strongswan.git
4 years agoandroid: Add field for MTU to data model
Tobias Brunner [Mon, 15 Jun 2015 13:36:46 +0000 (15:36 +0200)]
android: Add field for MTU to data model

4 years agoandroid: Set preferred language for remediation instructions
Tobias Brunner [Fri, 12 Jun 2015 12:14:46 +0000 (14:14 +0200)]
android: Set preferred language for remediation instructions

4 years agoandroid: Encode connection settings as single Java string argument
Tobias Brunner [Wed, 10 Jun 2015 12:59:48 +0000 (14:59 +0200)]
android: Encode connection settings as single Java string argument

This makes adding new configuration settings easier.

4 years agoandroid: Add simple utility class to generate settings_t compatible config snippets
Tobias Brunner [Fri, 5 Jun 2015 14:01:31 +0000 (16:01 +0200)]
android: Add simple utility class to generate settings_t compatible config snippets

4 years agounit-tests: Add unit tests for settings_t.load_string[_section]
Tobias Brunner [Thu, 23 Oct 2014 15:03:52 +0000 (17:03 +0200)]
unit-tests: Add unit tests for settings_t.load_string[_section]

4 years agosettings: Add methods and a constructor to parse settings from strings
Tobias Brunner [Thu, 23 Oct 2014 14:57:47 +0000 (16:57 +0200)]
settings: Add methods and a constructor to parse settings from strings

4 years agosettings: Extend parser so we can parse settings from a string
Tobias Brunner [Thu, 23 Oct 2014 14:57:24 +0000 (16:57 +0200)]
settings: Extend parser so we can parse settings from a string

4 years agostarter: Add support for multi-line strings in ipsec.conf
Tobias Brunner [Mon, 8 Jun 2015 15:49:02 +0000 (17:49 +0200)]
starter: Add support for multi-line strings in ipsec.conf

4 years agosettings: Add support for multi-line strings
Tobias Brunner [Mon, 8 Jun 2015 15:47:51 +0000 (17:47 +0200)]
settings: Add support for multi-line strings

Unterminated strings are now an error.

4 years agostarter: Don't replace rarely used special characters in strings in ipsec.conf
Tobias Brunner [Fri, 5 Jun 2015 13:49:39 +0000 (15:49 +0200)]
starter: Don't replace rarely used special characters in strings in ipsec.conf

4 years agosettings: Don't replace rarely used special characters
Tobias Brunner [Fri, 5 Jun 2015 13:42:58 +0000 (15:42 +0200)]
settings: Don't replace rarely used special characters

4 years agoandroid: Don't pass null as root view to inflate()
Tobias Brunner [Mon, 22 Jun 2015 15:26:10 +0000 (17:26 +0200)]
android: Don't pass null as root view to inflate()

4 years agoandroid: Fix a potential NullPointerException in the IMC state fragment
Tobias Brunner [Mon, 22 Jun 2015 15:22:05 +0000 (17:22 +0200)]
android: Fix a potential NullPointerException in the IMC state fragment

4 years agoandroid: EAP-TNC does not require a client certificate
Tobias Brunner [Fri, 12 Jun 2015 13:13:46 +0000 (15:13 +0200)]
android: EAP-TNC does not require a client certificate

Was incorrectly changed with the refactoring in a64089738d3e ("android:
Change how features of VPN types are stored and checked").

4 years agoandroid: Enable charon.initiator_only option
Tobias Brunner [Thu, 4 Jun 2015 08:35:03 +0000 (10:35 +0200)]
android: Enable charon.initiator_only option

4 years agoandroid: Increase the minSdkVersion to 15 and targetSdkVersion to 22
Tobias Brunner [Wed, 10 Jun 2015 13:13:49 +0000 (15:13 +0200)]
android: Increase the minSdkVersion to 15 and targetSdkVersion to 22

There are no devices anymore that use API level 14 (4.0-4.0.2) and 22 is
the most recent level.

4 years agotesting: Regenerated BLISS certificates due to oracle changes
Andreas Steffen [Mon, 27 Jul 2015 17:51:18 +0000 (19:51 +0200)]
testing: Regenerated BLISS certificates due to oracle changes

4 years agoUse MGF1 with SHA-512 as BLISS random oracle
Andreas Steffen [Mon, 27 Jul 2015 12:50:14 +0000 (14:50 +0200)]
Use MGF1 with SHA-512 as BLISS random oracle

4 years agoGeneralize c_indices generation using SHA-512 random oracle.
Markku-Juhani Olavi Saarinen [Thu, 18 Jun 2015 10:46:16 +0000 (12:46 +0200)]
Generalize c_indices generation using SHA-512 random oracle.

