37 hours agoandroid: Improved simplified Chinese translation / 完善了简体中文翻译 master
zhangxiaojun [Mon, 22 Nov 2021 09:25:16 +0000 (17:25 +0800)]
android: Improved simplified Chinese translation / 完善了简体中文翻译

Closes strongswan/strongswan#779

4 days agovici: Fix check before applying identity to public keys
Tobias Brunner [Tue, 23 Nov 2021 15:14:42 +0000 (16:14 +0100)]
vici: Fix check before applying identity to public keys

8 days agotesting: Increase memory of winnetou
Tobias Brunner [Fri, 19 Nov 2021 10:54:47 +0000 (11:54 +0100)]
testing: Increase memory of winnetou

Looks like named requires a lot more memory than previously so that
Apache seems to struggle serving the test results sometimes.

9 days agoVersion bump to 5.9.5dr2 5.9.5dr2
Andreas Steffen [Thu, 18 Nov 2021 17:23:21 +0000 (18:23 +0100)]
Version bump to 5.9.5dr2

10 days agofarp: Fix incompatible function types warning
Tobias Brunner [Wed, 17 Nov 2021 17:21:30 +0000 (18:21 +0100)]
farp: Fix incompatible function types warning

10 days agoeap-radius: Fix incompatible function types warnings
Tobias Brunner [Wed, 17 Nov 2021 17:09:39 +0000 (18:09 +0100)]
eap-radius: Fix incompatible function types warnings

10 days agoprocessor: Fix incompatible function types warnings
Tobias Brunner [Wed, 17 Nov 2021 17:06:20 +0000 (18:06 +0100)]
processor: Fix incompatible function types warnings

10 days agoblocking-queue: Fix incompatible function types warning
Tobias Brunner [Wed, 17 Nov 2021 16:46:27 +0000 (17:46 +0100)]
blocking-queue: Fix incompatible function types warning

2 weeks agoMerge branch 'rsa-oaep-encryption'
Andreas Steffen [Thu, 11 Nov 2021 09:03:17 +0000 (10:03 +0100)]
Merge branch 'rsa-oaep-encryption'

2 weeks agotesting: Added RSA PKCS1 encryption tests
Andreas Steffen [Tue, 9 Nov 2021 16:57:20 +0000 (17:57 +0100)]
testing: Added RSA PKCS1 encryption tests

2 weeks agotesting: Added RSA OAEP encryption tests
Andreas Steffen [Mon, 8 Nov 2021 08:28:53 +0000 (09:28 +0100)]
testing: Added RSA OAEP encryption tests

2 weeks agogcrypt: Support RSA OAEP SHA1 encryption/decryption
Andreas Steffen [Wed, 10 Nov 2021 20:04:00 +0000 (21:04 +0100)]
gcrypt: Support RSA OAEP SHA1 encryption/decryption

2 weeks agogcrypt: Enable RSA PKCS1 encryption/decryption
Andreas Steffen [Wed, 10 Nov 2021 17:10:42 +0000 (18:10 +0100)]
gcrypt: Enable RSA PKCS1 encryption/decryption

2 weeks agobotan: RSA OAEP labels are not supported
Andreas Steffen [Tue, 9 Nov 2021 21:46:14 +0000 (22:46 +0100)]
botan: RSA OAEP labels are not supported

2 weeks agowolfssl: Support OAEP labels
Andreas Steffen [Mon, 8 Nov 2021 18:29:28 +0000 (19:29 +0100)]
wolfssl: Support OAEP labels

2 weeks agoopenssl: Implemented RSA OAEP encryption/decryption with optional labels
Andreas Steffen [Mon, 8 Nov 2021 08:34:57 +0000 (09:34 +0100)]
openssl: Implemented RSA OAEP encryption/decryption with optional labels

2 weeks agocredentials: Added void *params to public_key encrypt() and private_key decrypt(...
Andreas Steffen [Mon, 8 Nov 2021 18:26:25 +0000 (19:26 +0100)]
credentials: Added void *params to public_key encrypt() and private_key decrypt() methods

2 weeks agobotan: Fully enable RSA OAEP decryption
Andreas Steffen [Mon, 8 Nov 2021 08:20:15 +0000 (09:20 +0100)]
botan: Fully enable RSA OAEP decryption

2 weeks agokernel-pfroute: Set lower MTU on TUN devices
Tobias Brunner [Fri, 5 Nov 2021 07:46:48 +0000 (08:46 +0100)]
kernel-pfroute: Set lower MTU on TUN devices

The default MTU of 1500 is too high if kernel-libipsec is used (considering
the overhead of UDP-encapsulated ESP), but might also have an effect if
a TUN device is only used to install a virtual IP (the route points to it,
so the system might use its MTU and 1500 would still be too high).

