7 months agogenerator: Don't print any tainted values in DBG3 messages for U_INT_4
Tobias Brunner [Mon, 18 Mar 2019 12:58:52 +0000 (13:58 +0100)]
generator: Don't print any tainted values in DBG3 messages for U_INT_4

The bits not written to are marked tainted by valgrind, don't print
them in the debug messages.  Also use more specific printf-specifiers
for other values.

7 months agotrap-manager: Wait for install to finish before uninstalling
Sheena Mira-ato [Wed, 20 Mar 2019 23:30:56 +0000 (12:30 +1300)]
trap-manager: Wait for install to finish before uninstalling

There was a race condition between install() and uninstall()
where one thread was in the process of installing a trap
entry, and had destroyed the child_sa, while the other
thread was uninstalling the same trap entry and ended up
trying to destroy the already destroyed child_sa, resulting
in a segmentation fault in the destroy_entry() function.

The uninstall() function needs to wait until all the threads
are done with the installing before proceeding to uninstall
a trap entry.

Closes strongswan/strongswan#131.

8 months agosql: Handle %any better when looking up shared secrets
Tobias Brunner [Mon, 25 Feb 2019 09:30:59 +0000 (10:30 +0100)]
sql: Handle %any better when looking up shared secrets

This can be the case for IKEv1 since 419ae9a20a0b ("ikev1: Default remote
identity to %any for PSK lookup if not configured").

Closes strongswan/strongswan#128.

8 months agoMerge branch 'nm-ipv6'
Tobias Brunner [Thu, 14 Mar 2019 12:46:33 +0000 (13:46 +0100)]
Merge branch 'nm-ipv6'

Adds support for IPv6 to the NetworkManager backend and plugin.

Fixes #1143, #2586.

8 months agonm: Remove deprecated variables from
Tobias Brunner [Fri, 25 Jan 2019 10:19:40 +0000 (11:19 +0100)]
nm: Remove deprecated variables from

8 months agocharon-nm: Add IPv6 support
Tobias Brunner [Fri, 25 Jan 2019 09:56:19 +0000 (10:56 +0100)]
charon-nm: Add IPv6 support

8 months agocharon-nm: Handle IPv6 DNS server attributes
Tobias Brunner [Tue, 27 Sep 2016 09:48:07 +0000 (11:48 +0200)]
charon-nm: Handle IPv6 DNS server attributes

8 months agocharon-nm: Set local address to %any so IPv6 may be used as outer address
Tobias Brunner [Tue, 27 Sep 2016 08:12:53 +0000 (10:12 +0200)]
charon-nm: Set local address to %any so IPv6 may be used as outer address

8 months agocharon-nm: Request virtual IPv6 address and appropriate TS
Tobias Brunner [Wed, 6 Nov 2013 10:36:31 +0000 (11:36 +0100)]
charon-nm: Request virtual IPv6 address and appropriate TS

8 months agonm: Enable IPv6 tab in NM connection dialog
Tobias Brunner [Wed, 6 Nov 2013 10:32:25 +0000 (11:32 +0100)]
nm: Enable IPv6 tab in NM connection dialog

8 months agoforecast: Only reinject packets that are marked or from the configured interface
Tobias Brunner [Tue, 5 Feb 2019 16:21:21 +0000 (17:21 +0100)]
forecast: Only reinject packets that are marked or from the configured interface

This seems to avoid broadcast loops (i.e. processing and reinjecting the
same broadcast packet over and over again) as the packets we send via
AF_PACKET socket are neither marked nor from that interface.

8 months agokernel-netlink: Use address labels instead of deprecation for IPv6 virtual IPs
Tobias Brunner [Tue, 3 Apr 2018 13:01:20 +0000 (15:01 +0200)]
kernel-netlink: Use address labels instead of deprecation for IPv6 virtual IPs

In order to avoid that the kernel uses virtual tunnel IPs for traffic
over physical interfaces we previously deprecated the virtual IP.  While
this is working it is not ideal.  This patch adds address labels for
virtual IPs, which should force the kernel to avoid such addresses to
reach any destination unless there is an explicit route that uses it as
source address.

