5 months agoSECURITY: Fix link to PGP key
Tobias Brunner [Tue, 25 Jan 2022 09:54:10 +0000 (10:54 +0100)]
SECURITY: Fix link to PGP key

5 months agosys-logger: Optionally support mapping strongSwan loglevels to syslog levels
Martin Willi [Thu, 20 Jan 2022 13:48:48 +0000 (14:48 +0100)]
sys-logger: Optionally support mapping strongSwan loglevels to syslog levels

strongSwan logs all syslog messages using LOG_INFO for historical reasons,
regardless of the strongSwan loglevel used producing the log message.

In some setups with advanced logging infrastructure, it may be feasible
to be more verbose when logging in strongSwan, but then filter messages
on the syslog server. While this may be possible by custom syslog filtering
rules matching the log level included with the log_level setting, this is
not super convenient.

So add a new map_level setting, which can map strongSwan loglevels to
syslog loglevels. By default this is disabled, keeping the existing
behavior. If enabled, it maps strongSwan loglevels to syslog loglevels
at a given syslog loglevel offset.

Closes strongswan/strongswan#859

5 months agoaddrblock: Allow limiting validation depth of issuer addrblock extensions
Martin Willi [Wed, 12 Jan 2022 10:00:20 +0000 (11:00 +0100)]
addrblock: Allow limiting validation depth of issuer addrblock extensions

RFC3779 requires to validate the addrblocks of issuer certificates strictly,
that is, they must contain the extension and the claimed addrblock, up to
the root CA.

When working with third party root CAs that do not have the extension,
this makes using the plugin impossible. So add a depth setting that limits
the number of issuer certificates to check bottom-up towards the root CA.
A depth value of 0 disables any issuer check, the default value of -1
checks all issuers in the chain, keeping the existing behavior.

Closes strongswan/strongswan#860

5 months agoUse Botan 2.19.1 for tests
Tobias Brunner [Thu, 20 Jan 2022 09:04:30 +0000 (10:04 +0100)]
Use Botan 2.19.1 for tests

5 months agoVersion bump to 5.9.5 5.9.5
Andreas Steffen [Mon, 24 Jan 2022 11:01:10 +0000 (12:01 +0100)]
Version bump to 5.9.5

5 months agoNEWS: Add info about CVE-2021-45079
Tobias Brunner [Thu, 20 Jan 2022 16:24:02 +0000 (17:24 +0100)]
NEWS: Add info about CVE-2021-45079

5 months agoeap-authenticator: Enforce failure if MSK generation fails
Tobias Brunner [Tue, 14 Dec 2021 09:51:35 +0000 (10:51 +0100)]
eap-authenticator: Enforce failure if MSK generation fails

Without this, the authentication succeeded if the server sent an early
EAP-Success message for mutual, key-generating EAP methods like EAP-TLS,
which may be used in EAP-only scenarios but would complete without server
or client authentication.  For clients configured for such EAP-only
scenarios, a rogue server could capture traffic after the tunnel is
established or even access hosts behind the client.  For non-mutual EAP
methods, public key server authentication has been enforced for a while.

A server previously could also crash a client by sending an EAP-Success
immediately without initiating an actual EAP method.

Fixes: 0706c39cda52 ("added support for EAP methods not establishing an MSK")
Fixes: CVE-2021-45079

5 months agoNEWS: Add news for 5.9.5
Tobias Brunner [Thu, 20 Jan 2022 16:22:37 +0000 (17:22 +0100)]
NEWS: Add news for 5.9.5

5 months agoFixed some typos, courtesy of codespell
Tobias Brunner [Thu, 20 Jan 2022 09:44:42 +0000 (10:44 +0100)]
Fixed some typos, courtesy of codespell

5 months agoagent: Log socket path if connecting to it failed
Tobias Brunner [Tue, 14 Dec 2021 09:58:28 +0000 (10:58 +0100)]
agent: Log socket path if connecting to it failed

5 months agoVersion bump to 5.9.5rc1 5.9.5rc1
Andreas Steffen [Sun, 16 Jan 2022 06:48:06 +0000 (07:48 +0100)]
Version bump to 5.9.5rc1

5 months agomessage: Add getter/setter for metadata handling
Tobias Brunner [Thu, 2 Dec 2021 15:12:31 +0000 (16:12 +0100)]
message: Add getter/setter for metadata handling