This also works around an issue on macOS 12 where no RTM_IFINFO event
is sent for the newly created TUN device (neither for the creation,
setting it "up", nor adding the address).  Changing the MTU, however,
triggers such an event and we can detect the virtual IP.

Closes strongswan/strongswan#707

3 weeks agoike: Fix length of vendor ID Cisco VPN 3000 client
Tobias Brunner [Wed, 3 Nov 2021 09:35:30 +0000 (10:35 +0100)]
ike: Fix length of vendor ID Cisco VPN 3000 client

The actual length of the data is 16 bytes.

Fixes: 6c49ddfbca72 ("ike: Add additional Vendor IDs for third-party implementations")

3 weeks agoike: Fix prefix length and data of vendor ID Cisco VPN Concentrator
Volker Rümelin [Mon, 1 Nov 2021 13:49:17 +0000 (14:49 +0100)]
ike: Fix prefix length and data of vendor ID Cisco VPN Concentrator

Currently the length of vendor ID Cisco VPN Concentrator is 16
bytes but the string has only 13+1 bytes. The actual vendor
ID has 16 bytes with a prefix length of 14 bytes and two version

Fixes: 6c49ddfbca72 ("ike: Add additional Vendor IDs for third-party implementations")

3 weeks agoikev1: Fix prefix length of vendor ID Cisco Unity
Volker Rümelin [Mon, 1 Nov 2021 13:49:16 +0000 (14:49 +0100)]
ikev1: Fix prefix length of vendor ID Cisco Unity

Before commit 6c49ddfbca ("ike: Add additional Vendor IDs for
third-party implementations") the prefix length of vendor ID
Cisco Unity was hardcoded to 14. Since we need to know the actual
length of this VID to send it, the length can't be overloaded
with a prefix length. Revert part of commit 6c49ddfbca to
fix this problem.

Fixes: 6c49ddfbca72 ("ike: Add additional Vendor IDs for third-party implementations")

3 weeks agoikev1: Fix prefix length of vendor ID MS NT5 ISAKMPOAKLEY
Volker Rümelin [Mon, 1 Nov 2021 13:49:15 +0000 (14:49 +0100)]
ikev1: Fix prefix length of vendor ID MS NT5 ISAKMPOAKLEY

Before commit 6c49ddfbca ("ike: Add additional Vendor IDs for
third-party implementations") the prefix length of vendor ID
MS NT5 ISAKMPOAKLEY was hardcoded to 16. Change the prefix length

Fixes: 6c49ddfbca72 ("ike: Add additional Vendor IDs for third-party implementations")

3 weeks agoUse wolfSSL 5.0.0 for tests
Tobias Brunner [Tue, 2 Nov 2021 08:41:25 +0000 (09:41 +0100)]
Use wolfSSL 5.0.0 for tests

4 weeks agoUse Botan 2.18.2 for tests
Tobias Brunner [Tue, 26 Oct 2021 08:33:05 +0000 (10:33 +0200)]
Use Botan 2.18.2 for tests

4 weeks agoVersion bump to 5.9.5dr1 5.9.5dr1
Andreas Steffen [Tue, 26 Oct 2021 06:04:19 +0000 (08:04 +0200)]
Version bump to 5.9.5dr1

5 weeks agotesting: Optimized plugin use in pkcs8 scenarios
Andreas Steffen [Sat, 23 Oct 2021 09:44:15 +0000 (11:44 +0200)]
testing: Optimized plugin use in pkcs8 scenarios

5 weeks agotesting: Minimum required plugins for net2net-pkcs12 scenarios
Andreas Steffen [Fri, 22 Oct 2021 09:39:20 +0000 (11:39 +0200)]
testing: Minimum required plugins for net2net-pkcs12 scenarios

5 weeks agotesting: Use AES and SHA-256 to protect PKCS#12 files
Tobias Brunner [Mon, 18 Oct 2021 12:27:14 +0000 (14:27 +0200)]
testing: Use AES and SHA-256 to protect PKCS#12 files

The -aes128 option is used when encrypting private keys read from a
PKCS#12 file, not when generating such a file.