This generalization allows the ring dimension n to be different
from the current n = 512 and allows kappa to be > 56. Also the
hash octets are consumed in a more consistent manner.

4 years agoFixed several bugs in the BLISS signature generation/verification step.
Markku-Juhani Olavi Saarinen [Wed, 17 Jun 2015 10:00:32 +0000 (12:00 +0200)]
Fixed several bugs in the BLISS signature generation/verification step.

The c_indices derived from the SHA-512 random oracle consist of
nine bits (0..511). The leftmost 8 bits of each index are taken
on an octet-by-octet basis from the 56 leftmost octets of the
SHA-512 hash. The 9th bit needed for the LSB is taken from the
extra_bits 64 bit unsigned integer which consists of the 8 rightmost
octets of the SHA-512 hash (in network order). If more than 56
indices must be derived then additional rounds of the random oracle
are executed until all kappa c_indices have been determined.

The bug fix shifts the extra_bits value by one bit in each loop
iteration so that the LSB of each index is random. Also iterate
through the hash array using the loop variable j not the c_indices
variable i.

4 years agoike: Fix memory leak if remote address is kept
Tobias Brunner [Mon, 27 Jul 2015 17:37:41 +0000 (19:37 +0200)]
ike: Fix memory leak if remote address is kept

4 years agoike-rekey: Fix cleanup() call
Tobias Brunner [Mon, 27 Jul 2015 13:20:01 +0000 (15:20 +0200)]
ike-rekey: Fix cleanup() call

4 years agoike-rekey: Reset IKE_SA on bus before sending CREATE_CHILD_SA response
Tobias Brunner [Mon, 15 Jun 2015 09:52:16 +0000 (11:52 +0200)]
ike-rekey: Reset IKE_SA on bus before sending CREATE_CHILD_SA response

Even when there is no error the CREATE_CHILD_SA response should be sent
in the context of the existing IKE_SA.

4 years agoike-rekey: Reset IKE_SA on the bus after destroying new IKE_SA
Tobias Brunner [Mon, 15 Jun 2015 09:46:33 +0000 (11:46 +0200)]
ike-rekey: Reset IKE_SA on the bus after destroying new IKE_SA

The destroy() method sets the IKE_SA on the bus to NULL, we reset it to
the current IKE_SA so any events and log messages that follow happen in
the correct context.

A practical example where this is problematic is a DH group mismatch,
which causes the first CREATE_CHILD_SA exchange to fail.  Because the SA
was not reset previously, the message() hook for the CREATE_CHILD_SA
response, for instance, was triggered outside the context of an IKE_SA,
that is, the ike_sa parameter was NULL, which is definitely not expected
by several plugins.

Fixes #862.

4 years agoMerge branch 'trap-shunt-updates'
Tobias Brunner [Mon, 27 Jul 2015 12:00:23 +0000 (14:00 +0200)]
Merge branch 'trap-shunt-updates'

Changes how acquires are tracked in the trap manager, which fixes
several race conditions.  Also fixes races between threads installing
trap policies and the main thread trying to flush the trap policies.
Similar changes were added to the shunt manager which previously
used no locking at all.

Fixes #1014.

4 years agodaemon: Flush shunts before unloading plugins
Tobias Brunner [Tue, 14 Jul 2015 14:56:33 +0000 (16:56 +0200)]
daemon: Flush shunts before unloading plugins

4 years agoshunt-manager: Add flush() method to properly uninstall shunts
Tobias Brunner [Tue, 14 Jul 2015 14:55:36 +0000 (16:55 +0200)]
shunt-manager: Add flush() method to properly uninstall shunts

This will allow us to uninstall shunts before unloading the
kernel-interface plugins.