5 months agopacket: Add helper function to create a clone without data
Tobias Brunner [Thu, 2 Dec 2021 15:10:46 +0000 (16:10 +0100)]
packet: Add helper function to create a clone without data

5 months agopacket: Add getter/setter for metadata handling
Tobias Brunner [Thu, 2 Dec 2021 14:34:18 +0000 (15:34 +0100)]
packet: Add getter/setter for metadata handling

5 months agometadata-set: Add implementation for a collection of metadata objects
Tobias Brunner [Thu, 2 Dec 2021 10:25:34 +0000 (11:25 +0100)]
metadata-set: Add implementation for a collection of metadata objects

5 months agometadata: Add metadata factory and implementation for integer types
Tobias Brunner [Wed, 1 Dec 2021 16:13:35 +0000 (17:13 +0100)]
metadata: Add metadata factory and implementation for integer types

Co-authored-by: Thomas Egerer <>
5 months agotesting: Modified ikev2/net2net-rfc3779 scenario
Andreas Steffen [Mon, 10 Jan 2022 20:14:05 +0000 (21:14 +0100)]
testing: Modified ikev2/net2net-rfc3779 scenario

5 months agoUse wolfSSL 5.1.1 for tests
Tobias Brunner [Tue, 4 Jan 2022 14:44:29 +0000 (15:44 +0100)]
Use wolfSSL 5.1.1 for tests

Add --tags when fetching commits so we get tags that are not in any
branches, which is currently the case with this tag.

5 months agoconf: Fix typo for ha plugin's buffer size option
Noel Kuntze [Thu, 30 Dec 2021 09:30:55 +0000 (10:30 +0100)]
conf: Fix typo for ha plugin's buffer size option

Fixes: ce048c30ff87 ("ha: Double receive buffer size for HA messages and make it configurable")
Closes strongswan/strongswan#832

5 months agoVersion bump to 5.9.5dr4 5.9.5dr4
Andreas Steffen [Fri, 31 Dec 2021 13:46:31 +0000 (14:46 +0100)]
Version bump to 5.9.5dr4

5 months agosw-collector: Iterate through history logs
Andreas Steffen [Sun, 17 Oct 2021 13:53:42 +0000 (15:53 +0200)]
sw-collector: Iterate through history logs

The logrotate function causes the apt history to be split into
several parts at arbitrary points in time. If history.log only
is parsed then some package installation changes stored in
zipped backup history files might get lost.

Thus sw-collector now searches all backup history files until
a date older than the current event stored in the collector.db
database is found, so that no entries get overlooked.

6 months agolibtpmtss: Some minor improvements
Andreas Steffen [Fri, 17 Dec 2021 12:20:56 +0000 (13:20 +0100)]
libtpmtss: Some minor improvements

6 months agoVersion bump to 5.9.5dr3 5.9.5dr3
Andreas Steffen [Sat, 11 Dec 2021 15:39:34 +0000 (16:39 +0100)]
Version bump to 5.9.5dr3

6 months agolibtpmtss: Establish session with TPM 2.0
Andreas Steffen [Mon, 8 Nov 2021 08:02:40 +0000 (09:02 +0100)]
libtpmtss: Establish session with TPM 2.0

Using the trusted RSA or ECC Endorsement Key of the TPM 2.0 a
secure session is established via RSA public key encryption or
an ephemeral ECDH key exchange, respectively.

The session allows HMAC-based authenticated communication with
the TPM 2.0 and the exchanged parameters can be encrypted where
necessary to guarantee confidentiality.

6 months agoMerge branch 'openssl-providers'
Tobias Brunner [Wed, 8 Dec 2021 10:34:46 +0000 (11:34 +0100)]
Merge branch 'openssl-providers'

Optionally load the legacy provider in OpenSSL 3 (enabled, by default) to
make algorithms like MD4 and DES available, which we require for
EAP-MSCHAPv2.  Allow explicitly loading the fips provider via existing
fips_mode option.  The loaded providers, whether influenced by the above
options or not, are logged.