5 weeks agoVersion bump to 5.9.4 5.9.4
Andreas Steffen [Mon, 18 Oct 2021 09:45:53 +0000 (11:45 +0200)]
Version bump to 5.9.4

5 weeks agotesting: Correctly remove pkcs8 key after test case
Andreas Steffen [Mon, 18 Oct 2021 09:45:31 +0000 (11:45 +0200)]
testing: Correctly remove pkcs8 key after test case

5 weeks agoNEWS: Add news for 5.9.4
Tobias Brunner [Tue, 12 Oct 2021 16:44:48 +0000 (18:44 +0200)]
NEWS: Add news for 5.9.4

5 weeks agopkcs8: Don't forward NULL parameters when parsing keys
Tobias Brunner [Mon, 18 Oct 2021 09:22:40 +0000 (11:22 +0200)]
pkcs8: Don't forward NULL parameters when parsing keys

Other plugins don't expect this build part for RSA keys and will fail
parsing the keys further.

6 weeks agosignature-params: Reject schemes other than RSASSA-PSS with parameters
Tobias Brunner [Mon, 4 Oct 2021 10:10:37 +0000 (12:10 +0200)]
signature-params: Reject schemes other than RSASSA-PSS with parameters

NULL parameters (for classic PKCS#1 signature schemes) are explicitly
allowed (for any schemes for now), but we only expect parameters for
RSASSA-PSS.  Before enforcing this, it was possible to modify the
parameters in the signatureAlgorithm field of the outer X.509 Certificate
structure to something different than the signature field of the signed,
inner tbsCertificate structure, allowing generating infinite versions
of valid certificates with different binary encodings.  Now we accept at
most two (NULL and absent parameters).

6 weeks agoasn1: Return any parameters of algorithmIdentifier structures
Tobias Brunner [Mon, 4 Oct 2021 10:39:11 +0000 (12:39 +0200)]
asn1: Return any parameters of algorithmIdentifier structures

Previously, only parameters of type OID, SEQUENCE and OCTET STRING were
returned (so e.g. random integers could be put in parameters and we
wouldn't know about it).

Log output is basically the same as with asn1_parser_t before, except
that parameters are always dumped (if any), that wasn't the case before
because ASN1_RAW (instead of ASN1_OBJ) was used.

6 weeks agocert-cache: Prevent crash due to integer overflow/sign change
Tobias Brunner [Tue, 28 Sep 2021 17:38:22 +0000 (19:38 +0200)]
cert-cache: Prevent crash due to integer overflow/sign change

random() allocates values in the range [0, RAND_MAX], with RAND_MAX usually
equaling INT_MAX = 2^31-1.  Previously, values between 0 and 31 were added
directly to that offset before applying`% CACHE_SIZE` to get an index into
the cache array.  If the random value was very high, this resulted in an
integer overflow and a negative index value and, therefore, an out-of-bounds
access of the array and in turn dereferencing invalid pointers when trying
to acquire the read lock.  This most likely results in a segmentation fault.

Fixes: 764e8b2211ce ("reimplemented certificate cache")
Fixes: CVE-2021-41991

6 weeks agogmp: Reject RSASSA-PSS signatures with negative salt length
Tobias Brunner [Tue, 28 Sep 2021 16:00:01 +0000 (18:00 +0200)]
gmp: Reject RSASSA-PSS signatures with negative salt length

The `salt_len` field is signed because negative values are used to indicate
automatic salt lengths when generating signatures.  This must never be the
case when validating them.

Not checking this could lead to an integer overflow below.  The value is
assigned to the `len` field of a chunk (`size_t`), which is further used
in calculations to check the padding structure and (if that is passed by
a matching crafted signature value) eventually a memcpy() that will result
in a segmentation fault.

