Martin Willi [Tue, 25 Mar 2014 13:14:37 +0000 (14:14 +0100)]
unit-tests: Catch timeouts during test runner deinit function
The test runner deinit function often cancels all threads from the pool. This
operation might hang on error conditions, hence we should include that hook in
the test timeout to fail properly.
Martin Willi [Mon, 24 Mar 2014 16:17:50 +0000 (17:17 +0100)]
unit-tests: Prevent a failing worker thread to go wild after it fails
A worker raises SIGUSR1 to inform the main thread that the test fails. The main
thread then starts cancelling workers, but the offending thread should be
terminated immediately to prevent it from test continuation.
Martin Willi [Mon, 31 Mar 2014 14:17:57 +0000 (16:17 +0200)]
Merge branch 'tls-aead'
Adds AEAD support to the TLS stack, currently supporting AES-GCM. Brings fixes
for TLS record fragmentation, enforcing TLS versions < 1.2 and proper signature
scheme support indication.
Martin Willi [Tue, 25 Mar 2014 09:50:51 +0000 (10:50 +0100)]
tls: Include TLS version announced in Client Hello in encrypted premaster
While a hardcoded 1.2 version is fine when we offer that in Client Hello, we
should include the actually offered version if it has been reduced before
starting the exchange.
Martin Willi [Fri, 21 Mar 2014 08:29:44 +0000 (09:29 +0100)]
tls: Check for minimal TLS record length before each record iteration
Fixes fragment reassembling if a buffer contains more than one record, but
the last record contains a partial TLS record header. Thanks to Nick Saunders
and Jamil Nimeh for identifying this issue and providing a fix for it.
Martin Willi [Mon, 3 Feb 2014 12:20:46 +0000 (13:20 +0100)]
tls: Separate TLS protection to abstracted AEAD modes
To better separate the code path for different TLS versions and modes of
operation, we introduce a TLS AEAD abstraction. We provide three implementations
using traditional transforms, and get prepared for TLS AEAD modes.
Martin Willi [Fri, 31 Jan 2014 14:53:38 +0000 (15:53 +0100)]
aead: Support custom AEAD salt sizes
The salt, or often called implicit nonce, varies between AEAD algorithms and
their use in protocols. For IKE and ESP, GCM uses 4 bytes, while CCM uses
3 bytes. With TLS, however, AEAD mode uses 4 bytes for both GCM and CCM.
Our GCM backends currently support 4 bytes and CCM 3 bytes only. This is fine
until we go for CCM mode support in TLS, which requires 4 byte nonces.
Martin Willi [Mon, 31 Mar 2014 12:44:50 +0000 (14:44 +0200)]
Merge branch 'ocsp-constraints'
Limits cached OCSP verification to responses signed by the CA, a directly
delegated signer or a pre-installed OCSP responder certificate. Disables
auth config merge for revocation trust-chain strength checkin, as it breaks
CA constraints in some scenarios.
Martin Willi [Tue, 25 Mar 2014 13:34:58 +0000 (14:34 +0100)]
revocation: Restrict OCSP signing to specific certificates
To avoid considering each cached OCSP response and evaluating its trustchain,
we limit the certificates considered for OCSP signing to:
- The issuing CA of the checked certificate
- A directly delegated signer by the same CA, having the OCSP signer constraint
- Any locally installed (trusted) certificate having the OCSP signer constraint
The first two options cover the requirements from RFC 6960 2.6. For
compatibility with non-conforming CAs, we allow the third option as exception,
but require the installation of such certificates locally.
Martin Willi [Thu, 27 Mar 2014 09:59:29 +0000 (10:59 +0100)]
revocation: Don't merge auth config of CLR/OCSP trustchain validation
This behavior was introduced with 6840a6fb to avoid key/signature strength
checking for the revocation trustchain as we do it for end entity certificates.
Unfortunately this breaks CA constraint checking under certain conditions, as
we merge additional intermediate/CA certificates to the auth config.
