strongswan.git
13 months agobotan: Add helper function for signature verification
Tobias Brunner [Mon, 22 Oct 2018 15:12:26 +0000 (17:12 +0200)]
botan: Add helper function for signature verification

13 months agoMerge branch 'ssh-eddsa'
Tobias Brunner [Fri, 26 Oct 2018 09:01:24 +0000 (11:01 +0200)]
Merge branch 'ssh-eddsa'

This adds support for Ed25519/Ed448 SSH keys and their signatures via
agent plugin.

13 months agoagent: Support signatures with Ed25519/Ed448 keys
Tobias Brunner [Mon, 22 Oct 2018 13:15:13 +0000 (15:15 +0200)]
agent: Support signatures with Ed25519/Ed448 keys

13 months agosshkey: Support encoding Ed25519/Ed448 SSH public keys
Tobias Brunner [Mon, 22 Oct 2018 13:04:48 +0000 (15:04 +0200)]
sshkey: Support encoding Ed25519/Ed448 SSH public keys

13 months agosshkey: Add support for parsing Ed25519/Ed448 SSH keys
Tobias Brunner [Mon, 22 Oct 2018 12:37:01 +0000 (14:37 +0200)]
sshkey: Add support for parsing Ed25519/Ed448 SSH keys

13 months agocurve25519: Support loading Ed25519 public keys from simple blobs
Tobias Brunner [Mon, 22 Oct 2018 12:33:36 +0000 (14:33 +0200)]
curve25519: Support loading Ed25519 public keys from simple blobs

13 months agocharon-cmd: Print plugin list before parsing arguments
Tobias Brunner [Fri, 19 Oct 2018 13:35:56 +0000 (15:35 +0200)]
charon-cmd: Print plugin list before parsing arguments

Helps debugging e.g. failures to load certs/keys.

13 months agoMerge commit 'key-sig-schemes'
Tobias Brunner [Fri, 26 Oct 2018 08:58:36 +0000 (10:58 +0200)]
Merge commit 'key-sig-schemes'

This adds the ability to return supported signature schemes (and
parameters) from a private key.

This is useful for keys on a TPM 2.0 as these can be used only with a
particular scheme (the hash algorithm and for RSA even the padding scheme
is fixed).  For RSA with PSS padding there is an additional complication
because different TPMs use different salt lengths, which we have to know
beforehand to correctly produce e.g. a certificate request (the signature
covers the algorithm identifier that describes the signature scheme).

It turned out that the new method is also useful for the agent plugin.
Newer ssh/gpg-agents support SHA-256 and SHA-512 for RSA signatures, but
not SHA-384, which we can now convey to the pubkey authenticator.
Unfortunately, older agents ignore the flags that request a SHA2 signature
and just return one with SHA-1, in such scenarios IKEv2 signature
authentication has to be disabled.

13 months agoagent: Enumerate only the supported signature schemes for RSA keys
Tobias Brunner [Fri, 19 Oct 2018 07:26:29 +0000 (09:26 +0200)]
agent: Enumerate only the supported signature schemes for RSA keys

SHA-384 is not supported but is selected by signature_schemes_for_key()
for keys between 3072 and 7680 bits.

Since this is only called for IKEv2 signature authentication we don't
even provide SHA-1 anymore.  We always provide both schemes, though,
which is what pubkey-authenticator does too for RSA.

Older agents apparently just ignore the flags and always return a SHA-1
signature.  If that's the case, charon.signature_authentication has to
be disabled.

13 months agoagent: Add support for RSA signatures with SHA256 and SHA512
Tobias Brunner [Fri, 19 Oct 2018 07:17:39 +0000 (09:17 +0200)]
agent: Add support for RSA signatures with SHA256 and SHA512

13 months agopubkey-authenticator: Append RSAPSS salt length to debug output
Andreas Steffen [Wed, 17 Oct 2018 08:05:31 +0000 (10:05 +0200)]
pubkey-authenticator: Append RSAPSS salt length to debug output

13 months agotravis: Build tmp2-tss from sources
Tobias Brunner [Mon, 15 Oct 2018 14:33:34 +0000 (16:33 +0200)]
travis: Build tmp2-tss from sources

13 months agolibtpmtss: Generalize AIK keys to signature keys
Andreas Steffen [Tue, 23 Oct 2018 16:55:16 +0000 (18:55 +0200)]
libtpmtss: Generalize AIK keys to signature keys