8 months agoMerge branch 'android-updates'
Tobias Brunner [Thu, 14 Mar 2019 09:56:07 +0000 (10:56 +0100)]
Merge branch 'android-updates'

Adds a copy function for VPN profiles and an option to set custom DNS

8 months agotesting: Prolonged Duck end entity certificate
Andreas Steffen [Wed, 13 Mar 2019 17:37:20 +0000 (18:37 +0100)]
testing: Prolonged Duck end entity certificate

8 months agoVersion bump to 5.8.0dr1
Andreas Steffen [Wed, 13 Mar 2019 17:36:45 +0000 (18:36 +0100)]
Version bump to 5.8.0dr1

8 months agochild-create: Add missing space in DH retry log message
Tobias Brunner [Wed, 13 Mar 2019 09:30:49 +0000 (10:30 +0100)]
child-create: Add missing space in DH retry log message

8 months agoandroid: New release after adding copy function and DNS server config
Tobias Brunner [Fri, 8 Mar 2019 16:08:11 +0000 (17:08 +0100)]
android: New release after adding copy function and DNS server config

8 months agoMerge branch 'openssl-chapoly'
Tobias Brunner [Fri, 8 Mar 2019 14:56:01 +0000 (15:56 +0100)]
Merge branch 'openssl-chapoly'

Adds support for ChaCha20-Poly1305 via OpenSSL.

Fixes #2946.

8 months agoopenssl: Add support for ChaCha20-Poly1305
Tobias Brunner [Mon, 4 Mar 2019 16:55:41 +0000 (17:55 +0100)]
openssl: Add support for ChaCha20-Poly1305

It's available since OpenSSL 1.1.0.

8 months agoopenssl: Generalize the GCM implementation a bit
Tobias Brunner [Mon, 4 Mar 2019 16:31:28 +0000 (17:31 +0100)]
openssl: Generalize the GCM implementation a bit

This will allow us to use the implementation also for other algorithms.

8 months agoMerge branch 'ikev1-redundant-updown'
Tobias Brunner [Fri, 8 Mar 2019 14:50:14 +0000 (15:50 +0100)]
Merge branch 'ikev1-redundant-updown'

Avoids calling updown script for redundant CHILD_SAs after IKEv1 rekey

Fixes #2902.

8 months agoikev1: Don't trigger updown event and close action for redundant CHILD_SAs
Tobias Brunner [Fri, 1 Feb 2019 11:05:55 +0000 (12:05 +0100)]
ikev1: Don't trigger updown event and close action for redundant CHILD_SAs

8 months agotask-manager-v1: Add utility function to check if CHILD_SA is redundant
Tobias Brunner [Fri, 1 Feb 2019 10:53:48 +0000 (11:53 +0100)]
task-manager-v1: Add utility function to check if CHILD_SA is redundant

8 months agovici: Correctly parse inactivity timeout as uint32_t
Tobias Brunner [Wed, 6 Mar 2019 17:39:28 +0000 (18:39 +0100)]
vici: Correctly parse inactivity timeout as uint32_t

Using parse_time() directly actually overwrites the next member in the
child_cfg_create_t struct, which is start_action, which can cause
incorrect configs if inactivity is parsed after start_action.

Fixes #2954.

8 months agoswanctl: Fix documentation of default value of hostaccess
Tobias Brunner [Thu, 7 Mar 2019 17:49:29 +0000 (18:49 +0100)]
swanctl: Fix documentation of default value of hostaccess

8 months agoandroid: Use helper to parse IP addresses where appropriate
Tobias Brunner [Tue, 5 Mar 2019 18:02:05 +0000 (19:02 +0100)]
android: Use helper to parse IP addresses where appropriate

8 months agoandroid: Add helper to parse IP addresses from strings
Tobias Brunner [Tue, 5 Mar 2019 17:47:33 +0000 (18:47 +0100)]
android: Add helper to parse IP addresses from strings

Using InetAddress.fromName() is not ideal as it might result in a DNS
resolution, which causes an exception if we do it from the main thread.

