Tobias Brunner [Mon, 13 Nov 2023 11:02:25 +0000 (12:02 +0100)]
Merge branch 'reqid-refcount'
This fixes issues with CHILD_SAs getting reestablished concurrently.
We intend to reuse the reqid of the previous CHILD_SA, however, previously
the reqids were released and up for reassignment to any other CHILD_SA
or trap policy. This could cause the reqid to get associated with
completely different traffic selectors, as the reestablished CHILD_SA
would eventually get the requested reqid because the traffic selectors
explicitly don't have to match (to allow narrowing for CHILD_SAs based
on trap policies).
Tobias Brunner [Mon, 2 Oct 2023 14:21:28 +0000 (16:21 +0200)]
ike-sa: Correctly maintain allocated reqid when recreating CHILD_SA
Maintaining the reqid when recreating a CHILD_SA from scratch night not
strictly be necessary as we usually don't have to replace any temporary
states in the kernel. However, there could be concurrent acquires that
might actually make it necessary (we use the reqid to keep track of
acquires and it's also part of the duplicate check).
Tobias Brunner [Mon, 2 Oct 2023 14:02:08 +0000 (16:02 +0200)]
child-rekey: Only set reqid on new CHILD_SA if it was allocated dynamically
Keeping a reference ensures that if the old SA expires before the new
one is installed, the previous reqid isn't reallocated to a concurrently
established CHILD_SA with different selectors.
Tobias Brunner [Mon, 2 Oct 2023 13:47:02 +0000 (15:47 +0200)]
child-sa: Keep a reference to the previous reqid
The reference is kept until the reqid is either confirmed (i.e.
re-allocated) or replaced by a different reqid, which happens only once
we know the final traffic selectors, or the SA is destroyed without
installing it.
Tobias Brunner [Mon, 2 Oct 2023 11:59:23 +0000 (13:59 +0200)]
kernel-interface: Use reqid as sole key in hash table
Every reqid is allocated once, we don't store the same reqid with e.g.
different marks or interface IDs that would make it necessary to make
them part of the key in that table (that's different in the other table).
To preserve the current behavior, that is, allocating a new reqid if e.g.
the marks are different, the additional selector values (which will
result in an additional policy in the Linux kernel) are compared after
the initial lookup.
Tobias Brunner [Wed, 31 May 2023 12:39:05 +0000 (14:39 +0200)]
credential-manager: Add option to reject trusted end-entity certificates
This allows preventing peers from authenticating with certificates
that are locally trusted, in particular, our own local certificate (which
safeguards against accidental reuse of certificates on multiple peers).
On the other hand, if this option is enabled, end-entity certificates
for peers can't be configured anymore explicitly (e.g. via remote.certs
in swanctl.conf).
Tobias Brunner [Thu, 5 Oct 2023 08:27:18 +0000 (10:27 +0200)]
tls-server: Also change DH group when selecting a different EC curve
If we initially selected a group the peer doesn't support (e.g. because
curve25519 is the first ECDH group provided by plugins), then found
a supported curve, we previously still instantiated a DH object for the
original group and might have formatted the parameters incorrectly.
Tobias Brunner [Thu, 31 Aug 2023 11:45:10 +0000 (13:45 +0200)]
ike-sa: Fix handling of redirects during IKE_AUTH
Since the referenced commit, the state switch to IKE_ESTABLISHED doesn't
happen immediately after completing the authentication but only after
the remaining tasks have finished. Due to that redirects during IKE_AUTH
were treated like those during IKE_SA_INIT causing the IKE_SA and task
manager to get reset. However, unlike the ike-init task, the ike-auth
task returned SUCCESS and, therefore, got destroyed, while a different
task was removed from the array that was modified during the reset.
This later caused a dereference of the freed ike-auth task and a crash.
