Tobias Brunner [Tue, 15 Jun 2021 09:11:14 +0000 (11:11 +0200)]
wip: child-sa: Configure UDP encapsulation for per-CPU SAs
wip: this is just a PoC. it needs some kind of notify to negotiate
the use (in theory it doesn't as IPsec stacks should be able to process
UDP encaped and plain ESPs for the same SA, the kernel doesn't so both
peers need to enable it - otherwise we could just enable it on the
outbound SA and send to port 4500)
To avoid lots of NAT mapping events from the kernel it needs a patch so it
doesn't produce any if the configured source port is 0
Tobias Brunner [Thu, 20 May 2021 08:12:30 +0000 (10:12 +0200)]
wip: vici: Make per-CPU CHILD_SAs configurable
wip: also, maybe add a check to ensure that start_action=trap is set (or even
set it implicitly?), but could also just be the responsibility of the
user as it's documented
Tobias Brunner [Thu, 20 May 2021 07:46:55 +0000 (09:46 +0200)]
wip: trap-manager: Add support to handle acquires for per-CPU SAs
wip: we could possibly install trap policies with num_sas set to install
per-CPU trap policies right from the start. then the first acquire would
already get us a CPU ID. however, since we don't now if the peer supports
the extension, the CPU ID might get reset and a regular SA negotiated,
rendering the match for CPU ID invalid (we could then perhaps just remove
the first acquire with has acquire->cpu != CPU_ID_MAX and stop enumerating).
the policy installed with the regular SA should hopefully prevent further
CPU-specific acquires (at least if there was no narrowing)
Tobias Brunner [Thu, 20 May 2021 07:41:54 +0000 (09:41 +0200)]
ike-sa: Sort CHILD_SAs by CPU ID
This might make debugging easier and also ensures that a possible
fallback SA without CPU ID is established first when reestablishing
an IKE_SA. Because even if such an SA is established first, that might
change if per-CPU SAs are rekeyed first.
Tobias Brunner [Mon, 31 May 2021 13:21:46 +0000 (15:21 +0200)]
forecast: Ignore per-CPU CHILD_SAs
Not sure if this combination does make sense as the plugin itself would
be a major bottleneck.
Similar to the connmark plugin, PREROUTING rules list SPIs or UDP ports,
which would be necessary for all SAs while the OUTPUT rules would only be
required once.
Tobias Brunner [Mon, 31 May 2021 13:06:41 +0000 (15:06 +0200)]
connmark: Ignore per-CPU CHILD_SAs
The combination probably doesn't make much sense.
The OUTPUT rules would definitely only be required once, while the INPUT
and PREROUTING rules list individual SPIs and/or UDP ports, which would
be necessary for all SAs.
By the way, the rules in PREROUTING might actually not be necessary
anymore if the set_mark_in option was used for such SAs.
Tobias Brunner [Fri, 27 Aug 2021 16:18:09 +0000 (18:18 +0200)]
tun-device: Fix handling of IPv6 addresses
struct ifreq can't be used for IPv6 as the ifr_addr member is not large
enough. Actually, configuring an IPv6 address via an AF_INET socket won't
work anyway. And unfortunately, it's not standardized how IPv6 addresses
are installed, so we have to do this quite differently on Linux and on BSD.
However, we already use SIOCAIFADDR for IPv4 on newer FreeBSD systems,
which wasn't the case when this patch was originally created in 2014.
Consider queued child-creating tasks when reloading configs that have
`start` as start action. Besides some possible corner cases it fixes
handling IKE_SAs that are current getting established and have no
established CHILD_SAs yet.
Thomas Egerer [Fri, 6 Sep 2024 11:29:40 +0000 (13:29 +0200)]
array: Don't use realloc() with zero size in array_compress()
The behavior of realloc(3) with zero size was apparently implementation
defined. While glibc documents the behavior as equivalent to free(3),
that might not apply to other C libraries. With C17, this behavior has
been deprecated, and with C23, the behavior is now undefined. It's also
why valgrind warns about this use.
Hence, when array_compress() would call realloc() with a zero size, we
now call free() explicitly and set the pointer to NULL.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
Tobias Brunner [Wed, 7 Aug 2024 14:20:42 +0000 (16:20 +0200)]
Merge branch 'multi-ke'
This adds support for multiple key exchanges (no KEMs yet as none are
standardized so far). Work on this started over five years ago and went
through multiple iterations (first our own protocol, then standardized
extensions in different variations).
