Tobias Brunner [Thu, 20 Mar 2025 13:52:32 +0000 (14:52 +0100)]
kernel-interface: Change reqid if seq. nos. are supported and narrowing occurred
With the sequence numbers we don't have to maintain the reqid to delete
the temporary state.
One exception is with labels. There we currently only install trap
policies with the generic label. SAs created from those don't have
policies installed, so we have to reuse the reqid of the trap even if
narrowing occurs.
And as before, we reuse the reqid without checking traffic selectors if
sequence numbers are not supported.
Note that if a CHILD_SA is manually initiated (i.e. has no sequence
number assigned) right before an acquire is triggered, there are several
possible outcomes depending on whether narrowing occurs. If there is no
narrowing, the same reqid is assigned and the kernel will remove the
temporary SA when the SA is installed (no seq => reqid match).
Afterwards, the queued duplicate CHILD_SA is destroyed and the acquire
state in the trap manager gets removed. If there is narrowing, a new
reqid is allocated, so the installation of the SA will not remove the
temporary state. However, due to the narrowing, the duplicate check
fails and when the duplicate is installed (with sequence number), the
temporary state is deleted (as is the state in the trap manager).
Tobias Brunner [Wed, 19 Mar 2025 14:34:58 +0000 (15:34 +0100)]
child-cfg: Use separate method to get configured traffic selectors
Optionally with "dynamic" traffic selectors resolved. A new method
is added for those cases where we actually want to select potentially
narrowed traffic selectors using a supplied list. The latter now also
always logs details, while the former does not.
Tobias Brunner [Wed, 19 Mar 2025 13:20:46 +0000 (14:20 +0100)]
trap-manager: Use sequence numbers to identify acquires
Either use the sequence number from the kernel (and potentially update
it if the acquire was retriggered), or generate our own sequence
numbers, which simplifies matching acquires to established/destroyed
CHILD_SAs.
identification: Add support for POSIX regular expressions
When cross-compiling for Windows on Ubuntu, we don't have POSIX regular
expressions available (there does not seem to be any alternative libraries
either), but since the tests are not executed that's OK. On AppVeyor,
MSYS2 has libgnurx installed, which works fine but requires explicit
linking with `-lregex`.
This is loosely based on a patch by Thomas Egerer.
Tobias Brunner [Tue, 13 May 2025 14:47:13 +0000 (16:47 +0200)]
vici: Make threads handling requests get canceled explicitly
Threads initiating SAs can get stuck on the semaphore in
wait_for_listener() during shutdown if the corresponding job is never
executed. A particular case when this can happen is if more initiations
are triggered than worker threads are available. This causes a (known)
deadlock as no workers are free anymore to process jobs (for inbound
messages or timeouts etc.), including the one to initiate an SA.
This change at least allows a proper shutdown.
Tobias Brunner [Mon, 19 May 2025 13:49:58 +0000 (15:49 +0200)]
uci: Remove obsolete and broken plugin
The plugin was apparently broken for years because it uses functions that
don't exist anymore. It was quite limited anyway, so it was never really
used in OpenWrt to begin with (instead they generate configs in a custom
init script).
Gerardo Ravago [Mon, 12 May 2025 18:17:46 +0000 (14:17 -0400)]
openssl: Fix AWS-LC build
The `crypt` functions defined here conflict with the `crypt` function
defined in `unistd.h` and trigger compilation errors when building
against the latest version of AWS-LC, which introduced a new transitive
include of `unistd.h` via `bio.h`.
This simply renames the function to avoid the error.
Tobias Brunner [Mon, 12 May 2025 15:29:54 +0000 (17:29 +0200)]
Include lib-prefix.m4 directly and remove gettext dependency
A recent gettext release (0.25 via Homebrew) installs the M4 macros in a
different location (<prefix>/share/gettext/m4 instead of
<prefix>/share/aclocal). According to the commit messages to avoid "bad
interactions between autoreconf and autopoint". Since we only depend
on gettext for that macro and this move makes it complicated, we can also
just integrate the macro from gnulib directly (which gettext 0.18+ relies
on anyway).
Tobias Brunner [Tue, 4 Mar 2025 10:14:14 +0000 (11:14 +0100)]
ikev2: Add support to switch peer configs based on EAP-Identities
This changes how EAP identities are used from the config. Instead of
setting a statically configured identity != %any, an EAP-Identity
exchange is now always initiated (and required). If the received identity
doesn't match, the peer config is switched to one with a matching
identity (wildcards are supported for that match). This allows switching
to a config with a different EAP method or child settings based on the
EAP identity.
There is currently no "best" match. The configs are evaluated based on
the order returned from the initial peer config lookup.
Tobias Brunner [Fri, 21 Mar 2025 07:44:15 +0000 (08:44 +0100)]
android: Skip unknown ABIs when building OpenSSL
Newer NDKs have RISC-V as experimental ABI (not enabled by default, see
next commit). If we don't have a mapping for a specific target, OpenSSL
falls back to 'android-arm', so that won't really work (interestingly,
it does build).
Tobias Brunner [Tue, 25 Mar 2025 12:44:44 +0000 (13:44 +0100)]
kernel-netlink: Enable UDP GRO
This enables GRO offload for inbound ESP-in-UDP packets if the
esp4|6_offload modules are loaded. Note that inbound ESP or ESP-in-UDP
packets won't be visible on layer 3 in Netfilter or tcpdump.
