vici: Refactor how commands are called in the Ruby bindings
Also expose a method to call arbitrary commands, which allows calling not
yet wrapped commands. Exceptions are raised for all commands if the response
includes a negative "success" key (similar to how it's done in the Python
bindings).
Tobias Brunner [Fri, 29 Mar 2019 09:24:07 +0000 (10:24 +0100)]
testing: Use renamed systemd unit
While the alias is available after enabling the unit, we don't
actually do that in our testing environment (adding a symlink manually
would work too, then again, why not just use the proper name?).
Tobias Brunner [Fri, 29 Mar 2019 09:00:42 +0000 (10:00 +0100)]
init: Rename systemd units
Use strongswan-starter for the legacy unit and simply strongswan for the
modern one (strongswan-swanctl is configured as alias, which should
cause the installation of symlinks when the service is enabled via
systemctl).
Check for wolfssl/options.h because if it isn't included, checking other
headers will trigger a warning about hardening the wolfSSL build, which
will cause the check to fail with -Werror.
If the file doesn't exist because user_settings.h is used, the check may
be skipped by configuring with `ac_cv_header_wolfssl_options_h=yes`.
wolfssl: Fixes, code style changes and some refactorings
The main fixes are
* the generation of fingerprints for RSA, ECDSA, and EdDSA
* the encoding of ECDSA private keys
* calculating p and q for RSA private keys
* deriving the public key for raw Ed25519 private keys
Also, instead of numeric literals for buffer lengths ASN.1 related
constants are used.
Instead of assuming passwords are simply ASCII-encoded we now assume they are
provided UTF-8-encoded, which is quite likely nowadays. The UTF-8 byte
sequences are not validated, however, only valid code points are encoded
as UTF-16LE.
child-create: Make sure the mode selected by the responder is acceptable
Previously, the initiator would install the SA in transport mode if the
peer sent back the USE_TRANSPORT_MODE notify, even if that was not
requested originally.
message: Enforce encryption except for INFORMATIONALs
The only messages that are generally sent encrypted but could be sent
unencrypted are INFORMATIONALs (currently only used for IKEv1 and ME
connectivity checks). This should prevent issues if the keymat_t behaves
incorrectly and does not return an aead_t when it actually should.
ike-sa-manager: Extract IKE SPI labeling feature from charon-tkm
Might be useful for users of other daemons too. Note that compared to the
previous implementation in charon-tkm, the mask/label are applied in
network order.
Tobias Brunner [Fri, 29 Mar 2019 10:05:42 +0000 (11:05 +0100)]
ike-config: If we don't send a CFG_REQUEST, we don't expect a CFG_REPLY
Previously, attributes in an incorrectly sent CFG_REPLY would still be passed
to attribute handlers. This does not prevent handlers from receiving
unrequested attributes if they requested at least one other.
This adds support for XFRM interfaces, which replace VTI devices and are
available with 4.19+ Linux kernels.
IPsec SAs and policies are associated with such interfaces via interface
IDs that can be configured on the CHILD_SA-level (dynamic IDs may
optionally be allocated for each instance and even direction) or on the
IKE_SA-level (again, dynamic IDs may be optionally allocated per IKE_SA).
IDs on an IKE_SA are inherited by all CHILD_SAs created under it, unless
the child configuration overrides them.
The effect the interface ID has on policies is similar to that of marks,
i.e. they won't match packets unless they are routed via interface with
matching interface ID. So it's possible to negotiate e.g. 0.0.0.0/0 as
traffic selector on both sides and then control the affected traffic via
routes/firewall.
It's possible to use separate interfaces for in- and outbound traffic (or
only use an interface in one direction and regular policies in the other).
Since iproute2 does not yet support XFRM interfaces, a small utility is
provided that allows creating and listing XFRM interfaces.
Interfaces may be created dynamically via updown/vici scripts or
statically (before or after establishing the SAs). Routes must be added
manually as needed (the daemon will not install any routes for outbound
policies with an interface ID).
When moving XFRM interfaces to other network namespaces they retain access
to the SAs and policies created in the original namespace, which allows
providing IPsec tunnels for processes in other network namespaces without
giving them access to the IPsec keys or IKE credentials.
Tobias Brunner [Fri, 1 Feb 2019 08:28:10 +0000 (09:28 +0100)]
kernel-netlink: Add utility to create XFRM interfaces
This is mainly to see what's necessary to create them (in case we
integrate this into the daemon) and to experiment in our testing
environment without having to add a patched version of iproute2 (the
4.20.0 version in stretch-backports doesn't support XFRM interfaces
yet). The regular version of iproute2 can be used for other operations
with these interfaces (delete, up, addrs etc.).
Andreas Steffen [Fri, 29 Mar 2019 14:33:24 +0000 (15:33 +0100)]
Corrected use of PB-TNC CRETRY and SRETRY batches
The PB-TNC finite state machine according to section 3.2 of RFC 5793
was not correctly implemented when sending either a CRETRY or SRETRY
batch. These batches can only be sent in the "Decided" state and a
CRETRY batch can immediately carry all messages usually transported
by a CDATA batch. strongSwan currently is not able to send a SRETRY
batch since full-duplex mode for PT-TLS isn't supported yet.
Tobias Brunner [Mon, 18 Mar 2019 12:58:52 +0000 (13:58 +0100)]
generator: Don't print any tainted values in DBG3 messages for U_INT_4
The bits not written to are marked tainted by valgrind, don't print
them in the debug messages. Also use more specific printf-specifiers
for other values.
Sheena Mira-ato [Wed, 20 Mar 2019 23:30:56 +0000 (12:30 +1300)]
trap-manager: Wait for install to finish before uninstalling
There was a race condition between install() and uninstall()
where one thread was in the process of installing a trap
entry, and had destroyed the child_sa, while the other
thread was uninstalling the same trap entry and ended up
trying to destroy the already destroyed child_sa, resulting
in a segmentation fault in the destroy_entry() function.
The uninstall() function needs to wait until all the threads
are done with the installing before proceeding to uninstall
a trap entry.
Tobias Brunner [Tue, 5 Feb 2019 16:21:21 +0000 (17:21 +0100)]
forecast: Only reinject packets that are marked or from the configured interface
This seems to avoid broadcast loops (i.e. processing and reinjecting the
same broadcast packet over and over again) as the packets we send via
AF_PACKET socket are neither marked nor from that interface.
kernel-netlink: Use address labels instead of deprecation for IPv6 virtual IPs
In order to avoid that the kernel uses virtual tunnel IPs for traffic
over physical interfaces we previously deprecated the virtual IP. While
this is working it is not ideal. This patch adds address labels for
virtual IPs, which should force the kernel to avoid such addresses to
reach any destination unless there is an explicit route that uses it as
source address.