4 years agoshunt-manager: Remove stored entries if installation fails
Tobias Brunner [Tue, 14 Jul 2015 14:50:32 +0000 (16:50 +0200)]
shunt-manager: Remove stored entries if installation fails

4 years agoshunt-manager: Add a lock to safely access the list of shunt policies
Tobias Brunner [Tue, 14 Jul 2015 14:35:21 +0000 (16:35 +0200)]
shunt-manager: Add a lock to safely access the list of shunt policies

4 years agotrap-manager: Resolve race conditions between flush() and install()
Tobias Brunner [Mon, 13 Jul 2015 11:20:14 +0000 (13:20 +0200)]
trap-manager: Resolve race conditions between flush() and install()

When flush() is called there might be threads in install() waiting for
trap policies to get installed (without holding the lock).  We have to
wait until they updated the entries with the respective CHILD_SAs before
destroying the list.

We also have to prevent further trap policy installations (and wait until
threads in install() are really finished), otherwise we might end up
destroying CHILD_SA objects after the kernel interface implementations
have already been unloaded (avoiding this is the whole point of calling
flush() before unloading the plugins).

4 years agotrap-manager: Changed how acquires we acted on are tracked
Tobias Brunner [Thu, 9 Jul 2015 10:00:56 +0000 (12:00 +0200)]
trap-manager: Changed how acquires we acted on are tracked

This fixes potential race conditions in case complete() or flush() is
executed before or concurrently with a thread that handles an acquire.
It will also simplify tracking multiple acquires created for the same
trap policy in the future.

Also fixes the behavior in some error situations.

4 years agotrap-manager: Properly check-in IKE_SA if initiating fails
Tobias Brunner [Thu, 9 Jul 2015 12:34:19 +0000 (14:34 +0200)]
trap-manager: Properly check-in IKE_SA if initiating fails

This basically reverts f4e822c1b422 ("trap-manager: don't check-in
nonexisting IKE_SA if acquire fails").  As checkout_by_config() could
return an already existing and established IKE_SA we have to properly
destroy it, for instance, in case other threads are waiting to check
it out.  checkin_and_destroy() should handle the case of a new SA
properly (it produces a log message on level 1, though).

4 years agoike: Fall back to the current remote IP if it resolves to %any
Tobias Brunner [Fri, 10 Jul 2015 08:23:02 +0000 (10:23 +0200)]
ike: Fall back to the current remote IP if it resolves to %any

In some situations it might be valid for a host that configures
right=%any to reestablish or reauthenticate an IKE_SA. Using %any would
immediately abort the initiation causing the new SA to fail (which
might already have the existing CHILD_SAs assigned).

Fixes #1027.

4 years agoMerge branch 'remote-host-family'
Tobias Brunner [Mon, 27 Jul 2015 11:42:49 +0000 (13:42 +0200)]
Merge branch 'remote-host-family'

Considers the address family of locally defined addresses when resolving
the remote host.

Fixes #993.

4 years agoike: Use address family of local address when resolving remote host
Tobias Brunner [Thu, 11 Jun 2015 13:10:29 +0000 (15:10 +0200)]
ike: Use address family of local address when resolving remote host

If static local addresses are configured we should use their address family
as a hint when resolving the remote address.
We don't do this if %any is configured as this might break existing
configurations (%any4 and %any6 are however used as hint).

4 years agoike-cfg: Add unit tests for ike_cfg_get_family() helper
Tobias Brunner [Thu, 11 Jun 2015 14:10:25 +0000 (16:10 +0200)]
ike-cfg: Add unit tests for ike_cfg_get_family() helper

4 years agoike-cfg: Add helper function to determine address family of IP addresses
Tobias Brunner [Thu, 11 Jun 2015 13:42:54 +0000 (15:42 +0200)]
ike-cfg: Add helper function to determine address family of IP addresses

All configured static addresses (hostnames, ranges or subnets are not
considered) must be of the same family, otherwise AF_UNSPEC is returned.

4 years agohost: Properly handle NULL in host_create_from_string[_and_family]
Tobias Brunner [Thu, 11 Jun 2015 13:07:07 +0000 (15:07 +0200)]
host: Properly handle NULL in host_create_from_string[_and_family]

4 years agoImproved legibility of swanctl CRL listings 5.3.3dr1
Andreas Steffen [Wed, 22 Jul 2015 15:46:15 +0000 (17:46 +0200)]
Improved legibility of swanctl CRL listings

4 years agotesting: Updated loop ca certificates
Andreas Steffen [Wed, 22 Jul 2015 15:11:00 +0000 (17:11 +0200)]
testing: Updated loop ca certificates

4 years agotesting: Added swanctl --list-authorities output to do-tests
Andreas Steffen [Tue, 21 Jul 2015 21:26:44 +0000 (23:26 +0200)]
testing: Added swanctl --list-authorities output to do-tests