Fixes: 7d6b81648b2d ("gmp: Add support for RSASSA-PSS signature verification")
Fixes: CVE-2021-41990

6 weeks agosignature-params: Reject RSASSA-PSS params that result in negative salt len
Tobias Brunner [Tue, 28 Sep 2021 15:52:08 +0000 (17:52 +0200)]
signature-params: Reject RSASSA-PSS params that result in negative salt len

The `salt_len` member in the struct is of type `ssize_t` because we use
negative values for special automatic salt lengths when generating
signatures.  This change ensures that `salt_len` will not overflow the
`len` fields of chunks (`size_t`), which could lead to integer overflows
when validating signatures (see the next commit).

Fixes: a22316520b91 ("signature-params: Add functions to parse/build ASN.1 RSASSA-PSS params")

6 weeks agopki: Use correct enum value to initialize ID type in --keyid command
Tobias Brunner [Wed, 13 Oct 2021 13:17:09 +0000 (15:17 +0200)]
pki: Use correct enum value to initialize ID type in --keyid command

6 weeks agocirrus: Use specific package name for OpenLDAP
Tobias Brunner [Tue, 12 Oct 2021 12:55:55 +0000 (14:55 +0200)]
cirrus: Use specific package name for OpenLDAP

Seems the openldap-client alias is gone.

6 weeks agocirrus: Also build on FreeBSD 13.0
Tobias Brunner [Tue, 12 Oct 2021 12:49:03 +0000 (14:49 +0200)]
cirrus: Also build on FreeBSD 13.0

6 weeks agoVersion bump to 5.9.4rc1 5.9.4rc1
Andreas Steffen [Tue, 12 Oct 2021 06:54:03 +0000 (08:54 +0200)]
Version bump to 5.9.4rc1

7 weeks agopki: Ensure allocated serial numbers don't start with a zero byte
Tobias Brunner [Tue, 28 Sep 2021 10:05:28 +0000 (12:05 +0200)]
pki: Ensure allocated serial numbers don't start with a zero byte

If the randomly allocated serial starts with 0x80, the fix added with
e49197f15eef ("pki: Don't generate negative random serial numbers in
X.509 certificates") causes the value to become zero.  So the encoded
ASN.1 integer will start with a zero byte, which is only correct if the
integer would otherwise be interpreted as negative, i.e. the next byte
starts with the most significant bit set.  If that isn't the case, the
encoding is technically invalid and might get rejected by strict parsers.

Note that e49197f15eef did not actually fix a violation of RFC 5280 as
asn1_integer() assumes all passed numbers are positive and automatically
adds a zero prefix if the MSB is set.  What it did instead (or at least
attempted to) is ensure that the generated serial is a positive 64-bit
number in two's complement. The difference can be seen in the output of
`openssl x509 -text`.  While 8-byte serials with the MSB set are printed
as hex dump:

    Serial Number:

    (The encoding is 02:09:00:af:e2:e1:47:0f:66:b5:a4)

those without MSB set are actually printed as number:

    Serial Number: 289805014144645117 (0x405981ffa37f7fd)

    (The encoding is 02:08:04:05:98:1F:FA:37:F7:FD)

The reason is that OpenSSL only does the latter if the number fits into a
signed `long` variable, which isn't the case if a positive 64-bit number
has the MSB set (i.e. has a zero prefix) as it would be interpreted as
negative number in two's complement.  OpenSSL does print negative serial
numbers (even if it's a violation of the RFC), but only if they were
encoded as such, i.e. if there was no zero prefix:

    Serial Number: -5492225205882687294 (-0x4c384db9c7158f3e)

    (The encoding is 02:08:b3:c7:b2:46:38:ea:70:c2)

Fixes: e49197f15eef ("pki: Don't generate negative random serial numbers in X.509 certificates")
Closes strongswan/strongswan#631

7 weeks agoVersion bump to 5.9.4dr3 5.9.4dr3
Andreas Steffen [Mon, 4 Oct 2021 09:50:30 +0000 (11:50 +0200)]
Version bump to 5.9.4dr3

7 weeks agoClear static buffer returned by getpass()
Tobias Brunner [Fri, 1 Oct 2021 11:49:46 +0000 (13:49 +0200)]
Clear static buffer returned by getpass()

7 weeks agoswanctl: Clear config from memory
Tobias Brunner [Thu, 30 Sep 2021 13:16:48 +0000 (15:16 +0200)]
swanctl: Clear config from memory

The 'secrets' section in the config file may contain passwords/PINs.