8 months agoandroid: Make DNS servers configurable in the GUI
Tobias Brunner [Tue, 5 Mar 2019 16:53:57 +0000 (17:53 +0100)]
android: Make DNS servers configurable in the GUI

8 months agoandroid: Import DNS servers
Tobias Brunner [Tue, 5 Mar 2019 16:44:48 +0000 (17:44 +0100)]
android: Import DNS servers

8 months agoandroid: Use configured custom DNS servers
Tobias Brunner [Tue, 5 Mar 2019 16:26:26 +0000 (17:26 +0100)]
android: Use configured custom DNS servers

8 months agoandroid: Add properties for DNS servers
Tobias Brunner [Tue, 5 Mar 2019 15:51:21 +0000 (16:51 +0100)]
android: Add properties for DNS servers

8 months agoandroid: Add menu option to copy a profile
Tobias Brunner [Tue, 5 Mar 2019 15:40:20 +0000 (16:40 +0100)]
android: Add menu option to copy a profile

Some users requests something like that to use different server IPs.
Interestingly, it's actually also possible to configure multiple
hostnames/IPs, separated by commas, as server address in the profile, which
are then tried one after another.

It's also useful when testing stuff to quickly compare the behavior with
some setting changed between two otherwise identical profiles.

8 months agoandroid: Remove buildToolsVersion
Tobias Brunner [Mon, 4 Mar 2019 16:34:30 +0000 (17:34 +0100)]
android: Remove buildToolsVersion

Finally a default is configured and we don't have to update this

8 months agoandroid: Update Gradle plugin
Tobias Brunner [Mon, 4 Mar 2019 16:34:12 +0000 (17:34 +0100)]
android: Update Gradle plugin

8 months agochild-sa: Remove temporary DROP policy using same parameters as when added
Carl Smith [Mon, 4 Mar 2019 01:43:00 +0000 (14:43 +1300)]
child-sa: Remove temporary DROP policy using same parameters as when added

A temporary DROP policy is added to avoid traffic leak
while the SA is being updated. It is added with
manual_prio set but when the temporary policy is removed
it is removed with manual_prio parameter set to 0.
The call to del_policies_outbound does not match the original
policy and we end up with an ever increasing refcount.

If we try to manually remove the policy, it is not removed
due to the positive refcount. Then new SA requests fail with
"unable to install policy out for reqid 1618,
the same policy for reqid 1528 exists"

Fixes: 35ef1b032d24 ("child-sa: Install drop policies while updating IPsec SAs and policies")
Closes strongswan/strongswan#129.

8 months agoload-tester: Update expired CA certificate
Tobias Brunner [Fri, 8 Feb 2019 08:58:03 +0000 (09:58 +0100)]
load-tester: Update expired CA certificate

Closes strongswan/strongswan#126.

8 months agotravis: OpenSSL version bump
Tobias Brunner [Tue, 26 Feb 2019 15:03:28 +0000 (16:03 +0100)]
travis: OpenSSL version bump

8 months agoagent: Don't keep socket to ssh/gpg-agent open
Tobias Brunner [Fri, 1 Feb 2019 08:48:43 +0000 (09:48 +0100)]
agent: Don't keep socket to ssh/gpg-agent open

Instead, create a socket when necessary.  Apparently, it can prevent
the agent from getting terminated (e.g. during system shutdown) if e.g.
charon-nm is still running with an open connection to the agent.

8 months agovici: Fix wrong argument order for terminate_ike() in clear_start_action()
Shmulik Ladkani [Tue, 19 Feb 2019 11:31:11 +0000 (13:31 +0200)]
vici: Fix wrong argument order for terminate_ike() in clear_start_action()

In 7b7290977 ("controller: Add option to force destruction of an IKE_SA")
the 'force' option was added as 3rd parameter to controller_t::terminate_ike.

However in vici's 'clear_start_action', the argument was incorrectly
placed as the 2nd parameter - constantly sending 0 (FALSE) as the
'unique_id' to terminate, rendering calls to 'handle_start_actions'
having undo=TRUE being unable to terminate the relevant conn.

