ikev2: Reuse marks and reqid of CHILD_SAs during MBB reauthentication
Since these are installed overlapping (like during a rekeying) we have to use
the same (unique) marks (and possibly reqid) that were used previously,
otherwise, the policy installation will fail.
Tobias Brunner [Thu, 29 Mar 2018 09:23:15 +0000 (11:23 +0200)]
ike: Float to port 4500 if either port is 500
If the responder is behind a NAT that remaps the response from the
statically forwarded port 500 to a new external port (as Azure seems to be
doing) we should still switch to port 4500 if we used port 500 so far as
it would not have been possible to send any messages to it if it wasn't
really port 500 (we only add a non-ESP marker if neither port is 500).
traffic-selector: Always print protocol if either protocol or port is set
This helps to distinguish between port and protocol if only one of them
is set. If no protocol is set it's printed as 0, if the traffic
selector covers any port (0-65535) the slash that separates the two values
and the port is omitted.
This adds a new state for CHILD_SAs that we deleted but still keep
around to process delayed packets (IKEv2 only). This allows us to treat
them specially in some cases (e.g. to avoid triggering child_updown()
events as we already did that when we deleted such SAs).
ikev1: Unify child_updown calls when having duplicate QMs
If a Quick mode is initiated for a CHILD_SA that is already installed
we can identify this situation and rekey the already installed CHILD_SA.
Otherwise we end up with several CHILD_SAs in state INSTALLED which
means multiple calls of child_updown are done. Unfortunately,
the deduplication code later does not call child_updown() (so up and down
were not even).
Tobias Brunner [Wed, 21 Mar 2018 09:32:48 +0000 (10:32 +0100)]
Merge branch 'hw-offload-auto'
This lets IPsec SA installation explicitly fail if HW offload is enabled
but either the kernel or the device doesn't support it. And it adds a new
configuration mode 'auto', which enables HW offload, if supported, but
does not fail the installation otherwise.
Adi Nissim [Mon, 12 Mar 2018 14:34:20 +0000 (16:34 +0200)]
kernel-netlink: Add new automatic hw_offload mode
Until now there were 2 hw_offload modes: no/yes
* hw_offload = no : Configure the SA without HW offload.
* hw_offload = yes : Configure the SA with HW offload.
  In this case, if the device does not support
  offloading, SA creation will fail.
This commit introduces a new mode: hw_offload = auto
----------------------------------------------------
If the device and kernel support HW offload, configure
the SA with HW offload, but do not fail SA creation otherwise.
Signed-off-by: Adi Nissim <adin@mellanox.com>
Reviewed-by: Aviv Heller <avivh@mellanox.com>
Martin Willi [Mon, 12 Mar 2018 06:16:52 +0000 (07:16 +0100)]
charon: Ignore an existing PID file if it references ourself
If a daemon PID file references the process that does the check, it is safe
to ignore it; no running process can have the same PID. While this is rather
unlikely to get restarted with the same PID under normal conditions, it is
quite common when running inside PID namespaced containers: If a container
gets stopped and restarted with a PID file remaining, it is very likely that
the PID namespace assigns the same PID to our service, as they are assigned
sequentially starting from 1.
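
The PID file check described in the commit message above, as an added example that is not strongSwan's own code. The function names, the `check_with_pid()` helper and the temporary file path are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* true if the PID file names a live process other than the caller */
bool pidfile_blocks_start(const char *path)
{
	FILE *f = fopen(path, "r");
	long pid = 0;
	bool blocks = false;

	if (!f)
		return false;	/* no PID file, nothing to conflict with */
	if (fscanf(f, "%ld", &pid) == 1 && pid > 0 && (pid_t)pid != getpid())
	{	/* signal 0 only probes for existence; EPERM still means "exists" */
		blocks = kill((pid_t)pid, 0) == 0 || errno == EPERM;
	}
	/* pid == getpid(): stale file left by an earlier run that had our PID */
	fclose(f);
	return blocks;
}

/* Demo helper (hypothetical): write pid to a temporary PID file, run the check */
bool check_with_pid(long pid)
{
	char path[] = "/tmp/pidfile-demo-XXXXXX";
	int fd = mkstemp(path);
	bool blocks;

	if (fd < 0)
		return false;
	dprintf(fd, "%ld\n", pid);
	close(fd);
	blocks = pidfile_blocks_start(path);
	unlink(path);
	return blocks;
}

int main(void)
{
	printf("own PID in file:    blocks=%d\n", check_with_pid((long)getpid()));
	printf("parent PID in file: blocks=%d\n", check_with_pid((long)getppid()));
	return 0;
}
```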
Tobias Brunner [Tue, 13 Mar 2018 11:13:47 +0000 (12:13 +0100)]
diffie-hellman: Don't set exponent length for DH groups with prime order subgroups
According to RFC 5114 the exponent length for these groups should always equal
the size of their prime order subgroup.
This was handled correctly before the initialization was done during
library initialization.
Fixes: 46184b07c163 ("diffie-hellman: Explicitly initialize DH exponent sizes during initialization")
Tobias Brunner [Tue, 6 Mar 2018 16:28:33 +0000 (17:28 +0100)]
ikev2: Use correct type to check for selected signature scheme
The previous code was obviously incorrect and caused strange side effects
depending on the compiler and its optimization flags (infinite looping seen
with GCC 4.8.4, segfault when destroying the private key in build() seen
with clang 4.0.0 on FreeBSD).
Tobias Brunner [Mon, 5 Mar 2018 08:45:34 +0000 (09:45 +0100)]
pkcs5: Parse PRF algorithms if given in PBKDF2-params as defined in RFC 8018
We can't use ASN1_DEF, which would technically be more correct, as the
ASN.1 parser currently can't handle that. For algorithm identifiers we
often use ASN1_EOC as type (with ASN1_RAW), however, that doesn't work with
ASN1_DEF because the element is assumed missing if the type doesn't match.
On the other hand, we can't set the type to ASN1_SEQUENCE because then the
parser skips the following rule if the element is missing (it does so for
all constructed types, but I guess is mainly intended for context tags),
which in this case overruns the parser rules array.
Tobias Brunner [Wed, 7 Mar 2018 13:25:48 +0000 (14:25 +0100)]
Merge branch 'unknown-transform-types'
This changes how unknown transform types are handled in proposals. In
particular we make sure not to accept a proposal if it contains unknown
transform types (they were just ignored previously, which could have
resulted in an invalid selected proposal).
Tobias Brunner [Fri, 23 Feb 2018 08:02:49 +0000 (09:02 +0100)]
proposal: Make sure to consider all transform types when selecting proposals
This way there will be a mismatch if one of the proposals contains
transform types not contained in the other (the fixed list of transform
types used previously resulted in a match if unknown transform types
were contained in one of the proposals). Merging the sets of types
makes comparing proposals with optional transform types easier (e.g.
DH for ESP with MODP_NONE).
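
A simplified model of the difference this commit message and the 'unknown-transform-types' merge describe, added here as an example and not taken from strongSwan. The types, function names and sample proposals are assumptions, and optional transforms such as MODP_NONE are not modelled.

```c
#include <stdbool.h>
#include <stddef.h>

/* IKEv2 transform types (RFC 7296); type 99 below is a constructed unknown */
enum { ENCR = 1, PRF = 2, INTEG = 3, DH = 4, ESN = 5 };

typedef struct { int type, id; } transform_t;
typedef struct { const transform_t *t; size_t n; } proposal_t;

/* true if both proposals offer the same transform ID for this type */
static bool common(const proposal_t *a, const proposal_t *b, int type)
{
	for (size_t i = 0; i < a->n; i++)
		for (size_t j = 0; j < b->n; j++)
			if (a->t[i].type == type && b->t[j].type == type &&
				a->t[i].id == b->t[j].id)
				return true;
	return false;
}

/* a proposal contains a type iff it has a transform in common with itself */
static bool has_type(const proposal_t *p, int type) { return common(p, p, type); }

/* Fixed list: transform types outside it are never looked at */
bool match_fixed_types(const proposal_t *a, const proposal_t *b)
{
	static const int known[] = { ENCR, PRF, INTEG, DH, ESN };
	for (size_t k = 0; k < sizeof(known) / sizeof(known[0]); k++)
		if ((has_type(a, known[k]) || has_type(b, known[k])) &&
			!common(a, b, known[k]))
			return false;
	return true;
}

/* Merged set: every type present in either proposal needs a common transform */
bool match_all_types(const proposal_t *a, const proposal_t *b)
{
	const proposal_t *both[] = { a, b };
	for (int s = 0; s < 2; s++)
		for (size_t i = 0; i < both[s]->n; i++)
			if (!common(a, b, both[s]->t[i].type))
				return false;
	return true;
}

/* Constructed sample: same ESP proposal, the peer's copy adds unknown type 99 */
static const transform_t ours[] = { {ENCR, 20}, {ESN, 0} };
static const transform_t peers[] = { {ENCR, 20}, {ESN, 0}, {99, 1} };
const proposal_t OURS = { ours, 2 }, PEERS = { peers, 3 };
```

With the sample data, `match_fixed_types(&OURS, &PEERS)` reports a match because type 99 is never inspected, while `match_all_types(&OURS, &PEERS)` reports a mismatch.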
Tobias Brunner [Fri, 23 Feb 2018 08:28:08 +0000 (09:28 +0100)]
Merge branch 'incorrect-inval-ke'
This improves the behavior during CREATE_CHILD_SA exchanges if the peer
sends an INVALID_KE_PAYLOAD with a DH group we didn't request or continues
to return the same notify even if we use the requested group.
Tobias Brunner [Fri, 9 Feb 2018 14:16:24 +0000 (15:16 +0100)]
child-create: Make sure we actually propose the requested DH group
If we receive an INVALID_KE_PAYLOAD notify we should not just retry
with the requested DH group without checking first if we actually propose
the group (or any at all).
Tobias Brunner [Wed, 21 Feb 2018 10:04:45 +0000 (11:04 +0100)]
child-sa: Don't update outbound policies if they are not installed
After a rekeying we keep the inbound SA and policies installed for a
while, but the outbound SA and policies are already removed. Attempting
to update them could get the refcount in the kernel interface out of sync
as the additional policy won't be removed when the CHILD_SA object is
eventually destroyed.
Tobias Brunner [Thu, 22 Feb 2018 10:31:14 +0000 (11:31 +0100)]
Merge branch 'trap-manager-uninstall'
This changes how trap policies are deleted in order to avoid conflicts if a
trap policy with changed peer config is concurrently removed and reinstalled
under a different name (the reqid will be the same, so the wrong policy
could have been deleted by the old code).
Tobias Brunner [Fri, 3 Nov 2017 10:49:45 +0000 (11:49 +0100)]
child-sa: No need to find reqid of existing trap policy
When initiating a trap policy we explicitly pass the reqid along. I guess
the lookup was useful to get the same reqid if a trapped CHILD_SA is manually
initiated. However, we now get the same reqid anyway if there is no
narrowing. And if the traffic selectors do get narrowed the reqid will be
different but that shouldn't be a problem as that doesn't cause an issue with
any temporary SAs in the kernel (this is why we pass the reqid to the
triggered CHILD_SA, otherwise, no new acquire would get triggered for
traffic that doesn't match the wider trap policy).
Tobias Brunner [Fri, 3 Nov 2017 10:32:04 +0000 (11:32 +0100)]
trap-manager: Remove reqid parameter from install() and change return type
Reqids for the same traffic selectors are now stable so we don't have to
pass reqids of previously installed CHILD_SAs. Likewise, we don't need
to know the reqid of the newly installed trap policy as we now uninstall
by name.
Tobias Brunner [Fri, 16 Feb 2018 10:55:54 +0000 (11:55 +0100)]
appveyor: Allow events to trigger early in threading unit tests
The timed wait functions tested in the threading unit tests often but
randomly trigger a bit early on AppVeyor Windows containers. We allow this
if it is not earlier than 5ms.
Tobias Brunner [Wed, 21 Feb 2018 10:53:55 +0000 (11:53 +0100)]
charon-nm: Fix building list of DNS/MDNS servers with libnm
g_variant_builder_add() creates a new GVariant using g_variant_new() and
then adds it to the builder. Passing a GVariant probably adds the
pointer to the array, not the value. I think an alternative fix would
be to use "@u" as type string for the g_variant_builder_add() call, then
the already allocated GVariant is adopted.
Tobias Brunner [Wed, 14 Feb 2018 13:51:24 +0000 (14:51 +0100)]
ha: Double receive buffer size for HA messages and make it configurable
With IKEv1 we transmit both public DH factors (used to derive the initial
IV) besides the shared secret. So these messages could get significantly
larger than 1024 bytes, depending on the DH group (modp2048 just about
fits into it). The new default of 2048 bytes should be fine up to modp4096
and for larger groups the buffer size may be increased (an error is
logged should this happen).
Liu Qun (liuqun) [Mon, 12 Feb 2018 03:39:00 +0000 (11:39 +0800)]
README: Fix paths to private keys
Since version 5.5.1, different keys can be put together in
/etc/swanctl/private.
See:
* tobiasbrunner@7caba2eb5524be6b51943bcc3d2cb0e4c5ecc09a
swanctl: Add 'private' directory/section to load any type of private key
Signed-off-by: Liu Qun (liuqun) <qunliu@zyhx-group.com>
Tobias Brunner [Fri, 9 Feb 2018 14:54:36 +0000 (15:54 +0100)]
Merge branch 'mobike-nat'
These changes improve MOBIKE task queuing. In particular we don't
want to ignore the response to an update (with NAT-D payloads) if only
an address list update or DPD is queued as that could prevent us from
updating the UDP encapsulation in the kernel.
A new optional roam trigger is added to the kernel-netlink plugin based
on routing rule changes. This only works properly, though, if the kernel
based route lookup is used as the kernel-netlink plugin does currently
not consider routing rules for its own route lookup.
Another change prevents acquires during address updates if we have to
update IPsec SAs by deleting and readding them. Because the outbound policy
is still installed an acquire and temporary SA might get triggered in
the short time no IPsec SA is installed, which could subsequently prevent the
reinstallation of the SA. To this end we install drop policies before
updating the policies and SAs. These also replace the fallback drop policies
we previously used to prevent plaintext leaks during policy updates (which
reduces the overhead in cases where addresses never or rarely change as
additional policies will only have to be tracked during address updates).
Tobias Brunner [Fri, 9 Feb 2018 07:48:07 +0000 (08:48 +0100)]
ike-mobike: Don't trigger update for NAT mapping change detected during an address update
This is really only needed for other exchanges like DPDs, not when we
just updated the addresses. The NAT-D payloads are only used here to
detect whether UDP encapsulation has to be enabled/disabled.
Tobias Brunner [Tue, 6 Feb 2018 17:07:34 +0000 (18:07 +0100)]
child-sa: Install drop policies while updating IPsec SAs and policies
If we have to remove and reinstall SAs for address updates (as with the
Linux kernel) there is a short time where there is no SA installed. If
we keep the policies installed they (or any traps) might cause acquires
and temporary kernel states that could prevent the updated SA from
getting installed again.
This replaces the previous workaround to avoid plaintext traffic leaks
during policy updates, which used low-priority drop policies.