Commit Graph

17862 Commits

Author SHA1 Message Date
Noel Kuntze 4886a2c7d8
Doxyfile.in: Remove deprecated variables 2021-04-15 16:13:22 +02:00
Noel Kuntze a11efc5214
doxygen: Fix documentation problems 2021-04-15 00:17:59 +02:00
Andreas Steffen 09df86c033 Version bump to 5.9.3dr1 2021-03-31 09:59:55 +02:00
Andreas Steffen 66ba50b217 testing: Migrated p2pnat/medsrv-psk scenario to vici 2021-03-30 22:12:00 +02:00
Andreas Steffen 03e1272ff2 testing: Migrated p2pnat/behind-same-nat scenario to vici 2021-03-30 22:12:00 +02:00
Andreas Steffen 68154033bb testing: Store mars credentials in the swanctl directory 2021-03-30 22:12:00 +02:00
Andreas Steffen 2cbf7da51a testing: Migrated redirect-active scenario to vici 2021-03-30 22:12:00 +02:00
Andreas Steffen 511b860916 testing: Migrated ha/both-active scenario to vici 2021-03-30 18:57:49 +02:00
Andreas Steffen 5c22e94f0f testing: Migrated ha/active-passive scenario to vici 2021-03-30 18:57:49 +02:00
Andreas Steffen 737f7fce51 testing: Switched PTS measurements to /usr/sbin
Due to Debian 10 linking /bin to /usr/bin which drastically
increased the number of files in /bin, the PTS measurement
was switched to /usr/sbin with a lesser number of files.
2021-03-23 10:54:48 +01:00
Andreas Steffen f412c97648 wolfssl: Support SHAKE_256 2021-03-20 11:19:12 +01:00
Andreas Steffen a91eb3eb96 wolfssl: Support SHA3 2021-03-20 11:15:42 +01:00
Andreas Steffen b57215ba2b wolfssl: Support AES_ECB 2021-03-20 11:15:42 +01:00
Andreas Steffen bd323ae6c8 openssl: Migrate from deprecated EC_POINT_[set|get]_affine_coordinates_GFp() functions 2021-03-19 08:50:27 +01:00
Petr Gotthard c5eac9c390 libcharon: Include libtpmtss in monolithic build 2021-03-17 12:14:47 +01:00
Andreas Steffen 6aef079f59 testing: Bump guest kernel to Linux 5.11 2021-03-07 14:39:44 +01:00
Andreas Steffen 87ba3a424d Version bump to 5.9.2 2021-02-26 11:30:13 +01:00
Tobias Brunner 88c4d8cb22 Merge branch 'sha2-no-trunc'
Closes strongswan/strongswan#215.
2021-02-23 17:30:11 +01:00
Tobias Brunner 875813c055 save-keys: Fix length of AES-GCM with 12-byte ICV 2021-02-23 17:28:46 +01:00
Michał Skalski b6b8880340 save-keys: Add support for full-length HMAC-SHA256 for ESP
Wireshark doesn't really support it, but this way it at least decodes
the ESP packets correctly and the encryption keys are saved and the
packets can be decrypted.  The full-length versions of SHA-384 and
SHA-512 are not supported by Wireshark as 256-bit is the longest ICV
it is able to decode currently.
2021-02-23 17:28:46 +01:00
Michał Skalski c632aa7b31 kernel-netlink: Add support for full-length HMAC-SHA2 algorithms 2021-02-23 17:28:46 +01:00
Michał Skalski aa6da3700a keymat: Add support for full-length HMAC-SHA2 algorithms 2021-02-23 17:23:29 +01:00
Michał Skalski 7a8cd5d6d0 af-alg: Fix typo in algorithm mapping for full-size HMAC-SHA-256 2021-02-23 09:25:44 +01:00
Andreas Steffen 356f87355b Version bump to 5.9.2rc2 2021-02-21 10:40:34 +01:00
Andreas Steffen 20c47af319 testing: Use TLS 1.3 in TNC PT-TLS tests 2021-02-21 09:48:34 +01:00
Andreas Steffen 9f55246018 testing: Added mgf1 plugin to load statement 2021-02-19 17:41:44 +01:00
Andreas Steffen 283b352cee Merge branch 'tls-fixes' 2021-02-18 20:28:33 +01:00
Andreas Steffen d08fa4bd0a Version bump to 5.9.2rc1 2021-02-18 20:16:17 +01:00
Tobias Brunner 48f4f9f667 pt-tls-server: Make TLS client authentication optional as appropriate 2021-02-18 15:41:52 +01:00
Tobias Brunner 82116dba66 tls-test: Add option to make client authentication optional 2021-02-18 15:39:35 +01:00
Tobias Brunner 760f3b730f tls-server: Add flag that makes client authentication optional
This allows clients to send an empty certificate payload if the server
sent a certificate request.  If an identity was set previously, it will
be reset so get_peer_id() may be used to check if the client was
authenticated.
2021-02-18 15:35:46 +01:00
Tobias Brunner 11a4687930 libtls: Add control flags and replace GENERIC_NULLOK purpose with one 2021-02-18 15:10:29 +01:00
Tobias Brunner 602947d48a pt-tls-server: Explicitly request client authentication if necessary
The PT_TLS_AUTH_TLS_OR_SASL case currently can't be implemented properly
as TLS authentication will be enforced if a client identity is configured
on the TLS server socket.
2021-02-18 12:49:54 +01:00
Tobias Brunner 4b7cfb252e tls-server: Use subject DN as peer identity if it was ID_ANY
To request client authentication if we don't know the client's identity,
it's possible to use ID_ANY.  However, if we don't change the identity
get_peer_id() would still report ID_ANY after the authentication.
2021-02-18 12:34:05 +01:00
Tobias Brunner d5606ec350 testing: Adapt some checks as SHA-384 is now preferred for TLS signatures 2021-02-18 12:02:54 +01:00
Tobias Brunner 024120f8ea tls-eap: Only servers conclude EAP method after processing packets
As client with older TLS versions, we have to ack the receipt of the server's
Finished message instead.

