disabled or an inverted fwmark match is configured).
 
-charon.plugins.kernel-netlink.receive_buffer_size = 0
+charon.plugins.kernel-netlink.receive_buffer_size = 8388608
 	Maximum Netlink socket receive buffer in bytes.
 
 	Maximum Netlink socket receive buffer in bytes. This value controls how many
-	bytes of Netlink messages can be received on a Netlink socket. The default
-	value is set by /proc/sys/net/core/rmem_default. The specified value cannot
-	exceed the system-wide maximum from /proc/sys/net/core/rmem_max, unless
-	_force_receive_buffer_size_	is enabled.
+	bytes of Netlink messages can be queued to a Netlink socket. If set to 0,
+	the default from /proc/sys/net/core/rmem_default will apply. Note that the
+	kernel doubles the configured value to account for overhead. To exceed the
+	system-wide	maximum from /proc/sys/net/core/rmem_max, special privileges
+	(CAP_NET_ADMIN) are necessary, otherwise, the kernel silently caps the
+	value.
 
 charon.plugins.kernel-netlink.roam_events = yes
 	Whether to trigger roam events when interfaces, addresses or routes change.

conf/plugins/ntru.opt

@@ -1,4 +0,0 @@
-charon.plugins.ntru.parameter_set = optimum
-	The following parameter sets are available: **x9_98_speed**,
-	**x9_98_bandwidth**, **x9_98_balance** and **optimum**, the last set not
-	being part of the X9.98 standard but having the best performance.

conf/plugins/openxpki.opt

@@ -0,0 +1,4 @@
+charon.plugins.openxpki.database =
+	Database URI connecting to the OpenXPKI **certificate** database. If it
+	contains a password, make sure to adjust the permissions of the config
+	file accordingly.

conf/plugins/pkcs11.opt

@@ -30,3 +30,8 @@ charon.plugins.pkcs11.use_pubkey = no
 
 charon.plugins.pkcs11.use_rng = no
 	Whether the PKCS#11 modules should be used as RNG.
+
+charon.plugins.pkcs11.use_rsa_pss_hashers = no
+	Whether the PKCS#11 modules should try to use internal hashing for RSA-PSS
+	signatures (some PKCS#11 libraries don't implement internal hashing
+	in conjunction with RSA-PSS correctly).

conf/plugins/resolve.opt

@@ -1,11 +1,20 @@
 charon.plugins.resolve.file = /etc/resolv.conf
-	File where to add DNS server entries.
+	File where to add DNS server entries if not using resolvconf(8).
 
-charon.plugins.resolve.resolvconf.iface_prefix = lo.inet.ipsec.
-	Prefix used for interface names sent to resolvconf(8).
+charon.plugins.resolve.resolvconf.iface = lo.ipsec
+	Interface name/protocol sent to resolvconf(8).
 
-	Prefix used for interface names sent to **resolvconf**(8). The nameserver
-	address is appended to this prefix to make it unique.  The result has to be
-	a valid interface name according to the rules defined by resolvconf.  Also,
-	it should have a high priority according to the order defined in
-	**interface-order**(5).
+	The interface name and protocol sent to **resolvconf**(8). This has to be a
+	valid interface name according to the rules defined by resolvconf.  Also, it
+	should have a high priority according to the order defined in
+	**interface-order**(5) if relevant on the system.
+
+charon.plugins.resolve.resolvconf.path = /sbin/resolvconf
+	Path/command for resolvconf(8).
+
+	Path/command for **resolvconf**(8). The command is executed by a shell, so
+	"resolvconf" will work if it's in $PATH of the daemon.
+
+	If not configured, **resolvconf**(8) will be used if found at the default
+	location.  Otherwise, the file in _charon.plugins.resolve.file_ will be
+	modified directly.

conf/plugins/revocation.opt

@@ -4,4 +4,5 @@ charon.plugins.revocation.enable_ocsp = yes
 charon.plugins.revocation.enable_crl = yes
 	Whether CRL validation should be enabled.
 
-
+charon.plugins.revocation.timeout = 10s
+	Timeout used when fetching OCSP/CRL.

conf/plugins/unbound.opt

@@ -1,7 +1,7 @@
 charon.plugins.unbound.resolv_conf = /etc/resolv.conf
 	File to read DNS resolver configuration from.
 
-charon.plugins.unbound.trust_anchors = /etc/ipsec.d/dnssec.keys
+charon.plugins.unbound.trust_anchors = ${sysconfdir}/ipsec.d/dnssec.keys
 	File to read DNSSEC trust anchors from (usually root zone KSK).
 
 	File to read DNSSEC trust anchors from (usually root zone KSK). The format

conf/strongswan.conf.5.head.in

@@ -59,6 +59,27 @@ An example file in this format might look like this:
 .PP
 Indentation is optional, you may use tabs or spaces.
 
+.SH NUMBER FORMATS
+Options that define an integer value can be specified as decimal (the default)
+or hexadecimal ("0x" prefix, upper- or lowercase letters are accepted).
+Locale-dependent strings (e.g. the thousands separator of the current locale)
+may also be accepted in locales other than "C".
+.PP
+Options that define a floating-point value can be specified as decimal (the
+default) or hexadecimal ("0x" prefix, upper- or lowercase letters are accepted).
+The radix character (decimal separator) in either case is locale-dependent,
+usually ".".
+
+.SH TIME FORMATS
+Unless stated otherwise, options that define a time are specified in seconds.
+The "s", "m", "h" and "d" suffixes may be used to automatically convert values
+given in seconds, minutes, hours or days (for instance, instead of configuring
+a rekey time of 4 hours as "14400" seconds, "4h" may be used).
+.PP
+There are some global options that don't accept these suffixes as they are
+configured as integer values in seconds or milliseconds, or even as
+floating-point numbers (e.g. the retransmission timeout). Options that accept
+the suffixes have a corresponding default value.
 
 .SH REFERENCING OTHER SECTIONS
 It is possible to inherit settings and sections from another section. This

conf/strongswan.conf.5.tail.in

@@ -458,6 +458,7 @@ The variables used above are configured as follows:
 .na
 ${piddir}               @piddir@
 ${prefix}               @prefix@
+${sysconfdir}           @sysconfdir@
 ${random_device}        @random_device@
 ${urandom_device}       @urandom_device@
 .ad
@@ -467,18 +468,19 @@ ${urandom_device}       @urandom_device@
 .
 .nf
 .na
-/etc/strongswan.conf       configuration file
-/etc/strongswan.d/         directory containing included config snippets
-/etc/strongswan.d/charon/  plugin specific config snippets
+@sysconfdir@/strongswan.conf       configuration file
+@sysconfdir@/strongswan.d/         directory containing included config snippets
+@sysconfdir@/strongswan.d/charon/  plugin specific config snippets
 .ad
 .fi
 .
 .SH SEE ALSO
+\fBswanctl.conf\fR(5), \fBswanctl\fR(8),
 \fBipsec.conf\fR(5), \fBipsec.secrets\fR(5), \fBipsec\fR(8), \fBcharon-cmd\fR(8)
 
 .SH HISTORY
 Written for the
-.UR http://www.strongswan.org
+.UR https://www.strongswan.org
 strongSwan project
 .UE
 by Tobias Brunner, Andreas Steffen and Martin Willi.

configure.ac

@@ -1,6 +1,6 @@
 #
-# Copyright (C) 2007-2017 Tobias Brunner
-# Copyright (C) 2006-2019 Andreas Steffen
+# Copyright (C) 2007-2022 Tobias Brunner
+# Copyright (C) 2006-2022 Andreas Steffen
 # Copyright (C) 2006-2014 Martin Willi
 #
 # Copyright (C) secunet Security Networks AG
@@ -20,7 +20,7 @@
 #  initialize & set some vars
 # ============================
 
-AC_INIT([strongSwan],[5.9.7dr2])
+AC_INIT([strongSwan],[6.0.3dr1])
 AM_INIT_AUTOMAKE(m4_esyscmd([
 	echo tar-ustar
 	echo subdir-objects
@@ -33,21 +33,18 @@ AM_INIT_AUTOMAKE(m4_esyscmd([
 	esac
 ]))
 m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES])
-AC_CONFIG_MACRO_DIR([m4/config])
+AC_CONFIG_MACRO_DIRS([m4/config m4/macros])
 AC_CONFIG_HEADERS([config.h])
 AC_DEFINE([CONFIG_H_INCLUDED], [], [defined if config.h included])
 AC_DISABLE_STATIC
 PKG_PROG_PKG_CONFIG
 
-m4_include(m4/macros/split-package-version.m4)
 SPLIT_PACKAGE_VERSION
 
 # =================================
 #  check --enable-xxx & --with-xxx
 # =================================
 
-m4_include(m4/macros/with.m4)
-
 ARG_WITH_SUBST([random-device],      [/dev/random], [set the device to read real random data from])
 ARG_WITH_SUBST([urandom-device],     [/dev/urandom], [set the device to read pseudo random data from])
 ARG_WITH_SUBST([strongswan-conf],    [${sysconfdir}/strongswan.conf], [set the strongswan.conf file location])
@@ -70,7 +67,7 @@ ARG_WITH_SET([mpz_powm_sec],         [yes], [use the more side-channel resistant
 ARG_WITH_SET([dev-headers],          [no], [install strongSwan development headers to directory.])
 ARG_WITH_SET([printf-hooks],         [auto], [force the use of a specific printf hook implementation (auto, builtin, glibc, vstr).])
 ARG_WITH_SET([rubygemdir],           ["gem environment gemdir"], [path to install ruby gems to])
-ARG_WITH_SET([pythoneggdir],         ["main site-packages directory"], [path to install python eggs to to])
+ARG_WITH_SET([testable-ke],          [yes], [make key exchange implementations testable by providing a set_seed() method])
 
 if test -n "$PKG_CONFIG"; then
 	systemdsystemunitdir_default=$($PKG_CONFIG --variable=systemdsystemunitdir systemd)
@@ -129,42 +126,38 @@ fi
 # convert script name to uppercase
 AC_SUBST(ipsec_script_upper, [`echo -n "$ipsec_script" | tr a-z A-Z`])
 
-m4_include(m4/macros/enable-disable.m4)
-
 # crypto plugins
-ARG_DISBL_SET([aes],            [disable AES software implementation plugin.])
+ARG_ENABL_SET([aes],            [enable AES software implementation plugin.])
 ARG_ENABL_SET([af-alg],         [enable AF_ALG crypto interface to Linux Crypto API.])
-ARG_ENABL_SET([bliss],          [enable BLISS software implementation plugin.])
 ARG_ENABL_SET([blowfish],       [enable Blowfish software implementation plugin.])
 ARG_ENABL_SET([botan],          [enables the Botan crypto plugin.])
 ARG_ENABL_SET([ccm],            [enables the CCM AEAD wrapper crypto plugin.])
 ARG_ENABL_SET([chapoly],        [enables the ChaCha20/Poly1305 AEAD plugin.])
 ARG_DISBL_SET([cmac],           [disable CMAC crypto implementation plugin.])
 ARG_ENABL_SET([ctr],            [enables the Counter Mode wrapper crypto plugin.])
-ARG_DISBL_SET([des],            [disable DES/3DES software implementation plugin.])
+ARG_ENABL_SET([des],            [enable DES/3DES software implementation plugin.])
 ARG_DISBL_SET([drbg],           [disable the NIST Deterministic Random Bit Generator plugin.])
-ARG_DISBL_SET([fips-prf],       [disable FIPS PRF software implementation plugin.])
-ARG_ENABL_SET([gcm],            [enables the GCM AEAD wrapper crypto plugin.])
+ARG_ENABL_SET([fips-prf],       [enable FIPS PRF software implementation plugin.])
+ARG_ENABL_SET([gcm],            [enable the GCM AEAD wrapper crypto plugin.])
 ARG_ENABL_SET([gcrypt],         [enables the libgcrypt plugin.])
-ARG_DISBL_SET([gmp],            [disable GNU MP (libgmp) based crypto implementation plugin.])
-ARG_DISBL_SET([curve25519],     [disable Curve25519 Diffie-Hellman plugin.])
-ARG_DISBL_SET([hmac],           [disable HMAC crypto implementation plugin.])
+ARG_ENABL_SET([gmp],            [enable GNU MP (libgmp) based crypto implementation plugin.])
+ARG_ENABL_SET([curve25519],     [enable Curve25519 Diffie-Hellman plugin.])
+ARG_ENABL_SET([hmac],           [enable HMAC crypto implementation plugin.])
 ARG_DISBL_SET([kdf],            [disable KDF (prf+) implementation plugin.])
 ARG_ENABL_SET([md4],            [enable MD4 software implementation plugin.])
-ARG_DISBL_SET([md5],            [disable MD5 software implementation plugin.])
+ARG_ENABL_SET([md5],            [enable MD5 software implementation plugin.])
 ARG_ENABL_SET([mgf1],           [enable the MGF1 software implementation plugin.])
-ARG_ENABL_SET([newhope],        [enable New Hope crypto plugin.])
+ARG_ENABL_SET([ml],             [enable Module-Lattice-based crypto (ML-KEM) plugin.])
 ARG_DISBL_SET([nonce],          [disable nonce generation plugin.])
-ARG_ENABL_SET([ntru],           [enables the NTRU crypto plugin.])
-ARG_ENABL_SET([openssl],        [enables the OpenSSL crypto plugin.])
+ARG_DISBL_SET([openssl],        [disable the OpenSSL crypto plugin.])
 ARG_ENABL_SET([wolfssl],        [enables the wolfSSL crypto plugin.])
 ARG_ENABL_SET([padlock],        [enables VIA Padlock crypto plugin.])
 ARG_DISBL_SET([random],         [disable RNG implementation on top of /dev/(u)random.])
-ARG_DISBL_SET([rc2],            [disable RC2 software implementation plugin.])
+ARG_ENABL_SET([rc2],            [enable RC2 software implementation plugin.])
 ARG_ENABL_SET([rdrand],         [enable Intel RDRAND random generator plugin.])
 ARG_ENABL_SET([aesni],          [enable Intel AES-NI crypto plugin.])
-ARG_DISBL_SET([sha1],           [disable SHA1 software implementation plugin.])
-ARG_DISBL_SET([sha2],           [disable SHA256/SHA384/SHA512 software implementation plugin.])
+ARG_ENABL_SET([sha1],           [enable SHA1 software implementation plugin.])
+ARG_ENABL_SET([sha2],           [enable SHA256/SHA384/SHA512 software implementation plugin.])
 ARG_ENABL_SET([sha3],           [enable SHA3_224/SHA3_256/SHA3_384/SHA3_512 software implementation plugin.])
 ARG_DISBL_SET([xcbc],           [disable xcbc crypto implementation plugin.])
 # encoding/decoding plugins
@@ -174,10 +167,11 @@ ARG_DISBL_SET([pgp],            [disable PGP key decoding plugin.])
 ARG_DISBL_SET([pkcs1],          [disable PKCS1 key decoding plugin.])
 ARG_DISBL_SET([pkcs7],          [disable PKCS7 container support plugin.])
 ARG_DISBL_SET([pkcs8],          [disable PKCS8 private key decoding plugin.])
-ARG_DISBL_SET([pkcs12],         [disable PKCS12 container support plugin.])
+ARG_ENABL_SET([pkcs12],         [enable PKCS12 container support plugin.])
 ARG_DISBL_SET([pubkey],         [disable RAW public key support plugin.])
 ARG_DISBL_SET([sshkey],         [disable SSH key decoding plugin.])
 ARG_DISBL_SET([x509],           [disable X509 certificate implementation plugin.])
+ARG_ENABL_SET([openxpki],       [enable OCSP responder accessing OpenXPKI certificate database.])
 # fetcher/resolver plugins
 ARG_ENABL_SET([curl],           [enable CURL fetcher plugin to fetch files via libcurl. Requires libcurl.])
 ARG_ENABL_SET([files],          [enable simple file:// URI fetcher.])
@@ -236,10 +230,9 @@ ARG_DISBL_SET([socket-default], [disable default socket implementation for charo
 ARG_ENABL_SET([socket-dynamic], [enable dynamic socket implementation for charon])
 ARG_ENABL_SET([socket-win],     [enable Winsock2 based socket implementation for charon])
 # configuration/control plugins
-ARG_DISBL_SET([stroke],         [disable charons stroke configuration backend.])
+ARG_ENABL_SET([stroke],         [enable the stroke configuration backend.])
 ARG_ENABL_SET([smp],            [enable SMP configuration and control interface. Requires libxml.])
 ARG_ENABL_SET([sql],            [enable SQL database configuration backend.])
-ARG_ENABL_SET([uci],            [enable OpenWRT UCI configuration plugin.])
 ARG_DISBL_SET([vici],           [disable strongSwan IKE generic IPC interface plugin.])
 # attribute provider/consumer plugins
 ARG_ENABL_SET([android-dns],    [enable Android specific DNS handler.])
@@ -302,12 +295,12 @@ ARG_ENABL_SET([medcli],         [enable mediation client configuration database
 ARG_ENABL_SET([medsrv],         [enable mediation server web frontend and daemon plugin.])
 ARG_ENABL_SET([nm],             [enable NetworkManager backend.])
 ARG_DISBL_SET([pki],            [disable pki certificate utility.])
-ARG_DISBL_SET([scepclient],     [disable SCEP client tool.])
 ARG_DISBL_SET([scripts],        [disable additional utilities (found in directory scripts).])
 ARG_ENABL_SET([svc],            [enable charon Windows service.])
 ARG_ENABL_SET([systemd],        [enable systemd specific IKE daemon charon-systemd.])
 ARG_DISBL_SET([swanctl],        [disable swanctl configuration and control tool.])
 ARG_ENABL_SET([tkm],            [enable Trusted Key Manager support.])
+ARG_ENABL_SET([cert-enroll],    [enable automatic certificate enrollment via EST or SCEP.])
 # optional features
 ARG_ENABL_SET([bfd-backtraces], [use binutils libbfd to resolve backtraces for memory leaks and segfaults.])
 ARG_ENABL_SET([dbghelp-backtraces],[use dbghlp.dll on Windows to create and print backtraces for memory leaks and segfaults.])
@@ -319,21 +312,24 @@ ARG_ENABL_SET([mediation],      [enable IKEv2 Mediation Extension.])
 ARG_ENABL_SET([unwind-backtraces],[use libunwind to create backtraces for memory leaks and segfaults.])
 ARG_ENABL_SET([ruby-gems],      [enable build of provided ruby gems.])
 ARG_ENABL_SET([ruby-gems-install],[enable installation of provided ruby gems.])
-ARG_ENABL_SET([python-eggs],    [enable build of provided python eggs.])
-ARG_ENABL_SET([python-eggs-install],[enable installation of provided python eggs.])
+ARG_ENABL_SET([python-wheels],  [enable build of provided python wheels.])
+ARG_ENABL_SET([python-eggs],    [legacy alias for --enable-python-wheels.])
 ARG_ENABL_SET([perl-cpan],      [enable build of provided perl CPAN module.])
 ARG_ENABL_SET([perl-cpan-install],[enable installation of provided CPAN module.])
 ARG_ENABL_SET([selinux],        [enable SELinux support for labeled IPsec.])
 ARG_ENABL_SET([tss-trousers],   [enable the use of the TrouSerS Trusted Software Stack])
 ARG_ENABL_SET([tss-tss2],       [enable the use of the TSS 2.0 Trusted Software Stack])
+ARG_ENABL_SET([cert-enroll-timer],[enable installation of cert-enroll as a systemd timer.])
 
 # compile options
+ARG_ENABL_SET([asan],           [enable build with AddressSanitizer (ASan).])
 ARG_ENABL_SET([coverage],       [enable lcov coverage report generation.])
 ARG_ENABL_SET([git-version],    [use output of 'git describe' as version information in executables.])
 ARG_ENABL_SET([leak-detective], [enable malloc hooks to find memory leaks.])
 ARG_ENABL_SET([lock-profiler],  [enable lock/mutex profiling code.])
 ARG_ENABL_SET([log-thread-ids], [use thread ID, if available, instead of an incremented value starting from 1, to identify threads.])
 ARG_ENABL_SET([monolithic],     [build monolithic version of libstrongswan that includes all enabled plugins. Similarly, the plugins of charon are assembled in libcharon.])
+ARG_ENABL_SET([warnings],       [enable extended compiler warnings and -Werror (auto-enabled when building from the repository).])
 
 # ===================================
 #  option to disable default options
@@ -366,7 +362,7 @@ fi
 # ===========================
 
 if test -z "$CFLAGS"; then
-	CFLAGS="-g -O2 -Wall -Wno-format -Wno-format-security -Wno-pointer-sign"
+	CFLAGS="-g -O2"
 fi
 AC_SUBST(PLUGIN_CFLAGS)
 AC_PROG_CC
@@ -383,7 +379,7 @@ LT_INIT
 AC_PROG_INSTALL
 AC_PROG_EGREP
 AC_PROG_AWK
-AC_PROG_LEX
+AC_PROG_LEX(noyywrap)
 AC_PROG_YACC
 AM_PATH_PYTHON(,,[:])
 AC_PATH_PROG([PERL], [perl], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
@@ -452,7 +448,7 @@ if test x$tnc_imc = xtrue -o x$tnc_imv = xtrue -o x$tnccs_11 = xtrue -o x$tnccs_
 	tnc_tnccs=true;
 fi
 
-if test x$eap_tls = xtrue -o x$eap_ttls = xtrue -o x$eap_peap = xtrue -o x$tnc_tnccs = xtrue; then
+if test x$eap_tls = xtrue -o x$eap_ttls = xtrue -o x$eap_peap = xtrue -o x$tnc_tnccs = xtrue -o x$pki = xtrue; then
 	tls=true;
 fi
 
@@ -466,6 +462,10 @@ if test x$fips_prf = xtrue; then
 	fi
 fi
 
+if test x$pkcs12 = xtrue; then
+	rc2=true;
+fi
+
 if test x$swanctl = xtrue; then
 	vici=true
 fi
@@ -491,8 +491,8 @@ if test x$ruby_gems_install = xtrue; then
 	ruby_gems=true
 fi
 
-if test x$python_eggs_install = xtrue; then
-	python_eggs=true
+if test x$python_eggs = xtrue; then
+	python_wheels=true
 fi
 
 if test x$perl_cpan_install = xtrue; then
@@ -507,28 +507,51 @@ if test x$tpm = xtrue; then
 	tss_tss2=true
 fi
 
-if test x$gmp = xtrue -o x$ntru = xtrue -o x$bliss = xtrue; then
+if test x$gmp = xtrue; then
 	mgf1=true
 fi
 
-if test x$stroke = xtrue; then
+if test x$stroke = xtrue -o x$vici = xtrue; then
 	counters=true
 fi
 
+if test x$cert_enroll = xtrue; then
+	pki=true
+fi
+
 if test x$kdf = xfalse; then
+	openssl_hkdf=false
+	if test x$openssl = xtrue; then
+		AC_MSG_CHECKING(for OpenSSL >= 3.0 for HKDF)
+		AC_COMPILE_IFELSE(
+			[AC_LANG_PROGRAM(
+				[[#include <openssl/opensslv.h>]],
+				[[#if OPENSSL_VERSION_NUMBER < 0x30000000L && !defined(OPENSSL_IS_AWSLC)
+					#error OpenSSL version unusable
+				  #endif]])],
+			[AC_MSG_RESULT([yes]); openssl_hkdf=true],
+			[AC_MSG_RESULT([no])]
+		)
+	fi
 	if test x$aesni = xtrue -o x$cmac = xtrue -o x$xcbc = xtrue; then
 		AC_MSG_WARN(m4_normalize([
 			kdf plugin is required for possible use of PRF_AES128_XCBC/CMAC
 			by one of these plugins: aesni, cmac, xcbc]))
 		kdf=true
-	elif test x$botan = xfalse -a x$openssl = xfalse -a x$wolfssl = xfalse; then
+	elif test x$botan = xfalse -a x$openssl_hkdf = xfalse -a x$wolfssl = xfalse; then
 		AC_MSG_WARN(m4_normalize([
 			kdf plugin is required because none of the following plugins is
-			enabled: botan, openssl, wolfssl]))
+			enabled or usable: botan, openssl, wolfssl]))
 		kdf=true
 	fi
 fi
 
+# enable warnings and -Werror by default when building from the repo (check with
+# -e as .git is a file in worktrees)
+if test x$warnings_given = xfalse -a -e "$srcdir"/.git; then
+	warnings=true
+fi
+
 # ===========================================
 #  check required libraries and header files
 # ===========================================
@@ -581,6 +604,10 @@ AC_LINK_IFELSE(
 AC_SUBST(ATOMICLIB)
 
 LIBS=$saved_LIBS
+
+# Some platforms require explicit linking to use POSIX regular expressions
+AC_SEARCH_LIBS([regcomp], [regex], [AC_DEFINE([HAVE_REGEX], [], [have regcomp() etc.])])
+
 # ------------------------------------------------------
 
 AC_MSG_CHECKING(for dladdr)
@@ -699,6 +726,11 @@ AC_CHECK_HEADERS([netinet/ip6.h linux/fib_rules.h], [], [],
 	#include <sys/types.h>
 	#include <netinet/in.h>
 ])
+AC_CHECK_HEADERS([linux/vm_sockets.h], [have_vm_sockets=true], [],
+[
+	#include <sys/socket.h>
+])
+AM_CONDITIONAL(USE_VM_SOCKETS, [test "x$have_vm_sockets" = xtrue])
 
 AC_CHECK_MEMBERS([struct sockaddr.sa_len], [], [],
 [
@@ -737,7 +769,7 @@ AC_COMPILE_IFELSE(
 		  #include <sys/types.h>
 		  #include <sys/socket.h>
 		  #include <netinet/in.h>]],
-		[[struct in6_pktinfo pi;
+		[[struct in6_pktinfo pi = {};
 		  if (pi.ipi6_ifindex)
 		  {
 		    return 0;
@@ -1012,7 +1044,7 @@ if test x$unbound = xtrue; then
 fi
 
 if test x$soup = xtrue; then
-	PKG_CHECK_MODULES(soup, [libsoup-2.4])
+	PKG_CHECK_MODULES(soup, [libsoup-3.0])
 	AC_SUBST(soup_CFLAGS)
 	AC_SUBST(soup_LIBS)
 fi
@@ -1023,14 +1055,16 @@ if test x$xml = xtrue; then
 	AC_SUBST(xml_LIBS)
 fi
 
-if test x$systemd = xtrue; then
+if test x$systemd = xtrue -o x$cert_enroll_timer = xtrue; then
 	AC_MSG_CHECKING([for systemd system unit directory])
 	if test -n "$systemdsystemunitdir" -a "x$systemdsystemunitdir" != xno; then
 		AC_MSG_RESULT([$systemdsystemunitdir])
 	else
 		AC_MSG_ERROR([not found (try --with-systemdsystemunitdir)])
 	fi
+fi
 
+if test x$systemd = xtrue; then
 	PKG_CHECK_MODULES(systemd, [libsystemd >= 209],
 		[AC_SUBST(systemd_CFLAGS)
 		 AC_SUBST(systemd_LIBS)],
@@ -1162,7 +1196,7 @@ if test x$openssl = xtrue; then
 	if test "x$windows" = xtrue; then
 		openssl_lib=eay32
 		AC_CHECK_LIB([$openssl_lib],[EVP_CIPHER_CTX_new],[LIBS="$LIBS"],
-			[AC_MSG_RESULT([no]);openssl_lib=""],[$DLLIB])
+			[openssl_lib=""],[$DLLIB])
 	fi
 	if test -z "$openssl_lib"; then
 		openssl_lib=crypto
@@ -1200,15 +1234,10 @@ if test x$botan = xtrue; then
 	AC_SUBST(botan_LIBS)
 	saved_LIBS=$LIBS
 	LIBS="$botan_LIBS"
-	AC_CHECK_FUNCS(botan_rng_init_custom)
+	AC_CHECK_FUNCS(botan_rng_init_custom botan_pubkey_ecc_key_used_explicit_encoding)
 	LIBS=$saved_LIBS
 fi
 
-if test x$uci = xtrue; then
-	AC_CHECK_LIB([uci],[uci_alloc_context],[LIBS="$LIBS"],[AC_MSG_ERROR([UCI library libuci not found])],[])
-	AC_CHECK_HEADER([uci.h],,[AC_MSG_ERROR([UCI header uci.h not found!])])
-fi
-
 if test x$android_dns = xtrue; then
 	AC_CHECK_LIB([cutils],[property_get],[LIBS="$LIBS"],[AC_MSG_ERROR([Android library libcutils not found])],[])
 	AC_CHECK_HEADER([cutils/properties.h],,[AC_MSG_ERROR([Android header cutils/properties.h not found!])])
@@ -1316,14 +1345,16 @@ if test x$unwind_backtraces = xtrue; then
 	AC_SUBST(UNWINDLIB)
 fi
 
+if test "x$testable_ke" = xyes; then
+	AC_DEFINE([TESTABLE_KE], [1], [Define to 1 if key exchange methods should be testable.])
+fi
+
 AM_CONDITIONAL(USE_DEV_HEADERS, [test "x$dev_headers" != xno])
 if test x$dev_headers = xyes; then
 	dev_headers="$includedir/strongswan"
 fi
 AC_SUBST(dev_headers)
 
-CFLAGS="$CFLAGS -include `pwd`/config.h"
-
 if test x$tkm = xtrue; then
 	AC_PATH_PROG([GPRBUILD], [gprbuild], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
 	if test x$GPRBUILD = x; then
@@ -1341,7 +1372,7 @@ if test x$coverage = xtrue; then
 		AC_MSG_ERROR([genhtml not found])
 	fi
 
-	COVERAGE_CFLAGS="-fprofile-arcs -ftest-coverage"
+	COVERAGE_CFLAGS="-fprofile-arcs -ftest-coverage -fprofile-update=atomic"
 	COVERAGE_LDFLAGS="-fprofile-arcs"
 	AC_SUBST(COVERAGE_CFLAGS)
 	AC_SUBST(COVERAGE_LDFLAGS)
@@ -1374,6 +1405,27 @@ if test x$fuzzing = xtrue; then
 	esac
 fi
 
+if test x$asan = xtrue; then
+	# adding this here and not earlier or passed to the script avoids issues
+	# e.g. with libpthread (libasan provides stubs for its functions but no full
+	# implementation so configure does not detect that -lpthread is required
+	# when GCC is used, clang always adds -lpthread)
+	CFLAGS="$CFLAGS -fsanitize=address -fno-omit-frame-pointer"
+	# this is necessary so AddressSanitizer can resolve symbols e.g. for
+	# C++ exceptions that are used in libbotan
+	if test x$botan = xtrue; then
+		LDFLAGS="$LDFLAGS -lstdc++"
+	fi
+	if test x$openssl = xtrue; then
+		# we need to suppress some leaks with OpenSSL 3 as we don't deinitialze
+		# it properly
+		AC_SUBST(LSAN_OPTIONS, [suppressions=\${abs_top_srcdir}/.lsan.suppressions])
+		# use this instead of AM_TESTS_ENVIRONMENT as we don't use the parallel
+		# test harness
+		AC_SUBST(TESTS_ENVIRONMENT, ['export LSAN_OPTIONS="$(LSAN_OPTIONS)";'])
+	fi
+fi
+
 if test x$ruby_gems = xtrue; then
 	AC_PATH_PROG([GEM], [gem], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
 	if test x$GEM = x; then
@@ -1386,24 +1438,12 @@ if test x$ruby_gems = xtrue; then
 fi
 AM_CONDITIONAL(RUBY_GEMS_INSTALL, [test "x$ruby_gems_install" = xtrue])
 
-if test x$python_eggs = xtrue; then
+if test x$python_wheels = xtrue; then
 	PYTHON_PACKAGE_VERSION=`echo "$PACKAGE_VERSION" | $SED 's/dr/.dev/'`
 	AC_SUBST([PYTHON_PACKAGE_VERSION])
-	if test x$python_eggs_install = xtrue; then
-		AC_PATH_PROG([EASY_INSTALL], [easy_install], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
-		if test x$EASY_INSTALL = x; then
-			AC_MSG_ERROR(Python easy_install not found)
-		fi
-	fi
-	if test "x$pythoneggdir" = "xmain site-packages directory"; then
-		AC_SUBST(PYTHONEGGINSTALLDIR, "")
-	else
-		AC_SUBST(PYTHONEGGINSTALLDIR, "--install-dir $pythoneggdir")
-	fi
 	AC_PATH_PROG([TOX], [tox], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
 	AC_PATH_PROG([PY_TEST], [py.test], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
 fi
-AM_CONDITIONAL(PYTHON_EGGS_INSTALL, [test "x$python_eggs_install" = xtrue])
 
 AM_CONDITIONAL(PERL_CPAN_INSTALL, [test "x$perl_cpan_install" = xtrue])
 
@@ -1441,18 +1481,44 @@ if test x$git_version = xtrue -a "$GIT_VERSION" != "UNKNOWN"; then
 	AC_DEFINE_UNQUOTED(VERSION, ["$GIT_VERSION"])
 fi
 
+# modify CFLAGS as needed, do this late so we don't affect configure checks
+CFLAGS="$CFLAGS -include $(pwd)/config.h"
+
+AC_MSG_CHECKING([for use of -Werror and additional warnings])
+WARN_CFLAGS=
+if test x$warnings = xtrue; then
+	WARN_CFLAGS="-Werror -Wall -Wextra"
+	AC_MSG_RESULT([yes])
+else
+	AC_MSG_RESULT([no])
+fi
+# disable some warnings, whether explicitly enabled above or by default
+# these are not compatible with our custom printf specifiers
+WARN_CFLAGS="$WARN_CFLAGS -Wno-format"
+WARN_CFLAGS="$WARN_CFLAGS -Wno-format-security"
+# we generally use comments, but GCC doesn't seem to recognize many of them
+WARN_CFLAGS="$WARN_CFLAGS -Wno-implicit-fallthrough"
+# we often omit fields when initializing structs (e.g. when using INIT)
+WARN_CFLAGS="$WARN_CFLAGS -Wno-missing-field-initializers"
+# allow assigning char* to u_char* (e.g. in chunk_create())
+WARN_CFLAGS="$WARN_CFLAGS -Wno-pointer-sign"
+# allow comparing e.g. int with chunk_t::len or countof(...)
+WARN_CFLAGS="$WARN_CFLAGS -Wno-sign-compare"
+# allow defensive checks like e.g. unsigned_var < CONST(= currently 0)
+WARN_CFLAGS="$WARN_CFLAGS -Wno-type-limits"
+# we often don't use function parameters when implementing interfaces
+WARN_CFLAGS="$WARN_CFLAGS -Wno-unused-parameter"
+# add the flags before existing CFLAGS so warning flags can be overridden
+CFLAGS="$WARN_CFLAGS $CFLAGS"
+
 # ===============================================
 #  collect plugin list for strongSwan components
 # ===============================================
 
-m4_include(m4/macros/add-plugin.m4)
-
 # plugin lists for all components
 charon_plugins=
-starter_plugins=
 pool_plugins=
 attest_plugins=
-scepclient_plugins=
 pki_plugins=
 scripts_plugins=
 fuzz_plugins=
@@ -1469,48 +1535,48 @@ s_plugins=
 t_plugins=
 p_plugins=
 