For example, this is log of such a bogus 'unload-conn':

  strongswan[498]: 13[CFG] vici client 96 requests: unload-conn
  strongswan[498]: 13[CFG] closing IKE_SA #9
  strongswan[498]: 13[IKE] unable to terminate IKE_SA: ID 0 not found
  strongswan[498]: 09[CFG] vici client 96 disconnected

here, the unloaded conn's IKE id was 9, alas 'terminate_ike_execute'
reports failure to terminate "ID 0".

Fix by passing 'id, FALSE' arguments in the correct order.

Fixes: 7b7290977 ("controller: Add option to force destruction of an IKE_SA")
Signed-off-by: Shmulik Ladkani <>
Closes strongswan/strongswan#127.

9 months agolibimcv: Add Debian 9.7 to IMV database
Tobias Brunner [Wed, 30 Jan 2019 11:26:19 +0000 (12:26 +0100)]
libimcv: Add Debian 9.7 to IMV database

9 months agokernel-netlink: Fix compilation on old kernels (< 2.6.39)
Tobias Brunner [Fri, 18 Jan 2019 10:00:14 +0000 (11:00 +0100)]
kernel-netlink: Fix compilation on old kernels (< 2.6.39)

9 months agolibtpmtss: Read RSA public key exponent instead of assuming its value
krinfels [Sun, 20 Jan 2019 13:39:08 +0000 (14:39 +0100)]
libtpmtss: Read RSA public key exponent instead of assuming its value

Up to now it was assumed that the RSA public key exponent is equal to 2^16+1.
Although this is probably true in most if not all cases, it is not correct
according to the TPM 2.0 specification.

This patch fixes that by reading the exponent from the structure returned
by TPM2_ReadPublic.

Closes strongswan/strongswan#121.

9 months agounit-tests: Verify that E and emailAddress result in the same ID
Tobias Brunner [Fri, 18 Jan 2019 10:15:16 +0000 (11:15 +0100)]
unit-tests: Verify that E and emailAddress result in the same ID

9 months agoUse Botan 2.9.0 for tests
Tobias Brunner [Wed, 16 Jan 2019 16:11:46 +0000 (17:11 +0100)]
Use Botan 2.9.0 for tests

10 months agoVersion bump to 5.7.2 5.7.2
Andreas Steffen [Thu, 27 Dec 2018 11:11:49 +0000 (12:11 +0100)]
Version bump to 5.7.2

10 months agoUse https:// for URLs in documents
Tobias Brunner [Thu, 20 Dec 2018 15:06:00 +0000 (16:06 +0100)]
Use https:// for URLs in documents

Also adds contribution guidelines (for Github) with links to the wiki.

10 months agoVersion bump to 5.7.2rc1 5.7.2rc1
Andreas Steffen [Wed, 19 Dec 2018 12:21:48 +0000 (13:21 +0100)]
Version bump to 5.7.2rc1

10 months agoNEWS: More news for 5.7.2
Tobias Brunner [Tue, 18 Dec 2018 13:48:18 +0000 (14:48 +0100)]
NEWS: More news for 5.7.2

10 months agoFixed some typos, courtesy of codespell
Tobias Brunner [Tue, 18 Dec 2018 10:14:19 +0000 (11:14 +0100)]
Fixed some typos, courtesy of codespell

10 months agoMerge branch 'radius-accounting-unclaimed'
Tobias Brunner [Tue, 18 Dec 2018 09:34:17 +0000 (10:34 +0100)]
Merge branch 'radius-accounting-unclaimed'

Adds all IPs to RADIUS Accounting-Stop messages even those not claimed by
a client.  For instance, if the connection fails with FAILED_CP_REQUIRED,
adding the unclaimed addresses allows the RADIUS server to release the
leases early.

Fixes #2856.

10 months agoeap-radius: Don't clear unclaimed IPs early if accounting is enabled
Tobias Brunner [Tue, 11 Dec 2018 10:46:18 +0000 (11:46 +0100)]
eap-radius: Don't clear unclaimed IPs early if accounting is enabled

10 months agoeap-radius: Add unclaimed IPs to Accounting-Stop messages
Tobias Brunner [Tue, 11 Dec 2018 10:07:05 +0000 (11:07 +0100)]
eap-radius: Add unclaimed IPs to Accounting-Stop messages

Some RADIUS servers may use these to release them early.

