We avoid parsing messages with unexpected message IDs. This allows us to
process and detect retransmits of messages for which we don't have the keys
anymore (i.e. IKE_INTERMEDIATE after IKE_SA_INIT and changing the keys).
This also changes how retransmits for fragmented messages are triggered,
previously we waited for all fragments and reconstructed the message
before retransmitting the response. Now we only track the first
fragment and if we receive a retransmit of it respond immediately
without waiting for other fragments (which are now ignored). This is in
compliance with RFC 7383, section 2.6.1.
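Added example (not strongSwan code): a minimal responder that applies the two rules above to fragmented IKEv2 requests. The Fragment layout, the sha256-based matching and the Responder class are assumptions made for the illustration; the rules themselves (unexpected Message IDs are dropped unparsed, a retransmit is recognised by its first fragment alone and answered at once, the other fragments of that retransmit are ignored) come from the commit text. No decryption is involved, which is the point: the retransmit can be answered even after the keys changed.

```python
# Added example, not strongSwan code: retransmit handling for fragmented
# IKEv2 requests without keeping old keys or reassembling the retransmit.
# Fragment format, hash matching and the Responder class are assumptions.
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    """Simplified Encrypted Fragment (RFC 7383): header fields plus opaque,
    still-encrypted content. Decryption is never needed for the logic here."""
    msg_id: int
    frag_num: int   # 1-based fragment number
    total: int      # total number of fragments of this message
    content: bytes  # constructed opaque bytes standing in for ciphertext

    def wire(self) -> bytes:
        return b"%d/%d/%d:" % (self.msg_id, self.frag_num, self.total) + self.content


class Responder:
    def __init__(self) -> None:
        self.expected_id = 0          # Message ID of the next request
        self.pending = {}             # frag_num -> Fragment of the current request
        self.last_first_hash = None   # sha256 over first fragment of last request
        self.last_response = None     # response we sent for that request
        self.key_generation = 0       # bumped on every processed request

    def receive(self, frag: Fragment):
        """Return (action, response) for one incoming fragment."""
        if frag.msg_id == self.expected_id - 1:
            # Retransmit of the request we just answered. Keys may have
            # changed since, so match on the first fragment's hash only.
            digest = hashlib.sha256(frag.wire()).digest()
            if frag.frag_num == 1 and digest == self.last_first_hash:
                return "retransmit", self.last_response
            return "ignored", None
        if frag.msg_id != self.expected_id:
            return "dropped", None    # unexpected Message ID: not parsed
        self.pending[frag.frag_num] = frag
        if len(self.pending) < frag.total:
            return "buffered", None
        body = b"".join(self.pending[i].content for i in range(1, frag.total + 1))
        response = self._process(frag.msg_id, body)
        self.last_first_hash = hashlib.sha256(self.pending[1].wire()).digest()
        self.last_response = response
        self.pending = {}
        self.expected_id += 1
        return "responded", response

    def _process(self, msg_id: int, body: bytes) -> bytes:
        # Stand-in for IKE_INTERMEDIATE handling: derive new keys (here only a
        # counter) and build a response that depends on the whole request.
        self.key_generation += 1
        tag = hashlib.sha256(body).hexdigest()[:16]
        return b"resp/%d/" % msg_id + tag.encode()


def run_scenario():
    """Constructed exchange: a two-fragment request, its retransmit, a stray
    Message ID and the next request. Returns the list of actions taken."""
    r = Responder()
    f1, f2 = Fragment(0, 1, 2, b"part-one"), Fragment(0, 2, 2, b"part-two")
    actions = [r.receive(f1)[0], r.receive(f2)[0]]
    actions.append(r.receive(f1)[0])                       # retransmit: answer now
    actions.append(r.receive(f2)[0])                       # rest of retransmit ignored
    actions.append(r.receive(Fragment(7, 1, 1, b"x"))[0])  # unexpected ID: dropped
    actions.append(r.receive(Fragment(1, 1, 1, b"next"))[0])
    actions.append(r.receive(f1)[0])                       # too old now: dropped
    return actions
```

run_scenario() walks through the cases in order: the second fragment completes the request, the retransmitted first fragment is answered from the stored response without touching the second one, a fragment with Message ID 7 is dropped before any parsing, and once request 1 has been answered the old request 0 is no longer tracked at all.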
Tobias Brunner [Mon, 25 Jun 2018 15:19:39 +0000 (17:19 +0200)]
wip: ike-init: Prototypical (optional) IKE_INTERMEDIATE exchange for QSKE mechanisms
The QSKE payloads are, by default, exchanged in a separate IKE_INTERMEDIATE
exchange after IKE_SA_INIT to leverage IKEv2 fragmentation. It would be
possible to do that directly in IKE_SA_INIT (DH is currently not optional,
though).
Rekeying is always done with a single CREATE_CHILD_SA exchange (again,
DH is currently not optional).
The key material is derived by concatenating the DH and QSKE secrets.
wip: DH could theoretically be made optional if QSKE is used (only during
rekeying, or when not using IKE_INTERMEDIATE also during IKE_SA_INIT)
wip: HA and the ike_keys() hook on listener_t currently handle only
classic key derivation.
wip: Retransmits of IKE_INTERMEDIATE requests will fail after changing
the keys. We either have to keep the old keys around, or use hashes to
detect retransmits (tricky with fragments, unless we retransmit the message
even if we receive the retransmit of just one fragment).
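Added example (not strongSwan code) for the key derivation mentioned above, where the shared secret fed into SKEYSEED is the concatenation of the DH and QSKE secrets. SKEYSEED and prf+ follow RFC 7296, sections 2.13 and 2.14; the concatenation order (DH first, QSKE second), HMAC-SHA256 as the prf and 32-byte keys are assumptions, and the example requires a DH secret, as the commit states DH is not optional.

```python
# Added example, not strongSwan code: hybrid IKE key derivation with the
# shared secret being DH || QSKE. SKEYSEED and prf+ are from RFC 7296;
# the concatenation order, HMAC-SHA256 and the key length are assumptions.
import hashlib
import hmac

KEY_NAMES = ("SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr")


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ from RFC 7296 2.13: T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        if n > 255:
            raise ValueError("prf+ cannot produce that much key material")
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]


def derive_ike_keys(dh_secret, qske_secret, ni, nr, spi_i, spi_r, key_len=32):
    """Derive the seven IKE SA keys (RFC 7296 2.14). With qske_secret == b""
    this reduces to the classic derivation SKEYSEED = prf(Ni | Nr, g^ir)."""
    if not dh_secret:
        raise ValueError("DH secret is required; QSKE only complements it")
    shared = dh_secret + qske_secret            # assumption: DH || QSKE
    skeyseed = prf(ni + nr, shared)
    material = prf_plus(skeyseed, ni + nr + spi_i + spi_r, key_len * len(KEY_NAMES))
    return {name: material[i * key_len:(i + 1) * key_len]
            for i, name in enumerate(KEY_NAMES)}
```

Because the QSKE secret only enters through the prf, an attacker who recovers the DH secret alone still cannot reproduce SKEYSEED; conversely, passing an empty QSKE secret yields exactly the classic RFC 7296 keys, which is what the HA and ike_keys() hook code mentioned above still expects.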
Tobias Brunner [Tue, 26 Jun 2018 08:13:05 +0000 (10:13 +0200)]
unit-tests: Use simple default IKE proposal to avoid issues with IKE_INTERMEDIATE
The exchange tests don't expect an IKE_INTERMEDIATE exchange so we don't want
any QSKE methods getting negotiated (in case they are proposed in the default
proposal).
Andreas Steffen [Fri, 6 Jul 2018 06:06:16 +0000 (08:06 +0200)]
scripts: nist-kam-kat generates KEM KAT test data
The script converts the Known-Answers-Test data (KAT) for the NIST
post-quantum round 1 submission Key Encapsulation Mechanism (KEM)
candidates into a C struct amenable for our unit-tests.
Tobias Brunner [Tue, 15 Oct 2019 15:26:16 +0000 (17:26 +0200)]
Merge branch 'android-updates'
Makes the local identity configurable and includes a fix for Android 10,
plus a break-before-make reauth issue (not Android specific) and some
deprecation workarounds.
Tobias Brunner [Tue, 8 Oct 2019 13:34:00 +0000 (15:34 +0200)]
android: New release after making local identity configurable
This also includes a fix for Android 10 and some older fixes for
API level 28 compatibility and a crash on Huawei devices. The API
used to detect network changes is also replaced on newer Android
versions and an issue with DELETES received during break-before-make
reauthentication is also fixed.
Tobias Brunner [Mon, 14 Oct 2019 15:24:15 +0000 (17:24 +0200)]
ike-delete: Continue break-before-make reauth if server concurrently deletes SA
There seem to be servers around that, upon receiving a delete from the
client, instead of responding with an empty INFORMATIONAL, send a delete
themselves.
Tobias Brunner [Mon, 14 Oct 2019 13:03:10 +0000 (15:03 +0200)]
android: Replace deprecated CONNECTIVITY_ACTION on newer Android versions
It was deprecated in API level 28, registerNetworkCallback is available
since API level 21, but ConnectivityManager got some updates with 24
(e.g. default network handling) so we start using it then.
Tobias Brunner [Tue, 8 Oct 2019 13:51:18 +0000 (15:51 +0200)]
android: Don't use specific key types to select user certificates
Android 10 will honor the preselection and could, thus, hide some
installed certificates if we only pass "RSA". The dialog will also only
be shown if there are actually certificates installed (i.e. users will
have to do that manually outside of the app or via profile import).
Tobias Brunner [Tue, 8 Oct 2019 13:02:30 +0000 (15:02 +0200)]
android: Allow configuration of client identity for all authentication types
This replaces the drop-down box to select certificate identities with a
text field (in the advanced settings) with auto-completion for SANs
contained in the certificate.
The field is always shown and allows using an IKE identity different from
the username for EAP authentication (e.g. to configure a more complete
identity to select a specific config on the server).
kernel-pfkey: Pass ESN flag to kernel if ESN is enabled
This patch adds passing the ESN flag to the kernel if ESN was negotiated
and the appropriate flag is present in the kernel headers, which will
be the case in future FreeBSD releases.
Felix Kaiser [Fri, 4 Oct 2019 06:18:30 +0000 (23:18 -0700)]
vici: Use unique names for CHILD_SAs in the child-updown event too
The unique names were introduced for the list-sas command in commit 04c0219e55d9338b6492548c073189bfd3d5431b. However, the child-updown
event wasn't updated to match, even though the documentation suggests
that the section names of the CHILD_SAs are the same in both messages.
The original name is already being returned in the "name" attribute,
so it'll still be available.
# A child-updown event before the change:
>>> for x in s.listen(["child-updown"]): print(json.dumps(x, sort_keys=True, indent=4, separators=(',', ': ')))
[
"child-updown",
{
"vti0": {
"child-sas": {
"vti0": { # <-- wrong: inconsistent with list-sas
...
# A child-updown event after the change:
>>> s = vici.Session()
>>> for x in s.listen(["child-updown"]): print(json.dumps(x, sort_keys=True, indent=4, separators=(',', ': ')))
[
"child-updown",
{
"vti0": {
"child-sas": {
"vti0-1": { # <-- fixed
openssl: Don't manually seed DRBG with OpenSSL 1.1.1
According to the documentation, it's generally not necessary to manually
seed OpenSSL's DRBG (and it actually can cause the daemon to lock up
during start up on systems with low entropy if OpenSSL is already trying
to seed it itself and holds the lock). While that might already have been
the case with earlier versions, it's not explicitly stated in their
documentation. So we keep the code for these versions.
Tobias Brunner [Wed, 28 Aug 2019 07:53:19 +0000 (09:53 +0200)]
libipsec: Fix compiler warning with GCC 9
The compiler complains that "taking address of packed member ... of
class or structure 'ip6_hdr' may result in an unaligned pointer value".
We don't care if the address is aligned as we explicitly use untoh16()
to convert the read value.