-ADD_PLUGIN([test-vectors],         [s charon scepclient pki])
+ADD_PLUGIN([test-vectors],         [s charon pki])
 ADD_PLUGIN([unbound],              [s charon scripts])
-ADD_PLUGIN([ldap],                 [s charon scepclient scripts nm cmd])
+ADD_PLUGIN([ldap],                 [s charon scripts nm cmd])
 ADD_PLUGIN([pkcs11],               [s charon pki nm cmd])
 ADD_PLUGIN([tpm],                  [p charon pki nm cmd])
-ADD_PLUGIN([aesni],                [s charon scepclient pki scripts medsrv attest nm cmd aikgen])
-ADD_PLUGIN([aes],                  [s charon scepclient pki scripts nm cmd])
-ADD_PLUGIN([des],                  [s charon scepclient pki scripts nm cmd])
-ADD_PLUGIN([blowfish],             [s charon scepclient pki scripts nm cmd])
-ADD_PLUGIN([rc2],                  [s charon scepclient pki scripts nm cmd])
-ADD_PLUGIN([sha2],                 [s charon scepclient pki scripts medsrv attest nm cmd aikgen fuzz])
-ADD_PLUGIN([sha3],                 [s charon scepclient pki scripts medsrv attest nm cmd aikgen fuzz])
-ADD_PLUGIN([sha1],                 [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen fuzz])
-ADD_PLUGIN([md4],                  [s charon scepclient pki nm cmd])
-ADD_PLUGIN([md5],                  [s charon scepclient pki scripts attest nm cmd aikgen])
-ADD_PLUGIN([mgf1],                 [s charon scepclient pki scripts medsrv attest nm cmd aikgen])
-ADD_PLUGIN([rdrand],               [s charon scepclient pki scripts medsrv attest nm cmd aikgen])
-ADD_PLUGIN([random],               [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen])
+ADD_PLUGIN([aesni],                [s charon pki scripts medsrv attest nm cmd aikgen])
+ADD_PLUGIN([aes],                  [s charon pki scripts nm cmd])
+ADD_PLUGIN([des],                  [s charon pki scripts nm cmd])
+ADD_PLUGIN([blowfish],             [s charon pki scripts nm cmd])
+ADD_PLUGIN([rc2],                  [s charon pki scripts nm cmd])
+ADD_PLUGIN([sha2],                 [s charon pki scripts medsrv attest nm cmd aikgen fuzz])
+ADD_PLUGIN([sha3],                 [s charon pki scripts medsrv attest nm cmd aikgen fuzz])
+ADD_PLUGIN([sha1],                 [s charon pki scripts manager medsrv attest nm cmd aikgen fuzz])
+ADD_PLUGIN([md4],                  [s charon pki nm cmd])
+ADD_PLUGIN([md5],                  [s charon pki scripts attest nm cmd aikgen])
+ADD_PLUGIN([mgf1],                 [s charon pki scripts medsrv attest nm cmd aikgen])
+ADD_PLUGIN([rdrand],               [s charon pki scripts medsrv attest nm cmd aikgen])
+ADD_PLUGIN([random],               [s charon pki scripts manager medsrv attest nm cmd aikgen])
 ADD_PLUGIN([nonce],                [s charon nm cmd aikgen])
-ADD_PLUGIN([x509],                 [s charon scepclient pki scripts attest nm cmd aikgen fuzz])
+ADD_PLUGIN([x509],                 [s charon pki scripts attest nm cmd aikgen fuzz])
 ADD_PLUGIN([revocation],           [s charon pki nm cmd])
-ADD_PLUGIN([constraints],          [s charon nm cmd])
+ADD_PLUGIN([constraints],          [s charon pki nm cmd])
 ADD_PLUGIN([acert],                [s charon])
 ADD_PLUGIN([pubkey],               [s charon pki cmd aikgen])
-ADD_PLUGIN([pkcs1],                [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen fuzz])
-ADD_PLUGIN([pkcs7],                [s charon scepclient pki scripts nm cmd])
-ADD_PLUGIN([pkcs12],               [s charon scepclient pki scripts cmd])
+ADD_PLUGIN([pkcs1],                [s charon pki scripts manager medsrv attest nm cmd aikgen fuzz])
+ADD_PLUGIN([pkcs7],                [s charon pki scripts nm cmd])
+ADD_PLUGIN([pkcs12],               [s charon pki scripts cmd])
 ADD_PLUGIN([pgp],                  [s charon])
 ADD_PLUGIN([dnskey],               [s charon pki])
 ADD_PLUGIN([sshkey],               [s charon pki nm cmd])
 ADD_PLUGIN([dnscert],              [c charon])
 ADD_PLUGIN([ipseckey],             [c charon])
-ADD_PLUGIN([pem],                  [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen fuzz])
+ADD_PLUGIN([pem],                  [s charon pki scripts manager medsrv attest nm cmd aikgen fuzz])
 ADD_PLUGIN([padlock],              [s charon])
-ADD_PLUGIN([openssl],              [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen])
-ADD_PLUGIN([wolfssl],              [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen])
-ADD_PLUGIN([gcrypt],               [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen])
-ADD_PLUGIN([botan],                [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen])
-ADD_PLUGIN([pkcs8],                [s charon scepclient pki scripts manager medsrv attest nm cmd])
-ADD_PLUGIN([af-alg],               [s charon scepclient pki scripts medsrv attest nm cmd aikgen])
+ADD_PLUGIN([openssl],              [s charon pki scripts manager medsrv attest nm cmd aikgen])
+ADD_PLUGIN([wolfssl],              [s charon pki scripts manager medsrv attest nm cmd aikgen])
+ADD_PLUGIN([gcrypt],               [s charon pki scripts manager medsrv attest nm cmd aikgen])
+ADD_PLUGIN([botan],                [s charon pki scripts manager medsrv attest nm cmd aikgen])
+ADD_PLUGIN([pkcs8],                [s charon pki scripts manager medsrv attest nm cmd])
+ADD_PLUGIN([af-alg],               [s charon pki scripts medsrv attest nm cmd aikgen])
 ADD_PLUGIN([fips-prf],             [s charon nm cmd])
-ADD_PLUGIN([gmp],                  [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen fuzz])
+ADD_PLUGIN([gmp],                  [s charon pki scripts manager medsrv attest nm cmd aikgen fuzz])
 ADD_PLUGIN([curve25519],           [s charon pki scripts nm cmd])
 ADD_PLUGIN([agent],                [s charon nm cmd])
 ADD_PLUGIN([keychain],             [s charon cmd])
@@ -1522,26 +1588,25 @@ ADD_PLUGIN([kdf],                  [s charon pki scripts nm cmd])
 ADD_PLUGIN([ctr],                  [s charon scripts nm cmd])
 ADD_PLUGIN([ccm],                  [s charon scripts nm cmd])
 ADD_PLUGIN([gcm],                  [s charon scripts nm cmd])
-ADD_PLUGIN([ntru],                 [s charon scripts nm cmd])
+ADD_PLUGIN([ml],                   [s charon scripts nm cmd])
 ADD_PLUGIN([drbg],                 [s charon pki scripts nm cmd])
-ADD_PLUGIN([newhope],              [s charon scripts nm cmd])
-ADD_PLUGIN([bliss],                [s charon pki scripts nm cmd])
-ADD_PLUGIN([curl],                 [s charon scepclient pki scripts nm cmd])
-ADD_PLUGIN([files],                [s charon scepclient pki scripts nm cmd])
+ADD_PLUGIN([curl],                 [s charon pki scripts nm cmd])
+ADD_PLUGIN([files],                [s charon pki scripts nm cmd])
 ADD_PLUGIN([winhttp],              [s charon pki scripts])
 ADD_PLUGIN([soup],                 [s charon pki scripts nm cmd])
-ADD_PLUGIN([mysql],                [s charon pool manager medsrv attest])
-ADD_PLUGIN([sqlite],               [s charon pool manager medsrv attest])
+ADD_PLUGIN([mysql],                [s charon pki pool manager medsrv attest])
+ADD_PLUGIN([sqlite],               [s charon pki pool manager medsrv attest])
+ADD_PLUGIN([openxpki],             [s pki])
 ADD_PLUGIN([attr],                 [c charon])
 ADD_PLUGIN([attr-sql],             [c charon])
 ADD_PLUGIN([load-tester],          [c charon])
 ADD_PLUGIN([kernel-libipsec],      [c charon cmd])
 ADD_PLUGIN([kernel-wfp],           [c charon])
 ADD_PLUGIN([kernel-iph],           [c charon])
-ADD_PLUGIN([kernel-pfkey],         [c charon starter nm cmd])
-ADD_PLUGIN([kernel-pfroute],       [c charon starter nm cmd])
-ADD_PLUGIN([kernel-netlink],       [c charon starter nm cmd])
-ADD_PLUGIN([selinux],              [c charon starter nm cmd])
+ADD_PLUGIN([kernel-pfkey],         [c charon nm cmd])
+ADD_PLUGIN([kernel-pfroute],       [c charon nm cmd])
+ADD_PLUGIN([kernel-netlink],       [c charon nm cmd])
+ADD_PLUGIN([selinux],              [c charon nm cmd])
 ADD_PLUGIN([resolve],              [c charon cmd])
 ADD_PLUGIN([save-keys],            [c])
 ADD_PLUGIN([socket-default],       [c charon nm cmd])
@@ -1605,16 +1670,13 @@ ADD_PLUGIN([led],                  [c charon])
 ADD_PLUGIN([duplicheck],           [c charon])
 ADD_PLUGIN([coupling],             [c charon])
 ADD_PLUGIN([radattr],              [c charon])
-ADD_PLUGIN([uci],                  [c charon])
 ADD_PLUGIN([addrblock],            [c charon])
 ADD_PLUGIN([unity],                [c charon])
 ADD_PLUGIN([counters],             [c charon])
 
 AC_SUBST(charon_plugins)
-AC_SUBST(starter_plugins)
 AC_SUBST(pool_plugins)
 AC_SUBST(attest_plugins)
-AC_SUBST(scepclient_plugins)
 AC_SUBST(pki_plugins)
 AC_SUBST(scripts_plugins)
 AC_SUBST(fuzz_plugins)
@@ -1668,6 +1730,7 @@ AM_CONDITIONAL(USE_PKCS1, test x$pkcs1 = xtrue)
 AM_CONDITIONAL(USE_PKCS7, test x$pkcs7 = xtrue)
 AM_CONDITIONAL(USE_PKCS8, test x$pkcs8 = xtrue)
 AM_CONDITIONAL(USE_PKCS12, test x$pkcs12 = xtrue)
+AM_CONDITIONAL(USE_OPENXPKI, test x$openxpki = xtrue)
 AM_CONDITIONAL(USE_PGP, test x$pgp = xtrue)
 AM_CONDITIONAL(USE_DNSKEY, test x$dnskey = xtrue)
 AM_CONDITIONAL(USE_SSHKEY, test x$sshkey = xtrue)
@@ -1692,10 +1755,8 @@ AM_CONDITIONAL(USE_CTR, test x$ctr = xtrue)
 AM_CONDITIONAL(USE_CCM, test x$ccm = xtrue)
 AM_CONDITIONAL(USE_GCM, test x$gcm = xtrue)
 AM_CONDITIONAL(USE_AF_ALG, test x$af_alg = xtrue)
-AM_CONDITIONAL(USE_NTRU, test x$ntru = xtrue)
-AM_CONDITIONAL(USE_NEWHOPE, test x$newhope = xtrue)
-AM_CONDITIONAL(USE_BLISS, test x$bliss = xtrue)
 AM_CONDITIONAL(USE_DRBG, test x$drbg = xtrue)
+AM_CONDITIONAL(USE_ML, test x$ml = xtrue)
 
 #  charon plugins
 # ----------------
@@ -1703,7 +1764,6 @@ AM_CONDITIONAL(USE_STROKE, test x$stroke = xtrue)
 AM_CONDITIONAL(USE_VICI, test x$vici = xtrue)
 AM_CONDITIONAL(USE_MEDSRV, test x$medsrv = xtrue)
 AM_CONDITIONAL(USE_MEDCLI, test x$medcli = xtrue)
-AM_CONDITIONAL(USE_UCI, test x$uci = xtrue)
 AM_CONDITIONAL(USE_OSX_ATTR, test x$osx_attr = xtrue)
 AM_CONDITIONAL(USE_P_CSCF, test x$p_cscf = xtrue)
 AM_CONDITIONAL(USE_ANDROID_DNS, test x$android_dns = xtrue)
@@ -1790,6 +1850,7 @@ AM_CONDITIONAL(USE_ATTR, test x$attr = xtrue)
 AM_CONDITIONAL(USE_ATTR_SQL, test x$attr_sql = xtrue)
 AM_CONDITIONAL(USE_COUNTERS, test x$counters = xtrue)
 AM_CONDITIONAL(USE_SELINUX, test x$selinux = xtrue)
+AM_CONDITIONAL(USE_PF_HANDLER, test x$dhcp = xtrue -o x$farp = xtrue)
 
 #  other options
 # ---------------
@@ -1807,20 +1868,18 @@ AM_CONDITIONAL(USE_ADNS, test x$adns = xtrue)
 AM_CONDITIONAL(USE_CHARON, test x$charon = xtrue)
 AM_CONDITIONAL(USE_NM, test x$nm = xtrue)
 AM_CONDITIONAL(USE_PKI, test x$pki = xtrue)
-AM_CONDITIONAL(USE_SCEPCLIENT, test x$scepclient = xtrue)
 AM_CONDITIONAL(USE_SCRIPTS, test x$scripts = xtrue)
 AM_CONDITIONAL(USE_FUZZING, test x$fuzzing = xtrue)
 AM_CONDITIONAL(USE_CONFTEST, test x$conftest = xtrue)
-AM_CONDITIONAL(USE_LIBSTRONGSWAN, test x$charon = xtrue -o x$pki = xtrue -o x$scepclient = xtrue -o x$conftest = xtrue -o x$fast = xtrue -o x$imcv = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$tls = xtrue -o x$tnc_tnccs = xtrue -o x$aikgen = xtrue -o x$svc = xtrue -o x$systemd = xtrue)
+AM_CONDITIONAL(USE_LIBSTRONGSWAN, test x$charon = xtrue -o x$pki = xtrue -o x$conftest = xtrue -o x$fast = xtrue -o x$imcv = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$tls = xtrue -o x$tnc_tnccs = xtrue -o x$aikgen = xtrue -o x$svc = xtrue -o x$systemd = xtrue)
 AM_CONDITIONAL(USE_LIBCHARON, test x$charon = xtrue -o x$conftest = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$svc = xtrue -o x$systemd = xtrue)
 AM_CONDITIONAL(USE_LIBIPSEC, test x$libipsec = xtrue)
-AM_CONDITIONAL(USE_LIBNTTFFT, test x$bliss = xtrue -o x$newhope = xtrue)
 AM_CONDITIONAL(USE_LIBTNCIF, test x$tnc_tnccs = xtrue -o x$imcv = xtrue)
 AM_CONDITIONAL(USE_LIBTNCCS, test x$tnc_tnccs = xtrue)
 AM_CONDITIONAL(USE_LIBPTTLS, test x$tnc_tnccs = xtrue)
 AM_CONDITIONAL(USE_LIBTPMTSS, test x$tss_trousers = xtrue -o x$tss_tss2 = xtrue -o x$tpm = xtrue -o x$aikgen = xtrue -o x$imcv = xtrue)
 AM_CONDITIONAL(USE_FILE_CONFIG, test x$stroke = xtrue)
-AM_CONDITIONAL(USE_IPSEC_SCRIPT, test x$stroke = xtrue -o x$scepclient = xtrue -o x$conftest = xtrue)
+AM_CONDITIONAL(USE_IPSEC_SCRIPT, test x$stroke = xtrue -o x$conftest = xtrue)
 AM_CONDITIONAL(USE_LIBCAP, test x$capabilities = xlibcap)
 AM_CONDITIONAL(USE_VSTR, test x$printf_hooks = xvstr)
 AM_CONDITIONAL(USE_BUILTIN_PRINTF, test x$printf_hooks = xbuiltin)
@@ -1842,8 +1901,10 @@ AM_CONDITIONAL(USE_SWANCTL, test x$swanctl = xtrue)
 AM_CONDITIONAL(USE_SVC, test x$svc = xtrue)
 AM_CONDITIONAL(USE_SYSTEMD, test x$systemd = xtrue)
 AM_CONDITIONAL(USE_LEGACY_SYSTEMD, test -n "$systemdsystemunitdir" -a "x$systemdsystemunitdir" != xno)
+AM_CONDITIONAL(USE_CERT_ENROLL, test x$cert_enroll = xtrue)
+AM_CONDITIONAL(USE_CERT_ENROLL_TIMER, test x$cert_enroll_timer = xtrue)
 AM_CONDITIONAL(USE_RUBY_GEMS, test x$ruby_gems = xtrue)
-AM_CONDITIONAL(USE_PYTHON_EGGS, test x$python_eggs = xtrue)
+AM_CONDITIONAL(USE_PYTHON_WHEELS, test x$python_wheels = xtrue)
 AM_CONDITIONAL(USE_PERL_CPAN, test x$perl_cpan = xtrue)
 AM_CONDITIONAL(USE_TOX, test "x$TOX" != x)
 AM_CONDITIONAL(USE_PY_TEST, test "x$PY_TEST" != x -a "x$TOX" = x)
@@ -1888,15 +1949,16 @@ strongswan_options=
 
 AM_COND_IF([USE_AIKGEN], [strongswan_options=${strongswan_options}" aikgen"])
 AM_COND_IF([USE_ATTR_SQL], [strongswan_options=${strongswan_options}" pool"])
-AM_COND_IF([USE_CHARON], [strongswan_options=${strongswan_options}" charon charon-logging"])
+AM_COND_IF([USE_CHARON], [strongswan_options=${strongswan_options}" charon charon-logging iptfs"])
 AM_COND_IF([USE_FILE_CONFIG], [strongswan_options=${strongswan_options}" starter"])
 AM_COND_IF([USE_IMV_ATTESTATION], [strongswan_options=${strongswan_options}" attest"])
-AM_COND_IF([USE_IMCV], [strongswan_options=${strongswan_options}" imcv"])
+AM_COND_IF([USE_IMCV], [strongswan_options=${strongswan_options}" imcv imv_policy_manager"])
+AM_COND_IF([USE_IMC_SWIMA], [strongswan_options=${strongswan_options}" sw-collector"])
 AM_COND_IF([USE_IMV_SWIMA], [strongswan_options=${strongswan_options}" sec-updater"])
 AM_COND_IF([USE_LIBTNCCS], [strongswan_options=${strongswan_options}" tnc"])
 AM_COND_IF([USE_MANAGER], [strongswan_options=${strongswan_options}" manager"])
 AM_COND_IF([USE_MEDSRV], [strongswan_options=${strongswan_options}" medsrv"])
-AM_COND_IF([USE_SCEPCLIENT], [strongswan_options=${strongswan_options}" scepclient"])
+AM_COND_IF([USE_NM], [strongswan_options=${strongswan_options}" charon-nm"])
 AM_COND_IF([USE_PKI], [strongswan_options=${strongswan_options}" pki"])
 AM_COND_IF([USE_SWANCTL], [strongswan_options=${strongswan_options}" swanctl"])
 AM_COND_IF([USE_SYSTEMD], [strongswan_options=${strongswan_options}" charon-systemd"])
@@ -1918,8 +1980,6 @@ AC_CONFIG_FILES([
 	src/Makefile
 	src/include/Makefile
 	src/libstrongswan/Makefile
-	src/libstrongswan/math/libnttfft/Makefile
-	src/libstrongswan/math/libnttfft/tests/Makefile
 	src/libstrongswan/plugins/aes/Makefile
 	src/libstrongswan/plugins/cmac/Makefile
 	src/libstrongswan/plugins/des/Makefile
@@ -1950,6 +2010,7 @@ AC_CONFIG_FILES([
 	src/libstrongswan/plugins/pkcs7/Makefile
 	src/libstrongswan/plugins/pkcs8/Makefile
 	src/libstrongswan/plugins/pkcs12/Makefile
+	src/libstrongswan/plugins/openxpki/Makefile
 	src/libstrongswan/plugins/pgp/Makefile
 	src/libstrongswan/plugins/dnskey/Makefile
 	src/libstrongswan/plugins/sshkey/Makefile
@@ -1976,11 +2037,7 @@ AC_CONFIG_FILES([
 	src/libstrongswan/plugins/gcm/Makefile
 	src/libstrongswan/plugins/af_alg/Makefile
 	src/libstrongswan/plugins/drbg/Makefile
-	src/libstrongswan/plugins/ntru/Makefile
-	src/libstrongswan/plugins/bliss/Makefile
-	src/libstrongswan/plugins/bliss/tests/Makefile
-	src/libstrongswan/plugins/newhope/Makefile
-	src/libstrongswan/plugins/newhope/tests/Makefile
+	src/libstrongswan/plugins/ml/Makefile
 	src/libstrongswan/plugins/test_vectors/Makefile
 	src/libstrongswan/tests/Makefile
 	src/libipsec/Makefile
@@ -2061,7 +2118,6 @@ AC_CONFIG_FILES([
 	src/libcharon/plugins/medcli/Makefile
 	src/libcharon/plugins/addrblock/Makefile
 	src/libcharon/plugins/unity/Makefile
-	src/libcharon/plugins/uci/Makefile
 	src/libcharon/plugins/ha/Makefile
 	src/libcharon/plugins/kernel_netlink/Makefile
 	src/libcharon/plugins/kernel_pfkey/Makefile
@@ -2103,7 +2159,6 @@ AC_CONFIG_FILES([
 	src/starter/Makefile
 	src/starter/tests/Makefile
 	src/_updown/Makefile
-	src/scepclient/Makefile
 	src/aikgen/Makefile
 	src/tpm_extendpcr/Makefile
 	src/pki/Makefile
@@ -2118,6 +2173,7 @@ AC_CONFIG_FILES([
 	src/sw-collector/Makefile
 	src/sec-updater/Makefile
 	src/swanctl/Makefile
+	src/cert-enroll/Makefile
 	src/xfrmi/Makefile
 	scripts/Makefile
 	testing/Makefile
@@ -2136,14 +2192,19 @@ AC_CONFIG_FILES([
 	src/pki/man/pki.1
 	src/pki/man/pki---acert.1
 	src/pki/man/pki---dn.1
+	src/pki/man/pki---est.1
+	src/pki/man/pki---estca.1
 	src/pki/man/pki---gen.1
 	src/pki/man/pki---issue.1
 	src/pki/man/pki---keyid.1
+	src/pki/man/pki---ocsp.1
 	src/pki/man/pki---pkcs12.1
 	src/pki/man/pki---pkcs7.1
 	src/pki/man/pki---print.1
 	src/pki/man/pki---pub.1
 	src/pki/man/pki---req.1
+	src/pki/man/pki---scep.1
+	src/pki/man/pki---scepca.1
 	src/pki/man/pki---self.1
 	src/pki/man/pki---signcrl.1
 	src/pki/man/pki---verify.1
@@ -2153,6 +2214,7 @@ AC_CONFIG_FILES([
 	src/pt-tls-client/pt-tls-client.1
 	src/sw-collector/sw-collector.8
 	src/sec-updater/sec-updater.8
+	src/cert-enroll/cert-enroll.8
 ])
 
 AC_OUTPUT

doc/standards/draft-sheffer-ikev2-gtc-00.txt

@@ -1,505 +0,0 @@
-
-
-
-Network Working Group                                         Y. Sheffer
-Internet-Draft                                               Check Point
-Intended status: Informational                              July 6, 2008
-Expires: January 7, 2009
-
-
-         Using EAP-GTC for Simple User Authentication in IKEv2
-                     draft-sheffer-ikev2-gtc-00.txt
-
-Status of this Memo
-
-   By submitting this Internet-Draft, each author represents that any
-   applicable patent or other IPR claims of which he or she is aware
-   have been or will be disclosed, and any of which he or she becomes
-   aware will be disclosed, in accordance with Section 6 of BCP 79.
-
-   Internet-Drafts are working documents of the Internet Engineering
-   Task Force (IETF), its areas, and its working groups.  Note that
-   other groups may also distribute working documents as Internet-
-   Drafts.
-
-   Internet-Drafts are draft documents valid for a maximum of six months
-   and may be updated, replaced, or obsoleted by other documents at any
-   time.  It is inappropriate to use Internet-Drafts as reference
-   material or to cite them other than as "work in progress."
-
-   The list of current Internet-Drafts can be accessed at
-   http://www.ietf.org/ietf/1id-abstracts.txt.
-
-   The list of Internet-Draft Shadow Directories can be accessed at
-   http://www.ietf.org/shadow.html.
-
-   This Internet-Draft will expire on January 7, 2009.
-
-Abstract
-
-   Despite many years of effort, simple username-password authentication
-   is still prevalent.  In many cases a password is the only credential
-   available to the end user.  IKEv2 uses EAP as a sub-protocol for user
-   authentication.  This provides a well-specified and extensible
-   architecture.  To this day EAP does not provide a simple password-
-   based authentication method.  The only existing password
-   authentication methods either require the peer to know the password
-   in advance (EAP-MD5), or are needlessly complex when used within
-   IKEv2 (e.g.  PEAP).  This document codifies the common practice of
-   using EAP-GTC for this type of authentication, with the goal of
-   achieving maximum interoperability.  The various security issues are
-   extensively analyzed.
-
-
-
-Sheffer                  Expires January 7, 2009                [Page 1]
-
-Internet-Draft              EAP-GTC in IKEv2                   July 2008
-
-
-Table of Contents
-
-   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 3
-   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . 4
-   3.  Alternatives to EAP-GTC in IKEv2  . . . . . . . . . . . . . . . 4
-     3.1.  Non-password credentials  . . . . . . . . . . . . . . . . . 4
-     3.2.  Using the IKE preshared secret  . . . . . . . . . . . . . . 4
-     3.3.  EAP-MD5 , EAP-MSCHAPv2 and mutual authentication
-           schemes . . . . . . . . . . . . . . . . . . . . . . . . . . 4
-   4.  Using EAP-GTC in IKE: Details . . . . . . . . . . . . . . . . . 5
-   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6
-   6.  Security Considerations . . . . . . . . . . . . . . . . . . . . 6
-     6.1.  Key generation and MITM protection  . . . . . . . . . . . . 6
-     6.2.  Protection of credentials between the IKE gateway and
-           the AAA server  . . . . . . . . . . . . . . . . . . . . . . 6
-     6.3.  Server authentication . . . . . . . . . . . . . . . . . . . 6
-   7.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 7
-   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . . . 7
-     8.1.  Normative References  . . . . . . . . . . . . . . . . . . . 7
-     8.2.  Informative References  . . . . . . . . . . . . . . . . . . 7
-   Appendix A.  Change Log . . . . . . . . . . . . . . . . . . . . . . 8
-     A.1.  -00 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
-   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . . . 8
-   Intellectual Property and Copyright Statements  . . . . . . . . . . 9
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Sheffer                  Expires January 7, 2009                [Page 2]
-
-Internet-Draft              EAP-GTC in IKEv2                   July 2008
-
-
-1.  Introduction
-
-   "Oh dear!  It's possible that we have added EAP to IKE to support a
-   case that EAP can't support." -- C. Kaufman.
-
-   Despite many years of effort, simple username-password authentication
-   is still prevalent.  In many cases a password is the only credential
-   available to the end user.
-
-   IKEv2 [RFC4306] uses the Extensible Authentication Protocol (EAP) as
-   a sub-protocol for user authentication.  This provides a well-
-   specified and extensible architecture and enables useful capabilities
-   like SIM authentication.  Unfortunately, for a number of reasons EAP
-   still does not provide a simple password-based authentication method.
-   The only existing password authentication methods either require the
-   peer to know the password in advance (EAP-MD5), or are needlessly
-   complex when used within IKEv2 (e.g.  PEAP).
-
-   Technically, the IKE preshared secret authentication mode can be used
-   for password authentication.  In fact even the IKEv2 RFC winks at
-   this practice.  But this use jeopardizes the protocol's security and
-   should clearly be avoided (more details below).
-
-   EAP is used in IKEv2 at a stage when the remote access gateway has
-   already been authenticated.  At this point the user has a high enough
-   level of trust to send his or her password to the gateway.  Such an
-   exchange is enabled by the EAP Generic Token Card (GTC) method, which
-   is a simple text transport between the two EAP peers.  To quote
-   [RFC3748]:
-
-      The EAP GTC method is intended for use with the Token Cards
-      supporting challenge/response authentication and MUST NOT be used
-      to provide support for cleartext passwords in the absence of a
-      protected tunnel with server authentication.
-
-   IKEv2 does indeed provide "a protected tunnel with server
-   authentication".  The current document updates [RFC3748] by making an
-   exception and allowing the use of GTC to carry secret credentials, in
-   this specific situation.  Section 6 further elaborates on the
-   security properties of this solution.
-
-   Other protocols provide a similar protected tunnel, for example TLS-
-   EAP, described in [I-D.nir-tls-eap].  These protocols however are out
-   of scope for this document.
-
-
-
-
-
-
-
-Sheffer                  Expires January 7, 2009                [Page 3]
-
-Internet-Draft              EAP-GTC in IKEv2                   July 2008
-
-
-2.  Terminology
-
-   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
-   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
-   document are to be interpreted as described in [RFC2119].
-
-
-3.  Alternatives to EAP-GTC in IKEv2
-
-   This section presents a few of the alternatives to EAP-GTC, and
-   explains why they are either insecure or impractical given today's
-   common identity management infrastructure.
-
-3.1.  Non-password credentials
-
-   Certificate-based authentication, especially when combined with
-   hardware protection (e.g. a hardware token), can be deployed in a
-   more secure manner than the form of password authentication which we
-   discuss.  However, due to a host of issues to do with cost,
-   inconvenience and reliability this solution has not gained wide
-   market acceptance over the last 10 years.
-
-3.2.  Using the IKE preshared secret
-
-   Sec. 2.15 of RFC 4306 points out that the generation of the IKE
-   preshared secret from a weak password is insecure.  Such use is
-   vulnerable to off line password guessing by an active attacker.  All
-   the attacker needs to do is respond correctly to the first IKE_INIT
-   message, and then record the third IKE message.  This is then
-   followed by a dictionary attack to obtain the password.
-
-3.3.  EAP-MD5 , EAP-MSCHAPv2 and mutual authentication schemes
-
-   Challenge-response schemes, like EAP-MD5 and EAP-MSCHAPv2, have a
-   clear security advantage over sending the plaintext password to the
-   gateway.  Password-based mutual authentication schemes like SRP have
-   a further advantage in that the gateway's authentication is much
-   stronger than when using certificates alone, since the AAA server
-   proves its knowledge of a per-client credential, and the gateway
-   proves that it has been authorized by the AAA server for that
-   particular client.
-
-   Unfortunately all of these methods also suffer from a major drawback:
-   the gateway must have a priori access to the plaintext password.
-   While many RADIUS servers may indeed have such access, other very
-   common deployments do not provide it.  One typical example is when
-   the gateway directly accesses an LDAP directory (or a Microsoft
-   Active Directory) to authenticate the user.  The usual way to do that
-
-
-
-Sheffer                  Expires January 7, 2009                [Page 4]
-
-Internet-Draft              EAP-GTC in IKEv2                   July 2008
-
-
-   is by issuing an LDAP Bind operation into the directory, using the
-   just-received plaintext password.  Often in this case it is the IKE
-   gateway that terminates the EAP protocol, and it needs a way to
-   obtain the raw password.
-
-   An additional issue with mutual authentication schemes is their heavy
-   IP encumbrance, which has resulted in a scarcity of standards using
-   them and a low rate of market adoption.
-
-
-4.  Using EAP-GTC in IKE: Details
-
-   EAP-GTC is specified in [RFC3748], Sec. 5.6.  This section is non-
-   normative, and is merely an interpretation of this specification in
-   the context of IKEv2.
-
-   Simple authentication requires a non secret identity ("user name")
-   and a secret credential ("password").  Both of these are arbitrary
-   Unicode strings, although implementations may impose length
-   constraints.
-
-   In the case of EAP-GTC, the user name is conveyed in the IKE IDi
-   payload.  According to [RFC4718], Sec. 3.4, the user name can be
-   encoded in one of two ways: as a simple user name, in which case the
-   ID_KEY_ID identification type is used; or as a combination user name
-   plus realm, in which case the format is a NAI [RFC4282] and the
-   identification type is ID_RFC822_ADDR.  In either case, the user name
-   is a Unicode string encoded as UTF-8.  Using the EAP Identity payload
-   is redundant, and if it is used, it should be identical to the IDi
-   payload.
-
-   EAP-GTC consists of a simple 2-message exchange.  The contents of the
-   Type-Data field in the Request should not be interpreted in any way,
-   and should be displayed to the user.  This field contains a Unicode
-   string, encoded as UTF-8.
-
-   The password is sent in the EAP Response.  The Type-Data field of the
-   Response is also a Unicode string encoded as UTF-8.  Note that none
-   of the IDi payload, the EAP Request or the EAP Response is null-
-   terminated.
-
-   If either or both the user name and the password are non-ASCII, they
-   should be normalized by the IKE client before the IKE/EAP message is
-   constructed.  The normalization method is SASLprep, [RFC4013].
-
-
-
-
-
-
-
-Sheffer                  Expires January 7, 2009                [Page 5]
-
-Internet-Draft              EAP-GTC in IKEv2                   July 2008
-
-
-5.  IANA Considerations
-
-   This document does not require any action by IANA.
-
-
-6.  Security Considerations
-
-6.1.  Key generation and MITM protection
-
-   Modern EAP methods generate a key shared between the two protocol
-   peers.  GTC does not (and cannot) generate such a key.  RFC 4306
-   mandates that:
-
-      EAP methods that do not establish a shared key SHOULD NOT be used,
-      as they are subject to a number of man-in-the-middle attacks
-      [EAPMITM] if these EAP methods are used in other protocols that do
-      not use a server-authenticated tunnel.
-
-   However GTC must never be used in such a situation, since the client
-   would be sending its credentials openly to an unauthenticated server.
-   When using GTC with IKEv2, the implementation (or local
-   administrators) MUST ensure that the same credentials are never used
-   in such a manner.
-
-6.2.  Protection of credentials between the IKE gateway and the AAA
-      server
-
-   In the proposed solution, the raw credentials are sent from the IKE
-   gateway to a AAA server, typically a RADIUS server.  These
-   credentials and the associated messaging MUST be strongly protected.
-   Some of the existing options include:
-   o  An IPsec tunnel between the gateway and the AAA server.
-   o  RADIUS over TCP with TLS, [I-D.winter-radsec].
-   o  RADIUS over UDP with DTLS, [I-D.dekok-radext-dtls] (expired).
-   The legacy RADIUS security mechanism (Sec. 5.2 of [RFC2865]) is
-   considered weak and SHOULD NOT be used when better alternatives are
-   available.
-
-6.3.  Server authentication
-
-   The client may only send its cleartext credentials after it has
-   positively authenticated the server.  This authentication is
-   specified, albeit rather vaguely, in [RFC4306] and is out of scope of
-   the current document.  Unauthenticated (BTNS) derivatives of IKE MUST
-   NOT be used with EAP-GTC.
-
-
-
-
-
-
-Sheffer                  Expires January 7, 2009                [Page 6]
-
-Internet-Draft              EAP-GTC in IKEv2                   July 2008
-
-
-7.  Acknowledgments
-
-   I would like to thank Yoav Nir and Charlie Kaufman for their helpful
-   comments.
-
-
-8.  References
-
-8.1.  Normative References
-
-   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
-              Requirement Levels", BCP 14, RFC 2119, March 1997.
-
-   [RFC3748]  Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H.
-              Levkowetz, "Extensible Authentication Protocol (EAP)",
-              RFC 3748, June 2004.
-
-   [RFC4013]  Zeilenga, K., "SASLprep: Stringprep Profile for User Names
-              and Passwords", RFC 4013, February 2005.
-
-   [RFC4306]  Kaufman, C., "Internet Key Exchange (IKEv2) Protocol",
-              RFC 4306, December 2005.
-
-8.2.  Informative References
-
-   [EAPMITM]  Asokan, N., Niemi, V., and K. Nyberg, "Man-in-the-Middle
-              in Tunneled Authentication Protocols", November 2002,
-              <http://eprint.iacr.org/2002/163>.
-
-   [I-D.dekok-radext-dtls]
-              DeKok, A., "DTLS as a Transport Layer for RADIUS",
-              draft-dekok-radext-dtls-00 (work in progress),
-              February 2007.
-
-   [I-D.nir-tls-eap]
-              Nir, Y., Tschofenig, H., and P. Gutmann, "TLS using EAP
-              Authentication", draft-nir-tls-eap-03 (work in progress),
-              April 2008.
-
-   [I-D.winter-radsec]
-              Winter, S., McCauley, M., and S. Venaas, "RadSec Version 2
-              - A Secure and Reliable Transport for the RADIUS
-              Protocol", draft-winter-radsec-01 (work in progress),
-              February 2008.
-
-   [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
-              "Remote Authentication Dial In User Service (RADIUS)",
-              RFC 2865, June 2000.
-
-
-
-Sheffer                  Expires January 7, 2009                [Page 7]
-
-Internet-Draft              EAP-GTC in IKEv2                   July 2008
-
-
-   [RFC4282]  Aboba, B., Beadles, M., Arkko, J., and P. Eronen, "The
-              Network Access Identifier", RFC 4282, December 2005.
-
-   [RFC4718]  Eronen, P. and P. Hoffman, "IKEv2 Clarifications and
-              Implementation Guidelines", RFC 4718, October 2006.
-
-
-Appendix A.  Change Log
-
-A.1.  -00
-
-   Initial version.
-
-
-Author's Address
-
-   Yaron Sheffer
-   Check Point Software Technologies Ltd.
-   5 Hasolelim St.
-   Tel Aviv  67897
-   Israel
-
-   Email: yaronf@checkpoint.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Sheffer                  Expires January 7, 2009                [Page 8]
-
-Internet-Draft              EAP-GTC in IKEv2                   July 2008
-
-
-Full Copyright Statement
-
-   Copyright (C) The IETF Trust (2008).
-
-   This document is subject to the rights, licenses and restrictions
-   contained in BCP 78, and except as set forth therein, the authors
-   retain all their rights.
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
-   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
-   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
-   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Intellectual Property
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the procedures with respect to rights in RFC documents can be
-   found in BCP 78 and BCP 79.
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
-
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at
-   ietf-ipr@ietf.org.
-
-
-
-
-
-
-
-
-
-
-
-Sheffer                  Expires January 7, 2009                [Page 9]
-
-