10 months agoeap-radius: Add method to explicitly clear unclaimed IPs
Tobias Brunner [Tue, 11 Dec 2018 10:00:59 +0000 (11:00 +0100)]
eap-radius: Add method to explicitly clear unclaimed IPs

Instead of just enumerating them, removing and then destroying the entry
avoids having to keep the mutex locked.

10 months agoeap-radius: Add RADIUS Accounting session ID to Access-Request messages
Tobias Brunner [Fri, 14 Dec 2018 08:26:51 +0000 (09:26 +0100)]
eap-radius: Add RADIUS Accounting session ID to Access-Request messages

This allows e.g. associating database entries for IP leases and
accounting directly from the start.

Fixes #2853.

11 months agoswanctl: Make credential directories relative to swanctl.conf
Tobias Brunner [Wed, 12 Dec 2018 10:30:09 +0000 (11:30 +0100)]
swanctl: Make credential directories relative to swanctl.conf

All directories are now considered relative to the loaded swanctl.conf
file, in particular, when loading it from a custom location via --file
argument.  The base directory, which is used if no custom location for
swanctl.conf is specified, is now also configurable at runtime via
SWANCTL_DIR environment variable.

Closes strongswan/strongswan#120.

11 months agoopenssl: Make sure to release the functional ENGINE reference
Tobias Brunner [Tue, 11 Dec 2018 13:53:23 +0000 (14:53 +0100)]
openssl: Make sure to release the functional ENGINE reference

The functional reference created by ENGINE_init() was never released,
only the structural one created by ENGINE_by_id().  The functional
reference includes an implicit structural reference, which is also
released by ENGINE_finish().

Closes strongswan/strongswan#119.

11 months agoVersion bump to 5.7.2dr4 5.7.2dr4
Andreas Steffen [Sun, 9 Dec 2018 18:53:31 +0000 (19:53 +0100)]
Version bump to 5.7.2dr4

11 months agolibimcv: Updated openssl version in IMV database
Andreas Steffen [Sun, 9 Dec 2018 18:53:05 +0000 (19:53 +0100)]
libimcv: Updated openssl version in IMV database

11 months agotesting: Migrated ikev2 scenarios to swanctl
Andreas Steffen [Thu, 15 Nov 2018 15:05:56 +0000 (16:05 +0100)]
testing: Migrated ikev2 scenarios to swanctl

11 months agoMerge branch 'ikev1-adopt-child-tasks'
Tobias Brunner [Fri, 7 Dec 2018 09:38:32 +0000 (10:38 +0100)]
Merge branch 'ikev1-adopt-child-tasks'

Makes sure to adopt active and queued Quick Mode tasks if the peer
reauthenticates the IKE_SA while creating lots of CHILD_SAs.

Closes strongswan/strongswan#117.

11 months agoike: Implement adopt_child_tasks() outside task managers
Tobias Brunner [Wed, 28 Nov 2018 14:21:44 +0000 (15:21 +0100)]
ike: Implement adopt_child_tasks() outside task managers

11 months agoadopt-children-job: Adopt child-creating tasks from the old IKE_SA
Tobias Brunner [Wed, 28 Nov 2018 14:09:55 +0000 (15:09 +0100)]
adopt-children-job: Adopt child-creating tasks from the old IKE_SA

11 months agoike-sa: Expose task_manager_t::remove_task()
Tobias Brunner [Wed, 28 Nov 2018 13:54:31 +0000 (14:54 +0100)]
ike-sa: Expose task_manager_t::remove_task()

11 months agotask-manager: Add method to remove a task from a queue
Tobias Brunner [Wed, 28 Nov 2018 13:50:09 +0000 (14:50 +0100)]
task-manager: Add method to remove a task from a queue

11 months agoike-sa-manager: Migrate child creating tasks during IKEv1 reauth
Tobias Brunner [Tue, 20 Nov 2018 09:49:07 +0000 (10:49 +0100)]
ike-sa-manager: Migrate child creating tasks during IKEv1 reauth