4 years agotesting: Updated all swanctl scenarios and added some new ones
Andreas Steffen [Tue, 21 Jul 2015 21:23:10 +0000 (23:23 +0200)]
testing: Updated all swanctl scenarios and added some new ones

4 years agotests: Introduced IPV6 flag in tests.conf
Andreas Steffen [Mon, 29 Jun 2015 11:13:35 +0000 (13:13 +0200)]
tests: Introduced IPV6 flag in tests.conf

4 years agotests: Introduced SWANCTL flag in test.conf
Andreas Steffen [Mon, 29 Jun 2015 10:43:20 +0000 (12:43 +0200)]
tests: Introduced SWANCTL flag in test.conf

4 years agotests: fixed evaltest of swanctl/rw-cert scenario
Andreas Steffen [Mon, 29 Jun 2015 10:42:35 +0000 (12:42 +0200)]
tests: fixed evaltest of swanctl/rw-cert scenario

4 years agotests: fixed description of swanctl ip-pool scenarios
Andreas Steffen [Mon, 29 Jun 2015 10:41:37 +0000 (12:41 +0200)]
tests: fixed description of swanctl ip-pool scenarios

4 years agoVersion bump to 5.3.3dr1
Andreas Steffen [Tue, 21 Jul 2015 21:15:36 +0000 (23:15 +0200)]
Version bump to 5.3.3dr1

4 years agovici: Certification Authority support added.
Andreas Steffen [Tue, 14 Jul 2015 12:41:27 +0000 (14:41 +0200)]
vici: Certification Authority support added.

CDP and OCSP URIs for a one or multiple certification authorities
can be added via the VICI interface. swanctl allows to read
definitions from a new authorities section.

4 years agovici: Compute rekey_bytes and rekey_packets if life_bytes and life_packets are defined
Andreas Steffen [Mon, 13 Jul 2015 16:54:54 +0000 (18:54 +0200)]
vici: Compute rekey_bytes and rekey_packets if life_bytes and life_packets are defined

4 years agotesting: Do not attempt to start the test environment if hosts are still running
Tobias Brunner [Wed, 15 Jul 2015 14:52:52 +0000 (16:52 +0200)]
testing: Do not attempt to start the test environment if hosts are still running

4 years agoike-sa-manager: Safely access the RNG instance with an rwlock
Tobias Brunner [Wed, 8 Jul 2015 13:28:46 +0000 (15:28 +0200)]
ike-sa-manager: Safely access the RNG instance with an rwlock

Threads might still be allocating SPIs (e.g. triggered by an acquire or
an inbound message) while the main thread calls flush().  If there is a
context switch right after such a thread successfully checked this->rng
in get_spi() and the main thread destroys the RNG instance right then,
that worker thread will cause a segmentation fault when it continues and
attempts to call get_bytes().

Fixes #1014.

4 years agovici: Asynchronize debug logging
Martin Willi [Thu, 2 Jul 2015 07:10:21 +0000 (09:10 +0200)]
vici: Asynchronize debug logging

The vici logger uses the listener_t.log() callback to raise vici events.

When doing so, it holds the bus lock as reader while acquiring the vici socket
mutex (1). If at the same time the vici socket enables a writer, that thread
tries to lock the watcher mutex (2). The watcher thread uses debugging while
holding the lock, i.e. acquires the bus read lock (3).

(1) bus.rlock -> vici.lock!
(2) vici.lock -> watcher.lock!
(3) watcher.lock -> bus.rlock!

This all actually would resolve just fine, as we have a shared read lock on the
bus. However, under Windows we seem to have a strict writer preference when
acquiring the rwlock (4). This results in blocking read locks until any pending
write lock can be fulfilled, and makes the constellation deadlock. The relevant
threads are:

Thread (1)
6  0x71313d25 in wait_ at threading/windows/mutex.c:137
7  0x7054c8a2 in find_entry at vici_socket.c:201
8  0x7054d690 in send_ at vici_socket.c:624
9  0x7054f6c1 in send_op at vici_dispatcher.c:119
10 0x705502c1 in raise_event at vici_dispatcher.c:469
12 0x704c3878 in log_cb at bus/bus.c:332
13 0x712c7c3a in invoke_function at collections/linked_list.c:414
14 0x704c3a63 in vlog at bus/bus.c:400
15 0x704c3b36 in log_ at bus/bus.c:430
18 0x70508f1f in process_response at sa/ikev2/task_manager_v2.c:664
20 0x704f5430 in process_message at sa/ike_sa.c:1369
21 0x704e3823 in execute at processing/jobs/process_message_job.c:74
22 0x712e629f in process_job at processing/processor.c:235

