For salt lengths other than 20 this requires 0bd8137e68c2 ("cipher:
Add option to specify salt length for PSS verification."), which was
included in libgcrypt 1.7.0 (for Ubuntu requires 17.04). As that makes
it pretty much useless for us (SHA-1 is a MUST NOT), we require that version
to even provide the feature.
unit-tests: Add FIPS 186-4 RSASSA-PSS test vectors
Since not all implementations allow setting a specific salt value when
generating signatures (e.g. OpenSSL doesn't), we are often limited to
only using the test vectors with salt length of 0.
We also exclude test vectors with SHA-1, SHA-224 and SHA-384.
proposal: Remove MODP-1024 from default IKE proposal
RFC 8247 demoted it to SHOULD NOT. This might break connections with
Windows clients unless they are configured to use a stronger group or
matching weak proposals are configured explicitly on the server.
Tobias Brunner [Mon, 6 Nov 2017 09:29:56 +0000 (10:29 +0100)]
pool: Destroy enumerator before deleting existing pool
The MySQL client doesn't like overlapping queries on the same
connection, so we make sure to destroy the enumerator used to check for
an existing pool before deleting it when --replace is used.
Tobias Brunner [Fri, 6 Oct 2017 12:51:37 +0000 (14:51 +0200)]
pkcs11: Call C_Finalize() to cancel jobs waiting in C_WaitForSlotEvent()
This is not ideal as the call to C_Finalize() should be the last one via
the PKCS#11 API. Since the order in which jobs are canceled is undefined
we can't be sure there is no other thread still using the library (it could
even be the canceled job that still handles a previous slot event).
According to PKCS#11 the behavior of C_Finalize() is undefined while other
threads still make calls over the API.
However, canceling the thread, as done previously, could also be problematic
as PKCS#11 libraries could hold locks while in the C_WaitForSlotEvent() call,
which might not get released properly when the thread is just canceled,
and which then might cause later calls to other API functions to block.
Tobias Brunner [Wed, 11 Oct 2017 16:10:46 +0000 (18:10 +0200)]
starter: Add the correct keywords header file to EXTRA_DIST
The fix for gperf in 0ae19f0ced8d added the generated header to
EXTRA_DIST but that's already added to the distribution because it is
contained in *_SOURCES, what was not added, though, was the .h.in file.
Also fixes the reference to the header file in the .c rule here and for
stroke in out-of-tree builds.
watcher: Don't notify watcher if removed FD was not found
This can happen if a stream is used blocking exclusively (the FD is
never registered with watcher, but is removed in the stream's destructor
just in case it ever was - doing this conditionally would require an
additional flag in streams). There may be no thread reading from
the read end of the notify pipe (e.g. in starter), causing the write
to the notify pipe to block after it's full. Anyway, doing a relatively
expensive FD update is unnecessary if there were no changes.
The implementation currently is very basic and right now only the first
file descriptor for a particular identifier is picked up if there are
multiple socket units with the same FileDescriptorName.
Tobias Brunner [Wed, 30 Aug 2017 13:15:31 +0000 (15:15 +0200)]
starter: Don't define any hard-coded proposal strings
Just rely on the default proposals by charon if nothing is defined. The
hard-coded IKE proposal used curve25519, which depends on an optional
plugin (while enabled by default it might still not be loaded, or, like
on Debian, shipped in an optional package). With charon's default
proposal only loaded algorithms are proposed for IKE avoiding this issue.
Tobias Brunner [Wed, 30 Aug 2017 10:30:02 +0000 (12:30 +0200)]
configure: Also check for libcrypto on Windows
With OpenSSL 1.1.0 the library is now named libcrypto too on Windows.
Check for libeay32 first so we don't link against the build environment's
version of OpenSSL instead of the native one that might be available.
gperf is not actually a build dependency as the generated files are
shipped in the tarball. So the type depends on the gperf version on
the host that ran gperf and created the tarball, which might not be
the same as that on the actual build host, and gperf might not even
be installed there, leaving the type undetermined.
