0e80eb235d
Version bump to 5.7.2dr2
2018-10-31 14:22:03 +01:00
9be6dee6a4
botan: SHA-3 support
2018-10-30 16:06:15 +01:00
ae271810dc
Use Botan 2.8.0 for tests
2018-10-30 15:08:31 +01:00
a29f70e4fb
testing: Use AES-GCM for SSH connections
...
RC4, which was previously used for performance reasons, is not supported
anymore with newer versions of SSH (stretch still supports it, but it
requires explicit configuration on the guests when they act as clients
too - the version in Ubuntu 18.04 apparently doesn't support it anymore
at all).
AES-GCM should actually be faster (at least for larger amounts of data and
in particular with hardware acceleration).
2018-10-30 15:06:57 +01:00
67fd36e884
testing: Avoid unnecessary rebuilds of components built from Git repos
...
Installing apparently changes the timestamp on the repo dir triggering make
to checkout and build the whole thing again.
2018-10-30 15:06:47 +01:00
3a4372c1eb
testing: Disable predictable network interface names assigned by systemd/udev
2018-10-30 15:06:33 +01:00
3fbeeef908
testing: Remove unused custom OIDs from openssl.cnf files
...
ClientAuthentication is known in OpenSSL 1.1 and the redefinition, therefore,
causes an error. These two OIDs are not used anyway in these config
files.
2018-10-30 15:03:34 +01:00
e660f4579b
testing: Fixed evaluation in swanctl/rw-cert-pss scenario
2018-10-27 08:47:57 +02:00
f5565683b9
Version bump to 5.7.2dr1
2018-10-26 18:47:48 +02:00
534ab34df6
testing: Added botan/net2net-ed25519 scenario
2018-10-26 18:46:59 +02:00
d1acfeec7b
NEWS: Add some recent changes
2018-10-26 15:27:15 +02:00
ce381883a1
dhcp: Ignore DHCP OFFER messages without assigned address
...
FreeRADIUS seems to respond that way if it can't allocate an address to
the client.
2018-10-26 11:26:50 +02:00
6e9cfe9751
vici: Properly handle absence of peer ID on mediation connections
...
Fixes #2794 .
2018-10-26 11:25:31 +02:00
46bea1add9
task-manager-v2: Reject requests for incomplete IKE_SAs as initiator
...
Based on a patch by Thomas Egerer.
2018-10-26 11:22:08 +02:00
a61b1a6ee4
mysql: Don't release the connection if transactions are still using it
...
Fixes #2779 .
2018-10-26 11:18:43 +02:00
6c641377c3
Merge branch 'botan-algos'
...
This adds wrappers for additional algorithms (Ed25519, ChaCha20/Poly1305,
AES-CCM) to the botan plugin and fixes some potential compile issues.
2018-10-26 11:11:04 +02:00
147363c169
botan: Fix build without specific asymmetric crypto
2018-10-26 11:06:45 +02:00
37ae912271
botan: Fix build without AES and its modes
2018-10-26 11:06:45 +02:00
3f960e38a1
botan: Add support for AES-CCM
2018-10-26 11:06:45 +02:00
b1ab9782e2
test-vectors: Add another ChaCha20/Poly1305 test vector from RFC 7539
2018-10-26 11:06:45 +02:00
cb7b83017d
botan: Add support for ChaCha20/Poly1305 AEAD algorithm
2018-10-26 11:06:45 +02:00
4bcc4bacd4
botan: Add support for Ed25519 keys
2018-10-26 11:06:45 +02:00
5cd24d26e2
botan: Add helper function for signature verification
2018-10-26 11:06:45 +02:00
8d8e7a9c8b
Merge branch 'ssh-eddsa'
...
This adds support for Ed25519/Ed448 SSH keys and their signatures via
agent plugin.
2018-10-26 11:04:37 +02:00
8f23e64ee5
agent: Support signatures with Ed25519/Ed448 keys
2018-10-26 11:01:10 +02:00
87dd08b139
sshkey: Support encoding Ed25519/Ed448 SSH public keys
2018-10-26 11:01:10 +02:00
7de0729357
sshkey: Add support for parsing Ed25519/Ed448 SSH keys
2018-10-26 11:01:10 +02:00
20f74adbae
curve25519: Support loading Ed25519 public keys from simple blobs
2018-10-26 11:01:10 +02:00
b982473a86
charon-cmd: Print plugin list before parsing arguments
...
