Andreas Steffen [Mon, 4 Nov 2019 21:22:47 +0000 (22:22 +0100)]
key-exchange: Joint ke_test_vector format for DH and KEM
Both Diffie-Hellman (DH) and Key Encapsulation Mechanism (KEM) based
key exchange methods use a common ke_test_vector format. The
set_seed() function is used to provide deterministic private key
material for the crypto tests.
unit-tests: Ensure listeners can track SAs via ike/child_updown/rekey()
Previously, it could happen that child_rekey() was triggered twice for
the same "old" SA. For listeners that would mean they'd loose track as
they'd be tracking a new SA that wasn't relevant anymore and for which
no updown event would ever get triggered (it was the redundant SA in a
collision). This new assert ensures that events are triggered in a
predictable way and listeners can track SAs properly.
Tobias Brunner [Mon, 22 Aug 2022 13:43:16 +0000 (15:43 +0200)]
ikev2: Make CHILD_SAs properly trackable during rekey collisions
As the winner of a rekey collision, we previously always triggered the
child_rekey() event once when creating the redundant SA on behalf of the
peer in the passive child-rekey task and then a second time when
creating the winning SA in the active task. However, both calls passed
the replaced CHILD_SA as "old". This made tracking CHILD_SAs impossible
because there was no transition from the redundant, "new" SA of the
first event to the "new", winning SA of the second. Of course, when the
second event was triggered, the redundant SA might not have existed
anymore because the peer is expected to delete it, which could happen
before the CREATE_CHILD_SA response arrives at the initiator.
This refactoring ensures that the child_rekey() event is triggered in
a way that makes the CHILD_SAs trackable in all reasonable (and even
some unreasonable) scenarios. The event is generally only triggered
once after installing the outbound SA for the new/winning CHILD_SA.
This can be when processing the CREATE_CHILD_SA in the active child-rekey
task, or when processing the DELETE for the old SA in a passive
child-delete task. There are some cases where the event is still
triggered twice, but it is now ensured that listeners can properly
transition to the winning SA.
Some corner cases are now also handled correctly, e.g. if a responder's
DELETE for the new CHILD_SA arrives before its CREATE_CHILD_SA response
that actually creates it on the initiator. Also handled properly are
responders of rekeyings that incorrectly send a DELETE for the old
CHILD_SA (previously this caused both, the new and the old SA, to get
deleted).
Tobias Brunner [Thu, 25 Jun 2020 08:26:38 +0000 (10:26 +0200)]
child-create: Add support for multiple key exchanges
It also changes that payloads are built before installing the CHILD_SA
on the responder, that is, the KE payload is generated before keys are
derived, so that key_exchange_t::get_public_key() is called before
get_shared_secret(), or its internal equivalent, which could be relevant
for KE implementations that want to ensure that the key can't be
accessed again after the key derivation.
Tobias Brunner [Thu, 31 Oct 2019 16:16:44 +0000 (17:16 +0100)]
ike-init: Add support for multiple key exchanges
Initially, this is handled with a key derivation for each
IKE_INTERMEDIATE exchange. When rekeying the keys are derived only when
all IKE_FOLLOWUP_KE exchanges are done.
Tobias Brunner [Tue, 20 Aug 2019 15:07:55 +0000 (17:07 +0200)]
ike-auth: Calculate and collect IntAuth for IKE_INTERMEDIATE exchanges
The message ID of the first IKE_AUTH exchange is a safe-guard against
potential truncation attacks if IKE_INTERMEDIATE exchanges are not used
for multiple key exchanges but some other future use where the number of
exchanges might not depend on the selected proposal.
Tobias Brunner [Tue, 8 Feb 2022 13:23:37 +0000 (14:23 +0100)]
ikev2: Reject IKE_INTERMEDIATE requests after IKE_AUTH
We currently only support these exchanges for additional key exchanges,
so once we have the final keys derived and the ike-init task is removed,
we don't expect any more of them.
kernel-pfroute: Maintain virtual flag when repopulating interface addrs
When adding a virtual IP on a TUN interface, the interface might get
activated (in terms of receiving the event) after we've already set the
virtual flag for the added address. As the activation repopulates the
addresses on the interface, this cleared the flag and the address would
no longer be treated as virtual IP when installing routes for CHILD_SAs
that reference it in their local traffic selectors.
