Andreas Steffen [Fri, 29 Mar 2019 14:33:24 +0000 (15:33 +0100)]
Corrected use of PB-TNC CRETRY and SRETRY batches
The PB-TNC finite state machine according to section 3.2 of RFC 5793
was not correctly implemented when sending either a CRETRY or SRETRY
batch. These batches can only be sent in the "Decided" state and a
CRETRY batch can immediately carry all messages usually transported
by a CDATA batch. strongSwan currently is not able to send a SRETRY
batch since full-duplex mode for PT-TLS isn't supported yet.
Tobias Brunner [Mon, 18 Mar 2019 12:58:52 +0000 (13:58 +0100)]
generator: Don't print any tainted values in DBG3 messages for U_INT_4
The bits not written to are marked tainted by valgrind, don't print
them in the debug messages. Also use more specific printf-specifiers
for other values.
Sheena Mira-ato [Wed, 20 Mar 2019 23:30:56 +0000 (12:30 +1300)]
trap-manager: Wait for install to finish before uninstalling
There was a race condition between install() and uninstall()
where one thread was in the process of installing a trap
entry, and had destroyed the child_sa, while the other
thread was uninstalling the same trap entry and ended up
trying to destroy the already destroyed child_sa, resulting
in a segmentation fault in the destroy_entry() function.
The uninstall() function needs to wait until all the threads
are done with the installing before proceeding to uninstall
a trap entry.
Tobias Brunner [Tue, 5 Feb 2019 16:21:21 +0000 (17:21 +0100)]
forecast: Only reinject packets that are marked or from the configured interface
This seems to avoid broadcast loops (i.e. processing and reinjecting the
same broadcast packet over and over again) as the packets we send via
AF_PACKET socket are neither marked nor from that interface.
kernel-netlink: Use address labels instead of deprecation for IPv6 virtual IPs
In order to avoid that the kernel uses virtual tunnel IPs for traffic
over physical interfaces we previously deprecated the virtual IP. While
this is working it is not ideal. This patch adds address labels for
virtual IPs, which should force the kernel to avoid such addresses to
reach any destination unless there is an explicit route that uses it as
source address.
Tobias Brunner [Wed, 6 Mar 2019 17:39:28 +0000 (18:39 +0100)]
vici: Correctly parse inactivity timeout as uint32_t
Using parse_time() directly actually overwrites the next member in the
child_cfg_create_t struct, which is start_action, which can cause
incorrect configs if inactivity is parsed after start_action.
Tobias Brunner [Tue, 5 Mar 2019 15:40:20 +0000 (16:40 +0100)]
android: Add menu option to copy a profile
Some users requests something like that to use different server IPs.
Interestingly, it's actually also possible to configure multiple
hostnames/IPs, separated by commas, as server address in the profile, which
are then tried one after another.
It's also useful when testing stuff to quickly compare the behavior with
some setting changed between two otherwise identical profiles.
Carl Smith [Mon, 4 Mar 2019 01:43:00 +0000 (14:43 +1300)]
child-sa: Remove temporary DROP policy using same parameters as when added
A temporary DROP policy is added to avoid traffic leak
while the SA is being updated. It is added with
manual_prio set but when the temporary policy is removed
it is removed with manual_prio parameter set to 0.
The call to del_policies_outbound does not match the original
policy and we end up with an ever increasing refcount.
If we try to manually remove the policy, it is not removed
due to the positive refcount. Then new SA requests fail with
"unable to install policy out for reqid 1618,
the same policy for reqid 1528 exists"
Fixes: 35ef1b032d24 ("child-sa: Install drop policies while updating IPsec SAs and policies")
Closes strongswan/strongswan#129.
Tobias Brunner [Fri, 1 Feb 2019 08:48:43 +0000 (09:48 +0100)]
agent: Don't keep socket to ssh/gpg-agent open
Instead, create a socket when necessary. Apparently, it can prevent
the agent from getting terminated (e.g. during system shutdown) if e.g.
charon-nm is still running with an open connection to the agent.
Shmulik Ladkani [Tue, 19 Feb 2019 11:31:11 +0000 (13:31 +0200)]
vici: Fix wrong argument order for terminate_ike() in clear_start_action()
In 7b7290977 ("controller: Add option to force destruction of an IKE_SA")
the 'force' option was added as 3rd parameter to controller_t::terminate_ike.
However in vici's 'clear_start_action', the argument was incorrectly
placed as the 2nd parameter - constantly sending 0 (FALSE) as the
'unique_id' to terminate, rendering calls to 'handle_start_actions'
having undo=TRUE being unable to terminate the relevant conn.
For example, this is log of such a bogus 'unload-conn':
strongswan[498]: 13[CFG] vici client 96 requests: unload-conn
strongswan[498]: 13[CFG] closing IKE_SA #9
strongswan[498]: 13[IKE] unable to terminate IKE_SA: ID 0 not found
strongswan[498]: 09[CFG] vici client 96 disconnected
here, the unloaded conn's IKE id was 9, alas 'terminate_ike_execute'
reports failure to terminate "ID 0".
Fix by passing 'id, FALSE' arguments in the correct order.
Fixes: 7b7290977 ("controller: Add option to force destruction of an IKE_SA") Signed-off-by: Shmulik Ladkani <shmulik@metanetworks.com>
Closes strongswan/strongswan#127.
krinfels [Sun, 20 Jan 2019 13:39:08 +0000 (14:39 +0100)]
libtpmtss: Read RSA public key exponent instead of assuming its value
Up to now it was assumed that the RSA public key exponent is equal to 2^16+1.