Closes strongswan/strongswan#759

6 months agoopenssl: Log loaded providers
Tobias Brunner [Mon, 22 Nov 2021 09:38:29 +0000 (10:38 +0100)]
openssl: Log loaded providers

6 months agoopenssl: Make fips_mode option work with OpenSSL 3
Tobias Brunner [Mon, 22 Nov 2021 09:34:08 +0000 (10:34 +0100)]
openssl: Make fips_mode option work with OpenSSL 3

6 months agoopenssl: Load "legacy" provider in OpenSSL 3 for algorithms like MD4, DES etc.
Tobias Brunner [Thu, 30 Sep 2021 07:41:57 +0000 (09:41 +0200)]
openssl: Load "legacy" provider in OpenSSL 3 for algorithms like MD4, DES etc.

We still require these algorithms for e.g. EAP-MSCHAPv2, so the option is
enabled, by default.  To use other providers (e.g. fips or even custom
ones), the option can be disabled and the providers to load/activate can
be configured in openssl.cnf.  For instance, the following has the same
effect as enabling the option:

    openssl_conf = openssl_init

    providers = providers

    default = activate
    legacy = activate

    activate = yes

6 months agoMerge branch 'libtls-tests'
Tobias Brunner [Wed, 8 Dec 2021 10:33:32 +0000 (11:33 +0100)]
Merge branch 'libtls-tests'

Improves handling failures during unit tests of libtls and includes a
change for the openssl plugin so it only announces ECDH groups for which
the library provides the required ECC curve.

Closes strongswan/strongswan#752

6 months agoopenssl: Only announce ECDH groups actually supported by OpenSSL
Tobias Brunner [Tue, 16 Nov 2021 13:34:03 +0000 (14:34 +0100)]
openssl: Only announce ECDH groups actually supported by OpenSSL

Determined by whether the library provides curves for it or not.
For instance, in the OpenSSL 3 FIPS provider the Brainpool curves are
not included.  And in the Fedora package several weak curves are
explicitly patched out and the Brainpool curves are omitted even in
non-FIPS mode.

6 months agoopenssl: Add helper to map ECDH groups to curve NIDs
Tobias Brunner [Tue, 16 Nov 2021 13:33:09 +0000 (14:33 +0100)]
openssl: Add helper to map ECDH groups to curve NIDs

6 months agolibtls: Shutdown server socket in test teardown function
Tobias Brunner [Mon, 15 Nov 2021 13:01:44 +0000 (14:01 +0100)]
libtls: Shutdown server socket in test teardown function

If a test fails and the server thread is blocked reading on the socket,
it would stay stuck.

6 months agotls-socket: Handle sending fatal errors better
Tobias Brunner [Mon, 15 Nov 2021 13:39:22 +0000 (14:39 +0100)]
tls-socket: Handle sending fatal errors better

In particular as server, the previous code might cause it to hang in
recv() if this case wasn't triggered by a close notify (followed by a
shutdown of the socket) but it e.g. failed processing a ServerHello and
responded with a fatal alert.

Fixes: 09fbaad6bd71 ("tls-socket: Don't fail reading if sending data failed")

6 months agogcrypt: Support of AES-CFB encryption
Andreas Steffen [Mon, 6 Dec 2021 12:43:45 +0000 (13:43 +0100)]
gcrypt:  Support of AES-CFB encryption

6 months agobotan: Support of AES-CFB encryption
Andreas Steffen [Mon, 6 Dec 2021 12:28:31 +0000 (13:28 +0100)]
botan: Support of AES-CFB encryption

6 months agowolfssl: Support of AES-CFB encryption
Andreas Steffen [Mon, 6 Dec 2021 11:24:09 +0000 (12:24 +0100)]
wolfssl: Support of AES-CFB encryption

6 months agoopenssl: Support of AES-CFB encryption
Andreas Steffen [Sat, 4 Dec 2021 15:28:52 +0000 (16:28 +0100)]
openssl: Support of AES-CFB encryption

6 months agochild-rekey: Uninstall old outbound SA earlier on initiator/winner
Tobias Brunner [Fri, 26 Nov 2021 10:32:46 +0000 (11:32 +0100)]
child-rekey: Uninstall old outbound SA earlier on initiator/winner

This is useful for kernel implementations where the ordering of SAs
is unpredictable and the new SA might otherwise not be used until the
DELETE response has been received, which is not ideal as the responder
might not keep the old SA around that long.  On Linux, it makes no
difference as we switch to the new outbound SA immediately because the
updated outbound policy references its SPI.

