strongswan.git
4 years agoatomics: Move atomics/recounting support to separate files
Martin Willi [Wed, 15 Apr 2015 13:48:17 +0000 (15:48 +0200)]
atomics: Move atomics/recounting support to separate files

4 years agounit-tests: Further increase the test vector testing timeout
Martin Willi [Thu, 16 Apr 2015 08:15:13 +0000 (10:15 +0200)]
unit-tests: Further increase the test vector testing timeout

Some build bots running make check seem to have longer for the DH testing.

4 years agotest-vectors: Define test vector symbols as extern
Martin Willi [Thu, 16 Apr 2015 07:38:14 +0000 (09:38 +0200)]
test-vectors: Define test vector symbols as extern

We don't actually define a vector, but only prototype the test vector
implemented in a different file. GCC uses the correct symbol during testing,
but clang correctly complains about duplicated symbols during linking.

4 years agoFix years in some copyright statements
Tobias Brunner [Thu, 16 Apr 2015 07:21:00 +0000 (09:21 +0200)]
Fix years in some copyright statements

4 years agoaesni: Fix doxygen groups
Martin Willi [Wed, 15 Apr 2015 15:29:56 +0000 (17:29 +0200)]
aesni: Fix doxygen groups

4 years agoMerge branch 'dh-test-vectors'
Martin Willi [Wed, 15 Apr 2015 12:44:33 +0000 (14:44 +0200)]
Merge branch 'dh-test-vectors'

Add a Diffie-Hellman backend test method, a set of test vectors and implement
testing of the gmp, openssl and gcrypt DH backend.

4 years agokernel-netlink: Don't mangle verbosity during test initialization
Martin Willi [Tue, 14 Apr 2015 07:34:09 +0000 (09:34 +0200)]
kernel-netlink: Don't mangle verbosity during test initialization

We now properly manage thread verbosity in the test framework, and don't need
to silence thread spawning messages.

4 years agounit-tests: Set test verbosity just after test suite loading
Martin Willi [Tue, 14 Apr 2015 07:26:17 +0000 (09:26 +0200)]
unit-tests: Set test verbosity just after test suite loading

We see any plugin startup messages during suite configuration, where
initialization is called once to query plugin features. No need to be verbose
and show these messages once again in the first test.

4 years agocrypto-factory: Remove obsolete transform testing functions
Martin Willi [Mon, 13 Apr 2015 16:25:27 +0000 (18:25 +0200)]
crypto-factory: Remove obsolete transform testing functions

4 years agounit-tests: Use progressive testing of transforms with test vectors
Martin Willi [Mon, 13 Apr 2015 16:23:58 +0000 (18:23 +0200)]
unit-tests: Use progressive testing of transforms with test vectors

This allows us to show which transform from which plugin failed. Also, we use
the new cleanup handler functionality that allows proper deinitialization on
failure or timeout.

4 years agotransform: Add a getter for the enum_names for a specific transform type
Martin Willi [Mon, 13 Apr 2015 16:23:25 +0000 (18:23 +0200)]
transform: Add a getter for the enum_names for a specific transform type

4 years agoenum-names: Fail gracefully when passing a NULL value as enum names
Martin Willi [Mon, 13 Apr 2015 16:22:49 +0000 (18:22 +0200)]
enum-names: Fail gracefully when passing a NULL value as enum names

4 years agocrypto-factory: Add enumerator method to support individual transform testing
Martin Willi [Mon, 13 Apr 2015 16:21:53 +0000 (18:21 +0200)]
crypto-factory: Add enumerator method to support individual transform testing

4 years agounit-tests: Invoke all registered thread cleanup handlers on test failure
Martin Willi [Tue, 14 Apr 2015 06:59:58 +0000 (08:59 +0200)]
unit-tests: Invoke all registered thread cleanup handlers on test failure

If a test fails in a timeout or a test failure, longjmp() is used to restore
the thread context and handle test failure. However, there might be unreleased
resources, namely locks, which prevent the library to clean up properly after
finishing the test.