Although this is probably true in most if not all cases, it is not correct
according to the TPM 2.0 specification.
This patch fixes that by reading the exponent from the structure returned
by TPM2_ReadPublic.
Tobias Brunner [Tue, 18 Dec 2018 09:34:17 +0000 (10:34 +0100)]
Merge branch 'radius-accounting-unclaimed'
Adds all IPs to RADIUS Accounting-Stop messages even those not claimed by
a client. For instance, if the connection fails with FAILED_CP_REQUIRED,
adding the unclaimed addresses allows the RADIUS server to release the
leases early.
Tobias Brunner [Wed, 12 Dec 2018 10:30:09 +0000 (11:30 +0100)]
swanctl: Make credential directories relative to swanctl.conf
All directories are now considered relative to the loaded swanctl.conf
file, in particular, when loading it from a custom location via --file
argument. The base directory, which is used if no custom location for
swanctl.conf is specified, is now also configurable at runtime via
SWANCTL_DIR environment variable.
Tobias Brunner [Tue, 11 Dec 2018 13:53:23 +0000 (14:53 +0100)]
openssl: Make sure to release the functional ENGINE reference
The functional reference created by ENGINE_init() was never released,
only the structural one created by ENGINE_by_id(). The functional
reference includes an implicit structural reference, which is also
released by ENGINE_finish().
Tobias Brunner [Tue, 20 Nov 2018 11:50:05 +0000 (12:50 +0100)]
ha: Improve distribution of pool addresses over segments
This is particularly important for higher number of segments, but even
with small numbers there is a significant difference. For instance,
with 4 segments the fourth segment had no IPs assigned with the old
code, no matter how large the pool, because none of the eight bits used
for the segment check hashed/mapped to it.
Tobias Brunner [Mon, 22 Oct 2018 08:12:25 +0000 (10:12 +0200)]
kernel-pfkey: Read reqid directly from acquire if possible
Upcoming versions of FreeBSD will include an SADB_X_EXT_SA2 extension in
acquires that contains the reqid set on the matching policy. This allows
handling acquires even when no policies are installed (e.g. to work with
FreeBSD's implementation of VTI interfaces, which manage policies
themselves).
Tobias Brunner [Fri, 16 Nov 2018 10:44:17 +0000 (11:44 +0100)]
unit-tests: Add test suite for Ed448
Same issue with signature malleability as with Ed25519 and apparently
OpenSSL doesn't even explicitly verify that the most significant 10 bits
are all zero.
As per RFC 8032, section 5.1.7 (and section 8.4) we have to make sure s, which
is the scalar in the second half of the signature value, is smaller than L.
Without that check, L can be added to most signatures at least once to create
another valid signature for the same public key and message.
This could be problematic if, for instance, a blacklist is based on hashes
of certificates. A new certificate could be created with a different
signature (without knowing the signature key) by simply adding L to s.
Currently, both OpenSSL 1.1.1 and Botan 2.8.0 are vulnerable to this, which is
why the unit test currently only warns about it.
Tobias Brunner [Fri, 16 Nov 2018 10:11:27 +0000 (11:11 +0100)]
openssl: Use separate DRBG for RNG_STRONG and RNG_TRUE with OpenSSL 1.1.1
OpenSSL 1.1.1 introduces DRGBs and provides two sources (same security
profile etc. but separate internal state), which allows us to use one for
RNG_WEAK (e.g. for nonces that are directly publicly visible) and the other
for stronger random data like keys.
Tobias Brunner [Thu, 15 Nov 2018 09:20:45 +0000 (10:20 +0100)]
openssl: Add support for X25519 and X448
While X25519 was already added with 1.1.0a, its use would be a lot more
complicated, as the helpers like EVP_PKEY_new_raw_public_key() were only
added in 1.1.1, which also added X448.
Tobias Brunner [Thu, 8 Nov 2018 11:02:04 +0000 (12:02 +0100)]
bypass-lan: Compare interface for unchanged policies
In case a subnet is moved from one interface to another the policies can
remain as is but the route has to change. This currently doesn't happen
automatically and there is no option to update the policy or route so
removing and reinstalling the policies is the only option.
Tobias Brunner [Tue, 6 Nov 2018 11:13:35 +0000 (12:13 +0100)]
child-delete: Don't send delete for expired CHILD_SAs that were already rekeyed
The peer might not have seen the CREATE_CHILD_SA response yet, receiving a
DELETE for the SA could then trigger it to abort the rekeying, causing
the deletion of the newly established SA (it can't know whether the
DELETE was sent due to an expire or because the user manually deleted
it). We just treat this SA as if we received a DELETE for it. This is
not an ideal situation anyway, as it causes some traffic to get dropped,
so it should usually be avoided by setting appropriate soft and hard limits.
Tobias Brunner [Mon, 22 Oct 2018 08:38:53 +0000 (10:38 +0200)]
Avoid inclusion of unistd.h in generated lexers
Because the file is not available on all platforms the inclusion comes
after the user options in order to disable including it. But that means
the inclusion also follows after the defined scanner states, which are
generated as simple #defines to numbers. If the included unistd.h e.g.
uses variables in function definitions with the same names this could
result in compilation errors.
Interactive mode has to be disabled too as it relies on isatty() from
unistd.h. Since we don't use the scanners interactively, this is not a
problem and might even make the scanners a bit faster.