6 months agogithub: Run charon-tkm tests
Tobias Brunner [Tue, 23 Nov 2021 16:08:11 +0000 (17:08 +0100)]
github: Run charon-tkm tests

Use a Debian-based Docker container to run the unit tests for charon-tkm,
once without and once with TKM running.  The container can also be used
locally to run the tests (see comments in the Dockerfile).

6 months agocharon-tkm: Make only tests requiring TKM optional
Tobias Brunner [Mon, 22 Nov 2021 14:06:19 +0000 (15:06 +0100)]
charon-tkm: Make only tests requiring TKM optional

This way we can run many unit tests without having to run the TKM in the
background and as regular user.  To run the other tests, TESTS_TKM can
optionally be defined when running `make check`.

6 months agoRevert "testing: Don't run tests when building tkm"
Tobias Brunner [Fri, 19 Nov 2021 14:24:44 +0000 (15:24 +0100)]
Revert "testing: Don't run tests when building tkm"

This reverts commit e74bca9e1952cfe4f27f68afeb72be2af56a1256.

6 months agoRevert "testing: Don't run tests when building tkm-rpc"
Tobias Brunner [Fri, 19 Nov 2021 14:23:44 +0000 (15:23 +0100)]
Revert "testing: Don't run tests when building tkm-rpc"

Let's try that again on current systems.

This reverts commit 9c2aba2735b5b54a892b50e2224008bc0cde4267.

7 months agoandroid: Improved simplified Chinese translation / 完善了简体中文翻译
zhangxiaojun [Mon, 22 Nov 2021 09:25:16 +0000 (17:25 +0800)]
android: Improved simplified Chinese translation / 完善了简体中文翻译

Closes strongswan/strongswan#779

7 months agovici: Fix check before applying identity to public keys
Tobias Brunner [Tue, 23 Nov 2021 15:14:42 +0000 (16:14 +0100)]
vici: Fix check before applying identity to public keys

7 months agotesting: Increase memory of winnetou
Tobias Brunner [Fri, 19 Nov 2021 10:54:47 +0000 (11:54 +0100)]
testing: Increase memory of winnetou

Looks like named requires a lot more memory than previously so that
Apache seems to struggle serving the test results sometimes.

7 months agoVersion bump to 5.9.5dr2 5.9.5dr2
Andreas Steffen [Thu, 18 Nov 2021 17:23:21 +0000 (18:23 +0100)]
Version bump to 5.9.5dr2

7 months agofarp: Fix incompatible function types warning
Tobias Brunner [Wed, 17 Nov 2021 17:21:30 +0000 (18:21 +0100)]
farp: Fix incompatible function types warning

7 months agoeap-radius: Fix incompatible function types warnings
Tobias Brunner [Wed, 17 Nov 2021 17:09:39 +0000 (18:09 +0100)]
eap-radius: Fix incompatible function types warnings

7 months agoprocessor: Fix incompatible function types warnings
Tobias Brunner [Wed, 17 Nov 2021 17:06:20 +0000 (18:06 +0100)]
processor: Fix incompatible function types warnings

7 months agoblocking-queue: Fix incompatible function types warning
Tobias Brunner [Wed, 17 Nov 2021 16:46:27 +0000 (17:46 +0100)]
blocking-queue: Fix incompatible function types warning

7 months agoMerge branch 'rsa-oaep-encryption'
Andreas Steffen [Thu, 11 Nov 2021 09:03:17 +0000 (10:03 +0100)]
Merge branch 'rsa-oaep-encryption'

7 months agotesting: Added RSA PKCS1 encryption tests
Andreas Steffen [Tue, 9 Nov 2021 16:57:20 +0000 (17:57 +0100)]
testing: Added RSA PKCS1 encryption tests

7 months agotesting: Added RSA OAEP encryption tests
Andreas Steffen [Mon, 8 Nov 2021 08:28:53 +0000 (09:28 +0100)]
testing: Added RSA OAEP encryption tests

7 months agogcrypt: Support RSA OAEP SHA1 encryption/decryption
Andreas Steffen [Wed, 10 Nov 2021 20:04:00 +0000 (21:04 +0100)]
gcrypt: Support RSA OAEP SHA1 encryption/decryption

