Tobias Brunner [Thu, 12 May 2016 10:22:35 +0000 (12:22 +0200)]
child-delete: Remove unnecessary call to destroy_child_sa()
Generally, we will not find the CHILD_SA by searching for it with the
outbound SPI (the initiator of the DELETE sent its inbound SPI) - and if
we found a CHILD_SA it would most likely be the wrong one (one in which
we used the same inbound SPI as the peer used for the one it deletes).
And we don't actually want to destroy the CHILD_SA at this point as we
know we already initiated a DELETE ourselves, which means that task
still has a reference to it and will destroy the CHILD_SA when it
receives the response from the other peer.
Tobias Brunner [Thu, 12 May 2016 11:49:11 +0000 (13:49 +0200)]
unit-tests: Don't unload plugins before calling libcharon_deinit()
libcharon_deinit() already calls all the functions we called manually.
Unloading the plugins will not work if charon->initialize() is called
as charon's static plugin features would already be unloaded before the
destroyed members are accessed in destroy() to flush them.
Tobias Brunner [Fri, 17 Jun 2016 09:18:25 +0000 (11:18 +0200)]
testing: Fix race in tnc/tnccs-20-pdp-pt-tls scenario
aacf84d837e7 ("testing: Add expect-connection calls for all tests and
hosts") removed the expect-connection call for the non-existing aaa
connection. However, because the credentials were loaded asynchronously
via start-script the clients might have been connecting when the secrets
were not yet loaded. As `swanctl --load-creds` is a synchronous call
this change avoids that issue without having to add a sleep or failing
expect-connection call.
Tobias Brunner [Fri, 17 Jun 2016 08:19:37 +0000 (10:19 +0200)]
daemon: Don't hold settings lock while executing start/stop scripts
If a called script interacts with the daemon or one of its plugins
another thread might have to acquire the write lock (e.g. to configure a
fallback or set a value). Holding the read lock prevents that, potentially
resulting in a deadlock.
Tobias Brunner [Thu, 26 Nov 2015 18:06:41 +0000 (19:06 +0100)]
testing: Use TLS 1.2 in RADIUS test cases
This took a while as in the OpenSSL package shipped with Debian and on which
our FIPS-enabled package is based, the function SSL_export_keying_material(),
which is used by FreeRADIUS to derive the MSK, did not use the correct digest
to calculate the result when TLS 1.2 was used. This caused IKE to fail with
"verification of AUTH payload with EAP MSK failed". The fix was only
backported to jessie recently.
Tobias Brunner [Thu, 26 Nov 2015 17:48:43 +0000 (18:48 +0100)]
testing: Update FreeRADIUS to 2.2.8
While this is not the latest 2.x release it is the latest in /old.
Upgrading to 3.0 might be possible, not sure if the TNC-FHH patches could
be easily updated, though. Upgrading to 3.1 will definitely not be possible
directly as that version removes the EAP-TNC module. So we'd first have to
get rid of the TNC-FHH stuff.
Tobias Brunner [Thu, 16 Jun 2016 15:57:37 +0000 (17:57 +0200)]
configure: Cache result of pthread_condattr_setclock() check
Even if not using caching when running the configure script (-C) this
allows pre-defining the result by setting the environment variable
ss_cv_func_pthread_condattr_setclock_monotonic=yes|no|unknown
before/while running the script.
As the check requires running a test program this might be helpful
when cross-compiling to disable using monotonic time if
pthread_condattr_setclock() is defined but not actually usable with
CLOCK_MONOTONIC.
Tobias Brunner [Fri, 17 Jun 2016 08:22:25 +0000 (10:22 +0200)]
load-tester: Fix load-tester on platforms where plain `char` is signed
fgetc() returns an int and EOF is usually -1 so when this gets casted to
a char the result depends on whether `char` means `signed char` or
`unsigned char` (the C standard does not specify it). If it is unsigned
then its value is 0xff so the comparison with EOF will fail as that is an
implicit signed int.
Tobias Brunner [Thu, 16 Jun 2016 14:28:51 +0000 (16:28 +0200)]
Merge branch 'testing-jessie'
Updates the default Debian image used for the test environment from wheezy
to jessie. Also adds a script that allows chrooting to an image (base,
root or one of the guests). In pretty much all test scenarios
expect-connection is used to make test runs more reliable.
Tobias Brunner [Wed, 15 Jun 2016 16:19:23 +0000 (18:19 +0200)]
testing: Build hostapd from sources
There is a bug (fix at [1]) in hostapd 2.1-2.3 that let it crash when used
with the wired driver. The package in jessie (and sid) is affected, so we
build it from sources (same, older, version as wpa_supplicant).
Tobias Brunner [Tue, 14 Jun 2016 18:41:43 +0000 (20:41 +0200)]
testing: Wait for packets to be processed by tcpdump
Sometimes tcpdump fails to process all packets during the short running
time of a scenario:
0 packets captured
18 packets received by filter
0 packets dropped by kernel
So 18 packets were captured by libpcap but tcpdump did not yet process
and print them.
This tries to use --immediate-mode if supported by tcpdump (the one
currently in jessie or wheezy does not, but the one in jessie-backports
does), which disables the buffering in libpcap.
However, even with immediate mode there are cases where it takes a while
longer for all packets to get processed. And without it we also need a
workaround (even though the version in wheezy actually works fine).
That's why there now is a loop checking for differences in captured vs.
received packets. There are actually cases where these numbers are not
equal but we still captured all packets we're interested in, so we abort
after 1s of retrying. But sometimes it could still happen that packets
we expected got lost somewhere ("packets dropped by kernel" is not
always 0 either).
