Tobias Brunner [Thu, 18 Dec 2014 08:13:38 +0000 (09:13 +0100)]
x509: Use subjectKeyIdentifier provided by issuer cert when checking CRL issuer
Some CAs don't use SHA-1 hashes of the public key as subjectKeyIdentifier and
authorityKeyIdentifier. If that's the case we can't force the
calculation of the hash to compare that to authorityKeyIdentifier in the CRL,
instead we use the subjectKeyIdentifier stored in the issuer certificate, if
available. Otherwise, we fall back to the SHA-1 hash (or comparing the
DNs) as before.
Tobias Brunner [Mon, 15 Dec 2014 15:43:03 +0000 (16:43 +0100)]
kernel-pfkey: Add option to set receive buffer size of event socket
If many requests are sent to the kernel the events generated by these
requests may fill the receive buffer before the daemon is able to read
these messages.
Tobias Brunner [Wed, 4 Mar 2015 12:56:50 +0000 (13:56 +0100)]
Merge branch 'ikev2-signature-authentication'
This adds support for RFC 7427 signature authentication in IKEv2,
enabling the use of stronger signature schemes (e.g. RSA with SHA-2)
for IKE authentication.
Public key constraints defined in `rightauth` are now also checked
against IKEv2 signature schemes (may be disabled via strongswan.conf).
Tobias Brunner [Fri, 27 Feb 2015 17:45:56 +0000 (18:45 +0100)]
ikev2: Add an option to disable constraints against signature schemes
If this is disabled the schemes configured in `rightauth` are only
checked against signature schemes used in the certificate chain and
signature schemes used during IKEv2 are ignored.
Disabling this could be helpful if existing connections with peers that
don't support RFC 7427 use signature schemes in `rightauth` to verify
certificate chains.
Tobias Brunner [Wed, 25 Feb 2015 15:44:46 +0000 (16:44 +0100)]
ikev2: Store signature scheme used to verify peer in auth_cfg
This enables late connection switching based on the signature scheme used
for IKEv2 and allows to enforce stronger signature schemes.
This may break existing connections with peers that don't support RFC 7427
if signature schemes are currently used in `rightauth` for certificate chain
validation and if the configured schemes are stronger than the default used
for IKE (e.g. SHA-1 for RSA).
Tobias Brunner [Tue, 24 Feb 2015 15:53:02 +0000 (16:53 +0100)]
ikev2: Remove private AUTH_BLISS method
We use the new signature authentication instead for this. This is not
backward compatible but we only released one version with BLISS support,
and the key format will change anyway with the next release.
Tobias Brunner [Mon, 23 Feb 2015 16:38:05 +0000 (17:38 +0100)]
public-key: Add helper to map signature schemes to ASN.1 OIDs
There is a similar function to map key_type_t and hasher_t to an OID,
but this maps schemes directly (and to use the other function we'd
have to have a function to map schemes to hash algorithms first).
Tobias Brunner [Wed, 25 Feb 2015 07:09:11 +0000 (08:09 +0100)]
ike-sa-manager: Make sure the message ID of initial messages is 0
It is mandated by the RFCs and it is expected by the task managers.
Initial messages with invalid MID will be treated like regular messages,
so no IKE_SA will be created for them. Instead, if the responder SPI is 0
no SA will be found and the message is rejected with ALERT_INVALID_IKE_SPI.
If an SPI is set and we do find an SA, then we either ignore the message
because the MID is unexpected, or because we don't allow initial messages
on established connections.
There is one exception, though, if an attacker can slip in an IKE_SA_INIT
with both SPIs set before the client's IKE_AUTH is handled by the server,
it does get processed (see next commit).
Tobias Brunner [Wed, 25 Feb 2015 07:18:58 +0000 (08:18 +0100)]
ikev2: Don't destroy the SA if an IKE_SA_INIT with unexpected MID is received
This reverts 8f727d800751 ("Clean up IKE_SA state if IKE_SA_INIT request
does not have message ID 0") because it allowed to close any IKE_SA by
sending an IKE_SA_INIT with an unexpected MID and both SPIs set to those
of that SA.
The next commit will prevent SAs from getting created for IKE_SA_INIT messages
with invalid MID.
Martin Willi [Wed, 4 Mar 2015 10:16:00 +0000 (11:16 +0100)]
ikev2: Don't adopt any CHILD_SA during make-before-break reauthentication
While the comment is rather clear that we should not adopt live CHILD_SAs
during reauthentication in IKEv2, the code does nonetheless. Add an additional
version check to fix reauthentication if the reauth responder has a replace
uniqueids policy.
Martin Willi [Tue, 3 Mar 2015 13:08:55 +0000 (14:08 +0100)]
Merge branch 'eap-constraints'
Introduces basic support for EAP server module authentication constraints. With
EAP-(T)TLS, public key, signature and end entity or CA certificate constraints
can be enforced for connections.
Martin Willi [Fri, 6 Feb 2015 11:43:33 +0000 (12:43 +0100)]
stroke: Serve ca section CA certificates directly, not over central CA set
This makes these CA certificates independent from the purge issued by reread
commands. Certificates loaded by CA sections can be removed through ipsec.conf
update/reread, while CA certificates loaded implicitly from ipsec.d/cacerts
can individually be reread using ipsec rereadcacerts.
