Tobias Brunner [Thu, 30 Oct 2025 15:36:45 +0000 (16:36 +0100)]
android: Fix edge-to-edge layout issues with settings and app selection
Using FrameLayout for the settings instead of the recommended
FragmentContainerView because the latter makes handling insets more
complicated (fitsSystemWindows doesn't work as the fragment is responsible
for handling insets but how that should work with PreferenceFragmentCompat
is unclear).
Fixes: 2404b2bee632 ("android: Apply UI changes for edge-to-edge views in Android 15+")
Tobias Brunner [Mon, 27 Oct 2025 14:36:49 +0000 (15:36 +0100)]
Merge branch 'android-updates'
This fixes the vulnerability in the eap-mschapv2 plugin and an issue
with the filename of log files. In the released app, the OpenSSL version
is also increased in order to support ML-KEM.
Tobias Brunner [Thu, 9 Oct 2025 09:33:45 +0000 (11:33 +0200)]
eap-mschapv2: Fix length check for Failure Request packets on the client
For message lengths between 6 and 8, subtracting HEADER_LEN (9) causes
`message_len` to become negative, which is then used in calls to malloc()
and memcpy() that both take size_t arguments, causing an integer
underflow.
For 6 and 7, the huge size requested from malloc() will fail (it exceeds
PTRDIFF_MAX) and the returned NULL pointer will cause a segmentation
fault in memcpy().
However, for 8, the allocation is 0, which succeeds. But then the -1
passed to memcpy() causes a heap-based buffer overflow (and possibly a
segmentation fault when attempting to read/write that much data).
Fortunately, if compiled with -D_FORTIFY_SOURCE=3 (the default on e.g.
Ubuntu), the compiler will use __memcpy_chk(), which prevents that buffer
overflow and causes the daemon to get aborted immediately instead.
Fixes: f98cdf7a4765 ("adding plugin for EAP-MS-CHAPv2") Fixes: CVE-2025-62291
Tobias Brunner [Fri, 3 Oct 2025 08:59:03 +0000 (10:59 +0200)]
vici: Provide a way to stop listening and re-connect in Python bindings
This allows re-connecting to a new session in a disconnect listener and
continue listening without having to return from listen(). The exception
can also be used to stop listening after some condition (e.g. to wait
until a specific SA got created and then stop).
Martin Willi [Wed, 24 Sep 2025 13:15:03 +0000 (15:15 +0200)]
child-create: Raise an ALERT_TS_MISMATCH when receiving TS_UNACCEPTABLE
When sending a TS_UNACCEPTABLE notify, a ALERT_TS_MISMATCH is sent, but
not when receiving one. This seems inconsistent compared to proposal
mismatch handling, so extend the child_create task to raise such an alert.
Martin Willi [Tue, 23 Sep 2025 11:01:52 +0000 (13:01 +0200)]
vici: Raise alert events from the bus alert listener hook
The bus alert infrastructure is currently exposed through the error-notify
plugin using a dedicated socket using a rather archaic message format.
Vici clients would need a dedicated socket connection just to receive such
alert messages, making their implementation more complex.
With vici, it is rather trivial to expose bus alerts through a dedicated
event message that vici clients may subscribe to. Add such an "alert"
event type to vici. Alert names are mapped to strings for simple consumption by
clients.
For now, the error-notify string message is omitted from events, as it mostly
contains static information without much value; instead add the IKE_SA details
for alerts associated to an IKE_SA. Other alert specific data may be added in
the future if needed; preferably using a structured format instead of the
arbitrary string messages used by error-notify. To allow future extensions,
wrap IKE_SA details under a dedicated "ike-sa" property.
Tobias Brunner [Thu, 2 Oct 2025 06:47:34 +0000 (08:47 +0200)]
github: Use OpenSSL 3 for macOS builds and enable additional plugins
The Homebrew formula has been using OpenSSL 3 for a while. The eap-peap
and pkcs11 plugins also have been enabled in the formula. The dhcp plugin
is enabled to test the port (the farp plugin was already enabled since
its port to FreeBSD/macOS). The drbg plugin is enabled to run the ML-KEM
test vectors.