11 months agoike-sa: Expose task_manager_t::adopt_child_tasks()
Tobias Brunner [Tue, 20 Nov 2018 09:48:01 +0000 (10:48 +0100)]
ike-sa: Expose task_manager_t::adopt_child_tasks()

11 months agocharon-cmd: Register atexit() handler for libcharon_deinit twice
Tobias Brunner [Thu, 6 Dec 2018 14:01:52 +0000 (15:01 +0100)]
charon-cmd: Register atexit() handler for libcharon_deinit twice

Similar to cbe9e575eef5, this avoids issues with libraries that are
pulled in via plugins and register their own atexit() handlers.

11 months agoikev2: Don't recreate IKE_SA if deletion fails after make-before-break reauth
Tobias Brunner [Wed, 5 Dec 2018 11:24:55 +0000 (12:24 +0100)]
ikev2: Don't recreate IKE_SA if deletion fails after make-before-break reauth

Fixes: 745714307256 ("During reauthentication reestablish IKE_SA even if deleting the old one fails.")
Fixes #2847.

11 months agoikev2: Ignore COOKIE notifies we already received
Tobias Brunner [Wed, 28 Nov 2018 14:52:27 +0000 (15:52 +0100)]
ikev2: Ignore COOKIE notifies we already received

This could be due to a delayed response to an IKE_SA_INIT retransmit.

Fixes #2837.

11 months agoha: Add auth method for HA IKEv1 key derivation
Thomas Egerer [Thu, 22 Nov 2018 17:08:51 +0000 (18:08 +0100)]
ha: Add auth method for HA IKEv1 key derivation

Signed-off-by: Thomas Egerer <>
11 months agoMerge branch 'ha-pool-offset'
Tobias Brunner [Fri, 7 Dec 2018 09:16:21 +0000 (10:16 +0100)]
Merge branch 'ha-pool-offset'

Ensure an even distribution of a pool's addresses among all segments.

Fixes #2828.

11 months agoha: Divide virtual IPs evenly among all segments
Tobias Brunner [Tue, 20 Nov 2018 15:40:21 +0000 (16:40 +0100)]
ha: Divide virtual IPs evenly among all segments

11 months agoha: Add getter for the number of segments
Tobias Brunner [Tue, 20 Nov 2018 15:39:04 +0000 (16:39 +0100)]
ha: Add getter for the number of segments

11 months agoha: Improve distribution of pool addresses over segments
Tobias Brunner [Tue, 20 Nov 2018 11:50:05 +0000 (12:50 +0100)]
ha: Improve distribution of pool addresses over segments

This is particularly important for higher number of segments, but even
with small numbers there is a significant difference.  For instance,
with 4 segments the fourth segment had no IPs assigned with the old
code, no matter how large the pool, because none of the eight bits used
for the segment check hashed/mapped to it.

11 months agokernel-pfkey: Read reqid directly from acquire if possible
Tobias Brunner [Mon, 22 Oct 2018 08:12:25 +0000 (10:12 +0200)]
kernel-pfkey: Read reqid directly from acquire if possible

Upcoming versions of FreeBSD will include an SADB_X_EXT_SA2 extension in
acquires that contains the reqid set on the matching policy.  This allows
handling acquires even when no policies are installed (e.g. to work with
FreeBSD's implementation of VTI interfaces, which manage policies

11 months agoikev2: Only set STAT_INBOUND for valid and expected messages
Tobias Brunner [Mon, 19 Nov 2018 09:18:27 +0000 (10:18 +0100)]
ikev2: Only set STAT_INBOUND for valid and expected messages

11 months agoscepclient: Don't use a block-scope buffer for the default DN
Tobias Brunner [Fri, 30 Nov 2018 09:28:50 +0000 (10:28 +0100)]
scepclient: Don't use a block-scope buffer for the default DN

The correct behavior will depend on the compiler.

Fixes #2843.

11 months agoMerge branch 'openssl-25519/448'
Tobias Brunner [Fri, 30 Nov 2018 15:45:47 +0000 (16:45 +0100)]
Merge branch 'openssl-25519/448'

Adds support for X25519/448 and Ed25519/448 via OpenSSL 1.1.1.