Tobias Brunner [Mon, 31 Mar 2025 14:28:47 +0000 (16:28 +0200)]
proposal: Add supported KE methods to default ESP/AH proposals, but optional
This allows accepting clients that send proposals with non-optional KE
methods during rekeying, while still accepting clients that use the
previous non-KE default proposals.
Tobias Brunner [Fri, 28 Mar 2025 15:06:58 +0000 (16:06 +0100)]
ha: Support sync of private IKE_SA extensions and conditions
This requires a new protocol version as private extensions would enable
unrelated regular extensions, even when sending the private extension
as second attribute (which would work for conditions as they are
explicitly enabled/disabled).
Tobias Brunner [Fri, 28 Mar 2025 14:50:53 +0000 (15:50 +0100)]
ike-sa: Remove redundant setting of IKE_SA conditions after a rekeying
This was originally added with b0e40caafbd7 ("NAT-T conditions were not
inherited during IKE_SA rekeying") in 2008 when there was only a single
inherit() method. Later the inherit_pre() method was added and then
with 094963d1b160 ("ikev2: Apply extensions and conditions before
starting rekeying") in 2014 the extensions and conditions were set
already there.
Tobias Brunner [Fri, 28 Mar 2025 14:06:52 +0000 (15:06 +0100)]
ike-sa: Add possibility to store private extensions/conditions
This avoids conflicts with upstream changes if patched versions of
strongSwan require a number of private extensions and conditions. For
example, the following extensions can be used as usual via the
`enable|supports_extension()` methods:
Tobias Brunner [Fri, 28 Mar 2025 11:06:37 +0000 (12:06 +0100)]
Add configure option to disable testing key exchange methods
If this is used, the functionality to set a private key/value/seed for
key exchange methods is removed (including from the interface to avoid
accidentally forgetting to wrap implementations and uses of set_seed()).
The set_seed() method is assigned outside the INIT() macro to avoid
potentially undefined behavior (preprocessing directives in macro
arguments).
The test done by the crypto tester is a simple functionality test.
Thomas Egerer [Mon, 15 Jul 2019 16:32:38 +0000 (18:32 +0200)]
ldap: Use timeout value for synchronous calls
So far, the timeout value was only used as connect timeout while a
malicious server could accept the connection and then starve us. So use
the timeout for LDAP_OPT_TIMEOUT, too, which affects all synchronous
calls. In particular, ldap_simple_bind_s(), which has no timeout
argument like ldap_search_st().
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
It seems that scp is sometimes very slow (unclear what causes it as it's
not always the same). Packing up the files with tar performs a lot
better in these situations. And copying the files to multiple hosts
in parallel additionally helps to reduce the time required for these
steps.
Using --overwrite and -h preserves existing symlinks (e.g. for the users
file in /etc/freeradius/3.0) and overwrites the target file instead.
The -m option ignores timestamps when extracting the files as some target
files will be newer than the source. Using -h when packing up files in
load-testconfig allows using symlinks in the test config dirs to files
on the host running the tests.
Tobias Brunner [Wed, 26 Mar 2025 16:56:00 +0000 (17:56 +0100)]
testing: Fix loading test config for tests that were never run
The file won't exist in the previous location until load-testconfig was
executed once. Since it's not modified by the script it's fine to
load it directly from the original location.
Fixes: a103f3a2849f ("testing: Add options to only run pre- or posttest scripts of a scenario")
android: Fix starting a managed profile as Always-on VPN
The callbacks provided via ProcessLifecycleOwner are only triggered when
Activities are started. However, when Android triggers the Always-on
VPN it directly starts our VpnService subclass, no Activity. So the
configs were not loaded and the VPN couldn't be initiated with a managed
profile. This ensures the config is loaded right from the start of
the app. And by registering for modifications in onCreate() we can also
use the correct config if the app is never started in-between changes to
the managed profiles and triggering the Always-on VPN.
Tobias Brunner [Fri, 21 Feb 2025 16:00:44 +0000 (17:00 +0100)]
Cast uses of return_*(), nop() and enumerator_create_empty()
As described in the previous commit, GCC 15 uses C23 by default and that
changes the meaning of such argument-less function declarations. So
whenever we assign such a function to a pointer that expects a function
with arguments it causes an incompatible pointer type warning. We
could define dedicated functions/callbacks whenever necessary, but this
seems like the simpler approach for now (especially since most uses of
these functions have already been cast).
Tobias Brunner [Fri, 21 Feb 2025 15:45:57 +0000 (16:45 +0100)]
callback-job: Replace return_false() in constructors with dedicated function
Besides being clearer, this fixes issues with GCC 15. The latter uses
C23 by default, which changes the meaning of function declarations
without parameters such as
bool return false();
Instead of "this function takes an unknown number of arguments", this
now equals (void), that is, "this function takes no arguments". So we
run into incompatible pointer type warnings all over when using such
functions. They could be cast to (void*) but this seems the cleaner
solution for this use case.
Tobias Brunner [Thu, 27 Feb 2025 08:37:25 +0000 (09:37 +0100)]
charon-nm: Use a DPD to check the current path
If the client's network goes down for a while but the same IP address
is assigned later, it won't be aware if the server killed the IKE_SA
while it wasn't reachable. This way, a DPD is triggered and the client
can reestablish the SA if necessary. When roaming to a different IP,
a MOBIKE update is triggered with the same effect.
projects / thirdparty / strongswan.git / log
