Tobias Brunner [Wed, 2 Feb 2022 14:51:06 +0000 (15:51 +0100)]
selinux: Add plugin to install trap policies with generic labels
After establishing an IKE_SA, we check if any of its child configs
define generic SELinux labels and install trap policies for them if
necessary narrowed to the current (virtual) IPs.
Tobias Brunner [Thu, 3 Feb 2022 16:10:46 +0000 (17:10 +0100)]
child-sa: Allocate a new reqid if dynamic traffic selectors are updated
If update_sa() is called and dynamic traffic selectors are changed using
new addresses, this might cause issues if we continue to use a reqid that
doesn't match the updated traffic selectors. For instance, if the initiator
then uses make-before-break reauth from the new IP. It's also a particular
problem in the SELinux case where multiple CHILD_SAs with specific labels
all share the same (trap) policy with generic label. However, SAs created
after the update would not match due to the new reqid.
Tobias Brunner [Fri, 4 Feb 2022 08:37:37 +0000 (09:37 +0100)]
kernel-netlink: Allow reqid updates for policies again
This was originally added with 1551d8b13d14 ("kernel-netlink: reject
policy refcount if the reqid differs"). Since then we added code to
allocate constant reqids for the same TS, which pretty much avoids the
previous issues.
However, the reqid might have to be changed due to MOBIKE updates. And
because reqids are allocated for a complete set of traffic selectors and
not individual pairs, this can create a problem with drop policies as
those will use the old reqid (they are installed with the same priority,
reqid etc. to replace the actual IPsec policies), while unmodified
replacement policies will use the new one. A similar issue exists for
CHILD_SAs with SELinux contexts as those all use duplicate policies (same
generic label) but can't all be updated concurrently.
Tobias Brunner [Wed, 2 Feb 2022 09:40:16 +0000 (10:40 +0100)]
child-create: Add support to handle security labels
With SELinux and without a specific label from an acquire, we abort
establishing the CHILD_SA (for the first one we prefer a childless IKE_SA,
but since that's a separate extension, we fall back to letting the initial
CHILD_SA fail as we won't propose a label).
If trap policies are not installed already (e.g. because it's impossible to
do so like as responder for roadwarriors), this will require installing
them dynamically once the IKE_SA is established.
Tobias Brunner [Mon, 20 Dec 2021 14:28:07 +0000 (15:28 +0100)]
child-sa: Add support for security labels
In SELinux mode we install the configured label on the policies and the
negotiated one on the SAs. This is how it usually is configured where the
policy/configuration has a generic context and the SAs will get the actual
context of the flows assigned (the latter matches the former, so flows
match the policies but will trigger an acquire if no matching SA exists).
In the simple mode we don't pass the label to the kernel and to avoid
duplicate policy errors we also don't use it to acquire unique reqids.
Tobias Brunner [Mon, 10 Jan 2022 16:39:56 +0000 (17:39 +0100)]
ts-payload: Add support for TS of type TS_SECLABEL
The security labels can be retrieved in a separate list from the
regular traffic selectors. We currently only plan to support a single
security label ourselves, so when generating we don't expect a list.
Tobias Brunner [Thu, 16 Dec 2021 15:34:37 +0000 (16:34 +0100)]
ike: Treat action_t as flags so 'start' and 'trap' can be combined
While combining the actions could cause duplicates (while the SA is
initiated, traffic might trigger the trap and the initiation of another
CHILD_SA), the previous commit should avoid most duplicates. If reuse_ikesa
is disabled, duplicates can't be prevented, though.
Tobias Brunner [Thu, 20 May 2021 16:11:58 +0000 (18:11 +0200)]
child-create: Abort initiating a duplicate CHILD_SA
This could happen if an acquire is triggered while we respond to a
CREATE_CHILD_SA request from the peer, or if an acquire is triggered
while an IKE_SA (with its existing CHILD_SAs) is reestablished (also
with break-before-make reauthentication). Also catches multiple
manual initiations.
Note that this ignores the traffic selectors from acquires (narrowing to
them seems rare in practice anyway).
Duplicates can still get created if e.g. both peers initiate them
concurrently.