13 months agotpm: Check FIPS-140-2 and FIPS-186-4 compliance
Andreas Steffen [Tue, 23 Oct 2018 16:30:55 +0000 (18:30 +0200)]
tpm: Check FIPS-140-2 and FIPS-186-4 compliance

13 months agotpm: Return signature schemes supported by the key if TSS supports it
Tobias Brunner [Mon, 15 Oct 2018 11:16:44 +0000 (13:16 +0200)]
tpm: Return signature schemes supported by the key if TSS supports it

13 months agolibtpmtss: Add enumeration of supported signature schemes to TSS2 implementations
Tobias Brunner [Mon, 15 Oct 2018 11:28:51 +0000 (13:28 +0200)]
libtpmtss: Add enumeration of supported signature schemes to TSS2 implementations

13 months agolibtpmtss: TSS can optionally return signature schemes supported by a key
Tobias Brunner [Mon, 15 Oct 2018 11:16:06 +0000 (13:16 +0200)]
libtpmtss: TSS can optionally return signature schemes supported by a key

13 months agosignature-params: Provide option for maximum RSA/PSS salt length
Tobias Brunner [Fri, 12 Oct 2018 10:11:51 +0000 (12:11 +0200)]
signature-params: Provide option for maximum RSA/PSS salt length

However, the length now has to be resolved early, so we don't operate on
the negative constant values e.g. when generating the encoding.

13 months agopki: Query private key for supported signature schemes
Tobias Brunner [Fri, 12 Oct 2018 09:35:09 +0000 (11:35 +0200)]
pki: Query private key for supported signature schemes

13 months agopubkey-authenticator: Query private key for supported signature schemes
Tobias Brunner [Fri, 12 Oct 2018 09:14:05 +0000 (11:14 +0200)]
pubkey-authenticator: Query private key for supported signature schemes

13 months agoprivate-key: Add optional method that returns supported signature schemes
Tobias Brunner [Fri, 12 Oct 2018 08:35:04 +0000 (10:35 +0200)]
private-key: Add optional method that returns supported signature schemes

13 months agoMerge branch 'openssl-keyid'
Tobias Brunner [Wed, 24 Oct 2018 08:07:49 +0000 (10:07 +0200)]
Merge branch 'openssl-keyid'

Closes strongswan/strongswan#116.

13 months agoopenssl: Remove extra semicolon
ambiso [Tue, 23 Oct 2018 21:20:17 +0000 (23:20 +0200)]
openssl: Remove extra semicolon

13 months agoopenssl: Remove arbitrary keyid length check
ambiso [Tue, 23 Oct 2018 21:20:17 +0000 (23:20 +0200)]
openssl: Remove arbitrary keyid length check

13 months agoopenssl: Fix invalid keyid length check
ambiso [Tue, 23 Oct 2018 21:20:17 +0000 (23:20 +0200)]
openssl: Fix invalid keyid length check

Check was designed for base64 conversion, however a hex conversion is
being performed, which requires more memory.

13 months agolibtpmtss: Fixed inclusion of tcti-tabrmd.h header file
Andreas Steffen [Fri, 19 Oct 2018 08:46:08 +0000 (10:46 +0200)]
libtpmtss: Fixed inclusion of tcti-tabrmd.h header file

13 months agolibvici: Wrap header in extern "C" to include it from C++
Tobias Brunner [Thu, 11 Oct 2018 16:57:00 +0000 (18:57 +0200)]
libvici: Wrap header in extern "C" to include it from C++

Fixes #2795.

13 months agoandroid: New release after fixing DNS leak and some bugs
Tobias Brunner [Wed, 17 Oct 2018 10:08:47 +0000 (12:08 +0200)]
android: New release after fixing DNS leak and some bugs

13 months agoandroid: Force the two line button to be focusable
Tobias Brunner [Thu, 4 Oct 2018 09:48:45 +0000 (11:48 +0200)]
android: Force the two line button to be focusable

On newer Android versions (8+) this does not seem to be necessary (adding
the onClick handler also sets "clickable" and that in turn seems to make
it focusable), however, for older releases it is (tested with 7.1.1
keyboard navigation just skips over the button).  This was seen on a
Fire TV stick.

