Commit Graph

17934 Commits

Author SHA1 Message Date
Tobias Brunner 48f4f9f667 pt-tls-server: Make TLS client authentication optional as appropriate 2021-02-18 15:41:52 +01:00
Tobias Brunner 82116dba66 tls-test: Add option to make client authentication optional 2021-02-18 15:39:35 +01:00
Tobias Brunner 760f3b730f tls-server: Add flag that makes client authentication optional
This allows clients to send an empty certificate payload if the server
sent a certificate request.  If an identity was set previously, it will
be reset so get_peer_id() may be used to check if the client was
authenticated.
2021-02-18 15:35:46 +01:00
Tobias Brunner 11a4687930 libtls: Add control flags and replace GENERIC_NULLOK purpose with one 2021-02-18 15:10:29 +01:00
Tobias Brunner 602947d48a pt-tls-server: Explicitly request client authentication if necessary
The PT_TLS_AUTH_TLS_OR_SASL case currently can't be implemented properly
as TLS authentication will be enforced if a client identity is configured
on the TLS server socket.
2021-02-18 12:49:54 +01:00
Tobias Brunner 4b7cfb252e tls-server: Use subject DN as peer identity if it was ID_ANY
To request client authentication if we don't know the client's identity,
it's possible to use ID_ANY.  However, if we don't change the identity
get_peer_id() would still report ID_ANY after the authentication.
2021-02-18 12:34:05 +01:00
Tobias Brunner d5606ec350 testing: Adapt some checks as SHA-384 is now preferred for TLS signatures 2021-02-18 12:02:54 +01:00
Tobias Brunner 024120f8ea tls-eap: Only servers conclude EAP method after processing packets
As client with older TLS versions, we have to ack the receipt of the server's
Finished message instead.

Fixes: 083f38259c ("tls-eap: Conclude EAP method also after processing packets")
2021-02-18 12:02:32 +01:00
Stefan Berghofer f7613cb581 ike-sa: Properly set timing info for delete after rekeying
The job is queued properly, yet the timing information is wrong.

Signed-off-by: Stefan Berghofer <stefan.berghofer@secunet.com>

Fixes: ee61471113 ("implemented RFC4478 (repeated authentication)...")
2021-02-18 10:02:55 +01:00
Tobias Brunner d65d4eab73 NEWS: Add news for 5.9.2 2021-02-17 15:24:36 +01:00
Tobias Brunner ff672c785b dhcp: Properly initialize struct when binding to interface 2021-02-16 15:22:18 +01:00
Tobias Brunner fbb70c968b pts: Don't rely on BIOS event buffer to be null terminated 2021-02-16 15:16:25 +01:00
Tobias Brunner 8384527ff5 tls-crypto: Fix potential memory leak
Fixes: d8e42a3d4e ("tls-crypto: Share private key search between client and server")
2021-02-16 14:52:43 +01:00
Tobias Brunner f4258c56f5 ike-sa-manager: Ensure we were able to create a new IKE_SA
This may happen if we are unable to allocate an SPI.
2021-02-16 14:45:51 +01:00
Tobias Brunner cb85967655 github: Bump wolfSSL to 4.7.0 2021-02-16 09:08:12 +01:00
Fedor Korotkov af9d2a8f1e cirrus: Use FreeBSD 12.2
This seems to fix the build with Autotools that recently started to fail
with:

autom4te-2.69: need GNU m4 1.4 or later: /usr/local/bin/gm4
aclocal: error: /usr/local/bin/autom4te-2.69 failed with exit status: 1
autoreconf-2.69: aclocal failed with exit status: 1

Closes strongswan/strongswan#197.
2021-02-16 08:56:43 +01:00
Tobias Brunner 7bd9c0c85e github: Fix emojis in templates 2021-02-15 15:30:03 +01:00
Tobias Brunner 27544f7bd9 github: Add security policy 2021-02-15 09:44:44 +01:00
Tobias Brunner ebf13f4caf github: Add issue templates 2021-02-15 09:44:44 +01:00
René Fischer 4261fcedec botan: Use strongSwan's RNG interface in Botan plugin
This allows using rng_t implementations provided by other plugins to
serve as RNG for Botan.

