Tobias Brunner [Mon, 24 Nov 2014 16:28:27 +0000 (17:28 +0100)]
ikev1: Use same map for AH and ESP authentication algorithms
The transform identifier used in AH transforms is not the same as the
authentication algorithm identifier used in the transform attributes in
AH (and ESP) transforms.
Tobias Brunner [Fri, 17 Oct 2014 10:33:14 +0000 (12:33 +0200)]
asn1: Add OID for Blowfish CBC
The OID (1.3.6.1.4.1.3029.1.2) is technically not correct, the correct
one is (1.3.6.1.4.1.3029.1.1.2). Every other library or tool (like OpenSSL)
uses the incorrect one so we do the same.
Martin Willi [Fri, 5 Dec 2014 12:48:51 +0000 (13:48 +0100)]
diffie-hellman: Handle dh_exponent_ansi_x9_42 as a boolean setting
While it was always documented as boolean setting, the option is currently
handled as integer value, for which yes/no values do not work. Instead the
default of TRUE is used for a no value.
The option has been moved a lot during the last years, and in some locations
was handled as bool, in some as integer. In the latest codebase it
congruently used integer, which is actually not what is documented and used
in testing.
Tobias Brunner [Thu, 16 Oct 2014 14:16:48 +0000 (16:16 +0200)]
unity: Only do narrowing of responder's TS if we received 0.0.0.0/0
iOS and Mac OS X clients establish individual IPsec SAs for the traffic
selectors received in Split-Include attributes (might have been different
in earlier releases). If we return 0.0.0.0/0 as TSr that either results
in a bunch of Quick Mode exchanges (for each TS), or with the latest
client releases an error notify (ATTRIBUTES_NOT_SUPPORTED).
We also can't install the IPsec SA with all configured subnets as that
would cause conflicts if the client later negotiates SAs for other subnets,
which iOS 8 does based on traffic to such subnets.
For Shrew and the Cisco client, which propose 0.0.0.0/0, we still need to
override the narrowed TS with 0.0.0.0/0, as they otherwise won't accept
the Quick Mode response. Likewise, we also have to narrow the TS before
installing the IPsec SAs and policies.
So we basically have to follow the client's proposal and only modify TSr
if we received 0.0.0.0/0. Since we don't get the original TS in the
narrow hook we handle the inbound QM messages and make note of IKE_SAs on
which we received a TSr of 0.0.0.0/0.
Martin Willi [Fri, 28 Nov 2014 08:39:40 +0000 (09:39 +0100)]
kernel-wfp: Install outbound ALE connect rules for IPsec
Similar to the inbound rules, the ALE filter processes IP-in-IP packets for
outbound tunnel mode traffic. When using an outbound default-drop policy,
Windows does not allow connection initiation without these explicit rules.
Martin Willi [Thu, 27 Nov 2014 18:19:09 +0000 (19:19 +0100)]
kernel-wfp: Install inbound ALE IP-in-IP filters
When processing inbound tunnel mode packets, Windows decrypts packets and
filters them as IP-in-IP packets. We therefore require an ALE filter that
calls the FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_ALE_ACCEPT callout to allow them
when using a default-drop policy.
Without these rules, any outbound packet created an ALE state that allows
inbound packets as well. Processing inbound packets without any outbound
traffic fails without these rules.
Martin Willi [Wed, 19 Nov 2014 13:20:47 +0000 (14:20 +0100)]
vici: Make sure to send/recv all requested bytes over socket
As the underlying C functions, send/recv on ruby sockets are not guaranteed
to send/recv all requested bytes. Use wrapper functions to make sure we get
all bytes needed.
Andreas Steffen [Mon, 10 Nov 2014 06:56:28 +0000 (07:56 +0100)]
Implemented get_byte() method for mgf1_bitspender class
The new get_byte() method returns a pseudo-random byte at a time.
Changed the get_bits() interface to the same interface as get_byte().
Updated the mgf1 unit-tests accordingly.
Andreas Steffen [Sat, 25 Oct 2014 17:09:41 +0000 (19:09 +0200)]
Implemented Number Theoretic Transform using the FFT algorithm
By pre-multiplying the input arrays with a linear phase the
fast multiplication via FFT and inverse FFT computes a negative
wrapped convolution corresponding to a modulus of x^n+1.
poll() may return POLLHUP or POLLNVAL for given file descriptors. To handle
these properly, we signal them to the EXCEPT watcher state, if registered. If
not, we call the read/write callbacks, so they can properly fail when trying
to read from or write to the file descriptor.
Martin Willi [Fri, 21 Nov 2014 11:49:07 +0000 (12:49 +0100)]
Merge branch 'poll'
Replace relevant uses of select() by poll(). poll(2) avoids the difficulties
we have with more than 1024 open file descriptors, and seems to be fairly
portable.
Martin Willi [Fri, 21 Nov 2014 10:43:20 +0000 (11:43 +0100)]
socket-default: Use round-robin selection of sockets to read from
If multiple sockets are ready, we previously preferred the IPv4 non-NAT socket
over others. To handle all with equal priority, use a round-robin selection.
Martin Willi [Fri, 21 Nov 2014 10:23:08 +0000 (11:23 +0100)]
tun-device: Read from tun to buffer on stack to avoid over-allocation of packets
Instead of allocating MTU-sized buffers for each packet, read to a stack buffer
and copy to an allocation of the actual packet size. While it requires an
additional copy on non-Apple platforms, this should make allocation more
efficient for small packets.