13 months agoandroid: Avoid DNS leak due to blocking TUN device without DNS servers
Tobias Brunner [Fri, 21 Sep 2018 13:07:44 +0000 (15:07 +0200)]
android: Avoid DNS leak due to blocking TUN device without DNS servers

It looks like Android 9 incorrectly continues to use the regular DNS
servers after the blocking TUN device is replaced with the actual
interface.  Setting DNS servers prevents that (since all traffic is
blocked, which ones doesn't really matter but local/loopback addresses
are rejected).
Interestingly, if the VPN server later does not assign any DNS servers, there
is no fallback to the non-VPN DNS servers for some reason (that's definitely
not as documented).  This could potentially be a problem as we don't
offer an option to configure DNS servers in the VPN profile.

Neither issue is seen on older Android versions (only tested on 7.1.1).

13 months agoandroid: Update Gradle plugin
Tobias Brunner [Fri, 21 Sep 2018 13:07:25 +0000 (15:07 +0200)]
android: Update Gradle plugin

13 months agoandroid: Make sure we actually have a tile when updating it
Tobias Brunner [Fri, 6 Jul 2018 14:01:34 +0000 (16:01 +0200)]
android: Make sure we actually have a tile when updating it

Not sure when this happens exactly, in particular because the reported
stack traces look like this

java.lang.NullPointerException:
  at org.strongswan.android.ui.VpnTileService.updateTile (VpnTileService.java:220)
  at org.strongswan.android.ui.VpnTileService.onStartListening (VpnTileService.java:97)
  at android.service.quicksettings.TileService$H.handleMessage (TileService.java:407)

which violates the API documentation for getQsTile(), which states:

  This tile is only valid for updates between onStartListening() and
  onStopListening().

But apparently that's not always the case. There have been two reports
of such a crash, both on Android 8.0 and on Xiaomi Mi 5/6 devices, so
maybe it's a bug in that particular image.

13 months agoandroid: Fix profile selection/edit when the device is rotated
Tobias Brunner [Fri, 6 Jul 2018 13:54:45 +0000 (15:54 +0200)]
android: Fix profile selection/edit when the device is rotated

The previous code lost track of the selected profile IDs, but the
widgets maintained their state (i.e. the list item was still selected and the
edit button still enabled).  Clicking the edit button then caused a crash when
trying to get the first item in the set.

13 months agoikev1: Log traffic selectors for missing child configs
Thomas Egerer [Tue, 2 Oct 2018 13:11:16 +0000 (15:11 +0200)]
ikev1: Log traffic selectors for missing child configs

Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
13 months agotask-manager-v1: Clear retransmit alert on request retransmit
Thomas Egerer [Tue, 2 Oct 2018 13:02:59 +0000 (15:02 +0200)]
task-manager-v1: Clear retransmit alert on request retransmit

The task manager for IKEv1 issues a retransmit send alert in the
retransmit_packet() function. The corresponding retransmit cleared alert
however is only issued for exchanges we initiated after processing the
response in process_response().

For quick mode exchanges we may retransmit the second packet if the peer
(the initiator) does not send the third message in a timely manner. In
this case the retransmit send alert may never be cleared.

With this patch the retransmit cleared alert is issued for packets that
were retransmitted also when we are the responding party when we receive
the outstanding response.

Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
14 months agosec-updater.sh: Support of Debian 9.0 and Ubuntu 18.04
Andreas Steffen [Sun, 7 Oct 2018 08:14:20 +0000 (10:14 +0200)]
sec-updater.sh: Support of Debian 9.0 and Ubuntu 18.04

14 months agotravis: Don't build botan twice if installing dependencies is retried
Tobias Brunner [Tue, 2 Oct 2018 14:13:26 +0000 (16:13 +0200)]
travis: Don't build botan twice if installing dependencies is retried

14 months agofuzzing: Add -lm to LDFLAGS if the coverage sanitizer is used
Tobias Brunner [Tue, 2 Oct 2018 08:58:40 +0000 (10:58 +0200)]
fuzzing: Add -lm to LDFLAGS if the coverage sanitizer is used

libFuzzer apparently uses math functions (e.g. ceilf) for that sanitizer.

14 months agotravis: Only build sonarcloud target if the token is available
Tobias Brunner [Tue, 2 Oct 2018 07:38:00 +0000 (09:38 +0200)]
travis: Only build sonarcloud target if the token is available

That's not the case for pull requests that don't have access to
encrypted tokens/environment variables.

