472efd3809
leak-detective: Add an option to ignore frees of unknown memory blocks
...
This also changes how unknown/corrupted memory is handled in the free()
and realloc() hooks in general.
Incorporates changes provided by Thomas Egerer who ran into a similar
issue.
2018-09-12 16:25:00 +02:00
9ee23d5efa
travis: Add Botan build
...
We build Botan directly from the master branch until 2.8.0 is released.
2018-09-12 16:25:00 +02:00
c064a5288e
leak-detective: Whitelist some Botan functions
...
Due to the mangled C++ function names it's tricky to be more specific. The
"leaked" allocations are from a static hashtable containing EC groups.
There is another leak caused by the locking allocator singleton
(triggered by the first function that uses it, usually initialization of
a cipher, but could be a hasher in other test runners), but we can avoid
that with a Botan config option.
2018-09-12 16:25:00 +02:00
304d4ca57a
botan: Adhere to configured DH exponent length
2018-09-12 16:25:00 +02:00
bd267c863f
botan: Encode private keys as PKCS#8
...
Since we can now parse that encoding directly we can simplify the private
key export and stick to PKCS#8.
2018-09-12 16:25:00 +02:00
607f10dca4
botan: Load public/private keys generically
...
Simplifies public key loading and this way unencrypted PKCS#8-encoded
keys can be loaded directly without pkcs8 plugin (code for encrypted
keys could probably later be added, if necessary).
It also simplifies the implementation of private_key_t::get_public_key()
a lot.
2018-09-12 16:25:00 +02:00
72491b7843
botan: Encode curve OID and public key in EC private key
...
Without OID we can't generate an algorithmIdentifier when loading the
key again. And older versions of OpenSSL insist on a public key when
e.g. converting a key to PKCS#8.
Simply unwrapping the ECPrivateKey structure avoids log messages when
parsing other keys in the KEY_ANY case.
2018-09-12 16:25:00 +02:00
ba7e74291e
pkcs1: Accept EC private keys without public key but make sure of an OID
2018-09-12 16:25:00 +02:00
de2a24310c
botan: Fixes, code style changes plus some refactorings
...
Some changes rely on newly added FFI functions in Botan's master
branch.
2018-09-12 16:25:00 +02:00
13f113f7a9
botan: Add MD5 support to Botan hasher
...
Support MD5 in the Botan plugin if supported by Botan.
MD5 is required for RADIUS and obviously EAP-MD5,
and also for non-PKCS#8 encoded, encrypted private keys.
2018-09-12 16:25:00 +02:00
04ecaff6a9
unit-tests: Remove 768 bits RSA gen test
...
Botan only allows RSA generating keys >= 1,024 bits, which makes
the RSA test suite fail. It is questionable whether it makes
sense to test 768 bit RSA keys anymore. They are too weak
from today's perspective anyway.
2018-09-12 16:25:00 +02:00
af26cc4d85
botan: Add Botan plugin to libstrongswan
2018-09-12 16:25:00 +02:00
66c4735f99
dumm: Remove the Dynamic UML Mesh Modeler framework
...
This has been pretty much defunct for several years (requires a
specially patched UML-enabled guest kernel).
2018-09-12 15:53:55 +02:00
948c42ab2e
android: Properly set log file path
2018-09-12 11:44:57 +02:00
bd61236b4a
conf: Document new filelog configuration
2018-09-12 11:42:38 +02:00
f6b4ba2a65
library: Return FALSE from library_init() if loaded settings are invalid
...
This way daemons won't start with config files that contain errors.
2018-09-11 18:30:18 +02:00
71dca60c31
settings: Don't allow dots in section/key names anymore
...
This requires config changes if filelog is used with a path that
contains dots. This path must now be defined in the `path` setting of an
arbitrarily named subsection of `filelog`. Without that change the
whole strongswan.conf file will fail to load, which some users might
not notice immediately.
2018-09-11 18:30:18 +02:00
85afe81e1f
ike-auth: Remove unnecessary case statement
2018-09-11 18:18:50 +02:00
a0c302f878
vici: Remove unreachable code
...
If list is TRUE any type but VICI_LIST_END and VICI_LIST_ITEM (i.e.
including VICI_END) is already handled in the first block in this
function.