By using thread cleanup handlers, we can release any test subject internal or
test specific external resources on test failure. We do so by calling all
registered cleanup handlers.

4 years agothread: Add a function to pop and call all registered cleanup handlers
Martin Willi [Tue, 14 Apr 2015 06:59:01 +0000 (08:59 +0200)]
thread: Add a function to pop and call all registered cleanup handlers

4 years agothread: Don't acquire lock for thread_cleanup_push/pop
Martin Willi [Wed, 15 Apr 2015 08:53:27 +0000 (10:53 +0200)]
thread: Don't acquire lock for thread_cleanup_push/pop

This is called only by the thread for its own thread_t, and does not need
synchronization.

4 years agotravis: Run a gcrypt test with leak-detective
Martin Willi [Mon, 13 Apr 2015 10:13:56 +0000 (12:13 +0200)]
travis: Run a gcrypt test with leak-detective

And also enable gcrypt in the all tests with leak-detective enabled.

4 years agogcrypt: Explicitly initialize RNG backend to allocate static data
Martin Willi [Mon, 13 Apr 2015 15:12:49 +0000 (17:12 +0200)]
gcrypt: Explicitly initialize RNG backend to allocate static data

The libgcrypt RNG implementation uses static buffer allocation which it does
not free. There is no symbol we can catch in leak-detective, hence we explicitly
initialize the RNG during the whitelisted gcrypt_plugin_create() function.

4 years agoleak-detective: Whitelist gcrypt_plugin_create()
Martin Willi [Mon, 13 Apr 2015 10:02:07 +0000 (12:02 +0200)]
leak-detective: Whitelist gcrypt_plugin_create()

gcry_check_version() does not free statically allocated resources. However,
we can't whitelist it in some versions, as it is not a resolvable symbol name.
Instead, whitelist our own plugin constructor function.

4 years agounit-tests: Add a TESTS_PLUGINS environment variable
Martin Willi [Mon, 13 Apr 2015 09:36:05 +0000 (11:36 +0200)]
unit-tests: Add a TESTS_PLUGINS environment variable

This is often more convenient than specifying plugins in a configuration file.

4 years agounit-tests: Use a larger timeout for test vector testing
Martin Willi [Mon, 13 Apr 2015 10:27:35 +0000 (12:27 +0200)]
unit-tests: Use a larger timeout for test vector testing

As we test DH calculations this now takes more time. If multiple DH backends
are enabled, we likely hit the default test timeout.

4 years agogcrypt: Support setting private value and testing of DH backend
Martin Willi [Mon, 13 Apr 2015 10:12:09 +0000 (12:12 +0200)]
gcrypt: Support setting private value and testing of DH backend

4 years agoopenssl: Support setting ECDH private values
Martin Willi [Thu, 9 Apr 2015 13:05:16 +0000 (15:05 +0200)]
openssl: Support setting ECDH private values

4 years agoopenssl: Support setting private Diffie-Hellman values
Martin Willi [Mon, 13 Apr 2015 12:48:23 +0000 (14:48 +0200)]
openssl: Support setting private Diffie-Hellman values

4 years agogmp: Support setting Diffie-Hellman private values
Martin Willi [Thu, 9 Apr 2015 12:59:04 +0000 (14:59 +0200)]
gmp: Support setting Diffie-Hellman private values

4 years agotest-vectors: Add DH vectors for Brainpool groups
Martin Willi [Thu, 9 Apr 2015 12:48:35 +0000 (14:48 +0200)]
test-vectors: Add DH vectors for Brainpool groups

4 years agotest-vectors: Add DH vectors for ECDH groups
Martin Willi [Thu, 9 Apr 2015 12:20:47 +0000 (14:20 +0200)]
test-vectors: Add DH vectors for ECDH groups

