Tobias Brunner [Fri, 31 Aug 2018 10:27:40 +0000 (12:27 +0200)]
Merge branch 'xfrm-set-mark'
This adds the ability to configure marks the in- and/or outbound SA
should apply to packets after processing on Linux. Configuring such a mark
for outbound SAs requires at least a 4.14 kernel. The ability to set a mask
and configuring a mark/mask for inbound SAs will be added with the upcoming
4.19 kernel.
Martin Willi [Wed, 9 May 2018 11:40:36 +0000 (13:40 +0200)]
child-sa: Use SA matching mark as SA set mark if the latter is %same
For inbound processing, it can be rather useful to apply the mark to the
packet in the SA, so the associated policy with that mark implicitly matches.
When using %unique as match mark, we don't know the mark beforehand, so
we most likely want to set the mark we match against.
Martin Willi [Mon, 14 May 2018 11:42:53 +0000 (13:42 +0200)]
ipsec-types: Restrict the use of %unique and other keywords when parsing marks
%unique (and the upcoming %same key) are usable in specific contexts only.
To restrict the user from using it in other places where it does not get the
expected results, reject such keywords unless explicitly allowed.
Tobias Brunner [Mon, 6 Aug 2018 15:01:20 +0000 (17:01 +0200)]
ikev1: Increase DPD sequence number only after receiving a response
We don't retransmit DPD requests like we do requests for proper exchanges,
so increasing the number with each sent DPD could result in the peer's state
getting out of sync if DPDs are lost. Because according to RFC 3706, DPDs
with an unexpected sequence number SHOULD be rejected (it does mention the
possibility of maintaining a window of acceptable numbers, but we currently
don't implement that). We partially ignore such messages (i.e. we don't
update the expected sequence number and the inbound message stats, so we
might send a DPD when none is required). However, we always send a response,
so a peer won't really notice this (it also ensures a reply for "retransmits"
caused by this change, i.e. multiple DPDs with the same number - hopefully,
other implementations behave similarly when receiving such messages).
Tobias Brunner [Thu, 23 Aug 2018 15:54:29 +0000 (17:54 +0200)]
ikev1: Signal IKE_SA connection failure via bus
This is mainly for HA where a passive SA was already created when the
IKE keys were derived. If e.g. an authentication error occurs later that
SA wouldn't get cleaned up.
Thomas Egerer [Wed, 29 Aug 2018 11:14:59 +0000 (13:14 +0200)]
custom-logger: Add optional reload method
The reload of the configuration of the loggers so far only included
the log levels. In order to support the reload of all other options,
a reload function may be implemented.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
Tobias Brunner [Wed, 29 Aug 2018 09:46:13 +0000 (11:46 +0200)]
Merge branch 'ip-header-fields'
Adds new options that allow configuring how/whether certain fields in
the IP headers are copied during IPsec processing. Currently only allows
configuration on Linux.
Tobias Brunner [Mon, 11 Jun 2018 08:49:16 +0000 (10:49 +0200)]
kernel: Add options to control DF and ECN header bits/fields via XFRM
The options control whether the DF and ECN header bits/fields are copied
from the unencrypted packets to the encrypted packets in tunnel mode (DF only
for IPv4), and for ECN whether the same is done for inbound packets.
Note: This implementation only works with Linux/Netlink/XFRM.
vici: Improve message parsing performance in Perl bindings
During a test with ~12000 established SAs it was noted that vici
related operations hung.
The operations took over 16 minutes to finish. The time was spent in
the vici message parser, which was assigning the message over and over
again, to get rid of the already parsed portions.
First fixed by cutting the consumed parts off without copying the message.
Runtime for ~12000 SAs is now around 20 seconds.
Further optimization brought the runtime down to roughly 1-2 seconds
by using an fd to read through the message variable.