Martin Willi [Tue, 25 Nov 2014 13:21:34 +0000 (14:21 +0100)]
ikev2: Schedule a timeout for the delete message following passive IKE rekeying
Under some conditions it can happen that the CREATE_CHILD_SA exchange for
rekeying the IKE_SA initiated by the peer is successful, but the delete message
does not follow. For example if processing takes just too long locally, the
peer might consider us dead, but we won't notice that.
As this leaves the old IKE_SA in IKE_REKEYING state, we currently avoid actively
initiating any tasks, such as rekeying or scheduled DPD. This leaves the IKE_SA
in a dead and unusable state. To avoid that situation, we schedule a timeout
to wait for the DELETE message to follow the CREATE_CHILD_SA, before we
actively start to delete the IKE_SA.
Alternatively we could start a liveness check on the SA after a timeout to see
if the peer still has that state and we can expect the delete to follow. But
it is unclear if all peers can handle such messages in this very special state,
so we currently don't go for that approach.
While we could calculate the timeout based on the local retransmission timeout,
the peer might use a different scheme, so a fixed timeout works as well.
Martin Willi [Thu, 15 Jan 2015 14:05:42 +0000 (15:05 +0100)]
kernel-netlink: Respect kernel routing priorities for IKE routes
If a system uses routing metrics, we should honor them when doing (manual)
routing lookups for IKE. When enumerating routes, the kernel reports priorities
with the RTA_PRIORITY attribute, not RTA_METRICS. We prefer routes with a
lower priority value, and fall back to longest prefix match priorities if
the priority value is equal.
Tobias Brunner [Tue, 17 Feb 2015 15:47:29 +0000 (16:47 +0100)]
bliss: Add generated Huffman codes to the repository
While these files are generated they don't really change and are not
architecture dependant. The previous solution prevented cross-compilation
from the repository as `bliss_huffman` was built for the target system but
was then executed on the build host to create the source files, which
naturally was bound to fail.
The `recreate-bliss-huffman` make target can be used inside the bliss
directory to update the source files if needed.
Martin Willi [Fri, 27 Feb 2015 10:40:50 +0000 (11:40 +0100)]
vici: Support ruby gem out-of-tree builds
Referencing $(srcdir) in the gemspec is not really an option, as "gem build"
includes the full path in the gem, so we need to build in $(srcdir). As there
does not seem to be a way to control the output of "gem build", we manually
move the gem to $(builddir) in OOT builds.
Martin Willi [Fri, 27 Feb 2015 09:54:38 +0000 (10:54 +0100)]
ha: Always install the CHILD_SAs with the inbound flag set to FALSE
The inbound flag is used to determine if we have to install an update or a new
SA in the kernel. As we do not have allocated SPIs and therefore can't update
an existing SA in the HA plugin, always set the flag to FALSE.
Before 698ed656 we had extra logic for that case, but handling it directly in
the HA plugin is simpler.
Martin Willi [Thu, 26 Feb 2015 09:39:50 +0000 (10:39 +0100)]
travis: Disable unwind backtraces regardless of LEAK_DETECTIVE option
While d0d85683 works around a crasher related to the use of libunwind, other
build hangs have been seen in the all test cases. Try to
--disable-unwind-backtraces to see if libunwind is really related to those
and if it fixes these issues.
Martin Willi [Tue, 24 Feb 2015 15:00:38 +0000 (16:00 +0100)]
host-resolver: Do not cancel threads waiting for new queries during cleanup
While it is currently unclear why it happens, canceling threads waiting in the
new_query condvar does not work as expected. The behavior is not fully
reproducible: Either cancel(), join() or destroying the condvar hangs.
The issue has been seen in the http-fetcher unit tests, where the stream service
triggers the use of the resolver for "localhost" hosts. It is reproducible with
any cleanup following a host_create_from_dns() use on a Ubuntu 14.04 x64 system.
Further, the issue is related to the use of libunwind, as only builds with
--enable-unwind-backtraces are affected.
As we broadcast() the new_query condvar before destruction, a hard cancel() of
these threads is actually not required. Instead we let these threads clean up
themselves after receiving the condvar signal.
Martin Willi [Tue, 24 Feb 2015 10:27:53 +0000 (11:27 +0100)]
travis: Disable forecast/connmark plugins in monolithic builds
Ubuntu 12.04 does not seem to provide a sane pkg-config for libiptc or libip4tc.
The monolithic build fails due to missing symbols, so disable it until we have
a newer Ubuntu release.
Martin Willi [Tue, 24 Feb 2015 10:50:21 +0000 (11:50 +0100)]
plugin-loader: Do not unload libraries during dlclose(), if supported
Unloading libraries calls any library constructor/destructor functions. Some
libraries can't handle that in our excessive unit test use. GnuTLS leaks
a /dev/urandom file descriptor, letting unit tests fail with arbitrary
out-of-resources errors.
Martin Willi [Fri, 20 Feb 2015 15:01:44 +0000 (16:01 +0100)]
Merge branch 'forecast'
Implement a forecast plugin that supports forwarding of multi- and broadcast
messages between a LAN and clients or between connected clients. It uses
IPsec policy marks to send packets over multiple identical multi- and broadcast
policies.