4 years agotest-vectors: Add DH vectors for subgroup MODP groups
Martin Willi [Thu, 9 Apr 2015 11:35:10 +0000 (13:35 +0200)]
test-vectors: Add DH vectors for subgroup MODP groups

4 years agotest-vectors: Add DH vectors for normal MODP groups
Martin Willi [Thu, 9 Apr 2015 10:17:13 +0000 (12:17 +0200)]
test-vectors: Add DH vectors for normal MODP groups

4 years agotest-vectors: Support testing DH groups
Martin Willi [Thu, 9 Apr 2015 10:16:25 +0000 (12:16 +0200)]
test-vectors: Support testing DH groups

4 years agocrypto-tester: Support testing DH groups using DH test vectors
Martin Willi [Thu, 9 Apr 2015 08:47:03 +0000 (10:47 +0200)]
crypto-tester: Support testing DH groups using DH test vectors

4 years agodiffie-hellman: Introduce an optional setter for the private value
Martin Willi [Thu, 9 Apr 2015 08:02:24 +0000 (10:02 +0200)]
diffie-hellman: Introduce an optional setter for the private value

This allows us to work with deterministic values for testing purposes.

4 years agoMerge branch 'aesni'
Martin Willi [Wed, 15 Apr 2015 12:33:45 +0000 (14:33 +0200)]
Merge branch 'aesni'

Add an aesni plugin providing CBC, CTR, XCBC, CMAC, CCM and GCM modes for
for AES-128/192/256 based on AES-NI/PCLMULQDQ intrinsics.

4 years agoNEWS: Add aesni plugin news
Martin Willi [Tue, 31 Mar 2015 16:09:22 +0000 (18:09 +0200)]
NEWS: Add aesni plugin news

4 years agoaesni: Avoid loading AES/GHASH round keys into local variables
Martin Willi [Tue, 14 Apr 2015 10:38:18 +0000 (12:38 +0200)]
aesni: Avoid loading AES/GHASH round keys into local variables

The performance impact is not measurable, as the compiler loads these variables
in xmm registers in unrolled loops anyway.

However, we avoid loading these sensitive keys onto the stack. This happens for
larger key schedules, where the register count is insufficient. If that key
material is not on the stack, we can avoid to wipe it explicitly after
crypto operations.

4 years agoaesni: Align all class instances to 16 byte boundaries
Martin Willi [Tue, 31 Mar 2015 15:28:12 +0000 (17:28 +0200)]
aesni: Align all class instances to 16 byte boundaries

While the required members are aligned in the struct as required, on 32-bit
platforms the allocator aligns the structures itself to 8 bytes only. This
results in non-aligned struct members, and invalid memory accesses.

4 years agoutils: Provide aligning variants of INIT/INIT_EXTRA macros
Martin Willi [Tue, 31 Mar 2015 15:27:30 +0000 (17:27 +0200)]
utils: Provide aligning variants of INIT/INIT_EXTRA macros

4 years agounit-tests: Pass stringyfied assertion statement as non-format string argument
Martin Willi [Wed, 15 Apr 2015 10:02:45 +0000 (12:02 +0200)]
unit-tests: Pass stringyfied assertion statement as non-format string argument

If the assertion contains a modulo (%) operation, test_fail_msg() handles
this as printf() format specifier. Pass the assertion string as argument for
an explicit "%s" in the format string, instead.

4 years agoutils: Add malloc/free wrappers returning aligned data
Martin Willi [Tue, 31 Mar 2015 15:25:05 +0000 (17:25 +0200)]
utils: Add malloc/free wrappers returning aligned data

While we could use posix_memalign(3), that is not fully portable. Further, it
might be difficult on some platforms to properly catch it in leak-detective,
which results in invalid free()s when releasing such memory.

We instead use a simple wrapper, which allocates larger data, and saves the
padding size in the allocated header. This requires that memory is released
using a dedicated function.

To reduce the risk of invalid free() when working on corrupted data, we fill up
all the padding with the padding length, and verify it during free_align().