The code to support parallel Netlink queries (commit 3c7193f) made use
of nlmsg_len member from struct nlmsghdr to allocate and copy the
responses. Since NLMSG_NEXT is later used to parse these responses, they
must be aligned, or the results are undefined.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
Tobias Brunner [Mon, 6 Aug 2018 09:54:24 +0000 (11:54 +0200)]
travis: Fix vici Python tests when using Clang
For some reason the clang binary that's installed in an uncommon
directory could not be found anymore when installing packages via pip for
the last couple of builds. While the directory is obviously contained in PATH,
using `sudo -E` didn't help. So we now install the Python packages in the
user's home directory to avoid having to use sudo.
SC Lee [Mon, 9 Jul 2018 09:54:25 +0000 (17:54 +0800)]
charon-nm: Parse any type of private key in need_secrets
Previously, when the user supplied an ECDSA key for public key authentication,
the user was always asked to provide a password, even if the key was not
encrypted.
Related: 954f73ea6e7e ("charon-nm: Parse any type of private key not only RSA")
Closes strongswan/strongswan#108.
android: Move hint from TextInputEditText to TextInputLayout
This avoids a NullPointerException on Android 8 related to the optional
Autofill functionality. The bug has been fixed in Android 8.1 [1] but there
is no fix for Android 8.
This is hopefully a bit more efficient for large log files than the previous
single TextView. The ListView widget also provides an auto-scroll mechanism.
Tobias Brunner [Fri, 29 Jun 2018 14:42:18 +0000 (16:42 +0200)]
android: Simplify error handling in VPN state fragment
Always reset the error state when disconnecting via state service. This
way the error state is also cleared when the connection is terminated
directly via control activity.
Tobias Brunner [Fri, 22 Jun 2018 11:57:51 +0000 (13:57 +0200)]
android: Handle restarts of the control Activity better
For instance, rotating a device will restart it and this previously
could have started the wrong profile or shown the system's VPN
confirmation dialog twice.
Tobias Brunner [Fri, 22 Jun 2018 09:22:23 +0000 (11:22 +0200)]
android: Properly handle pressing home when VPN confirmation dialog is shown
As documented, onActivityResult() is called right before onResume() when
the activity is reactivated. However, if the system's VPN confirmation
dialog is shown and the home button is pressed, the activity is stopped
and not just paused, so its state is saved. And onActivityResult() is
actually also called before onStart(). This means that no fragment
transactions may be committed (i.e. no dialog may be shown) when the
activity is later restarted (e.g. because there is another attempt to
connect the VPN) until onStart() has been called. So if we'd try to show
the error dialog in onActivityResult() after returning to the launcher
it would result in an IllegalStateException.
However, showing the dialog for the previous confirmation dialog is not
ideal anyway, so we just ignore that result.
Tobias Brunner [Thu, 21 Jun 2018 09:17:22 +0000 (11:17 +0200)]
android: Make fetching OCSP/CRL interruptible
This allows cancelling connecting if e.g. the OCSP server is not
reachable. Previously this caused some delay in disconnecting state but
even worse it cause an ANR if the user tried reconnecting during that
time as the main thread would get struck in setNextProfile() (we could
probably find a better solution there too in the future).
Tobias Brunner [Tue, 19 Jun 2018 15:14:17 +0000 (17:14 +0200)]
android: Install a blocking TUN device until the VPN is established
It's reinstalled when reconnecting (or during error recovery) and
eventually uninstalled after disconnecting.
Only on Android 5+, otherwise we'd block our fetcher (and Android 4.4 is
stupid in regards to overlapping TUN devices anyway).
Note that Android 8's blocking feature blocks everything that passes by
the VPN, so this only works when tunneling everything (i.e. neither subnets,
nor apps can be excluded from the VPN if that feature is enabled).
Tobias Brunner [Tue, 19 Jun 2018 15:01:21 +0000 (17:01 +0200)]
android: Exclude our own app from the VPN
Otherwise, a blocking VPN interface would prevent our fetcher from working
as we currently rely on an interface that doesn't allow access to the
underlying socket/FD, which would be required to call VpnService.protect().