Thread (2)
4  0x71313b61 in lock at threading/windows/mutex.c:66
5  0x712e81fd in add at processing/watcher.c:441
6  0x712e1ab9 in add_watcher at networking/streams/stream.c:213
7  0x712e1b4d in on_write at networking/streams/stream.c:237
8  0x7054d606 in _cb_enable_writer at vici_socket.c:609
9  0x712e5e34 in execute at processing/jobs/callback_job.c:77
10 0x712e629f in process_job at processing/processor.c:235

Thread (3)
3  0x71313f38 in read_lock at threading/windows/rwlock.c:74
4  0x704c3971 in vlog at bus/bus.c:373
5  0x704cc156 in dbg_bus at daemon.c:126
6  0x712e7bf9 in watch at processing/watcher.c:316
7  0x712e5e34 in execute at processing/jobs/callback_job.c:77
8  0x712e629f in process_job at processing/processor.c:235

Thread (4)
3  0x71313f70 in write_lock at threading/windows/rwlock.c:82
4  0x704c378b in remove_logger at bus/bus.c:290
5  0x704cb284 in listener_unregister at control/controller.c:166
6  0x713136cd in thread_cleanup_pop at threading/windows/thread.c:558
8  0x704cb94e in initiate at control/controller.c:435
9  0x70553996 in _cb_initiate at vici_control.c:187
12 0x7054d200 in _cb_process_queue at vici_socket.c:508
13 0x712e5e34 in execute at processing/jobs/callback_job.c:77
14 0x712e629f in process_job at processing/processor.c:235

To avoid such a situation, we dissolve the (1) lock sequence. It's actually
never good practice to acquire shared locks during bus hooks, as it is
problematic if we raise bus events while holding the lock. We do so by
raising vici events for log message asynchronously, but of curse must keep
log order as is using a synchronized queue.

4 years agoMerge branch 'chapoly'
Martin Willi [Sun, 12 Jul 2015 11:55:08 +0000 (13:55 +0200)]
Merge branch 'chapoly'

Add ChaCha20/Poly1305 AEAD support in IKEv2 and libipsec ESP through the
chapoly plugin, and in kernel ESP SAs starting with Linux 4.2.

4 years agoNEWS: Add ChaCha20/Poly1305 news
Martin Willi [Sun, 12 Jul 2015 11:42:11 +0000 (13:42 +0200)]
NEWS: Add ChaCha20/Poly1305 news

4 years agotesting: Enable AESNI/PCLMULQD in moon/sun guests, if supported
Martin Willi [Mon, 1 Jun 2015 08:01:56 +0000 (10:01 +0200)]
testing: Enable AESNI/PCLMULQD in moon/sun guests, if supported

4 years agotesting: Do not overwrite kernel configuration if it already exists
Martin Willi [Fri, 29 May 2015 20:29:59 +0000 (22:29 +0200)]
testing: Do not overwrite kernel configuration if it already exists

This allows us to do changes to the kernel configuration using menuconfig
and friends, and update the kernel with make-testing.

4 years agotesting: Extract and patch each kernel version only once
Martin Willi [Fri, 29 May 2015 20:28:05 +0000 (22:28 +0200)]
testing: Extract and patch each kernel version only once

This allows us to do modifications to the kernel tree and rebuild that kernel
using make-testing. We can even have a git kernel tree in a directory to
do kernel development.

4 years agotesting: Build with --enable-chapoly
Martin Willi [Fri, 29 May 2015 20:42:04 +0000 (22:42 +0200)]
testing: Build with --enable-chapoly

4 years agolibipsec: Add a unit-test for ESP encryption using ChaCha20Poly1305
Martin Willi [Mon, 27 Apr 2015 13:40:08 +0000 (15:40 +0200)]
libipsec: Add a unit-test for ESP encryption using ChaCha20Poly1305

4 years agolibipsec: Add a unit-test test runner
Martin Willi [Mon, 27 Apr 2015 12:13:58 +0000 (14:13 +0200)]
libipsec: Add a unit-test test runner

4 years agounit-tests: Add a IKEv2 message encryption test case
Martin Willi [Mon, 27 Apr 2015 11:11:02 +0000 (13:11 +0200)]
unit-tests: Add a IKEv2 message encryption test case

It uses the ChaCha20Poly1305 test vectors from
draft-ietf-ipsecme-chacha20-poly1305-06.