4 years agoaesni: Calculate GHASH for 4 blocks of associated data in parallel
Martin Willi [Tue, 31 Mar 2015 08:57:04 +0000 (10:57 +0200)]
aesni: Calculate GHASH for 4 blocks of associated data in parallel

While associated data is usually not that large, in some specific cases
this can bring a significant performance boost.

4 years agoaesni: Calculate GHASH for 4 blocks of encryption data in parallel
Martin Willi [Tue, 31 Mar 2015 08:00:33 +0000 (10:00 +0200)]
aesni: Calculate GHASH for 4 blocks of encryption data in parallel

Increases performance by another ~30%.

4 years agoaesni: Use 4-way parallel en/decryption in GCM
Martin Willi [Mon, 30 Mar 2015 16:55:36 +0000 (18:55 +0200)]
aesni: Use 4-way parallel en/decryption in GCM

Increases overall performance by ~25%.

4 years agoaesni: Use dedicated key size specific en-/decryption functions in GCM
Martin Willi [Mon, 30 Mar 2015 16:37:02 +0000 (18:37 +0200)]
aesni: Use dedicated key size specific en-/decryption functions in GCM

This gives not much more than ~5% increase in performance, but allows us to
improve further.

4 years agoaesni: Add a GCM AEAD based on the AES-NI key schedule
Martin Willi [Mon, 30 Mar 2015 15:58:29 +0000 (17:58 +0200)]
aesni: Add a GCM AEAD based on the AES-NI key schedule

4 years agoaesni: Implement CMAC mode to provide a signer/prf
Martin Willi [Fri, 27 Mar 2015 16:36:12 +0000 (17:36 +0100)]
aesni: Implement CMAC mode to provide a signer/prf

Compared to the cmac plugin using AESNI-CBC as backend, this improves
performance of AES-CMAC by ~45%.

4 years agoaesni: Implement XCBC mode to provide a signer/prf
Martin Willi [Fri, 27 Mar 2015 12:51:24 +0000 (13:51 +0100)]
aesni: Implement XCBC mode to provide a signer/prf

Compared to the xcbc plugin using AESNI-CBC as backend, this improves
performance of AES-XCBC by ~45%.

4 years agoaesni: Partially use separate code paths for different key sizes in CCM
Martin Willi [Thu, 26 Mar 2015 18:07:21 +0000 (19:07 +0100)]
aesni: Partially use separate code paths for different key sizes in CCM

Due to the serial nature of the CBC mac, this brings only a marginal speedup.

4 years agoaesni: Add a CCM AEAD reusing the key schedule
Martin Willi [Thu, 26 Mar 2015 16:43:50 +0000 (17:43 +0100)]
aesni: Add a CCM AEAD reusing the key schedule

4 years agoaesni: Use 4-way parallel AES-NI instructions for CTR en/decryption
Martin Willi [Thu, 26 Mar 2015 10:26:51 +0000 (11:26 +0100)]
aesni: Use 4-way parallel AES-NI instructions for CTR en/decryption

CTR can be parallelized, and we do so by queueing instructions to the processor
pipeline. While we have enough registers for 128-bit decryption, the register
count is insufficient to hold all variables with larger key sizes. Nonetheless
is 4-way parallelism faster, depending on key size between ~10% and ~25%.

4 years agoaesni: Use dedicated round count specific encryption functions in CTR mode
Martin Willi [Thu, 26 Mar 2015 09:58:04 +0000 (10:58 +0100)]
aesni: Use dedicated round count specific encryption functions in CTR mode

This allows us to unroll loops and hold the key schedule in local (register)
variables. This brings an impressive speedup of ~45%.