Tobias Brunner [Wed, 1 Oct 2025 13:52:45 +0000 (15:52 +0200)]
github: Build on macOS 14 instead of the deprecated macOS 13
While macos-13 was running on Intel, both macos-latest (macOS 15) and
macos-14 run on ARM64. While there are Intel-based images for 14 and 15,
they will only be available until August 2027 (and there aren't any Intel
devices anymore anyway).
Tobias Brunner [Wed, 1 Oct 2025 13:19:18 +0000 (15:19 +0200)]
Merge branch 'android-updates'
This fixes GUI-related compatibility issues with Android 16 and allows
(pre-)selecting on-device certificates/keys with managed profiles. Also
fixes a typo in the managed config description that prevented
split-tunneling settings from working.
android: Make a certificate alias pre-selectable in managed profiles
This allows associating a pre-installed certificate/key with a VPN
profile. For instance, one locally generated on the device via
SCEP/ETS by the MDM. It only works if the app is granted access to the
certificate/key (alias) by the MDM.
For now, users may still select a different certificate if one is
available (since this requires the certificate to be installed as
user-selectable there might not be).
android: Explicitly pull in androidx.localbroadcastmanager
Seems to not get pulled in automatically anymore. This has actually been
deprecated for years apparently. Unfortunately, it's not that easy to
replace, so keep it for now.
Tobias Brunner [Mon, 4 Aug 2025 12:35:11 +0000 (14:35 +0200)]
android: Apply UI changes for edge-to-edge views in Android 15+
When targeting Android 15, edge-to-edge is the default and when targeting
Android 16, apps can't opt-out from this anymore. So we update our views
and enable edge-to-edge also for older versions (avoids the black bar
behind the system UI at the bottom). For most views we just use automatic
margins via android:fitsSystemWindows (or programmatically via
setDecorFitsSystemWindows). However, for the profile lists and log views,
we take some extra measures that allow the lists to go behind the bottom
system UI. Appropriate padding is applied at the bottom of the lists so
the last item(s) can be scrolled into full view.
No part of IKE/IPsec or X.509 uses MD2 anymore, so there really is no
reason to still support it (unlike MD4 that is used in EAP-MSCHAPv2,
MD5 that's used in EAP-MD5, or SHA-1 that's used for e.g. NAT-D hashes).
It caused test vectors to fail on systems where OpenSSL is built with
MD2 support but has it disabled at runtime.
Tobias Brunner [Fri, 15 Aug 2025 16:32:24 +0000 (18:32 +0200)]
testing: Add option to run tests without leak detective
This new option allows to disable leak detective to reduce the runtime
during development. Either only for the command line (swanctl, pki etc.)
or optionally also for the daemon(s).
Disabling leak detective only for the CLI tools already brings a
considerable reduction in runtime (from 48m to 38m on my dev host) as
there are many such calls in the post-test stage. Any leaks in those
tools are also a lot less of an issue than leaks in the daemon. So using
this during development should be fine as long as a full test run is done
regularly (in particular before releases). Disabling leak detective
completely further reduces the runtime (to 30m on my dev host). But that
should probably only be used for functional regression tests after
verifying new code didn't introduce new leaks.
This also fixes the service script which is used for charon-tkm since 16fcdb460afd ("charon-tkm: Don't use starter/stroke with charon-tkm anymore").
Tobias Brunner [Fri, 15 Aug 2025 12:48:49 +0000 (14:48 +0200)]
testing: Increase memory for guest hosts to run Debian trixie
While some increase was necessary anyway because the idle system requires
about 5-10 MiB more memory, the main issue is resolving the code line and
function name in case of a memory leak. Calling addr2line requires a lot
more memory than before. Using backtraces via libbfd doesn't help either
because the trigger is the bfd_find_nearest_line() call we use as well.
And because we'd try to resolve all symbols that way (for whitelisting),
the memory overhead would be even higher and affect every shutdown, even
if no leak occurred. It also causes a significant time overhead (running
all tests took 75m instead of 48m).
I also tested switching to ASAN/LSAN. The peak memory usage is slightly
higher than when using libbfd, but enabling it also increased the runtime
overhead a lot (the daemon and swanctl both required about 10-20 MiB more
memory, not just during the shutdown).