doc/standards/rfc1994.txt

@@ -1,732 +0,0 @@
-
-
-
-
-
-
-Network Working Group                                         W. Simpson
-Request for Comments: 1994                                    DayDreamer
-Obsoletes: 1334                                              August 1996
-Category: Standards Track
-
-
-         PPP Challenge Handshake Authentication Protocol (CHAP)
-
-
-Status of this Memo
-
-   This document specifies an Internet standards track protocol for the
-   Internet community, and requests discussion and suggestions for
-   improvements.  Please refer to the current edition of the "Internet
-   Official Protocol Standards" (STD 1) for the standardization state
-   and status of this protocol.  Distribution of this memo is unlimited.
-
-Abstract
-
-   The Point-to-Point Protocol (PPP) [1] provides a standard method for
-   transporting multi-protocol datagrams over point-to-point links.
-
-   PPP also defines an extensible Link Control Protocol, which allows
-   negotiation of an Authentication Protocol for authenticating its peer
-   before allowing Network Layer protocols to transmit over the link.
-
-   This document defines a method for Authentication using PPP, which
-   uses a random Challenge, with a cryptographically hashed Response
-   which depends upon the Challenge and a secret key.
-
-Table of Contents
-
-     1.     Introduction ..........................................    1
-        1.1       Specification of Requirements ...................    1
-        1.2       Terminology .....................................    2
-     2.     Challenge-Handshake Authentication Protocol ...........    2
-        2.1       Advantages ......................................    3
-        2.2       Disadvantages ...................................    3
-        2.3       Design Requirements .............................    4
-     3.     Configuration Option Format ...........................    5
-     4.     Packet Format .........................................    6
-        4.1       Challenge and Response ..........................    7
-        4.2       Success and Failure .............................    9
-     SECURITY CONSIDERATIONS ......................................   10
-     ACKNOWLEDGEMENTS .............................................   11
-     REFERENCES ...................................................   12
-     CONTACTS .....................................................   12
-
-
-
-
-Simpson                                                         [Page i]
-
-RFC 1994                        PPP CHAP                     August 1996
-
-
-1.  Introduction
-
-   In order to establish communications over a point-to-point link, each
-   end of the PPP link must first send LCP packets to configure the data
-   link during Link Establishment phase.  After the link has been
-   established, PPP provides for an optional Authentication phase before
-   proceeding to the Network-Layer Protocol phase.
-
-   By default, authentication is not mandatory.  If authentication of
-   the link is desired, an implementation MUST specify the
-   Authentication-Protocol Configuration Option during Link
-   Establishment phase.
-
-   These authentication protocols are intended for use primarily by
-   hosts and routers that connect to a PPP network server via switched
-   circuits or dial-up lines, but might be applied to dedicated links as
-   well.  The server can use the identification of the connecting host
-   or router in the selection of options for network layer negotiations.
-
-   This document defines a PPP authentication protocol.  The Link
-   Establishment and Authentication phases, and the Authentication-
-   Protocol Configuration Option, are defined in The Point-to-Point
-   Protocol (PPP) [1].
-
-
-1.1.  Specification of Requirements
-
-   In this document, several words are used to signify the requirements
-   of the specification.  These words are often capitalized.
-
-   MUST      This word, or the adjective "required", means that the
-             definition is an absolute requirement of the specification.
-
-   MUST NOT  This phrase means that the definition is an absolute
-             prohibition of the specification.
-
-   SHOULD    This word, or the adjective "recommended", means that there
-             may exist valid reasons in particular circumstances to
-             ignore this item, but the full implications must be
-             understood and carefully weighed before choosing a
-             different course.
-
-   MAY       This word, or the adjective "optional", means that this
-             item is one of an allowed set of alternatives.  An
-             implementation which does not include this option MUST be
-             prepared to interoperate with another implementation which
-             does include the option.
-
-
-
-
-Simpson                                                         [Page 1]
-
-RFC 1994                        PPP CHAP                     August 1996
-
-
-1.2.  Terminology
-
-   This document frequently uses the following terms:
-
-   authenticator
-             The end of the link requiring the authentication.  The
-             authenticator specifies the authentication protocol to be
-             used in the Configure-Request during Link Establishment
-             phase.
-
-   peer      The other end of the point-to-point link; the end which is
-             being authenticated by the authenticator.
-
-   silently discard
-             This means the implementation discards the packet without
-             further processing.  The implementation SHOULD provide the
-             capability of logging the error, including the contents of
-             the silently discarded packet, and SHOULD record the event
-             in a statistics counter.
-
-
-
-
-2.  Challenge-Handshake Authentication Protocol
-
-   The Challenge-Handshake Authentication Protocol (CHAP) is used to
-   periodically verify the identity of the peer using a 3-way handshake.
-   This is done upon initial link establishment, and MAY be repeated
-   anytime after the link has been established.
-
-   1.    After the Link Establishment phase is complete, the
-         authenticator sends a "challenge" message to the peer.
-
-   2.    The peer responds with a value calculated using a "one-way
-         hash" function.
-
-   3.    The authenticator checks the response against its own
-         calculation of the expected hash value.  If the values match,
-         the authentication is acknowledged; otherwise the connection
-         SHOULD be terminated.
-
-   4.    At random intervals, the authenticator sends a new challenge to
-         the peer, and repeats steps 1 to 3.
-
-
-
-
-
-
-
-
-Simpson                                                         [Page 2]
-
-RFC 1994                        PPP CHAP                     August 1996
-
-
-2.1.  Advantages
-
-   CHAP provides protection against playback attack by the peer through
-   the use of an incrementally changing identifier and a variable
-   challenge value.  The use of repeated challenges is intended to limit
-   the time of exposure to any single attack.  The authenticator is in
-   control of the frequency and timing of the challenges.
-
-   This authentication method depends upon a "secret" known only to the
-   authenticator and that peer.  The secret is not sent over the link.
-
-   Although the authentication is only one-way, by negotiating CHAP in
-   both directions the same secret set may easily be used for mutual
-   authentication.
-
-   Since CHAP may be used to authenticate many different systems, name
-   fields may be used as an index to locate the proper secret in a large
-   table of secrets.  This also makes it possible to support more than
-   one name/secret pair per system, and to change the secret in use at
-   any time during the session.
-
-
-2.2.  Disadvantages
-
-   CHAP requires that the secret be available in plaintext form.
-   Irreversably encrypted password databases commonly available cannot
-   be used.
-
-   It is not as useful for large installations, since every possible
-   secret is maintained at both ends of the link.
-
-      Implementation Note: To avoid sending the secret over other links
-      in the network, it is recommended that the challenge and response
-      values be examined at a central server, rather than each network
-      access server.  Otherwise, the secret SHOULD be sent to such
-      servers in a reversably encrypted form.  Either case requires a
-      trusted relationship, which is outside the scope of this
-      specification.
-
-
-
-
-
-
-
-
-
-
-
-
-
-Simpson                                                         [Page 3]
-
-RFC 1994                        PPP CHAP                     August 1996
-
-
-2.3.  Design Requirements
-
-   The CHAP algorithm requires that the length of the secret MUST be at
-   least 1 octet.  The secret SHOULD be at least as large and
-   unguessable as a well-chosen password.  It is preferred that the
-   secret be at least the length of the hash value for the hashing
-   algorithm chosen (16 octets for MD5).  This is to ensure a
-   sufficiently large range for the secret to provide protection against
-   exhaustive search attacks.
-
-   The one-way hash algorithm is chosen such that it is computationally
-   infeasible to determine the secret from the known challenge and
-   response values.
-
-   Each challenge value SHOULD be unique, since repetition of a
-   challenge value in conjunction with the same secret would permit an
-   attacker to reply with a previously intercepted response.  Since it
-   is expected that the same secret MAY be used to authenticate with
-   servers in disparate geographic regions, the challenge SHOULD exhibit
-   global and temporal uniqueness.
-
-   Each challenge value SHOULD also be unpredictable, least an attacker
-   trick a peer into responding to a predicted future challenge, and
-   then use the response to masquerade as that peer to an authenticator.
-
-   Although protocols such as CHAP are incapable of protecting against
-   realtime active wiretapping attacks, generation of unique
-   unpredictable challenges can protect against a wide range of active
-   attacks.
-
-   A discussion of sources of uniqueness and probability of divergence
-   is included in the Magic-Number Configuration Option [1].
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Simpson                                                         [Page 4]
-
-RFC 1994                        PPP CHAP                     August 1996
-
-
-3.  Configuration Option Format
-
-   A summary of the Authentication-Protocol Configuration Option format
-   to negotiate the Challenge-Handshake Authentication Protocol is shown
-   below.  The fields are transmitted from left to right.
-
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   |     Type      |    Length     |     Authentication-Protocol   |
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   |   Algorithm   |
-   +-+-+-+-+-+-+-+-+
-
-   Type
-
-      3
-
-   Length
-
-      5
-
-   Authentication-Protocol
-
-      c223 (hex) for Challenge-Handshake Authentication Protocol.
-
-   Algorithm
-
-      The Algorithm field is one octet and indicates the authentication
-      method to be used.  Up-to-date values are specified in the most
-      recent "Assigned Numbers" [2].  One value is required to be
-      implemented:
-
-         5       CHAP with MD5 [3]
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Simpson                                                         [Page 5]
-
-RFC 1994                        PPP CHAP                     August 1996
-
-
-4.  Packet Format
-
-   Exactly one Challenge-Handshake Authentication Protocol packet is
-   encapsulated in the Information field of a PPP Data Link Layer frame
-   where the protocol field indicates type hex c223 (Challenge-Handshake
-   Authentication Protocol).  A summary of the CHAP packet format is
-   shown below.  The fields are transmitted from left to right.
-
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   |     Code      |  Identifier   |            Length             |
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   |    Data ...
-   +-+-+-+-+
-
-   Code
-
-      The Code field is one octet and identifies the type of CHAP
-      packet.  CHAP Codes are assigned as follows:
-
-         1       Challenge
-         2       Response
-         3       Success
-         4       Failure
-
-   Identifier
-
-      The Identifier field is one octet and aids in matching challenges,
-      responses and replies.
-
-   Length
-
-      The Length field is two octets and indicates the length of the
-      CHAP packet including the Code, Identifier, Length and Data
-      fields.  Octets outside the range of the Length field should be
-      treated as Data Link Layer padding and should be ignored on
-      reception.
-
-   Data
-
-      The Data field is zero or more octets.  The format of the Data
-      field is determined by the Code field.
-
-
-
-
-
-
-
-
-
-
-Simpson                                                         [Page 6]
-
-RFC 1994                        PPP CHAP                     August 1996
-
-
-4.1.  Challenge and Response
-
-   Description
-
-      The Challenge packet is used to begin the Challenge-Handshake
-      Authentication Protocol.  The authenticator MUST transmit a CHAP
-      packet with the Code field set to 1 (Challenge).  Additional
-      Challenge packets MUST be sent until a valid Response packet is
-      received, or an optional retry counter expires.
-
-      A Challenge packet MAY also be transmitted at any time during the
-      Network-Layer Protocol phase to ensure that the connection has not
-      been altered.
-
-      The peer SHOULD expect Challenge packets during the Authentication
-      phase and the Network-Layer Protocol phase.  Whenever a Challenge
-      packet is received, the peer MUST transmit a CHAP packet with the
-      Code field set to 2 (Response).
-
-      Whenever a Response packet is received, the authenticator compares
-      the Response Value with its own calculation of the expected value.
-      Based on this comparison, the authenticator MUST send a Success or
-      Failure packet (described below).
-
-         Implementation Notes: Because the Success might be lost, the
-         authenticator MUST allow repeated Response packets during the
-         Network-Layer Protocol phase after completing the
-         Authentication phase.  To prevent discovery of alternative
-         Names and Secrets, any Response packets received having the
-         current Challenge Identifier MUST return the same reply Code
-         previously returned for that specific Challenge (the message
-         portion MAY be different).  Any Response packets received
-         during any other phase MUST be silently discarded.
-
-         When the Failure is lost, and the authenticator terminates the
-         link, the LCP Terminate-Request and Terminate-Ack provide an
-         alternative indication that authentication failed.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Simpson                                                         [Page 7]
-
-RFC 1994                        PPP CHAP                     August 1996
-
-
-   A summary of the Challenge and Response packet format is shown below.
-   The fields are transmitted from left to right.
-
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   |     Code      |  Identifier   |            Length             |
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   |  Value-Size   |  Value ...
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   |  Name ...
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-
-   Code
-
-      1 for Challenge;
-
-      2 for Response.
-
-   Identifier
-
-      The Identifier field is one octet.  The Identifier field MUST be
-      changed each time a Challenge is sent.
-
-      The Response Identifier MUST be copied from the Identifier field
-      of the Challenge which caused the Response.
-
-   Value-Size
-
-      This field is one octet and indicates the length of the Value
-      field.
-
-   Value
-
-      The Value field is one or more octets.  The most significant octet
-      is transmitted first.
-
-      The Challenge Value is a variable stream of octets.  The
-      importance of the uniqueness of the Challenge Value and its
-      relationship to the secret is described above.  The Challenge
-      Value MUST be changed each time a Challenge is sent.  The length
-      of the Challenge Value depends upon the method used to generate
-      the octets, and is independent of the hash algorithm used.
-
-      The Response Value is the one-way hash calculated over a stream of
-      octets consisting of the Identifier, followed by (concatenated
-      with) the "secret", followed by (concatenated with) the Challenge
-      Value.  The length of the Response Value depends upon the hash
-      algorithm used (16 octets for MD5).
-
-
-
-
-Simpson                                                         [Page 8]
-
-RFC 1994                        PPP CHAP                     August 1996
-
-
-   Name
-
-      The Name field is one or more octets representing the
-      identification of the system transmitting the packet.  There are
-      no limitations on the content of this field.  For example, it MAY
-      contain ASCII character strings or globally unique identifiers in
-      ASN.1 syntax.  The Name should not be NUL or CR/LF terminated.
-      The size is determined from the Length field.
-
-
-4.2.  Success and Failure
-
-   Description
-
-      If the Value received in a Response is equal to the expected
-      value, then the implementation MUST transmit a CHAP packet with
-      the Code field set to 3 (Success).
-
-      If the Value received in a Response is not equal to the expected
-      value, then the implementation MUST transmit a CHAP packet with
-      the Code field set to 4 (Failure), and SHOULD take action to
-      terminate the link.
-
-   A summary of the Success and Failure packet format is shown below.
-   The fields are transmitted from left to right.
-
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   |     Code      |  Identifier   |            Length             |
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   |  Message  ...
-   +-+-+-+-+-+-+-+-+-+-+-+-+-
-
-   Code
-
-      3 for Success;
-
-      4 for Failure.
-
-   Identifier
-
-      The Identifier field is one octet and aids in matching requests
-      and replies.  The Identifier field MUST be copied from the
-      Identifier field of the Response which caused this reply.
-
-
-
-
-
-
-
-
-Simpson                                                         [Page 9]
-
-RFC 1994                        PPP CHAP                     August 1996
-
-
-   Message
-
-      The Message field is zero or more octets, and its contents are
-      implementation dependent.  It is intended to be human readable,
-      and MUST NOT affect operation of the protocol.  It is recommended
-      that the message contain displayable ASCII characters 32 through
-      126 decimal.  Mechanisms for extension to other character sets are
-      the topic of future research.  The size is determined from the
-      Length field.
-
-
-
-Security Considerations
-
-   Security issues are the primary topic of this RFC.
-
-   The interaction of the authentication protocols within PPP are highly
-   implementation dependent.  This is indicated by the use of SHOULD
-   throughout the document.
-
-   For example, upon failure of authentication, some implementations do
-   not terminate the link.  Instead, the implementation limits the kind
-   of traffic in the Network-Layer Protocols to a filtered subset, which
-   in turn allows the user opportunity to update secrets or send mail to
-   the network administrator indicating a problem.
-
-   There is no provision for re-tries of failed authentication.
-   However, the LCP state machine can renegotiate the authentication
-   protocol at any time, thus allowing a new attempt.  It is recommended
-   that any counters used for authentication failure not be reset until
-   after successful authentication, or subsequent termination of the
-   failed link.
-
-   There is no requirement that authentication be full duplex or that
-   the same protocol be used in both directions.  It is perfectly
-   acceptable for different protocols to be used in each direction.
-   This will, of course, depend on the specific protocols negotiated.
-
-   The secret SHOULD NOT be the same in both directions.  This allows an
-   attacker to replay the peer's challenge, accept the computed
-   response, and use that response to authenticate.
-
-   In practice, within or associated with each PPP server, there is a
-   database which associates "user" names with authentication
-   information ("secrets").  It is not anticipated that a particular
-   named user would be authenticated by multiple methods.  This would
-   make the user vulnerable to attacks which negotiate the least secure
-   method from among a set (such as PAP rather than CHAP).  If the same
-
-
-
-Simpson                                                        [Page 10]
-
-RFC 1994                        PPP CHAP                     August 1996
-
-
-   secret was used, PAP would reveal the secret to be used later with
-   CHAP.
-
-   Instead, for each user name there should be an indication of exactly
-   one method used to authenticate that user name.  If a user needs to
-   make use of different authentication methods under different
-   circumstances, then distinct user names SHOULD be employed, each of
-   which identifies exactly one authentication method.
-
-   Passwords and other secrets should be stored at the respective ends
-   such that access to them is as limited as possible.  Ideally, the
-   secrets should only be accessible to the process requiring access in
-   order to perform the authentication.
-
-   The secrets should be distributed with a mechanism that limits the
-   number of entities that handle (and thus gain knowledge of) the
-   secret.  Ideally, no unauthorized person should ever gain knowledge
-   of the secrets.  Such a mechanism is outside the scope of this
-   specification.
-
-
-Acknowledgements
-
-   David Kaufman, Frank Heinrich, and Karl Auerbach used a challenge
-   handshake at SDC when designing one of the protocols for a "secure"
-   network in the mid-1970s.  Tom Bearson built a prototype Sytek
-   product ("Poloneous"?) on the challenge-response notion in the 1982-
-   83 timeframe.  Another variant is documented in the various IBM SNA
-   manuals.  Yet another variant was implemented by Karl Auerbach in the
-   Telebit NetBlazer circa 1991.
-
-   Kim Toms and Barney Wolff provided useful critiques of earlier
-   versions of this document.
-
-   Special thanks to Dave Balenson, Steve Crocker, James Galvin, and
-   Steve Kent, for their extensive explanations and suggestions.  Now,
-   if only we could get them to agree with each other.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Simpson                                                        [Page 11]
-
-RFC 1994                        PPP CHAP                     August 1996
-
-
-References
-
-   [1]   Simpson, W., Editor, "The Point-to-Point Protocol (PPP)", STD
-         51, RFC 1661, DayDreamer, July 1994.
-
-   [2]   Reynolds, J., and J. Postel, "Assigned Numbers", STD 2, RFC
-         1700, USC/Information Sciences Institute, October 1994.
-
-   [3]   Rivest, R., and S. Dusse, "The MD5 Message-Digest Algorithm",
-         MIT Laboratory for Computer Science and RSA Data Security,
-         Inc., RFC 1321, April 1992.
-
-
-
-Contacts
-
-   Comments should be submitted to the ietf-ppp@merit.edu mailing list.
-
-   This document was reviewed by the Point-to-Point Protocol Working
-   Group of the Internet Engineering Task Force (IETF).  The working
-   group can be contacted via the current chair:
-
-      Karl Fox
-      Ascend Communications
-      3518 Riverside Drive, Suite 101
-      Columbus, Ohio 43221
-
-          karl@MorningStar.com
-          karl@Ascend.com
-
-
-   Questions about this memo can also be directed to:
-
-      William Allen Simpson
-      DayDreamer
-      Computer Systems Consulting Services
-      1384 Fontaine
-      Madison Heights, Michigan  48071
-
-          wsimpson@UMich.edu
-          wsimpson@GreenDragon.com (preferred)
-
-
-
-
-
-
-
-
-
-
-Simpson                                                        [Page 12]
-
-

doc/standards/rfc4307.txt

@@ -1,339 +0,0 @@
-
-
-
-
-
-
-Network Working Group                                        J. Schiller
-Request for Comments: 4307         Massachusetts Institute of Technology
-Category: Standards Track                                  December 2005
-
-
-                Cryptographic Algorithms for Use in the
-                Internet Key Exchange Version 2 (IKEv2)
-
-Status of This Memo
-
-   This document specifies an Internet standards track protocol for the
-   Internet community, and requests discussion and suggestions for
-   improvements.  Please refer to the current edition of the "Internet
-   Official Protocol Standards" (STD 1) for the standardization state
-   and status of this protocol.  Distribution of this memo is unlimited.
-
-Copyright Notice
-
-   Copyright (C) The Internet Society (2005).
-
-Abstract
-
-   The IPsec series of protocols makes use of various cryptographic
-   algorithms in order to provide security services.  The Internet Key
-   Exchange (IKE (RFC 2409) and IKEv2) provide a mechanism to negotiate
-   which algorithms should be used in any given association.  However,
-   to ensure interoperability between disparate implementations, it is
-   necessary to specify a set of mandatory-to-implement algorithms to
-   ensure that there is at least one algorithm that all implementations
-   will have available.  This document defines the current set of
-   algorithms that are mandatory to implement as part of IKEv2, as well
-   as algorithms that should be implemented because they may be promoted
-   to mandatory at some future time.
-
-1.  Introduction
-
-   The Internet Key Exchange protocol provides for the negotiation of
-   cryptographic algorithms between both endpoints of a cryptographic
-
-   association.  Different implementations of IPsec and IKE may provide
-   different algorithms.  However, the IETF desires that all
-   implementations should have some way to interoperate.  In particular,
-   this requires that IKE define a set of mandatory-to-implement
-   algorithms because IKE itself uses such algorithms as part of its own
-   negotiations.  This requires that some set of algorithms be specified
-   as "mandatory-to-implement" for IKE.
-
-
-
-
-
-Schiller                    Standards Track                     [Page 1]
-
-RFC 4307             IKEv2 Cryptographic Algorithms        December 2005
-
-
-   The nature of cryptography is that new algorithms surface
-   continuously and existing algorithms are continuously attacked.  An
-   algorithm believed to be strong today may be demonstrated to be weak
-   tomorrow.  Given this, the choice of mandatory-to-implement algorithm
-   should be conservative so as to minimize the likelihood of it being
-   compromised quickly.  Thought should also be given to performance
-   considerations as many uses of IPsec will be in environments where
-   performance is a concern.
-
-   Finally, we need to recognize that the mandatory-to-implement
-   algorithm(s) may need to change over time to adapt to the changing
-   world.  For this reason, the selection of mandatory-to-implement
-   algorithms was removed from the main IKEv2 specification and placed
-   in this document.  As the choice of algorithm changes, only this
-   document should need to be updated.
-
-   Ideally, the mandatory-to-implement algorithm of tomorrow should
-   already be available in most implementations of IPsec by the time it
-   is made mandatory.  To facilitate this, we will attempt to identify
-   those algorithms (that are known today) in this document.  There is
-   no guarantee that the algorithms we believe today may be mandatory in
-   the future will in fact become so.  All algorithms known today are
-   subject to cryptographic attack and may be broken in the future.
-
-2.  Requirements Terminology
-
-   Keywords "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT", and
-   "MAY" that appear in this document are to be interpreted as described
-   in [RFC2119].
-
-   We define some additional terms here:
-
-   SHOULD+    This term means the same as SHOULD.  However, it is likely
-              that an algorithm marked as SHOULD+ will be promoted at
-              some future time to be a MUST.
-
-   SHOULD-    This term means the same as SHOULD.  However, an algorithm
-              marked as SHOULD- may be deprecated to a MAY in a future
-              version of this document.
-
-   MUST-      This term means the same as MUST.  However, we expect at
-              some point that this algorithm will no longer be a MUST in
-              a future document.  Although its status will be determined
-              at a later time, it is reasonable to expect that if a
-              future revision of a document alters the status of a MUST-
-              algorithm, it will remain at least a SHOULD or a SHOULD-.
-
-
-
-
-
-Schiller                    Standards Track                     [Page 2]
-
-RFC 4307             IKEv2 Cryptographic Algorithms        December 2005
-
-
-3.  Algorithm Selection
-
-3.1.  IKEv2 Algorithm Selection
-
-3.1.1.  Encrypted Payload Algorithms
-
-   The IKEv2 Encrypted Payload requires both a confidentiality algorithm
-   and an integrity algorithm.  For confidentiality, implementations
-   MUST- implement 3DES-CBC and SHOULD+ implement AES-128-CBC.  For
-   integrity, HMAC-SHA1 MUST be implemented.
-
-3.1.2.  Diffie-Hellman Groups
-
-   There are several Modular Exponential (MODP) groups that are defined
-   for use in IKEv2.  They are defined in both the [IKEv2] base document
-   and in the MODP extensions document.  They are identified by group
-   number.  Any groups not listed here are considered as "MAY be
-   implemented".
-
-      Group Number        Bit Length            Status     Defined
-      2                   1024 MODP Group       MUST-      [RFC2409]
-      14                  2048 MODP Group       SHOULD+    [RFC3526]
-
-3.1.3.  IKEv2 Transform Type 1 Algorithms
-
-   IKEv2 defines several possible algorithms for Transfer Type 1
-   (encryption).  These are defined below with their implementation
-   status.
-
-      Name                     Number    Defined In      Status
-      RESERVED                 0
-      ENCR_3DES                3         [RFC2451]       MUST-
-      ENCR_NULL                11        [RFC2410]       MAY
-      ENCR_AES_CBC             12        [AES-CBC]       SHOULD+
-      ENCR_AES_CTR             13        [AES-CTR]       SHOULD
-
-3.1.4.  IKEv2 Transform Type 2 Algorithms
-
-   Transfer Type 2 Algorithms are pseudo-random functions used to
-   generate random values when needed.
-
-      Name                Number     Defined In   Status
-      RESERVED            0
-      PRF_HMAC_MD5        1          [RFC2104]    MAY
-      PRF_HMAC_SHA1       2          [RFC2104]    MUST
-      PRF_AES128_CBC      4          [AESPRF]     SHOULD+
-
-
-
-
-
-Schiller                    Standards Track                     [Page 3]
-
-RFC 4307             IKEv2 Cryptographic Algorithms        December 2005
-
-
-3.1.5.  IKEv2 Transform Type 3 Algorithms
-
-   Transfer Type 3 Algorithms are Integrity algorithms used to protect
-   data against tampering.
-
-      Name                     Number       Defined In           Status
-      NONE                     0
-      AUTH_HMAC_MD5_96         1            [RFC2403]            MAY
-      AUTH_HMAC_SHA1_96        2            [RFC2404]            MUST
-      AUTH_AES_XCBC_96         5            [AES-MAC]            SHOULD+
-
-4.  Security Considerations
-
-   The security of cryptographic-based systems depends on both the
-   strength of the cryptographic algorithms chosen and the strength of
-   the keys used with those algorithms.  The security also depends on
-   the engineering of the protocol used by the system to ensure that
-   there are no non-cryptographic ways to bypass the security of the
-   overall system.
-
-   This document concerns itself with the selection of cryptographic
-   algorithms for the use of IKEv2, specifically with the selection of
-   "mandatory-to-implement" algorithms.  The algorithms identified in
-   this document as "MUST implement" or "SHOULD implement" are not known
-   to be broken at the current time, and cryptographic research so far
-   leads us to believe that they will likely remain secure into the
-   foreseeable future.  However, this isn't necessarily forever.  We
-   would therefore expect that new revisions of this document will be
-   issued from time to time that reflect the current best practice in
-   this area.
-
-5.  Normative References
-
-   [RFC2409]    Harkins, D. and D. Carrel, "The Internet Key Exchange
-                (IKE)", RFC 2409, November 1998.
-
-   [IKEv2]      Kaufman, C., Ed., "Internet Key Exchange (IKEv2)
-                Protocol", RFC 4306, December 2005.
-
-   [RFC2119]    Bradner, S., "Key words for use in RFCs to Indicate
-                Requirement Levels", BCP 14, RFC 2119, March 1997.
-
-   [RFC3526]    Kivinen, T. and M. Kojo, "More Modular Exponential
-                (MODP) Diffie-Hellman groups for Internet Key Exchange
-                (IKE)", RFC 3526, May 2003.
-
-   [RFC2451]    Pereira, R. and R. Adams, "The ESP CBC-Mode Cipher
-                Algorithms", RFC 2451, November 1998.
-
-
-
-Schiller                    Standards Track                     [Page 4]
-
-RFC 4307             IKEv2 Cryptographic Algorithms        December 2005
-
-
-   [RFC2410]    Glenn, R. and S. Kent, "The NULL Encryption Algorithm
-                and Its Use With IPsec", RFC 2410, November 1998.
-
-   [AES-CBC]    Frankel, S., Glenn, R., and S. Kelly, "The AES-CBC
-                Cipher Algorithm and Its Use with IPsec", RFC 3602,
-                September 2003.
-
-   [AES-CTR]    Housley, R., "Using Advanced Encryption Standard (AES)
-                Counter Mode With IPsec Encapsulating Security Payload
-                (ESP)", RFC 3686, January 2004.
-
-   [RFC2104]    Krawczyk, H., Bellare, M., and R. Canetti, "HMAC:
-                Keyed-Hashing for Message Authentication", RFC 2104,
-                February 1997.
-
-   [AESPRF]     Hoffman, P., "The AES-XCBC-PRF-128 Algorithm for the
-                Internet Key Exchange Protocol (IKE)", RFC 3664, January
-                2004.
-
-   [RFC2403]    Madson, C. and R. Glenn, "The Use of HMAC-MD5-96 within
-                ESP and AH", RFC 2403, November 1998.
-
-   [RFC2404]    Madson, C. and R. Glenn, "The Use of HMAC-SHA-1-96
-                within ESP and AH", RFC 2404, November 1998.
-
-   [AES-MAC]    Frankel, S. and H. Herbert, "The AES-XCBC-MAC-96
-                Algorithm and Its Use With IPsec", RFC 3566, September
-                2003.
-
-Author's Address
-
-   Jeffrey I. Schiller
-   Massachusetts Institute of Technology
-   Room W92-190
-   77 Massachusetts Avenue
-   Cambridge, MA 02139-4307
-   USA
-
-   Phone: +1 (617) 253-0161
-   EMail: jis@mit.edu
-
-
-
-
-
-
-
-
-
-
-
-Schiller                    Standards Track                     [Page 5]
-
-RFC 4307             IKEv2 Cryptographic Algorithms        December 2005
-
-
-Full Copyright Statement
-
-   Copyright (C) The Internet Society (2005).
-
-   This document is subject to the rights, licenses and restrictions
-   contained in BCP 78, and except as set forth therein, the authors
-   retain all their rights.
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the procedures with respect to rights in RFC documents can be
-   found in BCP 78 and BCP 79.
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
-
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at ietf-
-   ipr@ietf.org.
-
-Acknowledgement
-
-   Funding for the RFC Editor function is currently provided by the
-   Internet Society.
-
-
-
-
-
-
-
-Schiller                    Standards Track                     [Page 6]
-

doc/standards/rfc4478.txt

@@ -1,283 +0,0 @@
-
-
-
-
-
-
-Network Working Group                                             Y. Nir
-Request for Comments: 4478                                   Check Point
-Category: Experimental                                        April 2006
-
-
-   Repeated Authentication in Internet Key Exchange (IKEv2) Protocol
-
-Status of This Memo
-
-   This memo defines an Experimental Protocol for the Internet
-   community.  It does not specify an Internet standard of any kind.
-   Discussion and suggestions for improvement are requested.
-   Distribution of this memo is unlimited.
-
-Copyright Notice
-
-   Copyright (C) The Internet Society (2006).
-
-Abstract
-
-   This document extends the Internet Key Exchange (IKEv2) Protocol
-   document [IKEv2].  With some IPsec peers, particularly in the remote
-   access scenario, it is desirable to repeat the mutual authentication
-   periodically.  The purpose of this is to limit the time that security
-   associations (SAs) can be used by a third party who has gained
-   control of the IPsec peer.  This document describes a mechanism to
-   perform this function.
-
-1.  Introduction
-
-   In several cases, such as the remote access scenario, policy dictates
-   that the mutual authentication needs to be repeated periodically.
-   Repeated authentication can usually be achieved by simply repeating
-   the Initial exchange by whichever side has a stricter policy.
-
-   However, in the remote access scenario it is usually up to a human
-   user to supply the authentication credentials, and often Extensible
-   Authentication Protocol (EAP) is used for authentication, which makes
-   it unreasonable or impossible for the remote access gateway to
-   initiate the IKEv2 exchange.
-
-   This document describes a new notification that the original
-   Responder can send to the original Initiator with the number of
-   seconds before the authentication needs to be repeated.  The
-   Initiator SHOULD repeat the Initial exchange before that time is
-   expired.  If the Initiator fails to do so, the Responder may close
-   all Security Associations.
-
-
-
-
-Nir                           Experimental                      [Page 1]
-
-RFC 4478            Repeated Authentication in IKEv2          April 2006
-
-
-   Repeated authentication is not the same as IKE SA rekeying, and need
-   not be tied to it.  The key words "MUST", "MUST NOT", "SHOULD",
-   "SHOULD NOT", and "MAY" in this document are to be interpreted as
-   described in [RFC2119].
-
-2.  Authentication Lifetime
-
-   The Responder in an IKEv2 negotiation MAY be configured to limit the
-   time that an IKE SA and the associated IPsec SAs may be used before
-   the peer is required to repeat the authentication, through a new
-   Initial Exchange.
-
-   The Responder MUST send this information to the Initiator in an
-   AUTH_LIFETIME notification either in the last message of an IKE_AUTH
-   exchange, or in an INFORMATIONAL request, which may be sent at any
-   time.
-
-   When sent as part of the IKE SA setup, the AUTH_LIFETIME notification
-   is used as follows:
-
-      Initiator                            Responder
-      -------------------------------      -----------------------------
-      HDR, SAi1, KEi, Ni              -->
-                                      <--  HDR, SAr1, KEr, Nr, [CERTREQ]
-      HDR, SK {IDi, [CERT,] [CERTREQ,]
-         [IDr,] AUTH, SAi2, TSi, TSr} -->
-                                      <--  HDR, SK {IDr, [CERT,] AUTH,
-                                                    SAr2, TSi, TSr,
-                                                     N(AUTH_LIFETIME)}
-
-   The separate Informational exchange is formed as follows:
-
-                                      <--  HDR, SK {N(AUTH_LIFETIME)}
-      HDR  SK {}                      -->
-
-   The AUTH_LIFETIME notification is described in Section 3.
-
-   The original Responder that sends the AUTH_LIFETIME notification
-   SHOULD send a DELETE notification soon after the end of the lifetime
-   period, unless the IKE SA is deleted before the lifetime period
-   elapses.  If the IKE SA is rekeyed, then the time limit applies to
-   the new SA.
-
-   An Initiator that received an AUTH_LIFETIME notification SHOULD
-   repeat the Initial exchange within the time indicated in the
-   notification.  The time is measured from the time that the original
-   Initiator receives the notification.
-
-
-
-
-Nir                           Experimental                      [Page 2]
-
-RFC 4478            Repeated Authentication in IKEv2          April 2006
-
-
-   A special case is where the notification is sent in an Informational
-   exchange, and the lifetime is zero.  In that case, the original
-   responder SHOULD allow a reasonable time for the repeated
-   authentication to occur.
-
-   The AUTH_LIFETIME notification MUST be protected and MAY be sent by
-   the original Responder at any time.  If the policy changes, the
-   original Responder MAY send it again in a new Informational.
-
-   The new Initial exchange is not altered.  The initiator SHOULD delete
-   the old IKE SA within a reasonable time of the new Auth exchange.
-
-3.  AUTH_LIFETIME Notification
-
-   The AUTH_LIFETIME message is a notification payload formatted as
-   follows:
-
-                           1                   2                   3
-       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      ! Next Payload  !C!  RESERVED   !         Payload Length        !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      !  Protocol ID  !   SPI Size    !      Notify Message Type      !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      !                           Lifetime                            !
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-
-      o  Payload Length is 12.
-      o  Protocol ID (1 octet) MUST be 0.
-      o  SPI size is 0 (SPI is in message header).
-      o  Notify Message type is 16403 by IANA.
-      o  Lifetime is the amount of time (in seconds) left before the
-         peer should repeat the Initial exchange.  A zero value
-         signifies that the Initial exchange should begin immediately.
-         It is usually not reasonable to set this value to less than 300
-         (5 minutes) since that is too cumbersome for a user.
-         It is also usually not reasonable to set this value to more
-         than 86400 (1 day) as that would negate the security benefit of
-         repeating the authentication.
-
-4.  Interoperability with Non-Supporting IKEv2 Implementations
-
-   IKEv2 implementations that do not support the AUTH_LIFETIME
-   notification will ignore it and will not repeat the authentication.
-   In that case the original Responder will send a Delete notification
-   for the IKE SA in an Informational exchange.  Such implementations
-   may be configured manually to repeat the authentication periodically.
-
-
-
-
-Nir                           Experimental                      [Page 3]
-
-RFC 4478            Repeated Authentication in IKEv2          April 2006
-
-
-   Non-supporting Responders are not a problem because they will simply
-   not send these notifications.  In that case, there is no requirement
-   that the original Initiator re-authenticate.
-
-5.  Security Considerations
-
-   The AUTH_LIFETIME notification sent by the Responder does not
-   override any security policy on the Initiator.  In particular, the
-   Initiator may have a different policy regarding re-authentication,
-   requiring more frequent re-authentication.  Such an Initiator can
-   repeat the authentication earlier then is required by the
-   notification.
-
-   An Initiator MAY set reasonable limits on the amount of time in the
-   AUTH_LIFETIME notification.  For example, an authentication lifetime
-   of less than 300 seconds from SA initiation may be considered
-   unreasonable.
-
-6.  IANA Considerations
-
-   The IANA has assigned a notification payload type for the
-   AUTH_LIFETIME notifications from the IKEv2 Notify Message Types
-   registry.
-
-7.  Normative References
-
-   [IKEv2]    Kaufman, C., "Internet Key Exchange (IKEv2) Protocol", RFC
-              4306, December 2005.
-
-   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
-              Requirement Levels", BCP 14, RFC 2119, March 1997.
-
-Author's Address
-
-   Yoav Nir
-   Check Point Software Technologies
-
-   EMail: ynir@checkpoint.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-Nir                           Experimental                      [Page 4]
-
-RFC 4478            Repeated Authentication in IKEv2          April 2006
-
-
-Full Copyright Statement
-
-   Copyright (C) The Internet Society (2006).
-
-   This document is subject to the rights, licenses and restrictions
-   contained in BCP 78, and except as set forth therein, the authors
-   retain all their rights.
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the procedures with respect to rights in RFC documents can be
-   found in BCP 78 and BCP 79.
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
-
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at
-   ietf-ipr@ietf.org.
-
-Acknowledgement
-
-   Funding for the RFC Editor function is provided by the IETF
-   Administrative Support Activity (IASA).
-
-
-
-
-
-
-
-Nir                           Experimental                      [Page 5]
-