11 months agotravis: Don't run sonarcloud in forked repositories
Tobias Brunner [Fri, 23 Nov 2018 08:37:07 +0000 (09:37 +0100)]
travis: Don't run sonarcloud in forked repositories

11 months agotravis: Use the latest OpenSSL release for unit tests
Tobias Brunner [Thu, 22 Nov 2018 14:38:49 +0000 (15:38 +0100)]
travis: Use the latest OpenSSL release for unit tests

But also run the unit tests against the 1.0 version installed with
Ubuntu 16.04.

11 months agotravis: Only use GCC for crypto plugin tests
Tobias Brunner [Thu, 22 Nov 2018 17:30:46 +0000 (18:30 +0100)]
travis: Only use GCC for crypto plugin tests

They are already build-tested with Clang via "all" and others.

11 months agounit-tests: Add test suite for Ed448
Tobias Brunner [Fri, 16 Nov 2018 10:44:17 +0000 (11:44 +0100)]
unit-tests: Add test suite for Ed448

Same issue with signature malleability as with Ed25519 and apparently
OpenSSL doesn't even explicitly verify that the most significant 10 bits
are all zero.

11 months agounit-tests: Add fingerprint test vectors for Ed25519
Tobias Brunner [Fri, 30 Nov 2018 14:34:32 +0000 (15:34 +0100)]
unit-tests: Add fingerprint test vectors for Ed25519

11 months agocurve25519: Prevent Ed25519 signature malleability
Tobias Brunner [Fri, 16 Nov 2018 14:48:56 +0000 (15:48 +0100)]
curve25519: Prevent Ed25519 signature malleability

As per RFC 8032, section 5.1.7 (and section 8.4) we have to make sure s, which
is the scalar in the second half of the signature value, is smaller than L.
Without that check, L can be added to most signatures at least once to create
another valid signature for the same public key and message.

This could be problematic if, for instance, a blacklist is based on hashes
of certificates.  A new certificate could be created with a different
signature (without knowing the signature key) by simply adding L to s.

Currently, both OpenSSL 1.1.1 and Botan 2.8.0 are vulnerable to this, which is
why the unit test currently only warns about it.

11 months agoopenssl: Use separate DRBG for RNG_STRONG and RNG_TRUE with OpenSSL 1.1.1
Tobias Brunner [Fri, 16 Nov 2018 10:11:27 +0000 (11:11 +0100)]
openssl: Use separate DRBG for RNG_STRONG and RNG_TRUE with OpenSSL 1.1.1

OpenSSL 1.1.1 introduces DRGBs and provides two sources (same security
profile etc. but separate internal state), which allows us to use one for
RNG_WEAK (e.g. for nonces that are directly publicly visible) and the other
for stronger random data like keys.

11 months agoleak-detective: Whitelist functions added in OpenSSL 1.1.1
Tobias Brunner [Fri, 16 Nov 2018 09:57:50 +0000 (10:57 +0100)]
leak-detective: Whitelist functions added in OpenSSL 1.1.1

11 months agoopenssl: Add support for Ed25519/Ed448
Tobias Brunner [Thu, 15 Nov 2018 14:54:05 +0000 (15:54 +0100)]
openssl: Add support for Ed25519/Ed448

11 months agodh-speed: Add curve448 keyword
Tobias Brunner [Thu, 15 Nov 2018 10:25:06 +0000 (11:25 +0100)]
dh-speed: Add curve448 keyword

11 months agotest-vectors: Add vector for X448
Tobias Brunner [Thu, 15 Nov 2018 10:24:53 +0000 (11:24 +0100)]
test-vectors: Add vector for X448

11 months agoopenssl: Add support for X25519 and X448
Tobias Brunner [Thu, 15 Nov 2018 09:20:45 +0000 (10:20 +0100)]
openssl: Add support for X25519 and X448

While X25519 was already added with 1.1.0a, its use would be a lot more
complicated, as the helpers like EVP_PKEY_new_raw_public_key() were only
added in 1.1.1, which also added X448.