4 years agoaesni: Implement a AES-NI based CTR crypter using the key schedule
Martin Willi [Thu, 26 Mar 2015 09:37:03 +0000 (10:37 +0100)]
aesni: Implement a AES-NI based CTR crypter using the key schedule

4 years agoaesni: Use 4-way parallel AES-NI instructions for CBC decryption
Martin Willi [Thu, 26 Mar 2015 07:34:00 +0000 (08:34 +0100)]
aesni: Use 4-way parallel AES-NI instructions for CBC decryption

CBC decryption can be parallelized, and we do so by queueing instructions
to the processor pipeline. While we have enough registers for 128-bit
decryption, the register count is insufficient to hold all variables with
larger key sizes. Nonetheless is 4-way parallelism faster, roughly by ~8%.

4 years agoaesni: Use separate en-/decryption CBC code paths for different key sizes
Martin Willi [Thu, 26 Mar 2015 07:31:00 +0000 (08:31 +0100)]
aesni: Use separate en-/decryption CBC code paths for different key sizes

This allows us to unroll loops, and use local (register) variables for the
key schedule. This improves performance slightly for encryption, but a lot
for reorderable decryption (>30%).

4 years agoaesni: Implement a AES-NI based CBC crypter using the key schedule
Martin Willi [Wed, 25 Mar 2015 16:30:58 +0000 (17:30 +0100)]
aesni: Implement a AES-NI based CBC crypter using the key schedule

4 years agoaesni: Implement 256-bit key schedule
Martin Willi [Thu, 26 Mar 2015 07:07:07 +0000 (08:07 +0100)]
aesni: Implement 256-bit key schedule

4 years agoaesni: Implement 192-bit key schedule
Martin Willi [Thu, 26 Mar 2015 07:05:58 +0000 (08:05 +0100)]
aesni: Implement 192-bit key schedule

4 years agoaesni: Implement 128-bit key schedule
Martin Willi [Thu, 26 Mar 2015 07:05:04 +0000 (08:05 +0100)]
aesni: Implement 128-bit key schedule

4 years agoaesni: Add a common key schedule class for AES
Martin Willi [Wed, 25 Mar 2015 13:31:24 +0000 (14:31 +0100)]
aesni: Add a common key schedule class for AES

4 years agoaesni: Provide a plugin stub for AES-NI instruction based crypto primitives
Martin Willi [Wed, 25 Mar 2015 12:27:39 +0000 (13:27 +0100)]
aesni: Provide a plugin stub for AES-NI instruction based crypto primitives

4 years agoutils: Provide an INIT_EXTRA() macro, that allocates extra data to INIT()
Martin Willi [Thu, 5 Jun 2014 13:57:18 +0000 (15:57 +0200)]
utils: Provide an INIT_EXTRA() macro, that allocates extra data to INIT()

4 years agotest-vectors: Add some self-made additional AES-GCM test vectors
Martin Willi [Tue, 31 Mar 2015 09:25:20 +0000 (11:25 +0200)]
test-vectors: Add some self-made additional AES-GCM test vectors

We missed test vectors for 192/256-bit key vectors for ICV8/12, and should
also have some for larger associated data chunk.

4 years agotest-vectors: Define some additional CCM test vectors
Martin Willi [Thu, 26 Mar 2015 16:44:46 +0000 (17:44 +0100)]
test-vectors: Define some additional CCM test vectors

We don't have any where plain or associated data is not a multiple of the block
size, but it is likely to find bugs here. Also, we miss some ICV12 test vectors
using 128- and 192-bit key sizes.

4 years agocrypto-tester: Use the plugin feature key size to benchmark crypters/aeads
Martin Willi [Thu, 26 Mar 2015 10:50:28 +0000 (11:50 +0100)]
crypto-tester: Use the plugin feature key size to benchmark crypters/aeads

We previously didn't pass the key size during algorithm registration, but this
resulted in benchmarking with the "default" key size the crypter uses when
passing 0 as key size.

