Andreas Steffen [Mon, 1 Apr 2024 10:18:42 +0000 (12:18 +0200)]
oqs: Updated ML-KEM algorithms to liboqs-0.10.0
The liboqs-0.10.0 library implements the NIST FIPS 203 ML-KEM
draft standard. strongSwan now uses the mlkem512 (ML_KEM_512),
mlkem768 (ML_KEM_768) and mlkem1024 (ML_KEM_1024) KE identifiers
but is still assigning private KE codepoints.
Andreas Steffen [Mon, 4 Nov 2019 21:22:47 +0000 (22:22 +0100)]
key-exchange: Joint ke_test_vector format for DH and KEM
Both Diffie-Hellman (DH) and Key Encapsulation Mechanism (KEM) based
key exchange methods use a common ke_test_vector format. The
set_seed() function is used to provide deterministic private key
material for the crypto tests.
unit-tests: Ensure listeners can track SAs via ike/child_updown/rekey()
Previously, it could happen that child_rekey() was triggered twice for
the same "old" SA. For listeners that would mean they'd loose track as
they'd be tracking a new SA that wasn't relevant anymore and for which
no updown event would ever get triggered (it was the redundant SA in a
collision). This new assert ensures that events are triggered in a
predictable way and listeners can track SAs properly.
Tobias Brunner [Mon, 22 Aug 2022 13:43:16 +0000 (15:43 +0200)]
ikev2: Make CHILD_SAs properly trackable during rekey collisions
As the winner of a rekey collision, we previously always triggered the
child_rekey() event once when creating the redundant SA on behalf of the
peer in the passive child-rekey task and then a second time when
creating the winning SA in the active task. However, both calls passed
the replaced CHILD_SA as "old". This made tracking CHILD_SAs impossible
because there was no transition from the redundant, "new" SA of the
first event to the "new", winning SA of the second. Of course, when the
second event was triggered, the redundant SA might not have existed
anymore because the peer is expected to delete it, which could happen
before the CREATE_CHILD_SA response arrives at the initiator.
This refactoring ensures that the child_rekey() event is triggered in
a way that makes the CHILD_SAs trackable in all reasonable (and even
some unreasonable) scenarios. The event is generally only triggered
once after installing the outbound SA for the new/winning CHILD_SA.
This can be when processing the CREATE_CHILD_SA in the active child-rekey
task, or when processing the DELETE for the old SA in a passive
child-delete task. There are some cases where the event is still
triggered twice, but it is now ensured that listeners can properly
transition to the winning SA.
Some corner cases are now also handled correctly, e.g. if a responder's
DELETE for the new CHILD_SA arrives before its CREATE_CHILD_SA response
that actually creates it on the initiator. Also handled properly are
responders of rekeyings that incorrectly send a DELETE for the old
CHILD_SA (previously this caused both, the new and the old SA, to get
deleted).
Tobias Brunner [Thu, 25 Jun 2020 08:26:38 +0000 (10:26 +0200)]
child-create: Add support for multiple key exchanges
It also changes that payloads are built before installing the CHILD_SA
on the responder, that is, the KE payload is generated before keys are
derived, so that key_exchange_t::get_public_key() is called before
get_shared_secret(), or its internal equivalent, which could be relevant
for KE implementations that want to ensure that the key can't be
accessed again after the key derivation.
Tobias Brunner [Thu, 31 Oct 2019 16:16:44 +0000 (17:16 +0100)]
ike-init: Add support for multiple key exchanges
Initially, this is handled with a key derivation for each
IKE_INTERMEDIATE exchange. When rekeying the keys are derived only when
all IKE_FOLLOWUP_KE exchanges are done.
Tobias Brunner [Tue, 20 Aug 2019 15:07:55 +0000 (17:07 +0200)]
ike-auth: Calculate and collect IntAuth for IKE_INTERMEDIATE exchanges
The message ID of the first IKE_AUTH exchange is a safe-guard against
potential truncation attacks if IKE_INTERMEDIATE exchanges are not used
for multiple key exchanges but some other future use where the number of
exchanges might not depend on the selected proposal.
Tobias Brunner [Tue, 8 Feb 2022 13:23:37 +0000 (14:23 +0100)]
ikev2: Reject IKE_INTERMEDIATE requests after IKE_AUTH
We currently only support these exchanges for additional key exchanges,
so once we have the final keys derived and the ike-init task is removed,
we don't expect any more of them.
Tobias Brunner [Fri, 22 Mar 2024 08:57:07 +0000 (09:57 +0100)]
pf-handler: Fix build with musl C library
musl's headers define a lot of networking structs. For some, the
definition in the Linux UAPI headers is then suppressed by e.g.
__UAPI_DEF_ETHHDR.
Since we included musl's net/ethernet.h, which includes netinet/if_ether.h
that defines `struct ethhdr` (and the above constant), **after** we
include linux/if_ether.h, there was a compilation error because the
struct was defined multiple times.
However, simply moving that include doesn't fix the problem because for
ARP-specific structs the Linux headers don't provide __UAPI_DEF* checks.
So instead of directly including the linux/ headers, we include those
provided by the C library. For glibc these usually just include the
Linux headers, but for musl this allows them to define the struct
directly. We also need to move if.h and add packet.h, which define
other structs (or include headers that do so) that we use.
Fixes: 187c72d1afdc ("dhcp: Port the plugin to FreeBSD/macOS")
projects / thirdparty / strongswan.git / log
