Commit Graph

17819 Commits

Author SHA1 Message Date
Fedor Korotkov af9d2a8f1e cirrus: Use FreeBSD 12.2
This seems to fix the build with Autotools that recently started to fail
with:

autom4te-2.69: need GNU m4 1.4 or later: /usr/local/bin/gm4
aclocal: error: /usr/local/bin/autom4te-2.69 failed with exit status: 1
autoreconf-2.69: aclocal failed with exit status: 1

Closes strongswan/strongswan#197.
2021-02-16 08:56:43 +01:00
Tobias Brunner 7bd9c0c85e github: Fix emojis in templates 2021-02-15 15:30:03 +01:00
Tobias Brunner 27544f7bd9 github: Add security policy 2021-02-15 09:44:44 +01:00
Tobias Brunner ebf13f4caf github: Add issue templates 2021-02-15 09:44:44 +01:00
René Fischer 4261fcedec botan: Use strongSwan's RNG interface in Botan plugin
This allows using rng_t implementations provided by other plugins to
serve as RNG for Botan.

Closes strongswan/strongswan#192.
2021-02-15 09:27:51 +01:00
Tobias Brunner 5ffc1ec423 botan: Extract helper function to map RNG quality to Botan RNG names 2021-02-15 09:23:57 +01:00
Tobias Brunner eb399fb438 botan: Look for Botan 3 in configure script 2021-02-15 09:23:56 +01:00
Tobias Brunner 97857eaa12 ike-sa: Avoid possible integer underflow when scheduling reauth after rekeying
If the reauthentication is scheduled while rekeying, the difference
might be negative, however, schedule_job() takes an unsigned int,
so the reauth would get scheduled very far in the future.
2021-02-12 15:49:08 +01:00
Tobias Brunner 20dfbcad08 ha: Register new IKE_SAs before calling inherit_post() 2021-02-12 15:49:08 +01:00
Tobias Brunner 1c5cef1b89 ike-rekey: Register new IKE_SA before calling inherit_post()
If rekeying and reauthetication coincided, the reauth job could get
scheduled to run immediately i.e. before checkin() was called.  So the
new IKE_SA would not get reauthenticated, however, the further delayed
delete job would later find the new IKE_SA and delete it.
2021-02-12 15:49:08 +01:00
Tobias Brunner 5d97af5894 ike-sa-manager: Add a method to register/check out new IKE_SAs
This way, jobs for new IKE_SAs (created via create_new()) may be
scheduled/queued before checkin() is called.  If they run before
that happens, they will now correctly block in checkout() instead of
doing nothing because the IKE_SA was not found.
2021-02-12 15:49:08 +01:00
Tobias Brunner bde5bd47bd ike-sa-manager: Rename checkout_new() to create_new()
We don't actually check that SA out (i.e. it's not registered with the
manager).  That was originally different but had to be changed with
86993d6b90 to avoid that SAs created for rekeying don't block other
threads on the manager.
2021-02-12 15:49:08 +01:00
Tobias Brunner 7f6386afd9 Remove redundant calls to set peer config after checking out IKE_SAs by config 2021-02-12 15:49:08 +01:00
Tobias Brunner c46c40ef24 ike-sa-manager: Make checkout_by_config() atomic
These changes should ensure that concurrent calls to checkout_by_config()
result in a single IKE_SA.  For instance, when acquires for different
children of the same connection are triggered concurrently.

There are two major changes to the interface:

 1) The peer config object is now always set on the returned IKE_SA.
    That was previously only the case if an existing IKE_SA was
    returned.

 2) The IKE_SA is now always registered with the manager and properly
    checked out, which also was only the case for existing IKE_SAs
    before.
2021-02-12 15:49:08 +01:00
Tobias Brunner c7a0f2698d Merge branch 'tls13'
This adds support for TLS 1.3 to libtls and adds several new features to
existing TLS versions (e.g. support for x25519/x448, EdDSA or RSA-PSS).

Unfortunately, TLS 1.3 is not really usable for TLS-based EAP methods in
practice because, in particular, key derivation is not yet standardized.
While it works between two strongSwan instances and even FreeRADIUS 3.0.21,
there will be compatibility issues in the future when implementations move
to a standardized scheme.  There are currently two Internet-Drafts in
development to specify that (see 121ac4b9e3 for details).  Until they are
more stable, the default maximum version is set to 1.2.