Martin Willi [Fri, 21 Nov 2014 10:01:39 +0000 (11:01 +0100)]
Merge branch 'netlink-extensions'
Introduces options to enable concurrent Netlink queries. While this does not
make much sense on vanilla Linux, this can help on third party stacks to
increase throughput if longer latencies are to expect. Netlink message
retransmission can be optionally enabled if transmission is unreliable.
Non-socket based IKE bypass policies and other tweaks bring better compatibility
to third party stacks using Netlink.
Martin Willi [Thu, 14 Aug 2014 09:33:12 +0000 (11:33 +0200)]
kernel-netlink: Optionally ignore errors resulting from response message loss
As some backends over unreliable transport do not cache response messages,
retransmissions due the loss of responses perform the operation again. Add an
option to ignore some errors arising from such duplicate operations.
Note: This approach can't distinguish between real EXIST/NOTFOUND errors
and packet failures, and therefore is a source of race conditions and can't
detect any of these errors actually happening. Therefore that behavior is
disabled by default, and can be enabled with the ignore_retransmit_errors
strongswan.conf option.
To properly distinguish between real and retransmission errors, a Netlink
backend should implement retransmission detection using sequence numbers.
Martin Willi [Wed, 16 Jul 2014 14:31:52 +0000 (16:31 +0200)]
kernel-netlink: Alternatively support global port based IKE bypass policies
The socket based IKE bypass policies are usually superior, but not supported
on all networking stacks. The port based variant uses global policies for the
UDP ports we have IKE sockets for.
Martin Willi [Wed, 16 Jul 2014 10:38:30 +0000 (12:38 +0200)]
kernel-netlink: Add options to enable parallel Netlink queries explicitly
As under vanilla Linux the kernel can't handle parallel dump queries and returns
EBUSY, it makes not much sense to use them. Disable parallel queries by default
to basically restore original behavior, improving performance.
Martin Willi [Wed, 16 Jul 2014 09:59:59 +0000 (11:59 +0200)]
kernel-netlink: Release lock while doing Netlink NEW/DELADDR operations
Besides that it can improve throughput, it avoids a deadlock situation. If
all threads are busy, watcher will invoke the FD notification for NEWADDR
events itself. If the lock is held, it gets locked up. As watcher is not
dispatching anymore, it can't signal Netlink socket send() completion, and
the send() operation does not return and keeps the lock.
Martin Willi [Mon, 14 Jul 2014 14:50:07 +0000 (16:50 +0200)]
kernel-netlink: Retry netlink query while kernel returns EBUSY
If the kernel can't execute a Netlink query because a different query is already
active, it returns EBUSY. As this can happen now as we support parallel queries,
retry on this error condition.
Martin Willi [Thu, 10 Jul 2014 14:28:44 +0000 (16:28 +0200)]
kernel-netlink: Support parallel Netlink queries
Instead of locking the socket exclusively to wait for replies, use watcher
to wait for and read in responses asynchronously. This allows multiple parallel
Netlink queries, which can significantly improve performance if the kernel
Netlink layer has longer latencies and supports parallel queries.
For vanilla Linux, parallel queries don't make much sense, as it usually returns
EBUSY for the relevant dump requests. This requires a retry, and in the end
makes queries more expensive under high load.
Instead of checking the Netlink message sequence number to detect multi-part
messages, this code now relies on the NLM_F_MULTI flag to detect them. This
has previously been avoided (by 1d51abb7). It is unclear if the flag did not
work correctly on very old Linux kernels, or if the flag was not used
appropriately by strongSwan. The flag seems to work just fine back to 2.6.18,
which is a kernel still in use by RedHat/CentOS 5.
Tobias Brunner [Tue, 11 Nov 2014 17:50:26 +0000 (18:50 +0100)]
mem-pool: Fix potential memory leak and lost leases when reassigning leases
If no offline leases are available for the current client and assigning online
leases is disabled, and if all IPs of the pool have already been assigned to
clients we look for offline leases that previously were assigned to other
clients.
In case the current client has online leases the previous code would
replace the existing mapping entry and besides resulting in a memory leak
the online leases would be lost forever (even if the client later releases
the addresses). If this happens repeatedly the number of available addresses
would decrease even though the total number of online and offline leases seen
in `ipsec leases` would indicate that there are free addresses available.
Tobias Brunner [Thu, 6 Nov 2014 15:33:01 +0000 (16:33 +0100)]
Merge branch 'android-eap-tls'
This adds support for EAP-TLS authentication on Android.
EAP-only authentication is currently not allowed because the AAA identity
is not configurable, so to prevent anyone with a valid certificate from
impersonating the AAA server and thus the gateway, we authenticate the
gateway (like we do with other authentication methods).
Also, it's currently not possible to select a specific CA certificate to
authenticate the AAA server certificate, so it either must be issued by the
same CA as that of the gateway or automatic CA certificate selection must
be used.
Tobias Brunner [Tue, 21 Oct 2014 16:28:24 +0000 (18:28 +0200)]
android: Use %any as AAA identity, but disable EAP-only authentication
Without verification of the identity we can't prevent a malicious user
with a valid certificate from impersonating the AAA server and thus the
VPN gateway. So unless we make the AAA identity configurable we have to
prevent EAP-only authentication.