Evan Broder [Sat, 22 Aug 2015 23:20:40 +0000 (19:20 -0400)]
vici: Handle closed sockets in the Ruby gem
From recvfrom(2) (which UDPSocket#recv backs into):
The return value will be 0 when the peer has performed an orderly
shutdown.
(i.e. it will return an empty string)
Previously in this scenario, Vici::Transport#recv_all would spin
forever trying to pull more data off the socket. I'm not entirely
clear what happened that caused strongSwan to shutdown the socket, but
it probably should not cause vici Ruby apps to spin.
Tobias Brunner [Fri, 21 Aug 2015 16:27:12 +0000 (18:27 +0200)]
Merge branch 'starter-kernel-flush'
Removes flushing of the IPsec state in the kernel when starter
terminates. We can't easily flush only the policies created for
IPsec SAs (and if installpolicies=no is used we don't want to flush
policies anyway). Also, since existing policies don't cause errors
anymore these aren't really an issue anymore (I think this was one of
the main reasons to flush the state). This behavior is also specific to
starter, so nothing is flushed when charon is used via systemd/swanctl.
This will also allow us to merge libhydra with libcharon in a future
release.
If the previous behavior is needed it can easily be replicated with some
external tools (we could also write a simple utility that does this).
Additional checks in the test environment make sure that the daemon
cleans up the state properly.
Tobias Brunner [Thu, 13 Aug 2015 09:08:41 +0000 (11:08 +0200)]
starter: Don't flush policies in the kernel
We can't control which policies we flush, so if policies are installed
and used outside of strongSwan for other protocols we'd flush them too.
And if installpolicies=no is used we probably shouldn't flush policies
either. Luckily already existing policies are not treated as fatal
errors anymore, so not flushing policies should not be that much of an
issue (in case of a crash in dynamic setups, e.g. with virtual IPs,
policies could be left behind even after restarting the connections and
properly terminating the daemon).
Tobias Brunner [Fri, 21 Aug 2015 16:21:24 +0000 (18:21 +0200)]
Merge branch 'init-limits'
IKE_SAs that are initiated are now counted towards the half-open IKE_SAs
limit. Optionally it is possible to enforce limits towards the number of
half-open IKE_SAs and the job load also when initiating SAs. This is
currently only possible via VICI.
child-rekey: Remove redundant migrate() call for child-create sub-task
When retrying due to a DH group mismatch this is already done by the
child-create task itself. And in other cases where the task returns
NEED_MORE we actually will need access to a possible proposal to properly
delete it.
child-create: Fix crash when retrying CHILD_SA rekeying due to a DH group mismatch
If the responder declines our KE payload during a CHILD_SA rekeying migrate()
is called to reuse the child-create task. But the child-rekey task then
calls the same method again.
Fixes: 32df0d81fb46 ("child-create: Destroy nonceg in migrate()")
Tobias Brunner [Thu, 20 Aug 2015 17:37:09 +0000 (19:37 +0200)]
Merge branch 'stroke-ca-sections'
This resolves the duplicate CERTREQ issue when certificates in
ipsec.d/cacerts were referenced in ca sections. It also ensures CA
certificates are reloaded atomically, so there is never a time when
an unchanged CA certificate is not available.
Tobias Brunner [Thu, 20 Aug 2015 13:29:33 +0000 (15:29 +0200)]
stroke: Change how CA certificates are stored
Since 11c14bd2f5 CA certificates referenced in ca sections were
enumerated by two credential sets if they were also stored in
ipsec.d/cacerts. This caused duplicate certificate requests to
get sent. All CA certificates, whether loaded automatically or
via a ca section, are now stored in stroke_ca_t.
Certificates referenced in ca sections are now also reloaded
when `ipsec rereadcacerts` is used.
Tobias Brunner [Wed, 19 Aug 2015 13:28:02 +0000 (15:28 +0200)]
ikev1: Fix handling of overlapping Quick Mode exchanges
In some cases the third message of a Quick Mode exchange might arrive
after the first message of a subsequent Quick Mode exchange. Previously
these messages were handled incorrectly and the second Quick Mode
exchange failed.
Some implementations might even try to establish multiple Quick Modes
simultaneously, which is explicitly allowed in RFC 2409. We don't fully
support that, though, in particular in case of retransmits.
While Linux defines constants for AES-GCM in pfkeyv2.h since 2.6.25 it
does not actually support it. When SAs are installed via PF_KEY only a
lookup in XFRM's list of encryption algorithms is done, but AES-GCM is in
a different table for AEAD algorithms (there is currently no lookup
function to find algorithms in that table via PF_KEY identifier).
Tobias Brunner [Wed, 10 Jun 2015 13:53:08 +0000 (15:53 +0200)]
ikev2: Drop IKE_SA_INIT messages that don't have the initiator flag set
While this doesn't really create any problems it is not 100% correct to
accept such messages because, of course, the sender of an IKE_SA_INIT
request is always the original initiator of an IKE_SA.
