Noel Kuntze
4886a2c7d8
Doxyfile.in: Remove deprecated variables
2021-04-15 16:13:22 +02:00
Noel Kuntze
a11efc5214
doxygen: Fix documentation problems
2021-04-15 00:17:59 +02:00
Andreas Steffen
09df86c033
Version bump to 5.9.3dr1
2021-03-31 09:59:55 +02:00
Andreas Steffen
66ba50b217
testing: Migrated p2pnat/medsrv-psk scenario to vici
2021-03-30 22:12:00 +02:00
Andreas Steffen
03e1272ff2
testing: Migrated p2pnat/behind-same-nat scenario to vici
2021-03-30 22:12:00 +02:00
Andreas Steffen
68154033bb
testing: Store mars credentials in the swanctl directory
2021-03-30 22:12:00 +02:00
Andreas Steffen
2cbf7da51a
testing: Migrated redirect-active scenario to vici
2021-03-30 22:12:00 +02:00
Andreas Steffen
511b860916
testing: Migrated ha/both-active scenario to vici
2021-03-30 18:57:49 +02:00
Andreas Steffen
5c22e94f0f
testing: Migrated ha/active-passive scenario to vici
2021-03-30 18:57:49 +02:00
Andreas Steffen
737f7fce51
testing: Switched PTS measurements to /usr/sbin
...
Due to Debian 10 linking /bin to /usr/bin which drastically
increased the number of files in /bin, the PTS measurement
was switched to /usr/sbin with a lesser number of files.
2021-03-23 10:54:48 +01:00
Andreas Steffen
f412c97648
wolfssl: Support SHAKE_256
2021-03-20 11:19:12 +01:00
Andreas Steffen
a91eb3eb96
wolfssl: Support SHA3
2021-03-20 11:15:42 +01:00
Andreas Steffen
b57215ba2b
wolfssl: Support AES_ECB
2021-03-20 11:15:42 +01:00
Andreas Steffen
bd323ae6c8
openssl: Migrate from deprecated EC_POINT_[set|get]_affine_coordinates_GFp() functions
2021-03-19 08:50:27 +01:00
Petr Gotthard
c5eac9c390
libcharon: Include libtpmtss in monolithic build
2021-03-17 12:14:47 +01:00
Andreas Steffen
6aef079f59
testing: Bump guest kernel to Linux 5.11
2021-03-07 14:39:44 +01:00
Andreas Steffen
87ba3a424d
Version bump to 5.9.2
2021-02-26 11:30:13 +01:00
Tobias Brunner
88c4d8cb22
Merge branch 'sha2-no-trunc'
...
Closes strongswan/strongswan#215 .
2021-02-23 17:30:11 +01:00
Tobias Brunner
875813c055
save-keys: Fix length of AES-GCM with 12-byte ICV
2021-02-23 17:28:46 +01:00
Michał Skalski
b6b8880340
save-keys: Add support for full-length HMAC-SHA256 for ESP
...
Wireshark doesn't really support it, but this way it at least decodes
the ESP packets correctly and the encryption keys are saved and the
packets can be decrypted. The full-length versions of SHA-384 and
SHA-512 are not supported by Wireshark as 256-bit is the longest ICV
it is able to decode currently.
2021-02-23 17:28:46 +01:00
Michał Skalski
c632aa7b31
kernel-netlink: Add support for full-length HMAC-SHA2 algorithms
2021-02-23 17:28:46 +01:00
Michał Skalski
aa6da3700a
keymat: Add support for full-length HMAC-SHA2 algorithms
2021-02-23 17:23:29 +01:00
Michał Skalski
7a8cd5d6d0
af-alg: Fix typo in algorithm mapping for full-size HMAC-SHA-256
2021-02-23 09:25:44 +01:00
Andreas Steffen
356f87355b
Version bump to 5.9.2rc2
2021-02-21 10:40:34 +01:00
Andreas Steffen
20c47af319
testing: Use TLS 1.3 in TNC PT-TLS tests
2021-02-21 09:48:34 +01:00
Andreas Steffen
9f55246018
testing: Added mgf1 plugin to load statement
2021-02-19 17:41:44 +01:00
Andreas Steffen
283b352cee
Merge branch 'tls-fixes'
2021-02-18 20:28:33 +01:00
Andreas Steffen
d08fa4bd0a
Version bump to 5.9.2rc1
2021-02-18 20:16:17 +01:00
Tobias Brunner
48f4f9f667
pt-tls-server: Make TLS client authentication optional as appropriate
2021-02-18 15:41:52 +01:00
Tobias Brunner
82116dba66
tls-test: Add option to make client authentication optional
2021-02-18 15:39:35 +01:00
Tobias Brunner
760f3b730f
tls-server: Add flag that makes client authentication optional
...