4 years agounit-tests: Increase failure message buffer to hold larger hex dumps
Martin Willi [Tue, 14 Apr 2015 08:21:06 +0000 (10:21 +0200)]
unit-tests: Increase failure message buffer to hold larger hex dumps

4 years agounit-tests: Forward variable argument list in TEST_SUITE_DEPEND
Martin Willi [Mon, 27 Apr 2015 11:09:25 +0000 (13:09 +0200)]
unit-tests: Forward variable argument list in TEST_SUITE_DEPEND

For some plugin features, such as crypters or AEADs, we have some additional
feature arguments, such as the key size.

4 years agounit-tests: Load libstrongswan plugins in libcharon tests
Martin Willi [Mon, 27 Apr 2015 11:06:39 +0000 (13:06 +0200)]
unit-tests: Load libstrongswan plugins in libcharon tests

4 years agochapoly: Process two Poly1305 blocks in parallel in SSSE3 driver
Martin Willi [Tue, 7 Apr 2015 09:28:51 +0000 (11:28 +0200)]
chapoly: Process two Poly1305 blocks in parallel in SSSE3 driver

By using a derived key r^2 we can improve performance, as we can do loop
unrolling and slightly better utilize SIMD instructions.

Overall ChaCha20-Poly1305 performance increases by ~12%.

Converting integers to/from our 5-word representation in SSE does not seem
to pay off, so we work on individual words.

4 years agochapoly: Process four ChaCha20 blocks in parallel in SSSE3 driver
Martin Willi [Sun, 5 Apr 2015 19:50:03 +0000 (21:50 +0200)]
chapoly: Process four ChaCha20 blocks in parallel in SSSE3 driver

As we don't have to shuffle the state in each ChaCha round, overall performance
for ChaCha20-Poly1305 increases by ~40%.

4 years agochapoly: Add an SSSE3 based driver
Martin Willi [Thu, 2 Apr 2015 13:11:02 +0000 (15:11 +0200)]
chapoly: Add an SSSE3 based driver

We always build the driver on x86/x64, but enable it only if SSSE3 support
is detected during runtime.

Poly1305 uses parallel 32-bit multiplication operands yielding a 64-bit result,
for which two can be done in parallel in SSE. This is minimally faster than
multiplication with 64-bit operands, and also works on 32-bit builds not having
a __int128 result type.

On a 32-bit architecture, this is more than twice as fast as the portable
driver, and on 64-bit it is ~30% faster.

4 years agoconfigure: Check if building against a x86/x64 architecture
Martin Willi [Thu, 2 Apr 2015 13:08:34 +0000 (15:08 +0200)]
configure: Check if building against a x86/x64 architecture

This allows us to include compiler flags specific for them, such as MMX/SSE.

4 years agochapoly: Add a ChaCha20/Poly1305 driver implemented in portable C
Martin Willi [Thu, 2 Apr 2015 10:26:34 +0000 (12:26 +0200)]
chapoly: Add a ChaCha20/Poly1305 driver implemented in portable C

4 years agochapoly: Provide a generic ChaCha20/Poly1305 AEAD supporting driver backends
Martin Willi [Wed, 1 Apr 2015 17:17:25 +0000 (19:17 +0200)]
chapoly: Provide a generic ChaCha20/Poly1305 AEAD supporting driver backends

4 years agotest-vectors: Add some initial ChaCha20/Poly1305 AEAD test vector
Martin Willi [Wed, 1 Apr 2015 17:16:33 +0000 (19:16 +0200)]
test-vectors: Add some initial ChaCha20/Poly1305 AEAD test vector

4 years agokernel-netlink: Add ChaCha20-Poly1305 AEAD support
Martin Willi [Fri, 29 May 2015 20:26:34 +0000 (22:26 +0200)]
kernel-netlink: Add ChaCha20-Poly1305 AEAD support

4 years agolibipsec: Create AEAD with four byte salt for ChaCha20-Poly1305
Martin Willi [Tue, 7 Apr 2015 12:56:51 +0000 (14:56 +0200)]
libipsec: Create AEAD with four byte salt for ChaCha20-Poly1305