The default minimum version has also been increased to 1.2 and several
older/weaker cipher suites have been removed (e.g. with 3DES and MD5).
2021-02-12 15:32:03 +01:00
Tobias Brunner 74b9ba7cdb tls-crypto: Simplify and extend cipher config filter
This way we automatically can filter for newer algorithms (e.g.
chacha20poly1305).
2021-02-12 14:35:23 +01:00
Tobias Brunner 8b2b5a647b proposal: Add aliases for AES-GCM/CCM without explicit ICV length
These are mapped to use the default, maximum ICV length of 16 bytes.
2021-02-12 14:35:23 +01:00
Tobias Brunner 966a26eaa2 tls-server: Support x25519/448 for TLS 1.2 2021-02-12 14:35:23 +01:00
Tobias Brunner f77ecf0728 tls-crypto: Fallback to any supported ECDH group
If the default group listed in the cipher suite is not supported, we try
to use any other supported group (the groups are negotiated separately
so we are not locked in to a specific group).
2021-02-12 14:35:23 +01:00
Tobias Brunner 311405c34d tls-crypto: Don't filter suites with specific ECDH group if any is available
Since DH groups (or with TLS < 1.3 curves) are negotiated separately,
it doesn't matter which one is listed in the cipher suite as any one could
be used.
2021-02-12 14:35:23 +01:00
Tobias Brunner 85bde019d3 diffie-hellman: Classify x25519 and x448 as ECDH methods 2021-02-12 14:35:23 +01:00
Pascal Knecht e3757300eb tls-crypto: Add signature scheme config file filter
And add signature scheme unit tests.
2021-02-12 14:35:23 +01:00
Pascal Knecht e5b6565730 tls-crypto: Rename DH group/key exchange method config option
TLS key exchange methods are now configured with `ke_group`.
2021-02-12 14:35:23 +01:00
Tobias Brunner a60e248b0d libtls: Increase default min version to 1.2
The older versions are generally considered deprecated (there is an
Internet-Draft that aims to do that formally).
2021-02-12 14:35:23 +01:00
Tobias Brunner 3abcbf82b5 tls-peer: Verify server selects the same cipher suite after HelloRetryRequest
This is as per RFC 8446, section 4.1.4.
2021-02-12 14:35:23 +01:00
Tobias Brunner ab226b3927 tls-server: Select cipher suite also when handling HelloRetryRequest
This was previously treated like a resumption, which it is clearly not.
Also added a check that verifies that the same cipher suite is selected
during the retry, as per RFC 8446, section 4.1.4.
2021-02-12 14:35:23 +01:00
Tobias Brunner 111e907168 tls-server: Remove unused variable 2021-02-12 14:35:23 +01:00
Pascal Knecht dc9f6c68df libtls: Add downgrade protection for TLS 1.3 and TLS 1.2
Section 4.1.3 in RFC 8446 defines a new downgrade protection mechanism
that also affects TLS 1.2.
2021-02-12 14:35:23 +01:00
Shmulik Ladkani a4a128bd2f tls-server: Optionally omit CAs in CertificateRequest messages
Usually, the DNs of all loaded CA certificates are included in the
CertificateRequest messages sent by the server.

Alas, certain EAP-TLS clients fail to process this message if the
list is too long, returning the fatal TLS alert 'illegal parameter'.

This new option allows configuring whether CAs are included or an
empty list is sent (TLS 1.2), or the certificate_authorities extension
is omitted (TLS 1.3).  The list only serves as hint/constraint
for clients during certificate selection, they still have to provide
a certificate but are free to select any one they have available.

Closes strongswan/strongswan#187.
2021-02-12 14:35:23 +01:00
Tobias Brunner 083f38259c tls-eap: Conclude EAP method also after processing packets
With TLS 1.3, the server sends its Finished message first, so the
session is complete after processing the client's Finished message,
without having to send anything else (in particular no acknowledgement
as the last message from the client is no fragment).
2021-02-12 14:35:23 +01:00
Tobias Brunner a00ace0fe2 libtls: Only run socket tests with EdDSA keys if they are supported
ECDSA support is currently required to run the tests because ECDSA
cipher suites are not filtered when determining the supported cipher
suites.  Also required are ECDH groups.
2021-02-12 14:35:23 +01:00
Tobias Brunner 7b64880a8c tls-peer: Don't log anything if we are not sending supported groups 2021-02-12 14:35:23 +01:00
Tobias Brunner 8cf3998f1a tls-crypto: Only log modified TLS versions if successfully set
If no cipher suites are available, the new versions are the previous
values but reversed (i.e. the versions were not changed but we still
ended up with a log message saying "TLS min/max TLS 1.3/TLS 1.0 ...").