This allows clients to send an empty certificate payload if the server
sent a certificate request. If an identity was set previously, it will
be reset so get_peer_id() may be used to check if the client was
authenticated.
2021-02-18 15:35:46 +01:00
Tobias Brunner
11a4687930
libtls: Add control flags and replace GENERIC_NULLOK purpose with one
2021-02-18 15:10:29 +01:00
Tobias Brunner
602947d48a
pt-tls-server: Explicitly request client authentication if necessary
...
The PT_TLS_AUTH_TLS_OR_SASL case currently can't be implemented properly
as TLS authentication will be enforced if a client identity is configured
on the TLS server socket.
2021-02-18 12:49:54 +01:00
Tobias Brunner
4b7cfb252e
tls-server: Use subject DN as peer identity if it was ID_ANY
...
To request client authentication if we don't know the client's identity,
it's possible to use ID_ANY. However, if we don't change the identity
get_peer_id() would still report ID_ANY after the authentication.
2021-02-18 12:34:05 +01:00
Tobias Brunner
d5606ec350
testing: Adapt some checks as SHA-384 is now preferred for TLS signatures
2021-02-18 12:02:54 +01:00
Tobias Brunner
024120f8ea
tls-eap: Only servers conclude EAP method after processing packets
...
As client with older TLS versions, we have to ack the receipt of the server's
Finished message instead.
Fixes: 083f38259c
("tls-eap: Conclude EAP method also after processing packets")
2021-02-18 12:02:32 +01:00
Stefan Berghofer
f7613cb581
ike-sa: Properly set timing info for delete after rekeying
...
The job is queued properly, yet the timing information is wrong.
Signed-off-by: Stefan Berghofer <stefan.berghofer@secunet.com>
Fixes: ee61471113
("implemented RFC4478 (repeated authentication)...")
2021-02-18 10:02:55 +01:00
Tobias Brunner
d65d4eab73
NEWS: Add news for 5.9.2
2021-02-17 15:24:36 +01:00
Tobias Brunner
ff672c785b
dhcp: Properly initialize struct when binding to interface
2021-02-16 15:22:18 +01:00
Tobias Brunner
fbb70c968b
pts: Don't rely on BIOS event buffer to be null terminated
2021-02-16 15:16:25 +01:00
Tobias Brunner
8384527ff5
tls-crypto: Fix potential memory leak
...
Fixes: d8e42a3d4e
("tls-crypto: Share private key search between client and server")
2021-02-16 14:52:43 +01:00
Tobias Brunner
f4258c56f5
ike-sa-manager: Ensure we were able to create a new IKE_SA
...
This may happen if we are unable to allocate an SPI.
2021-02-16 14:45:51 +01:00
Tobias Brunner
cb85967655
github: Bump wolfSSL to 4.7.0
2021-02-16 09:08:12 +01:00
Fedor Korotkov
af9d2a8f1e
cirrus: Use FreeBSD 12.2
...
This seems to fix the build with Autotools that recently started to fail
with:
autom4te-2.69: need GNU m4 1.4 or later: /usr/local/bin/gm4
aclocal: error: /usr/local/bin/autom4te-2.69 failed with exit status: 1
autoreconf-2.69: aclocal failed with exit status: 1
Closes strongswan/strongswan#197 .
2021-02-16 08:56:43 +01:00
Tobias Brunner
7bd9c0c85e
github: Fix emojis in templates
2021-02-15 15:30:03 +01:00
Tobias Brunner
27544f7bd9
github: Add security policy
2021-02-15 09:44:44 +01:00
Tobias Brunner
ebf13f4caf
github: Add issue templates
2021-02-15 09:44:44 +01:00
René Fischer
4261fcedec
botan: Use strongSwan's RNG interface in Botan plugin
...
This allows using rng_t implementations provided by other plugins to
serve as RNG for Botan.
Closes strongswan/strongswan#192 .
2021-02-15 09:27:51 +01:00
Tobias Brunner
5ffc1ec423
botan: Extract helper function to map RNG quality to Botan RNG names
2021-02-15 09:23:57 +01:00
Tobias Brunner
eb399fb438
botan: Look for Botan 3 in configure script
2021-02-15 09:23:56 +01:00