4 years agoikev2: Derive additional 4 byte CHILD_SA nonce keymat for ChaCha20-Poly1305
Martin Willi [Fri, 29 May 2015 21:21:39 +0000 (23:21 +0200)]
ikev2: Derive additional 4 byte CHILD_SA nonce keymat for ChaCha20-Poly1305

4 years agoikev2: Use four byte salt for ChaCha20-Poly1305 AEAD
Martin Willi [Sun, 5 Apr 2015 12:29:29 +0000 (14:29 +0200)]
ikev2: Use four byte salt for ChaCha20-Poly1305 AEAD

4 years agoproposal: Add a chacha20poly1305 proposal keyword
Martin Willi [Wed, 1 Apr 2015 17:15:30 +0000 (19:15 +0200)]
proposal: Add a chacha20poly1305 proposal keyword

4 years agocrypter: Define a ChaCha20/Poly1305 AEAD algorithm identifier
Martin Willi [Wed, 1 Apr 2015 17:14:47 +0000 (19:14 +0200)]
crypter: Define a ChaCha20/Poly1305 AEAD algorithm identifier

4 years agocapabilities: Handle ERANGE in user and group lookups
Tobias Brunner [Tue, 23 Jun 2015 07:46:18 +0000 (09:46 +0200)]
capabilities: Handle ERANGE in user and group lookups

As it turns out, getpwnam_r, getgrnam_r, and friends will return
ERANGE if _any_ user or group on the system is larger than will fit
into the scratch buffer you pass to them.

This reworks the resolve_uid and resolve_gid methods plus
init_supplementary_groups to use a variable-size buffer that is grown
until the results fit.

Based on a patch by Evan Broder.

Closes strongswan/strongswan#12.

4 years agoosx: Version bump to 5.3.2-1
Martin Willi [Tue, 24 Mar 2015 13:20:15 +0000 (14:20 +0100)]
osx: Version bump to 5.3.2-1

4 years agoosx: Use CodeSignOnCopy for privileged helper, as suggested by XCode
Martin Willi [Tue, 24 Mar 2015 13:15:36 +0000 (14:15 +0100)]
osx: Use CodeSignOnCopy for privileged helper, as suggested by XCode

4 years agocharon-xpc: Use DNS non-append/replace mode in osx-attr plugin
Martin Willi [Tue, 24 Mar 2015 13:14:59 +0000 (14:14 +0100)]
charon-xpc: Use DNS non-append/replace mode in osx-attr plugin

4 years agoosx-attr: Optionally replace existing DNS server instead of appending them
Martin Willi [Tue, 24 Mar 2015 13:14:20 +0000 (14:14 +0100)]
osx-attr: Optionally replace existing DNS server instead of appending them

4 years agoRemove accidentally added stamp-h1
Tobias Brunner [Mon, 15 Jun 2015 12:12:14 +0000 (14:12 +0200)]
Remove accidentally added stamp-h1

Was added in bc4748832395 ("Add a return value to prf_t.get_bytes()").

4 years agosettings: Fix out-of-tree build
Tobias Brunner [Thu, 11 Jun 2015 10:32:33 +0000 (12:32 +0200)]
settings: Fix out-of-tree build

The header file was created in the source directory before, where it
wasn't found by the generated C files in the build directory.

4 years agostroke: Add missing include for UINT16_MAX
Tobias Brunner [Tue, 9 Jun 2015 08:24:25 +0000 (10:24 +0200)]
stroke: Add missing include for UINT16_MAX

Fixes the build on FreeBSD.

Fixes #988.

4 years agoVersion bump to 5.3.2 5.3.2
Andreas Steffen [Mon, 8 Jun 2015 07:56:34 +0000 (09:56 +0200)]
Version bump to 5.3.2

4 years agoNEWS: Add info about CVE-2015-4171
Tobias Brunner [Wed, 3 Jun 2015 10:33:58 +0000 (12:33 +0200)]
NEWS: Add info about CVE-2015-4171

4 years agoikev2: Enforce remote authentication config before proceeding with own authentication
Martin Willi [Wed, 3 Jun 2015 08:52:34 +0000 (10:52 +0200)]
ikev2: Enforce remote authentication config before proceeding with own authentication

Previously the constraints in the authentication configuration of an
initiator were enforced only after all authentication rounds were
complete.  This posed a problem if an initiator used EAP or PSK
authentication while the responder was authenticated with a certificate
and if a rogue server was able to authenticate itself with a valid
certificate issued by any CA the initiator trusted.