doc/standards/rfc4543.txt

@@ -1,787 +0,0 @@
-
-
-
-
-
-
-Network Working Group                                          D. McGrew
-Request for Comments: 4543                           Cisco Systems, Inc.
-Category: Standards Track                                       J. Viega
-                                                            McAfee, Inc.
-                                                                May 2006
-
-
-        The Use of Galois Message Authentication Code (GMAC) in
-                            IPsec ESP and AH
-
-Status of This Memo
-
-   This document specifies an Internet standards track protocol for the
-   Internet community, and requests discussion and suggestions for
-   improvements.  Please refer to the current edition of the "Internet
-   Official Protocol Standards" (STD 1) for the standardization state
-   and status of this protocol.  Distribution of this memo is unlimited.
-
-Copyright Notice
-
-   Copyright (C) The Internet Society (2006).
-
-Abstract
-
-   This memo describes the use of the Advanced Encryption Standard (AES)
-   Galois Message Authentication Code (GMAC) as a mechanism to provide
-   data origin authentication, but not confidentiality, within the IPsec
-   Encapsulating Security Payload (ESP) and Authentication Header (AH).
-   GMAC is based on the Galois/Counter Mode (GCM) of operation, and can
-   be efficiently implemented in hardware for speeds of 10 gigabits per
-   second and above, and is also well-suited to software
-   implementations.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-McGrew & Viega              Standards Track                     [Page 1]
-
-RFC 4543                GMAC in IPsec ESP and AH                May 2006
-
-
-Table of Contents
-
-   1. Introduction ....................................................2
-      1.1. Conventions Used in This Document ..........................3
-   2. AES-GMAC ........................................................3
-   3. The Use of AES-GMAC in ESP ......................................3
-      3.1. Initialization Vector ......................................4
-      3.2. Nonce Format ...............................................4
-      3.3. AAD Construction ...........................................5
-      3.4. Integrity Check Value (ICV) ................................6
-      3.5. Differences with AES-GCM-ESP ...............................6
-      3.6. Packet Expansion ...........................................7
-   4. The Use of AES-GMAC in AH .......................................7
-   5. IKE Conventions .................................................8
-      5.1. Phase 1 Identifier .........................................8
-      5.2. Phase 2 Identifier .........................................8
-      5.3. Key Length Attribute .......................................9
-      5.4. Keying Material and Salt Values ............................9
-   6. Test Vectors ....................................................9
-   7. Security Considerations ........................................10
-   8. Design Rationale ...............................................11
-   9. IANA Considerations ............................................11
-   10. Acknowledgements ..............................................11
-   11. References ....................................................12
-      11.1. Normative References .....................................12
-      11.2. Informative References ...................................12
-1.  Introduction
-
-   This document describes the use of AES-GMAC mode (AES-GMAC) as a
-   mechanism for data origin authentication in ESP [RFC4303] and AH
-   [RFC4302].  We refer to these methods as ENCR_NULL_AUTH_AES_GMAC and
-   AUTH_AES_GMAC, respectively.  ENCR_NULL_AUTH_AES_GMAC is a companion
-   to the AES Galois/Counter Mode ESP [RFC4106], which provides
-   authentication as well as confidentiality.  ENCR_NULL_AUTH_AES_GMAC
-   is intended for cases in which confidentiality is not desired.  Like
-   GCM, GMAC is efficient and secure, and is amenable to high-speed
-   implementations in hardware.  ENCR_NULL_AUTH_AES_GMAC and
-   AUTH_AES_GMAC are designed so that the incremental cost of
-   implementation, given an implementation is AES-GCM-ESP, is small.
-
-   This document does not cover implementation details of GCM or GMAC.
-   Those details can be found in [GCM], along with test vectors.
-
-
-
-
-
-
-
-
-
-McGrew & Viega              Standards Track                     [Page 2]
-
-RFC 4543                GMAC in IPsec ESP and AH                May 2006
-
-
-1.1.  Conventions Used in This Document
-
-   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
-   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
-   document are to be interpreted as described in [RFC2119].
-
-2.  AES-GMAC
-
-   GMAC is a block cipher mode of operation providing data origin
-   authentication.  It is defined in terms of the GCM authenticated
-   encryption operation as follows.  The GCM authenticated encryption
-   operation has four inputs: a secret key, an initialization vector
-   (IV), a plaintext, and an input for additional authenticated data
-   (AAD).  It has two outputs, a ciphertext whose length is identical to
-   the plaintext and an authentication tag.  GMAC is the special case of
-   GCM in which the plaintext has a length of zero.  The (zero-length)
-   ciphertext output is ignored, of course, so that the only output of
-   the function is the Authentication Tag.  In the following, we
-   describe how the GMAC IV and AAD are formed from the ESP and AH
-   fields, and how the ESP and AH packets are formed from the
-   Authentication Tag.
-
-   Below we refer to the AES-GMAC IV input as a nonce, in order to
-   distinguish it from the IV fields in the packets.  The same nonce and
-   key combination MUST NOT be used more than once, since reusing a
-   nonce/key combination destroys the security guarantees of AES-GMAC.
-
-   Because of this restriction, it can be difficult to use this mode
-   securely when using statically configured keys.  For the sake of good
-   security, implementations MUST use an automated key management
-   system, such as the Internet Key Exchange (IKE) (either version two
-   [RFC4306] or version one [RFC2409]), to ensure that this requirement
-   is met.
-
-3.  The Use of AES-GMAC in ESP
-
-   The AES-GMAC algorithm for ESP is defined as an ESP "combined mode"
-   algorithm (see Section 3.2.3 of [RFC4303]), rather than an ESP
-   integrity algorithm.  It is called ENCR_NULL_AUTH_AES_GMAC to
-   highlight the fact that it performs no encryption and provides no
-   confidentiality.
-
-      Rationale: ESP makes no provision for integrity transforms to
-      place an initialization vector within the Payload field; only
-      encryption transforms are expected to use IVs.  Defining GMAC as
-      an encryption transform avoids this issue, and allows GMAC to
-      benefit from the same pipelining as does GCM.
-
-
-
-
-McGrew & Viega              Standards Track                     [Page 3]
-
-RFC 4543                GMAC in IPsec ESP and AH                May 2006
-
-
-   Like all ESP combined modes, it is registered in IKEv2 as an
-   encryption transform, or "Type 1" transform.  It MUST NOT be used in
-   conjunction with any other ESP encryption transform (within a
-   particular ESP encapsulation).  If confidentiality is desired, then
-   GCM ESP [RFC4106] SHOULD be used instead.
-
-3.1.  Initialization Vector
-
-   With ENCR_NULL_AUTH_AES_GMAC, an explicit Initialization Vector (IV)
-   is included in the ESP Payload, at the outset of that field.  The IV
-   MUST be eight octets long.  For a given key, the IV MUST NOT repeat.
-   The most natural way to meet this requirement is to set the IV using
-   a counter, but implementations are free to set the IV field in any
-   way that guarantees uniqueness, such as a linear feedback shift
-   register (LFSR).  Note that the sender can use any IV generation
-   method that meets the uniqueness requirement without coordinating
-   with the receiver.
-
-3.2.  Nonce Format
-
-   The nonce passed to the AES-GMAC authentication algorithm has the
-   following layout:
-
-    0                   1                   2                   3
-    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   |                             Salt                              |
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   |                     Initialization Vector                     |
-   |                                                               |
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-
-                        Figure 1: Nonce Format
-
-   The components of the nonce are as follows:
-
-   Salt
-      The salt field is a four-octet value that is assigned at the
-      beginning of the security association, and then remains constant
-      for the life of the security association.  The salt SHOULD be
-      unpredictable (i.e., chosen at random) before it is selected, but
-      need not be secret.  We describe how to set the salt for a
-      Security Association established via the Internet Key Exchange in
-      Section 5.4.
-
-   Initialization Vector
-      The IV field is described in Section 3.1.
-
-
-
-
-McGrew & Viega              Standards Track                     [Page 4]
-
-RFC 4543                GMAC in IPsec ESP and AH                May 2006
-
-
-3.3.  AAD Construction
-
-   Data integrity and data origin authentication are provided for the
-   SPI, (Extended) Sequence Number, Authenticated Payload, Padding, Pad
-   Length, and Next Header fields.  This is done by including those
-   fields in the AES-GMAC Additional Authenticated Data (AAD) field.
-   Two formats of the AAD are defined: one for 32-bit sequence numbers,
-   and one for 64-bit extended sequence numbers.  The format with 32-bit
-   sequence numbers is shown in Figure 2, and the format with 64-bit
-   extended sequence numbers is shown in Figure 3.
-
-    0                   1                   2                   3
-    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   |                               SPI                             |
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   |                     32-bit Sequence Number                    |
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   |                                                               |
-   ~                Authenticated Payload (variable)               ~
-   |                                                               |
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   |                    Padding (0-255 bytes)                      |
-   +                               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   |                               |  Pad Length   | Next Header   |
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-
-            Figure 2: AAD Format with 32-bit Sequence Number
-
-    0                   1                   2                   3
-    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   |                               SPI                             |
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   |                 64-bit Extended Sequence Number               |
-   |                                                               |
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   |                                                               |
-   ~                Authenticated Payload (variable)               ~
-   |                                                               |
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   |                    Padding (0-255 bytes)                      |
-   +                               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   |                               |  Pad Length   | Next Header   |
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-
-        Figure 3: AAD Format with 64-bit Extended Sequence Number
-
-
-
-
-McGrew & Viega              Standards Track                     [Page 5]
-
-RFC 4543                GMAC in IPsec ESP and AH                May 2006
-
-
-   The use of 32-bit sequence numbers vs. 64-bit extended sequence
-   numbers is determined by the security association (SA) management
-   protocol that is used to create the SA.  For IKEv2 [RFC4306] this is
-   negotiated via Transform Type 5, and the default for ESP is to use
-   64-bit extended sequence numbers in the absence of negotiation (e.g.,
-   see Section 2.2.1 of [RFC4303]).
-
-3.4.  Integrity Check Value (ICV)
-
-   The ICV consists solely of the AES-GMAC Authentication Tag.  The
-   Authentication Tag MUST NOT be truncated, so the length of the ICV is
-   16 octets.
-
-3.5.  Differences with AES-GCM-ESP
-
-   In this section, we highlight the differences between this
-   specification and AES-GCM-ESP [RFC4106].  The essential difference is
-   that in this document, the AAD consists of the SPI, Sequence Number,
-   and ESP Payload, and the AES-GCM plaintext is zero-length, while in
-   AES-GCM-ESP, the AAD consists only of the SPI and Sequence Number,
-   and the AES-GCM plaintext consists of the ESP Payload.  These
-   differences are illustrated in Figure 4.  This figure shows the case
-   in which the Extended Sequence Number option is not used.  When that
-   option is exercised, the Sequence Number field in the figure would be
-   replaced with the Extended Sequence Number.
-
-   Importantly, ENCR_NULL_AUTH_AES_GMAC is *not* equivalent to AES-GCM-
-   ESP with encryption "turned off".  However, the ICV computations
-   performed in both cases are similar because of the structure of the
-   GHASH function [GCM].
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-McGrew & Viega              Standards Track                     [Page 6]
-
-RFC 4543                GMAC in IPsec ESP and AH                May 2006
-
-
-                     +-> +-----------------------+ <-+
-      AES-GCM-ESP    |   |          SPI          |   |
-          AAD -------+   +-----------------------+   |
-                     |   |    Sequence Number    |   |
-                     +-> +-----------------------+   |
-                         |    Authentication     |   |
-                         |          IV           |   |
-                  +->+-> +-----------------------+   +
-      AES-GCM-ESP |      |                       |   |
-       Plaintext -+      ~       ESP Payload     ~   |
-                  |      |                       |   |
-                  |      +-----------+-----+-----+   |
-                  |      | Padding   |  PL | NH  |   |
-                  +----> +-----------+-----+-----+ <-+
-                                                     |
-                       ENCR_NULL_AUTH_AES_GMAC AAD --+
-
-   Figure 4: Differences between ENCR_NULL_AUTH_AES_GMAC and AES-GCM-ESP
-
-3.6.  Packet Expansion
-
-   The IV adds an additional eight octets to the packet and the ICV adds
-   an additional 16 octets.  These are the only sources of packet
-   expansion, other than the 10-13 bytes taken up by the ESP SPI,
-   Sequence Number, Padding, Pad Length, and Next Header fields (if the
-   minimal amount of padding is used).
-
-4.  The Use of AES-GMAC in AH
-
-   In AUTH_AES_GMAC, the AH Authentication Data field consists of the IV
-   and the Authentication Tag, as shown in Figure 5.  Unlike the usual
-   AH case, the Authentication Data field contains both an input to the
-   authentication algorithm (the IV) and the output of the
-   authentication algorithm (the tag).  No padding is required in the
-   Authentication Data field, because its length is a multiple of 64
-   bits.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-McGrew & Viega              Standards Track                     [Page 7]
-
-RFC 4543                GMAC in IPsec ESP and AH                May 2006
-
-
-    0                   1                   2                   3
-    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   |                    Initialization Vector (IV)                 |
-   |                            (8 octets)                         |
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   |                                                               |
-   |             Integrity Check Value (ICV) (16 octets)           |
-   |                                                               |
-   |                                                               |
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-
-       Figure 5: The AUTH_AES_GMAC Authentication Data Format
-
-   The IV is as described in Section 3.1.  The Integrity Check Value
-   (ICV) is as described in Section 3.4.
-
-   The GMAC Nonce input is formed as described in Section 3.2.  The GMAC
-   AAD input consists of the authenticated data as defined in Section
-   3.1 of [RFC4302].  These values are provided as to that algorithm,
-   along with the secret key, and the resulting authentication tag given
-   as output is used to form the ICV.
-
-5.  IKE Conventions
-
-   This section describes the conventions used to generate keying
-   material and salt values for use with ENCR_NULL_AUTH_AES_GMAC and
-   AUTH_AES_GMAC using the Internet Key Exchange (IKE) versions one
-   [RFC2409] and two [RFC4306].
-
-5.1.  Phase 1 Identifier
-
-   This document does not specify the conventions for using AES-GMAC for
-   IKE Phase 1 negotiations.  For AES-GMAC to be used in this manner, a
-   separate specification would be needed, and an Encryption Algorithm
-   Identifier would need to be assigned.  Implementations SHOULD use an
-   IKE Phase 1 cipher that is at least as strong as AES-GMAC.  The use
-   of AES-CBC [RFC3602] with the same AES key size as used by
-   ENCR_NULL_AUTH_AES_GMAC or AUTH_AES_GMAC is RECOMMENDED.
-
-5.2.  Phase 2 Identifier
-
-   For IKE Phase 2 negotiations, IANA has assigned identifiers as
-   described in Section 9.
-
-
-
-
-
-
-
-McGrew & Viega              Standards Track                     [Page 8]
-
-RFC 4543                GMAC in IPsec ESP and AH                May 2006
-
-
-5.3.  Key Length Attribute
-
-   AES-GMAC can be used with any of the three AES key lengths.  The way
-   that the key length is indicated is different for AH and ESP.
-
-   For AH, each key length has its own separate integrity transform
-   identifier and algorithm name (Section 9).  The IKE Key Length
-   attribute MUST NOT be used with these identifiers.  This transform
-   MUST NOT be used with ESP.
-
-   For ESP, there is a single encryption transform identifier (which
-   represents the combined transform) (Section 9).  The IKE Key Length
-   attribute MUST be used with each use of this identifier to indicate
-   the key length.  The Key Length attribute MUST have a value of 128,
-   192, or 256.
-
-5.4.  Keying Material and Salt Values
-
-   IKE makes use of a pseudo-random function (PRF) to derive keying
-   material.  The PRF is used iteratively to derive keying material of
-   arbitrary size, called KEYMAT.  Keying material is extracted from the
-   output string without regard to boundaries.
-
-   The size of the KEYMAT for the ENCR_NULL_AUTH_AES_GMAC and
-   AUTH_AES_GMAC MUST be four octets longer than is needed for the
-   associated AES key.  The keying material is used as follows:
-
-   ENCR_NULL_AUTH_AES_GMAC with a 128-bit key and AUTH_AES_128_GMAC
-      The KEYMAT requested for each AES-GMAC key is 20 octets.  The
-      first 16 octets are the 128-bit AES key, and the remaining four
-      octets are used as the salt value in the nonce.
-
-   ENCR_NULL_AUTH_AES_GMAC with a 192-bit key and AUTH_AES_192_GMAC
-      The KEYMAT requested for each AES-GMAC key is 28 octets.  The
-      first 24 octets are the 192-bit AES key, and the remaining four
-      octets are used as the salt value in the nonce.
-
-   ENCR_NULL_AUTH_AES_GMAC with a 256-bit key and AUTH_AES_256_GMAC
-      The KEYMAT requested for each AES-GMAC key is 36 octets.  The
-      first 32 octets are the 256-bit AES key, and the remaining four
-      octets are used as the salt value in the nonce.
-
-6.  Test Vectors
-
-   Appendix B of [GCM] provides test vectors that will assist
-   implementers with AES-GMAC.
-
-
-
-
-
-McGrew & Viega              Standards Track                     [Page 9]
-
-RFC 4543                GMAC in IPsec ESP and AH                May 2006
-
-
-7.  Security Considerations
-
-   Since the authentication coverage is different between AES-GCM-ESP
-   and this specification (see Figure 4), it is worth pointing out that
-   both specifications are secure.  In ENCR_NULL_AUTH_AES_GMAC, the IV
-   is not included in either the plaintext or the additional
-   authenticated data.  This does not adversely affect security, because
-   the IV field only provides an input to the GMAC IV, which is not
-   required to be authenticated (see [GCM]).  In AUTH_AES_GMAC, the IV
-   is included in the additional authenticated data.  This fact has no
-   adverse effect on security; it follows from the property that GMAC is
-   secure even against attacks in which the adversary can manipulate
-   both the IV and the message.  Even an adversary with these powerful
-   capabilities cannot forge an authentication tag for any message
-   (other than one that was submitted to the chosen-message oracle).
-   Since such an adversary could easily choose messages that contain the
-   IVs with which they correspond, there are no security problems with
-   the inclusion of the IV in the AAD.
-
-   GMAC is provably secure against adversaries that can adaptively
-   choose plaintexts, ICVs and the AAD field, under standard
-   cryptographic assumptions (roughly, that the output of the underlying
-   cipher under a randomly chosen key is indistinguishable from a
-   randomly selected output).  Essentially, this means that, if used
-   within its intended parameters, a break of GMAC implies a break of
-   the underlying block cipher.  The proof of security is available in
-   [GCMP].
-
-   The most important security consideration is that the IV never
-   repeats for a given key.  In part, this is handled by disallowing the
-   use of AES-GMAC when using statically configured keys, as discussed
-   in Section 2.
-
-   When IKE is used to establish fresh keys between two peer entities,
-   separate keys are established for the two traffic flows.  If a
-   different mechanism is used to establish fresh keys, one that
-   establishes only a single key to protect packets, then there is a
-   high probability that the peers will select the same IV values for
-   some packets.  Thus, to avoid counter block collisions, ESP or AH
-   implementations that permit use of the same key for protecting
-   packets with the same peer MUST ensure that the two peers assign
-   different salt values to the security association (SA).
-
-   The other consideration is that, as with any block cipher mode of
-   operation, the security of all data protected under a given security
-   association decreases slightly with each message.
-
-
-
-
-
-McGrew & Viega              Standards Track                    [Page 10]
-
-RFC 4543                GMAC in IPsec ESP and AH                May 2006
-
-
-   To protect against this problem, implementations MUST generate a
-   fresh key before processing 2^64 blocks of data with a given key.
-   Note that it is impossible to reach this limit when using 32-bit
-   Sequence Numbers.
-
-   Note that, for each message, GMAC calls the block cipher only once.
-
-8.  Design Rationale
-
-   This specification was designed to be as similar to AES-GCM-ESP
-   [RFC4106] as possible.  We re-use the design and implementation
-   experience from that specification.  We include all three AES key
-   sizes since AES-GCM-ESP supports all of those sizes, and the larger
-   key sizes provide future users with more high-security options.
-
-9.  IANA Considerations
-
-   IANA has assigned the following IKEv2 parameters.  For the use of AES
-   GMAC in AH, the following integrity (type 3) transform identifiers
-   have been assigned:
-
-       "9" for AUTH_AES_128_GMAC
-
-      "10" for AUTH_AES_192_GMAC
-
-      "11" for AUTH_AES_256_GMAC
-
-   For the use of AES-GMAC in ESP, the following encryption (type 1)
-   transform identifier has been assigned:
-
-      "21" for ENCR_NULL_AUTH_AES_GMAC
-
-10.  Acknowledgements
-
-   Our discussions with Fabio Maino and David Black significantly
-   improved this specification, and Tero Kivinen provided us with useful
-   comments.  Steve Kent provided guidance on ESP interactions.  This
-   work is closely modeled after AES-GCM, which itself is closely
-   modeled after Russ Housley's AES-CCM transform [RFC4309].
-   Additionally, the GCM mode of operation was originally conceived as
-   an improvement to the CWC mode [CWC] in which Doug Whiting and Yoshi
-   Kohno participated.  We express our thanks to Fabio, David, Tero,
-   Steve, Russ, Doug, and Yoshi.
-
-
-
-
-
-
-
-
-McGrew & Viega              Standards Track                    [Page 11]
-
-RFC 4543                GMAC in IPsec ESP and AH                May 2006
-
-
-11.  References
-
-11.1.  Normative References
-
-   [GCM]      McGrew, D. and J. Viega, "The Galois/Counter Mode of
-              Operation (GCM)", Submission to NIST. http://
-              csrc.nist.gov/CryptoToolkit/modes/proposedmodes/gcm/
-              gcm-spec.pdf, January 2004.
-
-   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
-              Requirement Levels", BCP 14, RFC 2119, March 1997.
-
-   [RFC3602]  Frankel, S., Glenn, R., and S. Kelly, "The AES-CBC Cipher
-              Algorithm and Its Use with IPsec", RFC 3602, September
-              2003.
-
-11.2.  Informative References
-
-   [CWC]      Kohno, T., Viega, J., and D. Whiting, "CWC: A high-
-              performance conventional authenticated encryption mode",
-              Fast Software Encryption.
-              http://eprint.iacr.org/2003/106.pdf, February 2004.
-
-   [GCMP]     McGrew, D. and J. Viega, "The Security and Performance of
-              the Galois/Counter Mode (GCM)", Proceedings of INDOCRYPT
-              '04, http://eprint.iacr.org/2004/193, December 2004.
-
-   [RFC2409]  Harkins, D. and D. Carrel, "The Internet Key Exchange
-              (IKE)", RFC 2409, November 1998.
-
-   [RFC4106]  Viega, J. and D. McGrew, "The Use of Galois/Counter Mode
-              (GCM) in IPsec Encapsulating Security Payload (ESP)", RFC
-              4106, June 2005.
-
-   [RFC4302]  Kent, S., "IP Authentication Header", RFC 4302, December
-              2005.
-
-   [RFC4303]  Kent, S., "IP Encapsulating Security Payload (ESP)", RFC
-              4303, December 2005.
-
-   [RFC4306]  Kaufman, C., "Internet Key Exchange (IKEv2) Protocol", RFC
-              4306, December 2005.
-
-   [RFC4309]  Housley, R., "Using Advanced Encryption Standard (AES) CCM
-              Mode with IPsec Encapsulating Security Payload (ESP)", RFC
-              4309, December 2005.
-
-
-
-
-
-McGrew & Viega              Standards Track                    [Page 12]
-
-RFC 4543                GMAC in IPsec ESP and AH                May 2006
-
-
-Authors' Addresses
-
-   David A. McGrew
-   Cisco Systems, Inc.
-   510 McCarthy Blvd.
-   Milpitas, CA  95035
-   US
-
-   Phone: (408) 525 8651
-   EMail: mcgrew@cisco.com
-   URI:   http://www.mindspring.com/~dmcgrew/dam.htm
-
-
-   John Viega
-   McAfee, Inc.
-   1145 Herndon Parkway, Suite 500
-   Herndon, VA 20170
-
-   EMail: viega@list.org
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-McGrew & Viega              Standards Track                    [Page 13]
-
-RFC 4543                GMAC in IPsec ESP and AH                May 2006
-
-
-Full Copyright Statement
-
-   Copyright (C) The Internet Society (2006).
-
-   This document is subject to the rights, licenses and restrictions
-   contained in BCP 78, and except as set forth therein, the authors
-   retain all their rights.
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the procedures with respect to rights in RFC documents can be
-   found in BCP 78 and BCP 79.
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
-
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at
-   ietf-ipr@ietf.org.
-
-Acknowledgement
-
-   Funding for the RFC Editor function is provided by the IETF
-   Administrative Support Activity (IASA).
-
-
-
-
-
-
-
-McGrew & Viega              Standards Track                    [Page 14]
-

doc/standards/rfc4739.txt

@@ -1,619 +0,0 @@
-
-
-
-
-
-
-Network Working Group                                          P. Eronen
-Request for Comments: 4739                                         Nokia
-Category: Experimental                                       J. Korhonen
-                                                             TeliaSonera
-                                                           November 2006
-
-
-                   Multiple Authentication Exchanges
-             in the Internet Key Exchange (IKEv2) Protocol
-
-Status of This Memo
-
-   This memo defines an Experimental Protocol for the Internet
-   community.  It does not specify an Internet standard of any kind.
-   Discussion and suggestions for improvement are requested.
-   Distribution of this memo is unlimited.
-
-Copyright Notice
-
-   Copyright (C) The IETF Trust (2006).
-
-Abstract
-
-   The Internet Key Exchange (IKEv2) protocol supports several
-   mechanisms for authenticating the parties, including signatures with
-   public-key certificates, shared secrets, and Extensible
-   Authentication Protocol (EAP) methods.  Currently, each endpoint uses
-   only one of these mechanisms to authenticate itself.  This document
-   specifies an extension to IKEv2 that allows the use of multiple
-   authentication exchanges, using either different mechanisms or the
-   same mechanism.  This extension allows, for instance, performing
-   certificate-based authentication of the client host followed by an
-   EAP authentication of the user.  When backend authentication servers
-   are used, they can belong to different administrative domains, such
-   as the network access provider and the service provider.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eronen & Korhonen             Experimental                      [Page 1]
-
-RFC 4739           Multiple Auth. Exchanges in IKEv2       November 2006
-
-
-Table of Contents
-
-   1. Introduction ....................................................3
-      1.1. Usage Scenarios ............................................4
-      1.2. Terminology ................................................5
-   2. Solution ........................................................5
-      2.1. Solution Overview ..........................................5
-      2.2. Example 1: Multiple EAP Authentications ....................6
-      2.3. Example 2: Mixed EAP and Certificate Authentications .......7
-      2.4. Example 3: Multiple Initiator Certificates .................8
-      2.5. Example 4: Multiple Responder Certificates .................8
-   3. Payload Formats .................................................9
-      3.1. MULTIPLE_AUTH_SUPPORTED Notify Payload .....................9
-      3.2. ANOTHER_AUTH_FOLLOWS Notify Payload ........................9
-   4. IANA Considerations .............................................9
-   5. Security Considerations .........................................9
-   6. Acknowledgments ................................................10
-   7. References .....................................................10
-      7.1. Normative References ......................................10
-      7.2. Informative References ....................................10
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eronen & Korhonen             Experimental                      [Page 2]
-
-RFC 4739           Multiple Auth. Exchanges in IKEv2       November 2006
-
-
-1.  Introduction
-
-   IKEv2 [IKEv2] supports several mechanisms for parties involved in the
-   IKE_SA (IKE security association).  These include signatures with
-   public-key certificates, shared secrets, and Extensible
-   Authentication Protocol (EAP) methods.
-
-   Currently, each endpoint uses only one of these mechanisms to
-   authenticate itself.  However, there are scenarios where making the
-   authorization decision in IKEv2 (whether to allow access or not)
-   requires using several of these methods.
-
-   For instance, it may be necessary to authenticate both the host
-   (machine) requesting access, and the user currently using the host.
-   These two authentications would use two separate sets of credentials
-   (such as certificates and associated private keys) and might even use
-   different authentication mechanisms.
-
-   To take another example, when an operator is hosting a Virtual
-   Private Network (VPN) gateway service for a third party, it may be
-   necessary to authenticate the client to both the operator (for
-   billing purposes) and the third party's Authentication,
-   Authorization, and Accounting (AAA) server (for authorizing access to
-   the third party's internal network).
-
-   This document specifies an extension to IKEv2 that allows the use of
-   multiple authentication exchanges, using either different mechanisms
-   or the same mechanism.  This extension allows, for instance,
-   performing certificate-based authentication of the client host
-   followed by an EAP authentication of the user.
-
-   Each authentication exchange requiring communication with backend AAA
-   servers may be directed to different backend AAA servers, located
-   even in different administrative domains.  However, details of the
-   communication between the IKEv2 gateway and the backend
-   authentication servers are beyond the scope of this document.  In
-   particular, this document does not specify any changes to existing
-   AAA protocols, and it does not require the use of any particular AAA
-   protocol.
-
-   In case of several EAP authentications, it is important to notice
-   that they are not a "sequence" (as described in Section 2.1 of
-   [EAP]), but separate independent EAP conversations, which are usually
-   also terminated in different EAP servers.  Multiple authentication
-   methods within a single EAP conversation are still prohibited as
-   described in Section 2.1 of [EAP].  Using multiple independent EAP
-   conversations is similar to the separate Network Access Provider
-   (NAP) and Internet Service Provider (ISP) authentication exchanges
-
-
-
-Eronen & Korhonen             Experimental                      [Page 3]
-
-RFC 4739           Multiple Auth. Exchanges in IKEv2       November 2006
-
-
-   planned for [PANA].  The discovery of the appropriate EAP server for
-   each EAP authentication conversation is based on AAA routing.
-
-1.1.  Usage Scenarios
-
-   Figure 1 shows an example architecture of an operator-hosted VPN
-   scenario that could benefit from a two-phase authentication within
-   the IKEv2 exchange.  First, the client authenticates towards the
-   Network Access Provider (NAP) and gets access to the NAP-hosted VPN
-   gateway.  The first-phase authentication involves the backend AAA
-   server of the NAP.  After the first authentication, the client
-   initiates the second authentication round that also involves the
-   Third Party's backend AAA server.  If both authentications succeed,
-   the required IPsec tunnels are set up and the client can access
-   protected networks behind the Third Party.
-
-
-       Client                         *Network Access Provider*
-     +---------+                    +---------+              +-----+
-     |         |                    |  NAP's  |              | NAP |
-     |Protected|     IPsec SAs      | Tunnel  | AAA Protocol | AAA |
-     |Endpoint |<------------------>|Endpoint |<------------>|Serv/|
-     |         |                    |         |              |Proxy|
-     +---------+                    +---------+              +-----+
-                                       ^                        ^
-                            IPsec or  /                  AAA    |
-                        Leased Line  /                 Protocol |
-                                    /                           |
-                                   v                            |
-                           +---------+    *Third Party*         v
-                           |3rd Party|                       +-----+
-            Protected      | Tunnel  |                       | 3rd |
-               Subnet <----|Endpoint |                       |Party|
-                           |         |                       | AAA |
-                           +---------+                       +-----+
-
-          Figure 1: Two-phase authentication used to gain access to
-          the Third Party network via Network Access Provider.  AAA
-          traffic goes through NAP's AAA server.
-
-   The NAP's AAA server can be used to proxy the AAA traffic to the
-   Third Party's backend AAA server.  Alternatively, the AAA traffic
-   from the NAP's tunnel endpoint could go directly to the Third Party's
-   backend AAA servers.  However, this is more or less an AAA routing
-   issue.
-
-
-
-
-
-
-Eronen & Korhonen             Experimental                      [Page 4]
-
-RFC 4739           Multiple Auth. Exchanges in IKEv2       November 2006
-
-
-1.2.  Terminology
-
-   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
-   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
-   document are to be interpreted as described in [KEYWORDS].
-
-   The terms and abbreviations "authenticator", "backend authentication
-   server", "EAP server", and "peer" in this document are to be
-   interpreted as described in [EAP].
-
-   When messages containing IKEv2 payloads are described, optional
-   payloads are shown in brackets (for instance, "[FOO]"), and a plus
-   sign indicates that a payload can be repeated one or more times (for
-   instance, "FOO+").
-
-2.  Solution
-
-2.1.  Solution Overview
-
-   The peers announce support for this IKEv2 extension by including a
-   MULTIPLE_AUTH_SUPPORTED notification in the IKE_SA_INIT response
-   (responder) and the first IKE_AUTH request (initiator).
-
-   If both peers support this extension, either of them can announce
-   that it wishes to have a second authentication by including an
-   ANOTHER_AUTH_FOLLOWS notification in any IKE_AUTH message that
-   contains an AUTH payload.  This indicates that the peer sending the
-   ANOTHER_AUTH_FOLLOWS wishes to authenticate another set of
-   credentials to the other peer.  The next IKE_AUTH message sent by
-   this peer will contain a second identity payload (IDi or IDr) and
-   starts another authentication exchange.  The IKE_AUTH phase is
-   considered successful only if all the individual authentication
-   exchanges complete successfully.
-
-   It is assumed that both peers know what credentials they want to
-   present; there is no negotiation about, for instance, what type of
-   authentication is to be done.  As in IKEv2, EAP-based authentication
-   is always requested by the initiator (by omitting the AUTH payload).
-
-   The AUTH payloads are calculated as specified in [IKEv2] Sections
-   2.15 and 2.16, where IDi' refers to the latest IDi payload sent by
-   the initiator, and IDr' refers to the latest IDr payload sent by the
-   responder.  If EAP methods that do not generate shared keys are used,
-   it is possible that several AUTH payloads with identical contents are
-   sent.  When such EAP methods are used, the purpose of the AUTH
-   payload is simply to delimit the authentication exchanges, and ensure
-   that the IKE_SA_INIT request/response messages were not modified.
-
-
-
-
-Eronen & Korhonen             Experimental                      [Page 5]
-
-RFC 4739           Multiple Auth. Exchanges in IKEv2       November 2006
-
-
-2.2.  Example 1: Multiple EAP Authentications
-
-   This example shows certificate-based authentication of the responder
-   followed by an EAP authentication exchange (messages 1-10).  When the
-   first EAP exchange is ending (the initiator is sending its AUTH
-   payload), the initiator announces that it wishes to have a second
-   authentication exchange by including an ANOTHER_AUTH_FOLLOWS
-   notification (message 9).
-
-   After this, a second authentication exchange begins.  The initiator
-   sends a new IDi payload but no AUTH payload (message 11), indicating
-   that EAP will be used.  After that, another EAP authentication
-   exchange follows (messages 12-18).
-
-      Initiator                   Responder
-     -----------                 -----------
-      1. HDR, SA, KE, Ni -->
-                             <--  2. HDR, SA, KE, Nr, [CERTREQ],
-                                          N(MULTIPLE_AUTH_SUPPORTED)
-      3. HDR, SK { IDi, [CERTREQ+], [IDr],
-                   SA, TSi, TSr, N(MULTIPLE_AUTH_SUPPORTED) }  -->
-                             <--  4. HDR, SK { IDr, [CERT+], AUTH,
-                                               EAP(Request) }
-      5. HDR, SK { EAP(Response) }  -->
-                             <--  6. HDR, SK { EAP(Request) }
-      7. HDR, SK { EAP(Response) }  -->
-                             <--  8. HDR, SK { EAP(Success) }
-      9. HDR, SK { AUTH,
-                   N(ANOTHER_AUTH_FOLLOWS) }  -->
-                             <--  10. HDR, SK { AUTH }
-      11. HDR, SK { IDi }  -->
-                             <--  12. HDR, SK { EAP(Request) }
-      13. HDR, SK { EAP(Response) }  -->
-                             <--  14. HDR, SK { EAP(Request) }
-      15. HDR, SK { EAP(Response) }  -->
-                             <--  16. HDR, SK { EAP(Success) }
-      17. HDR, SK { AUTH }  -->
-                             <--  18. HDR, SK { AUTH, SA, TSi, TSr }
-
-          Example 1: Certificate-based authentication of the
-          responder, followed by two EAP authentication exchanges.
-
-
-
-
-
-
-
-
-
-
-Eronen & Korhonen             Experimental                      [Page 6]
-
-RFC 4739           Multiple Auth. Exchanges in IKEv2       November 2006
-
-
-2.3.  Example 2: Mixed EAP and Certificate Authentications
-
-   Another example is shown below: here both the initiator and the
-   responder are first authenticated using certificates (or shared
-   secrets); this is followed by an EAP authentication exchange.
-
-      Initiator                   Responder
-     -----------                 -----------
-      1. HDR, SA, KE, Ni -->
-                             <--  2. HDR, SA, KE, Nr, [CERTREQ],
-                                          N(MULTIPLE_AUTH_SUPPORTED)
-      3. HDR, SK { IDi, [CERT+], [CERTREQ+], [IDr], AUTH,
-                   SA, TSi, TSr, N(MULTIPLE_AUTH_SUPPORTED),
-                   N(ANOTHER_AUTH_FOLLOWS) }  -->
-                             <--  4. HDR, SK { IDr, [CERT+], AUTH }
-      5. HDR, SK { IDi }  -->
-                             <--  6. HDR, SK { EAP(Request) }
-      7. HDR, SK { EAP(Response) }  -->
-                             <--  8. HDR, SK { EAP(Request) }
-      9. HDR, SK { EAP(Response) }  -->
-                             <--  10. HDR, SK { EAP(Success) }
-      11. HDR, SK { AUTH }  -->
-                             <--  12. HDR, SK { AUTH, SA, TSi, TSr }
-
-             Example 2: Certificate-based (or shared-secret-based)
-             authentication of the initiator and the responder,
-             followed by an EAP authentication exchange.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eronen & Korhonen             Experimental                      [Page 7]
-
-RFC 4739           Multiple Auth. Exchanges in IKEv2       November 2006
-
-
-2.4.  Example 3: Multiple Initiator Certificates
-
-   This example shows yet another possibility: the initiator has two
-   different certificates (and associated private keys), and
-   authenticates both of them to the responder.
-
-      Initiator                   Responder
-     -----------                 -----------
-      1. HDR, SA, KE, Ni -->
-                             <--  2. HDR, SA, KE, Nr, [CERTREQ],
-                                          N(MULTIPLE_AUTH_SUPPORTED)
-      3. HDR, SK { IDi, [CERT+], [CERTREQ+], [IDr], AUTH,
-                   SA, TSi, TSr, N(MULTIPLE_AUTH_SUPPORTED),
-                   N(ANOTHER_AUTH_FOLLOWS) }  -->
-                             <--  4. HDR, SK { IDr, [CERT+], AUTH }
-      5. HDR, SK { IDi, [CERT+], AUTH }  -->
-                             <--  6. HDR, SK { SA, TSi, TSr }
-
-          Example 3: Two certificate-based authentications of the
-          initiator, and one certificate-based authentication
-          of the responder.
-
-2.5.  Example 4: Multiple Responder Certificates
-
-   This example shows yet another possibility: the responder has two
-   different certificates (and associated private keys), and
-   authenticates both of them to the initiator.
-
-      Initiator                   Responder
-     -----------                 -----------
-      1. HDR, SA, KE, Ni -->
-                             <--  2. HDR, SA, KE, Nr, [CERTREQ],
-                                          N(MULTIPLE_AUTH_SUPPORTED)
-      3. HDR, SK { IDi, [CERT+], [CERTREQ+], [IDr], AUTH,
-                   SA, TSi, TSr, N(MULTIPLE_AUTH_SUPPORTED) }  -->
-                             <--  4. HDR, SK { IDr, [CERT+], AUTH,
-                                               N(ANOTHER_AUTH_FOLLOWS) }
-      5. HDR, SK { }  -->
-                             <--  6. HDR, SK { IDr, [CERT+], AUTH,
-                                               SA, TSi, TSr }
-
-          Example 4: Two certificate-based authentications of the
-          responder, and one certificate-based authentication
-          of the initiator.
-
-
-
-
-
-
-
-Eronen & Korhonen             Experimental                      [Page 8]
-
-RFC 4739           Multiple Auth. Exchanges in IKEv2       November 2006
-
-
-3.  Payload Formats
-
-3.1.  MULTIPLE_AUTH_SUPPORTED Notify Payload
-
-   The MULTIPLE_AUTH_SUPPORTED notification is included in the
-   IKE_SA_INIT response or the first IKE_AUTH request to indicate that
-   the peer supports this specification.  The Notify Message Type is
-   MULTIPLE_AUTH_SUPPORTED (16404).  The Protocol ID and SPI Size fields
-   MUST be set to zero, and there is no data associated with this Notify
-   type.
-
-3.2.  ANOTHER_AUTH_FOLLOWS Notify Payload
-
-   The ANOTHER_AUTH_FOLLOWS notification payload is included in an
-   IKE_AUTH message containing an AUTH payload to indicate that the peer
-   wants to continue with another authentication exchange.  The Notify
-   Message Type is ANOTHER_AUTH_FOLLOWS (16405).  The Protocol ID and
-   SPI Size fields MUST be set to zero, and there is no data associated
-   with this Notify type.
-
-4.  IANA Considerations
-
-   This document defines two new IKEv2 notifications,
-   MULTIPLE_AUTH_SUPPORTED and ANOTHER_AUTH_FOLLOWS, whose values are
-   allocated from the "IKEv2 Notify Message Types" namespace defined in
-   [IKEv2].
-
-   This document does not define any new namespaces to be managed by
-   IANA.
-
-5.  Security Considerations
-
-   Security considerations for IKEv2 are discussed in [IKEv2].  The
-   reader is encouraged to pay special attention to considerations
-   relating to the use of EAP methods that do not generate shared keys.
-   However, the use of multiple authentication exchanges results in at
-   least one new security consideration.
-
-   In normal IKEv2, the responder authenticates the initiator before
-   revealing its identity (except when EAP is used).  When multiple
-   authentication exchanges are used to authenticate the initiator, the
-   responder has to reveal its identity before all of the initiator
-   authentication exchanges have been completed.
-
-
-
-
-
-
-
-
-Eronen & Korhonen             Experimental                      [Page 9]
-
-RFC 4739           Multiple Auth. Exchanges in IKEv2       November 2006
-
-
-6.  Acknowledgments
-
-   The authors would like to thank Bernard Aboba, Jari Arkko, Spencer
-   Dawkins, Lakshminath Dondeti, Henry Haverinen, Russ Housley, Mika
-   Joutsenvirta, Charlie Kaufman, Tero Kivinen, Yoav Nir, Magnus
-   Nystrom, Mohan Parthasarathy, and Juha Savolainen for their valuable
-   comments.
-
-7.  References
-
-7.1.  Normative References
-
-   [IKEv2]     Kaufman, C., "Internet Key Exchange (IKEv2) Protocol",
-               RFC 4306, December 2005.
-
-   [KEYWORDS]  Bradner, S., "Key words for use in RFCs to Indicate
-               Requirement Levels", RFC 2119, March 1997.
-
-7.2.  Informative References
-
-   [EAP]       Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H.
-               Levkowetz, "Extensible Authentication Protocol (EAP)",
-               RFC 3748, June 2004.
-
-   [PANA]      Yegin, A., Ohba, Y., Penno, R., Tsirtsis, G., and C.
-               Wang, "Protocol for Carrying Authentication for Network
-               Access (PANA) Requirements", RFC 4058, May 2005.
-
-Authors' Addresses
-
-   Pasi Eronen
-   Nokia Research Center
-   P.O. Box 407
-   FIN-00045 Nokia Group
-   Finland
-
-   EMail: pasi.eronen@nokia.com
-
-
-   Jouni Korhonen
-   TeliaSonera
-   P.O. Box 970
-   FIN-00051 Sonera
-   Finland
-
-   EMail: jouni.korhonen@teliasonera.com
-
-
-
-
-
-Eronen & Korhonen             Experimental                     [Page 10]
-
-RFC 4739           Multiple Auth. Exchanges in IKEv2       November 2006
-
-
-Full Copyright Statement
-
-   Copyright (C) The IETF Trust (2006).
-
-   This document is subject to the rights, licenses and restrictions
-   contained in BCP 78, and except as set forth therein, the authors
-   retain all their rights.
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST,
-   AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES,
-   EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT
-   THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY
-   IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR
-   PURPOSE.
-
-Intellectual Property
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the procedures with respect to rights in RFC documents can be
-   found in BCP 78 and BCP 79.
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
-
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at
-   ietf-ipr@ietf.org.
-
-Acknowledgement
-
-   Funding for the RFC Editor function is currently provided by the
-   Internet Society.
-
-
-
-
-
-
-Eronen & Korhonen             Experimental                     [Page 11]
-

