Tobias Brunner [Wed, 16 Mar 2022 10:45:49 +0000 (11:45 +0100)]
traffic-selector: Avoid out-of-bound array access when calculating range
This happens for `/0` subnet masks. In practice, it's not an issue because
if `bytes` is 0, then so are `netbits`, `bits` and `mask`. So the two
incorrectly addressed array elements are not actually modified. The first
operation is a `&= 0xff` and the second a `|= 0`, so nothing changes.
But some tools might not consider the values and report this as undefined
behavior, which it technically is.
Tobias Brunner [Wed, 16 Feb 2022 13:47:40 +0000 (14:47 +0100)]
kernel-pfkey: Don't install exclude routes for locally connected peers
Such routes with a gateway that equals the peer's address are problematic
on FreeBSD. And since there is most likely a narrow route for the local
subnet anyway, the exclude routes would be redundant.
Tobias Brunner [Fri, 11 Feb 2022 16:23:15 +0000 (17:23 +0100)]
kernel-pfkey: Only install exclude route if not routing via outbound interface
When installing routes based on remote traffic selectors, it can be
necessary to install an exclude route for the remote peer to avoid a
routing loop and continue to be able to reach it via IKE/ESP.
However, such routes are only necessary, if the routes we install don't
go via outbound interface. That's the case when using VIPs and routing
via TUN devices, or when using internal source IPs and routing via
their interfaces.
Installing such exclude routes if not necessary can cause issues on
FreeBSD (EINVAL when sending packets to the peer).
Tobias Brunner [Wed, 23 Feb 2022 16:29:02 +0000 (17:29 +0100)]
openssl: Don't unload providers
There is a conflict between atexit() handlers registered by OpenSSL and
some executables (e.g. swanctl or pki) to deinitialize libstrongswan.
Because plugins are usually loaded after atexit() has been called, the
handler registered by OpenSSL will run before our handler. So when the
latter destroys the plugins it's a bad idea to try to access any OpenSSL
objects as they might already be invalid.
Fixes: f556fce16b60 ("openssl: Load "legacy" provider in OpenSSL 3 for algorithms like MD4, DES etc.")
Closes strongswan/strongswan#921
Tobias Brunner [Fri, 4 Feb 2022 10:16:14 +0000 (11:16 +0100)]
tls-peer: Simplify identity check for server certificate
has_subject() already matches the identity against the subject DN and
all the SANs (it actually already did when this check was added with c81147998619 ("Strictly check if the server certificate matches the TLS
server identity")).
Tobias Brunner [Wed, 2 Feb 2022 17:39:20 +0000 (18:39 +0100)]
libtls: Enforce client/server identity when looking for public key
The client already enforces that the server identity is contained in the
received certificate. But on the server, the referenced commit changed
the lookup from the configured (or adopted if %any was configured) client
identity to the subject DN of the received client certificate. So any
client with a trusted certificate was accepted.
Fixes: d2fc9b0961c6 ("tls-server: Mutual authentication support for TLS 1.3")
Closes strongswan/strongswan#873
Tobias Brunner [Tue, 15 Feb 2022 15:38:31 +0000 (16:38 +0100)]
Merge branch 'natd-fixes'
This adds some modifications to NAT-D in case the source IP can't be
determined before generating NAT-D notifies. If this happens when using
IPv4, a local NAT is faked (UDP-encap can be disabled later via MOBIKE
if no NAT is actually detected). If it happens when using IPv6, NAT-T
is disabled completely.
It also removes the old fallbacks for source NAT-D notifies, which were
generally unused but could lead to incorrect results in the above
scenario.
Tobias Brunner [Tue, 29 Jun 2021 14:11:51 +0000 (16:11 +0200)]
ike-natd: Fake NAT situation or disable NAT-D if source IP is undetermined
This can happen if an IKE_SA is initiated to a static IP before DHCP is
done. Instead of failing the initiation, we either fake a NAT situation
(for IPv4) or disable NAT-D (for IPv6 where NATs and UDP-encap are not
widely used or supported).
This also removes the old fallbacks to determine the source address(es).
A source address lookup is done in ike_sa_t::resolve_hosts() (wasn't the
case initially) and enumerating local IPs (which was added even earlier)
could still lead to issues if e.g. LAN addresses are available but the
WAN address that's later used is not yet (in which case only the responder
would detect a NAT and UDP-encap would be configured asymmetrically).
To force UDP-encap locally in case there is no actual NAT, we store this
as COND_NAT_HERE instead of COND_NAT_FAKE. This ensures DPDs will contain
NAT-D notifies and we can later remove the state via MOBIKE. We trigger
a MOBIKE update after such a DPD by registering a changed NAT mapping after
checking for a disappearing local NAT, which is very unlikely to happen
outside of a MOBIKE update (where that flag is not checked).