4 years agocrypt-burn: Support burning signers
Martin Willi [Fri, 27 Mar 2015 13:02:08 +0000 (14:02 +0100)]
crypt-burn: Support burning signers

4 years agocrypt-burn: Add a encryption buffer command line argument
Martin Willi [Fri, 27 Mar 2015 09:25:01 +0000 (10:25 +0100)]
crypt-burn: Add a encryption buffer command line argument

4 years agocrypt-burn: Set a defined key, as some backends require that
Martin Willi [Fri, 27 Mar 2015 09:21:43 +0000 (10:21 +0100)]
crypt-burn: Set a defined key, as some backends require that

4 years agocrypt-burn: Refactor to separate burn methods
Martin Willi [Fri, 27 Mar 2015 09:21:20 +0000 (10:21 +0100)]
crypt-burn: Refactor to separate burn methods

4 years agocrypt-burn: Accept a PLUGINS env var to configure plugins to load
Martin Willi [Fri, 27 Mar 2015 09:00:49 +0000 (10:00 +0100)]
crypt-burn: Accept a PLUGINS env var to configure plugins to load

4 years agovici: Relicense libvici.h under MIT
Martin Willi [Tue, 14 Apr 2015 15:42:53 +0000 (17:42 +0200)]
vici: Relicense libvici.h under MIT

libvici currently relies on libstrongswan, and therefore is bound to the GPLv2.
But to allow alternatively licensed reimplementations without copyleft based
on the same interface, we liberate the header.

4 years agoutils: Define MAX_(U)INT_TYPE to the maximum size integer type available
Martin Willi [Thu, 19 Mar 2015 15:29:06 +0000 (16:29 +0100)]
utils: Define MAX_(U)INT_TYPE to the maximum size integer type available

4 years agoutils: Typedef int128_t and u_int128_t types if supported
Martin Willi [Thu, 19 Mar 2015 14:59:31 +0000 (15:59 +0100)]
utils: Typedef int128_t and u_int128_t types if supported

4 years agoconfigure: Check for __int128 type support
Martin Willi [Thu, 19 Mar 2015 14:58:59 +0000 (15:58 +0100)]
configure: Check for __int128 type support

4 years agoMerge branch 'const-memeq'
Martin Willi [Tue, 14 Apr 2015 09:57:17 +0000 (11:57 +0200)]
Merge branch 'const-memeq'

Introduce constant time memory comparing functions for cryptographic purposes,
and a tool to test such functions or crypto transforms relying on them.

4 years agoutils: Use chunk_equals_const() for all cryptographic purposes
Martin Willi [Sat, 11 Apr 2015 13:56:42 +0000 (15:56 +0200)]
utils: Use chunk_equals_const() for all cryptographic purposes

4 years agoutils: Add a constant time chunk_equals() variant for cryptographic purposes
Martin Willi [Sat, 11 Apr 2015 13:55:26 +0000 (15:55 +0200)]
utils: Add a constant time chunk_equals() variant for cryptographic purposes

4 years agoutils: Use memeq_const() for all cryptographic purposes
Martin Willi [Sat, 11 Apr 2015 13:25:21 +0000 (15:25 +0200)]
utils: Use memeq_const() for all cryptographic purposes

4 years agoutils: Add a constant time memeq() variant for cryptographic purposes
Martin Willi [Sat, 11 Apr 2015 14:44:18 +0000 (16:44 +0200)]
utils: Add a constant time memeq() variant for cryptographic purposes

4 years agoscripts: Add a tool that tries to guess MAC/ICV values using validation times
Martin Willi [Sat, 11 Apr 2015 12:59:22 +0000 (14:59 +0200)]
scripts: Add a tool that tries to guess MAC/ICV values using validation times

This tool shows that it is trivial to re-construct the value memcmp() compares
against by just measuring the time the non-time-constant memcmp() requires to
fail.

It also shows that even when running without any network latencies it gets
very difficult to reconstruct MAC/ICV values, as the time variances due to the
crypto routines are large enough that it gets difficult to measure the time
that memcmp() actually requires after computing the MAC.

However, the faster/time constant an algorithm is, the more likely is a
successful attack. When using AES-NI, it is possible to reconstruct (parts of)
a valid MAC with this tool, for example with AES-GCM.