doc/standards/rfc4806.txt

@@ -1,619 +0,0 @@
-
-
-
-
-
-
-Network Working Group                                           M. Myers
-Request for Comments: 4806                       TraceRoute Security LLC
-Category: Standards Track                                  H. Tschofenig
-                                           Siemens Networks GmbH & Co KG
-                                                           February 2007
-
-
-     Online Certificate Status Protocol (OCSP) Extensions to IKEv2
-
-Status of This Memo
-
-   This document specifies an Internet standards track protocol for the
-   Internet community, and requests discussion and suggestions for
-   improvements.  Please refer to the current edition of the "Internet
-   Official Protocol Standards" (STD 1) for the standardization state
-   and status of this protocol.  Distribution of this memo is unlimited.
-
-Copyright Notice
-
-   Copyright (C) The IETF Trust (2006).
-
-Abstract
-
-   While the Internet Key Exchange Protocol version 2 (IKEv2) supports
-   public key based authentication, the corresponding use of in-band
-   Certificate Revocation Lists (CRL) is problematic due to unbounded
-   CRL size.  The size of an Online Certificate Status Protocol (OCSP)
-   response is however well-bounded and small.  This document defines
-   the "OCSP Content" extension to IKEv2.  A CERTREQ payload with "OCSP
-   Content" identifies zero or more trusted OCSP responders and is a
-   request for inclusion of an OCSP response in the IKEv2 handshake.  A
-   cooperative recipient of such a request responds with a CERT payload
-   containing the appropriate OCSP response.  This content is
-   recognizable via the same "OCSP Content" identifier.
-
-   When certificates are used with IKEv2, the communicating peers need a
-   mechanism to determine the revocation status of the peer's
-   certificate.  OCSP is one such mechanism.  This document applies when
-   OCSP is desired and security policy prevents one of the IKEv2 peers
-   from accessing the relevant OCSP responder directly.  Firewalls are
-   often deployed in a manner that prevents such access by IKEv2 peers
-   outside of an enterprise network.
-
-
-
-
-
-
-
-
-
-Myers & Tschofenig          Standards Track                     [Page 1]
-
-RFC 4806                OCSP Extensions to IKEv2           February 2007
-
-
-Table of Contents
-
-   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  2
-   2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  3
-   3.  Extension Definition . . . . . . . . . . . . . . . . . . . . .  4
-     3.1.  OCSP Request . . . . . . . . . . . . . . . . . . . . . . .  4
-     3.2.  OCSP Response  . . . . . . . . . . . . . . . . . . . . . .  5
-   4.  Extension Requirements . . . . . . . . . . . . . . . . . . . .  5
-     4.1.  Request for OCSP Support . . . . . . . . . . . . . . . . .  5
-     4.2.  Response to OCSP Support . . . . . . . . . . . . . . . . .  6
-   5.  Examples and Discussion  . . . . . . . . . . . . . . . . . . .  6
-     5.1.  Peer to Peer . . . . . . . . . . . . . . . . . . . . . . .  6
-     5.2.  Extended Authentication Protocol (EAP) . . . . . . . . . .  7
-   6.  Security Considerations  . . . . . . . . . . . . . . . . . . .  8
-   7.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . .  9
-   8.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . .  9
-   9.  Normative References . . . . . . . . . . . . . . . . . . . . .  9
-
-1.  Introduction
-
-   Version 2 of the Internet Key Exchange (IKE) protocol [IKEv2]
-   supports a range of authentication mechanisms, including the use of
-   public key based authentication.  Confirmation of certificate
-   reliability is essential in order to achieve the security assurances
-   public key cryptography provides.  One fundamental element of such
-   confirmation is reference to certificate revocation status (see
-   [RFC3280] for additional detail).
-
-   The traditional means of determining certificate revocation status is
-   through the use of Certificate Revocation Lists (CRLs).  IKEv2 allows
-   CRLs to be exchanged in-band via the CERT payload.
-
-   However, CRLs can grow unbounded in size.  Many real-world examples
-   exist to demonstrate the impracticality of including a multi-megabyte
-   file in an IKE exchange.  This constraint is particularly acute in
-   bandwidth-limited environments (e.g., mobile communications).  The
-   net effect is exclusion of in-band CRLs in favor of out-of-band (OOB)
-   acquisition of these data, should they even be used at all.
-
-   Reliance on OOB methods can be further complicated if access to
-   revocation data requires use of IPsec (and therefore IKE) to
-   establish secure and authorized access to the CRLs of an IKE
-   participant.  Such network access deadlock further contributes to a
-   reduced reliance on the status of certificate revocations in favor of
-   blind trust.
-
-
-
-
-
-
-Myers & Tschofenig          Standards Track                     [Page 2]
-
-RFC 4806                OCSP Extensions to IKEv2           February 2007
-
-
-   OCSP [RFC2560] offers a useful alternative.  The size of an OCSP
-   response is bounded and small and therefore suitable for in-band
-   IKEv2 signaling of a certificate's revocation status.
-
-   This document defines an extension to IKEv2 that enables the use of
-   OCSP for in-band signaling of certificate revocation status.  A new
-   content encoding is defined for use in the CERTREQ and CERT payloads.
-   A CERTREQ payload with "OCSP Content" identifies zero or more trusted
-   OCSP responders and is a request for inclusion of an OCSP response in
-   the IKEv2 handshake.  A cooperative recipient of such a request
-   responds with a CERT payload containing the appropriate OCSP
-   response.  This content is recognizable via the same "OCSP Content"
-   identifier.
-
-2.  Terminology
-
-   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
-   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
-   document are to be interpreted as described in RFC 2119 [RFC2119].
-
-   This document defines the following terms:
-
-   OCSP request:
-
-      An OCSP request refers to the CERTREQ payload that contains a new
-      content encoding, referred to as OCSP Content, that conforms to
-      the definition and behavior specified in Section 3.1.
-
-   OCSP response:
-
-      An OCSP response refers to the CERT payload that contains a new
-      content encoding, referred to as OCSP Content, that conforms to
-      the definition and behavior specified in Section 3.2.
-
-   OCSP responder:
-
-      The term OCSP responder refers to the entity that accepts requests
-      from an OCSP client and returns responses as defined in [RFC2560].
-      Note that the OCSP responder does not refer to the party that
-      sends the CERT message.
-
-
-
-
-
-
-
-
-
-
-
-Myers & Tschofenig          Standards Track                     [Page 3]
-
-RFC 4806                OCSP Extensions to IKEv2           February 2007
-
-
-3.  Extension Definition
-
-   With reference to Section 3.6 of [IKEv2], the values for the Cert
-   Encoding field of the CERT payload are extended as follows (see also
-   the IANA Considerations section of this document):
-
-               Certificate Encoding               Value
-               --------------------               -----
-               OCSP Content                        14
-
-3.1.  OCSP Request
-
-   A value of OCSP Content (14) in the Cert Encoding field of a CERTREQ
-   Payload indicates the presence of zero or more OCSP responder
-   certificate hashes in the Certificate Authority field of the CERTREQ
-   payload.  Section 2.2 of [RFC2560] defines responses, which belong to
-   one of the following three groups:
-
-   (a) the CA who issued the certificate
-
-   (b) a Trusted Responder whose public key is trusted by the requester
-
-   (c) a CA Designated Responder (Authorized Responder) who holds a
-       specially marked certificate issued directly by the CA,
-       indicating that the responder may issue OCSP responses for that
-       CA
-
-   In case of (a), the use of hashes in the CERTREQ message is not
-   needed since the OCSP response is signed by the CA who issued the
-   certificate.  In case of (c), the OCSP response is signed by the CA
-   Designated Responder whereby the sender of the CERTREQ message does
-   not know the public key in advance.  The presence of OCSP Content in
-   a CERTREQ message will identify one or more OCSP responders trusted
-   by the sender in case of (b).
-
-   The presence of OCSP Content (14) in a CERTREQ message:
-
-   1.  identifies zero or more OCSP responders trusted by the sender;
-
-   2.  notifies the recipient of sender's support for the OCSP extension
-       to IKEv2; and
-
-   3.  notifies the recipient of sender's desire to receive OCSP
-       confirmation in a subsequent CERT payload.
-
-
-
-
-
-
-
-Myers & Tschofenig          Standards Track                     [Page 4]
-
-RFC 4806                OCSP Extensions to IKEv2           February 2007
-
-
-3.2.  OCSP Response
-
-   A value of OCSP Content (14) in the Cert Encoding field of a CERT
-   Payload indicates the presence of an OCSP response in the Certificate
-   Data field of the CERT payload.
-
-   Correlation between an OCSP response CERT payload and a corresponding
-   CERT payload carrying a certificate can be achieved by matching the
-   OCSP response CertID field to the certificate.  See [RFC2560] for the
-   definition of OCSP response content.
-
-4.  Extension Requirements
-
-4.1.  Request for OCSP Support
-
-   Section 3.7 of [IKEv2] allows for the concatenation of trust anchor
-   hashes as the Certification Authority value of a single CERTREQ
-   message.  There is no means however to indicate which among those
-   hashes, if present, relates to the certificate of a trusted OCSP
-   responder.
-
-   Therefore, an OCSP request, as defined in Section 3.1 above, is
-   transmitted separate from any other CERTREQ payloads in an IKEv2
-   exchange.
-
-   Where it is useful to identify more than one trusted OCSP responder,
-   each such identification SHALL be concatenated in a manner identical
-   to the method documented in Section 3.7 of [IKEv2] regarding the
-   assembly of multiple trust anchor hashes.
-
-   The Certification Authority value in an OCSP request CERTREQ SHALL be
-   computed and produced in a manner identical to that of trust anchor
-   hashes as documented in Section 3.7 of [IKEv2].
-
-   Upon receipt of an OCSP response CERT payload corresponding to a
-   prior OCSP request CERTREQ, the CERTREQ sender SHALL incorporate the
-   OCSP response into path validation logic defined by [RFC3280].
-
-   Note that the lack of an OCSP response CERT payload after sending an
-   OCSP request CERT payload might be an indication that this OCSP
-   extension is not supported.  As a result, it is recommended that
-   nodes be configured to require a response only if it is known that
-   all peers do in fact support this extension.  Otherwise, it is
-   recommended that the nodes be configured to try OCSP and, if there is
-   no response, attempt to determine certificate revocation status by
-   some other means.
-
-
-
-
-
-Myers & Tschofenig          Standards Track                     [Page 5]
-
-RFC 4806                OCSP Extensions to IKEv2           February 2007
-
-
-4.2.  Response to OCSP Support
-
-   Upon receipt of an OCSP request CERTREQ payload, the recipient SHOULD
-   acquire the related OCSP-based assertion and produce and transmit an
-   OCSP response CERT payload corresponding to the certificate needed to
-   verify its signature on IKEv2 payloads.
-
-   An OCSP response CERT payload is transmitted separate from any other
-   CERT payload in an IKEv2 exchange.
-
-   The means by which an OCSP response may be acquired for production of
-   an OCSP response CERT payload is out of scope of this document.
-
-   The Certificate Data field of an OCSP response CERT payload SHALL
-   contain a DER-encoded OCSPResponse structure as defined in [RFC2560].
-
-5.  Examples and Discussion
-
-   This section shows the standard IKEv2 message examples with both
-   peers, the initiator and the responder, using public key based
-   authentication, CERTREQ and CERT payloads.  The first instance
-   corresponds to Section 1.2 of [IKEv2], the illustrations of which are
-   reproduced below for reference.
-
-5.1.  Peer to Peer
-
-   Application of the IKEv2 extensions defined in this document to the
-   peer-to-peer exchange defined in Section 1.2 of [IKEv2] is as
-   follows.  Messages are numbered for ease of reference.
-
-        Initiator                             Responder
-        -----------                           -----------
-   (1)  HDR, SAi1, KEi, Ni              -->
-
-   (2)                                  <-- HDR, SAr1, KEr, Nr,
-                                            CERTREQ(OCSP Request)
-   (3)  HDR, SK {IDi, CERT(certificate),-->
-        CERT(OCSP Response),
-        CERTREQ(OCSP Request),
-        [IDr,] AUTH, SAi2, TSi, TSr}
-
-   (4)                                  <-- HDR, SK {IDr,
-                                            CERT(certificate),
-                                            CERT(OCSP Response),
-                                            AUTH, SAr2, TSi, TSr}
-
-                     OCSP Extensions to Baseline IKEv2
-
-
-
-
-Myers & Tschofenig          Standards Track                     [Page 6]
-
-RFC 4806                OCSP Extensions to IKEv2           February 2007
-
-
-   In (2), Responder sends an OCSP request CERTREQ payload identifying
-   zero or more OCSP responders trusted by the Responder.  In response,
-   Initiator sends in (3) both a CERT payload carrying its certificate
-   and an OCSP response CERT payload covering that certificate.  In (3),
-   Initiator also requests an OCSP response via the OCSP request CERTREQ
-   payload.  In (4), the Responder returns its certificate and a
-   separate OCSP response CERT payload covering that certificate.
-
-   It is important to note that in this scenario, the Responder in (2)
-   does not yet possess the Initiator's certificate and therefore cannot
-   form an OCSP request as defined in [RFC2560].  To bypass this
-   problem, hashes are used as defined in Section 4.1.  In such
-   instances, OCSP Requests are simply index values into these data.
-   Thus, it is easily inferred that OCSP responses can be produced in
-   the absence of a corresponding request (provided that OCSP nonces are
-   not used, see Section 6).
-
-   It is also important in extending IKEv2 toward OCSP in this scenario
-   that the Initiator has certain knowledge that the Responder is
-   capable of and willing to participate in the extension.  Yet the
-   Responder will only trust one or more OCSP responder signatures.
-   These factors motivate the definition of OCSP responder hash
-   extension.
-
-5.2.  Extended Authentication Protocol (EAP)
-
-   Another scenario of pressing interest is the use of EAP to
-   accommodate multiple end users seeking enterprise access to an IPsec
-   gateway.  Note that OCSP is used for the certificate status check of
-   the server side IKEv2 certificate and not for certificates that may
-   be used within EAP methods (either by the EAP peer or the EAP
-   server).  As with the preceding section, the following illustration
-   is extracted from [IKEv2].  In the event of a conflict between this
-   document and [IKEv2] regarding these illustrations, [IKEv2] SHALL
-   dominate.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Myers & Tschofenig          Standards Track                     [Page 7]
-
-RFC 4806                OCSP Extensions to IKEv2           February 2007
-
-
-        Initiator                            Responder
-        -----------                          -----------
-   (1)  HDR, SAi1, KEi, Ni              -->
-   (2)                                  <-- HDR, SAr1, KEr, Nr
-   (3)  HDR, SK {IDi,                   -->
-        CERTREQ(OCSP Request),
-        [IDr,] AUTH, SAi2, TSi, TSr}
-   (4)                                  <-- HDR, SK {IDr,
-                                            CERT(certificate),
-                                            CERT(OCSP Response),
-                                            AUTH, EAP}
-   (5)       HDR, SK {EAP}              -->
-
-   (6)                                  <-- HDR, SK {EAP (success)}
-
-   (7)       HDR, SK {AUTH}             -->
-
-   (8)                                  <-- HDR, SK {AUTH, SAr2, TSi,
-                                            TSr }
-
-                      OCSP Extensions to EAP in IKEv2
-
-   In the EAP scenario, messages (5) through (8) are not relevant to
-   this document.
-
-6.  Security Considerations
-
-   For the reasons noted above, an OCSP request, as defined in Section
-   3.1, is used in place of an OCSP request syntax to trigger production
-   and transmission of an OCSP response.  OCSP, as defined in [RFC2560],
-   may contain a nonce request extension to improve security against
-   replay attacks (see Section 4.4.1 of [RFC2560] for further details).
-   The OCSP request defined by this document cannot accommodate nonces.
-   [RFC2560] deals with this aspect by allowing pre-produced responses.
-
-   [RFC2560] points to this replay vulnerability and indicates: "The use
-   of precomputed responses allows replay attacks in which an old (good)
-   response is replayed prior to its expiration date but after the
-   certificate has been revoked.  Deployments of OCSP should carefully
-   evaluate the benefit of precomputed responses against the probability
-   of a replay attack and the costs associated with its successful
-   execution."  Nodes SHOULD make the required freshness of an OCSP
-   response configurable.
-
-
-
-
-
-
-
-
-Myers & Tschofenig          Standards Track                     [Page 8]
-
-RFC 4806                OCSP Extensions to IKEv2           February 2007
-
-
-7.  IANA Considerations
-
-   This document defines one new field type for use in the IKEv2 Cert
-   Encoding field of the Certificate Payload format.  Official
-   assignment of the "OCSP Content" extension to the Cert Encoding table
-   of Section 3.6 of [IKEv2] has been acquired from IANA.
-
-               Certificate Encoding               Value
-               --------------------               -----
-               OCSP Content                        14
-
-8.  Acknowledgements
-
-   The authors would like to thank Russ Housley for his support.
-   Additionally, we would like to thank Pasi Eronen, Nicolas Williams,
-   Liqiang (Larry) Zhu, Lakshminath Dondeti, and Paul Hoffman for their
-   review.  Pasi gave us invaluable last-call comments.  We would also
-   like to thank Tom Taylor for his Gen-ART review.  Jari Arkko gave us
-   IESG review comments.
-
-9.  Normative References
-
-   [IKEv2]    Kaufman, C., "Internet Key Exchange (IKEv2) Protocol",
-              RFC 4306, December 2005.
-
-   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
-              Requirement Levels", BCP 14, RFC 2119, March 1997.
-
-   [RFC2560]  Myers, M., Ankney, R., Malpani, A., Galperin, S., and C.
-              Adams, "X.509 Internet Public Key Infrastructure Online
-              Certificate Status Protocol - OCSP", RFC 2560, June 1999.
-
-   [RFC3280]  Housley, R., Polk, W., Ford, W., and D. Solo, "Internet
-              X.509 Public Key Infrastructure Certificate and
-              Certificate Revocation List (CRL) Profile", RFC 3280,
-              April 2002.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Myers & Tschofenig          Standards Track                     [Page 9]
-
-RFC 4806                OCSP Extensions to IKEv2           February 2007
-
-
-Authors' Addresses
-
-   Michael Myers
-   TraceRoute Security LLC
-
-   EMail: mmyers@fastq.com
-
-
-   Hannes Tschofenig
-   Siemens Networks GmbH & Co KG
-   Otto-Hahn-Ring 6
-   Munich, Bavaria  81739
-   Germany
-
-   EMail: Hannes.Tschofenig@siemens.com
-   URI:   http://www.tschofenig.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Myers & Tschofenig          Standards Track                    [Page 10]
-
-RFC 4806                OCSP Extensions to IKEv2           February 2007
-
-
-Full Copyright Statement
-
-   Copyright (C) The IETF Trust (2007).
-
-   This document is subject to the rights, licenses and restrictions
-   contained in BCP 78, and except as set forth therein, the authors
-   retain all their rights.
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
-   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
-   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
-   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the procedures with respect to rights in RFC documents can be
-   found in BCP 78 and BCP 79.
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
-
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at
-   ietf-ipr@ietf.org.
-
-Acknowledgement
-
-   Funding for the RFC Editor function is currently provided by the
-   Internet Society.
-
-
-
-
-
-
-
-Myers & Tschofenig          Standards Track                    [Page 11]
-