Fixes an infinite loop if e.g. Netlink event sockets get too many
packets queued and poll() just returns POLLERR for the socket. Also
increases the default receive buffer size for Netlink sockets to better
support systems with lots of route updates.
watcher: Change handling of POLLERR and remove WATCHER_EXCEPT
We can't actually explicitly listen for errors by passing POLLERR in
`events` (the man page for poll() clearly states it's ignored). On the
other hand, POLLERR can be returned for any FD and, even worse, it might
be the only event indicated.
The latter caused an infinite loop as we didn't notify the callback nor
clear the error by calling `getsockopt(..., SOL_SOCKET, SO_ERROR, ...)`.
And while the latter would be able to reset the state to break the loop,
it seems to leave the FD in a defunct state where no further events will
be returned by poll(). Notifying the callback works better (the error
is then reported by e.g. recvfrom()) and automatically happened already
if POLLERR was returned together with e.g. POLLIN.
So we now treat POLLERR like the other error indicators we handle (POLLHUP
and POLLINVAL) and just notify the callbacks.
kernel-netlink: Increase the default receive buffer size
Also simplify how we try to exceed the system-wide maximum. We basically
just try to force the value and simply fall back to the regular call.
The kernel actually won't let the latter fail if the value is too big,
it just caps it at the internal maximum.
Tobias Brunner [Wed, 21 Jun 2023 13:57:38 +0000 (15:57 +0200)]
child-rekey: Correctly encode protocol/SPI in CHILD_SA_NOT_FOUND notify
As specified in RFC 7296, section 2.25:
The SA that the initiator attempted to rekey is indicated by the SPI
field in the Notify payload, which is copied from the SPI field in
the REKEY_SA notification.
Tobias Brunner [Thu, 16 Mar 2023 14:42:11 +0000 (15:42 +0100)]
notify-payload: Add methods to simplify encoding and retrieving IKE SPIs
The get_spi_data() method is currently not used, so that has been
simplified so it can be used for any protocol type and any SPI length.
Same for set_spi_data(), which is currently used for IKEv1 to encode
two SPIs.
Tobias Brunner [Fri, 23 Jun 2023 10:04:14 +0000 (12:04 +0200)]
charon-nm: Actually use the created XFRM interface
The created XFRM interface was not actually used (no interface IDs on the
SAs, no routes via interface). It was basically treated like the dummy
TUN device. To actually install the routes via XFRM interface, we have
to create it before we install the SAs and policies, signal_ip_config()
happens too late. We also have to mark the ESP packets the same as IKE
the packets to avoid a routing loop if the server's IP is included in
the remote traffic selector (in particular if it's 0.0.0.0/0 or ::/0).
Fixes: 58f278f93239 ("charon-nm: Use an XFRM interface if available")
testing: Change memory allocation for alice and winnetou and switch to MiB
The services running on alice seem to require a bit more memory with
Debian bookworm, so increase the memory allocation. But at the same
time reduce winnetou's allocation by the same amount as it really doesn't
require that much memory.
testing: Hardcode /testresults mount point in winnetou's fstab
Because do-tests runs the restore-defaults script, fstab would get reset
to the default version and the mount point wouldn't be available anymore
after stopping and restarting the guests (unless the guest images were
rebuilt in between).
Tobias Brunner [Wed, 28 Jun 2023 13:54:54 +0000 (15:54 +0200)]
testing: Add support for Debian bookworm base images
By default, rsyslog is not installed anymore to avoid storing everything
twice (since journald is the default). If this becomes an issue, we
could delete /var/log/journal to only log via rsyslog.
Tobias Brunner [Wed, 28 Jun 2023 13:49:32 +0000 (15:49 +0200)]
testing: Install python-daemon via Debian package
System-wide installation via pip isn't easily possible anymore on Debian
bookworm, so just use the Debian package for this (is available in old
releases as well).
Tobias Brunner [Tue, 27 Jun 2023 17:03:32 +0000 (19:03 +0200)]
libimcv: Add Debian 12 (bookworm) to database
Because libcrypto and libssl are measured, we need a new group for Debian
versions with OpenSSL 3 (I've rather added a suffix to the old group as
that could eventually get removed, although we might need a 3.1 variant
in the future - maybe we should measure some other files?).