2018-09-11 18:18:50 +02:00
954e75effa
vici: Lease enumerator is always defined
...
mem_pool_t always returns an enumerator.
2018-09-11 18:18:50 +02:00
55fb268b51
stroke: Lease enumerator is always defined
...
This function is only called for existing pools (under the protection of
a read lock).
2018-09-11 18:18:50 +02:00
648709b392
smp: Remove unreachable initializer
...
Execution in this block will start with any of the case statements,
never with the initialization.
2018-09-11 18:18:49 +02:00
23d756e4f0
eap-sim-pcsc: Fix leak in error case
2018-09-11 18:18:49 +02:00
e2d8833f2b
travis: Add sonarcloud build
2018-09-11 18:18:43 +02:00
f5481496d6
travis: Automatically retry install steps
...
There occasionally are network issues when fetching from Ubuntu/PPA
repos. Let's see if this is a possible fix.
2018-09-11 18:17:28 +02:00
80e8845d36
swanctl: Allow passing a custom config file for each --load* command
...
Mainly for debugging, but could also be used to e.g. use a separate file
for connections and secrets.
2018-09-11 18:14:45 +02:00
7257ba3b44
Merge branch 'ikev2-ppk'
...
Adds support for Postquantum Preshared Keys for IKEv2.
Fixes #2710 .
2018-09-10 18:05:12 +02:00
d1c5e6816d
testing: Add some PPK scenarios
2018-09-10 18:04:23 +02:00
755985867e
swanctl: Report the use of a PPK in --list-sas
...
If we later decide the PPK_ID would be helpful, printing this on a
separate line would probably make sense.
2018-09-10 18:03:30 +02:00
c4d2fdd915
vici: Return PPK state of an IKE_SA
2018-09-10 18:03:27 +02:00
e4d85011e4
ikev2: Mark IKE_SAs that used PPK during authentication
2018-09-10 18:03:18 +02:00
6627706786
eap-authenticator: Add support for authentication with PPK
2018-09-10 18:03:03 +02:00
18f8249415
pubkey-authenticator: Add support for authentication with PPK
2018-09-10 18:03:03 +02:00
46bdeaf359
psk-authenticator: Add support for authentication with PPK
2018-09-10 18:03:03 +02:00
a9e60c96dc
ike-auth: Add basic PPK support
...
Some of the work will have to be done in the authenticators.
2018-09-10 18:03:02 +02:00
94f9f421bc
ike-auth: Replace `== NULL` with `!`
2018-09-10 18:03:02 +02:00
7150fa7065
authenticator: Add optional method to set PPK
2018-09-10 18:03:02 +02:00
600b106852
ike-init: Send USE_PPK notify as appropriate
2018-09-10 18:03:02 +02:00
1fb46f7119
swanctl: Report PPK configuration in --list-conns
2018-09-10 18:03:02 +02:00
7f94528061
vici: Make PPK related options configurable
2018-09-10 18:03:02 +02:00
a2ff8b654d
peer-cfg: Add properties for PPK ID and whether PPK is required
2018-09-10 18:03:01 +02:00
83dcc1f4cf
ike-sa: Add flag for PPK extension
2018-09-10 18:03:01 +02:00
3fbc95cf54
keymat_v2: Add support for PPKs
2018-09-10 18:03:01 +02:00
3703dff2aa
swanctl: Add support for PPKs
2018-09-10 18:03:01 +02:00
1ec9382880
vici: Add support for PPKs
2018-09-10 18:03:01 +02:00
bac3ca2324
shared-key: Add a new type for Postquantum Preshared Keys
...
Using a separate type allows us to easily check if we have any PPKs
available at all.
2018-09-10 18:03:01 +02:00
0f423dda28
ikev2: Add notify types for Postquantum Preshared Keys
2018-09-10 18:03:00 +02:00
5dff6de8eb
unit-tests: Add tests for peer_cfg_t::replace_child_cfgs()
2018-09-10 17:45:23 +02:00
40ed812442
peer-cfg: Replace equal child configs with newly added ones
...
Otherwise, renamed child configs would still be known to the daemon
under their old name.
Fixes #2746 .
2018-09-10 17:45:07 +02:00
375dfb9076
crypto: References to RFCs 8410 and 8420
2018-09-04 07:24:20 +02:00
Tobias Brunner