11 months agobypass-lan: Compare interface for unchanged policies
Tobias Brunner [Thu, 8 Nov 2018 11:02:04 +0000 (12:02 +0100)]
bypass-lan: Compare interface for unchanged policies

In case a subnet is moved from one interface to another the policies can
remain as is but the route has to change.  This currently doesn't happen
automatically and there is no option to update the policy or route so
removing and reinstalling the policies is the only option.

Fixes #2820.

11 months agochild-delete: Don't send delete for expired CHILD_SAs that were already rekeyed
Tobias Brunner [Tue, 6 Nov 2018 11:13:35 +0000 (12:13 +0100)]
child-delete: Don't send delete for expired CHILD_SAs that were already rekeyed

The peer might not have seen the CREATE_CHILD_SA response yet, receiving a
DELETE for the SA could then trigger it to abort the rekeying, causing
the deletion of the newly established SA (it can't know whether the
DELETE was sent due to an expire or because the user manually deleted
it).  We just treat this SA as if we received a DELETE for it.  This is
not an ideal situation anyway, as it causes some traffic to get dropped,
so it should usually be avoided by setting appropriate soft and hard limits.

References #2815.

11 months agokernel-netlink: Update SA selector if it contains changed IP address(es)
Tobias Brunner [Wed, 31 Oct 2018 14:43:46 +0000 (15:43 +0100)]
kernel-netlink: Update SA selector if it contains changed IP address(es)

11 months agoAvoid inclusion of unistd.h in generated lexers
Tobias Brunner [Mon, 22 Oct 2018 08:38:53 +0000 (10:38 +0200)]
Avoid inclusion of unistd.h in generated lexers

Because the file is not available on all platforms the inclusion comes
after the user options in order to disable including it.  But that means
the inclusion also follows after the defined scanner states, which are
generated as simple #defines to numbers.  If the included unistd.h e.g.
uses variables in function definitions with the same names this could
result in compilation errors.

Interactive mode has to be disabled too as it relies on isatty() from
unistd.h.  Since we don't use the scanners interactively, this is not a
problem and might even make the scanners a bit faster.

Fixes #2806.

11 months agoMerge branch 'travis-xenial'
Tobias Brunner [Wed, 21 Nov 2018 13:40:00 +0000 (14:40 +0100)]
Merge branch 'travis-xenial'

Run builds on Travis on Ubuntu Xenial (16.04) images.

11 months agotravis: Use ccache for MinGW builds
Tobias Brunner [Tue, 13 Nov 2018 17:59:38 +0000 (18:59 +0100)]
travis: Use ccache for MinGW builds

11 months agotravis: Use manual matrix expansion to improve overall run time
Tobias Brunner [Tue, 13 Nov 2018 17:31:21 +0000 (18:31 +0100)]
travis: Use manual matrix expansion to improve overall run time

The sonarcloud build runs a long time now (the win32/64 builds are also
a lot slower on xenial), which increases the overall time a build takes
because we can't run these before regular matrix jobs run.  So we do a
manual matrix expansion to control the order of jobs (slower first).
This also removes the TEST=default build with GCC as that's basically
what TEST=dist does (except for forcing the printf implementation)

11 months agotravis: Simplify explicitly included jobs
Tobias Brunner [Tue, 13 Nov 2018 15:46:10 +0000 (16:46 +0100)]
travis: Simplify explicitly included jobs

The first value for the compiler array (gcc) is inherited.

11 months agotravis: Start with sonarcloud job first
Tobias Brunner [Tue, 13 Nov 2018 15:42:44 +0000 (16:42 +0100)]
travis: Start with sonarcloud job first

Also change the condition, the environment variable is apparently still
around when the decision to run it is made.

11 months agotravis: Use two threads to analyze C code with SonarQube
Tobias Brunner [Tue, 13 Nov 2018 11:08:43 +0000 (12:08 +0100)]
travis: Use two threads to analyze C code with SonarQube

On Nov 12, the scanner was updated and now takes a lot more time (about
3 times as much).  Using two threads reduces it a bit (by about 25%).
Using even more threads doesn't help or even increases the time again.