Tobias Brunner [Fri, 20 Nov 2015 16:50:29 +0000 (17:50 +0100)]
testing: Update base image to Debian jessie
Several packages got renamed/updated, libgcrypt was apparently installed
by default previously.
Since most libraries changed we have to completely rebuild all the tools
installed in the root image. We currently don't provide a clean target in
the recipes, and even if we did we'd have to track which base image we
last built for. It's easier to just use a different build directory for
each base image, at the cost of some additional disk space (if not manually
cleaned). However, that's also the case when updating kernel or
software versions.
Tobias Brunner [Tue, 24 Nov 2015 17:32:23 +0000 (18:32 +0100)]
testing: Update Apache config for newer Debian releases
It is still compatible with the current release as the config in
sites-available will be ignored, while conf-enabled does not exist and
is not included in the main config.
Tobias Brunner [Fri, 20 Nov 2015 16:42:55 +0000 (17:42 +0100)]
testing: Don't attempt to stop services when building base image
Unlike `apt-get install` in a chroot debootstrap does not seem to start
the services but stopping them might cause problems if they were running
outside the chroot.
Tobias Brunner [Wed, 15 Jun 2016 09:22:04 +0000 (11:22 +0200)]
leak-detective: Make sure to actually call malloc() from calloc() hook
Newer versions of GCC are too "smart" and replace a call to malloc(X)
followed by a call to memset(0,X) with a call co calloc(), which obviously
results in an infinite loop when it does that in our own calloc()
implementation. Using `volatile` for the variable storing the total size
prevents the optimization and we actually call malloc().
Tobias Brunner [Wed, 8 Jun 2016 17:43:13 +0000 (19:43 +0200)]
resolve: Add refcounting for installed DNS servers
This fixes DNS server installation if make-before-break reauthentication
is used as there the new SA and DNS server is installed before it then
is removed again when the old IKE_SA is torn down.
Tobias Brunner [Tue, 7 Jun 2016 13:58:05 +0000 (15:58 +0200)]
resolve: Make sure to clean up if calling resolvconf failed
If running resolvconf fails handle() fails release() is not called, which
might leave an interface file on the system (or depending on which script
called by resolvconf actually failed even the installed DNS server).
Tobias Brunner [Fri, 10 Jun 2016 16:15:42 +0000 (18:15 +0200)]
Merge branch 'interface-for-routes'
Changes how the interface for routes installed with policies is
determined. In most cases we now use the interface over which we reach the
other peer, not the interface on which the local address (or the source IP) is
installed. However, that might be the same interface depending on the
configuration (i.e. in practice there will often not be a change).
Routes are not installed anymore for drop policies and for policies with
protocol/port selectors.
Tobias Brunner [Thu, 9 Jun 2016 13:38:37 +0000 (15:38 +0200)]
kernel-netlink: Don't install routes for drop policies and if protocol/ports are in the selector
We don't need them for drop policies and they might even mess with other
routes we install. Routes for policies with protocol/ports in the
selector will always be too broad and might conflict with other routes
we install.
Tobias Brunner [Fri, 11 Mar 2016 18:09:54 +0000 (19:09 +0100)]
kernel-netlink: Use interface to next hop for shunt policies
Using the source address to determine the interface is not correct for
net-to-net shunts between two interfaces on which the host has IP addresses
for each subnet.
Tobias Brunner [Wed, 25 May 2016 10:15:38 +0000 (12:15 +0200)]
kernel-netlink: Let only a single thread work on a specific policy
Other threads are free to add/update/delete other policies.
This tries to prevent race conditions caused by releasing the mutex while
sending messages to the kernel. For instance, if break-before-make
reauthentication is used and one thread on the responder is delayed in
deleting the policies that another thread is concurrently adding for the
new SA. This could have resulted in no policies being installed
eventually.
Tobias Brunner [Wed, 8 Jun 2016 14:06:53 +0000 (16:06 +0200)]
ipsec: Add function to compare two ipsec_sa_cfg_t instances
memeq() is currently used to compare these but if there is padding that
is not initialized the same for two instances the comparison fails.
Using this function ensures the objects are compared correctly.
Tobias Brunner [Tue, 24 May 2016 08:26:38 +0000 (10:26 +0200)]
eap-simaka-pseudonym: Properly store mappings
If a pseudonym changed a new entry was added to the table storing
permanent identity objects (that are used as keys in the other table).
However, the old mapping was not removed while replacing the mapping in
the pseudonym table caused the old pseudonym to get destroyed. This
eventually caused crashes when a new pseudonym had the same hash value as
such a defunct entry and keys had to be compared.
Tobias Brunner [Thu, 19 May 2016 09:56:44 +0000 (11:56 +0200)]
child-sa: Use non-static variable to store generated unique mark
If two CHILD_SAs with mark=%unique are created concurrently they could
otherwise end up with either the same mark or different marks in both
directions.
Tobias Brunner [Wed, 25 May 2016 07:42:08 +0000 (09:42 +0200)]
ike: Don't trigger message hook when fragmenting pre-generated messages
This is the case for the IKE_SA_INIT and the initial IKEv1 messages, which
are pre-generated in tasks as at least parts of it are used to generate
the AUTH payload. The IKE_SA_INIT message will never be fragmented, but
the IKEv1 messages might be, so we can't just call generate_message().
projects / thirdparty / strongswan.git / log