14 months agoswanctl: Fix typos in usage for swanctl rekey/terminate commands
Matt Selsky [Tue, 2 Oct 2018 04:56:31 +0000 (00:56 -0400)]
swanctl: Fix typos in usage for swanctl rekey/terminate commands

Closes strongswan/strongswan#113.

14 months agoVersion bump to 5.7.1 5.7.1
Andreas Steffen [Mon, 1 Oct 2018 15:46:17 +0000 (17:46 +0200)]
Version bump to 5.7.1

14 months agoNEWS: Add info about CVE-2018-17540
Tobias Brunner [Mon, 1 Oct 2018 08:26:08 +0000 (10:26 +0200)]
NEWS: Add info about CVE-2018-17540

14 months agogmp: Fix buffer overflow with very small RSA keys
Tobias Brunner [Tue, 25 Sep 2018 12:50:08 +0000 (14:50 +0200)]
gmp: Fix buffer overflow with very small RSA keys

Because `keylen` is unsigned the subtraction results in an integer
underflow if the key length is < 11 bytes.

This is only a problem when verifying signatures with a public key (for
private keys the plugin enforces a minimum modulus length) and to do so
we usually only use trusted keys.  However, the x509 plugin actually
calls issued_by() on a parsed certificate to check if it is self-signed,
which is the reason this issue was found by OSS-Fuzz in the first place.
So, unfortunately, this can be triggered by sending an invalid client
cert to a peer.

Fixes: 5955db5b124a ("gmp: Don't parse PKCS1 v1.5 RSA signatures to verify them")
Fixes: CVE-2018-17540

14 months agotravis: Don't build tags separately
Tobias Brunner [Fri, 21 Sep 2018 16:49:09 +0000 (18:49 +0200)]
travis: Don't build tags separately

Travis treats tags just like branches (which sonarcloud does too) and the
tagged commit is built anyway.

14 months agoVersion bump to 5.7.0 5.7.0
Andreas Steffen [Mon, 24 Sep 2018 09:10:12 +0000 (11:10 +0200)]
Version bump to 5.7.0

14 months agoNEWS: Add info about CVE-2018-16151/52
Tobias Brunner [Mon, 3 Sep 2018 12:39:52 +0000 (14:39 +0200)]
NEWS: Add info about CVE-2018-16151/52

14 months agogmp: Don't parse PKCS1 v1.5 RSA signatures to verify them
Tobias Brunner [Tue, 28 Aug 2018 09:26:24 +0000 (11:26 +0200)]
gmp: Don't parse PKCS1 v1.5 RSA signatures to verify them

Instead we generate the expected signature encoding and compare it to the
decrypted value.

Due to the lenient nature of the previous parsing code (minimum padding
length was not enforced, the algorithmIdentifier/OID parser accepts arbitrary
data after OIDs and in the parameters field etc.) it was susceptible to
Daniel Bleichenbacher's low-exponent attack (from 2006!), which allowed
forging signatures for keys that use low public exponents (i.e. e=3).

Since the public exponent is usually set to 0x10001 (65537) since quite a
while, the flaws in the previous code should not have had that much of a
practical impact in recent years.

Fixes: CVE-2018-16151, CVE-2018-16152

14 months agotravis: Run long-running tests first to reduce overall build time
Tobias Brunner [Tue, 18 Sep 2018 14:55:38 +0000 (16:55 +0200)]
travis: Run long-running tests first to reduce overall build time

Moving the manual matrix inclusions further up would be even better but
that doesn't seem possible.

14 months agoandroid: Disable capabilities in the android app
Tobias Brunner [Fri, 21 Sep 2018 08:58:51 +0000 (10:58 +0200)]
android: Disable capabilities in the android app

capset/capget are not in the NDK headers anymore, but we didn't use them
in the app anyway.

14 months agoandroid: Fix implementation of change_state() method in Android IMC
Tobias Brunner [Fri, 21 Sep 2018 08:55:34 +0000 (10:55 +0200)]
android: Fix implementation of change_state() method in Android IMC

The signature was changed with 731e043c8e07 ("libimcv: Reset of IMC state for
new measurement cycle").