While this is all theoretical, and way more difficult to exploit with network
jitter, it nonetheless shows that we should replace any use of memcmp/memeq()
with a constant-time alternative in all sensitive places.

4 years agoMerge branch 'cpu-features'
Martin Willi [Mon, 13 Apr 2015 13:18:47 +0000 (15:18 +0200)]
Merge branch 'cpu-features'

Centralize all uses of CPUID to a cpu_feature class, which in theory can support
optional features of non-x86/x64 as well using architecture specific code.

4 years agosqlite: Use our locking mechanism also when sqlite3_threadsafe() returns 0
Martin Willi [Fri, 10 Apr 2015 11:36:58 +0000 (13:36 +0200)]
sqlite: Use our locking mechanism also when sqlite3_threadsafe() returns 0

We previously checked for older library versions without locking support at
all. But newer libraries can be built in single-threading mode as well, where
we have to care about the locking.

4 years agordrand: Reuse CPU feature detection to check for RDRAND instructions
Martin Willi [Thu, 2 Apr 2015 12:08:25 +0000 (14:08 +0200)]
rdrand: Reuse CPU feature detection to check for RDRAND instructions

4 years agosqlite: Show SQLite library version and thread safety flag during startup
Martin Willi [Fri, 10 Apr 2015 11:36:26 +0000 (13:36 +0200)]
sqlite: Show SQLite library version and thread safety flag during startup

4 years agopadlock: Reuse common CPU feature detection to check for Padlock features
Martin Willi [Thu, 2 Apr 2015 12:05:39 +0000 (14:05 +0200)]
padlock: Reuse common CPU feature detection to check for Padlock features

4 years agocpu-feature: Support Via Padlock security features
Martin Willi [Thu, 2 Apr 2015 12:04:57 +0000 (14:04 +0200)]
cpu-feature: Support Via Padlock security features

4 years agocpu-feature: Add a common class to query available CPU features
Martin Willi [Thu, 2 Apr 2015 12:02:57 +0000 (14:02 +0200)]
cpu-feature: Add a common class to query available CPU features

Currently supported is x86/x64 via cpuid() for some common features.

4 years agovici: Defer read/write error reporting after connection entry has been released
Martin Willi [Thu, 2 Apr 2015 06:50:56 +0000 (08:50 +0200)]
vici: Defer read/write error reporting after connection entry has been released

If a vici client registered for (control-)log events, but a vici read/write
operation fails, this may result in a deadlock. The attempt to write to the
bus results in a vici log message, which in turn tries to acquire the lock
for the entry currently held.

While a recursive lock could help as well for a single thread, there is still
a risk of inter-thread races if there is more than one thread listening for
events and/or having read/write errors.

We instead log to a local buffer, and write to the bus not before the connection
entry has been released. Additionally, we mark the connection entry as unusable
to avoid writing to the failed socket again, potentially triggering an error
loop.

4 years agoaead: Create AEAD using traditional transforms with an explicit IV generator
Martin Willi [Tue, 31 Mar 2015 12:59:12 +0000 (14:59 +0200)]
aead: Create AEAD using traditional transforms with an explicit IV generator

Real AEADs directly provide a suitable IV generator, but traditional crypters
do not. For some (stream) ciphers, we should use sequential IVs, for which
we pass an appropriate generator to the AEAD wrapper.

4 years agoiv-gen: Add a generic constructor to create an IV gen from an algorithm
Martin Willi [Tue, 31 Mar 2015 12:58:17 +0000 (14:58 +0200)]
iv-gen: Add a generic constructor to create an IV gen from an algorithm

4 years agoopenssl: Don't pre-initialize OpenSSL HMAC with an empty key
Martin Willi [Mon, 30 Mar 2015 08:25:41 +0000 (10:25 +0200)]
openssl: Don't pre-initialize OpenSSL HMAC with an empty key

With OpenSSL commit 929b0d70c19f60227f89fac63f22a21f21950823 setting an empty
key fails if no previous key has been set on that HMAC.

