unit-tests: Don't link files from libimcv into the test executable
This causes odr-violation errors with libasan as some symbols will be
defined twice, once in the linked libimcv and once in the test
executable itself.
Thomas Egerer [Fri, 2 Sep 2022 11:54:05 +0000 (11:54 +0000)]
unit-tests: Use allocated listener instead of stack object in exchange tests
When using the statement expression and a stack object along with
clang-11 and libasan, we get quite a lot of errors about reading
invalid memory. This is due to clang making the actual listener_t local
to the block, such that the access outside of the macros using
_assert_payload is (correctly) considered an error.
By using a heap allocated object, we can destroy it once the listener
returns FALSE (cleaning up properly), and since bus_t does not touch the
listener after that, we don't get any errors from libasan.
Martin Willi [Wed, 8 Apr 2015 08:18:31 +0000 (10:18 +0200)]
unit-tests: Disable AddressSanitizer for threading cleanup function
As the cleanup function reads from the correct address on the parent frame,
it is currently unclear why AddressSanitizer complains about that pointer
dereference.
Some third party IKEv2 products expect an RSA-PSS ASN.1
algorithmIdentifier with an explicit trailerField value (CONTEXT3)
instead of the DEFAULT value if the trailerField is missing.
The setting charon.rsa_pss_trailerfield = yes enables the explicit
encoding.
unit-tests: Let the TLS server thread close its own socket
Closing the socket from the main thread, while the server thread is
still in accept() (or is just about to enter it), seems to
occasionally cause a deadlock on macOS.
testing: Add missing css dir to distribution tarballs
Add the css dir to the EXTRA_DIST variable in the Makefile for the test
environment. This dir was missing when generating distribution tarballs.
Adding it enables successful builds of the test environment from the
dist tarballs.
Fixes: 63f35993d9fb ("testing: Use sans-serif font for test results")
Closes strongswan/strongswan#1266
Seems to be required on macOS (libtls tests didn't run before the recent
implicit enabling via pki). Other platforms apparently let accept() fail
if the socket is shutdown/closed in teardown_creds(), macOS apparently
doesn't do that.
Andreas Steffen [Mon, 29 Aug 2022 08:34:58 +0000 (10:34 +0200)]
pki: pki --req can use old certreq as template
When an X.509 certificate has to be renewed it is helpful to use
the old PKCS#10 certificate request as a template, so that the
distinguishedName (DN), the subjectAlternativeName (SAN) and
a certificate profile name don't have to be typed-in again.
The old public key in the existing certreq is replaced with the
new key and the signature is re-generated using the new private key.
Andreas Steffen [Mon, 22 Aug 2022 12:33:00 +0000 (14:33 +0200)]
libtls: unit tests with crypto libs need additional plugins
In order for libtls to run with the gcrypt libraryi, additionally the
random, pem, gcm, hmac, kdf, x509, constraints, and the curve2519
plugins are needed.
The botan library additionally need the hmac (for HMAC_MD5), x509 and
constraints plugins.
The wolfssl library additionally need the pkcs1, pkcs8, x509 and constraints
plugins.
Andreas Steffen [Fri, 19 Aug 2022 15:18:52 +0000 (17:18 +0200)]
libtls: unit tests run with default plugins
The gcm plugin has been added to the default plugins and all
certificate types are loaded to allow the libtls socket unit
tests to run with the strongSwan default plugins.
Andreas Steffen [Fri, 19 Aug 2022 15:09:02 +0000 (17:09 +0200)]
libtls: Send empty cert payload upon cert request
Currently when a TLS client doesn't have a certificate, it doesn't
send a certficiate payload upon receiving a certificate request
from the TLS server. According to the TLS 1.2 and 1.3 RFCs an
empty certificate payload must be sent.
Andreas Steffen [Wed, 10 Aug 2022 22:21:28 +0000 (00:21 +0200)]
pkcs10: Support of Microsoft CertTypeExtension
The msCertificateTypeExtension OID (1.3.6.1.4.1.311.20.2) can
be used in a PKCS#10 certificate request to define a certificate
profile. It consists of an UTF8 string.