We currently don't check the flag later, so we wouldn't notice if the
peer doesn't set it in later messages (ike_sa_id_t.equals doesn't
compare it anymore since we added support for IKEv1, in particular since 17ec1c74de).
Tobias Brunner [Wed, 19 Aug 2015 15:25:30 +0000 (17:25 +0200)]
ikev1: Pass current auth-cfg when looking for key to determine auth method
If multiple certificates use the same subjects we might choose the wrong
one otherwise. This way we use the one referenced with leftcert and
stored in the auth-cfg and we actually do the same thing later in the
pubkey authenticator.
Tobias Brunner [Mon, 8 Jun 2015 14:52:03 +0000 (16:52 +0200)]
ikev2: Store outer EAP method used to authenticate remote peer in auth-cfg
This allows symmetric configuration of EAP methods (i.e. the same value
in leftauth and rightauth) when mutual EAP-only authentication is used.
Previously the client had to configure rightauth=eap or rightauth=any,
which prevented it from using this same config as responder.
Tobias Brunner [Tue, 18 Aug 2015 15:35:39 +0000 (17:35 +0200)]
ike: Use the original port when remote resolves to %any
When reestablishing the IKE_SA we should still use the original port
when right resolves to %any as some implementations might not like
initial IKE messages on port 4500 (especially for IKEv1).
Andreas Steffen [Tue, 18 Aug 2015 18:25:26 +0000 (20:25 +0200)]
Fixed the implemention of the IF-M segmentation protocol
The first segment only fit if the segmentation envelope attribute
was preceded by a Max Attribute Size Response attribute. The
improved implementation fills up the first PA-TNC message with
the first segment up to the maximum message size.
Tobias Brunner [Wed, 5 Aug 2015 14:51:38 +0000 (16:51 +0200)]
kernel-netlink: Avoid route dump if routing rule excludes traffic with a certain mark
If the routing rule we use to direct traffic to our own routing table
excludes traffic with a certain mark (fwmark = !<mark>) we can simplify
the route lookup and avoid dumping all routes by passing the mark to the
request. That way our own routes are ignored and we get the preferred
route back without having to dump and analyze all routes, which is quite a
burden on hosts with lots of routes.
Tobias Brunner [Thu, 13 Aug 2015 12:37:15 +0000 (14:37 +0200)]
ha: Recreate the control FIFO if the file exists but is not a FIFO
This may happen if something like `echo ... > /path/to/fifo` is used
before the plugin was able to create the FIFO. In that case we'd end
up in a loop always reading the same values from the static file.
Tobias Brunner [Thu, 13 Aug 2015 16:54:34 +0000 (18:54 +0200)]
ikev1: Assume a default key length of 128-bit for AES-CBC
Some implementations don't send a Key Length attribute for AES-128.
This was allowed for IKE in early drafts of RFC 3602, however, some
implementations also seem to do it for ESP, where it never was allowed.
And the final version of RFC 3602 demands a Key Length attribute for both
phases so they shouldn't do it anymore anyway.
Tobias Brunner [Mon, 3 Aug 2015 11:55:36 +0000 (13:55 +0200)]
auth-cfg: Matching one CA should be enough, similar to peer certificates
Not sure if defining multiple CA constraints and enforcing _all_ of them,
i.e. the previous behavior, makes even sense. To ensure a very specific
chain it should be enough to define the last intermediate CA. On the
other hand, the ability to define multiple CAs could simplify configuration.
This can currently only be used with swanctl/VICI based configs as `rightca`
only takes a single DN.
During a rekeying we want to reuse the current reqid, but if the new SA
does not allocate it via kernel-interface the state there will disappear
when the old SA is destroyed after the rekeying. When the IKE_SA is
later reauthenticated with make-before-break reauthentication the new
CHILD_SAs there will get new reqids as no existing state is found in the
kernel-interface, breaking policy installation in the kernel.
Fixes: a49393954f31 ("child-sa: Use any fixed reqid configured on the CHILD_SA config")
scripts: Add script to extract the ASN.1 subject DN from a certificate
This can be useful if the subject DN has to be configured with the
asn1dn: prefix in ipsec.conf (e.g. because the actual encoding can't be
created by strongSwan's string parser/encoder).
Tobias Brunner [Tue, 4 Aug 2015 12:43:26 +0000 (14:43 +0200)]
utils: Don't use directory enumerator to close open FDs in closefrom()
Calling malloc() after fork() is potentially unsafe, so we should avoid
it if possible. opendir() will still require an allocation but that's
less than the variant using the enumerator wrapper, thus, decreasing
the conflict potential. This way we can also avoid closing the
FD for the enumerated directory itself.
projects / thirdparty / strongswan.git / log
