Commit Graph

17934 Commits

Author SHA1 Message Date
Tobias Brunner b51c1d468e tls-hkdf: Support updating client/server traffic secrets 2021-02-12 11:45:44 +01:00
Tobias Brunner 09fbaad6bd tls-socket: Don't fail reading if sending data failed
If data is processed that eventually includes a TLS close notify, build()
will fail after a close notify has been sent in turn.  However, propagating
that error immediately when reading prevented ever returning the data
already processed before the close notify was received.
2021-02-12 11:45:44 +01:00
Tobias Brunner d532d6c7bc tls-peer: Correctly handle classic ECDH key-share format
Similar to TLS 1.2 but uses a 16-bit length header.
2021-02-12 11:45:44 +01:00
Tobias Brunner 8e35b1f1a5 tls-test: Add options to configure TLS versions 2021-02-12 11:45:44 +01:00
Tobias Brunner a7f2818832 tls-socket: Allow configuring both minimum and maximum TLS versions 2021-02-12 11:45:44 +01:00
Tobias Brunner c4576a1f57 tls: Allow setting both minimum and maximum TLS versions
This allows to increase the initial minimum version and also prevents
sending a list of versions during retries when 1.3 was already
negotiated.
2021-02-12 11:45:44 +01:00
Tobias Brunner 2b6565c236 tls-peer: Handle HelloRetryRequest
Adds support to handle retries with different DH group and/or a cookie
extension.
2021-02-12 11:45:44 +01:00
Tobias Brunner 2271d67f07 tls-crypto: Add method to hash handshake data and use result as initial transcript
This is used for HelloRetryRequest.
2021-02-12 11:45:44 +01:00
Tobias Brunner 64e63c68c8 tls-crypto: Destroy HKDF instance if keys are derived multiple times
This will be the case during a retry.
2021-02-12 11:45:44 +01:00
Tobias Brunner 851b605e21 tls-peer: Refactor writing of extensions and use less hard-coded DH group
Note that this breaks connecting to many TLS 1.3 servers until we support
HelloRetryRequest as we now send a key_share for ECP_256 while still
proposing other groups, so many servers request to use CURVE_25519.
2021-02-12 11:45:44 +01:00
Tobias Brunner de31646a09 tls-peer: Refactor sending/processing finished message
Also fixes leaks.
2021-02-12 11:45:44 +01:00
Tobias Brunner 44cda40d58 tls-peer: Simply ignore certificate request context
This SHALL be zero length for server authentication anyway.
2021-02-12 11:45:44 +01:00
Tobias Brunner bfa3178836 tls-peer: Use existing code to verify certificate and signature 2021-02-12 11:45:44 +01:00
Tobias Brunner c78b2bee5d tls-peer: Refactor parsing of TLS extensions
Also adds proper error handling.
2021-02-12 11:45:44 +01:00
Tobias Brunner f0ed5f9125 tls-peer: Fix parsing of encrypted extensions 2021-02-12 11:45:44 +01:00
Tobias Brunner 4c40a3d3f0 tls-peer: Fix parsing of intermediate CA certificates 2021-02-12 11:45:44 +01:00