14 months agoVersion bump to 5.7.0rc2 5.7.0rc2
Andreas Steffen [Tue, 18 Sep 2018 14:03:23 +0000 (16:03 +0200)]
Version bump to 5.7.0rc2

14 months agoswanctl: Document PPKs
Tobias Brunner [Tue, 18 Sep 2018 08:12:45 +0000 (10:12 +0200)]
swanctl: Document PPKs

14 months agoFixed some typos, courtesy of codespell
Tobias Brunner [Mon, 17 Sep 2018 16:36:22 +0000 (18:36 +0200)]
Fixed some typos, courtesy of codespell

14 months agosettings: Clarify that a key/value-pair can only occur once
Tobias Brunner [Mon, 17 Sep 2018 15:58:09 +0000 (17:58 +0200)]
settings: Clarify that a key/value-pair can only occur once

14 months agosettings-test: Remove unused variable in printf() call
Tobias Brunner [Mon, 17 Sep 2018 15:43:18 +0000 (17:43 +0200)]
settings-test: Remove unused variable in printf() call

14 months agovici: Fix syntax error in Ruby bindings
Tobias Brunner [Mon, 17 Sep 2018 15:05:23 +0000 (17:05 +0200)]
vici: Fix syntax error in Ruby bindings

I guess nobody uses these.

Fixes: 2c7cfe76303b ("vici:  flush-certs command flushes certificate cache")

14 months agoimv-attestation: Don't use comma to separate statements
Tobias Brunner [Mon, 17 Sep 2018 14:59:43 +0000 (16:59 +0200)]
imv-attestation: Don't use comma to separate statements

14 months agoimv-agent: Don't use comma to separate statements
Tobias Brunner [Mon, 17 Sep 2018 14:59:11 +0000 (16:59 +0200)]
imv-agent: Don't use comma to separate statements

14 months agoxauth-pam: Don't use comma to separate statements
Tobias Brunner [Mon, 17 Sep 2018 14:58:14 +0000 (16:58 +0200)]
xauth-pam: Don't use comma to separate statements

14 months agotnc-pdp: Don't use comma to separate statements
Tobias Brunner [Mon, 17 Sep 2018 14:57:43 +0000 (16:57 +0200)]
tnc-pdp: Don't use comma to separate statements

14 months agoreceiver: Don't use commas to separate statements
Tobias Brunner [Mon, 17 Sep 2018 14:56:25 +0000 (16:56 +0200)]
receiver: Don't use commas to separate statements

Maybe was in the INIT statement at some point.

14 months agomanager: Restore direct return if database URI is not defined
Tobias Brunner [Mon, 17 Sep 2018 14:30:51 +0000 (16:30 +0200)]
manager: Restore direct return if database URI is not defined

There was an exit anyway because storage_create() returns NULL if the
database can't be created.

14 months agoimv-os-agent: Remove useless assignment
Tobias Brunner [Mon, 17 Sep 2018 14:44:47 +0000 (16:44 +0200)]
imv-os-agent: Remove useless assignment

`eval` will never be TNC_IMV_EVALUATION_RESULT_DONT_KNOW so we can
remove the if statement too.

14 months agopts: Remove commented call of inexistent function
Tobias Brunner [Mon, 17 Sep 2018 14:43:32 +0000 (16:43 +0200)]
pts: Remove commented call of inexistent function

14 months agocounters: Fix exit status in error case
Tobias Brunner [Mon, 17 Sep 2018 14:13:22 +0000 (16:13 +0200)]
counters: Fix exit status in error case

14 months agosigncrl: Remove useless assignment
Tobias Brunner [Mon, 17 Sep 2018 14:11:05 +0000 (16:11 +0200)]
signcrl: Remove useless assignment

14 months agoasn1: Remove useless assignment
Tobias Brunner [Mon, 17 Sep 2018 14:07:59 +0000 (16:07 +0200)]
asn1: Remove useless assignment

14 months agomode-config: Remove useless assignment
Tobias Brunner [Mon, 17 Sep 2018 14:02:24 +0000 (16:02 +0200)]
mode-config: Remove useless assignment

14 months agokeymat_v1: Remove useless assignment
Tobias Brunner [Mon, 17 Sep 2018 14:00:11 +0000 (16:00 +0200)]
keymat_v1: Remove useless assignment