7 weeks agosettings: Add destructor that wipes contents
Tobias Brunner [Thu, 30 Sep 2021 13:13:35 +0000 (15:13 +0200)]
settings: Add destructor that wipes contents

7 weeks agostroke: Clear ipsec.secrets file from memory
Tobias Brunner [Thu, 30 Sep 2021 13:38:38 +0000 (15:38 +0200)]
stroke: Clear ipsec.secrets file from memory

7 weeks agoswanctl: Clear possibly unencrypted key/container files from memory
Tobias Brunner [Thu, 30 Sep 2021 13:37:46 +0000 (15:37 +0200)]
swanctl: Clear possibly unencrypted key/container files from memory

7 weeks agopem: Clear possibly unencrypted key file from memory
Tobias Brunner [Thu, 30 Sep 2021 13:33:40 +0000 (15:33 +0200)]
pem: Clear possibly unencrypted key file from memory

7 weeks agochunk: Optionally clear mmap'd chunk before unmapping
Tobias Brunner [Thu, 30 Sep 2021 10:39:08 +0000 (12:39 +0200)]
chunk: Optionally clear mmap'd chunk before unmapping

This is mostly for the non-mmap case as with mmap available, access to the
unmapped memory isn't easily possible (e.g. opening the same area with
MAP_ANONYMOUS | MAP_UNINITIALIZED is usually prevented by the missing
CONFIG_MMAP_ALLOW_UNINITIALIZED option in most kernels).

7 weeks agovici: Clear all request messages in case they contain secrets
Tobias Brunner [Thu, 30 Sep 2021 10:22:59 +0000 (12:22 +0200)]
vici: Clear all request messages in case they contain secrets

7 weeks agovici: Clear cached strings in case the message contained shared secrets
Tobias Brunner [Thu, 30 Sep 2021 10:10:44 +0000 (12:10 +0200)]
vici: Clear cached strings in case the message contained shared secrets

7 weeks agopem: Clear chunks after decrypting files
Tobias Brunner [Thu, 30 Sep 2021 10:03:42 +0000 (12:03 +0200)]
pem: Clear chunks after decrypting files

7 weeks agoshared-key: Clear shared secret when destroyed
Tobias Brunner [Thu, 30 Sep 2021 10:00:25 +0000 (12:00 +0200)]
shared-key: Clear shared secret when destroyed

8 weeks agoMerge branch 'testing-bullseye'
Tobias Brunner [Fri, 1 Oct 2021 15:13:18 +0000 (17:13 +0200)]
Merge branch 'testing-bullseye'

Use Debian bullseye as base image for the testing environment.

8 weeks agotesting: Use Debian bullseye as base image
Tobias Brunner [Tue, 21 Sep 2021 17:30:00 +0000 (19:30 +0200)]
testing: Use Debian bullseye as base image

8 weeks agotesting: Determine Debian version in TNC scenarios automatically again
Tobias Brunner [Wed, 22 Sep 2021 12:10:54 +0000 (14:10 +0200)]
testing: Determine Debian version in TNC scenarios automatically again

Was statically set to 10 since f3d96b7bc9e2 ("Version bump to 5.9.1dr1").

8 weeks agolibimcv: Add Debian 11 (bullseye) to IMV database
Tobias Brunner [Wed, 22 Sep 2021 12:04:39 +0000 (14:04 +0200)]
libimcv: Add Debian 11 (bullseye) to IMV database

8 weeks agotesting: Replace `arp` with `ip neigh`
Tobias Brunner [Wed, 22 Sep 2021 11:46:19 +0000 (13:46 +0200)]
testing: Replace `arp` with `ip neigh`

The net-tools package, which provides arp and other older utilities like
ifconfig, is not installed anymore on Debian bullseye.

8 weeks agotesting: Allow DNS via TCP in net2net-dnscert scenario
Tobias Brunner [Wed, 22 Sep 2021 11:28:53 +0000 (13:28 +0200)]
testing: Allow DNS via TCP in net2net-dnscert scenario

New versions of Bind limit the maximum UDP message size to 1232 bytes,
which is the same that newer versions of libunbound propose as maximum via
EDNS in requests, so increasing the limit on the server wouldn't help.