doc/standards/rfc5998.txt

@@ -1,899 +0,0 @@
-
-
-
-
-
-
-Internet Engineering Task Force (IETF)                         P. Eronen
-Request for Comments: 5998                                   Independent
-Updates: 5996                                              H. Tschofenig
-Category: Standards Track                         Nokia Siemens Networks
-ISSN: 2070-1721                                               Y. Sheffer
-                                                             Independent
-                                                          September 2010
-
-
-           An Extension for EAP-Only Authentication in IKEv2
-
-Abstract
-
-   IKEv2 specifies that Extensible Authentication Protocol (EAP)
-   authentication must be used together with responder authentication
-   based on public key signatures.  This is necessary with old EAP
-   methods that provide only unilateral authentication using, e.g., one-
-   time passwords or token cards.
-
-   This document specifies how EAP methods that provide mutual
-   authentication and key agreement can be used to provide extensible
-   responder authentication for IKEv2 based on methods other than public
-   key signatures.
-
-Status of This Memo
-
-   This is an Internet Standards Track document.
-
-   This document is a product of the Internet Engineering Task Force
-   (IETF).  It represents the consensus of the IETF community.  It has
-   received public review and has been approved for publication by the
-   Internet Engineering Steering Group (IESG).  Further information on
-   Internet Standards is available in Section 2 of RFC 5741.
-
-   Information about the current status of this document, any errata,
-   and how to provide feedback on it may be obtained at
-   http://www.rfc-editor.org/info/rfc5998.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eronen, et al.               Standards Track                    [Page 1]
-
-RFC 5998               Extension for EAP in IKEv2         September 2010
-
-
-Copyright Notice
-
-   Copyright (c) 2010 IETF Trust and the persons identified as the
-   document authors.  All rights reserved.
-
-   This document is subject to BCP 78 and the IETF Trust's Legal
-   Provisions Relating to IETF Documents
-   (http://trustee.ietf.org/license-info) in effect on the date of
-   publication of this document.  Please review these documents
-   carefully, as they describe your rights and restrictions with respect
-   to this document.  Code Components extracted from this document must
-   include Simplified BSD License text as described in Section 4.e of
-   the Trust Legal Provisions and are provided without warranty as
-   described in the Simplified BSD License.
-
-   This document may contain material from IETF Documents or IETF
-   Contributions published or made publicly available before November
-   10, 2008.  The person(s) controlling the copyright in some of this
-   material may not have granted the IETF Trust the right to allow
-   modifications of such material outside the IETF Standards Process.
-   Without obtaining an adequate license from the person(s) controlling
-   the copyright in such materials, this document may not be modified
-   outside the IETF Standards Process, and derivative works of it may
-   not be created outside the IETF Standards Process, except to format
-   it for publication as an RFC or to translate it into languages other
-   than English.
-
-1.  Introduction
-
-   The Extensible Authentication Protocol (EAP), defined in [RFC3748],
-   is an authentication framework that supports multiple authentication
-   mechanisms.  Today, EAP has been implemented at end hosts and routers
-   that connect via switched circuits or dial-up lines using PPP
-   [RFC1661], IEEE 802 wired switches [IEEE8021X], and IEEE 802.11
-   wireless access points [IEEE80211i].
-
-   One of the advantages of the EAP architecture is its flexibility.
-   EAP is used to select a specific authentication mechanism, typically
-   after the authenticator requests more information in order to
-   determine the specific authentication method to be used.  Rather than
-   requiring the authenticator (e.g., wireless LAN access point) to be
-   updated to support each new authentication method, EAP permits the
-   use of a backend authentication server that may implement some or all
-   authentication methods.
-
-
-
-
-
-
-
-Eronen, et al.               Standards Track                    [Page 2]
-
-RFC 5998               Extension for EAP in IKEv2         September 2010
-
-
-   IKEv2 ([RFC4306] and [RFC5996]) is a component of IPsec used for
-   performing mutual authentication and establishing and maintaining
-   Security Associations (SAs) for IPsec ESP and Authentication Header
-   (AH).  In addition to supporting authentication using public key
-   signatures and shared secrets, IKEv2 also supports EAP
-   authentication.
-
-   IKEv2 provides EAP authentication since it was recognized that public
-   key signatures and shared secrets are not flexible enough to meet the
-   requirements of many deployment scenarios.  By using EAP, IKEv2 can
-   leverage existing authentication infrastructure and credential
-   databases, since EAP allows users to choose a method suitable for
-   existing credentials, and also makes separation of the IKEv2
-   responder (VPN gateway) from the EAP authentication endpoint (backend
-   Authentication, Authorization, and Accounting (AAA) server) easier.
-
-   Some older EAP methods are designed for unilateral authentication
-   only (that is, EAP peer to EAP server).  These methods are used in
-   conjunction with IKEv2 public-key-based authentication of the
-   responder to the initiator.  It is expected that this approach is
-   especially useful for "road warrior" VPN gateways that use, for
-   instance, one-time passwords or token cards to authenticate the
-   clients.
-
-   However, most newer EAP methods, such as those typically used with
-   IEEE 802.11i wireless LANs, provide mutual authentication and key
-   agreement.  Currently, IKEv2 specifies that these EAP methods must
-   also be used together with responder authentication based on public
-   key signatures.
-
-   In order for the public key signature authentication of the gateway
-   to be effective, a deployment of Public Key Infrastructure (PKI) is
-   required, which has to include management of trust anchors on all
-   supplicants.  In many environments, this is not realistic, and the
-   security of the gateway public key is the same as the security of a
-   self-signed certificate.  Mutually authenticating EAP methods alone
-   can provide a sufficient level of security in many circumstances, and
-   in fact, in some deployments, IEEE 802.11i uses EAP without any PKI
-   for authenticating the Wireless Local Area Network (WLAN) access
-   points.
-
-   This document specifies how EAP methods that offer mutual
-   authentication and key agreement can be used to provide responder
-   authentication in IKEv2 completely based on EAP.
-
-
-
-
-
-
-
-Eronen, et al.               Standards Track                    [Page 3]
-
-RFC 5998               Extension for EAP in IKEv2         September 2010
-
-
-1.1.  Terminology
-
-   All notation in this protocol extension is taken from [RFC4306].
-
-   Numbered messages refer to the IKEv2 message sequence when using EAP.
-
-   Thus:
-
-   o  Message 1 is the request message of IKE_SA_INIT.
-
-   o  Message 2 is the response message of IKE_SA_INIT.
-
-   o  Message 3 is the first request of IKE_AUTH.
-
-   o  Message 4 is the first response of IKE_AUTH.
-
-   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
-   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
-   document are to be interpreted as described in [RFC2119].
-
-2.  Scenarios
-
-   In this section, we describe two scenarios for extensible
-   authentication within IKEv2.  These scenarios are intended to be
-   illustrative examples rather than specifying how things should be
-   done.
-
-   Figure 1 shows a configuration where the EAP and the IKEv2 endpoints
-   are co-located.  Authenticating the IKEv2 responder using both EAP
-   and public key signatures is redundant.  Offering EAP-based
-   authentication has the advantage that multiple different
-   authentication and key exchange protocols are available with EAP with
-   different security properties (such as strong password-based
-   protocols, protocols offering user identity confidentiality, and many
-   more).
-
-          +------+-----+                            +------------+
-     O    |   IKEv2    |                            |   IKEv2    |
-    /|\   | Initiator  |<---////////////////////--->| Responder  |
-    / \   +------------+          IKEv2             +------------+
-    User  |  EAP Peer  |          Exchange          | EAP Server |
-          +------------+                            +------------+
-
-             Figure 1: EAP and IKEv2 Endpoints Are Co-Located
-
-   Figure 2 shows a typical corporate network access scenario.  The
-   initiator (client) interacts with the responder (VPN gateway) in the
-   corporate network.  The EAP exchange within IKE runs between the
-
-
-
-Eronen, et al.               Standards Track                    [Page 4]
-
-RFC 5998               Extension for EAP in IKEv2         September 2010
-
-
-   client and the home AAA server.  As a result of a successful EAP
-   authentication protocol run, session keys are established and sent
-   from the AAA server to the VPN gateway, and then used to authenticate
-   the IKEv2 SA with AUTH payloads.
-
-   The protocol used between the VPN gateway and AAA server could be,
-   for instance, Diameter [RFC4072] or RADIUS [RFC3579].  See Section 6
-   for related security considerations.
-
-                                +-------------------------------+
-                                |       Corporate network       |
-                                |                               |
-                           +-----------+            +--------+  |
-                           |   IKEv2   |     AAA    |  Home  |  |
-     IKEv2      +////----->+ Responder +<---------->+  AAA   |  |
-     Exchange   /          | (VPN GW)  |  (RADIUS/  | Server |  |
-                /          +-----------+  Diameter) +--------+  |
-                /               |        carrying EAP           |
-                |               |                               |
-                |               +-------------------------------+
-                v
-         +------+-----+
-     o   |   IKEv2    |
-    /|\  | Initiator  |
-    / \  | VPN client |
-   User  +------------+
-
-                    Figure 2: Corporate Network Access
-
-3.  Solution
-
-   IKEv2 specifies that when the EAP method establishes a shared secret
-   key, that key is used by both the initiator and responder to generate
-   an AUTH payload (thus authenticating the IKEv2 SA set up by messages
-   1 and 2).
-
-   When used together with public key responder authentication, the
-   responder is, in effect, authenticated using two different methods:
-   the public key signature AUTH payload in message 4, and the EAP-based
-   AUTH payload later.
-
-   If the initiator does not wish to use public-key-based responder
-   authentication, it includes an EAP_ONLY_AUTHENTICATION notification
-   payload (16417) in message 3.  The Protocol ID and Security Parameter
-   Index (SPI) size fields are set to zero, and there is no additional
-   data associated with this notification.
-
-
-
-
-
-Eronen, et al.               Standards Track                    [Page 5]
-
-RFC 5998               Extension for EAP in IKEv2         September 2010
-
-
-   If the responder supports this notification and chooses to use it, it
-   omits the public-key-based AUTH payload and CERT payloads from
-   message 4.
-
-   If the responder does not support the EAP_ONLY_AUTHENTICATION
-   notification or does not wish to use it, it ignores the notification
-   payload, and includes the AUTH payload in message 4.  In this case,
-   the initiator MUST verify that payload and any associated
-   certificates, as per [RFC4306].
-
-   When receiving message 4, the initiator MUST verify that the proposed
-   EAP method is allowed by this specification, and MUST abort the
-   protocol immediately otherwise.
-
-   Both the initiator and responder MUST verify that the EAP method
-   actually used provided mutual authentication and established a shared
-   secret key.  The AUTH payloads sent after EAP Success MUST use the
-   EAP-generated key, and MUST NOT use SK_pi or SK_pr (see Section 2.15
-   of [RFC5996]).
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eronen, et al.               Standards Track                    [Page 6]
-
-RFC 5998               Extension for EAP in IKEv2         September 2010
-
-
-   An IKEv2 message exchange with this modification is shown below:
-
-      Initiator                   Responder
-     -----------                 -----------
-      HDR, SAi1, KEi, Ni,
-           [N(NAT_DETECTION_SOURCE_IP),
-            N(NAT_DETECTION_DESTINATION_IP)]  -->
-
-                            <--   HDR, SAr1, KEr, Nr, [CERTREQ],
-                                       [N(NAT_DETECTION_SOURCE_IP),
-                                        N(NAT_DETECTION_DESTINATION_IP)]
-
-      HDR, SK { IDi, [IDr], SAi2, TSi, TSr,
-                N(EAP_ONLY_AUTHENTICATION),
-                [CP(CFG_REQUEST)] }  -->
-
-                            <--   HDR, SK { IDr, EAP(Request) }
-
-      HDR, SK { EAP(Response) }  -->
-
-                            <--   HDR, SK { EAP(Request) }
-
-      HDR, SK { EAP(Response) }  -->
-
-                            <--   HDR, SK { EAP(Success) }
-
-      HDR, SK { AUTH }  -->
-
-                            <--   HDR, SK { AUTH, SAr2, TSi, TSr,
-                                            [CP(CFG_REPLY] }
-
-   Note: all notation in the above protocol sequence and elsewhere in
-   this specification is as defined in [RFC4306], and see in particular
-   Sec. 1.2 of [RFC4306] for payload types.
-
-   The NAT detection and Configuration payloads are shown for
-   informative purposes only; they do not change how EAP authentication
-   works.
-
-   An IKE SA that was set up with this extension can be resumed using
-   the mechanism described in [RFC5723].  However, session resumption
-   does not change the authentication method.  Therefore, during the
-   IKE_AUTH exchange of the resumed session, this extension MUST NOT be
-   sent by the initiator.
-
-
-
-
-
-
-
-Eronen, et al.               Standards Track                    [Page 7]
-
-RFC 5998               Extension for EAP in IKEv2         September 2010
-
-
-4.  Safe EAP Methods
-
-   EAP methods to be used with this extension MUST have the following
-   properties:
-
-   1.  The method provides mutual authentication of the peers.
-
-   2.  The method is key-generating.
-
-   3.  The method is resistant to dictionary attacks.
-
-   The authors believe that the following EAP methods are secure when
-   used with the current extension.  The list is not inclusive, and
-   there are likely other safe methods that have not been listed here.
-
-   +-------------------------------+-------------------+---------------+
-   | Method Name                   | Allows Channel    | Reference     |
-   |                               | Binding?          |               |
-   +-------------------------------+-------------------+---------------+
-   | EAP-SIM                       | No                | [RFC4186]     |
-   | EAP-AKA                       | Yes               | [RFC4187]     |
-   | EAP-AKA'                      | Yes               | [RFC5448]     |
-   | EAP-GPSK                      | Yes               | [RFC5433]     |
-   | EAP-pwd                       | No                | [RFC5931]     |
-   | EAP-EKE                       | Yes               | [EMU-EAP-EKE] |
-   | EAP-PAX                       | Yes               | [RFC4746]     |
-   | EAP-SAKE                      | No                | [RFC4763]     |
-   | EAP-SRP                       | No                | [EAP-SRP]     |
-   | EAP-POTP (mutual              | Yes               | [RFC4793]     |
-   | authentication variant)       |                   |               |
-   | EAP-TLS                       | No                | [RFC5216]     |
-   | EAP-FAST                      | No                | [RFC4851]     |
-   | EAP-TTLS                      | No                | [RFC5281]     |
-   +-------------------------------+-------------------+---------------+
-
-   The "Allows channel binding?" column denotes protocols where
-   protected identity information may be sent between the EAP endpoints.
-   This third, optional property of the method provides protection
-   against certain types of attacks (see Section 6.2 for an
-   explanation), and therefore in some scenarios, methods that allow for
-   channel binding are to be preferred.  It is noted that at the time of
-   writing, even when such capabilities are provided, they are not fully
-   specified in an interoperable manner.  In particular, no RFC
-   specifies what identities should be sent under the protection of the
-   channel binding mechanism, or what policy is to be used to correlate
-   identities at the different layers.
-
-
-
-
-
-Eronen, et al.               Standards Track                    [Page 8]
-
-RFC 5998               Extension for EAP in IKEv2         September 2010
-
-
-5.  IANA Considerations
-
-   This document defines a new IKEv2 Notification Payload type,
-   EAP_ONLY_AUTHENTICATION, described in Section 3.  This payload has
-   been assigned the type number 16417 from the "Status Types" range.
-
-6.  Security Considerations
-
-   Security considerations applicable to all EAP methods are discussed
-   in [RFC3748].  The EAP Key Management Framework [RFC5247] deals with
-   issues that arise when EAP is used as a part of a larger system.
-
-6.1.  Authentication of IKEv2 SA
-
-   It is important to note that the IKEv2 SA is not authenticated by
-   just running an EAP conversation: the crucial step is the AUTH
-   payload based on the EAP-generated key.  Thus, EAP methods that do
-   not provide mutual authentication or establish a shared secret key
-   MUST NOT be used with the modifications presented in this document.
-
-6.2.  Authentication with Separated IKEv2 Responder / EAP Server
-
-   As described in Section 2, the EAP conversation can terminate either
-   at the IKEv2 responder or at a backend AAA server.
-
-   If the EAP method is terminated at the IKEv2 responder, then no key
-   transport via the AAA infrastructure is required.  Pre-shared secret
-   and public-key-based authentication offered by IKEv2 is then replaced
-   by a wider range of authentication and key exchange methods.
-
-   However, typically EAP will be used with a backend AAA server.  See
-   [RFC5247] for a more complete discussion of the related security
-   issues; here we provide only a short summary.
-
-   When a backend server is used, there are actually two authentication
-   exchanges: the EAP method between the client and the AAA server, and
-   another authentication between the AAA server and IKEv2 gateway.  The
-   AAA server authenticates the client using the selected EAP method,
-   and they establish a session key.  The AAA server then sends this key
-   to the IKEv2 gateway over a connection authenticated using, e.g.,
-   IPsec or Transport Layer Security (TLS).
-
-   Some EAP methods do not have any concept of pass-through
-   authenticator (e.g., Network Access Server (NAS) or IKEv2 gateway)
-   identity, and these two authentications remain quite independent of
-   each other.  That is, after the client has verified the AUTH payload
-   sent by the IKEv2 gateway, it knows that it is talking to SOME
-   gateway trusted by the home AAA server, but not which one.  The
-
-
-
-Eronen, et al.               Standards Track                    [Page 9]
-
-RFC 5998               Extension for EAP in IKEv2         September 2010
-
-
-   situation is somewhat similar if a single cryptographic hardware
-   accelerator, containing a single private key, would be shared between
-   multiple IKEv2 gateways (perhaps in some kind of cluster
-   configuration).  In particular, if one of the gateways is
-   compromised, it can impersonate any of the other gateways towards the
-   user (until the compromise is discovered and access rights revoked).
-
-   In some environments it is not desirable to trust the IKEv2 gateways
-   this much (also known as the "Lying NAS Problem").  EAP methods that
-   provide what is called "connection binding" or "channel binding"
-   transport some identity or identities of the gateway (or WLAN access
-   point / NAS) inside the EAP method.  Then the AAA server can check
-   that it is indeed sending the key to the gateway expected by the
-   client.  A potential solution is described in [EAP-SERVICE], see also
-   [EMU-AAAPAY].
-
-   In some deployment configurations, AAA proxies may be present between
-   the IKEv2 gateway and the backend AAA server.  These AAA proxies MUST
-   be trusted for secure operation, and therefore SHOULD be avoided when
-   possible; see Section 2.3.4 of [RFC4072] and Section 4.3.7 of
-   [RFC3579] for more discussion.
-
-6.3.  Protection of EAP Payloads
-
-   Although the EAP payloads are encrypted and integrity protected with
-   SK_e/SK_a, this does not provide any protection against active
-   attackers.  Until the AUTH payload has been received and verified, a
-   man-in-the-middle can change the KEi/KEr payloads and eavesdrop or
-   modify the EAP payloads.
-
-   In IEEE 802.11i wireless LANs, the EAP payloads are neither encrypted
-   nor integrity protected (by the link layer), so EAP methods are
-   typically designed to take that into account.
-
-   In particular, EAP methods that are vulnerable to dictionary attacks
-   when used in WLANs are still vulnerable (to active attackers) when
-   run inside IKEv2.
-
-   The rules in Section 4 are designed to avoid this potential
-   vulnerability.
-
-
-
-
-
-
-
-
-
-
-
-Eronen, et al.               Standards Track                   [Page 10]
-
-RFC 5998               Extension for EAP in IKEv2         September 2010
-
-
-6.4.  Identities and Authenticated Identities
-
-   When using this protocol, each of the peers sends two identity
-   values:
-
-   1.  An identity contained in the IKE ID payload.
-
-   2.  An identity transferred within the specific EAP method's
-       messages.
-
-   (IKEv2 omits the EAP Identity request/response pair, see Section 3.16
-   of [RFC5996].)  The first identity value can be used by the recipient
-   to route AAA messages and/or to select authentication and EAP types.
-   But it is only the second identity that is directly authenticated by
-   the EAP method.  The reader is referred to Section 2.16 of [RFC5996]
-   regarding the need to base IPsec policy decisions on the
-   authenticated identity.  In the context of the extension described
-   here, this guidance on IPsec policy applies both to the
-   authentication of the client by the gateway and vice versa.
-
-6.5.  User Identity Confidentiality
-
-   IKEv2 provides confidentiality for the initiator identity against
-   passive eavesdroppers, but not against active attackers.  The
-   initiator announces its identity first (in message 3), before the
-   responder has been authenticated.  The usage of EAP in IKEv2 does not
-   change this situation, since the ID payload in message 3 is used
-   instead of the EAP Identity Request/Response exchange.  This is
-   somewhat unfortunate since when EAP is used with public key
-   authentication of the responder, it would be possible to provide
-   active user identity confidentiality for the initiator.
-
-   IKEv2 protects the responder's identity even against active attacks.
-   This property cannot be provided when using EAP.  If public key
-   responder authentication is used in addition to EAP, the responder
-   reveals its identity before authenticating the initiator.  If only
-   EAP is used (as proposed in this document), the situation depends on
-   the EAP method used (in some EAP methods, the server reveals its
-   identity first).
-
-   Hence, if active user identity confidentiality for the responder is
-   required then EAP methods that offer this functionality have to be
-   used (see [RFC3748], Section 7.3).
-
-
-
-
-
-
-
-
-Eronen, et al.               Standards Track                   [Page 11]
-
-RFC 5998               Extension for EAP in IKEv2         September 2010
-
-
-7.  Acknowledgments
-
-   This document borrows some text from [RFC3748], [RFC4306], and
-   [RFC4072].  We would also like to thank Hugo Krawczyk for interesting
-   discussions about this topic, Dan Harkins, and David Harrington for
-   their comments.
-
-8.  References
-
-8.1.  Normative References
-
-   [RFC2119]      Bradner, S., "Key words for use in RFCs to Indicate
-                  Requirement Levels", BCP 14, RFC 2119, March 1997.
-
-   [RFC3748]      Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and
-                  H. Levkowetz, "Extensible Authentication Protocol
-                  (EAP)", RFC 3748, June 2004.
-
-   [RFC4306]      Kaufman, C., "Internet Key Exchange (IKEv2) Protocol",
-                  RFC 4306, December 2005.
-
-   [RFC5723]      Sheffer, Y. and H. Tschofenig, "Internet Key Exchange
-                  Protocol Version 2 (IKEv2) Session Resumption",
-                  RFC 5723, January 2010.
-
-   [RFC5996]      Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen,
-                  "Internet Key Exchange Protocol Version 2 (IKEv2)",
-                  RFC 5996, September 2010.
-
-8.2.  Informative References
-
-   [EAP-SERVICE]  Arkko, J. and P. Eronen, "Authenticated Service
-                  Information for the Extensible Authentication Protocol
-                  (EAP)", Work in Progress, October 2005.
-
-   [EAP-SRP]      Carlson, J., Aboba, B., and H. Haverinen, "EAP SRP-
-                  SHA1 Authentication Protocol", Work in Progress,
-                  July 2001.
-
-   [EMU-AAAPAY]   Clancy, C., Lior, A., Zorn, G., and K. Hoeper, "EAP
-                  Method Support for Transporting AAA Payloads", Work
-                  in Progress, May 2010.
-
-   [EMU-EAP-EKE]  Sheffer, Y., Zorn, G., Tschofenig, H., and S. Fluhrer,
-                  "An EAP Authentication Method Based on the EKE
-                  Protocol", Work in Progress, August 2010.
-
-
-
-
-
-Eronen, et al.               Standards Track                   [Page 12]
-
-RFC 5998               Extension for EAP in IKEv2         September 2010
-
-
-   [IEEE80211i]   Institute of Electrical and Electronics Engineers,
-                  "IEEE Standard for Information technology -
-                  Telecommunications and information exchange between
-                  systems - Local and metropolitan area networks -
-                  Specific requirements - Part 11: Wireless Medium
-                  Access Control (MAC) and Physical Layer (PHY)
-                  specifications: Amendment 6: Medium Access Control
-                  (MAC) Security Enhancements", IEEE Standard 802.11i-
-                  2004, July 2004.
-
-   [IEEE8021X]    Institute of Electrical and Electronics Engineers,
-                  "Local and Metropolitan Area Networks: Port-Based
-                  Network Access Control", IEEE Standard 802.1X-2001,
-                  2001.
-
-   [RFC1661]      Simpson, W., "The Point-to-Point Protocol (PPP)",
-                  STD 51, RFC 1661, July 1994.
-
-   [RFC3579]      Aboba, B. and P. Calhoun, "RADIUS (Remote
-                  Authentication Dial In User Service) Support For
-                  Extensible Authentication Protocol (EAP)", RFC 3579,
-                  September 2003.
-
-   [RFC4072]      Eronen, P., Hiller, T., and G. Zorn, "Diameter
-                  Extensible Authentication Protocol (EAP) Application",
-                  RFC 4072, August 2005.
-
-   [RFC4186]      Haverinen, H. and J. Salowey, "Extensible
-                  Authentication Protocol Method for Global System for
-                  Mobile Communications (GSM) Subscriber Identity
-                  Modules (EAP-SIM)", RFC 4186, January 2006.
-
-   [RFC4187]      Arkko, J. and H. Haverinen, "Extensible Authentication
-                  Protocol Method for 3rd Generation Authentication and
-                  Key Agreement (EAP-AKA)", RFC 4187, January 2006.
-
-   [RFC4746]      Clancy, T. and W. Arbaugh, "Extensible Authentication
-                  Protocol (EAP) Password Authenticated Exchange",
-                  RFC 4746, November 2006.
-
-   [RFC4763]      Vanderveen, M. and H. Soliman, "Extensible
-                  Authentication Protocol Method for Shared-secret
-                  Authentication and Key Establishment (EAP-SAKE)",
-                  RFC 4763, November 2006.
-
-   [RFC4793]      Nystroem, M., "The EAP Protected One-Time Password
-                  Protocol (EAP-POTP)", RFC 4793, February 2007.
-
-
-
-
-Eronen, et al.               Standards Track                   [Page 13]
-
-RFC 5998               Extension for EAP in IKEv2         September 2010
-
-
-   [RFC4851]      Cam-Winget, N., McGrew, D., Salowey, J., and H. Zhou,
-                  "The Flexible Authentication via Secure Tunneling
-                  Extensible Authentication Protocol Method (EAP-FAST)",
-                  RFC 4851, May 2007.
-
-   [RFC5216]      Simon, D., Aboba, B., and R. Hurst, "The EAP-TLS
-                  Authentication Protocol", RFC 5216, March 2008.
-
-   [RFC5247]      Aboba, B., Simon, D., and P. Eronen, "Extensible
-                  Authentication Protocol (EAP) Key Management
-                  Framework", RFC 5247, August 2008.
-
-   [RFC5281]      Funk, P. and S. Blake-Wilson, "Extensible
-                  Authentication Protocol Tunneled Transport Layer
-                  Security Authenticated Protocol Version 0 (EAP-
-                  TTLSv0)", RFC 5281, August 2008.
-
-   [RFC5433]      Clancy, T. and H. Tschofenig, "Extensible
-                  Authentication Protocol - Generalized Pre-Shared Key
-                  (EAP-GPSK) Method", RFC 5433, February 2009.
-
-   [RFC5448]      Arkko, J., Lehtovirta, V., and P. Eronen, "Improved
-                  Extensible Authentication Protocol Method for 3rd
-                  Generation Authentication and Key Agreement (EAP-
-                  AKA')", RFC 5448, May 2009.
-
-   [RFC5931]      Harkins, D. and G. Zorn, "Extensible Authentication
-                  Protocol (EAP) Authentication Using Only A Password",
-                  RFC 5931, August 2010.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eronen, et al.               Standards Track                   [Page 14]
-
-RFC 5998               Extension for EAP in IKEv2         September 2010
-
-
-Appendix A.  Alternative Approaches
-
-   In this section, we list alternatives that have been considered
-   during the work on this document.  We concluded that the solution
-   presented in Section 3 seems to fit better into IKEv2.
-
-A.1.  Ignore AUTH Payload at the Initiator
-
-   With this approach, the initiator simply ignores the AUTH payload in
-   message 4 (but obviously must check the second AUTH payload later!).
-   The main advantage of this approach is that no protocol modifications
-   are required and no signature verification is required.  A
-   significant disadvantage is that the EAP method to be used cannot be
-   selected to take this behavior into account.
-
-   The initiator could signal to the responder (using a notification
-   payload) that it did not verify the first AUTH payload.
-
-A.2.  Unauthenticated Public Keys in AUTH Payload (Message 4)
-
-   Another solution approach suggests the use of unauthenticated public
-   keys in the public key signature AUTH payload (for message 4).
-
-   That is, the initiator verifies the signature in the AUTH payload,
-   but does not verify that the public key indeed belongs to the
-   intended party (using certificates) -- since it doesn't have a PKI
-   that would allow this.  This could be used with X.509 certificates
-   (the initiator ignores all other fields of the certificate except the
-   public key), or "Raw RSA Key" CERT payloads.
-
-   This approach has the advantage that initiators that wish to perform
-   certificate-based responder authentication (in addition to EAP) may
-   do so, without requiring the responder to handle these cases
-   separately.  A disadvantage here, again, is that the EAP method
-   selection cannot take into account the incomplete validation of the
-   responder's certificate.
-
-   If using RSA, the overhead of signature verification is quite small,
-   compared to the g^xy calculation required by the Diffie-Hellman
-   exchange.
-
-A.3.  Using EAP Derived Session Keys for IKEv2
-
-   It has been proposed that when using an EAP method that provides
-   mutual authentication and key agreement, the IKEv2 Diffie-Hellman
-   exchange could also be omitted.  This would mean that the session
-   keys for IPsec SAs established later would rely only on EAP-provided
-   keys.
-
-
-
-Eronen, et al.               Standards Track                   [Page 15]
-
-RFC 5998               Extension for EAP in IKEv2         September 2010
-
-
-   It seems the only benefit of this approach is saving some computation
-   time (g^xy calculation).  This approach requires designing a
-   completely new protocol (which would not resemble IKEv2 anymore); we
-   do not believe that it should be considered.  Nevertheless, we
-   include it for completeness.
-
-Authors' Addresses
-
-   Pasi Eronen
-   Independent
-
-   EMail: pe@iki.fi
-
-
-   Hannes Tschofenig
-   Nokia Siemens Networks
-   Linnoitustie 6
-   Espoo  02600
-   Finland
-
-   Phone: +358 (50) 4871445
-   EMail: Hannes.Tschofenig@gmx.net
-   URI:   http://www.tschofenig.priv.at
-
-
-   Yaron Sheffer
-   Independent
-
-   EMail: yaronf.ietf@gmail.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eronen, et al.               Standards Track                   [Page 16]
-

fuzz/.gitignore

@@ -1,5 +1,7 @@
 fuzz_certs
 fuzz_crls
+fuzz_ocsp_req
+fuzz_ocsp_rsp
 fuzz_ids
 fuzz_pa_tnc
 fuzz_pb_tnc

fuzz/Makefile.am

@@ -11,7 +11,7 @@ AM_CPPFLAGS = @CPPFLAGS@ \
 
 fuzz_ldflags = ${libfuzzer} \
 	$(top_builddir)/src/libstrongswan/.libs/libstrongswan.a \
-	-Wl,-Bstatic -lgmp -Wl,-Bdynamic \
+	-Wl,-Bstatic -lcrypto -Wl,-Bdynamic \
 	@FUZZING_LDFLAGS@
 
 pa_tnc_ldflags = \
@@ -25,7 +25,8 @@ pb_tnc_ldflags = \
 	$(top_builddir)/src/libtncif/.libs/libtncif.a \
 	$(fuzz_ldflags)
 
-FUZZ_TARGETS=fuzz_certs fuzz_crls fuzz_ids fuzz_pa_tnc fuzz_pb_tnc
+FUZZ_TARGETS=fuzz_certs fuzz_crls fuzz_ocsp_req fuzz_ocsp_rsp \
+	fuzz_ids fuzz_pa_tnc fuzz_pb_tnc
 
 all-local: $(FUZZ_TARGETS)
 
@@ -37,6 +38,12 @@ fuzz_certs: fuzz_certs.c ${libfuzzer}
 fuzz_crls: fuzz_crls.c ${libfuzzer}
 	$(CC) $(AM_CPPFLAGS) $(CFLAGS) -o $@ $< $(fuzz_ldflags)
 
+fuzz_ocsp_req: fuzz_ocsp_req.c ${libfuzzer}
+	$(CC) $(AM_CPPFLAGS) $(CFLAGS) -o $@ $< $(fuzz_ldflags)
+
+fuzz_ocsp_rsp: fuzz_ocsp_rsp.c ${libfuzzer}
+	$(CC) $(AM_CPPFLAGS) $(CFLAGS) -o $@ $< $(fuzz_ldflags)
+
 fuzz_ids: fuzz_ids.c ${libfuzzer}
 	$(CC) $(AM_CPPFLAGS) $(CFLAGS) -o $@ $< $(fuzz_ldflags)
 
@@ -53,7 +60,7 @@ libFuzzerLocal_a_LIBADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 check: all
 	for f in $(FUZZ_TARGETS); do \
 		corpus=$${f#fuzz_}; \
-		./$$f $(FUZZING_CORPORA)/$${corpus}/*; \
+		./$$f $(FUZZING_CORPORA)/$${corpus}/* || exit 1; \
 		crashes=$(FUZZING_CORPORA)/$${corpus}-crash; \
-		test ! -d $${crashes} || ./$$f $${crashes}/*; \
+		test ! -d $${crashes} || ./$$f $${crashes}/* || exit 1; \
 	done

fuzz/fuzz_ocsp_req.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014 Andreas Steffen
+ * Copyright (C) 2023 Tobias Brunner
  *
  * Copyright (C) secunet Security Networks AG
  *
@@ -14,30 +14,28 @@
  * for more details.
  */
 
-#include "bliss_huffman_code.h"
+#include <library.h>
+#include <utils/debug.h>
 
-extern bliss_huffman_code_t bliss_huffman_code_1;
-extern bliss_huffman_code_t bliss_huffman_code_3;
-extern bliss_huffman_code_t bliss_huffman_code_4;
+int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len)
+{
+	certificate_t *cert;
+	chunk_t chunk;
 
-/**
- * See header.
- */
-bliss_huffman_code_t* bliss_huffman_code_get_by_id(bliss_param_set_id_t id)
+	dbg_default_set_level(-1);
+	library_init(NULL, "fuzz_ocsp_req");
+	plugin_loader_add_plugindirs(PLUGINDIR, PLUGINS);
+	if (!lib->plugins->load(lib->plugins, PLUGINS))
 	{
-	switch (id)
-	{
-		case BLISS_I:
-		case BLISS_B_I:
-			return &bliss_huffman_code_1;
-		case BLISS_III:
-		case BLISS_B_III:
-			return &bliss_huffman_code_3;
-		case BLISS_IV:
-		case BLISS_B_IV:
-			return &bliss_huffman_code_4;
-		default:
-			return NULL;
-	}
+		return 1;
 	}
 
+	chunk = chunk_create((u_char*)buf, len);
+	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_OCSP_REQUEST,
+							  BUILD_BLOB, chunk, BUILD_END);
+	DESTROY_IF(cert);
+
+	lib->plugins->unload(lib->plugins);
+	library_deinit();
+	return 0;
+}

fuzz/fuzz_ocsp_rsp.c

@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2023 Tobias Brunner
+ *
+ * Copyright (C) secunet Security Networks AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <library.h>
+#include <utils/debug.h>
+
+int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len)
+{
+	certificate_t *cert;
+	chunk_t chunk;
+
+	dbg_default_set_level(-1);
+	library_init(NULL, "fuzz_ocsp_rsp");
+	plugin_loader_add_plugindirs(PLUGINDIR, PLUGINS);
+	if (!lib->plugins->load(lib->plugins, PLUGINS))
+	{
+		return 1;
+	}
+
+	chunk = chunk_create((u_char*)buf, len);
+	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_OCSP_RESPONSE,
+							  BUILD_BLOB, chunk, BUILD_END);
+	DESTROY_IF(cert);
+
+	lib->plugins->unload(lib->plugins);
+	library_deinit();
+	return 0;
+}

init/Makefile.am

@@ -2,10 +2,12 @@
 SUBDIRS =
 
 if USE_LEGACY_SYSTEMD
+if USE_FILE_CONFIG
 if USE_CHARON
   SUBDIRS += systemd-starter
 endif
 endif
+endif
 
 if USE_SYSTEMD
 if USE_SWANCTL

init/systemd-starter/strongswan-starter.service.in

@@ -1,6 +1,7 @@
 [Unit]
 Description=strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
 After=syslog.target network-online.target
+Wants=syslog.target network-online.target
 
 [Service]
 ExecStart=@SBINDIR@/@IPSEC_SCRIPT@ start --nofork

init/systemd/strongswan.service.in

@@ -1,6 +1,7 @@
 [Unit]
 Description=strongSwan IPsec IKEv1/IKEv2 daemon using swanctl
 After=network-online.target
+Wants=network-online.target
 
 [Service]
 Type=notify

m4/macros/host-cpu-c-abi.m4

@@ -0,0 +1,532 @@
+# host-cpu-c-abi.m4
+# serial 20
+dnl Copyright (C) 2002-2025 Free Software Foundation, Inc.
+dnl This file is free software; the Free Software Foundation
+dnl gives unlimited permission to copy and/or distribute it,
+dnl with or without modifications, as long as this notice is preserved.
+dnl This file is offered as-is, without any warranty.
+
+dnl From Bruno Haible and Sam Steingold.
+
+dnl Sets the HOST_CPU variable to the canonical name of the CPU.
+dnl Sets the HOST_CPU_C_ABI variable to the canonical name of the CPU with its
+dnl C language ABI (application binary interface).
+dnl Also defines __${HOST_CPU}__ and __${HOST_CPU_C_ABI}__ as C macros in
+dnl config.h.
+dnl
+dnl This canonical name can be used to select a particular assembly language
+dnl source file that will interoperate with C code on the given host.
+dnl
+dnl For example:
+dnl * 'i386' and 'sparc' are different canonical names, because code for i386
+dnl   will not run on SPARC CPUs and vice versa. They have different
+dnl   instruction sets.
+dnl * 'sparc' and 'sparc64' are different canonical names, because code for
+dnl   'sparc' and code for 'sparc64' cannot be linked together: 'sparc' code
+dnl   contains 32-bit instructions, whereas 'sparc64' code contains 64-bit
+dnl   instructions. A process on a SPARC CPU can be in 32-bit mode or in 64-bit
+dnl   mode, but not both.
+dnl * 'mips' and 'mipsn32' are different canonical names, because they use
+dnl   different argument passing and return conventions for C functions, and
+dnl   although the instruction set of 'mips' is a large subset of the
+dnl   instruction set of 'mipsn32'.
+dnl * 'mipsn32' and 'mips64' are different canonical names, because they use
+dnl   different sizes for the C types like 'int' and 'void *', and although
+dnl   the instruction sets of 'mipsn32' and 'mips64' are the same.
+dnl * The same canonical name is used for different endiannesses. You can
+dnl   determine the endianness through preprocessor symbols:
+dnl   - 'arm': test __ARMEL__.
+dnl   - 'mips', 'mipsn32', 'mips64': test _MIPSEB vs. _MIPSEL.
+dnl   - 'powerpc64': test __BIG_ENDIAN__ vs. __LITTLE_ENDIAN__.
+dnl * The same name 'i386' is used for CPUs of type i386, i486, i586
+dnl   (Pentium), AMD K7, Pentium II, Pentium IV, etc., because
+dnl   - Instructions that do not exist on all of these CPUs (cmpxchg,
+dnl     MMX, SSE, SSE2, 3DNow! etc.) are not frequently used. If your
+dnl     assembly language source files use such instructions, you will
+dnl     need to make the distinction.
+dnl   - Speed of execution of the common instruction set is reasonable across
+dnl     the entire family of CPUs. If you have assembly language source files
+dnl     that are optimized for particular CPU types (like GNU gmp has), you
+dnl     will need to make the distinction.
+dnl   See <https://en.wikipedia.org/wiki/X86_instruction_listings>.
+AC_DEFUN([gl_HOST_CPU_C_ABI],
+[
+  AC_REQUIRE([AC_CANONICAL_HOST])
+  AC_REQUIRE([gl_C_ASM])
+  AC_CACHE_CHECK([host CPU and C ABI], [gl_cv_host_cpu_c_abi],
+    [case "$host_cpu" in
+
+changequote(,)dnl
+       i[34567]86 )
+changequote([,])dnl
+         gl_cv_host_cpu_c_abi=i386
+         ;;
+
+       x86_64 )
+         # On x86_64 systems, the C compiler may be generating code in one of
+         # these ABIs:
+         # - 64-bit instruction set, 64-bit pointers, 64-bit 'long': x86_64.
+         # - 64-bit instruction set, 64-bit pointers, 32-bit 'long': x86_64
+         #   with native Windows (mingw, MSVC).
+         # - 64-bit instruction set, 32-bit pointers, 32-bit 'long': x86_64-x32.
+         # - 32-bit instruction set, 32-bit pointers, 32-bit 'long': i386.
+         AC_COMPILE_IFELSE(
+           [AC_LANG_SOURCE(
+              [[#if (defined __x86_64__ || defined __amd64__ \
+                     || defined _M_X64 || defined _M_AMD64)
+                 int ok;
+                #else
+                 error fail
+                #endif
+              ]])],
+           [AC_COMPILE_IFELSE(
+              [AC_LANG_SOURCE(
+                 [[#if defined __ILP32__ || defined _ILP32
+                    int ok;
+                   #else
+                    error fail
+                   #endif
+                 ]])],
+              [gl_cv_host_cpu_c_abi=x86_64-x32],
+              [gl_cv_host_cpu_c_abi=x86_64])],
+           [gl_cv_host_cpu_c_abi=i386])
+         ;;
+
+changequote(,)dnl
+       alphaev[4-8] | alphaev56 | alphapca5[67] | alphaev6[78] )
+changequote([,])dnl
+         gl_cv_host_cpu_c_abi=alpha
+         ;;
+
+       arm* | aarch64 )
+         # Assume arm with EABI.
+         # On arm64 systems, the C compiler may be generating code in one of
+         # these ABIs:
+         # - aarch64 instruction set, 64-bit pointers, 64-bit 'long': arm64.
+         # - aarch64 instruction set, 32-bit pointers, 32-bit 'long': arm64-ilp32.
+         # - 32-bit instruction set, 32-bit pointers, 32-bit 'long': arm or armhf.
+         AC_COMPILE_IFELSE(
+           [AC_LANG_SOURCE(
+              [[#ifdef __aarch64__
+                 int ok;
+                #else
+                 error fail
+                #endif
+              ]])],
+           [AC_COMPILE_IFELSE(
+              [AC_LANG_SOURCE(
+                [[#if defined __ILP32__ || defined _ILP32
+                   int ok;
+                  #else
+                   error fail
+                  #endif
+                ]])],
+              [gl_cv_host_cpu_c_abi=arm64-ilp32],
+              [gl_cv_host_cpu_c_abi=arm64])],
+           [# Don't distinguish little-endian and big-endian arm, since they
+            # don't require different machine code for simple operations and
+            # since the user can distinguish them through the preprocessor
+            # defines __ARMEL__ vs. __ARMEB__.
+            # But distinguish arm which passes floating-point arguments and
+            # return values in integer registers (r0, r1, ...) - this is
+            # gcc -mfloat-abi=soft or gcc -mfloat-abi=softfp - from arm which
+            # passes them in float registers (s0, s1, ...) and double registers
+            # (d0, d1, ...) - this is gcc -mfloat-abi=hard. GCC 4.6 or newer
+            # sets the preprocessor defines __ARM_PCS (for the first case) and
+            # __ARM_PCS_VFP (for the second case), but older GCC does not.
+            echo 'double ddd; void func (double dd) { ddd = dd; }' > conftest.c
+            # Look for a reference to the register d0 in the .s file.
+            AC_TRY_COMMAND(${CC-cc} $CFLAGS $CPPFLAGS $gl_c_asm_opt conftest.c) >/dev/null 2>&1
+            if LC_ALL=C grep 'd0,' conftest.$gl_asmext >/dev/null; then
+              gl_cv_host_cpu_c_abi=armhf
+            else
+              gl_cv_host_cpu_c_abi=arm
+            fi
+            rm -fr conftest*
+           ])
+         ;;
+
+       hppa1.0 | hppa1.1 | hppa2.0* | hppa64 )
+         # On hppa, the C compiler may be generating 32-bit code or 64-bit
+         # code. In the latter case, it defines _LP64 and __LP64__.
+         AC_COMPILE_IFELSE(
+           [AC_LANG_SOURCE(
+              [[#ifdef __LP64__
+                 int ok;
+                #else
+                 error fail
+                #endif
+              ]])],
+           [gl_cv_host_cpu_c_abi=hppa64],
+           [gl_cv_host_cpu_c_abi=hppa])
+         ;;
+
+       ia64* )
+         # On ia64 on HP-UX, the C compiler may be generating 64-bit code or
+         # 32-bit code. In the latter case, it defines _ILP32.
+         AC_COMPILE_IFELSE(
+           [AC_LANG_SOURCE(
+              [[#ifdef _ILP32
+                 int ok;
+                #else
+                 error fail
+                #endif
+              ]])],
+           [gl_cv_host_cpu_c_abi=ia64-ilp32],
+           [gl_cv_host_cpu_c_abi=ia64])
+         ;;
+
+       mips* )
+         # We should also check for (_MIPS_SZPTR == 64), but gcc keeps this
+         # at 32.
+         AC_COMPILE_IFELSE(
+           [AC_LANG_SOURCE(
+              [[#if defined _MIPS_SZLONG && (_MIPS_SZLONG == 64)
+                 int ok;
+                #else
+                 error fail
+                #endif
+              ]])],
+           [gl_cv_host_cpu_c_abi=mips64],
+           [# In the n32 ABI, _ABIN32 is defined, _ABIO32 is not defined (but
+            # may later get defined by <sgidefs.h>), and _MIPS_SIM == _ABIN32.
+            # In the 32 ABI, _ABIO32 is defined, _ABIN32 is not defined (but
+            # may later get defined by <sgidefs.h>), and _MIPS_SIM == _ABIO32.
+            AC_COMPILE_IFELSE(
+              [AC_LANG_SOURCE(
+                 [[#if (_MIPS_SIM == _ABIN32)
+                    int ok;
+                   #else
+                    error fail
+                   #endif
+                 ]])],
+              [gl_cv_host_cpu_c_abi=mipsn32],
+              [gl_cv_host_cpu_c_abi=mips])])
+         ;;
+
+       powerpc* )
+         # Different ABIs are in use on AIX vs. Mac OS X vs. Linux,*BSD.
+         # No need to distinguish them here; the caller may distinguish
+         # them based on the OS.
+         # On powerpc64 systems, the C compiler may still be generating
+         # 32-bit code. And on powerpc-ibm-aix systems, the C compiler may
+         # be generating 64-bit code.
+         AC_COMPILE_IFELSE(
+           [AC_LANG_SOURCE(
+              [[#if defined __powerpc64__ || defined __LP64__
+                 int ok;
+                #else
+                 error fail
+                #endif
+              ]])],
+           [# On powerpc64, there are two ABIs on Linux: The AIX compatible
+            # one and the ELFv2 one. The latter defines _CALL_ELF=2.
+            AC_COMPILE_IFELSE(
+              [AC_LANG_SOURCE(
+                 [[#if defined _CALL_ELF && _CALL_ELF == 2
+                    int ok;
+                   #else
+                    error fail
+                   #endif
+                 ]])],
+              [gl_cv_host_cpu_c_abi=powerpc64-elfv2],
+              [gl_cv_host_cpu_c_abi=powerpc64])
+           ],
+           [gl_cv_host_cpu_c_abi=powerpc])
+         ;;
+
+       rs6000 )
+         gl_cv_host_cpu_c_abi=powerpc
+         ;;
+
+       riscv32 | riscv64 )
+         # There are 2 architectures (with variants): rv32* and rv64*.
+         AC_COMPILE_IFELSE(
+           [AC_LANG_SOURCE(
+              [[#if __riscv_xlen == 64
+                  int ok;
+                #else
+                  error fail
+                #endif
+              ]])],
+           [cpu=riscv64],
+           [cpu=riscv32])
+         # There are 6 ABIs: ilp32, ilp32f, ilp32d, lp64, lp64f, lp64d.
+         # Size of 'long' and 'void *':
+         AC_COMPILE_IFELSE(
+           [AC_LANG_SOURCE(
+              [[#if defined __LP64__
+                  int ok;
+                #else
+                  error fail
+                #endif
+              ]])],
+           [main_abi=lp64],
+           [main_abi=ilp32])
+         # Float ABIs:
+         # __riscv_float_abi_double:
+         #   'float' and 'double' are passed in floating-point registers.
+         # __riscv_float_abi_single:
+         #   'float' are passed in floating-point registers.
+         # __riscv_float_abi_soft:
+         #   No values are passed in floating-point registers.
+         AC_COMPILE_IFELSE(
+           [AC_LANG_SOURCE(
+              [[#if defined __riscv_float_abi_double
+                  int ok;
+                #else
+                  error fail
+                #endif
+              ]])],
+           [float_abi=d],
+           [AC_COMPILE_IFELSE(
+              [AC_LANG_SOURCE(
+                 [[#if defined __riscv_float_abi_single
+                     int ok;
+                   #else
+                     error fail
+                   #endif
+                 ]])],
+              [float_abi=f],
+              [float_abi=''])
+           ])
+         gl_cv_host_cpu_c_abi="${cpu}-${main_abi}${float_abi}"
+         ;;
+
+       s390* )
+         # On s390x, the C compiler may be generating 64-bit (= s390x) code
+         # or 31-bit (= s390) code.
+         AC_COMPILE_IFELSE(
+           [AC_LANG_SOURCE(
+              [[#if defined __LP64__ || defined __s390x__
+                  int ok;
+                #else
+                  error fail
+                #endif
+              ]])],
+           [gl_cv_host_cpu_c_abi=s390x],
+           [gl_cv_host_cpu_c_abi=s390])
+         ;;
+
+       sparc | sparc64 )
+         # UltraSPARCs running Linux have `uname -m` = "sparc64", but the
+         # C compiler still generates 32-bit code.
+         AC_COMPILE_IFELSE(
+           [AC_LANG_SOURCE(
+              [[#if defined __sparcv9 || defined __arch64__
+                 int ok;
+                #else
+                 error fail
+                #endif
+              ]])],
+           [gl_cv_host_cpu_c_abi=sparc64],
+           [gl_cv_host_cpu_c_abi=sparc])
+         ;;
+
+       *)
+         gl_cv_host_cpu_c_abi="$host_cpu"
+         ;;
+     esac
+    ])
+
+  dnl In most cases, $HOST_CPU and $HOST_CPU_C_ABI are the same.
+  HOST_CPU=`echo "$gl_cv_host_cpu_c_abi" | sed -e 's/-.*//'`
+  HOST_CPU_C_ABI="$gl_cv_host_cpu_c_abi"
+  AC_SUBST([HOST_CPU])
+  AC_SUBST([HOST_CPU_C_ABI])
+
+  # This was
+  #   AC_DEFINE_UNQUOTED([__${HOST_CPU}__])
+  #   AC_DEFINE_UNQUOTED([__${HOST_CPU_C_ABI}__])
+  # earlier, but KAI C++ 3.2d doesn't like this.
+  sed -e 's/-/_/g' >> confdefs.h <<EOF
+#ifndef __${HOST_CPU}__
+#define __${HOST_CPU}__ 1
+#endif
+#ifndef __${HOST_CPU_C_ABI}__
+#define __${HOST_CPU_C_ABI}__ 1
+#endif
+EOF
+  AH_TOP([/* CPU and C ABI indicator */
+#ifndef __i386__
+#undef __i386__
+#endif
+#ifndef __x86_64_x32__
+#undef __x86_64_x32__
+#endif
+#ifndef __x86_64__
+#undef __x86_64__
+#endif
+#ifndef __alpha__
+#undef __alpha__
+#endif
+#ifndef __arm__
+#undef __arm__
+#endif
+#ifndef __armhf__
+#undef __armhf__
+#endif
+#ifndef __arm64_ilp32__
+#undef __arm64_ilp32__
+#endif
+#ifndef __arm64__
+#undef __arm64__
+#endif
+#ifndef __hppa__
+#undef __hppa__
+#endif
+#ifndef __hppa64__
+#undef __hppa64__
+#endif
+#ifndef __ia64_ilp32__
+#undef __ia64_ilp32__
+#endif
+#ifndef __ia64__
+#undef __ia64__
+#endif
+#ifndef __loongarch32__
+#undef __loongarch32__
+#endif
+#ifndef __loongarch64__
+#undef __loongarch64__
+#endif
+#ifndef __m68k__
+#undef __m68k__
+#endif
+#ifndef __mips__
+#undef __mips__
+#endif
+#ifndef __mipsn32__
+#undef __mipsn32__
+#endif
+#ifndef __mips64__
+#undef __mips64__
+#endif
+#ifndef __powerpc__
+#undef __powerpc__
+#endif
+#ifndef __powerpc64__
+#undef __powerpc64__
+#endif
+#ifndef __powerpc64_elfv2__
+#undef __powerpc64_elfv2__
+#endif
+#ifndef __riscv32__
+#undef __riscv32__
+#endif
+#ifndef __riscv64__
+#undef __riscv64__
+#endif
+#ifndef __riscv32_ilp32__
+#undef __riscv32_ilp32__
+#endif
+#ifndef __riscv32_ilp32f__
+#undef __riscv32_ilp32f__
+#endif
+#ifndef __riscv32_ilp32d__
+#undef __riscv32_ilp32d__
+#endif
+#ifndef __riscv64_ilp32__
+#undef __riscv64_ilp32__
+#endif
+#ifndef __riscv64_ilp32f__
+#undef __riscv64_ilp32f__
+#endif
+#ifndef __riscv64_ilp32d__
+#undef __riscv64_ilp32d__
+#endif
+#ifndef __riscv64_lp64__
+#undef __riscv64_lp64__
+#endif
+#ifndef __riscv64_lp64f__
+#undef __riscv64_lp64f__
+#endif
+#ifndef __riscv64_lp64d__
+#undef __riscv64_lp64d__
+#endif
+#ifndef __s390__
+#undef __s390__
+#endif
+#ifndef __s390x__
+#undef __s390x__
+#endif
+#ifndef __sh__
+#undef __sh__
+#endif
+#ifndef __sparc__
+#undef __sparc__
+#endif
+#ifndef __sparc64__
+#undef __sparc64__
+#endif
+])
+
+])
+
+
+dnl Sets the HOST_CPU_C_ABI_32BIT variable to 'yes' if the C language ABI
+dnl (application binary interface) is a 32-bit one, to 'no' if it is a 64-bit
+dnl one.
+dnl This is a simplified variant of gl_HOST_CPU_C_ABI.
+AC_DEFUN([gl_HOST_CPU_C_ABI_32BIT],
+[
+  AC_REQUIRE([AC_CANONICAL_HOST])
+  AC_CACHE_CHECK([32-bit host C ABI], [gl_cv_host_cpu_c_abi_32bit],
+    [case "$host_cpu" in
+
+       # CPUs that only support a 32-bit ABI.
+       arc \
+       | bfin \
+       | cris* \
+       | csky \
+       | epiphany \
+       | ft32 \
+       | h8300 \
+       | m68k \
+       | microblaze | microblazeel \
+       | nds32 | nds32le | nds32be \
+       | nios2 | nios2eb | nios2el \
+       | or1k* \
+       | or32 \
+       | sh | sh[1234] | sh[1234]e[lb] \
+       | tic6x \
+       | xtensa* )
+         gl_cv_host_cpu_c_abi_32bit=yes
+         ;;
+
+       # CPUs that only support a 64-bit ABI.
+changequote(,)dnl
+       alpha | alphaev[4-8] | alphaev56 | alphapca5[67] | alphaev6[78] \
+       | mmix )
+changequote([,])dnl
+         gl_cv_host_cpu_c_abi_32bit=no
+         ;;
+
+       *)
+         if test -n "$gl_cv_host_cpu_c_abi"; then
+           dnl gl_HOST_CPU_C_ABI has already been run. Use its result.
+           case "$gl_cv_host_cpu_c_abi" in
+             i386 | x86_64-x32 | arm | armhf | arm64-ilp32 | hppa | ia64-ilp32 | loongarch32 | mips | mipsn32 | powerpc | riscv*-ilp32* | s390 | sparc)
+               gl_cv_host_cpu_c_abi_32bit=yes ;;
+             x86_64 | alpha | arm64 | aarch64c | hppa64 | ia64 | loongarch64 | mips64 | powerpc64 | powerpc64-elfv2 | riscv*-lp64* | s390x | sparc64 )
+               gl_cv_host_cpu_c_abi_32bit=no ;;
+             *)
+               gl_cv_host_cpu_c_abi_32bit=unknown ;;
+           esac
+         else
+           gl_cv_host_cpu_c_abi_32bit=unknown
+         fi
+         if test $gl_cv_host_cpu_c_abi_32bit = unknown; then
+           AC_COMPILE_IFELSE(
+             [AC_LANG_SOURCE(
+                [[int test_pointer_size[sizeof (void *) - 5];
+                ]])],
+             [gl_cv_host_cpu_c_abi_32bit=no],
+             [gl_cv_host_cpu_c_abi_32bit=yes])
+         fi
+         ;;
+     esac
+    ])
+
+  HOST_CPU_C_ABI_32BIT="$gl_cv_host_cpu_c_abi_32bit"
+])