7 months agogcrypt: Enable RSA PKCS1 encryption/decryption
Andreas Steffen [Wed, 10 Nov 2021 17:10:42 +0000 (18:10 +0100)]
gcrypt: Enable RSA PKCS1 encryption/decryption

7 months agobotan: RSA OAEP labels are not supported
Andreas Steffen [Tue, 9 Nov 2021 21:46:14 +0000 (22:46 +0100)]
botan: RSA OAEP labels are not supported

7 months agowolfssl: Support OAEP labels
Andreas Steffen [Mon, 8 Nov 2021 18:29:28 +0000 (19:29 +0100)]
wolfssl: Support OAEP labels

7 months agoopenssl: Implemented RSA OAEP encryption/decryption with optional labels
Andreas Steffen [Mon, 8 Nov 2021 08:34:57 +0000 (09:34 +0100)]
openssl: Implemented RSA OAEP encryption/decryption with optional labels

7 months agocredentials: Added void *params to public_key encrypt() and private_key decrypt(...
Andreas Steffen [Mon, 8 Nov 2021 18:26:25 +0000 (19:26 +0100)]
credentials: Added void *params to public_key encrypt() and private_key decrypt() methods

7 months agobotan: Fully enable RSA OAEP decryption
Andreas Steffen [Mon, 8 Nov 2021 08:20:15 +0000 (09:20 +0100)]
botan: Fully enable RSA OAEP decryption

7 months agokernel-pfroute: Set lower MTU on TUN devices
Tobias Brunner [Fri, 5 Nov 2021 07:46:48 +0000 (08:46 +0100)]
kernel-pfroute: Set lower MTU on TUN devices

The default MTU of 1500 is too high if kernel-libipsec is used (considering
the overhead of UDP-encapsulated ESP), but might also have an effect if
a TUN device is only used to install a virtual IP (the route points to it,
so the system might use its MTU and 1500 would still be too high).

This also works around an issue on macOS 12 where no RTM_IFINFO event
is sent for the newly created TUN device (neither for the creation,
setting it "up", nor adding the address).  Changing the MTU, however,
triggers such an event and we can detect the virtual IP.

Closes strongswan/strongswan#707

7 months agoike: Fix length of vendor ID Cisco VPN 3000 client
Tobias Brunner [Wed, 3 Nov 2021 09:35:30 +0000 (10:35 +0100)]
ike: Fix length of vendor ID Cisco VPN 3000 client

The actual length of the data is 16 bytes.

Fixes: 6c49ddfbca72 ("ike: Add additional Vendor IDs for third-party implementations")

7 months agoike: Fix prefix length and data of vendor ID Cisco VPN Concentrator
Volker Rümelin [Mon, 1 Nov 2021 13:49:17 +0000 (14:49 +0100)]
ike: Fix prefix length and data of vendor ID Cisco VPN Concentrator

Currently the length of vendor ID Cisco VPN Concentrator is 16
bytes but the string has only 13+1 bytes. The actual vendor
ID has 16 bytes with a prefix length of 14 bytes and two version

Fixes: 6c49ddfbca72 ("ike: Add additional Vendor IDs for third-party implementations")

7 months agoikev1: Fix prefix length of vendor ID Cisco Unity
Volker Rümelin [Mon, 1 Nov 2021 13:49:16 +0000 (14:49 +0100)]
ikev1: Fix prefix length of vendor ID Cisco Unity

Before commit 6c49ddfbca ("ike: Add additional Vendor IDs for
third-party implementations") the prefix length of vendor ID
Cisco Unity was hardcoded to 14. Since we need to know the actual
length of this VID to send it, the length can't be overloaded
with a prefix length. Revert part of commit 6c49ddfbca to
fix this problem.