Instead we allow DNS via TCP so the client can switch after receiving the
truncated UDP response.

8 weeks agotesting: Remove support for Debian jessie and FreeRADIUS 2
Tobias Brunner [Tue, 21 Sep 2021 09:18:16 +0000 (11:18 +0200)]
testing: Remove support for Debian jessie and FreeRADIUS 2

8 weeks agotesting: Support build with Debian bullseye base image
Tobias Brunner [Tue, 21 Sep 2021 09:15:43 +0000 (11:15 +0200)]
testing: Support build with Debian bullseye base image

8 weeks agoopenssl: Use correct key types when adopting Ed25519/448 keys
Tobias Brunner [Mon, 20 Sep 2021 15:20:30 +0000 (17:20 +0200)]
openssl: Use correct key types when adopting Ed25519/448 keys

Fixes: cbf07ab5b0b6 ("openssl: Add support for Ed25519/Ed448")

8 weeks agoopenssl: Remove workaround for Brainpool ECDH curves for older OpenSSL versions
Tobias Brunner [Mon, 20 Sep 2021 14:31:33 +0000 (16:31 +0200)]
openssl: Remove workaround for Brainpool ECDH curves for older OpenSSL versions

Using the workaround with the EVP interface, which we use to derive shared
keys since 74e02ff5e624 ("openssl: Mainly use EVP interface for ECDH"),
would actually require us to register the OIDs of these curves as NID.
Otherwise, the two EC_GROUPs used by private and public key objects
are not considered the same and the key derivation fails.

Since the curves are supported by OpenSSL since 1.0.2 it's probably rare to
find a version without them nowadays.  One exception is the old BoringSSL
version we still use on Android, which defines the NIDs but not the curve
data.  However, that version also lacks support to register OIDs as NIDs,
so the only option to support these groups there would be to got back to not
using the EVP interface, which isn't in anyone's interest.  If there really
is a need for them there, we could probably patch BoringSSL or use OpenSSL.

8 weeks agogithub: Fix build on macOS due to moved OpenSSL location
Tobias Brunner [Thu, 30 Sep 2021 14:21:45 +0000 (16:21 +0200)]
github: Fix build on macOS due to moved OpenSSL location

8 weeks agocrl: Fix compilation with OpenSSL 3.0
Tobias Brunner [Thu, 30 Sep 2021 07:40:47 +0000 (09:40 +0200)]
crl: Fix compilation with OpenSSL 3.0

Closes strongswan/strongswan#635

2 months agogithub: Use OpenSSL 1.1 on macOS
Tobias Brunner [Thu, 23 Sep 2021 14:56:19 +0000 (16:56 +0200)]
github: Use OpenSSL 1.1 on macOS

The "openssl" alias now defaults to OpenSSL 3.0, which produces a lot of
deprecation warnings.  To avoid build failures due to `-Werror`, stay with
OpenSSL 1.1 until we can get rid of these issues.

2 months agokernel-pfkey: Wipe request/response messages when managing SAs
Tobias Brunner [Thu, 23 Sep 2021 13:24:52 +0000 (15:24 +0200)]
kernel-pfkey: Wipe request/response messages when managing SAs

2 months agoVersion bump to 5.9.4dr2 5.9.4dr2
Andreas Steffen [Tue, 21 Sep 2021 12:18:16 +0000 (14:18 +0200)]
Version bump to 5.9.4dr2

2 months agoChange shebang for Python scripts to use python3
Tobias Brunner [Tue, 21 Sep 2021 09:13:50 +0000 (11:13 +0200)]
Change shebang for Python scripts to use python3

2 months agotesting: Fix updown script in route-based/net2net-xfrmi-ike scenario
Tobias Brunner [Tue, 21 Sep 2021 10:40:52 +0000 (12:40 +0200)]
testing: Fix updown script in route-based/net2net-xfrmi-ike scenario

With the update to Python 3 the encoding of the values in vici messages
changed to bytestrings (the keys are properly decoded).  And getting the
first CHILD_SA also needs a change.

The logger is now also initialized after daemonizing to avoid that opened
sockets are closed etc.

2 months agotesting: Switch to Python 3
Andreas Steffen [Tue, 21 Sep 2021 07:28:49 +0000 (09:28 +0200)]
testing: Switch to Python 3

Both swidGenerator and strongTNC were migrated to Python 3.
This allows to migrate all testing scripts to Python 3, too.