14 months agokernel-netlink: Check return value of both halfs when installing default route in...
Tobias Brunner [Mon, 17 Sep 2018 13:56:48 +0000 (15:56 +0200)]
kernel-netlink: Check return value of both halfs when installing default route in main table

14 months agobotan: Fix leak if hasher initialization fails
Tobias Brunner [Mon, 17 Sep 2018 15:59:55 +0000 (17:59 +0200)]
botan: Fix leak if hasher initialization fails

14 months agobotan: Share code to generate RSA EMSA PSS signature identifier strings
Tobias Brunner [Mon, 17 Sep 2018 10:57:25 +0000 (12:57 +0200)]
botan: Share code to generate RSA EMSA PSS signature identifier strings

14 months agobotan: Remove unnecessary nested blocks and simplify keyid allocation
Tobias Brunner [Mon, 17 Sep 2018 10:33:09 +0000 (12:33 +0200)]
botan: Remove unnecessary nested blocks and simplify keyid allocation

14 months agodaemon: Remove redundant assignment to time_format
Tobias Brunner [Fri, 14 Sep 2018 14:10:46 +0000 (16:10 +0200)]
daemon: Remove redundant assignment to time_format

14 months agoVersion bump to 5.7.0rc1 5.7.0rc1
Andreas Steffen [Sun, 16 Sep 2018 07:30:09 +0000 (09:30 +0200)]
Version bump to 5.7.0rc1

14 months agotesting: Extended Botan scenarios
Andreas Steffen [Wed, 12 Sep 2018 15:21:21 +0000 (17:21 +0200)]
testing: Extended Botan scenarios

15 months agoNEWS: Added some news for 5.7.0
Tobias Brunner [Wed, 12 Sep 2018 16:41:53 +0000 (18:41 +0200)]
NEWS: Added some news for 5.7.0

15 months agotravis: Silence `git checkout` for Botan
Tobias Brunner [Wed, 12 Sep 2018 15:18:15 +0000 (17:18 +0200)]
travis: Silence `git checkout` for Botan

15 months agoMerge branch 'botan-plugin'
Tobias Brunner [Wed, 12 Sep 2018 14:25:07 +0000 (16:25 +0200)]
Merge branch 'botan-plugin'

Adds a wrapper plugin for the Botan crypto library.

Closes strongswan/strongswan#109.

15 months agotravis: Use a fix revision for Botan and speed up subsequent builds via ccache
Tobias Brunner [Wed, 12 Sep 2018 13:51:08 +0000 (15:51 +0200)]
travis: Use a fix revision for Botan and speed up subsequent builds via ccache

15 months agotravis: Use amalgamation build for Botan and build outside our source tree
Tobias Brunner [Wed, 12 Sep 2018 11:12:44 +0000 (13:12 +0200)]
travis: Use amalgamation build for Botan and build outside our source tree

This merges all source files into botan_all.cpp, which reduces the build
time by almost 50%. Building outside the strongSwan tree avoids analyzing
Botan with sonarqube.

15 months agogcrypt: Make generic DH constructor static
Tobias Brunner [Wed, 12 Sep 2018 10:56:11 +0000 (12:56 +0200)]
gcrypt: Make generic DH constructor static

15 months agotravis: Build botan plugin also in the tests that build everything
Tobias Brunner [Wed, 12 Sep 2018 10:05:14 +0000 (12:05 +0200)]
travis: Build botan plugin also in the tests that build everything

15 months agotravis: Only add the sonarcloud addon for that build
Tobias Brunner [Wed, 12 Sep 2018 10:02:41 +0000 (12:02 +0200)]
travis: Only add the sonarcloud addon for that build

15 months agotesting: Added botan/rw-cert scenario
Andreas Steffen [Wed, 5 Sep 2018 06:07:06 +0000 (08:07 +0200)]
testing: Added botan/rw-cert scenario

15 months agotesting: Enable Botan and the plugin
Tobias Brunner [Thu, 30 Aug 2018 15:47:43 +0000 (17:47 +0200)]
testing: Enable Botan and the plugin

ldconfig is required, otherwise the library won't be found by
strongSwan in the same session.

Should later be changed to 2.8.0 or a newer stable release.