As key/signature strength checking of the revocation trustchain is a rather
exotic requirement we drop support for that to properly enforce CA constraints.
Tobias Brunner [Fri, 28 Feb 2014 14:27:52 +0000 (15:27 +0100)]
proposal: Don't fail DH proposal matching if peer includes NONE
The DH transform is optional for ESP/AH proposals. The initiator can
include NONE (0) in its proposal to indicate that while it prefers to
do a DH exchange, the responder may still decide to not do so.
Martin Willi [Mon, 31 Mar 2014 10:11:04 +0000 (12:11 +0200)]
Merge branch 'acerts'
(Re-)Introduces X.509 Attribute Certificate support in IKE, and cleans up the
x509 AC parser/generator. ACs may be stored locally or exchanged in IKEv2
CERT payloads, Attribute Authorities must be installed locally. pki --acert
issues Attribute Certificates and replaces the removed openac utility.
Martin Willi [Wed, 5 Feb 2014 15:59:55 +0000 (16:59 +0100)]
acert: Implement a plugin finding, validating and evaluating attribute certs
This validator checks for any attribute certificate it can find for validated
end entity certificates and tries to extract group membership information
used for connection authorization rules.
Tobias Brunner [Tue, 25 Mar 2014 10:46:17 +0000 (11:46 +0100)]
travis: Run the "all" test case with leak detective enabled
But disable the gcrypt plugin, as it causes leaks.
Also disable the backtraces by libunwind as they seem to cause
threads to get cleaned up after the leak detective already has been
disabled, which leads to invalid free()s.
Tobias Brunner [Fri, 14 Mar 2014 16:33:22 +0000 (17:33 +0100)]
openssl: Add default fallback when calculating fingerprints of RSA keys
We still try to calculate these directly as it can avoid a dependency on
the pkcs1 or other plugins. But for e.g. PGPv3 keys we need to delegate the
actual fingerprint calculation to the pgp plugin.
Tobias Brunner [Thu, 20 Mar 2014 17:49:03 +0000 (18:49 +0100)]
Merge branch 'travis-ci'
Adds a config file and build script for Travis CI. Makes the unit tests
buildable with Clang, and test vectors are now actually verified when
the unit tests are executed.
Also adds options to run only selected test suites and to increase the debug
level during unit tests.
The --enable/disable configure options have been reordered and grouped, and
an option to enable all the features has been added (plus an option to
select a specific printf-hook implementation).
Tobias Brunner [Tue, 18 Mar 2014 14:25:56 +0000 (15:25 +0100)]
travis: Use parallel build
Not sure if 4 jobs is optimal, but according to the docs each build host
has 1.5 virtual cores available (although "getconf _NPROCESSORS_ONLN"
returns 32, which is probably the number of real cores underneath), so
more jobs might not actually reduce the build time much more.
Tobias Brunner [Fri, 14 Mar 2014 08:56:23 +0000 (09:56 +0100)]
crypto-tester: Don't fail if key size is not supported
The Blowfish and Twofish implementations provided by the gcrypt plugin
only support specific key lengths, which we don't know when testing
against vectors (either during unit tests or during algorithm
registration). The on_create test with a specific key length will be
skipped anyway, so there is no point in treating this failure differently.
Tobias Brunner [Thu, 13 Mar 2014 15:03:05 +0000 (16:03 +0100)]
unit-tests: Actually verify registered algorithms against test vectors
Previously, the {ns}.crypto_test.on_add option had to be enabled to
actually test the algorithms, which we can't enforce for the tests in
the test_runner as the option is already read when the crypto factory
is initialized. Even so, we wouldn't want to do this for every unit
test, which would be the result of enabling that option.
Tobias Brunner [Fri, 28 Feb 2014 16:08:39 +0000 (17:08 +0100)]
unit-tests: Change how hashtable for testable functions is created
Because GCC does not adhere to the priorities defined for constructors
when building with --enable-monolithic (not sure if it was just luck
that it worked in non-monolithic mode - anyway, it's not very portable)
function registration would fail because the hashtable would not be
created yet.