Andreas Steffen [Tue, 9 Aug 2022 08:15:36 +0000 (10:15 +0200)]
scepclient: Removal and replacement by pki subcommands
The "ipsec scepclient" tool has been removed and replaced by the
pki subcommands "pki --scep" and "pki --scepca" which implement the
new SCEP RFC 8894 standard that was released in September 2020 and
which supports trusted "certificate renewal" based on the existing
client certificate.
wolfssl: Rename `encrypt` methods to avoid conflicts with system headers
Rename `encrypt` methods to avoid the following build failure when wolfSSL
is built with --enable-opensslextra:
In file included from ../../../../src/libstrongswan/utils/utils.h:59,
from ../../../../src/libstrongswan/library.h:101,
from wolfssl_common.h:29,
from wolfssl_aead.c:23:
wolfssl_aead.c:90:16: error: conflicting types for 'encrypt'; have '_Bool(union <anonymous>, chunk_t, chunk_t, chunk_t, chunk_t *)'
90 | METHOD(aead_t, encrypt, bool,
| ^~~~~~~
../../../../src/libstrongswan/utils/utils/object.h:99:20: note: in definition of macro 'METHOD'
99 | static ret name(union {iface *_public; this;} \
| ^~~~
In file included from /home/autobuild/autobuild/instance-5/output-1/host/powerpc64le-buildroot-linux-musl/sysroot/usr/include/wolfssl/wolfcrypt/wc_port.h:573,
from /home/autobuild/autobuild/instance-5/output-1/host/powerpc64le-buildroot-linux-musl/sysroot/usr/include/wolfssl/wolfcrypt/types.h:35,
from /home/autobuild/autobuild/instance-5/output-1/host/powerpc64le-buildroot-linux-musl/sysroot/usr/include/wolfssl/wolfcrypt/logging.h:33,
from /home/autobuild/autobuild/instance-5/output-1/host/powerpc64le-buildroot-linux-musl/sysroot/usr/include/wolfssl/ssl.h:35,
from wolfssl_common.h:64,
from wolfssl_aead.c:23:
/home/autobuild/autobuild/instance-5/output-1/host/powerpc64le-buildroot-linux-musl/sysroot/usr/include/unistd.h:149:6: note: previous declaration of 'encrypt' with type 'void(char *, int)'
149 | void encrypt(char *, int);
| ^~~~~~~
Tobias Brunner [Mon, 15 Aug 2022 12:34:34 +0000 (14:34 +0200)]
eap-mschapv2: Fix compile warning/error when compiled with -Warray-bounds
Since the allocated data was smaller than sizeof(eap_mschapv2_header_t),
the following compile error was triggered (with newer GCC versions):
eap_mschapv2.c: In function 'process_peer_success':
eap_mschapv2.c:945:12: error: array subscript 'eap_mschapv2_header_t[0]' is partly outside array bounds of 'unsigned char[6]' [-Werror=array-bounds]
945 | eap->code = EAP_RESPONSE;
| ^~
In file included from /usr/include/stdlib.h:587,
from ../../../../src/libstrongswan/utils/printf_hook/printf_hook.h:26,
from ../../../../src/libstrongswan/library.h:101,
from ../../../../src/libcharon/sa/eap/eap_method.h:28,
from eap_mschapv2.h:27,
from eap_mschapv2.c:18:
eap_mschapv2.c:944:15: note: object of size 6 allocated by '__builtin_alloca'
944 | eap = alloca(len);
| ^~~~~~
The previous code did not ensure that there was a delay of at least
`try` seconds after each sent request. Instead, whenever the condvar was
signaled, which could be due to retransmitted responses or messages for
unrelated transactions (there could even be spurious wakeups), the counter
was increased and a retransmit sent. So instead of actually waiting for
15 seconds for a response (and sending 4 retransmits over that timespan),
it could happen that all five messages were sent within a second without
enough time to actually receive a response.
Using an absolute timeout that we reuse as long as there was no timeout
and the condvar was signaled for something unrelated, should ensure we
wait at least the intended delay after each sent message.
Tobias Brunner [Fri, 17 Jun 2022 10:10:19 +0000 (12:10 +0200)]
connmark: Consider configured mask in installed firewall rules
This allows using the upper parts of the marks for other purposes. For
instance, with `mark_in=mark_out=%unique/0x0000ffff` mark values in the
upper two bytes would not get reset by the rules installed by this plugin.