Tobias Brunner [Fri, 28 May 2021 11:36:04 +0000 (13:36 +0200)]
kernel-netlink: Read protocol of acquire not from template
If a policy with IPComp template triggers an acquire, we get two, one for
an IPComp, one for ESP/AH SA. However, the triggering template of the trap
policy (where we get the reqid from), will be the same in both acquires,
IPComp, which we ignore, so no acquire was actually forwarded.
Tobias Brunner [Thu, 20 May 2021 09:43:39 +0000 (11:43 +0200)]
ike: Don't reset optional CHILD_SA properties when migrating child-creating tasks
These are set via methods, which are not called again after migration
(e.g. when retrying due to INVALID_KE or when moving queued tasks), so we
don't want to clear these values.
Tobias Brunner [Fri, 4 Jun 2021 16:11:46 +0000 (18:11 +0200)]
ike: Track unprocessed initial IKE messages like half-open IKE_SAs
This should make the DoS limits (cookie_threshold[_ip] and block_threshold)
more accurate so that it won't be possible to create lots of jobs from
spoofed IP addresses before half-open IKE_SAs are actually created from
these jobs to enforce those limits.
Note that retransmits are tracked as half-open SAs until they are
processed/dismissed as the check only happens in checkout_by_message().
Increasing the count in process_message_job_create() avoids issues with
missing calls to track_init() before calling checkout_by_message() (e.g.
when processing fragmented IKEv1 messages, which are reinjected via a
process message job).
Tobias Brunner [Fri, 18 Mar 2022 14:13:06 +0000 (15:13 +0100)]
receiver: Add per-IP cookie threshold
Because the global cookie threshold is higher than the per-IP block
threshold, it was previously possible for an attacker to block a legitimate
user by sending spoofed IKE_SA_INIT packets from that user's IP.
The timespan for requiring cookies is now also not extended anymore with
every IKE_SA_INIT received during the calm down period. Because this
allowed an attacker, after initially triggering the global cookie threshold,
to force cookies for all clients by sending just a single spoofed
IKE_SA_INIT every 10 seconds.
We keep track of reaching the per-IP threshold in segments of the hashed
IP addresses, so only a (random, due to chunk_hash()'s random key) subset
of clients will receive cookies, if single IPs are targeted.
Tobias Brunner [Fri, 4 Jun 2021 11:41:31 +0000 (13:41 +0200)]
receiver: Use a time based limit to switch COOKIE secrets
If we are under attack and there are lots of requests, we might hit
the previous use count limit pretty quickly and may switch secrets multiple
times a second, which renders the 10 second default lifetime of COOKIEs
pointless and prevents legitimate clients from sending requests with valid
COOKIEs.
Tobias Brunner [Wed, 16 Mar 2022 10:45:49 +0000 (11:45 +0100)]
traffic-selector: Avoid out-of-bound array access when calculating range
This happens for `/0` subnet masks. In practice, it's not an issue because
if `bytes` is 0, then so are `netbits`, `bits` and `mask`. So the two
incorrectly addressed array elements are not actually modified. The first
operation is a `&= 0xff` and the second a `|= 0`, so nothing changes.
But some tools might not consider the values and report this as undefined
behavior, which it technically is.
Tobias Brunner [Wed, 16 Feb 2022 13:47:40 +0000 (14:47 +0100)]
kernel-pfkey: Don't install exclude routes for locally connected peers
Such routes with a gateway that equals the peer's address are problematic
on FreeBSD. And since there is most likely a narrow route for the local
subnet anyway, the exclude routes would be redundant.
Tobias Brunner [Fri, 11 Feb 2022 16:23:15 +0000 (17:23 +0100)]
kernel-pfkey: Only install exclude route if not routing via outbound interface
When installing routes based on remote traffic selectors, it can be
necessary to install an exclude route for the remote peer to avoid a
routing loop and continue to be able to reach it via IKE/ESP.
However, such routes are only necessary, if the routes we install don't
go via outbound interface. That's the case when using VIPs and routing
via TUN devices, or when using internal source IPs and routing via
their interfaces.