Fixes: 6c49ddfbca72 ("ike: Add additional Vendor IDs for third-party implementations")

7 months agoikev1: Fix prefix length of vendor ID MS NT5 ISAKMPOAKLEY
Volker Rümelin [Mon, 1 Nov 2021 13:49:15 +0000 (14:49 +0100)]
ikev1: Fix prefix length of vendor ID MS NT5 ISAKMPOAKLEY

Before commit 6c49ddfbca ("ike: Add additional Vendor IDs for
third-party implementations") the prefix length of vendor ID
MS NT5 ISAKMPOAKLEY was hardcoded to 16. Change the prefix length

Fixes: 6c49ddfbca72 ("ike: Add additional Vendor IDs for third-party implementations")

7 months agoUse wolfSSL 5.0.0 for tests
Tobias Brunner [Tue, 2 Nov 2021 08:41:25 +0000 (09:41 +0100)]
Use wolfSSL 5.0.0 for tests

8 months agoUse Botan 2.18.2 for tests
Tobias Brunner [Tue, 26 Oct 2021 08:33:05 +0000 (10:33 +0200)]
Use Botan 2.18.2 for tests

8 months agoVersion bump to 5.9.5dr1 5.9.5dr1
Andreas Steffen [Tue, 26 Oct 2021 06:04:19 +0000 (08:04 +0200)]
Version bump to 5.9.5dr1

8 months agotesting: Optimized plugin use in pkcs8 scenarios
Andreas Steffen [Sat, 23 Oct 2021 09:44:15 +0000 (11:44 +0200)]
testing: Optimized plugin use in pkcs8 scenarios

8 months agotesting: Minimum required plugins for net2net-pkcs12 scenarios
Andreas Steffen [Fri, 22 Oct 2021 09:39:20 +0000 (11:39 +0200)]
testing: Minimum required plugins for net2net-pkcs12 scenarios

8 months agotesting: Use AES and SHA-256 to protect PKCS#12 files
Tobias Brunner [Mon, 18 Oct 2021 12:27:14 +0000 (14:27 +0200)]
testing: Use AES and SHA-256 to protect PKCS#12 files

The -aes128 option is used when encrypting private keys read from a
PKCS#12 file, not when generating such a file.

8 months agoVersion bump to 5.9.4 5.9.4
Andreas Steffen [Mon, 18 Oct 2021 09:45:53 +0000 (11:45 +0200)]
Version bump to 5.9.4

8 months agotesting: Correctly remove pkcs8 key after test case
Andreas Steffen [Mon, 18 Oct 2021 09:45:31 +0000 (11:45 +0200)]
testing: Correctly remove pkcs8 key after test case

8 months agoNEWS: Add news for 5.9.4
Tobias Brunner [Tue, 12 Oct 2021 16:44:48 +0000 (18:44 +0200)]
NEWS: Add news for 5.9.4

8 months agopkcs8: Don't forward NULL parameters when parsing keys
Tobias Brunner [Mon, 18 Oct 2021 09:22:40 +0000 (11:22 +0200)]
pkcs8: Don't forward NULL parameters when parsing keys

Other plugins don't expect this build part for RSA keys and will fail
parsing the keys further.

8 months agosignature-params: Reject schemes other than RSASSA-PSS with parameters
Tobias Brunner [Mon, 4 Oct 2021 10:10:37 +0000 (12:10 +0200)]
signature-params: Reject schemes other than RSASSA-PSS with parameters

NULL parameters (for classic PKCS#1 signature schemes) are explicitly
allowed (for any schemes for now), but we only expect parameters for
RSASSA-PSS.  Before enforcing this, it was possible to modify the
parameters in the signatureAlgorithm field of the outer X.509 Certificate
structure to something different than the signature field of the signed,
inner tbsCertificate structure, allowing generating infinite versions
of valid certificates with different binary encodings.  Now we accept at
most two (NULL and absent parameters).

8 months agoasn1: Return any parameters of algorithmIdentifier structures
Tobias Brunner [Mon, 4 Oct 2021 10:39:11 +0000 (12:39 +0200)]
asn1: Return any parameters of algorithmIdentifier structures

Previously, only parameters of type OID, SEQUENCE and OCTET STRING were
returned (so e.g. random integers could be put in parameters and we
wouldn't know about it).

Log output is basically the same as with asn1_parser_t before, except
that parameters are always dumped (if any), that wasn't the case before
because ASN1_RAW (instead of ASN1_OBJ) was used.

8 months agocert-cache: Prevent crash due to integer overflow/sign change
Tobias Brunner [Tue, 28 Sep 2021 17:38:22 +0000 (19:38 +0200)]
cert-cache: Prevent crash due to integer overflow/sign change

random() allocates values in the range [0, RAND_MAX], with RAND_MAX usually
equaling INT_MAX = 2^31-1.  Previously, values between 0 and 31 were added
directly to that offset before applying`% CACHE_SIZE` to get an index into
the cache array.  If the random value was very high, this resulted in an
integer overflow and a negative index value and, therefore, an out-of-bounds
access of the array and in turn dereferencing invalid pointers when trying
to acquire the read lock.  This most likely results in a segmentation fault.