Tobias Brunner 2e1c0a2776 tls-crypto: Rename methods to calculate finished message
Instead of the version number use "legacy" for the one for earlier TLS
versions.
2021-02-12 11:45:44 +01:00
Tobias Brunner f116a4823f tls-crypto: Use internal PRF of tls-hkdf to generate finished message
Also adds additional checks.
2021-02-12 11:45:44 +01:00
Tobias Brunner a9f661f52a tls-hkdf: Add helper method to allocate data from the internal PRF 2021-02-12 11:45:44 +01:00
Tobias Brunner 6a0ee0c23c tls-hkdf: Cleanups and refactorings
The main refactoring is how secrets (PSK/DH) are handled.
2021-02-12 11:45:44 +01:00
Tobias Brunner de983a3cb9 tls-crypto: Simplify signature creation/verification 2021-02-12 11:45:44 +01:00
Tobias Brunner 2921f43705 tls-crypto: Simplify handshake/application key derivation and rename methods
Also consistently change the ciphers outside of tls_crypto_t and
simplify key derivation in tls_peer_t and fix a memory leak.
2021-02-12 11:45:44 +01:00
Tobias Brunner fff1974012 tls-hkdf: Make labels enum a proper type 2021-02-12 11:45:44 +01:00
Tobias Brunner 8495138d4a tls-peer: Support x25519/448 for TLS 1.2
These DH groups don't use the point format prefix (RFC 8422 deprecated
any other format anyway).  Since they are enumerated now, they can also
be used by servers for TLS 1.2.
2021-02-12 11:45:44 +01:00
Tobias Brunner 3101120c75 tls-crypto: Enumerate x25519/448 and rename constant for consistency 2021-02-12 11:45:44 +01:00
Tobias Brunner 53ba0801ac tls-crypto: Simplify hash algorithm handling 2021-02-12 11:45:44 +01:00
Tobias Brunner 43c8f950a7 tls-crypto: Delay instantiation of cipher suites
This way we can take into account the version set via setter on tls_t.
2021-02-12 11:45:44 +01:00
Tobias Brunner 281766c5e6 tls-crypto: Filter TLS cipher suites by min/max version
There is no point proposing legacy (or future) cipher suites depending on
the proposed TLS versions. It was actually possible to negotiate and use
cipher suites only defined for TLS 1.2 with earlier TLS versions.
2021-02-12 11:45:44 +01:00
Tobias Brunner 436571b2f0 tls-crypto: Correctly filter cipher suites based on PRF algorithms
The previous check operated on the first array element.
2021-02-12 11:45:44 +01:00
Tobias Brunner b7ea969b32 tls-crypto: Use correct key length for ChaCha20/Poly1305 2021-02-12 11:45:44 +01:00
Tobias Brunner ba3c90ded1 libtls: Some code style fixes 2021-02-12 11:45:44 +01:00
Tobias Brunner 4099035a0c tls-test: Make address family configurable and simplify DNS/socket handling 2021-02-12 11:45:44 +01:00
bytinbit 7a2b02667c libtls: Implement TLS 1.3 handshake on client-side
The code is a minimal handshake with the HelloRetryRequest message
implementation missing.
Can be tested with an OpenSSL server running TLS 1.3. The server must
be at least version 1.1.1 (September 2018).