However, note that in this example the daemon would have to get restarted
after 65'535 CHILD_SAs to reset the counter for unique marks, which is a
global 32-bit counter that's unaware of any masks.
child-cfg: Skip non-matching TS instead of replacing them for transport mode
get_traffic_selectors() is called the same way also as responder when
selecting child configs via peer_cfg_t::select_child_cfg(). Replacing
TS for all child configs could lead to selecting one that later fails
to actually narrow the traffic selectors. Ignoring non-matching TS also
helps if we have a trap config with multiple remote subnets (otherwise,
we'd have to filter duplicates afterwards).
When installing traps, the hosts might be %any, in which case we allow
the configured (technically non-matching) TS for the wildcard use case.
Fixes: da82786b2d8c ("child-cfg: Always apply hosts to traffic selectors if proposing transport mode")
Closes strongswan/strongswan#1143
configure: Add option to build with extended compiler warnings and -Werror
Setting -Werror in CFLAGS passed to configure is not ideal as that affects
all the checks performed by the script.
This caused an issue with newer versions of Autoconf and the AC_PROG_LEX
macro that insisted on finding a lexer library. But due to warnings from
the generated test lexer (misleading indentation) that got turned into
errors no library was found (none would have been necessary), so LEX was
not set and no lexers were built.
With this option enabled, we add -Werror to CFLAGS after all tests ran.
It also enables additional warnings via -Wextra.
The option is auto-enabled when building from the repository.
Making the variable volatile avoids a "variable ‘failure’ might be
clobbered by ‘longjmp’" warning (or error when compiling with
-Werror) that's triggered via -Wextra.
The 5.4.0 update changed the default bignum implementation to what
could explicitly be enabled via `--enable-sp-math-all`. Since this uses
fixed-sized buffers sufficient for key sizes of SP_INT_BITS, with a default
of 4096, modp6144 and modp8192 didn't work anymore (wc_DhGenerateKeyPair()
returned MP_EXPTMOD_E). So we have to adapt the feature checks for this.
To support the larger DH groups we can either increase the buffer size
via `--with-max-rsa-bits` or add `--enable-heapmath` so buffers get
(re-)allocated as needed. We go with the latter for now.
Andreas Steffen [Tue, 12 Jul 2022 08:20:30 +0000 (10:20 +0200)]
doc: Removed the standards directory
This collection of Internet standards and drafts hadn't been
updated for a long time and the documents are readily available
on the Internet anyway. The strongSwan documentation page
Tobias Brunner [Wed, 29 Jun 2022 08:29:16 +0000 (10:29 +0200)]
Merge branch 'multi-ke-backport'
This merge includes changes that were created for the upcoming IKEv2
extension for multiple key exchanges over the last four years, but which
are not directly related to the actual protocol changes.
Changes include renaming diffie_hellman_t to the more generic
key_exchange_t (also renamed are some of the interface's methods),
making utility functions that deal with DH groups more generic, and let
tasks handle the first IKE_AUTH message more reliably by not depending
on e.g. specific message IDs.
One significant change is delaying the IKEv2 key derivation until
the keys are actually needed to process or send the next message. So
instead of deriving the keys directly while processing an IKE_SA_INIT
request (which could come from a spoofed address), this is delayed until
the corresponding IKE_AUTH request is received. Implementations of the
key_exchange_t interface are now expected to do the key derivation and
any costly public key validation in get_shared_secret() and not
set_public_key().
Sent IKE_SA_INIT messages are now also not pre-generated anymore to collect
their encoding for the authentication. Instead, a new post_build() hook
allows the ike-auth task to do so after the actual message has been built,
which allows later tasks and plugins (via message() hook) to modify the
message (e.g. add notifies) after the ike-auth task's build() method
already ran.
Also changed is how inbound requests are processed and retransmits are
detected. Instead of parsing all inbound messages right away (which
might trigger a key derivation or require keys we don't have anymore in
the multi-KE use case), we now first check a request's message ID and
compare its hash to that of the previous request to decide if it's a
valid retransmit. For fragmented messages, we only keep track of the
first fragment so we can send the corresponding response immediately if
a retransmit of it is received, instead of waiting for all fragments
and reconstructing the message, which we did before.
ike-auth: Move packet collection to post_build() method
This way we avoid having to pre-generate the message when it could
theoretically still get modified by a task that follows or from a plugin
via message() hook.
ikev2: Delay IKE key derivation until next message
In particular as responder, this delays costly cryptographic operations
until the IKE_AUTH request is received, which is preferable to reduce
the impact of DoS attacks.
Another advantage is that the key material is not changed until all tasks
built or processed a message.