Fixes: 764e8b2211ce ("reimplemented certificate cache")
Fixes: CVE-2021-41991

8 months agogmp: Reject RSASSA-PSS signatures with negative salt length
Tobias Brunner [Tue, 28 Sep 2021 16:00:01 +0000 (18:00 +0200)]
gmp: Reject RSASSA-PSS signatures with negative salt length

The `salt_len` field is signed because negative values are used to indicate
automatic salt lengths when generating signatures.  This must never be the
case when validating them.

Not checking this could lead to an integer overflow below.  The value is
assigned to the `len` field of a chunk (`size_t`), which is further used
in calculations to check the padding structure and (if that is passed by
a matching crafted signature value) eventually a memcpy() that will result
in a segmentation fault.

Fixes: 7d6b81648b2d ("gmp: Add support for RSASSA-PSS signature verification")
Fixes: CVE-2021-41990

8 months agosignature-params: Reject RSASSA-PSS params that result in negative salt len
Tobias Brunner [Tue, 28 Sep 2021 15:52:08 +0000 (17:52 +0200)]
signature-params: Reject RSASSA-PSS params that result in negative salt len

The `salt_len` member in the struct is of type `ssize_t` because we use
negative values for special automatic salt lengths when generating
signatures.  This change ensures that `salt_len` will not overflow the
`len` fields of chunks (`size_t`), which could lead to integer overflows
when validating signatures (see the next commit).

Fixes: a22316520b91 ("signature-params: Add functions to parse/build ASN.1 RSASSA-PSS params")

8 months agopki: Use correct enum value to initialize ID type in --keyid command
Tobias Brunner [Wed, 13 Oct 2021 13:17:09 +0000 (15:17 +0200)]
pki: Use correct enum value to initialize ID type in --keyid command

8 months agocirrus: Use specific package name for OpenLDAP
Tobias Brunner [Tue, 12 Oct 2021 12:55:55 +0000 (14:55 +0200)]
cirrus: Use specific package name for OpenLDAP

Seems the openldap-client alias is gone.

8 months agocirrus: Also build on FreeBSD 13.0
Tobias Brunner [Tue, 12 Oct 2021 12:49:03 +0000 (14:49 +0200)]
cirrus: Also build on FreeBSD 13.0

8 months agoVersion bump to 5.9.4rc1 5.9.4rc1
Andreas Steffen [Tue, 12 Oct 2021 06:54:03 +0000 (08:54 +0200)]
Version bump to 5.9.4rc1

8 months agopki: Ensure allocated serial numbers don't start with a zero byte
Tobias Brunner [Tue, 28 Sep 2021 10:05:28 +0000 (12:05 +0200)]
pki: Ensure allocated serial numbers don't start with a zero byte

If the randomly allocated serial starts with 0x80, the fix added with
e49197f15eef ("pki: Don't generate negative random serial numbers in
X.509 certificates") causes the value to become zero.  So the encoded
ASN.1 integer will start with a zero byte, which is only correct if the
integer would otherwise be interpreted as negative, i.e. the next byte
starts with the most significant bit set.  If that isn't the case, the
encoding is technically invalid and might get rejected by strict parsers.

Note that e49197f15eef did not actually fix a violation of RFC 5280 as
asn1_integer() assumes all passed numbers are positive and automatically
adds a zero prefix if the MSB is set.  What it did instead (or at least
attempted to) is ensure that the generated serial is a positive 64-bit
number in two's complement. The difference can be seen in the output of
`openssl x509 -text`.  While 8-byte serials with the MSB set are printed
as hex dump:

    Serial Number:

    (The encoding is 02:09:00:af:e2:e1:47:0f:66:b5:a4)

those without MSB set are actually printed as number:

    Serial Number: 289805014144645117 (0x405981ffa37f7fd)

    (The encoding is 02:08:04:05:98:1F:FA:37:F7:FD)