Co-authored-by: ryru <pascal.knecht@hsr.ch>
2021-02-12 11:45:44 +01:00
Pascal K 02d7405512 libtls: Implement HKDF for TLS 1.3
TLS 1.3 uses HMAC-based Extract-and-Expand Key Derivation Function (HKDF)
as defined in RFC 5869 to compute traffic secrets.

Co-authored-by: bytinbit <meline.sieber@hsr.ch>
2021-02-12 11:45:44 +01:00
Tobias Brunner 3d83d348f4 libtls: Add support to run unit tests with a custom plugin list 2021-02-12 11:45:44 +01:00
Tobias Brunner 818dc86568 libtls: Add TLS 1.3 implementation of tls_aead_t
The key material, in particular the nonce/IV, is derived differently and
the IV is also generated in a different way.  Additionally, the actual
content type is encrypted and there may be optional padding to mask the
actual size of the encrypted data.
2021-02-12 11:45:44 +01:00
Tobias Brunner ba2bcdd882 libtls: Allow tls_aead_t to change the content type
The actual content type is encrypted with TLS 1.3, the type in the record
header is always Application Data.
2021-02-12 11:45:44 +01:00
Andreas Steffen 0d43b39931 testing: extended sleep time tkm/xfrmproxy tests 2021-02-12 09:44:00 +01:00
Andreas Steffen ab58f95b12 Version bump to 5.9.2dr2 2021-02-12 08:17:54 +01:00
Tobias Brunner cc25d2195a testing: Copy /etc/resolv.conf from host in chroot script
This makes installing packages etc. easier.
2021-02-11 16:41:06 +01:00
Tobias Brunner f3acc0a87b appveyor: Set timezone on the build system
For some reason, setting the time zone via TZ to `GST-1GDT` in the utils test
doesn't work anymore (the DST zone is not considered, it's as if only `GST-1`
was configured).
2021-02-11 16:40:58 +01:00
Tobias Brunner 8ff8b85ce6 appveyor: Create dummy strongswan.conf file to avoid log messages
Only relevant when increasing the verbosity, but causes quite a lot of
them then.
2021-02-11 16:40:58 +01:00
Tobias Brunner 671164865b appveyor: Print OpenSSL version 2021-02-11 16:40:58 +01:00
Tobias Brunner 781ad0b93b openssl: Allocate our own buffer for i2d_* wrapper macro
If we pass a pointer to NULL, the memory allocated by OpenSSL has to be
freed with OPENSSL_free().  Otherwise, this can lead to random
crashes/freezes for Windows builds as seen on AppVeyor.  To not
complicate things for callers of this macro, we allocate our own memory,
which we already do for other i2d_* calls.
2021-02-11 16:40:58 +01:00
Tobias Brunner 6a440f83ab openssl: Reset HMAC key if chunk_empty is passed
If no valid key is configured (e.g. because it's inadvertently uninitialized),
we should not just reuse the previous key.

The `key_set` flag is not necessary anymore because a non-NULL key is set
during initialization since 6b347d5232 ("openssl: Ensure underlying hash
algorithm is available during HMAC init").
2021-02-11 16:40:58 +01:00
Tobias Brunner cd10ae2ff0 android: Explicitly apply DNS servers to the TUN device
If the peer deletes the CHILD_SA, we recreate it due to the close
action.  However, if we create a new TUN device, we do so with a new
VpnService.Builder object and on that the DNS servers were never applied.
The latter happened only on the fly in the attribute handler when an
IKE_SA was established.  Now we do this explicitly when creating the TUN
device, like the virtual IPs and routes.  While we could avoid the
recreation of the TUN device if the CHILD_SA is recreated, there is the
theoretical possibility that the remote traffic selectors change.  This
way we also avoid adding stuff to the builder in different places.

Fixes #3637.
2021-02-04 16:52:15 +01:00
Tobias Brunner 4dc9edfa55 swanctl: Don't print status message if nothing was loaded to stderr
This is not an error (as reflected by the returned status code) so we
should not print to stderr as output there might still be considered an
error (or at least an audit-worthy event) by some scripts.
2021-02-04 16:50:36 +01:00
Thomas Egerer 2566eb2194 plugin-loader: Add optional filter for plugin features
In some cases, the algorithms that have been compiled into a plugin have
to be disabled at runtime. Based on the array returned by the get_features()
function the optionally provided function can strip algorithms or even
callbacks or registrations from a plugin, giving us a handy and powerful way
for runtime feature configuration aside from the plugin list.

Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
2021-02-04 16:39:27 +01:00
Tobias Brunner e6a6fc33b6 path: Also accept / as directory separator on Windows
This adds helper functions to determine the first or last directory separator
in a string and to check if a given character is a separator.

Paths starting with a separator are now also considered absolute on
Windows as these are rooted at the current drive.

Note that it's fine to use DIRECTORY_SEPARATOR when combining strings as
Windows API calls accept both forward and backward slashes as separators.

Co-authored-by: Michał Skalski <mskalski@enigma.com.pl>

References #3684.
2021-02-03 17:27:57 +01:00
Tobias Brunner 3de65f8d67 enumerator: Implement globbing enumerator on Windows
We don't have glob() available there.  This replacement should work
similarly for simple cases like `include conf.d/*.conf`.

Fixes #3684.
2021-02-03 17:27:31 +01:00