15 months agobotan: Add support for X25519
Tobias Brunner [Tue, 11 Sep 2018 09:05:21 +0000 (11:05 +0200)]
botan: Add support for X25519

15 months agobotan: Simplify DH/ECDH key derivation
Tobias Brunner [Tue, 11 Sep 2018 08:58:42 +0000 (10:58 +0200)]
botan: Simplify DH/ECDH key derivation

15 months agotest-vectors: Add the actual test vector from RFC 8031 for x25519
Tobias Brunner [Tue, 11 Sep 2018 08:32:50 +0000 (10:32 +0200)]
test-vectors: Add the actual test vector from RFC 8031 for x25519

The existing test vector is from RFC 8037.

15 months agoike-init: Fix leak if KE payload creation fails
Tobias Brunner [Thu, 30 Aug 2018 12:48:34 +0000 (14:48 +0200)]
ike-init: Fix leak if KE payload creation fails

15 months agoleak-detective: Add an option to ignore frees of unknown memory blocks
Tobias Brunner [Wed, 8 Aug 2018 15:06:15 +0000 (17:06 +0200)]
leak-detective: Add an option to ignore frees of unknown memory blocks

This also changes how unknown/corrupted memory is handled in the free()
and realloc() hooks in general.

Incorporates changes provided by Thomas Egerer who ran into a similar
issue.

15 months agotravis: Add Botan build
Tobias Brunner [Wed, 8 Aug 2018 09:35:46 +0000 (11:35 +0200)]
travis: Add Botan build

We build Botan directly from the master branch until 2.8.0 is released.

15 months agoleak-detective: Whitelist some Botan functions
Tobias Brunner [Wed, 8 Aug 2018 09:41:36 +0000 (11:41 +0200)]
leak-detective: Whitelist some Botan functions

Due to the mangled C++ function names it's tricky to be more specific.  The
"leaked" allocations are from a static hashtable containing EC groups.

There is another leak caused by the locking allocator singleton
(triggered by the first function that uses it, usually initialization of
 a cipher, but could be a hasher in other test runners), but we can avoid
that with a Botan config option.

15 months agobotan: Adhere to configured DH exponent length
Tobias Brunner [Fri, 10 Aug 2018 15:04:09 +0000 (17:04 +0200)]
botan: Adhere to configured DH exponent length

15 months agobotan: Encode private keys as PKCS#8
Tobias Brunner [Fri, 10 Aug 2018 07:02:26 +0000 (09:02 +0200)]
botan: Encode private keys as PKCS#8

Since we can now parse that encoding directly we can simplify the private
key export and stick to PKCS#8.

15 months agobotan: Load public/private keys generically
Tobias Brunner [Thu, 9 Aug 2018 11:00:50 +0000 (13:00 +0200)]
botan: Load public/private keys generically

Simplifies public key loading and this way unencrypted PKCS#8-encoded
keys can be loaded directly without pkcs8 plugin (code for encrypted
keys could probably later be added, if necessary).

It also simplifies the implementation of private_key_t::get_public_key()
a lot.

15 months agobotan: Encode curve OID and public key in EC private key
Tobias Brunner [Wed, 8 Aug 2018 16:23:11 +0000 (18:23 +0200)]
botan: Encode curve OID and public key in EC private key

Without OID we can't generate an algorithmIdentifier when loading the
key again. And older versions of OpenSSL insist on a public key when
e.g. converting a key to PKCS#8.

Simply unwrapping the ECPrivateKey structure avoids log messages when
parsing other keys in the KEY_ANY case.

15 months agopkcs1: Accept EC private keys without public key but make sure of an OID
Tobias Brunner [Thu, 9 Aug 2018 06:45:48 +0000 (08:45 +0200)]
pkcs1: Accept EC private keys without public key but make sure of an OID

15 months agobotan: Fixes, code style changes plus some refactorings
Tobias Brunner [Mon, 6 Aug 2018 15:46:54 +0000 (17:46 +0200)]
botan: Fixes, code style changes plus some refactorings

Some changes rely on newly added FFI functions in Botan's master
branch.

15 months agobotan: Add MD5 support to Botan hasher
René Korthaus [Fri, 27 Jul 2018 07:33:39 +0000 (09:33 +0200)]
botan: Add MD5 support to Botan hasher

Support MD5 in the Botan plugin if supported by Botan.
MD5 is required for RADIUS and obviously EAP-MD5,
and also for non-PKCS#8 encoded, encrypted private keys.