Closes strongswan/strongswan#192.
2021-02-15 09:27:51 +01:00
Tobias Brunner 5ffc1ec423 botan: Extract helper function to map RNG quality to Botan RNG names 2021-02-15 09:23:57 +01:00
Tobias Brunner eb399fb438 botan: Look for Botan 3 in configure script 2021-02-15 09:23:56 +01:00
Tobias Brunner 97857eaa12 ike-sa: Avoid possible integer underflow when scheduling reauth after rekeying
If the reauthentication is scheduled while rekeying, the difference
might be negative, however, schedule_job() takes an unsigned int,
so the reauth would get scheduled very far in the future.
2021-02-12 15:49:08 +01:00
Tobias Brunner 20dfbcad08 ha: Register new IKE_SAs before calling inherit_post() 2021-02-12 15:49:08 +01:00
Tobias Brunner 1c5cef1b89 ike-rekey: Register new IKE_SA before calling inherit_post()
If rekeying and reauthetication coincided, the reauth job could get
scheduled to run immediately i.e. before checkin() was called.  So the
new IKE_SA would not get reauthenticated, however, the further delayed
delete job would later find the new IKE_SA and delete it.
2021-02-12 15:49:08 +01:00
Tobias Brunner 5d97af5894 ike-sa-manager: Add a method to register/check out new IKE_SAs
This way, jobs for new IKE_SAs (created via create_new()) may be
scheduled/queued before checkin() is called.  If they run before
that happens, they will now correctly block in checkout() instead of
doing nothing because the IKE_SA was not found.
2021-02-12 15:49:08 +01:00
Tobias Brunner bde5bd47bd ike-sa-manager: Rename checkout_new() to create_new()
We don't actually check that SA out (i.e. it's not registered with the
manager).  That was originally different but had to be changed with
86993d6b90 to avoid that SAs created for rekeying don't block other
threads on the manager.
2021-02-12 15:49:08 +01:00
Tobias Brunner 7f6386afd9 Remove redundant calls to set peer config after checking out IKE_SAs by config 2021-02-12 15:49:08 +01:00
Tobias Brunner c46c40ef24 ike-sa-manager: Make checkout_by_config() atomic
These changes should ensure that concurrent calls to checkout_by_config()
result in a single IKE_SA.  For instance, when acquires for different
children of the same connection are triggered concurrently.

There are two major changes to the interface:

 1) The peer config object is now always set on the returned IKE_SA.
    That was previously only the case if an existing IKE_SA was
    returned.

 2) The IKE_SA is now always registered with the manager and properly
    checked out, which also was only the case for existing IKE_SAs
    before.
2021-02-12 15:49:08 +01:00
Tobias Brunner c7a0f2698d Merge branch 'tls13'
This adds support for TLS 1.3 to libtls and adds several new features to
existing TLS versions (e.g. support for x25519/x448, EdDSA or RSA-PSS).

Unfortunately, TLS 1.3 is not really usable for TLS-based EAP methods in
practice because, in particular, key derivation is not yet standardized.
While it works between two strongSwan instances and even FreeRADIUS 3.0.21,
there will be compatibility issues in the future when implementations move
to a standardized scheme.  There are currently two Internet-Drafts in
development to specify that (see 121ac4b9e3 for details).  Until they are
more stable, the default maximum version is set to 1.2.

