8 weeks ago  testing: Extended swanctl/rw-qske-l1 scenario  [ikev2-qske-notify]
Andreas Steffen [Mon, 29 Oct 2018 11:34:26 +0000 (12:34 +0100)]
testing: Extended swanctl/rw-qske-l1 scenario

8 weeks ago  wip
Tobias Brunner [Mon, 23 Jul 2018 16:14:28 +0000 (18:14 +0200)]

8 weeks ago  wip: unit-tests: Add QSKE exchange tests
Tobias Brunner [Mon, 16 Jul 2018 13:50:56 +0000 (15:50 +0200)]
wip: unit-tests: Add QSKE exchange tests

wip: IKE rekey collisions are not properly handled at all. The passive
rekey job is adopted by the active one, and is therefore not able to
handle the IKE_AUX request.

8 weeks ago  unit-tests: Add mock QSKE implementation
Tobias Brunner [Mon, 16 Jul 2018 13:50:09 +0000 (15:50 +0200)]
unit-tests: Add mock QSKE implementation

8 weeks ago  ike-sa-manager: Log SPIs when checking in an IKE_SA
Tobias Brunner [Mon, 16 Jul 2018 13:48:30 +0000 (15:48 +0200)]
ike-sa-manager: Log SPIs when checking in an IKE_SA

8 weeks ago  wip: CHILD_SA rekey and creation testing
Tobias Brunner [Fri, 13 Jul 2018 16:45:53 +0000 (18:45 +0200)]
wip: CHILD_SA rekey and creation testing

8 weeks ago  ikev2: Use hashes to detect retransmits
Tobias Brunner [Mon, 23 Jul 2018 15:49:15 +0000 (17:49 +0200)]
ikev2: Use hashes to detect retransmits

We avoid parsing messages with unexpected message IDs.  This allows us to
process and detect retransmits of messages for which we don't have the keys
anymore (i.e. IKE_AUX after IKE_SA_INIT and changing the keys).

This also changes how retransmits for fragmented messages are triggered,
previously we waited for all fragments and reconstructed the message
before retransmitting the response.  Now we only track the first
fragment and if we receive a retransmit of it respond immediately
without waiting for other fragments (which are now ignored).  This is in
compliance with RFC 7383, section 2.6.1.

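The responder-side logic described in the commit above, as an added example that is not strongSwan's task-manager code: only the expected message ID is parsed, a retransmit of the request that was answered last is recognised by comparing the hash of its first fragment, and the cached response is resent at once while the remaining fragments of the retransmit are ignored (RFC 7383, section 2.6.1). Messages are modelled as `(mid, fragment number, fragment total, bytes)` tuples, and the handler, payload bytes and return labels are constructed for the example.

```python
import hashlib


class Responder:
    """Retransmit detection for inbound IKEv2 requests (added example)."""

    def __init__(self, handler):
        self.handler = handler          # builds the response for a complete request
        self.expected_mid = 0           # the only MID we are willing to parse
        self.fragments = {}             # fragment number -> bytes for expected_mid
        self.last_hash = None           # SHA-256 of first fragment of the last answered request
        self.last_response = None       # cached response to resend for a retransmit

    def receive(self, mid, frag_num, frag_total, raw):
        """Return (action, response_or_None) for one inbound datagram."""
        if mid == self.expected_mid - 1:
            # Candidate retransmit of the request we answered last.  Only the
            # first fragment is hashed and compared; nothing is reassembled or
            # parsed, so this works even after the keys have changed.
            if frag_num == 1 and hashlib.sha256(raw).digest() == self.last_hash:
                return ("retransmit", self.last_response)
            return ("ignore", None)
        if mid != self.expected_mid:
            # Unexpected MID: dropped before any parsing work is done.
            return ("drop", None)
        self.fragments[frag_num] = raw
        if len(self.fragments) < frag_total:
            return ("wait", None)
        message = b"".join(self.fragments[i] for i in range(1, frag_total + 1))
        response = self.handler(mid, message)
        self.last_hash = hashlib.sha256(self.fragments[1]).digest()
        self.last_response = response
        self.fragments = {}
        self.expected_mid += 1
        return ("processed", response)


def echo_handler(mid, message):
    # Constructed stand-in for real request processing.
    return b"RESP:%d:%d" % (mid, len(message))


def demo():
    """Run a fragmented request, its retransmit and a stray MID; return the actions."""
    r = Responder(echo_handler)
    events = [
        (0, 1, 2, b"IKE_AUX-frag1"),        # wait (first of two fragments)
        (0, 2, 2, b"IKE_AUX-frag2"),        # processed (message complete)
        (0, 1, 2, b"IKE_AUX-frag1"),        # retransmit (hash of fragment 1 matches)
        (0, 2, 2, b"IKE_AUX-frag2"),        # ignore (not waited for)
        (0, 1, 2, b"IKE_AUX-frag1-bogus"),  # ignore (hash mismatch, not parsed)
        (7, 1, 1, b"out-of-window"),        # drop (unexpected MID, not parsed)
        (1, 1, 1, b"IKE_AUTH"),             # processed
    ]
    return [r.receive(*e)[0] for e in events]


if __name__ == "__main__":
    print(demo())
```

The hash is taken over the first fragment's raw bytes rather than the reassembled message, which is what allows the response to go out as soon as that one datagram is seen again.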
8 weeks ago  child-create: Change how DH group/QSKE mechanism is determined
Tobias Brunner [Fri, 20 Jul 2018 15:44:14 +0000 (17:44 +0200)]
child-create: Change how DH group/QSKE mechanism is determined

Either reuse algorithms previously used (rekeying) or use the IKE_SA's
proposal to determine a preferred group/mechanism.

8 weeks ago  child-cfg: Add method to check if an algorithm is proposed
Tobias Brunner [Fri, 20 Jul 2018 15:43:24 +0000 (17:43 +0200)]
child-cfg: Add method to check if an algorithm is proposed

8 weeks ago  unit-tests: Fix CHILD_SA rekey tests after INVALID_KE_PAYLOAD handling changes
Tobias Brunner [Fri, 20 Jul 2018 12:12:48 +0000 (14:12 +0200)]
unit-tests: Fix CHILD_SA rekey tests after INVALID_KE_PAYLOAD handling changes

The responder doesn't create a CHILD_SA and allocate an SPI anymore
when responding with an INVALID_KE_PAYLOAD notify.

8 weeks ago  wip: child-create: Prototypical support for QSKE mechanisms
Tobias Brunner [Fri, 13 Jul 2018 14:07:43 +0000 (16:07 +0200)]
wip: child-create: Prototypical support for QSKE mechanisms

wip: For some errors a more specific notify might be preferable (e.g.
INVALID_SYNTAX if a QSKE payload is missing or an exchange other than
IKE_AUX follows CREATE_CHILD_SA if a QSKE mechanism was negotiated).

8 weeks ago  oqs: Allow different paths to generate/encapsulate the shared secret
Tobias Brunner [Fri, 20 Jul 2018 14:02:19 +0000 (16:02 +0200)]
oqs: Allow different paths to generate/encapsulate the shared secret

This way we don't have to generate the QSKE payload before we can query
the shared secret.

8 weeks ago  keymat_v2: Add optional qske_t argument to derive_child_keys()
Tobias Brunner [Fri, 13 Jul 2018 13:31:34 +0000 (15:31 +0200)]
keymat_v2: Add optional qske_t argument to derive_child_keys()

8 weeks ago  child-cfg: Generalize get_dh_group() method
Tobias Brunner [Fri, 20 Jul 2018 09:11:00 +0000 (11:11 +0200)]
child-cfg: Generalize get_dh_group() method

8 weeks ago  child-cfg: Strip QSKE mechanisms from ESP proposal when we strip DH groups
Tobias Brunner [Mon, 9 Jul 2018 14:59:05 +0000 (16:59 +0200)]
child-cfg: Strip QSKE mechanisms from ESP proposal when we strip DH groups

8 weeks ago  wip: keymat_v2: Cache initial IKE messages for auth octets
Tobias Brunner [Tue, 10 Jul 2018 14:26:58 +0000 (16:26 +0200)]
wip: keymat_v2: Cache initial IKE messages for auth octets

This avoids pre-generating the message to be sent and supports fragments
as used for IKE_AUX.

In scenarios with IKE_AUX this basically changes the auth octets as follows:

  InitiatorSignedOctets = RealMessage1(INIT) | RealMessage3(AUX) | ...
                          NonceRData | MACedIDForI


  ResponderSignedOctets = RealMessage2(INIT) | RealMessage4(AUX) | ...
                          NonceIData | MACedIDForR

wip: Since this requires keeping around quite some data, alternatives would
be to hash the message (with some negotiated or fixed hash function) or
applying the PRF (if it is QC-safe, e.g. with a zero key or the ones we
derived from DH).

8 weeks ago  testing: Added swanctl/rw-qske-l1 and swanctl/rw-qske-l5 scenarios
Andreas Steffen [Mon, 18 Jun 2018 22:06:35 +0000 (00:06 +0200)]
testing: Added swanctl/rw-qske-l1 and swanctl/rw-qske-l5 scenarios

8 weeks ago  ike-rekey: Reset IKE_SA after processing CREATE_CHILD_SA request
Tobias Brunner [Tue, 10 Jul 2018 12:36:28 +0000 (14:36 +0200)]
ike-rekey: Reset IKE_SA after processing CREATE_CHILD_SA request

This probably didn't cause any problems, as there wasn't really anything
happening between the calls, but reset it anyway, just to be safe.

8 weeks ago  wip: ike-init: Prototypical (optional) IKE_AUX exchange for QSKE mechanisms
Tobias Brunner [Mon, 25 Jun 2018 15:19:39 +0000 (17:19 +0200)]
wip: ike-init: Prototypical (optional) IKE_AUX exchange for QSKE mechanisms

The QSKE payloads are, by default, exchanged in a separate IKE_AUX exchange
after IKE_SA_INIT to leverage IKEv2 fragmentation.  It would be possible
to do that directly in IKE_SA_INIT (DH is currently not optional, though).

Rekeying is always done with a single CREATE_CHILD_SA exchange (again,
DH is currently not optional).

The key material is derived by concatenating the DH and QSKE secrets.

wip: DH could theoretically be made optional if QSKE is used (only during
rekeying, or when not using IKE_AUX also during IKE_SA_INIT)

wip: HA and the ike_keys() hook on listener_t currently handle only
classic key derivation.

wip: Retransmits of IKE_AUX requests will fail after changing the keys?
We either have to keep the old keys around, or use hashes to detect
retransmits (tricky with fragments, unless we retransmit the message
even if we receive the retransmit of just one fragment).

8 weeks ago  notify-payload: Add INVALID_QSKE_PAYLOAD notify type
Tobias Brunner [Thu, 19 Jul 2018 10:08:19 +0000 (12:08 +0200)]
notify-payload: Add INVALID_QSKE_PAYLOAD notify type

8 weeks ago  ike-cfg: Generalize get_dh_group() method
Tobias Brunner [Thu, 19 Jul 2018 14:53:01 +0000 (16:53 +0200)]
ike-cfg: Generalize get_dh_group() method

8 weeks ago  proposal: Generalize DH methods
Tobias Brunner [Mon, 9 Jul 2018 14:27:04 +0000 (16:27 +0200)]
proposal: Generalize DH methods

8 weeks ago  keymat_v2: Add optional qske_t argument to derive_ike_keys()
Tobias Brunner [Thu, 28 Jun 2018 09:40:49 +0000 (11:40 +0200)]
keymat_v2: Add optional qske_t argument to derive_ike_keys()

If given, its shared secret is appended to the secret provided by the
diffie_hellman_t implementation.

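The hybrid derivation described in this commit and in the ike-init commit above ("the key material is derived by concatenating the DH and QSKE secrets"), as an added example that is not strongSwan's keymat_v2 code: RFC 7296 sections 2.13 (prf+) and 2.14/2.18 (initial and rekey SKEYSEED) with PRF_HMAC_SHA2_256, where the QSKE shared secret is appended to g^ir before SKEYSEED is computed. The nonces, SPIs, secrets and key sizes (AES-128, HMAC-SHA-256) are constructed sample values; the order DH-then-QSKE is what the commit states, the rest of the layout follows the RFC.

```python
import hashlib
import hmac


def prf(key, data):
    """PRF_HMAC_SHA2_256 (RFC 4868)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key, seed, length):
    """prf+ of RFC 7296 2.13: T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n), n <= 255."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        if n > 255:
            raise ValueError("prf+ is limited to 255 output blocks")
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]


# SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr, sizes for HMAC-SHA-256 / AES-128
KEY_LAYOUT = (("SK_d", 32), ("SK_ai", 32), ("SK_ar", 32), ("SK_ei", 16),
              ("SK_er", 16), ("SK_pi", 32), ("SK_pr", 32))


def derive_ike_keys(dh_secret, ni, nr, spi_i, spi_r, qske_secret=None, old_sk_d=None):
    """SK_* keys of RFC 7296 2.14 (initial) or 2.18 (rekey, when old_sk_d is given).

    With a QSKE secret the value fed into SKEYSEED is g^ir || qske_ss, the
    concatenation the commits describe (DH secret first, as stated there)."""
    shared = dh_secret + (qske_secret or b"")
    if old_sk_d is None:
        skeyseed = prf(ni + nr, shared)                  # SKEYSEED = prf(Ni|Nr, g^ir)
    else:
        skeyseed = prf(old_sk_d, shared + ni + nr)       # prf(SK_d(old), g^ir(new)|Ni|Nr)
    km = prf_plus(skeyseed, ni + nr + spi_i + spi_r, sum(n for _, n in KEY_LAYOUT))
    keys, off = {}, 0
    for name, size in KEY_LAYOUT:
        keys[name] = km[off:off + size]
        off += size
    return keys


def demo():
    """Classic vs. hybrid derivation on constructed inputs; returns both key sets."""
    ni, nr = bytes(range(32)), bytes(range(32, 64))                  # constructed nonces
    spi_i, spi_r = bytes.fromhex("0102030405060708"), bytes.fromhex("1112131415161718")
    g_ir = hashlib.sha256(b"constructed DH shared secret").digest()
    qske_ss = hashlib.sha256(b"constructed KEM shared secret").digest()
    classic = derive_ike_keys(g_ir, ni, nr, spi_i, spi_r)
    hybrid = derive_ike_keys(g_ir, ni, nr, spi_i, spi_r, qske_secret=qske_ss)
    return classic, hybrid


if __name__ == "__main__":
    classic, hybrid = demo()
    for name in classic:
        print(f"{name:5s} classic={classic[name].hex()[:16]}.. hybrid={hybrid[name].hex()[:16]}..")
```

Because the QSKE secret only enters through SKEYSEED, every derived key changes when it is present, and an attacker who can break the DH exchange but not the KEM still learns nothing about SK_*.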
8 weeks ago  keymat_v2: Proper cleanup if derive_ike_keys() is called multiple times
Tobias Brunner [Thu, 28 Jun 2018 13:33:35 +0000 (15:33 +0200)]
keymat_v2: Proper cleanup if derive_ike_keys() is called multiple times

8 weeks ago  keymat_v2: Add method to create QSKE implementation
Tobias Brunner [Thu, 28 Jun 2018 09:38:54 +0000 (11:38 +0200)]
keymat_v2: Add method to create QSKE implementation

8 weeks ago  ikev2: Allow tasks to do work after generating requests/responses
Tobias Brunner [Thu, 28 Jun 2018 08:44:40 +0000 (10:44 +0200)]
ikev2: Allow tasks to do work after generating requests/responses

8 weeks ago  task: Add optional post_build() method
Tobias Brunner [Thu, 28 Jun 2018 08:44:03 +0000 (10:44 +0200)]
task: Add optional post_build() method

This will allow tasks to do some work after the message has been

8 weeks ago  unit-tests: Use a simple default IKE proposal to avoid issues with IKE_AUX
Tobias Brunner [Tue, 26 Jun 2018 08:13:05 +0000 (10:13 +0200)]
unit-tests: Use a simple default IKE proposal to avoid issues with IKE_AUX

The exchange tests don't expect an IKE_AUX exchange so we don't want any
QSKE methods getting negotiated (in case they are proposed in the default

8 weeks ago  ike-auth: Support IKE_AUX exchange between IKE_SA_INIT and IKE_AUTH
Tobias Brunner [Mon, 25 Jun 2018 12:27:16 +0000 (14:27 +0200)]
ike-auth: Support IKE_AUX exchange between IKE_SA_INIT and IKE_AUTH

8 weeks ago  child-create: Support IKE_AUX exchange between IKE_SA_INIT and IKE_AUTH
Tobias Brunner [Mon, 25 Jun 2018 12:14:59 +0000 (14:14 +0200)]
child-create: Support IKE_AUX exchange between IKE_SA_INIT and IKE_AUTH

Handling of IKE_AUX when creating new CHILD_SAs or rekeying is not yet

8 weeks ago  ike-mobike: Support IKE_AUX exchange between IKE_SA_INIT and IKE_AUTH
Tobias Brunner [Mon, 25 Jun 2018 12:03:56 +0000 (14:03 +0200)]
ike-mobike: Support IKE_AUX exchange between IKE_SA_INIT and IKE_AUTH

This changes the MID of the first IKE_AUTH message.

8 weeks ago  ike-config: Support IKE_AUX exchange between IKE_SA_INIT and IKE_AUTH
Tobias Brunner [Mon, 25 Jun 2018 10:32:27 +0000 (12:32 +0200)]
ike-config: Support IKE_AUX exchange between IKE_SA_INIT and IKE_AUTH

This changes the MID of the first IKE_AUTH message.

8 weeks ago  ike-cert-post: Make absolutely sure certificates are only added to IKE_AUTH
Tobias Brunner [Mon, 25 Jun 2018 10:23:50 +0000 (12:23 +0200)]
ike-cert-post: Make absolutely sure certificates are only added to IKE_AUTH

The AUTH payload check should be fine, but add some extra checks just to make
really sure and also for clarification.

8 weeks ago  ike-cert-pre: Support IKE_AUX exchange between IKE_SA_INIT and IKE_AUTH
Tobias Brunner [Mon, 25 Jun 2018 10:07:50 +0000 (12:07 +0200)]
ike-cert-pre: Support IKE_AUX exchange between IKE_SA_INIT and IKE_AUTH

The first IKE_AUTH does not have MID 1 if that's the case.

8 weeks ago  status: Add return_need_more() utility function
Tobias Brunner [Fri, 13 Jul 2018 12:52:05 +0000 (14:52 +0200)]
status: Add return_need_more() utility function

8 weeks ago  test-vectors: Added QSKE vectors
Andreas Steffen [Tue, 10 Jul 2018 07:31:26 +0000 (09:31 +0200)]
test-vectors: Added QSKE vectors

8 weeks ago  scripts: nist-kam-kat generates KEM KAT test data
Andreas Steffen [Fri, 6 Jul 2018 06:06:16 +0000 (08:06 +0200)]
scripts: nist-kam-kat generates KEM KAT test data

The script converts the Known-Answers-Test data (KAT) for the NIST
post-quantum round 1 submission Key Encapsulation Mechanism (KEM)
candidates into a C struct amenable for our unit-tests.

8 weeks ago  unit-tests: Tests for oqs plugin
Andreas Steffen [Wed, 4 Jul 2018 17:15:41 +0000 (19:15 +0200)]
unit-tests: Tests for oqs plugin

8 weeks ago  unit-tests: Fixed newhope plugin test
Andreas Steffen [Wed, 4 Jul 2018 17:12:19 +0000 (19:12 +0200)]
unit-tests: Fixed newhope plugin test

8 weeks ago  oqs: Created QSKE plugin based on OQS library
Andreas Steffen [Wed, 27 Jun 2018 11:22:58 +0000 (13:22 +0200)]
oqs: Created QSKE plugin based on OQS library

8 weeks ago  qske-newhope: Created NewHope QSKE plugin
Andreas Steffen [Wed, 20 Jun 2018 12:51:07 +0000 (14:51 +0200)]
qske-newhope: Created NewHope QSKE plugin

8 weeks ago  stroke: Support for QSKE mechanisms
Andreas Steffen [Thu, 21 Jun 2018 08:23:52 +0000 (10:23 +0200)]
stroke: Support for QSKE mechanisms

8 weeks ago  swanctl: Support for QSKE mechanisms
Andreas Steffen [Mon, 18 Jun 2018 22:30:11 +0000 (00:30 +0200)]
swanctl: Support for QSKE mechanisms

8 weeks ago  vici: Support for QSKE mechanisms
Andreas Steffen [Mon, 18 Jun 2018 22:29:39 +0000 (00:29 +0200)]
vici: Support for QSKE mechanisms

8 weeks ago  encoding: Transport of QSKE payload via IKE_AUX
Andreas Steffen [Mon, 18 Jun 2018 15:48:04 +0000 (17:48 +0200)]
encoding: Transport of QSKE payload via IKE_AUX

8 weeks ago  crypto: Support for QSKE mechanisms
Andreas Steffen [Mon, 18 Jun 2018 15:43:11 +0000 (17:43 +0200)]
crypto: Support for QSKE mechanisms

A new transform type for Quantum-Safe Key Encapsulation (QSKE)
mechanisms is defined.

2 months ago  NEWS: More news for 5.7.2
Tobias Brunner [Tue, 18 Dec 2018 13:48:18 +0000 (14:48 +0100)]
NEWS: More news for 5.7.2

2 months ago  Fixed some typos, courtesy of codespell
Tobias Brunner [Tue, 18 Dec 2018 10:14:19 +0000 (11:14 +0100)]
Fixed some typos, courtesy of codespell

2 months ago  Merge branch 'radius-accounting-unclaimed'
Tobias Brunner [Tue, 18 Dec 2018 09:34:17 +0000 (10:34 +0100)]
Merge branch 'radius-accounting-unclaimed'

Adds all IPs to RADIUS Accounting-Stop messages even those not claimed by
a client.  For instance, if the connection fails with FAILED_CP_REQUIRED,
adding the unclaimed addresses allows the RADIUS server to release the
leases early.

Fixes #2856.

2 months ago  eap-radius: Don't clear unclaimed IPs early if accounting is enabled
Tobias Brunner [Tue, 11 Dec 2018 10:46:18 +0000 (11:46 +0100)]
eap-radius: Don't clear unclaimed IPs early if accounting is enabled

2 months ago  eap-radius: Add unclaimed IPs to Accounting-Stop messages
Tobias Brunner [Tue, 11 Dec 2018 10:07:05 +0000 (11:07 +0100)]
eap-radius: Add unclaimed IPs to Accounting-Stop messages

Some RADIUS servers may use these to release them early.

2 months ago  eap-radius: Add method to explicitly clear unclaimed IPs
Tobias Brunner [Tue, 11 Dec 2018 10:00:59 +0000 (11:00 +0100)]
eap-radius: Add method to explicitly clear unclaimed IPs

Instead of just enumerating them, removing and then destroying the entry
avoids having to keep the mutex locked.

2 months ago  eap-radius: Add RADIUS Accounting session ID to Access-Request messages
Tobias Brunner [Fri, 14 Dec 2018 08:26:51 +0000 (09:26 +0100)]
eap-radius: Add RADIUS Accounting session ID to Access-Request messages

This allows e.g. associating database entries for IP leases and
accounting directly from the start.

Fixes #2853.

2 months ago  swanctl: Make credential directories relative to swanctl.conf
Tobias Brunner [Wed, 12 Dec 2018 10:30:09 +0000 (11:30 +0100)]
swanctl: Make credential directories relative to swanctl.conf

All directories are now considered relative to the loaded swanctl.conf
file, in particular, when loading it from a custom location via --file
argument.  The base directory, which is used if no custom location for
swanctl.conf is specified, is now also configurable at runtime via
SWANCTL_DIR environment variable.

Closes strongswan/strongswan#120.

2 months ago  openssl: Make sure to release the functional ENGINE reference
Tobias Brunner [Tue, 11 Dec 2018 13:53:23 +0000 (14:53 +0100)]
openssl: Make sure to release the functional ENGINE reference

The functional reference created by ENGINE_init() was never released,
only the structural one created by ENGINE_by_id().  The functional
reference includes an implicit structural reference, which is also
released by ENGINE_finish().

Closes strongswan/strongswan#119.

2 months ago  Version bump to 5.7.2dr4  [5.7.2dr4]
Andreas Steffen [Sun, 9 Dec 2018 18:53:31 +0000 (19:53 +0100)]
Version bump to 5.7.2dr4

2 months ago  libimcv: Updated openssl version in IMV database
Andreas Steffen [Sun, 9 Dec 2018 18:53:05 +0000 (19:53 +0100)]
libimcv: Updated openssl version in IMV database

2 months ago  testing: Migrated ikev2 scenarios to swanctl
Andreas Steffen [Thu, 15 Nov 2018 15:05:56 +0000 (16:05 +0100)]
testing: Migrated ikev2 scenarios to swanctl

2 months ago  Merge branch 'ikev1-adopt-child-tasks'
Tobias Brunner [Fri, 7 Dec 2018 09:38:32 +0000 (10:38 +0100)]
Merge branch 'ikev1-adopt-child-tasks'

Makes sure to adopt active and queued Quick Mode tasks if the peer
reauthenticates the IKE_SA while creating lots of CHILD_SAs.

Closes strongswan/strongswan#117.

2 months ago  ike: Implement adopt_child_tasks() outside task managers
Tobias Brunner [Wed, 28 Nov 2018 14:21:44 +0000 (15:21 +0100)]
ike: Implement adopt_child_tasks() outside task managers

2 months ago  adopt-children-job: Adopt child-creating tasks from the old IKE_SA
Tobias Brunner [Wed, 28 Nov 2018 14:09:55 +0000 (15:09 +0100)]
adopt-children-job: Adopt child-creating tasks from the old IKE_SA

2 months ago  ike-sa: Expose task_manager_t::remove_task()
Tobias Brunner [Wed, 28 Nov 2018 13:54:31 +0000 (14:54 +0100)]
ike-sa: Expose task_manager_t::remove_task()

2 months ago  task-manager: Add method to remove a task from a queue
Tobias Brunner [Wed, 28 Nov 2018 13:50:09 +0000 (14:50 +0100)]
task-manager: Add method to remove a task from a queue

2 months ago  ike-sa-manager: Migrate child creating tasks during IKEv1 reauth
Tobias Brunner [Tue, 20 Nov 2018 09:49:07 +0000 (10:49 +0100)]
ike-sa-manager: Migrate child creating tasks during IKEv1 reauth

2 months ago  ike-sa: Expose task_manager_t::adopt_child_tasks()
Tobias Brunner [Tue, 20 Nov 2018 09:48:01 +0000 (10:48 +0100)]
ike-sa: Expose task_manager_t::adopt_child_tasks()

2 months ago  charon-cmd: Register atexit() handler for libcharon_deinit twice
Tobias Brunner [Thu, 6 Dec 2018 14:01:52 +0000 (15:01 +0100)]
charon-cmd: Register atexit() handler for libcharon_deinit twice

Similar to cbe9e575eef5, this avoids issues with libraries that are
pulled in via plugins and register their own atexit() handlers.

2 months ago  ikev2: Don't recreate IKE_SA if deletion fails after make-before-break reauth
Tobias Brunner [Wed, 5 Dec 2018 11:24:55 +0000 (12:24 +0100)]
ikev2: Don't recreate IKE_SA if deletion fails after make-before-break reauth

Fixes: 745714307256 ("During reauthentication reestablish IKE_SA even if deleting the old one fails.")
Fixes #2847.

2 months ago  ikev2: Ignore COOKIE notifies we already received
Tobias Brunner [Wed, 28 Nov 2018 14:52:27 +0000 (15:52 +0100)]
ikev2: Ignore COOKIE notifies we already received

This could be due to a delayed response to an IKE_SA_INIT retransmit.

Fixes #2837.

2 months ago  ha: Add auth method for HA IKEv1 key derivation
Thomas Egerer [Thu, 22 Nov 2018 17:08:51 +0000 (18:08 +0100)]
ha: Add auth method for HA IKEv1 key derivation

Signed-off-by: Thomas Egerer <>

2 months ago  Merge branch 'ha-pool-offset'
Tobias Brunner [Fri, 7 Dec 2018 09:16:21 +0000 (10:16 +0100)]
Merge branch 'ha-pool-offset'

Ensure an even distribution of a pool's addresses among all segments.

Fixes #2828.

2 months ago  ha: Divide virtual IPs evenly among all segments
Tobias Brunner [Tue, 20 Nov 2018 15:40:21 +0000 (16:40 +0100)]
ha: Divide virtual IPs evenly among all segments

2 months ago  ha: Add getter for the number of segments
Tobias Brunner [Tue, 20 Nov 2018 15:39:04 +0000 (16:39 +0100)]
ha: Add getter for the number of segments

2 months ago  ha: Improve distribution of pool addresses over segments
Tobias Brunner [Tue, 20 Nov 2018 11:50:05 +0000 (12:50 +0100)]
ha: Improve distribution of pool addresses over segments

This is particularly important for higher numbers of segments, but even
with small numbers there is a significant difference.  For instance,
with 4 segments the fourth segment had no IPs assigned with the old
code, no matter how large the pool, because none of the eight bits used
for the segment check hashed/mapped to it.

2 months ago  kernel-pfkey: Read reqid directly from acquire if possible
Tobias Brunner [Mon, 22 Oct 2018 08:12:25 +0000 (10:12 +0200)]
kernel-pfkey: Read reqid directly from acquire if possible

Upcoming versions of FreeBSD will include an SADB_X_EXT_SA2 extension in
acquires that contains the reqid set on the matching policy.  This allows
handling acquires even when no policies are installed (e.g. to work with
FreeBSD's implementation of VTI interfaces, which manage policies

2 months ago  ikev2: Only set STAT_INBOUND for valid and expected messages
Tobias Brunner [Mon, 19 Nov 2018 09:18:27 +0000 (10:18 +0100)]
ikev2: Only set STAT_INBOUND for valid and expected messages

2 months ago  scepclient: Don't use a block-scope buffer for the default DN
Tobias Brunner [Fri, 30 Nov 2018 09:28:50 +0000 (10:28 +0100)]
scepclient: Don't use a block-scope buffer for the default DN

The correct behavior will depend on the compiler.

Fixes #2843.

2 months ago  Merge branch 'openssl-25519/448'
Tobias Brunner [Fri, 30 Nov 2018 15:45:47 +0000 (16:45 +0100)]
Merge branch 'openssl-25519/448'

Adds support for X25519/448 and Ed25519/448 via OpenSSL 1.1.1.

2 months ago  travis: Don't run sonarcloud in forked repositories
Tobias Brunner [Fri, 23 Nov 2018 08:37:07 +0000 (09:37 +0100)]
travis: Don't run sonarcloud in forked repositories

2 months ago  travis: Use the latest OpenSSL release for unit tests
Tobias Brunner [Thu, 22 Nov 2018 14:38:49 +0000 (15:38 +0100)]
travis: Use the latest OpenSSL release for unit tests

But also run the unit tests against the 1.0 version installed with
Ubuntu 16.04.

2 months ago  travis: Only use GCC for crypto plugin tests
Tobias Brunner [Thu, 22 Nov 2018 17:30:46 +0000 (18:30 +0100)]
travis: Only use GCC for crypto plugin tests

They are already build-tested with Clang via "all" and others.

2 months ago  unit-tests: Add test suite for Ed448
Tobias Brunner [Fri, 16 Nov 2018 10:44:17 +0000 (11:44 +0100)]
unit-tests: Add test suite for Ed448

Same issue with signature malleability as with Ed25519 and apparently
OpenSSL doesn't even explicitly verify that the most significant 10 bits
are all zero.

2 months ago  unit-tests: Add fingerprint test vectors for Ed25519
Tobias Brunner [Fri, 30 Nov 2018 14:34:32 +0000 (15:34 +0100)]
unit-tests: Add fingerprint test vectors for Ed25519

2 months ago  curve25519: Prevent Ed25519 signature malleability
Tobias Brunner [Fri, 16 Nov 2018 14:48:56 +0000 (15:48 +0100)]
curve25519: Prevent Ed25519 signature malleability

As per RFC 8032, section 5.1.7 (and section 8.4) we have to make sure s, which
is the scalar in the second half of the signature value, is smaller than L.
Without that check, L can be added to most signatures at least once to create
another valid signature for the same public key and message.

This could be problematic if, for instance, a blacklist is based on hashes
of certificates.  A new certificate could be created with a different
signature (without knowing the signature key) by simply adding L to s.

Currently, both OpenSSL 1.1.1 and Botan 2.8.0 are vulnerable to this, which is
why the unit test currently only warns about it.

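The s < L check this commit adds, and the corresponding top-bits condition the Ed448 test-suite commit above mentions, shown on an added example that is not strongSwan, OpenSSL or Botan code: a minimal pure-Python Ed25519 written after the RFC 8032 reference implementation (plain double-and-add, not constant time, no on-curve check on decoding; only fit for illustration). `verify()` can skip the canonical-s check so that the effect described in the commit is visible: adding L to s yields a second, differently hashed signature that still satisfies [S]B = R + [k]A, because [L]B is the identity. The demo key and message are constructed; the public key of RFC 8032 section 7.1, TEST 1, is used as a known-answer check that the arithmetic is the standard curve.

```python
import hashlib

q = 2**255 - 19                                        # field prime
L = 2**252 + 27742317777372353535851937790883648493    # order of the base point
L448 = 2**446 - 13818066809895115352007386748515426880336692474882178609894547503885


def inv(x):
    return pow(x, q - 2, q)


d = -121665 * inv(121666) % q                          # curve constant
I = pow(2, (q - 1) // 4, q)                            # sqrt(-1) mod q


def xrecover(y):
    """Even x coordinate for a given y (RFC 8032 5.1.3)."""
    xx = (y * y - 1) * inv(d * y * y + 1) % q
    x = pow(xx, (q + 3) // 8, q)
    if (x * x - xx) % q != 0:
        x = x * I % q
    return q - x if x & 1 else x


By = 4 * inv(5) % q
B = (xrecover(By), By)                                 # base point


def edwards_add(P, Q):
    x1, y1 = P
    x2, y2 = Q
    t = d * x1 * x2 * y1 * y2 % q
    den = inv((1 + t) * (1 - t) % q)                   # one inversion serves both coordinates
    return ((x1 * y2 + x2 * y1) * (1 - t) * den % q,
            (y1 * y2 + x1 * x2) * (1 + t) * den % q)


def scalar_mult(P, e):
    """Plain double-and-add; not constant time, demo only."""
    Q = (0, 1)
    while e:
        if e & 1:
            Q = edwards_add(Q, P)
        P = edwards_add(P, P)
        e >>= 1
    return Q


def encode_point(P):
    x, y = P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")


def decode_point(s):
    n = int.from_bytes(s, "little")
    y = n & ((1 << 255) - 1)
    x = xrecover(y)
    if (x & 1) != n >> 255:
        x = q - x
    return (x, y)


def secret_scalar(sk):
    h = hashlib.sha512(sk).digest()
    a = int.from_bytes(h[:32], "little")
    return (a & ((1 << 254) - 8)) | (1 << 254), h[32:]   # clamped scalar, prefix


def public_key(sk):
    return encode_point(scalar_mult(B, secret_scalar(sk)[0]))


def sign(sk, msg):
    a, prefix = secret_scalar(sk)
    pk = public_key(sk)
    r = int.from_bytes(hashlib.sha512(prefix + msg).digest(), "little") % L
    R = encode_point(scalar_mult(B, r))
    k = int.from_bytes(hashlib.sha512(R + pk + msg).digest(), "little") % L
    return R + ((r + k * a) % L).to_bytes(32, "little")


def s_is_canonical(sig, order=L):
    """RFC 8032 5.1.7 (Ed25519) or 5.2.7 with order=L448 on a 114-byte Ed448 signature: s < L."""
    return int.from_bytes(sig[len(sig) // 2:], "little") < order


def verify(pk, msg, sig, check_canonical=True):
    if check_canonical and not s_is_canonical(sig):
        return False
    R, S = sig[:32], int.from_bytes(sig[32:], "little")
    k = int.from_bytes(hashlib.sha512(R + pk + msg).digest(), "little") % L
    # [S]B == R + [k]A holds for S + L as well, since [L]B is the identity;
    # that is exactly what the missing check lets through.
    return scalar_mult(B, S) == edwards_add(decode_point(R), scalar_mult(decode_point(pk), k))


def malleate(sig):
    """Second valid encoding: same R, s + L (fits in 32 bytes as long as s + L < 2^256)."""
    return sig[:32] + (int.from_bytes(sig[32:], "little") + L).to_bytes(32, "little")


def rfc8032_test1_pubkey_ok():
    sk = bytes.fromhex("9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60")
    return public_key(sk).hex() == "d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a"


if __name__ == "__main__":
    sk = b"\x42" * 32                                  # constructed demo key
    pk, msg = public_key(sk), b"constructed certificate bytes"
    sig = sign(sk, msg)
    forged = malleate(sig)
    print("RFC 8032 test 1 key ok:", rfc8032_test1_pubkey_ok())
    print("original verifies:", verify(pk, msg, sig))
    print("s+L accepted without check:", verify(pk, msg, forged, check_canonical=False))
    print("s+L rejected with check:", verify(pk, msg, forged))
    print("hash of signed object differs:", hashlib.sha256(sig).digest() != hashlib.sha256(forged).digest())
```

For Ed448 the same comparison against L448 on the 57-byte s is equivalent to the "most significant 10 bits are zero" condition only as a necessary part of it; the full check is still s < L448.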
2 months ago  openssl: Use separate DRBG for RNG_STRONG and RNG_TRUE with OpenSSL 1.1.1
Tobias Brunner [Fri, 16 Nov 2018 10:11:27 +0000 (11:11 +0100)]
openssl: Use separate DRBG for RNG_STRONG and RNG_TRUE with OpenSSL 1.1.1

OpenSSL 1.1.1 introduces DRBGs and provides two sources (same security
profile etc. but separate internal state), which allows us to use one for
RNG_WEAK (e.g. for nonces that are directly publicly visible) and the other
for stronger random data like keys.

2 months ago  leak-detective: Whitelist functions added in OpenSSL 1.1.1
Tobias Brunner [Fri, 16 Nov 2018 09:57:50 +0000 (10:57 +0100)]
leak-detective: Whitelist functions added in OpenSSL 1.1.1

2 months ago  openssl: Add support for Ed25519/Ed448
Tobias Brunner [Thu, 15 Nov 2018 14:54:05 +0000 (15:54 +0100)]
openssl: Add support for Ed25519/Ed448

2 months ago  dh-speed: Add curve448 keyword
Tobias Brunner [Thu, 15 Nov 2018 10:25:06 +0000 (11:25 +0100)]
dh-speed: Add curve448 keyword

2 months ago  test-vectors: Add vector for X448
Tobias Brunner [Thu, 15 Nov 2018 10:24:53 +0000 (11:24 +0100)]
test-vectors: Add vector for X448

2 months ago  openssl: Add support for X25519 and X448
Tobias Brunner [Thu, 15 Nov 2018 09:20:45 +0000 (10:20 +0100)]
openssl: Add support for X25519 and X448

While X25519 was already added with 1.1.0a, its use would be a lot more
complicated, as the helpers like EVP_PKEY_new_raw_public_key() were only
added in 1.1.1, which also added X448.

2 months ago  bypass-lan: Compare interface for unchanged policies
Tobias Brunner [Thu, 8 Nov 2018 11:02:04 +0000 (12:02 +0100)]
bypass-lan: Compare interface for unchanged policies

In case a subnet is moved from one interface to another the policies can
remain as is but the route has to change.  This currently doesn't happen
automatically and there is no option to update the policy or route so
removing and reinstalling the policies is the only option.

Fixes #2820.

2 months ago  child-delete: Don't send delete for expired CHILD_SAs that were already rekeyed
Tobias Brunner [Tue, 6 Nov 2018 11:13:35 +0000 (12:13 +0100)]
child-delete: Don't send delete for expired CHILD_SAs that were already rekeyed

The peer might not have seen the CREATE_CHILD_SA response yet, receiving a
DELETE for the SA could then trigger it to abort the rekeying, causing
the deletion of the newly established SA (it can't know whether the
DELETE was sent due to an expire or because the user manually deleted
it).  We just treat this SA as if we received a DELETE for it.  This is
not an ideal situation anyway, as it causes some traffic to get dropped,
so it should usually be avoided by setting appropriate soft and hard limits.

References #2815.

2 months ago  kernel-netlink: Update SA selector if it contains changed IP address(es)
Tobias Brunner [Wed, 31 Oct 2018 14:43:46 +0000 (15:43 +0100)]
kernel-netlink: Update SA selector if it contains changed IP address(es)

2 months ago  Avoid inclusion of unistd.h in generated lexers
Tobias Brunner [Mon, 22 Oct 2018 08:38:53 +0000 (10:38 +0200)]
Avoid inclusion of unistd.h in generated lexers

Because the file is not available on all platforms the inclusion comes
after the user options in order to disable including it.  But that means
the inclusion also follows after the defined scanner states, which are
generated as simple #defines to numbers.  If the included unistd.h e.g.
uses variables in function definitions with the same names this could
result in compilation errors.

Interactive mode has to be disabled too as it relies on isatty() from
unistd.h.  Since we don't use the scanners interactively, this is not a
problem and might even make the scanners a bit faster.

Fixes #2806.

2 months ago  Merge branch 'travis-xenial'
Tobias Brunner [Wed, 21 Nov 2018 13:40:00 +0000 (14:40 +0100)]
Merge branch 'travis-xenial'

Run builds on Travis on Ubuntu Xenial (16.04) images.

2 months ago  travis: Use ccache for MinGW builds
Tobias Brunner [Tue, 13 Nov 2018 17:59:38 +0000 (18:59 +0100)]
travis: Use ccache for MinGW builds

2 months ago  travis: Use manual matrix expansion to improve overall run time
Tobias Brunner [Tue, 13 Nov 2018 17:31:21 +0000 (18:31 +0100)]
travis: Use manual matrix expansion to improve overall run time

The sonarcloud build runs a long time now (the win32/64 builds are also
a lot slower on xenial), which increases the overall time a build takes
because we can't run these before regular matrix jobs run.  So we do a
manual matrix expansion to control the order of jobs (slower first).
This also removes the TEST=default build with GCC as that's basically
what TEST=dist does (except for forcing the printf implementation).

2 months ago  travis: Simplify explicitly included jobs
Tobias Brunner [Tue, 13 Nov 2018 15:46:10 +0000 (16:46 +0100)]
travis: Simplify explicitly included jobs

The first value for the compiler array (gcc) is inherited.

2 months ago  travis: Start with sonarcloud job first
Tobias Brunner [Tue, 13 Nov 2018 15:42:44 +0000 (16:42 +0100)]
travis: Start with sonarcloud job first

Also change the condition, the environment variable is apparently still
around when the decision to run it is made.

2 months ago  travis: Use two threads to analyze C code with SonarQube
Tobias Brunner [Tue, 13 Nov 2018 11:08:43 +0000 (12:08 +0100)]
travis: Use two threads to analyze C code with SonarQube

On Nov 12, the scanner was updated and now takes a lot more time (about
3 times as much).  Using two threads reduces it a bit (by about 25%).
Using even more threads doesn't help or even increases the time again.

2 months ago  Fix make distcheck if systemd is installed
Tobias Brunner [Fri, 9 Nov 2018 15:48:40 +0000 (16:48 +0100)]
Fix make distcheck if systemd is installed

The automatically determined path for systemd units is an absolute system
path that doesn't respect $(prefix).  That's a problem for make distcheck,
which is usually run as a regular user and it's not expected to have any
impact on the system (it does a local install in a subdir).  To avoid
these issues we override the configure flags used by make distcheck and
set the path to one relative to the specified prefix.