Installing such exclude routes if not necessary can cause issues on
FreeBSD (EINVAL when sending packets to the peer).
Tobias Brunner [Wed, 23 Feb 2022 16:29:02 +0000 (17:29 +0100)]
openssl: Don't unload providers
There is a conflict between atexit() handlers registered by OpenSSL and
some executables (e.g. swanctl or pki) to deinitialize libstrongswan.
Because plugins are usually loaded after atexit() has been called, the
handler registered by OpenSSL will run before our handler. So when the
latter destroys the plugins it's a bad idea to try to access any OpenSSL
objects as they might already be invalid.
Fixes: f556fce16b60 ("openssl: Load "legacy" provider in OpenSSL 3 for algorithms like MD4, DES etc.")
Closes strongswan/strongswan#921
Tobias Brunner [Fri, 4 Feb 2022 10:16:14 +0000 (11:16 +0100)]
tls-peer: Simplify identity check for server certificate
has_subject() already matches the identity against the subject DN and
all the SANs (it actually already did when this check was added with c81147998619 ("Strictly check if the server certificate matches the TLS
server identity")).
Tobias Brunner [Wed, 2 Feb 2022 17:39:20 +0000 (18:39 +0100)]
libtls: Enforce client/server identity when looking for public key
The client already enforces that the server identity is contained in the
received certificate. But on the server, the referenced commit changed
the lookup from the configured (or adopted if %any was configured) client
identity to the subject DN of the received client certificate. So any
client with a trusted certificate was accepted.
Fixes: d2fc9b0961c6 ("tls-server: Mutual authentication support for TLS 1.3")
Closes strongswan/strongswan#873
Tobias Brunner [Tue, 15 Feb 2022 15:38:31 +0000 (16:38 +0100)]
Merge branch 'natd-fixes'
This adds some modifications to NAT-D in case the source IP can't be
determined before generating NAT-D notifies. If this happens when using
IPv4, a local NAT is faked (UDP-encap can be disabled later via MOBIKE
if no NAT is actually detected). If it happens when using IPv6, NAT-T
is disabled completely.
It also removes the old fallbacks for source NAT-D notifies, which were
generally unused but could lead to incorrect results in the above
scenario.
Tobias Brunner [Tue, 29 Jun 2021 14:11:51 +0000 (16:11 +0200)]
ike-natd: Fake NAT situation or disable NAT-D if source IP is undetermined
This can happen if an IKE_SA is initiated to a static IP before DHCP is
done. Instead of failing the initiation, we either fake a NAT situation
(for IPv4) or disable NAT-D (for IPv6 where NATs and UDP-encap are not
widely used or supported).
This also removes the old fallbacks to determine the source address(es).
A source address lookup is done in ike_sa_t::resolve_hosts() (wasn't the
case initially) and enumerating local IPs (which was added even earlier)
could still lead to issues if e.g. LAN addresses are available but the
WAN address that's later used is not yet (in which case only the responder
would detect a NAT and UDP-encap would be configured asymmetrically).
To force UDP-encap locally in case there is no actual NAT, we store this
as COND_NAT_HERE instead of COND_NAT_FAKE. This ensures DPDs will contain
NAT-D notifies and we can later remove the state via MOBIKE. We trigger
a MOBIKE update after such a DPD by registering a changed NAT mapping after
checking for a disappearing local NAT, which is very unlikely to happen
outside of a MOBIKE update (where that flag is not checked).
Tobias Brunner [Fri, 4 Feb 2022 11:05:53 +0000 (12:05 +0100)]
appveyor: Install autotools package on 2019 image
On the recently updated 2019 image, autoreconf is not found anymore, as
recent versions of msys2 don't ship autools with base-devel aymore, so
install the autotools package explicitly.
Martin Willi [Mon, 31 Jan 2022 13:01:42 +0000 (14:01 +0100)]
proposal: Add ESN transform to default ESP AEAD proposal
The commit mentioned below adds an AES-GCM default proposal for ESP. That
proposal does not include any ESN or non-ESN transform to indicate if
extended sequence numbers are supported.
A standards-compliant peer will include one or more ESN support transforms,
and will be unable to select this proposal due to a proposal mismatch.