Fixes: 5ce1c91b58a2 ("ikev2: Trigger ike_updown() event after all IKE-specific tasks ran")
Tobias Brunner [Fri, 13 Oct 2023 07:10:56 +0000 (09:10 +0200)]
Merge branch 'reject-explicit-ecdsa'
There is a relatively recent NIAP requirement to reject certificates with
ECDSA keys that explicitly encode the curve parameters (TD0527, Test 8b).
Since explicit encoding is pretty rare (if used at all and e.g. wolfSSL
already rejects it, by default), we should follow that requirement and
just reject such keys/certificates completely.
This currently can be enforced in all crypto plugins except when using
older versions of OpenSSL (< 1.1.1h) and Botan (< 3.2.0).
Andreas Steffen [Fri, 1 Sep 2023 10:33:09 +0000 (12:33 +0200)]
cert-enroll: certificate checking and enrollment
The cert-enroll script handles the initial enrollment of an X.509
host certificate with a PKI server via the EST or SCEP protocols.
Run as a systemd timer or via a crontab entry the script daily
checks the expiration date of the host certificate. When a given
deadline is reached, the host certificate is automatically renewed
via EST or SCEP re-enrollment based on the possession of the old
private key and the matching certificate.
This works around an issue that occurs when recreating an IKE_SA with
multiple CHILD_SAs that use dynamically allocated reqids.
We currently try to preserve the reqid when reestablishing, so the
create-child task gets the reqid of the previous CHILD_SA and will try
to reallocate that once the CHILD_SA is installed. Before that, the old
CHILD_SA is destroyed and the reqid is released and added to the array
of reqids to get reused. However, because of the reverse order used here,
the first reqid in the array is the one of the last CHILD_SA.
So it can happen that a newly created CHILD_SA gets a reqid reassigned
that a later CHILD_SA will then also claim for itself and get assigned
because an entry with that reqid exists. So multiple CHILD_SAs with
different traffic selectors could then share the same reqid.
Boi Sletterink [Thu, 29 Jun 2023 15:39:37 +0000 (17:39 +0200)]
libipsec: Also install routes without preferred source to forward traffic
Fixes a problem installing policies with source traffic selectors that do
not contain/match any of the local addresses.
When installing a route for a source TS that does contain one or more
local addresses, a preferred source address should be set in the route
(analogous to the `src` option in `ip route add`). This address is used
when the host itself sends traffic via that route (in contrast to
forwarding it).
When the source TS does not encompass any of the local addresses, the
host is not allowed to send traffic via this route and does not need to
set the preferred source address. However, the code would just return a
failure because it could not find a matching local address. This commit
changes this so routes without preferred source IP are installed to
allow non-local traffic to get forwarded via TUN device.
This commit fixes auto detection of in6_pktinfo.
When negotiating an IPv6 IKE session charon reported an error
"Jun 30 16:42:49 03[NET] error reading IP header"
The cause of error was missing in6_pktinfo declaration, which is
auto detected. This auto detection may fail with an error depending
on compiler flags:
configure:19850: checking for in6_pktinfo
configure:19870: gcc -c -g -O0 -Wall -Wno-format -Wno-format-security
-Wno-pointer-sign -Werror -Wfatal-errors -Wno-error=stringop-truncation
conftest.c >&5
conftest.c: In function 'main':
conftest.c:73:11: error: 'pi.ipi6_ifindex' is used uninitialized in this
function [-Werror=uninitialized]
73 | if (pi.ipi6_ifindex)
| ~~^~~~~~~~~~~~~
compilation terminated due to -Wfatal-errors.
cc1: all warnings being treated as errors
Tobias Brunner [Tue, 29 Aug 2023 15:45:32 +0000 (17:45 +0200)]
android: Request permission to display notifications on Android 13
Note that displaying the notification for the background service is
apparently not strictly necessary. So it's fine if the user wants to
hide it. That the service is running can still be seen in the task
manager (pull down the status drawer twice, there is a bullet with a number
at the bottom if the service is running).