m4/macros/lib-prefix.m4

@@ -0,0 +1,334 @@
+# lib-prefix.m4
+# serial 23
+dnl Copyright (C) 2001-2005, 2008-2025 Free Software Foundation, Inc.
+dnl This file is free software; the Free Software Foundation
+dnl gives unlimited permission to copy and/or distribute it,
+dnl with or without modifications, as long as this notice is preserved.
+dnl This file is offered as-is, without any warranty.
+
+dnl From Bruno Haible.
+
+dnl AC_LIB_PREFIX adds to the CPPFLAGS and LDFLAGS the flags that are needed
+dnl to access previously installed libraries. The basic assumption is that
+dnl a user will want packages to use other packages he previously installed
+dnl with the same --prefix option.
+dnl This macro is not needed if only AC_LIB_LINKFLAGS is used to locate
+dnl libraries, but is otherwise very convenient.
+AC_DEFUN([AC_LIB_PREFIX],
+[
+  AC_BEFORE([$0], [AC_LIB_LINKFLAGS])
+  AC_REQUIRE([AC_PROG_CC])
+  AC_REQUIRE([AC_CANONICAL_HOST])
+  AC_REQUIRE([AC_LIB_PREPARE_MULTILIB])
+  AC_REQUIRE([AC_LIB_PREPARE_PREFIX])
+  dnl By default, look in $includedir and $libdir.
+  use_additional=yes
+  AC_LIB_WITH_FINAL_PREFIX([
+    eval additional_includedir=\"$includedir\"
+    eval additional_libdir=\"$libdir\"
+  ])
+  AC_ARG_WITH([lib-prefix],
+[[  --with-lib-prefix[=DIR] search for libraries in DIR/include and DIR/lib
+  --without-lib-prefix    don't search for libraries in includedir and libdir]],
+[
+    if test "X$withval" = "Xno"; then
+      use_additional=no
+    else
+      if test "X$withval" = "X"; then
+        AC_LIB_WITH_FINAL_PREFIX([
+          eval additional_includedir=\"$includedir\"
+          eval additional_libdir=\"$libdir\"
+        ])
+      else
+        additional_includedir="$withval/include"
+        additional_libdir="$withval/$acl_libdirstem"
+      fi
+    fi
+])
+  if test $use_additional = yes; then
+    dnl Potentially add $additional_includedir to $CPPFLAGS.
+    dnl But don't add it
+    dnl   1. if it's the standard /usr/include,
+    dnl   2. if it's already present in $CPPFLAGS,
+    dnl   3. if it's /usr/local/include and we are using GCC on Linux,
+    dnl   4. if it doesn't exist as a directory.
+    if test "X$additional_includedir" != "X/usr/include"; then
+      haveit=
+      for x in $CPPFLAGS; do
+        AC_LIB_WITH_FINAL_PREFIX([eval x=\"$x\"])
+        if test "X$x" = "X-I$additional_includedir"; then
+          haveit=yes
+          break
+        fi
+      done
+      if test -z "$haveit"; then
+        if test "X$additional_includedir" = "X/usr/local/include"; then
+          if test -n "$GCC"; then
+            case $host_os in
+              linux* | gnu* | k*bsd*-gnu) haveit=yes;;
+            esac
+          fi
+        fi
+        if test -z "$haveit"; then
+          if test -d "$additional_includedir"; then
+            dnl Really add $additional_includedir to $CPPFLAGS.
+            CPPFLAGS="${CPPFLAGS}${CPPFLAGS:+ }-I$additional_includedir"
+          fi
+        fi
+      fi
+    fi
+    dnl Potentially add $additional_libdir to $LDFLAGS.
+    dnl But don't add it
+    dnl   1. if it's the standard /usr/lib,
+    dnl   2. if it's already present in $LDFLAGS,
+    dnl   3. if it's /usr/local/lib and we are using GCC on Linux,
+    dnl   4. if it doesn't exist as a directory.
+    if test "X$additional_libdir" != "X/usr/$acl_libdirstem"; then
+      haveit=
+      for x in $LDFLAGS; do
+        AC_LIB_WITH_FINAL_PREFIX([eval x=\"$x\"])
+        if test "X$x" = "X-L$additional_libdir"; then
+          haveit=yes
+          break
+        fi
+      done
+      if test -z "$haveit"; then
+        if test "X$additional_libdir" = "X/usr/local/$acl_libdirstem"; then
+          if test -n "$GCC"; then
+            case $host_os in
+              linux*) haveit=yes;;
+            esac
+          fi
+        fi
+        if test -z "$haveit"; then
+          if test -d "$additional_libdir"; then
+            dnl Really add $additional_libdir to $LDFLAGS.
+            LDFLAGS="${LDFLAGS}${LDFLAGS:+ }-L$additional_libdir"
+          fi
+        fi
+      fi
+    fi
+  fi
+])
+
+dnl AC_LIB_PREPARE_PREFIX creates variables acl_final_prefix,
+dnl acl_final_exec_prefix, containing the values to which $prefix and
+dnl $exec_prefix will expand at the end of the configure script.
+AC_DEFUN([AC_LIB_PREPARE_PREFIX],
+[
+  dnl Unfortunately, prefix and exec_prefix get only finally determined
+  dnl at the end of configure.
+  if test "X$prefix" = "XNONE"; then
+    acl_final_prefix="$ac_default_prefix"
+  else
+    acl_final_prefix="$prefix"
+  fi
+  if test "X$exec_prefix" = "XNONE"; then
+    acl_final_exec_prefix='${prefix}'
+  else
+    acl_final_exec_prefix="$exec_prefix"
+  fi
+  acl_saved_prefix="$prefix"
+  prefix="$acl_final_prefix"
+  eval acl_final_exec_prefix=\"$acl_final_exec_prefix\"
+  prefix="$acl_saved_prefix"
+])
+
+dnl AC_LIB_WITH_FINAL_PREFIX([statement]) evaluates statement, with the
+dnl variables prefix and exec_prefix bound to the values they will have
+dnl at the end of the configure script.
+AC_DEFUN([AC_LIB_WITH_FINAL_PREFIX],
+[
+  acl_saved_prefix="$prefix"
+  prefix="$acl_final_prefix"
+  acl_saved_exec_prefix="$exec_prefix"
+  exec_prefix="$acl_final_exec_prefix"
+  $1
+  exec_prefix="$acl_saved_exec_prefix"
+  prefix="$acl_saved_prefix"
+])
+
+dnl AC_LIB_PREPARE_MULTILIB creates
+dnl - a function acl_is_expected_elfclass, that tests whether standard input
+dnl;   has a 32-bit or 64-bit ELF header, depending on the host CPU ABI,
+dnl - 3 variables acl_libdirstem, acl_libdirstem2, acl_libdirstem3, containing
+dnl   the basename of the libdir to try in turn, either "lib" or "lib64" or
+dnl   "lib/64" or "lib32" or "lib/sparcv9" or "lib/amd64" or similar.
+AC_DEFUN([AC_LIB_PREPARE_MULTILIB],
+[
+  dnl There is no formal standard regarding lib, lib32, and lib64.
+  dnl On most glibc systems, the current practice is that on a system supporting
+  dnl 32-bit and 64-bit instruction sets or ABIs, 64-bit libraries go under
+  dnl $prefix/lib64 and 32-bit libraries go under $prefix/lib. However, on
+  dnl Arch Linux based distributions, it's the opposite: 32-bit libraries go
+  dnl under $prefix/lib32 and 64-bit libraries go under $prefix/lib.
+  dnl We determine the compiler's default mode by looking at the compiler's
+  dnl library search path. If at least one of its elements ends in /lib64 or
+  dnl points to a directory whose absolute pathname ends in /lib64, we use that
+  dnl for 64-bit ABIs. Similarly for 32-bit ABIs. Otherwise we use the default,
+  dnl namely "lib".
+  dnl On Solaris systems, the current practice is that on a system supporting
+  dnl 32-bit and 64-bit instruction sets or ABIs, 64-bit libraries go under
+  dnl $prefix/lib/64 (which is a symlink to either $prefix/lib/sparcv9 or
+  dnl $prefix/lib/amd64) and 32-bit libraries go under $prefix/lib.
+  AC_REQUIRE([AC_CANONICAL_HOST])
+  AC_REQUIRE([gl_HOST_CPU_C_ABI_32BIT])
+
+  AC_CACHE_CHECK([for ELF binary format], [gl_cv_elf],
+    [AC_EGREP_CPP([Extensible Linking Format],
+       [#if defined __ELF__ || (defined __linux__ && (defined __EDG__ || defined __SUNPRO_C))
+        Extensible Linking Format
+        #endif
+       ],
+       [gl_cv_elf=yes],
+       [gl_cv_elf=no])
+    ])
+  if test $gl_cv_elf = yes; then
+    # Extract the ELF class of a file (5th byte) in decimal.
+    # Cf. https://en.wikipedia.org/wiki/Executable_and_Linkable_Format#File_header
+    if od -A x < /dev/null >/dev/null 2>/dev/null; then
+      # Use POSIX od.
+      func_elfclass ()
+      {
+        od -A n -t d1 -j 4 -N 1
+      }
+    else
+      # Use BSD hexdump.
+      func_elfclass ()
+      {
+        dd bs=1 count=1 skip=4 2>/dev/null | hexdump -e '1/1 "%3d "'
+        echo
+      }
+    fi
+    # Use 'expr', not 'test', to compare the values of func_elfclass, because on
+    # Solaris 11 OpenIndiana and Solaris 11 OmniOS, the result is 001 or 002,
+    # not 1 or 2.
+changequote(,)dnl
+    case $HOST_CPU_C_ABI_32BIT in
+      yes)
+        # 32-bit ABI.
+        acl_is_expected_elfclass ()
+        {
+          expr "`func_elfclass | sed -e 's/[ 	]//g'`" = 1 > /dev/null
+        }
+        ;;
+      no)
+        # 64-bit ABI.
+        acl_is_expected_elfclass ()
+        {
+          expr "`func_elfclass | sed -e 's/[ 	]//g'`" = 2 > /dev/null
+        }
+        ;;
+      *)
+        # Unknown.
+        acl_is_expected_elfclass ()
+        {
+          :
+        }
+        ;;
+    esac
+changequote([,])dnl
+  else
+    acl_is_expected_elfclass ()
+    {
+      :
+    }
+  fi
+
+  dnl Allow the user to override the result by setting acl_cv_libdirstems.
+  AC_CACHE_CHECK([for the common suffixes of directories in the library search path],
+    [acl_cv_libdirstems],
+    [dnl Try 'lib' first, because that's the default for libdir in GNU, see
+     dnl <https://www.gnu.org/prep/standards/html_node/Directory-Variables.html>.
+     acl_libdirstem=lib
+     acl_libdirstem2=
+     acl_libdirstem3=
+     case "$host_os" in
+       solaris*)
+         dnl See Solaris 10 Software Developer Collection > Solaris 64-bit Developer's Guide > The Development Environment
+         dnl <https://docs.oracle.com/cd/E19253-01/816-5138/dev-env/index.html>.
+         dnl "Portable Makefiles should refer to any library directories using the 64 symbolic link."
+         dnl But we want to recognize the sparcv9 or amd64 subdirectory also if the
+         dnl symlink is missing, so we set acl_libdirstem2 too.
+         if test $HOST_CPU_C_ABI_32BIT = no; then
+           acl_libdirstem2=lib/64
+           case "$host_cpu" in
+             sparc*)        acl_libdirstem3=lib/sparcv9 ;;
+             i*86 | x86_64) acl_libdirstem3=lib/amd64 ;;
+           esac
+         fi
+         ;;
+       netbsd*)
+         dnl On NetBSD/sparc64, there is a 'sparc' subdirectory that contains
+         dnl 32-bit libraries.
+         if test $HOST_CPU_C_ABI_32BIT != no; then
+           case "$host_cpu" in
+             sparc*) acl_libdirstem2=lib/sparc ;;
+           esac
+         fi
+         ;;
+       *)
+         dnl If $CC generates code for a 32-bit ABI, the libraries are
+         dnl surely under $prefix/lib or $prefix/lib32, not $prefix/lib64.
+         dnl Similarly, if $CC generates code for a 64-bit ABI, the libraries
+         dnl are surely under $prefix/lib or $prefix/lib64, not $prefix/lib32.
+         dnl Find the compiler's search path. However, non-system compilers
+         dnl sometimes have odd library search paths. But we can't simply invoke
+         dnl '/usr/bin/gcc -print-search-dirs' because that would not take into
+         dnl account the -m32/-m31 or -m64 options from the $CC or $CFLAGS.
+         searchpath=`(LC_ALL=C $CC $CPPFLAGS $CFLAGS -print-search-dirs) 2>/dev/null \
+                     | sed -n -e 's,^libraries: ,,p' | sed -e 's,^=,,'`
+         if test $HOST_CPU_C_ABI_32BIT != no; then
+           # 32-bit or unknown ABI.
+           if test -d /usr/lib32; then
+             acl_libdirstem2=lib32
+           fi
+         fi
+         if test $HOST_CPU_C_ABI_32BIT != yes; then
+           # 64-bit or unknown ABI.
+           if test -d /usr/lib64; then
+             acl_libdirstem3=lib64
+           fi
+         fi
+         if test -n "$searchpath"; then
+           acl_saved_IFS="${IFS= 	}"; IFS=":"
+           for searchdir in $searchpath; do
+             if test -d "$searchdir"; then
+               case "$searchdir" in
+                 */lib32/ | */lib32 ) acl_libdirstem2=lib32 ;;
+                 */lib64/ | */lib64 ) acl_libdirstem3=lib64 ;;
+                 */../ | */.. )
+                   # Better ignore directories of this form. They are misleading.
+                   ;;
+                 *) searchdir=`cd "$searchdir" && pwd`
+                    case "$searchdir" in
+                      */lib32 ) acl_libdirstem2=lib32 ;;
+                      */lib64 ) acl_libdirstem3=lib64 ;;
+                    esac ;;
+               esac
+             fi
+           done
+           IFS="$acl_saved_IFS"
+           if test $HOST_CPU_C_ABI_32BIT = yes; then
+             # 32-bit ABI.
+             acl_libdirstem3=
+           fi
+           if test $HOST_CPU_C_ABI_32BIT = no; then
+             # 64-bit ABI.
+             acl_libdirstem2=
+           fi
+         fi
+         ;;
+     esac
+     test -n "$acl_libdirstem2" || acl_libdirstem2="$acl_libdirstem"
+     test -n "$acl_libdirstem3" || acl_libdirstem3="$acl_libdirstem"
+     acl_cv_libdirstems="$acl_libdirstem,$acl_libdirstem2,$acl_libdirstem3"
+    ])
+  dnl Decompose acl_cv_libdirstems into acl_libdirstem, acl_libdirstem2, and
+  dnl acl_libdirstem3.
+changequote(,)dnl
+  acl_libdirstem=`echo "$acl_cv_libdirstems" | sed -e 's/,.*//'`
+  acl_libdirstem2=`echo "$acl_cv_libdirstems" | sed -e 's/^[^,]*,//' -e 's/,.*//'`
+  acl_libdirstem3=`echo "$acl_cv_libdirstems" | sed -e 's/^[^,]*,[^,]*,//' -e 's/,.*//'`
+changequote([,])dnl
+])

man/ipsec.conf.5.in

@@ -690,7 +690,7 @@ but for the second authentication round (IKEv2 only).
 .BR leftcert " = <path>"
 the path to the left participant's X.509 certificate. The file can be encoded
 either in PEM or DER format. OpenPGP certificates are supported as well.
-Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP
+Both absolute paths or paths relative to \fI@sysconfdir@/ipsec.d/certs\fP
 are accepted. By default
 .B leftcert
 sets
@@ -871,7 +871,7 @@ prefix in front of 0x or 0s, the public key is expected to be in either
 the RFC 3110 (not the full RR, only RSA key part) or RFC 4253 public key format,
 respectively.
 Also accepted is the path to a file containing the public key in PEM, DER or SSH
-encoding. Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP
+encoding. Both absolute paths or paths relative to \fI@sysconfdir@/ipsec.d/certs\fP
 are accepted.
 .TP
 .BR leftsendcert " = never | no | " ifasked " | always | yes"
@@ -1219,7 +1219,7 @@ of this connection will be used as peer ID.
 .SH "CA SECTIONS"
 These are optional sections that can be used to assign special
 parameters to a Certification Authority (CA). Because the daemons
-automatically import CA certificates from \fI/etc/ipsec.d/cacerts\fP,
+automatically import CA certificates from \fI@sysconfdir@/ipsec.d/cacerts\fP,
 there is no need to explicitly add them with a CA section, unless you
 want to assign special parameters (like a CRL) to a CA.
 .TP
@@ -1235,7 +1235,7 @@ currently can have either the value
 .TP
 .BR cacert " = <path>"
 defines a path to the CA certificate either relative to
-\fI/etc/ipsec.d/cacerts\fP or as an absolute path.
+\fI@sysconfdir@/ipsec.d/cacerts\fP or as an absolute path.
 .br
 A value in the form
 .B %smartcard[<slot nr>[@<module>]]:<keyid>
@@ -1284,7 +1284,7 @@ section are:
 .BR cachecrls " = yes | " no
 if enabled, certificate revocation lists (CRLs) fetched via HTTP or LDAP will
 be cached in
-.I /etc/ipsec.d/crls/
+.I @sysconfdir@/ipsec.d/crls/
 under a unique file name derived from the certification authority's public key.
 .TP
 .BR charondebug " = <debug list>"
@@ -1463,12 +1463,12 @@ time equals zero and, thus, rekeying gets disabled.
 
 .SH FILES
 .nf
-/etc/ipsec.conf
-/etc/ipsec.d/aacerts
-/etc/ipsec.d/acerts
-/etc/ipsec.d/cacerts
-/etc/ipsec.d/certs
-/etc/ipsec.d/crls
+@sysconfdir@/ipsec.conf
+@sysconfdir@/ipsec.d/aacerts
+@sysconfdir@/ipsec.d/acerts
+@sysconfdir@/ipsec.d/cacerts
+@sysconfdir@/ipsec.d/certs
+@sysconfdir@/ipsec.d/crls
 
 .SH SEE ALSO
 strongswan.conf(5), ipsec.secrets(5), ipsec(8)

man/ipsec.secrets.5.in

@@ -15,7 +15,7 @@ Here is an example.
 .LP
 .RS
 .nf
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
+# @sysconfdir@/ipsec.secrets - strongSwan IPsec secrets file
 192.168.0.1 %any : PSK "v+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL"
 
 : RSA moonKey.pem
@@ -140,7 +140,7 @@ is interpreted as Base64 encoded binary data.
 .TQ
 .B : ECDSA <private key file> [ <passphrase> | %prompt ]
 For the private key file both absolute paths or paths relative to
-\fI/etc/ipsec.d/private\fP are accepted. If the private key file is
+\fI@sysconfdir@/ipsec.d/private\fP are accepted. If the private key file is
 encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase
 .B %prompt
 can be used which then causes the daemon to ask the user for the password
@@ -148,7 +148,7 @@ whenever it is required to decrypt the key.
 .TP
 .B : P12 <PKCS#12 file> [ <passphrase> | %prompt ]
 For the PKCS#12 file both absolute paths or paths relative to
-\fI/etc/ipsec.d/private\fP are accepted. If the container is
+\fI@sysconfdir@/ipsec.d/private\fP are accepted. If the container is
 encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase
 .B %prompt
 can be used which then causes the daemon to ask the user for the password
@@ -182,7 +182,7 @@ can be specified, which causes the daemon to ask the user for the pin code.
 .LP
 
 .SH FILES
-/etc/ipsec.secrets
+@sysconfdir@/ipsec.secrets
 .SH SEE ALSO
 ipsec.conf(5), strongswan.conf(5), ipsec(8)
 .br

scripts/.gitignore

@@ -17,3 +17,4 @@ thread_analysis
 tls_test
 timeattack
 os_info
+nist_kem_kat

scripts/Makefile.am

@@ -7,7 +7,7 @@ AM_CPPFLAGS = \
 
 noinst_PROGRAMS = bin2array bin2sql id2sql key2keyid keyid2sql oid2der \
 	thread_analysis dh_speed pubkey_speed crypt_burn hash_burn fetch \
-	dnssec malloc_speed aes-test settings-test timeattack
+	dnssec malloc_speed aes-test settings-test timeattack nist_kem_kat
 
 if USE_TLS
   noinst_PROGRAMS += tls_test
@@ -31,6 +31,7 @@ malloc_speed_SOURCES = malloc_speed.c
 fetch_SOURCES = fetch.c
 dnssec_SOURCES = dnssec.c
 timeattack_SOURCES = timeattack.c
+nist_kem_kat_SOURCES = nist_kem_kat.c
 
 id2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 key2keyid_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
@@ -46,6 +47,7 @@ dnssec_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 aes_test_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 settings_test_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 timeattack_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la $(RTLIB)
+nist_kem_kat_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 
 if USE_IMCV
   AM_CPPFLAGS += -I$(top_srcdir)/src/libimcv

scripts/dh_speed.c

@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2023-2024 Tobias Brunner
  * Copyright (C) 2009 Martin Willi
  *
  * Copyright (C) secunet Security Networks AG
@@ -23,34 +24,10 @@
 
 static void usage()
 {
-	printf("usage: dh_speed plugins rounds group1 [group2 [...]]\n");
+	printf("usage: dh_speed plugins rounds ke1 [ke2 [...]]\n");
 	exit(1);
 }
 
-struct {
-	char *name;
-	key_exchange_method_t group;
-} groups[] = {
-	{"modp768",			MODP_768_BIT},
-	{"modp1024",		MODP_1024_BIT},
-	{"modp1024s160",	MODP_1024_160},
-	{"modp1536",		MODP_1536_BIT},
-	{"modp2048",		MODP_2048_BIT},
-	{"modp2048s224",	MODP_2048_224},
-	{"modp2048s256",	MODP_2048_256},
-	{"modp3072",		MODP_3072_BIT},
-	{"modp4096",		MODP_4096_BIT},
-	{"modp6144",		MODP_6144_BIT},
-	{"modp8192",		MODP_8192_BIT},
-	{"ecp256",			ECP_256_BIT},
-	{"ecp384",			ECP_384_BIT},
-	{"ecp521",			ECP_521_BIT},
-	{"ecp192",			ECP_192_BIT},
-	{"ecp224",			ECP_224_BIT},
-	{"curve25519",		CURVE_25519},
-	{"curve448",		CURVE_448},
-};
-
 static void start_timing(struct timespec *start)
 {
 	clock_gettime(CLOCK_THREAD_CPUTIME_ID, start);
@@ -65,61 +42,71 @@ static double end_timing(struct timespec *start)
 			(end.tv_sec - start->tv_sec) * 1.0;
 }
 
-static void run_test(key_exchange_method_t group, int rounds)
+static void run_test(key_exchange_method_t method, int rounds)
 {
-	key_exchange_t *l[rounds], *r;
-	chunk_t chunk, chunks[rounds], lsecrets[rounds], rsecrets[rounds];
+	key_exchange_t *l[rounds], *r[rounds];
+	chunk_t lpublic[rounds], rpublic[rounds], lsecret[rounds], rsecret[rounds];
 	struct timespec timing;
 	int round;
 
-	r = lib->crypto->create_ke(lib->crypto, group);
-	if (!r)
+	r[0] = lib->crypto->create_ke(lib->crypto, method);
+	if (!r[0])
 	{
-		printf("skipping %N, not supported\n", key_exchange_method_names,
-			   group);
+		fprintf(stderr, "skipping %N, not supported\n", key_exchange_method_names,
+				method);
 		return;
 	}
+	for (round = 1; round < rounds; round++)
+	{
+		r[round] = lib->crypto->create_ke(lib->crypto, method);
+	}
 
-	printf("%N:\t", key_exchange_method_names, group);
+	/* make sure to use the method call order documented in the
+	 * key_exchange_t header file */
+
+	printf("%N:\t", key_exchange_method_names, method);
 
 	start_timing(&timing);
 	for (round = 0; round < rounds; round++)
 	{
-		l[round] = lib->crypto->create_ke(lib->crypto, group);
-		assert(l[round]->get_public_key(l[round], &chunks[round]));
+		l[round] = lib->crypto->create_ke(lib->crypto, method);
+		assert(l[round]->get_public_key(l[round], &lpublic[round]));
 	}
 	printf("A = g^a/s: %8.1f", rounds / end_timing(&timing));
 
-	for (round = 0; round < rounds; round++)
-	{
-		assert(r->set_public_key(r, chunks[round]));
-		assert(r->get_shared_secret(r, &rsecrets[round]));
-		chunk_free(&chunks[round]);
-	}
-
-	assert(r->get_public_key(r, &chunk));
 	start_timing(&timing);
 	for (round = 0; round < rounds; round++)
 	{
-		assert(l[round]->set_public_key(l[round], chunk));
-		assert(l[round]->get_shared_secret(l[round], &lsecrets[round]));
+		assert(r[round]->set_public_key(r[round], lpublic[round]));
+		assert(r[round]->get_public_key(r[round], &rpublic[round]));
+		assert(r[round]->get_shared_secret(r[round], &rsecret[round]));
+	}
+	printf(" | S = A^b/s: %8.1f", rounds / end_timing(&timing));
+
+	start_timing(&timing);
+	for (round = 0; round < rounds; round++)
+	{
+		assert(l[round]->set_public_key(l[round], rpublic[round]));
+		assert(l[round]->get_shared_secret(l[round], &lsecret[round]));
 	}
 	printf(" | S = B^a/s: %8.1f\n", rounds / end_timing(&timing));
-	chunk_free(&chunk);
 
 	for (round = 0; round < rounds; round++)
 	{
-		assert(chunk_equals(rsecrets[round], lsecrets[round]));
-		free(lsecrets[round].ptr);
-		free(rsecrets[round].ptr);
+		assert(chunk_equals(rsecret[round], lsecret[round]));
+		chunk_free(&lsecret[round]);
+		chunk_free(&rsecret[round]);
+		chunk_free(&lpublic[round]);
+		chunk_free(&rpublic[round]);
 		l[round]->destroy(l[round]);
+		r[round]->destroy(r[round]);
 	}
-	r->destroy(r);
 }
 
 int main(int argc, char *argv[])
 {
-	int rounds, i, j;
+	const proposal_token_t *token;
+	int rounds, i;
 
 	if (argc < 4)
 	{
@@ -134,20 +121,19 @@ int main(int argc, char *argv[])
 
 	for (i = 3; i < argc; i++)
 	{
-		bool found = FALSE;
+		token = lib->proposal->get_token(lib->proposal, argv[i]);
+		if (!token)
+		{
+			fprintf(stderr, "KE method '%s' not found\n", argv[i]);
+			return 1;
+		}
+		else if (token->type != KEY_EXCHANGE_METHOD)
+		{
+			fprintf(stderr, "'%s' is not a KE method\n", argv[i]);
+			return 1;
+		}
 
-		for (j = 0; j < countof(groups); j++)
-		{
-			if (streq(groups[j].name, argv[i]))
-			{
-				run_test(groups[j].group, rounds);
-				found = TRUE;
-			}
-		}
-		if (!found)
-		{
-			printf("group %s not found\n", argv[i]);
-		}
+		run_test(token->algorithm, rounds);
 	}
 	return 0;
 }

scripts/dh_speed.sh

@@ -24,8 +24,17 @@ modptest "gcrypt"
 echo "testing openssl"
 modptest "openssl"
 $DIR/dh_speed "openssl" 300 ecp192 ecp192 ecp224 ecp256 ecp384 ecp521 | tail -n 5
+$DIR/dh_speed "openssl" 300 ecp224bp ecp224bp ecp256bp ecp384bp ecp512bp | tail -n 4
+$DIR/dh_speed "openssl" 300 curve25519 curve25519 curve448 | tail -n 2
+
+echo "testing wolfssl"
+modptest "wolfssl"
+$DIR/dh_speed "wolfssl" 300 ecp224 ecp224 ecp256 ecp384 ecp521 | tail -n 4
+$DIR/dh_speed "wolfssl" 300 ecp224bp ecp224bp ecp256bp ecp384bp ecp512bp | tail -n 4
+$DIR/dh_speed "wolfssl" 300 curve25519 curve25519 curve448 | tail -n 2
 
 echo "testing botan"
 modptest "botan"
 $DIR/dh_speed "botan" 300 ecp256 ecp256 ecp384 ecp521 | tail -n 3
+$DIR/dh_speed "botan" 300 ecp256bp ecp256bp ecp384bp ecp512bp | tail -n 3
 $DIR/dh_speed "botan" 300 curve25519 curve25519 | tail -n 1

scripts/git-version

@@ -5,7 +5,7 @@ TARBALL=$SRCDIR/.tarball-git-version
 
 if test -f $TARBALL; then
 	V=$(cat $TARBALL)
-elif test -d $SRCDIR/.git; then
+elif test -e $SRCDIR/.git; then
 	V=$(git -C $SRCDIR describe --exclude 'android-*' --tags HEAD 2>/dev/null)
 fi
 

scripts/nist_kem_kat.c

@@ -0,0 +1,189 @@
+/*
+ * Copyright (C) 2019-2020 Andreas Steffen
+ *
+ * Copyright (C) secunet Security Networks AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <getopt.h>
+#include <errno.h>
+
+#include <library.h>
+
+static void usage(FILE *out, char *name)
+{
+	fprintf(out, "Convert NIST KEM KAT file into struct\n");
+	fprintf(out, "%s [OPTIONS]\n\n", name);
+	fprintf(out, "Options:\n");
+	fprintf(out, "  -h, --help          print this help.\n");
+	fprintf(out, "  -m, --method        KEM method.\n");
+	fprintf(out, "  -c, --count         number of structs (default 4).\n");
+	fprintf(out, "  -i, --in=FILE       request file (default STDIN).\n");
+	fprintf(out, "  -o, --out=FILE      response file (default STDOUT).\n");
+	fprintf(out, "\n");
+}
+
+int main(int argc, char *argv[])
+{
+	FILE *in = stdin;
+	FILE *out = stdout;
+	char line[90000], *method = "", *pos, *eol, *param, *value;
+	size_t param_len, value_len;
+	int count = 4, n;
+
+	library_init(NULL, "nist-kem-kat");
+	atexit(library_deinit);
+
+	while (true)
+	{
+		struct option long_opts[] = {
+			{"help",	no_argument,		NULL,	'h' },
+			{"method",	required_argument,	NULL,	'm' },
+			{"count",	required_argument,	NULL,	'c' },
+			{"in",		required_argument,	NULL,	'i' },
+			{"out",		required_argument,	NULL,	'o' },
+			{0,0,0,0 },
+		};
+		switch (getopt_long(argc, argv, "h:m:c:i:o:", long_opts, NULL))
+		{
+			case EOF:
+				break;
+			case 'h':
+				usage(stdout, argv[0]);
+				return 0;
+			case 'm':
+				method = optarg;
+				continue;
+			case 'c':
+				count = atoi(optarg);
+				continue;
+			case 'i':
+				in = fopen(optarg, "r");
+				if (!in)
+				{
+					fprintf(stderr, "failed to open '%s': %s\n", optarg,
+							strerror(errno));
+					usage(stderr, argv[0]);
+					return 1;
+				}
+				continue;
+			case 'o':
+				out = fopen(optarg, "w");
+				if (!out)
+				{
+					fprintf(stderr, "failed to open '%s': %s\n", optarg,
+							strerror(errno));
+					usage(stderr, argv[0]);
+					return 1;
+				}
+				continue;
+			default:
+				usage(stderr, argv[0]);
+				return 1;
+		}
+		break;
+	}
+
+	while (fgets(line, sizeof(line), in))
+	{
+		pos = strchr(line, '=');
+		if (!pos)
+		{
+			continue;
+		}
+
+		/*remove preceding whitespace from value */
+		value = pos + 1;
+		eol = strchr(value, '\n');
+		if (!eol)
+		{
+			fprintf(stderr, "eol not found\n");
+			break;
+		}
+		value_len = eol - value;
+		while (value_len && *value == ' ')
+		{
+			value++;
+			value_len--;
+		}
+
+		/* remove trailing whitespace from param */
+		param = line;
+		param_len = pos - line;
+		while (param_len && *(--pos) == ' ')
+		{
+			param_len--;
+		}
+		param[param_len] = '\0';
+
+		if (streq(param, "sk"))
+		{
+			continue;
+		}
+
+		if (streq(param, "count"))
+		{
+			if (count == 0)
+			{
+				break;
+			}
+			fprintf(out, "/** count = %.*s */\n", (int)value_len, value);
+			fprintf(out, "{\n");
+			fprintf(out, "\t.method = %s,\n", method);
+			count--;
+		}
+		else
+		{
+			fprintf(out, "\t.%s = chunk_from_chars(", param);
+			n = 0;
+
+			while (value_len > 1)
+			{
+				if (n > 0)
+				{
+					fprintf(out, ",");
+					if (n % 100 == 0)
+					{
+						fprintf(out, " /* %d */\n", n);
+					}
+				}
+				if (n % 10 == 0)
+				{
+					fprintf(out, "\n\t\t");
+				}
+				fprintf(out, "0x%.2s", value);
+				value += 2;
+				value_len -= 2;
+				n++;
+			}
+			fprintf(out, "),\n");
+			if (streq(param, "ss"))
+			{
+				fprintf(out, "},\n");
+			}
+		}
+	}
+
+	if (in != stdin)
+	{
+		fclose(in);
+	}
+	if (out != stdout)
+	{
+		fclose(out);
+	}
+	return 0;
+}

scripts/pubkey_speed.c

@@ -20,12 +20,12 @@
 #include <utils/debug.h>
 #include <credentials/keys/private_key.h>
 