Because any constraints for the responder's identity (rightid) or other
aspects of the authentication (e.g. rightca) the initiator had were not
enforced until the initiator itself finished its authentication such a rogue
responder was able to acquire usernames and password hashes from the client.
And if a client supported EAP-GTC it was even possible to trick it into
sending plaintext passwords.

This patch enforces the configured constraints right after the responder's
authentication successfully finished for each round and before the initiator
starts with its own authentication.

Fixes CVE-2015-4171.

4 years agochild-sa: Use any fixed reqid configured on the CHILD_SA config
Martin Willi [Mon, 1 Jun 2015 08:10:19 +0000 (10:10 +0200)]
child-sa: Use any fixed reqid configured on the CHILD_SA config

Global reqid allocation (94eb09ac) broke fixed reqid allocation. Resupport them
by bypassing allocation in the kernel if a fixed reqid has been configured.

Fixes #976.

4 years agounit-tests: Add tests for iv_gen_seq_t
Tobias Brunner [Wed, 3 Jun 2015 10:29:02 +0000 (12:29 +0200)]
unit-tests: Add tests for iv_gen_seq_t

4 years agoivgen: Allow reusing the same message ID twice in sequential IV gen
Martin Willi [Tue, 2 Jun 2015 12:08:42 +0000 (14:08 +0200)]
ivgen: Allow reusing the same message ID twice in sequential IV gen

We use the message ID and fragment number as IV generator. As IKEv2 uses
distinct message ID counters for actively and passively initiated exchanges,
each IV would be used twice. As we explicitly reject such message IDs since
d0ed1079, original-responder initiated exchanges fail with counter mode ciphers.

This commit separates IV space in two halves for sequential IVs, and
automatically assigns once reused sequence numbers to the second half.

Fixes #980.

4 years agoFix timeattack script compilation under ARM
Andreas Steffen [Fri, 5 Jun 2015 10:09:38 +0000 (12:09 +0200)]
Fix timeattack script compilation under ARM

4 years agoUpdated SWID attribute list
Andreas Steffen [Tue, 2 Jun 2015 04:51:41 +0000 (06:51 +0200)]
Updated SWID attribute list

4 years agoVersion bump to 5.3.1 5.3.1
Andreas Steffen [Mon, 1 Jun 2015 07:50:48 +0000 (09:50 +0200)]
Version bump to 5.3.1

4 years agoNEWS: Add info about CVE-2015-3991
Tobias Brunner [Thu, 21 May 2015 15:17:51 +0000 (17:17 +0200)]
NEWS: Add info about CVE-2015-3991

4 years agomessage: Log message if unknown/disallowed payload received
Tobias Brunner [Fri, 15 May 2015 10:19:27 +0000 (12:19 +0200)]
message: Log message if unknown/disallowed payload received

4 years agomessage: Log original message type of unknown payloads
Tobias Brunner [Fri, 15 May 2015 09:35:40 +0000 (11:35 +0200)]
message: Log original message type of unknown payloads

4 years agounknown-payload: Use a new private payload type and make original type available
Tobias Brunner [Fri, 15 May 2015 09:15:57 +0000 (11:15 +0200)]
unknown-payload: Use a new private payload type and make original type available

This fixes a DoS and potential remote code execution vulnerability that was
caused because the original payload type that was returned previously was
used to cast such payload objects to payloads of the indicated type (e.g.
when logging notify payloads with a payload type for the wrong IKE version).

Fixes CVE-2015-3991.

4 years agoikev2: Include fragment number into message ID passed to IV gen
Martin Willi [Fri, 17 Apr 2015 12:19:37 +0000 (14:19 +0200)]
ikev2: Include fragment number into message ID passed to IV gen

When using a cipher with sequential IVs, we never must pass an identical IV
to the IV generator. To avoid it when using IKEv2 fragmentation, use the lower
bits of the 64-bit message ID as the fragment number.

4 years agoiv-gen: Fail getting shorter IV values than the used counter size
Martin Willi [Fri, 17 Apr 2015 14:16:45 +0000 (16:16 +0200)]
iv-gen: Fail getting shorter IV values than the used counter size

While no algorithm actually uses such short IVs, we add a check here to ensure
we won't return just the lower bits of the counter.