In 9138f49e we explicitly added the check we remove now, as HMAC_Update()
might crash if HMAC_Init_ex() has not been called yet. To avoid that, we
set and check a flag locally to let any get_mac() call fail if set_key() has
not yet been called.

4 years agothread: Remove unneeded thread startup synchronization
Martin Willi [Fri, 27 Mar 2015 19:16:58 +0000 (20:16 +0100)]
thread: Remove unneeded thread startup synchronization

sem_init() is deprecated on OS X, and it actually fails with ENOSYS. Using our
wrapped semaphore object is not an option, as it relies on the thread cleanup
that we can't rely on at this stage.

It is unclear why startup synchronization is required, as we can allocate the
thread ID just before creating the pthread. There is a chance that we allocate
a thread ID for a thread that fails to create, but the risk and consequences
are negligible.

4 years agolibsimaka: Link against Winsock2 on Windows
Martin Willi [Mon, 30 Mar 2015 09:24:47 +0000 (11:24 +0200)]
libsimaka: Link against Winsock2 on Windows

The library makes use of htons/ntohs().

4 years agofips-prf: Remove superfluous <arpa/inet.h> include
Martin Willi [Mon, 30 Mar 2015 09:23:06 +0000 (11:23 +0200)]
fips-prf: Remove superfluous <arpa/inet.h> include

As we make no use of htonl() and friends, this is unneeded, but actually
prevents a Windows build.

4 years agokernel-netlink: Fix GCC error about uninitialized variable use
Martin Willi [Wed, 8 Apr 2015 09:13:04 +0000 (11:13 +0200)]
kernel-netlink: Fix GCC error about uninitialized variable use

get_replay_state() always returns a replay_state_len when returning a
replay state, but GCC doesn't know about that.

4 years agoasn1: Undefine TIME_UTC, which is used by C11
Martin Willi [Wed, 8 Apr 2015 06:47:31 +0000 (08:47 +0200)]
asn1: Undefine TIME_UTC, which is used by C11

When building with C11 support, TIME_UTC is used for timespec_get() and
defined in <time.h>. Undefine TIME_UTC for our own internal use in asn1.c.

4 years agoWipe auxiliary key store 5.3.0
Andreas Steffen [Sat, 28 Mar 2015 09:44:23 +0000 (10:44 +0100)]
Wipe auxiliary key store

4 years agocrypto-tester: Explicitly exclude FIPS-PRF from append mode tests
Martin Willi [Sat, 28 Mar 2015 07:38:52 +0000 (08:38 +0100)]
crypto-tester: Explicitly exclude FIPS-PRF from append mode tests

This was implicitly done by the seed length check before 58dda5d6, but we
now require an explicit check to avoid that unsupported use.

4 years agofips-prf: Fail when trying to use append mode on FIPS-PRF
Martin Willi [Sat, 28 Mar 2015 07:36:35 +0000 (08:36 +0100)]
fips-prf: Fail when trying to use append mode on FIPS-PRF

Append mode hardly makes sense for the special stateful FIPS-PRF, which is
different to other PRFs.

4 years agoAdded PB-TNC test options to strongswan.conf man page
Andreas Steffen [Fri, 27 Mar 2015 20:05:00 +0000 (21:05 +0100)]
Added PB-TNC test options to strongswan.conf man page

4 years agoAdded tnc/tnccs-20-fail-init and tnc/tnccs-20-fail-resp scenarios
Andreas Steffen [Fri, 27 Mar 2015 19:56:34 +0000 (20:56 +0100)]
Added tnc/tnccs-20-fail-init and tnc/tnccs-20-fail-resp scenarios

4 years agoVersion bump to 5.3.0
Andreas Steffen [Fri, 27 Mar 2015 19:55:48 +0000 (20:55 +0100)]
Version bump to 5.3.0