Tobias Brunner [Fri, 4 Feb 2022 11:05:53 +0000 (12:05 +0100)]
appveyor: Install autotools package on 2019 image
On the recently updated 2019 image, autoreconf is not found anymore, as
recent versions of msys2 don't ship autools with base-devel aymore, so
install the autotools package explicitly.
Martin Willi [Mon, 31 Jan 2022 13:01:42 +0000 (14:01 +0100)]
proposal: Add ESN transform to default ESP AEAD proposal
The commit mentioned below adds an AES-GCM default proposal for ESP. That
proposal does not include any ESN or non-ESN transform to indicate if
extended sequence numbers are supported.
A standards-compliant peer will include one or more ESN support transforms,
and will be unable to select this proposal due to a proposal mismatch.
Fix the default AES-GCM proposal by adding a NO_ESN algorithm. While ESN has
been supported in the Linux kernel for a while, having it in the default
proposal can be problematic with kernel-libipsec or on other platforms.
Fixes: c7bef954eec6 ("proposal: Add AES-GCM to the ESP default AEAD proposal")
Closes strongswan/strongswan#868
Martin Willi [Thu, 20 Jan 2022 13:48:48 +0000 (14:48 +0100)]
sys-logger: Optionally support mapping strongSwan loglevels to syslog levels
strongSwan logs all syslog messages using LOG_INFO for historical reasons,
regardless of the strongSwan loglevel used producing the log message.
In some setups with advanced logging infrastructure, it may be feasible
to be more verbose when logging in strongSwan, but then filter messages
on the syslog server. While this may be possible by custom syslog filtering
rules matching the log level included with the log_level setting, this is
not super convenient.
So add a new map_level setting, which can map strongSwan loglevels to
syslog loglevels. By default this is disabled, keeping the existing
behavior. If enabled, it maps strongSwan loglevels to syslog loglevels
at a given syslog loglevel offset.
Martin Willi [Wed, 12 Jan 2022 10:00:20 +0000 (11:00 +0100)]
addrblock: Allow limiting validation depth of issuer addrblock extensions
RFC3779 requires to validate the addrblocks of issuer certificates strictly,
that is, they must contain the extension and the claimed addrblock, up to
the root CA.
When working with third party root CAs that do not have the extension,
this makes using the plugin impossible. So add a depth setting that limits
the number of issuer certificates to check bottom-up towards the root CA.
A depth value of 0 disables any issuer check, the default value of -1
checks all issuers in the chain, keeping the existing behavior.
Tobias Brunner [Tue, 14 Dec 2021 09:51:35 +0000 (10:51 +0100)]
eap-authenticator: Enforce failure if MSK generation fails
Without this, the authentication succeeded if the server sent an early
EAP-Success message for mutual, key-generating EAP methods like EAP-TLS,
which may be used in EAP-only scenarios but would complete without server
or client authentication. For clients configured for such EAP-only
scenarios, a rogue server could capture traffic after the tunnel is
established or even access hosts behind the client. For non-mutual EAP
methods, public key server authentication has been enforced for a while.
A server previously could also crash a client by sending an EAP-Success
immediately without initiating an actual EAP method.
Fixes: 0706c39cda52 ("added support for EAP methods not establishing an MSK") Fixes: CVE-2021-45079
Andreas Steffen [Sun, 17 Oct 2021 13:53:42 +0000 (15:53 +0200)]
sw-collector: Iterate through history logs
The logrotate function causes the apt history to be split into
several parts at arbitrary points in time. If history.log only
is parsed then some package installation changes stored in
zipped backup history files might get lost.
Thus sw-collector now searches all backup history files until
a date older than the current event stored in the collector.db
database is found, so that no entries get overlooked.
Andreas Steffen [Mon, 8 Nov 2021 08:02:40 +0000 (09:02 +0100)]
libtpmtss: Establish session with TPM 2.0
Using the trusted RSA or ECC Endorsement Key of the TPM 2.0 a
secure session is established via RSA public key encryption or
an ephemeral ECDH key exchange, respectively.
The session allows HMAC-based authenticated communication with
the TPM 2.0 and the exchanged parameters can be encrypted where
necessary to guarantee confidentiality.
Tobias Brunner [Wed, 8 Dec 2021 10:34:46 +0000 (11:34 +0100)]
Merge branch 'openssl-providers'
Optionally load the legacy provider in OpenSSL 3 (enabled, by default) to
make algorithms like MD4 and DES available, which we require for
EAP-MSCHAPv2. Allow explicitly loading the fips provider via existing
fips_mode option. The loaded providers, whether influenced by the above
options or not, are logged.
openssl: Load "legacy" provider in OpenSSL 3 for algorithms like MD4, DES etc.