-void start_timing(struct timespec *start)
+static void start_timing(struct timespec *start)
 {
 	clock_gettime(CLOCK_THREAD_CPUTIME_ID, start);
 }
 
-double end_timing(struct timespec *start)
+static double end_timing(struct timespec *start)
 {
 	struct timespec end;
 
@@ -128,7 +128,7 @@ int main(int argc, char *argv[])
 			printf("creating signature failed\n");
 			exit(1);
 		}
-	};
+	}
 	printf("sign()/s: %8.1f   ", rounds / end_timing(&timing));
 
 	public = private->get_public_key(private);

scripts/test.sh

@@ -4,7 +4,7 @@
 build_botan()
 {
 	# same revision used in the build recipe of the testing environment
-	BOTAN_REV=2.19.1
+	BOTAN_REV=3.7.1
 	BOTAN_DIR=$DEPS_BUILD_DIR/botan
 
 	if test -d "$BOTAN_DIR"; then
@@ -21,15 +21,17 @@ build_botan()
 		BOTAN_CONFIG="--without-os-features=threads
 					  --disable-modules=locking_allocator"
 	fi
-	# disable some larger modules we don't need for the tests
+	# disable some larger modules we don't need for the tests and deprecated
+	# ones, except for MD5, which we need for TLS 1.0/1.1
 	BOTAN_CONFIG="$BOTAN_CONFIG --disable-modules=pkcs11,tls,x509,xmss
+				  --disable-deprecated-features --enable-modules=md5
 				  --prefix=$DEPS_PREFIX"
 
 	git clone https://github.com/randombit/botan.git $BOTAN_DIR &&
 	cd $BOTAN_DIR &&
 	git checkout -qf $BOTAN_REV &&
-	python ./configure.py --amalgamation $BOTAN_CONFIG &&
-	make -j4 libs >/dev/null &&
+	./configure.py --amalgamation $BOTAN_CONFIG &&
+	make -j$(nproc) libs >/dev/null &&
 	sudo make install >/dev/null &&
 	sudo ldconfig || exit $?
 	cd -
@@ -37,7 +39,7 @@ build_botan()
 
 build_wolfssl()
 {
-	WOLFSSL_REV=v5.3.0-stable
+	WOLFSSL_REV=v5.8.2-stable
 	WOLFSSL_DIR=$DEPS_BUILD_DIR/wolfssl
 
 	if test -d "$WOLFSSL_DIR"; then
@@ -47,21 +49,22 @@ build_wolfssl()
 	echo "$ build_wolfssl()"
 
 	WOLFSSL_CFLAGS="-DWOLFSSL_PUBLIC_MP -DWOLFSSL_DES_ECB -DHAVE_AES_ECB \
-					-DHAVE_ECC_BRAINPOOL -DWOLFSSL_MIN_AUTH_TAG_SZ=8"
+					-DHAVE_ECC_BRAINPOOL -DWOLFSSL_MIN_AUTH_TAG_SZ=8 \
+					-DRSA_MIN_SIZE=1024"
 	WOLFSSL_CONFIG="--prefix=$DEPS_PREFIX
 					--disable-crypttests --disable-examples
-					--enable-aesccm --enable-aesctr --enable-camellia
+					--enable-aesccm --enable-aesctr --enable-aescfb --enable-camellia
 					--enable-curve25519 --enable-curve448 --enable-des3
 					--enable-ecccustcurves --enable-ed25519 --enable-ed448
-					--enable-keygen --enable-md4 --enable-rsapss --enable-sha3
-					--enable-shake256"
+					--enable-keygen --enable-mlkem --with-max-rsa-bits=8192
+					--enable-md4 --enable-rsapss --enable-sha3 --enable-shake256"
 
 	git clone https://github.com/wolfSSL/wolfssl.git $WOLFSSL_DIR &&
 	cd $WOLFSSL_DIR &&
 	git checkout -qf $WOLFSSL_REV &&
 	./autogen.sh &&
 	./configure C_EXTRA_FLAGS="$WOLFSSL_CFLAGS" $WOLFSSL_CONFIG &&
-	make -j4 >/dev/null &&
+	make -j$(nproc) >/dev/null &&
 	sudo make install >/dev/null &&
 	sudo ldconfig || exit $?
 	cd -
@@ -69,7 +72,7 @@ build_wolfssl()
 
 build_tss2()
 {
-	TSS2_REV=2.4.3
+	TSS2_REV=3.2.3
 	TSS2_PKG=tpm2-tss-$TSS2_REV
 	TSS2_DIR=$DEPS_BUILD_DIR/$TSS2_PKG
 	TSS2_SRC=https://github.com/tpm2-software/tpm2-tss/releases/download/$TSS2_REV/$TSS2_PKG.tar.gz
@@ -83,7 +86,7 @@ build_tss2()
 	curl -L $TSS2_SRC | tar xz -C $DEPS_BUILD_DIR &&
 	cd $TSS2_DIR &&
 	./configure --prefix=$DEPS_PREFIX --disable-doxygen-doc &&
-	make -j4 >/dev/null &&
+	make -j$(nproc) >/dev/null &&
 	sudo make install >/dev/null &&
 	sudo ldconfig || exit $?
 	cd -
@@ -91,32 +94,64 @@ build_tss2()
 
 build_openssl()
 {
-	SSL_REV=3.0.2
-	SSL_PKG=openssl-$SSL_REV
-	SSL_DIR=$DEPS_BUILD_DIR/$SSL_PKG
-	SSL_SRC=https://www.openssl.org/source/$SSL_PKG.tar.gz
+	SSL_REV=openssl-3.6.0
+	SSL_DIR=$DEPS_BUILD_DIR/openssl
 	SSL_INS=$DEPS_PREFIX/ssl
-	SSL_OPT="shared no-tls no-dtls no-ssl3 no-zlib no-comp no-idea no-psk no-srp
-			 no-stdio no-tests enable-rfc3779 enable-ec_nistp_64_gcc_128"
+	SSL_OPT="-d shared no-dtls no-ssl3 no-zlib no-idea no-psk
+			 no-tests enable-rfc3779 enable-ec_nistp_64_gcc_128"
 
 	if test -d "$SSL_DIR"; then
 		return
 	fi
 
-	# insist on compiling with gcc and debug information as symbols are otherwise not found
 	if test "$LEAK_DETECTIVE" = "yes"; then
-		SSL_OPT="$SSL_OPT CC=gcc -d"
+		# insist on compiling with gcc and debug information as symbols are
+		# otherwise not found, but we can disable SRP (see below)
+		SSL_OPT="$SSL_OPT no-srp CC=gcc -d"
+	elif test "$CC" != "clang"; then
+		# when using ASan with clang, llvm-symbolizer is used to resolve symbols
+		# and this tool links libcurl, which in turn requires SRP, so we can
+		# only disable it when not building with clang
+		SSL_OPT="$SSL_OPT no-srp"
 	fi
 
 	echo "$ build_openssl()"
 
-	curl -L $SSL_SRC | tar xz -C $DEPS_BUILD_DIR &&
+	git clone https://github.com/openssl/openssl.git --depth 1 -b $SSL_REV $SSL_DIR || exit $?
+
+	if [ "$TEST" = "android" ]; then
+		OPENSSL_SRC=${SSL_DIR} \
+		NO_DOCKER=1 src/frontends/android/openssl/build.sh || exit $?
+	else
 		cd $SSL_DIR &&
 		./config --prefix=$SSL_INS --openssldir=$SSL_INS --libdir=lib $SSL_OPT &&
-	make -j4 >/dev/null &&
+		make -j$(nproc) >/dev/null &&
 		sudo make install_sw >/dev/null &&
 		sudo ldconfig || exit $?
 		cd -
+	fi
+}
+
+build_awslc()
+{
+	LC_REV=1.61.1
+	LC_PKG=aws-lc-$LC_REV
+	LC_DIR=$DEPS_BUILD_DIR/$LC_PKG
+	LC_SRC=https://github.com/aws/aws-lc/archive/refs/tags/v${LC_REV}.tar.gz
+	LC_BUILD=$LC_DIR/build
+	LC_INS=$DEPS_PREFIX/ssl
+
+	mkdir -p $LC_BUILD
+
+	echo "$ build_awslc()"
+
+	curl -L $LC_SRC | tar xz -C $DEPS_BUILD_DIR || exit $?
+
+	cd $LC_BUILD &&
+	cmake -GNinja -DCMAKE_INSTALL_PREFIX=$LC_INS .. &&
+	ninja &&
+	sudo ninja install || exit $?
+	cd -
 }
 
 use_custom_openssl()
@@ -125,10 +160,51 @@ use_custom_openssl()
 	export LDFLAGS="$LDFLAGS -L$DEPS_PREFIX/ssl/lib"
 	export LD_LIBRARY_PATH="$DEPS_PREFIX/ssl/lib:$LD_LIBRARY_PATH"
 	if test "$1" = "build-deps"; then
+		case "$TEST" in
+			openssl-awslc)
+				build_awslc
+				;;
+			*)
 				build_openssl
+				;;
+		esac
 	fi
 }
 
+system_uses_openssl3()
+{
+	pkg-config --atleast-version=3.0.0 libcrypto
+	return $?
+}
+
+prepare_system_openssl()
+{
+	# On systems that ship OpenSSL 3 (e.g. Ubuntu 22.04+), we require debug
+	# symbols to whitelist leaks
+	if test "$1" = "deps"; then
+		echo "deb http://ddebs.ubuntu.com $(lsb_release -cs) main restricted
+			deb http://ddebs.ubuntu.com $(lsb_release -cs)-updates main restricted
+			deb http://ddebs.ubuntu.com $(lsb_release -cs)-proposed main restricted" | \
+			sudo tee -a /etc/apt/sources.list.d/ddebs.list
+		sudo apt-get install -qq ubuntu-dbgsym-keyring
+		if [ "$ID" = "ubuntu" -a "$VERSION_ID" = "24.04" ]; then
+			DEPS="$DEPS libssl3t64-dbgsym"
+		else
+			DEPS="$DEPS libssl3-dbgsym"
+		fi
+	fi
+	if test "$LEAK_DETECTIVE" = "yes"; then
+		# make sure we can properly whitelist functions with leak detective
+		DEPS="$DEPS binutils-dev"
+		CONFIG="$CONFIG --enable-bfd-backtraces"
+	elif [ "$ID" = "ubuntu" -a "$VERSION_ID" != "24.04" ]; then
+		# with ASan we have to use the (extremely) slow stack unwind as the
+		# shipped version of the library is built with -fomit-frame-pointer
+		export ASAN_OPTIONS=fast_unwind_on_malloc=0
+	fi
+}
+
+: ${SRC_DIR=$PWD}
 : ${BUILD_DIR=$PWD}
 : ${DEPS_BUILD_DIR=$BUILD_DIR/..}
 : ${DEPS_PREFIX=/usr/local}
@@ -143,42 +219,49 @@ TARGET=check
 
 DEPS="libgmp-dev"
 
-CFLAGS="-g -O2 -Wall -Wno-format -Wno-format-security -Wno-pointer-sign -Werror"
+CFLAGS="-g -O2"
 
 case "$TEST" in
 default)
 	# should be the default, but lets make sure
 	CONFIG="--with-printf-hooks=glibc"
+	if system_uses_openssl3; then
+		prepare_system_openssl $1
+	fi
 	;;
 openssl*)
-	CONFIG="--disable-defaults --enable-pki --enable-openssl --enable-pem"
-	export TESTS_PLUGINS="test-vectors pem openssl!"
+	CONFIG="--disable-defaults --enable-pki --enable-openssl --enable-pem --enable-drbg"
+	export TESTS_PLUGINS="test-vectors openssl! pem drbg"
 	DEPS="libssl-dev"
 	if test "$TEST" = "openssl-3"; then
 		DEPS=""
 		use_custom_openssl $1
+	elif test "$TEST" = "openssl-awslc"; then
+		DEPS="cmake ninja-build golang"
+		use_custom_openssl $1
+	elif system_uses_openssl3; then
+		prepare_system_openssl $1
+	else
+		# the kdf plugin is necessary to build against older OpenSSL versions
+		TESTS_PLUGINS="$TESTS_PLUGINS kdf"
 	fi
 	;;
 gcrypt)
-	CONFIG="--disable-defaults --enable-pki --enable-gcrypt --enable-pkcs1 --enable-pkcs8"
-	export TESTS_PLUGINS="test-vectors pkcs1 pkcs8 gcrypt!"
-	if [ "$ID" = "ubuntu" -a "$VERSION_ID" = "20.04" ]; then
+	CONFIG="--disable-defaults --enable-pki --enable-gcrypt --enable-random --enable-pem --enable-pkcs1 --enable-pkcs8 --enable-gcm --enable-hmac --enable-kdf -enable-curve25519 --enable-x509 --enable-constraints"
+	export TESTS_PLUGINS="test-vectors gcrypt! random pem pkcs1 pkcs8 gcm hmac kdf curve25519 x509 constraints"
 	DEPS="libgcrypt20-dev"
-	else
-		DEPS="libgcrypt11-dev"
-	fi
 	;;
 botan)
-	CONFIG="--disable-defaults --enable-pki --enable-botan --enable-pem"
-	export TESTS_PLUGINS="test-vectors pem botan!"
+	CONFIG="--disable-defaults --enable-pki --enable-botan --enable-pem --enable-hmac --enable-x509 --enable-constraints --enable-drbg"
+	export TESTS_PLUGINS="test-vectors botan! pem hmac x509 constraints drbg"
 	DEPS=""
 	if test "$1" = "build-deps"; then
 		build_botan
 	fi
 	;;
 wolfssl)
-	CONFIG="--disable-defaults --enable-pki --enable-wolfssl --enable-pem"
-	export TESTS_PLUGINS="test-vectors pem wolfssl!"
+	CONFIG="--disable-defaults --enable-pki --enable-wolfssl --enable-pem --enable-pkcs1 --enable-pkcs8 --enable-x509 --enable-constraints --enable-drbg"
+	export TESTS_PLUGINS="test-vectors wolfssl! pem pkcs1 pkcs8 x509 constraints drbg"
 	# build with custom options to enable all the features the plugin supports
 	DEPS=""
 	if test "$1" = "build-deps"; then
@@ -187,42 +270,63 @@ wolfssl)
 	;;
 printf-builtin)
 	CONFIG="--with-printf-hooks=builtin"
-	;;
-all|coverage|sonarcloud)
-	if [ "$TEST" = "sonarcloud" ]; then
-		if [ -z "$SONAR_PROJECT" -o -z "$SONAR_ORGANIZATION" -o -z "$SONAR_TOKEN" ]; then
-			echo "The SONAR_PROJECT, SONAR_ORGANIZATION and SONAR_TOKEN" \
-				 "environment variables are required to run this test"
-			exit 1
+	if system_uses_openssl3; then
+		prepare_system_openssl $1
 	fi
+	;;
+all|alpine|codeql|coverage|sonarcloud|no-dbg|no-testable-ke)
+	if [ "$TEST" = "codeql" ]; then
+		# don't run tests, only analyze built code
+		TARGET=
+	fi
+	if [ "$TEST" = "no-dbg" ]; then
+		CFLAGS="$CFLAGS -DDEBUG_LEVEL=-1"
 	fi
 	CONFIG="--enable-all --disable-android-dns --disable-android-log
 			--disable-kernel-pfroute --disable-keychain
 			--disable-lock-profiler --disable-padlock --disable-fuzzing
-			--disable-osx-attr --disable-tkm --disable-uci
+			--disable-osx-attr --disable-tkm
 			--disable-unwind-backtraces
 			--disable-svc --disable-dbghelp-backtraces --disable-socket-win
-			--disable-kernel-wfp --disable-kernel-iph --disable-winhttp
-			--disable-python-eggs-install"
+			--disable-kernel-wfp --disable-kernel-iph --disable-winhttp"
 	# not enabled on the build server
 	CONFIG="$CONFIG --disable-af-alg"
 	if test "$TEST" != "coverage"; then
 		CONFIG="$CONFIG --disable-coverage"
 	else
-		# not actually required but configure checks for it
 		DEPS="$DEPS lcov"
+		TARGET="coverage"
 	fi
-	DEPS="$DEPS libcurl4-gnutls-dev libsoup2.4-dev libunbound-dev libldns-dev
+	if [ "$TEST" = "no-testable-ke" ]; then
+		CONFIG="$CONFIG --without-testable-ke"
+	fi
+	DEPS="$DEPS libcurl4-gnutls-dev libsoup-3.0-dev libunbound-dev libldns-dev
 		  libmysqlclient-dev libsqlite3-dev clearsilver-dev libfcgi-dev
 		  libldap2-dev libpcsclite-dev libpam0g-dev binutils-dev libnm-dev
-		  libgcrypt20-dev libjson-c-dev python3-pip libtspi-dev libsystemd-dev
-		  libselinux1-dev"
-	if [ "$ID" = "ubuntu" -a "$VERSION_ID" = "20.04" ]; then
-		DEPS="$DEPS libiptc-dev"
-	else
-		DEPS="$DEPS iptables-dev python3-setuptools"
+		  libgcrypt20-dev libjson-c-dev libtspi-dev libsystemd-dev
+		  libselinux1-dev libiptc-dev ruby-rubygems python3-build tox"
+	if [ "$ID" = "ubuntu" -a "$VERSION_ID" = "22.04" -a "$1" = "build-deps" ]; then
+		# python3-build is broken on 22.04 with venv (https://bugs.launchpad.net/ubuntu/+source/python-build/+bug/1992108)
+		# while installing python3-virtualenv should help, it doesn't. as even
+		# after uninstalling python3-venv, build prefers the latter
+		sudo python3 -m pip install --upgrade build
+	fi
+	if [ "$TEST" = "alpine" ]; then
+		# override the whole list for alpine
+		DEPS="git gmp-dev openldap-dev curl-dev ldns-dev unbound-dev libsoup3-dev
+			  libxml2-dev tpm2-tss-dev tpm2-tss-sys mariadb-dev wolfssl-dev
+			  libgcrypt-dev botan3-dev pcsc-lite-dev networkmanager-dev
+			  linux-pam-dev iptables-dev libselinux-dev binutils-dev libunwind-dev
+			  ruby py3-setuptools py3-build py3-tox"
+		# musl does not provide backtrace(), so use libunwind
+		CONFIG="$CONFIG --enable-unwind-backtraces"
+		# alpine doesn't have systemd
+		CONFIG="$CONFIG --disable-systemd --disable-cert-enroll-timer"
+		# no TrouSerS either
+		CONFIG="$CONFIG --disable-tss-trousers --disable-aikgen"
+		# and no Clearsilver
+		CONFIG="$CONFIG --disable-fast --disable-manager --disable-medsrv"
 	fi
-	PYDEPS="tox"
 	if test "$1" = "build-deps"; then
 		build_botan
 		build_wolfssl
@@ -236,6 +340,7 @@ win*)
 			--enable-constraints --enable-revocation --enable-pem --enable-pkcs1
 			--enable-pkcs8 --enable-x509 --enable-pubkey --enable-acert
 			--enable-eap-tnc --enable-eap-ttls --enable-eap-identity
+			--enable-eap-radius
 			--enable-updown --enable-ext-auth --enable-libipsec --enable-pkcs11
 			--enable-tnccs-20 --enable-imc-attestation --enable-imv-attestation
 			--enable-imc-os --enable-imv-os --enable-tnc-imv --enable-tnc-imc
@@ -245,17 +350,16 @@ win*)
 	if test "$APPVEYOR" != "True"; then
 		TARGET=
 	else
-		case "$IMG" in
-		2015|2017)
-			# old OpenSSL versions don't provide HKDF
-			CONFIG="$CONFIG --enable-kdf"
-			;;
-		esac
 		CONFIG="$CONFIG --enable-openssl"
 		CFLAGS="$CFLAGS -I$OPENSSL_DIR/include"
+		LDFLAGS="-L$OPENSSL_DIR/lib"
+		case "$IMG" in
+		2015)
+			# gcc/ld might be too old to find libeay32 via .lib instead of .dll
 			LDFLAGS="-L$OPENSSL_DIR"
+			;;
+		esac
 		export LDFLAGS
-
 	fi
 	CFLAGS="$CFLAGS -mno-ms-bitfields"
 	DEPS="gcc-mingw-w64-base"
@@ -273,9 +377,8 @@ win*)
 	esac
 	;;
 android)
-	if test "$1" = "deps"; then
-		git clone git://git.strongswan.org/android-ndk-boringssl.git -b ndk-static \
-			src/frontends/android/app/src/main/jni/openssl
+	if test "$1" = "build-deps"; then
+		build_openssl
 	fi
 	TARGET=distdir
 	;;
@@ -285,19 +388,19 @@ macos)
 	# use the same options as in the Homebrew Formula
 	CONFIG="--disable-defaults --enable-charon --enable-cmd --enable-constraints
 			--enable-curl --enable-eap-gtc --enable-eap-identity
-			--enable-eap-md5 --enable-eap-mschapv2 --enable-farp --enable-ikev1
-			--enable-ikev2 --enable-kernel-libipsec --enable-kernel-pfkey
+			--enable-eap-md5 --enable-eap-mschapv2 --enable-eap-peap
+			--enable-dhcp --enable-farp --enable-ikev1 --enable-ikev2
+			--enable-kernel-libipsec --enable-kernel-pfkey
 			--enable-kernel-pfroute --enable-nonce --enable-openssl
 			--enable-osx-attr --enable-pem --enable-pgp --enable-pkcs1
-			--enable-pkcs8 --enable-pki --enable-pubkey --enable-revocation
-			--enable-scepclient --enable-socket-default --enable-sshkey
+			--enable-pkcs8 --enable-pkcs11 --enable-pki --enable-pubkey
+			--enable-revocation --enable-socket-default --enable-sshkey
 			--enable-stroke --enable-swanctl --enable-unity --enable-updown
-			--enable-x509 --enable-xauth-generic"
-	DEPS="automake autoconf libtool bison gettext openssl@1.1 curl"
+			--enable-x509 --enable-xauth-generic --enable-drbg"
+	DEPS="automake autoconf libtool bison gperf pkgconf openssl@3 curl"
 	BREW_PREFIX=$(brew --prefix)
 	export PATH=$BREW_PREFIX/opt/bison/bin:$PATH
-	export ACLOCAL_PATH=$BREW_PREFIX/opt/gettext/share/aclocal:$ACLOCAL_PATH
-	for pkg in openssl@1.1 curl
+	for pkg in openssl@3 curl
 	do
 		PKG_CONFIG_PATH=$BREW_PREFIX/opt/$pkg/lib/pkgconfig:$PKG_CONFIG_PATH
 		CPPFLAGS="-I$BREW_PREFIX/opt/$pkg/include $CPPFLAGS"
@@ -324,9 +427,7 @@ freebsd)
 			--enable-unbound --enable-unity --enable-xauth-eap --enable-xauth-pam
 			--with-printf-hooks=builtin --enable-attr-sql --enable-sql
 			--enable-farp"
-	DEPS="git gmp openldap24-client libxml2 mysql80-client sqlite3 unbound ldns tpm2-tss"
-	export GPERF=/usr/local/bin/gperf
-	export LEX=/usr/local/bin/flex
+	DEPS="git gmp libxml2 mysql80-client sqlite3 unbound ldns tpm2-tss"
 	;;
 fuzzing)
 	CFLAGS="$CFLAGS -DNO_CHECK_MEMWIPE"
@@ -350,14 +451,13 @@ fuzzing)
 			symbolize=1:handle_segv=1:fast_unwind_on_fatal=0:external_symbolizer_path=/usr/bin/llvm-symbolizer-3.5
 	fi
 	;;
-nm|nm-no-glib)
+nm)
 	DEPS="gnome-common libsecret-1-dev libgtk-3-dev libnm-dev libnma-dev"
-	if test "$TEST" = "nm"; then
-		DEPS="$DEPS libnm-glib-vpn-dev libnm-gtk-dev"
-	else
-		CONFIG="$CONFIG --without-libnm-glib"
+	ORIG_SRC_DIR="$SRC_DIR"
+	SRC_DIR="$ORIG_SRC_DIR/src/frontends/gnome"
+	if [ "$ORIG_SRC_DIR" = "$BUILD_DIR" ]; then
+		BUILD_DIR="$SRC_DIR"
 	fi
-	cd src/frontends/gnome
 	# don't run ./configure with ./autogen.sh
 	export NOCONFIGURE=1
 	;;
@@ -369,68 +469,6 @@ apidoc)
 	CONFIG="--disable-defaults"
 	TARGET=apidoc
 	;;
-lgtm)
-	if [ -z "$LGTM_PROJECT" -o -z "$LGTM_TOKEN" ]; then
-		echo "The LGTM_PROJECT and LGTM_TOKEN environment variables" \
-			 "are required to run this test"
-		exit 0
-	fi
-	DEPS="jq"
-	if test -z "$1"; then
-		base=$COMMIT_BASE
-		# after rebases or for new/duplicate branches, the passed base commit
-		# ID might not be valid
-		git rev-parse -q --verify $base^{commit}
-		if [ $? != 0 ]; then
-			# this will always compare against master, while via base we
-			# otherwise only contains "new" commits
-			base=$(git merge-base origin/master ${COMMIT_ID})
-		fi
-		base=$(git rev-parse $base)
-
-		echo "Starting code review for $COMMIT_ID (base $base) on lgtm.com"
-		git diff --binary $base > lgtm.patch || exit $?
-		curl -s -X POST --data-binary @lgtm.patch \
-			"https://lgtm.com/api/v1.0/codereviews/${LGTM_PROJECT}?base=${base}&external-id=${BUILD_NUMBER}" \
-			-H 'Content-Type: application/octet-stream' \
-			-H 'Accept: application/json' \
-			-H "Authorization: Bearer ${LGTM_TOKEN}" > lgtm.res || exit $?
-		lgtm_check_url=$(jq -r '."task-result-url"' lgtm.res)
-		if [ -z "$lgtm_check_url" -o "$lgtm_check_url" = "null" ]; then
-			cat lgtm.res
-			exit 1
-		fi
-		lgtm_url=$(jq -r '."task-result"."results-url"' lgtm.res)
-		echo "Progress and full results: ${lgtm_url}"
-
-		echo -n "Waiting for completion: "
-		lgtm_status=pending
-		while [ "$lgtm_status" = "pending" ]; do
-			sleep 15
-			curl -s -X GET "${lgtm_check_url}" \
-				-H 'Accept: application/json' \
-				-H "Authorization: Bearer ${LGTM_TOKEN}" > lgtm.res
-			if [ $? != 0 ]; then
-				echo -n "-"
-				continue
-			fi
-			echo -n "."
-			lgtm_status=$(jq -r '.status' lgtm.res)
-		done
-		echo ""
-
-		if [ "$lgtm_status" != "success" ]; then
-			lgtm_message=$(jq -r '.["status-message"]' lgtm.res)
-			echo "Code review failed: ${lgtm_message}"
-			exit 1
-		fi
-		lgtm_new=$(jq -r '.languages[].new' lgtm.res | awk '{t+=$1} END {print t}')
-		lgtm_fixed=$(jq -r '.languages[].fixed' lgtm.res | awk '{t+=$1} END {print t}')
-		echo -n "Code review complete: "
-		printf "%b\n" "\e[1;31m${lgtm_new}\e[0m new alerts, \e[1;32m${lgtm_fixed}\e[0m fixed"
-		exit $lgtm_new
-	fi
-	;;
 *)
 	echo "$0: unknown test $TEST" >&2
 	exit 1
@@ -441,8 +479,12 @@ case "$1" in
 deps)
 	case "$OS_NAME" in
 	linux)
-		sudo apt-get update -qq && \
-		sudo apt-get install -qq bison flex gperf gettext $DEPS
+		sudo apt-get update -y && \
+		sudo apt-get install -y automake autoconf libtool pkgconf bison flex gperf $DEPS
+		;;
+	alpine)
+		apk add --no-cache build-base automake autoconf libtool pkgconfig && \
+		apk add --no-cache bison flex gperf tzdata $DEPS
 		;;
 	macos)
 		brew update && \
@@ -450,15 +492,11 @@ deps)
 		;;
 	freebsd)
 		pkg install -y automake autoconf libtool pkgconf && \
-		pkg install -y bison flex gperf gettext $DEPS
+		pkg install -y bison flex gperf $DEPS
 		;;
 	esac
 	exit $?
 	;;
-pydeps)
-	test -z "$PYDEPS" || pip3 -q install --user $PYDEPS
-	exit $?
-	;;
 build-deps)
 	exit
 	;;
@@ -473,10 +511,29 @@ CONFIG="$CONFIG
 	--enable-monolithic=${MONOLITHIC-no}
 	--enable-leak-detective=${LEAK_DETECTIVE-no}"
 
+case "$TEST" in
+	alpine|codeql|coverage|freebsd|fuzzing|sonarcloud|win*)
+		# don't use AddressSanitizer if it's not available or causes conflicts
+		CONFIG="$CONFIG --disable-asan"
+		;;
+	*)
+		if [ "$LEAK_DETECTIVE" != "yes" ]; then
+			CONFIG="$CONFIG --enable-asan"
+		else
+			CONFIG="$CONFIG --disable-asan"
+		fi
+		;;
+esac
+
+cd $SRC_DIR
+if [ ! -f ./configure ]; then
 	echo "$ ./autogen.sh"
 	./autogen.sh || exit $?
+fi
+
+cd $BUILD_DIR
 echo "$ CC=$CC CFLAGS=\"$CFLAGS\" ./configure $CONFIG"
-CC="$CC" CFLAGS="$CFLAGS" ./configure $CONFIG || exit $?
+CC="$CC" CFLAGS="$CFLAGS" $SRC_DIR/configure $CONFIG || exit $?
 
 case "$TEST" in
 apidoc)
@@ -491,10 +548,10 @@ case "$TEST" in
 sonarcloud)
 	# without target, coverage is currently not supported anyway because
 	# sonarqube only supports gcov, not lcov
-	build-wrapper-linux-x86-64 --out-dir bw-output make -j4 || exit $?
+	build-wrapper-linux-x86-64 --out-dir $BUILD_WRAPPER_OUT_DIR make -j$(nproc) || exit $?
 	;;
 *)
-	make -j4 $TARGET || exit $?
+	make -j$(nproc) $TARGET || exit $?
 	;;
 esac
 
@@ -506,30 +563,17 @@ apidoc)
 	fi
 	rm make.warnings
 	;;
-sonarcloud)
-	sonar-scanner \
-		-Dsonar.host.url=https://sonarcloud.io \
-		-Dsonar.projectKey=${SONAR_PROJECT} \
-		-Dsonar.organization=${SONAR_ORGANIZATION} \
-		-Dsonar.login=${SONAR_TOKEN} \
-		-Dsonar.projectVersion=$(git describe --exclude 'android-*')+${BUILD_NUMBER} \
-		-Dsonar.sources=. \
-		-Dsonar.cfamily.threads=2 \
-		-Dsonar.cfamily.cache.enabled=true \
-		-Dsonar.cfamily.cache.path=$HOME/.sonar-cache \
-		-Dsonar.cfamily.build-wrapper-output=bw-output || exit $?
-	rm -r bw-output .scannerwork
-	;;
 android)
 	rm -r strongswan-*
-	cd src/frontends/android
+	cd $SRC_DIR/src/frontends/android
 	echo "$ ./gradlew build"
-	NDK_CCACHE=ccache ./gradlew build || exit $?
+	NDK_CCACHE=ccache ./gradlew build --info || exit $?
 	;;
 *)
 	;;
 esac
 
+cd $SRC_DIR
 # ensure there are no unignored build artifacts (or other changes) in the Git repo
 unclean="$(git status --porcelain)"
 if test -n "$unclean"; then

sonar-project.properties

@@ -1,3 +1,5 @@
+sonar.sources=.
+
 # exclude these files completely
 sonar.exclusions=\
 	src/manager/templates/static/jquery.js, \
@@ -29,14 +31,25 @@ sonar.issue.ignore.allfile.a2.fileRegexp=made by GNU Bison
 sonar.issue.ignore.allfile.a3.fileRegexp=produced by gperf
 
 # ignore some rules
-sonar.issue.ignore.multicriteria=m1,m2,m3,m4,m5
-sonar.issue.ignore.multicriteria.m1.ruleKey=c:SingleDeclarationPerStatement
+sonar.issue.ignore.multicriteria=m1,m2,m3,m4,m5,m6,m7
+# Multiple variables should not be declared on the same line
+sonar.issue.ignore.multicriteria.m1.ruleKey=c:S1659
 sonar.issue.ignore.multicriteria.m1.resourceKey=**/*
-sonar.issue.ignore.multicriteria.m2.ruleKey=c:FunctionEllipsis
+# Functions should not be defined with a variable number of arguments
+sonar.issue.ignore.multicriteria.m2.ruleKey=c:S923
 sonar.issue.ignore.multicriteria.m2.resourceKey=**/*
+# Function names should be used either as a call with a parameter list or with the "&" operator
 sonar.issue.ignore.multicriteria.m3.ruleKey=c:S936
 sonar.issue.ignore.multicriteria.m3.resourceKey=**/*
+# Unused function parameters should be removed
 sonar.issue.ignore.multicriteria.m4.ruleKey=c:S1172
 sonar.issue.ignore.multicriteria.m4.resourceKey=**/*
+# Single line comments should start with "--"
 sonar.issue.ignore.multicriteria.m5.ruleKey=plsql:SingleLineCommentsSyntaxCheck
 sonar.issue.ignore.multicriteria.m5.resourceKey=**/*
+# User-defined types should not be passed as variadic arguments
+sonar.issue.ignore.multicriteria.m6.ruleKey=c:S5270
+sonar.issue.ignore.multicriteria.m6.resourceKey=**/*
+# Loop variables should be declared in the minimal possible scope
+sonar.issue.ignore.multicriteria.m7.ruleKey=c:S5955
+sonar.issue.ignore.multicriteria.m7.resourceKey=**/*

src/Makefile.am

@@ -75,10 +75,6 @@ if USE_UPDOWN
   SUBDIRS += _updown
 endif
 
-if USE_SCEPCLIENT
-  SUBDIRS += scepclient
-endif
-
 if USE_PKI
   SUBDIRS += pki
 endif
@@ -146,3 +142,7 @@ endif
 if USE_LIBTPMTSS
   SUBDIRS += tpm_extendpcr
 endif
+
+if USE_CERT_ENROLL
+  SUBDIRS += cert-enroll
+endif

src/cert-enroll/.gitignore

@@ -0,0 +1,5 @@
+cert-enroll
+cert-enroll.8
+cert-enroll.service
+cert-install-swanctl
+cert-install-ipsec

src/cert-enroll/Makefile.am

@@ -0,0 +1,61 @@
+REPLACE_TARGETS = \
+	cert-enroll \
+	cert-install-swanctl \
+	cert-install-ipsec \
+	cert-enroll.service
+
+$(REPLACE_TARGETS) : Makefile
+	$(AM_V_GEN) \
+	sed \
+	-e "s:@SYSCONFDIR@:$(sysconfdir):" \
+	-e "s:@SBINDIR@:$(sbindir):" \
+	-e "s:@BINDIR@:$(bindir):" \
+	-e "s:@IPSEC_SCRIPT@:$(ipsec_script):" \
+	$(srcdir)/$@.in > $@
+
+sbin_SCRIPTS = cert-enroll
+
+cert-enroll : cert-enroll.in
+
+cert_enrolldir = $(sysconfdir)/cert-enroll.d
+cert_enroll_DATA = cert-enroll.conf
+
+install-data-local:
+	test -e "$(DESTDIR)$(cert_enrolldir)/cert-install.d" || \
+	$(INSTALL) -d "$(DESTDIR)$(cert_enrolldir)/cert-install.d" || true
+
+cert_install_availabledir = $(sysconfdir)/cert-enroll.d/cert-install-available
+cert_install_available_DATA = \
+	cert-install-ssl \
+	cert-install-sssd \
+	cert-install-ldaputils \
+	cert-install-cockpit \
+	cert-install-dirsrv \
+	cert-install-lighttpd \
+	cert-install-openxpki \
+	cert-install-gitea \
+	cert-install-ipsec \
+	cert-install-swanctl
+
+cert-install-swanctl : cert-install-swanctl.in
+
+cert-install-ipsec : cert-install-ipsec.in
+
+EXTRA_DIST = \
+	cert-enroll.conf cert-enroll.in cert-enroll.service.in cert-enroll.timer \
+	cert-install-cockpit cert-install-dirsrv cert-install-gitea \
+	cert-install-ipsec.in cert-install-ldaputils cert-install-lighttpd \
+	cert-install-openxpki cert-install-ssl cert-install-sssd \
+	cert-install-swanctl.in
+
+man8_MANS = cert-enroll.8
+
+CLEANFILES = cert-enroll cert-install-swanctl cert-install-ipsec
+
+if USE_CERT_ENROLL_TIMER
+systemdsystemunit_DATA = cert-enroll.service cert-enroll.timer
+
+cert-enroll.service : cert-enroll.service.in
+
+CLEANFILES += cert-enroll.service
+endif