2 months agokeymat_v2: Properly wipe DH secret during IKE_SA rekeying
Tobias Brunner [Mon, 20 Sep 2021 14:08:00 +0000 (16:08 +0200)]
keymat_v2: Properly wipe DH secret during IKE_SA rekeying

While `secret` is wiped explicitly, it wasn't when concatenating with
the nonces.

2 months agosec-updater: Use latest versions
Andreas Steffen [Tue, 7 Sep 2021 16:55:02 +0000 (18:55 +0200)]
sec-updater: Use latest versions

2 months agoos_info: Parse /etc/os-release first
Andreas Steffen [Tue, 7 Sep 2021 12:59:36 +0000 (14:59 +0200)]
os_info: Parse /etc/os-release first

2 months agogithub: Remove build on Ubuntu Xenial (16.04)
Tobias Brunner [Wed, 8 Sep 2021 10:00:12 +0000 (12:00 +0200)]
github: Remove build on Ubuntu Xenial (16.04)

Support for it will be removed later this month.

2 months agovici: Update supported Python versions
Tobias Brunner [Wed, 8 Sep 2021 09:55:41 +0000 (11:55 +0200)]
vici: Update supported Python versions

2 months agovici: Add DBG4 messages that print loaded shared keys and PINs
Noel Kuntze [Fri, 27 Aug 2021 17:05:03 +0000 (19:05 +0200)]
vici: Add DBG4 messages that print loaded shared keys and PINs

Closes strongswan/strongswan#217

3 months agoike: Initiate new IKE_SA not until all children are queued
Tobias Brunner [Mon, 12 Jul 2021 12:47:57 +0000 (14:47 +0200)]
ike: Initiate new IKE_SA not until all children are queued

If there are many CHILD_SAs, the time between initiating the new IKE_SA
and checking it in might be longer (depending on what else is going on
in the daemon) than the retransmission timeout and no retransmits might
be sent afterwards for this SA (it will just linger around dead).
Calling initiate() last should avoid that (we do this similarly for MBB

3 months agoikev2: Only request reauth during IKE_AUTH if active reauth is not possible
Tobias Brunner [Tue, 29 Jun 2021 13:54:15 +0000 (15:54 +0200)]
ikev2: Only request reauth during IKE_AUTH if active reauth is not possible

If we can initiate the reauthentication ourselves, there is no reason to
explicitly request the peer to do so (at basically the same time).

3 months agoike-rekey: Respond with TEMPORARY_FAILURE while reauthenticating
Tobias Brunner [Tue, 29 Jun 2021 13:50:43 +0000 (15:50 +0200)]
ike-rekey: Respond with TEMPORARY_FAILURE while reauthenticating

This could lead to duplicates as the new IKE_SA can't delete the old one
once reauthentication is complete if it was replaced by a rekeying.

3 months agoike: Don't rekey IKE_SA while reauthenticating
Tobias Brunner [Tue, 29 Jun 2021 13:25:48 +0000 (15:25 +0200)]
ike: Don't rekey IKE_SA while reauthenticating

If we are using make-before-break reauthentication, this could lead to
duplicates as the new IKE_SA wouldn't be able to delete the previous
one if it was replaced by a rekeying.

3 months agoike-delete: Don't call reestablish() when reauthenticating
Tobias Brunner [Wed, 16 Jun 2021 11:54:18 +0000 (13:54 +0200)]
ike-delete: Don't call reestablish() when reauthenticating

If we initiated a make-before-break reauthentication and the peer
concurrently deletes the IKE_SA (e.g. because it uses break-before-make
reauthentication), we would create a duplicate IKE_SA (the condition forces
a recreation of all existing CHILD_SAs because reestablish() is also called
to complete a break-before-make reauthentication).