Also switched to using the numeric version names to avoid the repeated
"TLS" prefix.
2021-02-12 14:35:23 +01:00
Tobias Brunner 92aef122c3 libtls: Reduce default max version to 1.2
Using TLS 1.3 with various EAP methods is not yet fully standardized, so we
don't enable it by default yet.
2021-02-12 14:35:23 +01:00
Tobias Brunner 663969ddf7 libtls: Make min/max TLS version configurable
Except for the tls_test tool, the versions now default to those
configured in strongswan.conf.
2021-02-12 14:35:23 +01:00
Pascal Knecht 9389fef78a test-hkdf: Add two test cases and restructure all tests
RFC 8448 contains multiple TLS 1.3 message traces, this commit adds two
new test cases focusing on key derivation:

- Simple 1-RTT Handshake
- Resumed 0-RTT Handshake

Additionally, the whole test suite is restructured and duplicate code is
removed and consolidated.
2021-02-12 14:35:23 +01:00
Pascal Knecht 7797c058d9 tls-hkdf: Implement binder PSK generation 2021-02-12 14:35:23 +01:00
Pascal Knecht 3e535c31b4 tls-hkdf: Implement resumption key generation 2021-02-12 14:35:23 +01:00
Pascal Knecht 9ef46cfaf9 tls-peer: Mutual authentication support for TLS 1.3 2021-02-12 14:35:23 +01:00
Pascal Knecht 2d933f318b tls-peer: Derive application traffic keys after server finished message
The inbound key is used right away, the outbound key only after the
client finished message has been sent.
2021-02-12 14:35:23 +01:00
Pascal Knecht d41d8b0039 tls-peer: Use private key enumeration also in TLS versions < 1.2
Until now, key selection was based on tls_client_certificate_type_t and now
uses a simple mapping from these types to tls_signature_scheme_t.
2021-02-12 14:35:23 +01:00
Pascal Knecht d8e42a3d4e tls-crypto: Share private key search between client and server
This way the client also properly considers the TLS version and the signature
schemes supported by the server.

Co-authored-by: Tobias Brunner <tobias@strongswan.org>
2021-02-12 14:35:23 +01:00
Pascal Knecht 299cc80094 tls-test: Add support to require/verify client certificates
Also add detailed usage output with description of all options.
2021-02-12 14:35:23 +01:00
Pascal Knecht d2fc9b0961 tls-server: Mutual authentication support for TLS 1.3
This commit also addresses the side effect that additional messages have
an influence on the derivation of the application traffic secrets. Therefore,
key derivation is relocated after the server finished message has been sent,
so the additional messages from the client (Certificate, CertificateVerify)
don't affect the key derivation. Only the outbound key is switched there, the
inbound key remains in use until the client's finished message has been
processed.
2021-02-12 14:35:23 +01:00
Pascal Knecht dc49d457a2 tls-server: Terminate connection if peer certificate is required but not sent
This change mainly affects legacy TLS versions because TLS 1.3
connections are terminated by the server once the peer does not send a
CertificateVerify message next to its empty Certificate message.
2021-02-12 14:35:23 +01:00
Pascal Knecht 4bba89fff3 tls-server: Make CertificateRequest conditional in old TLS versions
The server implementation now only sends a CertificateRequest message if
it has identity information to verify client certificates.
2021-02-12 14:35:23 +01:00
Pascal Knecht 4635f348fa tls-server: Share trusted public key search between client and server 2021-02-12 14:35:23 +01:00
Pascal Knecht 6b23543abd tls-crypto: Move AEAD ownership to the protection layer
This separates key derivation from key switching.
2021-02-12 14:35:23 +01:00
Pascal Knecht 534a781646 tls-hkdf: Always use correct base key to derive finished message
The cached traffic secrets change once the application traffic secrets
are derived, but we must always use the correct base key to derive the
finished message, which are the handshake traffic secrets (RFC 8446,
section 4.4).
2021-02-12 14:35:23 +01:00
Pascal Knecht 0aaf1242d9 libtls: Add unit tests for Ed25519 and Ed448 keys
TLS 1.0 to TLS 1.3 socket connection tests with each key type.
2021-02-12 14:35:23 +01:00