Tobias Brunner [Fri, 15 Aug 2025 12:45:13 +0000 (14:45 +0200)]
testing: Install required packages in venv of updated strongTNC
Update revision for some dependency updates. While python3-setuptools is
installed on the system, the venv apparently can't use it. legacy-cgi is
required to use that old Django version with newer Python releases.
Tobias Brunner [Fri, 15 Aug 2025 12:40:38 +0000 (14:40 +0200)]
testing: Use newer version of TKM on trixie
The API for libgmpada has change with 1.6 in a way that's not
backwards-compatible. So we use a different revision that includes
the required changes depending on the Debian version.
This also adds support for esa_select(), to support seamless rekeyings,
which requires updating xfrm-ada as well.
Tobias Brunner [Wed, 13 Aug 2025 11:54:01 +0000 (13:54 +0200)]
testing: Use new recommended approach to install key for custom apt repository
apt-key add is deprecated (and not available in trixie) as it makes the
available for all sources. The recommended approach makes the key very
specifically available for just our repository.
Tobias Brunner [Wed, 13 Aug 2025 11:38:52 +0000 (13:38 +0200)]
testing: Move sysctl settings to sysctl.d and add some memory settings
Debian trixie doesn't provide a 99-sysctl.conf symlink in that directory
anymore. The memory settings are also useful there as the default of
one changed and overbooking helps when forking a process with large
memory footprint (e.g. the IKE daemon).
host: Don't try to resolve %any* keywords with mismatched address family
While host_create_from_string_and_family() usually replaces %any*
keywords, this fails if the address family doesn't match (e.g. %any4 with
AF_INET6). There is no point in trying to resolve these keywords via
DNS as % is no valid character for host names.
Tobias Brunner [Fri, 22 Aug 2025 14:46:10 +0000 (16:46 +0200)]
Merge branch 'plugin-versions'
This adds a symbol with the current version number to all existing
plugins (the PLUGIN_DEFINE() macro makes this easy). The version is
checked when a plugin is loaded from a file in order to prevent loading
old plugins from any previous build, which could cause all sorts of
issues.
Tobias Brunner [Thu, 21 Aug 2025 08:24:37 +0000 (10:24 +0200)]
pkcs11: Improve detection of already unwrapped CKA_EC_POINTs
If an uncompressed point is already unwrapped (incorrect but some tokens/
modules do this) and therefore still looks like an ASN.1 octet string,
there could be false positives with the previous checks that lead to
mangled points.
By ensuring that we unwrapped the complete ASN.1 chunk, we can already
reduce the false positive rate when the assumed length is smaller than
the chunk, which we previously accepted but isn't the case in correctly
encoded points.
And while we already checked that the first byte indicates a valid point
type/encoding, there could still be false positives. We can avoid those
with some checks on the length of the unwrapped point. In particular,
enforcing a multiple of 4/8 should fail for valid unwrapped points where
three bytes were removed in the process (ASN.1 tag and length, point
encoding).
Tobias Brunner [Mon, 11 Aug 2025 12:24:16 +0000 (14:24 +0200)]
ike-sa-manager: Avoid deadlock due to race condition during shutdown
If an entry is added while we wait for a checked out SA in flush() (e.g.
due to an action performed by that SA), new entries might get inserted
before the one we wait for. If that was the first entry in the row, we
didn't correctly update the table and the new entries were basically lost
by overwriting the first entry in the row. As the SA count was still
increased but the new entries couldn't get enumerated, the daemon wasn't
terminated properly but was stuck in the loop in flush().
Tobias Brunner [Fri, 22 Aug 2025 06:34:01 +0000 (08:34 +0200)]
testing: Disable deprecated features in Botan
We keep MD5 enabled for now as we need it for TLS 1.0/1.1. Once we
remove that we can reconsider (although, it's also needed for EAP-MD5
and since MD4 is disabled as well, which means EAP-MSCHAPv2 won't
be available, we'd be left with only EAP-GTC for simple username/password
authentication, which nobody else supports).
projects / thirdparty / strongswan.git / log