The reason is that OpenSSL only does the latter if the number fits into a
signed `long` variable, which isn't the case if a positive 64-bit number
has the MSB set (i.e. has a zero prefix) as it would be interpreted as
negative number in two's complement.  OpenSSL does print negative serial
numbers (even if it's a violation of the RFC), but only if they were
encoded as such, i.e. if there was no zero prefix:

    Serial Number: -5492225205882687294 (-0x4c384db9c7158f3e)

    (The encoding is 02:08:b3:c7:b2:46:38:ea:70:c2)

Fixes: e49197f15eef ("pki: Don't generate negative random serial numbers in X.509 certificates")
Closes strongswan/strongswan#631

8 months agoVersion bump to 5.9.4dr3 5.9.4dr3
Andreas Steffen [Mon, 4 Oct 2021 09:50:30 +0000 (11:50 +0200)]
Version bump to 5.9.4dr3

8 months agoClear static buffer returned by getpass()
Tobias Brunner [Fri, 1 Oct 2021 11:49:46 +0000 (13:49 +0200)]
Clear static buffer returned by getpass()

8 months agoswanctl: Clear config from memory
Tobias Brunner [Thu, 30 Sep 2021 13:16:48 +0000 (15:16 +0200)]
swanctl: Clear config from memory

The 'secrets' section in the config file may contain passwords/PINs.

8 months agosettings: Add destructor that wipes contents
Tobias Brunner [Thu, 30 Sep 2021 13:13:35 +0000 (15:13 +0200)]
settings: Add destructor that wipes contents

8 months agostroke: Clear ipsec.secrets file from memory
Tobias Brunner [Thu, 30 Sep 2021 13:38:38 +0000 (15:38 +0200)]
stroke: Clear ipsec.secrets file from memory

8 months agoswanctl: Clear possibly unencrypted key/container files from memory
Tobias Brunner [Thu, 30 Sep 2021 13:37:46 +0000 (15:37 +0200)]
swanctl: Clear possibly unencrypted key/container files from memory

8 months agopem: Clear possibly unencrypted key file from memory
Tobias Brunner [Thu, 30 Sep 2021 13:33:40 +0000 (15:33 +0200)]
pem: Clear possibly unencrypted key file from memory

8 months agochunk: Optionally clear mmap'd chunk before unmapping
Tobias Brunner [Thu, 30 Sep 2021 10:39:08 +0000 (12:39 +0200)]
chunk: Optionally clear mmap'd chunk before unmapping

This is mostly for the non-mmap case as with mmap available, access to the
unmapped memory isn't easily possible (e.g. opening the same area with
MAP_ANONYMOUS | MAP_UNINITIALIZED is usually prevented by the missing
CONFIG_MMAP_ALLOW_UNINITIALIZED option in most kernels).

8 months agovici: Clear all request messages in case they contain secrets
Tobias Brunner [Thu, 30 Sep 2021 10:22:59 +0000 (12:22 +0200)]
vici: Clear all request messages in case they contain secrets

8 months agovici: Clear cached strings in case the message contained shared secrets
Tobias Brunner [Thu, 30 Sep 2021 10:10:44 +0000 (12:10 +0200)]
vici: Clear cached strings in case the message contained shared secrets

8 months agopem: Clear chunks after decrypting files
Tobias Brunner [Thu, 30 Sep 2021 10:03:42 +0000 (12:03 +0200)]
pem: Clear chunks after decrypting files

8 months agoshared-key: Clear shared secret when destroyed
Tobias Brunner [Thu, 30 Sep 2021 10:00:25 +0000 (12:00 +0200)]
shared-key: Clear shared secret when destroyed

8 months agoMerge branch 'testing-bullseye'
Tobias Brunner [Fri, 1 Oct 2021 15:13:18 +0000 (17:13 +0200)]
Merge branch 'testing-bullseye'

Use Debian bullseye as base image for the testing environment.

8 months agotesting: Use Debian bullseye as base image
Tobias Brunner [Tue, 21 Sep 2021 17:30:00 +0000 (19:30 +0200)]
testing: Use Debian bullseye as base image

8 months agotesting: Determine Debian version in TNC scenarios automatically again
Tobias Brunner [Wed, 22 Sep 2021 12:10:54 +0000 (14:10 +0200)]
testing: Determine Debian version in TNC scenarios automatically again

Was statically set to 10 since f3d96b7bc9e2 ("Version bump to 5.9.1dr1").