Simply use the system dialog. If the user denies it twice, it won't show
up again. The explanation dialog would not show up the first time (i.e.
shouldShowRequestPermissionRationale() returns false), only once the user
denied the permission once. Currently seems like a bit much work
as we don't need the user to allow notifications.
Tobias Brunner [Wed, 17 May 2023 08:17:14 +0000 (10:17 +0200)]
android: Use new sockets to determine source IP
Particularly on Samsung devices, the connect() call to dissolve the
previous connection on an existing socket via AF_UNSPEC does fail in
some situations with ECONNREFUSED:
[KNL] failed to disconnect socket: Connection refused
While creating a new socket is potentially a bit more overhead, this
should avoid the issue.
kernel-pfroute: Maintain virtual flag when repopulating interface addrs
When adding a virtual IP on a TUN interface, the interface might get
activated (in terms of receiving the event) after we've already set the
virtual flag for the added address. As the activation repopulates the
addresses on the interface, this cleared the flag and the address would
no longer be treated as virtual IP when installing routes for CHILD_SAs
that reference it in their local traffic selectors.
Fixes an infinite loop if e.g. Netlink event sockets get too many
packets queued and poll() just returns POLLERR for the socket. Also
increases the default receive buffer size for Netlink sockets to better
support systems with lots of route updates.
watcher: Change handling of POLLERR and remove WATCHER_EXCEPT
We can't actually explicitly listen for errors by passing POLLERR in
`events` (the man page for poll() clearly states it's ignored). On the
other hand, POLLERR can be returned for any FD and, even worse, it might
be the only event indicated.
The latter caused an infinite loop as we didn't notify the callback nor
clear the error by calling `getsockopt(..., SOL_SOCKET, SO_ERROR, ...)`.
And while the latter would be able to reset the state to break the loop,
it seems to leave the FD in a defunct state where no further events will
be returned by poll(). Notifying the callback works better (the error
is then reported by e.g. recvfrom()) and automatically happened already
if POLLERR was returned together with e.g. POLLIN.
So we now treat POLLERR like the other error indicators we handle (POLLHUP
and POLLINVAL) and just notify the callbacks.
kernel-netlink: Increase the default receive buffer size
Also simplify how we try to exceed the system-wide maximum. We basically
just try to force the value and simply fall back to the regular call.
The kernel actually won't let the latter fail if the value is too big,
it just caps it at the internal maximum.
Tobias Brunner [Wed, 21 Jun 2023 13:57:38 +0000 (15:57 +0200)]
child-rekey: Correctly encode protocol/SPI in CHILD_SA_NOT_FOUND notify
As specified in RFC 7296, section 2.25:
The SA that the initiator attempted to rekey is indicated by the SPI
field in the Notify payload, which is copied from the SPI field in
the REKEY_SA notification.
Tobias Brunner [Thu, 16 Mar 2023 14:42:11 +0000 (15:42 +0100)]
notify-payload: Add methods to simplify encoding and retrieving IKE SPIs
The get_spi_data() method is currently not used, so that has been
simplified so it can be used for any protocol type and any SPI length.
Same for set_spi_data(), which is currently used for IKEv1 to encode
two SPIs.
Tobias Brunner [Fri, 23 Jun 2023 10:04:14 +0000 (12:04 +0200)]
charon-nm: Actually use the created XFRM interface
The created XFRM interface was not actually used (no interface IDs on the
SAs, no routes via interface). It was basically treated like the dummy
TUN device. To actually install the routes via XFRM interface, we have
to create it before we install the SAs and policies, signal_ip_config()
happens too late. We also have to mark the ESP packets the same as IKE
the packets to avoid a routing loop if the server's IP is included in
the remote traffic selector (in particular if it's 0.0.0.0/0 or ::/0).