3 months agoopenssl: Improve compatibility to newer BoringSSL releases
Tobias Brunner [Tue, 22 Jun 2021 08:55:31 +0000 (10:55 +0200)]
openssl: Improve compatibility to newer BoringSSL releases

Closes strongswan/strongswan#352

3 months agoMerge branch 'swanctl-ssh-public-keys'
Tobias Brunner [Mon, 23 Aug 2021 16:01:49 +0000 (18:01 +0200)]
Merge branch 'swanctl-ssh-public-keys'

Minor changes that allow loading SSH public keys via `pubkeys` in

References strongswan/strongswan#467

3 months agopubkey: Ignore X.509 flags passed to the parser
Tobias Brunner [Tue, 22 Jun 2021 08:35:10 +0000 (10:35 +0200)]
pubkey: Ignore X.509 flags passed to the parser

3 months agopubkey: Don't assume blobs are only ASN.1 DER
Tobias Brunner [Mon, 21 Jun 2021 09:44:51 +0000 (11:44 +0200)]
pubkey: Don't assume blobs are only ASN.1 DER

Also forward the blob's type when parsing pubkeys.

3 months agovici: Use the more generic BUILD_BLOB to parse certificates/public keys
Tobias Brunner [Mon, 21 Jun 2021 09:39:07 +0000 (11:39 +0200)]
vici: Use the more generic BUILD_BLOB to parse certificates/public keys

3 months agogithub: Remove github.ref from cache keys
Tobias Brunner [Fri, 20 Aug 2021 09:42:39 +0000 (11:42 +0200)]
github: Remove github.ref from cache keys

According to the documentation for actions/cache, the lookup is already
scoped to the current branch (with fallback to any base branch including
the default branch).

3 months agotpm_extendpcr: Support platforms not having syslog()
Tobias Brunner [Mon, 23 Aug 2021 09:30:15 +0000 (11:30 +0200)]
tpm_extendpcr: Support platforms not having syslog()

3 months agotpm_extendpcr: Build does not depend on tpm plugin but libtpmtss
Tobias Brunner [Mon, 23 Aug 2021 08:44:41 +0000 (10:44 +0200)]
tpm_extendpcr: Build does not depend on tpm plugin but libtpmtss

The utility basically requires a TSS, the tpm plugin is not used at all.

3 months agoVersion bump to 5.9.4dr1 5.9.4dr1
Andreas Steffen [Sun, 22 Aug 2021 08:55:37 +0000 (10:55 +0200)]
Version bump to 5.9.4dr1

3 months agolibtpmtss: Initialize library from all users
Tobias Brunner [Fri, 20 Aug 2021 14:34:48 +0000 (16:34 +0200)]
libtpmtss: Initialize library from all users

Previously, only the tpm plugin initialized the library, so in order
to use a TPM 2.0 (a required TCTI library is loaded via init), it was
necessary to load it even if none of its actual features were used.

3 months agoconfigure: Enforce tss-tss2 if tpm plugin is enabled
Tobias Brunner [Fri, 20 Aug 2021 08:45:44 +0000 (10:45 +0200)]
configure: Enforce tss-tss2 if tpm plugin is enabled

The plugin is useless without a TSS 2.0 and this is currently the only one.

3 months agoopenssl: Use a longer key to test/initialize HMAC instances
Tobias Brunner [Mon, 16 Aug 2021 08:50:01 +0000 (10:50 +0200)]
openssl: Use a longer key to test/initialize HMAC instances

OpenSSL enforces a minimum of 14 bytes (112 bits) on the key size when
used in FIPS-mode (as required by SP 800-131A).  So by using an empty
string, instantiation always failed.  32 bytes (256 bits) should be safe
for now.

Closes strongswan/strongswan#557

3 months agotesting: Fix build of tkm and tkm-rpc
Tobias Brunner [Tue, 17 Aug 2021 17:20:45 +0000 (19:20 +0200)]
testing: Fix build of tkm and tkm-rpc

3 months agogithub: Use latest version of SonarScanner
Tobias Brunner [Mon, 16 Aug 2021 09:24:14 +0000 (11:24 +0200)]
github: Use latest version of SonarScanner

3 months agokernel-netlink: Initialize ifreq structs when detecting offload capability
Tobias Brunner [Wed, 11 Aug 2021 13:35:52 +0000 (15:35 +0200)]
kernel-netlink: Initialize ifreq structs when detecting offload capability

4 months agogitignore: Add nbproject/
Noel Kuntze [Fri, 23 Jul 2021 21:29:23 +0000 (23:29 +0200)]
gitignore: Add nbproject/

As used by the NetBeans IDE.

Closes strongswan/strongswan#505.