Helps debugging e.g. failures to load certs/keys.
2018-10-26 11:01:10 +02:00
64adacc3c6
Merge commit 'key-sig-schemes'
...
This adds the ability to return supported signature schemes (and
parameters) from a private key.
This is useful for keys on a TPM 2.0 as these can be used only with a
particular scheme (the hash algorithm and for RSA even the padding scheme
is fixed). For RSA with PSS padding there is an additional complication
because different TPMs use different salt lengths, which we have to know
beforehand to correctly produce e.g. a certificate request (the signature
covers the algorithm identifier that describes the signature scheme).
It turned out that the new method is also useful for the agent plugin.
Newer ssh/gpg-agents support SHA-256 and SHA-512 for RSA signatures, but
not SHA-384, which we can now convey to the pubkey authenticator.
Unfortunately, older agents ignore the flags that request a SHA2 signature
and just return one with SHA-1, in such scenarios IKEv2 signature
authentication has to be disabled.
2018-10-26 10:59:38 +02:00
153eb8199a
agent: Enumerate only the supported signature schemes for RSA keys
...
SHA-384 is not supported but is selected by signature_schemes_for_key()
for keys between 3072 and 7680 bits.
Since this is only called for IKEv2 signature authentication we don't
even provide SHA-1 anymore. We always provide both schemes, though,
which is what pubkey-authenticator does too for RSA.
Older agents apparently just ignore the flags and always return a SHA-1
signature. If that's the case, charon.signature_authentication has to
be disabled.
2018-10-26 09:55:08 +02:00
5e03675a19
agent: Add support for RSA signatures with SHA256 and SHA512
2018-10-26 09:55:07 +02:00
1b510c0467
pubkey-authenticator: Append RSAPSS salt length to debug output
2018-10-26 09:55:07 +02:00
7b46089ea7
travis: Build tmp2-tss from sources
2018-10-26 09:55:07 +02:00
3150bd2b81
libtpmtss: Generalize AIK keys to signature keys
2018-10-26 09:55:07 +02:00
526c5abd0f
tpm: Check FIPS-140-2 and FIPS-186-4 compliance
2018-10-26 09:55:07 +02:00
b158404c5f
tpm: Return signature schemes supported by the key if TSS supports it
2018-10-26 09:03:27 +02:00
7ca3b3daee
libtpmtss: Add enumeration of supported signature schemes to TSS2 implementations
2018-10-26 09:03:27 +02:00
532cd488e3
libtpmtss: TSS can optionally return signature schemes supported by a key
2018-10-26 09:03:26 +02:00
ecfe67550d
signature-params: Provide option for maximum RSA/PSS salt length
...
However, the length now has to be resolved early, so we don't operate on
the negative constant values e.g. when generating the encoding.
2018-10-26 09:03:26 +02:00
dd4bd21c5a
pki: Query private key for supported signature schemes
2018-10-26 09:03:26 +02:00
b88f2b3815
pubkey-authenticator: Query private key for supported signature schemes
2018-10-26 09:03:09 +02:00
1c4738325d
private-key: Add optional method that returns supported signature schemes
2018-10-25 17:21:32 +02:00
9b5b55b026
Merge branch 'openssl-keyid'
...
Closes strongswan/strongswan#116 .
2018-10-24 10:07:49 +02:00
6b3dfe9c38
openssl: Remove extra semicolon
2018-10-24 09:49:25 +02:00
b9e45b5b4a
openssl: Remove arbitrary keyid length check
2018-10-24 09:49:18 +02:00
b148517c6b
openssl: Fix invalid keyid length check
...
Check was designed for base64 conversion, however a hex conversion is
being performed, which requires more memory.
2018-10-24 09:48:56 +02:00
d99e73548e
libtpmtss: Fixed inclusion of tcti-tabrmd.h header file
2018-10-19 10:46:08 +02:00
f18945dfea
libvici: Wrap header in extern "C" to include it from C++
...
Fixes #2795 .
2018-10-18 15:14:23 +02:00
537764ea55
android: New release after fixing DNS leak and some bugs
2018-10-17 12:08:47 +02:00
Andreas Steffen