IKE_INTERMEDIATE exchanges, defined RFC 9242, are used to transport
multiple KE payloads between the IKE_SA_INIT and IKE_AUTH exchanges.
To rekey IKE and CHILD_SAs with multiple key exchanges, IKE_FOLLOWUP_KE
exchanges are used, as defined in RFC 9370.
In proposals, additional key exchange methods are configured via `keX_`
prefix, where X is a number between 1 and 7. For example, `ke1_ecp256`
adds ECP_256 as additional KE method. As with regular key exchanges,
peers have to agree on a method for each round unless no algorithms are
defined by both or `keX_none` is configured to make that round explicitly
optional.
Also changed is how rekey collisions are handled, which makes CHILD_SAs
properly trackable via child_rekey() hook.
unit-tests: Ensure listeners can track SAs via ike/child_updown/rekey()
Previously, it could happen that child_rekey() was triggered twice for
the same "old" SA. For listeners that would mean they'd loose track as
they'd be tracking a new SA that wasn't relevant anymore and for which
no updown event would ever get triggered (it was the redundant SA in a
collision). This new assert ensures that events are triggered in a
predictable way and listeners can track SAs properly.
Tobias Brunner [Mon, 22 Aug 2022 13:43:16 +0000 (15:43 +0200)]
ikev2: Make CHILD_SAs properly trackable during rekey collisions
As the winner of a rekey collision, we previously always triggered the
child_rekey() event once when creating the redundant SA on behalf of the
peer in the passive child-rekey task and then a second time when
creating the winning SA in the active task. However, both calls passed
the replaced CHILD_SA as "old". This made tracking CHILD_SAs impossible
because there was no transition from the redundant, "new" SA of the
first event to the "new", winning SA of the second. Of course, when the
second event was triggered, the redundant SA might not have existed
anymore because the peer is expected to delete it, which could happen
before the CREATE_CHILD_SA response arrives at the initiator.
This refactoring ensures that the child_rekey() event is triggered in
a way that makes the CHILD_SAs trackable in all reasonable (and even
some unreasonable) scenarios. The event is generally only triggered
once after installing the outbound SA for the new/winning CHILD_SA.
This can be when processing the CREATE_CHILD_SA in the active child-rekey
task, or when processing the DELETE for the old SA in a passive
child-delete task. There are some cases where the event is still
triggered twice, but it is now ensured that listeners can properly
transition to the winning SA.
Some corner cases are now also handled correctly, e.g. if a responder's
DELETE for the new CHILD_SA arrives before its CREATE_CHILD_SA response
that actually creates it on the initiator. Also handled properly are
responders of rekeyings that incorrectly send a DELETE for the old
CHILD_SA (previously this caused both, the new and the old SA, to get
deleted).
Tobias Brunner [Thu, 25 Jun 2020 08:26:38 +0000 (10:26 +0200)]
child-create: Add support for multiple key exchanges
It also changes that payloads are built before installing the CHILD_SA
on the responder, that is, the KE payload is generated before keys are
derived, so that key_exchange_t::get_public_key() is called before
get_shared_secret(), or its internal equivalent, which could be relevant
for KE implementations that want to ensure that the key can't be
accessed again after the key derivation.
Tobias Brunner [Thu, 31 Oct 2019 16:16:44 +0000 (17:16 +0100)]
ike-init: Add support for multiple key exchanges
Initially, this is handled with a key derivation for each
IKE_INTERMEDIATE exchange. When rekeying, the keys are derived only
once all IKE_FOLLOWUP_KE exchanges are done.
Tobias Brunner [Tue, 20 Aug 2019 15:07:55 +0000 (17:07 +0200)]
ike-auth: Calculate and collect IntAuth for IKE_INTERMEDIATE exchanges
The message ID of the first IKE_AUTH exchange is a safe-guard against
potential truncation attacks if IKE_INTERMEDIATE exchanges are not used
for multiple key exchanges but some other future use where the number of
exchanges might not depend on the selected proposal.
Tobias Brunner [Tue, 8 Feb 2022 13:23:37 +0000 (14:23 +0100)]
ikev2: Reject IKE_INTERMEDIATE requests after IKE_AUTH
We currently only support these exchanges for additional key exchanges,
so once we have the final keys derived and the ike-init task is removed,
we don't expect any more of them.
projects / thirdparty / strongswan.git / log