Fixes: 083f38259c ("tls-eap: Conclude EAP method also after processing packets")
2021-02-18 12:02:32 +01:00
Stefan Berghofer f7613cb581 ike-sa: Properly set timing info for delete after rekeying
The job is queued properly, yet the timing information is wrong.

Signed-off-by: Stefan Berghofer <stefan.berghofer@secunet.com>

Fixes: ee61471113 ("implemented RFC4478 (repeated authentication)...")
2021-02-18 10:02:55 +01:00
Tobias Brunner d65d4eab73 NEWS: Add news for 5.9.2 2021-02-17 15:24:36 +01:00
Tobias Brunner ff672c785b dhcp: Properly initialize struct when binding to interface 2021-02-16 15:22:18 +01:00
Tobias Brunner fbb70c968b pts: Don't rely on BIOS event buffer to be null terminated 2021-02-16 15:16:25 +01:00
Tobias Brunner 8384527ff5 tls-crypto: Fix potential memory leak
Fixes: d8e42a3d4e ("tls-crypto: Share private key search between client and server")
2021-02-16 14:52:43 +01:00
Tobias Brunner f4258c56f5 ike-sa-manager: Ensure we were able to create a new IKE_SA
This may happen if we are unable to allocate an SPI.
2021-02-16 14:45:51 +01:00
Tobias Brunner cb85967655 github: Bump wolfSSL to 4.7.0 2021-02-16 09:08:12 +01:00
Fedor Korotkov af9d2a8f1e cirrus: Use FreeBSD 12.2
This seems to fix the build with Autotools that recently started to fail
with:

autom4te-2.69: need GNU m4 1.4 or later: /usr/local/bin/gm4
aclocal: error: /usr/local/bin/autom4te-2.69 failed with exit status: 1
autoreconf-2.69: aclocal failed with exit status: 1

Closes strongswan/strongswan#197.
2021-02-16 08:56:43 +01:00
Tobias Brunner 7bd9c0c85e github: Fix emojis in templates 2021-02-15 15:30:03 +01:00
Tobias Brunner 27544f7bd9 github: Add security policy 2021-02-15 09:44:44 +01:00
Tobias Brunner ebf13f4caf github: Add issue templates 2021-02-15 09:44:44 +01:00
René Fischer 4261fcedec botan: Use strongSwan's RNG interface in Botan plugin
This allows using rng_t implementations provided by other plugins to
serve as RNG for Botan.

Closes strongswan/strongswan#192.
2021-02-15 09:27:51 +01:00
Tobias Brunner 5ffc1ec423 botan: Extract helper function to map RNG quality to Botan RNG names 2021-02-15 09:23:57 +01:00
Tobias Brunner eb399fb438 botan: Look for Botan 3 in configure script 2021-02-15 09:23:56 +01:00