Fixes: 58f278f93239 ("charon-nm: Use an XFRM interface if available")
testing: Change memory allocation for alice and winnetou and switch to MiB
The services running on alice seem to require a bit more memory with
Debian bookworm, so increase the memory allocation. But at the same
time reduce winnetou's allocation by the same amount as it really doesn't
require that much memory.
testing: Hardcode /testresults mount point in winnetou's fstab
Because do-tests runs the restore-defaults script, fstab would get reset
to the default version and the mount point wouldn't be available anymore
after stopping and restarting the guests (unless the guest images were
rebuilt in between).
Tobias Brunner [Wed, 28 Jun 2023 13:54:54 +0000 (15:54 +0200)]
testing: Add support for Debian bookworm base images
By default, rsyslog is not installed anymore to avoid storing everything
twice (since journald is the default). If this becomes an issue, we
could delete /var/log/journal to only log via rsyslog.
Tobias Brunner [Wed, 28 Jun 2023 13:49:32 +0000 (15:49 +0200)]
testing: Install python-daemon via Debian package
System-wide installation via pip isn't easily possible anymore on Debian
bookworm, so just use the Debian package for this (is available in old
releases as well).
Tobias Brunner [Tue, 27 Jun 2023 17:03:32 +0000 (19:03 +0200)]
libimcv: Add Debian 12 (bookworm) to database
Because libcrypto and libssl are measured, we need a new group for Debian
versions with OpenSSL 3 (I've rather added a suffix to the old group as
that could eventually get removed, although we might need a 3.1 variant
in the future - maybe we should measure some other files?).
Tobias Brunner [Tue, 27 Jun 2023 16:45:53 +0000 (18:45 +0200)]
testing: Fix vici updown script on Debian bookworm
OOM-killer is now already triggered with `import daemon`, so set the
limit before that. Also some PEP8 fixes (including an exclusion for
the above fix as that causes imports to not be at the beginning of the
file).
Tobias Brunner [Tue, 27 Jun 2023 16:41:42 +0000 (18:41 +0200)]
testing: Whitelist all Git repositories in the root image
Without this, Git refuses to operate on the build dirs that are mounted
with weird ownership. When running as root in the chroot, Git checks
SUDO_UID, which won't match.
Tobias Brunner [Tue, 27 Jun 2023 16:40:24 +0000 (18:40 +0200)]
testing: Create traditional RSA keys with OpenSSL 3
This is necessary because TKM can't read PKCS#8 files and in some
scenarios we don't have the pkcs8 plugin loaded that would be required
to read/decrypt the non-traditional files.
Tobias Brunner [Tue, 27 Jun 2023 16:01:29 +0000 (18:01 +0200)]
testing: Fix systemctl wrapper and adapt enabling services on winnetou
The wrapper called the command twice for any unit but "strongswan" and
it didn't return the correct exit code. This was noticed when an
if-updown script tried to check if systemd-resolved is active and always
succeeded, which caused failing attempts to configure it.
But now that the return code is correct, trying to enable bind9 won't
fail silently anymore if the unit doesn't exist (similar on older systems
for named), so this is adapted.
Tobias Brunner [Mon, 26 Jun 2023 12:20:14 +0000 (14:20 +0200)]
testing: Configure curve25519-sha256 as key exchange for SSH
With Debian bookworm, the PQC KE sntrup761x25519-sha512 is negotiated, by
default. This increases the overhead significantly, in particular, the
size of the KE message, which wouldn't get through IPsec tunnels without
MSS clamping.
Tobias Brunner [Thu, 15 Jun 2023 15:54:08 +0000 (17:54 +0200)]
resolve: Try to maintain the order of DNS servers if using resolvconf
Since 17fd304e60df ("resolve: Don't install individual servers via
resolvconf"), DNS servers were sorted if getting installed via resolvconf.
In some setups the order might be important (even though relying on it
isn't a good idea in general as stub resolvers are free to use all of
the servers as they please).
projects / thirdparty / strongswan.git / log