The default minimum version has also been increased to 1.2 and several
older/weaker cipher suites have been removed (e.g. with 3DES and MD5).
2021-02-12 15:32:03 +01:00
Tobias Brunner 74b9ba7cdb tls-crypto: Simplify and extend cipher config filter
This way we automatically can filter for newer algorithms (e.g.
chacha20poly1305).
2021-02-12 14:35:23 +01:00
Tobias Brunner 8b2b5a647b proposal: Add aliases for AES-GCM/CCM without explicit ICV length
These are mapped to use the default, maximum ICV length of 16 bytes.
2021-02-12 14:35:23 +01:00
Tobias Brunner 966a26eaa2 tls-server: Support x25519/448 for TLS 1.2 2021-02-12 14:35:23 +01:00
Tobias Brunner f77ecf0728 tls-crypto: Fallback to any supported ECDH group
If the default group listed in the cipher suite is not supported, we try
to use any other supported group (the groups are negotiated separately
so we are not locked in to a specific group).
2021-02-12 14:35:23 +01:00
Tobias Brunner 311405c34d tls-crypto: Don't filter suites with specific ECDH group if any is available
Since DH groups (or with TLS < 1.3 curves) are negotiated separately,
it doesn't matter which one is listed in the cipher suite as any one could
be used.
2021-02-12 14:35:23 +01:00
Tobias Brunner 85bde019d3 diffie-hellman: Classify x25519 and x448 as ECDH methods 2021-02-12 14:35:23 +01:00
Pascal Knecht e3757300eb tls-crypto: Add signature scheme config file filter
And add signature scheme unit tests.
2021-02-12 14:35:23 +01:00
Pascal Knecht e5b6565730 tls-crypto: Rename DH group/key exchange method config option
TLS key exchange methods are now configured with `ke_group`.
2021-02-12 14:35:23 +01:00
Tobias Brunner a60e248b0d libtls: Increase default min version to 1.2
The older versions are generally considered deprecated (there is an
Internet-Draft that aims to do that formally).
2021-02-12 14:35:23 +01:00
Tobias Brunner 3abcbf82b5 tls-peer: Verify server selects the same cipher suite after HelloRetryRequest
This is as per RFC 8446, section 4.1.4.
2021-02-12 14:35:23 +01:00
Tobias Brunner ab226b3927 tls-server: Select cipher suite also when handling HelloRetryRequest
This was previously treated like a resumption, which it is clearly not.
Also added a check that verifies that the same cipher suite is selected
during the retry, as per RFC 8446, section 4.1.4.
2021-02-12 14:35:23 +01:00
Tobias Brunner 111e907168 tls-server: Remove unused variable 2021-02-12 14:35:23 +01:00
Pascal Knecht dc9f6c68df libtls: Add downgrade protection for TLS 1.3 and TLS 1.2
Section 4.1.3 in RFC 8446 defines a new downgrade protection mechanism
that also affects TLS 1.2.
2021-02-12 14:35:23 +01:00
Shmulik Ladkani a4a128bd2f tls-server: Optionally omit CAs in CertificateRequest messages
Usually, the DNs of all loaded CA certificates are included in the
CertificateRequest messages sent by the server.

Alas, certain EAP-TLS clients fail to process this message if the
list is too long, returning the fatal TLS alert 'illegal parameter'.

This new option allows configuring whether CAs are included or an
empty list is sent (TLS 1.2), or the certificate_authorities extension
is omitted (TLS 1.3).  The list only serves as hint/constraint
for clients during certificate selection, they still have to provide
a certificate but are free to select any one they have available.

Closes strongswan/strongswan#187.
2021-02-12 14:35:23 +01:00
Tobias Brunner 083f38259c tls-eap: Conclude EAP method also after processing packets
With TLS 1.3, the server sends its Finished message first, so the
session is complete after processing the client's Finished message,
without having to send anything else (in particular no acknowledgement
as the last message from the client is no fragment).
2021-02-12 14:35:23 +01:00
Tobias Brunner a00ace0fe2 libtls: Only run socket tests with EdDSA keys if they are supported
ECDSA support is currently required to run the tests because ECDSA
cipher suites are not filtered when determining the supported cipher
suites.  Also required are ECDH groups.
2021-02-12 14:35:23 +01:00
Tobias Brunner 7b64880a8c tls-peer: Don't log anything if we are not sending supported groups 2021-02-12 14:35:23 +01:00
Tobias Brunner 8cf3998f1a tls-crypto: Only log modified TLS versions if successfully set
If no cipher suites are available, the new versions are the previous
values but reversed (i.e. the versions were not changed but we still
ended up with a log message saying "TLS min/max TLS 1.3/TLS 1.0 ...").

Also switched to using the numeric version names to avoid the repeated
"TLS" prefix.
2021-02-12 14:35:23 +01:00
Tobias Brunner 92aef122c3 libtls: Reduce default max version to 1.2
Using TLS 1.3 with various EAP methods is not yet fully standardized, so we
don't enable it by default yet.
2021-02-12 14:35:23 +01:00
Tobias Brunner 663969ddf7 libtls: Make min/max TLS version configurable
Except for the tls_test tool, the versions now default to those
configured in strongswan.conf.
2021-02-12 14:35:23 +01:00