We still require these algorithms for e.g. EAP-MSCHAPv2, so the option is
enabled, by default. To use other providers (e.g. fips or even custom
ones), the option can be disabled and the providers to load/activate can
be configured in openssl.cnf. For instance, the following has the same
effect as enabling the option:
Tobias Brunner [Wed, 8 Dec 2021 10:33:32 +0000 (11:33 +0100)]
Merge branch 'libtls-tests'
Improves handling failures during unit tests of libtls and includes a
change for the openssl plugin so it only announces ECDH groups for which
the library provides the required ECC curve.
Tobias Brunner [Tue, 16 Nov 2021 13:34:03 +0000 (14:34 +0100)]
openssl: Only announce ECDH groups actually supported by OpenSSL
Determined by whether the library provides curves for it or not.
For instance, in the OpenSSL 3 FIPS provider the Brainpool curves are
not included. And in the Fedora package several weak curves are
explicitly patched out and the Brainpool curves are omitted even in
non-FIPS mode.
Tobias Brunner [Mon, 15 Nov 2021 13:39:22 +0000 (14:39 +0100)]
tls-socket: Handle sending fatal errors better
In particular as server, the previous code might cause it to hang in
recv() if this case wasn't triggered by a close notify (followed by a
shutdown of the socket) but it e.g. failed processing a ServerHello and
responded with a fatal alert.
Fixes: 09fbaad6bd71 ("tls-socket: Don't fail reading if sending data failed")
Tobias Brunner [Fri, 26 Nov 2021 10:32:46 +0000 (11:32 +0100)]
child-rekey: Uninstall old outbound SA earlier on initiator/winner
This is useful for kernel implementations where the ordering of SAs
is unpredictable and the new SA might otherwise not be used until the
DELETE response has been received, which is not ideal as the responder
might not keep the old SA around that long. On Linux, it makes no
difference as we switch to the new outbound SA immediately because the
updated outbound policy references its SPI.
Tobias Brunner [Tue, 23 Nov 2021 16:08:11 +0000 (17:08 +0100)]
github: Run charon-tkm tests
Use a Debian-based Docker container to run the unit tests for charon-tkm,
once without and once with TKM running. The container can also be used
locally to run the tests (see comments in the Dockerfile).
Tobias Brunner [Mon, 22 Nov 2021 14:06:19 +0000 (15:06 +0100)]
charon-tkm: Make only tests requiring TKM optional
This way we can run many unit tests without having to run the TKM in the
background and as regular user. To run the other tests, TESTS_TKM can
optionally be defined when running `make check`.
Tobias Brunner [Fri, 5 Nov 2021 07:46:48 +0000 (08:46 +0100)]
kernel-pfroute: Set lower MTU on TUN devices
The default MTU of 1500 is too high if kernel-libipsec is used (considering
the overhead of UDP-encapsulated ESP), but might also have an effect if
a TUN device is only used to install a virtual IP (the route points to it,
so the system might use its MTU and 1500 would still be too high).
This also works around an issue on macOS 12 where no RTM_IFINFO event
is sent for the newly created TUN device (neither for the creation,
setting it "up", nor adding the address). Changing the MTU, however,
triggers such an event and we can detect the virtual IP.
Volker Rümelin [Mon, 1 Nov 2021 13:49:17 +0000 (14:49 +0100)]
ike: Fix prefix length and data of vendor ID Cisco VPN Concentrator
Currently the length of vendor ID Cisco VPN Concentrator is 16
bytes but the string has only 13+1 bytes. The actual vendor
ID has 16 bytes with a prefix length of 14 bytes and two version
bytes.
Fixes: 6c49ddfbca72 ("ike: Add additional Vendor IDs for third-party implementations")
Volker Rümelin [Mon, 1 Nov 2021 13:49:16 +0000 (14:49 +0100)]
ikev1: Fix prefix length of vendor ID Cisco Unity
Before commit 6c49ddfbca ("ike: Add additional Vendor IDs for
third-party implementations") the prefix length of vendor ID
Cisco Unity was hardcoded to 14. Since we need to know the actual
length of this VID to send it, the length can't be overloaded
with a prefix length. Revert part of commit 6c49ddfbca to
fix this problem.
Fixes: 6c49ddfbca72 ("ike: Add additional Vendor IDs for third-party implementations")
Volker Rümelin [Mon, 1 Nov 2021 13:49:15 +0000 (14:49 +0100)]
ikev1: Fix prefix length of vendor ID MS NT5 ISAKMPOAKLEY
Before commit 6c49ddfbca ("ike: Add additional Vendor IDs for
third-party implementations") the prefix length of vendor ID
MS NT5 ISAKMPOAKLEY was hardcoded to 16. Change the prefix length
accordingly.
Fixes: 6c49ddfbca72 ("ike: Add additional Vendor IDs for third-party implementations")