Fixes: e0e43229736a ("configure: Detect type of length parameter for gperf generated function")
Tobias Brunner [Mon, 28 Aug 2017 17:12:16 +0000 (19:12 +0200)]
kernel-pfroute: Delay call to if_indextoname(3) when handling RTM_IFINFO
It seems that there is a race, at least in 10.13, that lets
if_indextoname() fail for the new TUN device. So we delay the call a bit,
which seems to "fix" the issue. It's strange anyway that the previous
delay was only applied when an iface entry was already found.
Recent releases of glibc don't include the full stdint.h header in some
network headers included by utils.h. So uintptr_t might not be defined.
Since we use fixed width integers, including the latter, all over the place
we make sure the complete file is included.
The value of DHCP_OPTEND is 255. When it is assigned this result in a
sign change as the positive int constant is cast to a signed char and -1
results. Clang 4.0 complains about this.
travis: Use Clang 4.0 instead of 3.9 due to va_start() warnings
This is a follow up on the issue documented in the previous commit.
To build with -Werror and Clang 3.9 we'd have to change all enum arguments
that are used as last argument before ... to e.g. u_int, which affects
quite a lot of places (crypto-factory, MODP_CUSTOM constructors, auth-cfg,
bus, vici-builder, vici-message). Besides that it doesn't look as nice
it also seems a bit too much hassle just to cater to the whims of a
particular version of one compiler, so we just don't build with that
version on Travis and use 4.0 instead.
settings: Fix possible undefined behavior with va_start() and bool
This fixes compilation with -Werror when using Clang 4.0 (but not 3.9)
and possibly prevents undefined behavior.
According to the C standard the following applies to the second
parameter of the va_start() macro (subclause 7.16.1.4, paragraph 4):
The parameter parmN is the identifier of the rightmost parameter
in the variable parameter list in the function definition (the
one just before the ...). If the parameter parmN is declared with
the register storage class, with a function or array type, or with
a type that is not compatible with the type that results after
application of the default argument promotions, the behavior is
undefined.
Because bool is usually just 1 byte and therefore smaller than int (i.e.
the result of default argument promotion) its use as last argument before
... might result in undefined behavior. This theoretically can also
apply to enums as a compiler may use a smaller base type than int.
Since Clang 3.9 (currently in use on Travis by default) a warning is
issued about this, however, that version did not yet compare the actual
size of the argument's type, causing warnings where they are not
warranted (basically for all cases where enum types are used for the
last argument). This was apparently fixed with Clang 4.0, which only
warns about this use of bool with va_start(), which makes sense.
Define MODP_CUSTOM constructors as variadic functions
They now match the dh_constructor_t signature. This is a follow up for
the changes merged with b668bf3f9ec1 and should fix use of MODP_CUSTOM on
Apple's ARM64 platform.
child-create: Don't consider a DH group mismatch as failure as responder
This causes problems e.g. on Android where we handle the alert (and
reestablish the IKE_SA) even though it usually is no problem if the
peer retries with the requested group. We don't consider it as a
failure on the initiator either.
Tobias Brunner [Mon, 14 Aug 2017 14:03:54 +0000 (16:03 +0200)]
libipsec: Make sure to expire the right SA
If an IPsec SA is actually replaced with a rekeying its entry in the
manager is freed. That means that when the hard expire is triggered a
new entry might be found at the cached pointer location. So we have
to make sure we trigger the expire only if we found the right SA.
We could use SPI and addresses for the lookup, but this here requires
a bit less memory and is just a small change. Another option would be to
somehow cancel the queued job, but our scheduler doesn't allow that at
the moment.
This fixes "packet too short" errors when parsing fragmented IPv4
packets and correctly determines the protocol in fragmented IPv6 packets.
Protocol headers are only parsed in unfragmented IPv4 and IPv6 packets,
or IPv4 first fragments.
ip-packet: Correctly determine protocol in fragmented IPv6 packets
We don't attempt to parse the transport headers for fragments, not even
for the initial fragment (it's not guaranteed they contain the header,
depending on the number and type of extension headers).