Fix the default AES-GCM proposal by adding a NO_ESN algorithm. While ESN has
been supported in the Linux kernel for a while, having it in the default
proposal can be problematic with kernel-libipsec or on other platforms.
Fixes: c7bef954eec6 ("proposal: Add AES-GCM to the ESP default AEAD proposal")
Closes strongswan/strongswan#868
Martin Willi [Thu, 20 Jan 2022 13:48:48 +0000 (14:48 +0100)]
sys-logger: Optionally support mapping strongSwan loglevels to syslog levels
strongSwan logs all syslog messages using LOG_INFO for historical reasons,
regardless of the strongSwan loglevel used producing the log message.
In some setups with advanced logging infrastructure, it may be feasible
to be more verbose when logging in strongSwan, but then filter messages
on the syslog server. While this may be possible by custom syslog filtering
rules matching the log level included with the log_level setting, this is
not super convenient.
So add a new map_level setting, which can map strongSwan loglevels to
syslog loglevels. By default this is disabled, keeping the existing
behavior. If enabled, it maps strongSwan loglevels to syslog loglevels
at a given syslog loglevel offset.
Martin Willi [Wed, 12 Jan 2022 10:00:20 +0000 (11:00 +0100)]
addrblock: Allow limiting validation depth of issuer addrblock extensions
RFC3779 requires to validate the addrblocks of issuer certificates strictly,
that is, they must contain the extension and the claimed addrblock, up to
the root CA.
When working with third party root CAs that do not have the extension,
this makes using the plugin impossible. So add a depth setting that limits
the number of issuer certificates to check bottom-up towards the root CA.
A depth value of 0 disables any issuer check, the default value of -1
checks all issuers in the chain, keeping the existing behavior.
Tobias Brunner [Tue, 14 Dec 2021 09:51:35 +0000 (10:51 +0100)]
eap-authenticator: Enforce failure if MSK generation fails
Without this, the authentication succeeded if the server sent an early
EAP-Success message for mutual, key-generating EAP methods like EAP-TLS,
which may be used in EAP-only scenarios but would complete without server
or client authentication. For clients configured for such EAP-only
scenarios, a rogue server could capture traffic after the tunnel is
established or even access hosts behind the client. For non-mutual EAP
methods, public key server authentication has been enforced for a while.
A server previously could also crash a client by sending an EAP-Success
immediately without initiating an actual EAP method.
Fixes: 0706c39cda52 ("added support for EAP methods not establishing an MSK") Fixes: CVE-2021-45079
Andreas Steffen [Sun, 17 Oct 2021 13:53:42 +0000 (15:53 +0200)]
sw-collector: Iterate through history logs
The logrotate function causes the apt history to be split into
several parts at arbitrary points in time. If history.log only
is parsed then some package installation changes stored in
zipped backup history files might get lost.
Thus sw-collector now searches all backup history files until
a date older than the current event stored in the collector.db
database is found, so that no entries get overlooked.
Andreas Steffen [Mon, 8 Nov 2021 08:02:40 +0000 (09:02 +0100)]
libtpmtss: Establish session with TPM 2.0
Using the trusted RSA or ECC Endorsement Key of the TPM 2.0 a
secure session is established via RSA public key encryption or
an ephemeral ECDH key exchange, respectively.
The session allows HMAC-based authenticated communication with
the TPM 2.0 and the exchanged parameters can be encrypted where
necessary to guarantee confidentiality.
Tobias Brunner [Wed, 8 Dec 2021 10:34:46 +0000 (11:34 +0100)]
Merge branch 'openssl-providers'
Optionally load the legacy provider in OpenSSL 3 (enabled, by default) to
make algorithms like MD4 and DES available, which we require for
EAP-MSCHAPv2. Allow explicitly loading the fips provider via existing
fips_mode option. The loaded providers, whether influenced by the above
options or not, are logged.
openssl: Load "legacy" provider in OpenSSL 3 for algorithms like MD4, DES etc.
We still require these algorithms for e.g. EAP-MSCHAPv2, so the option is
enabled, by default. To use other providers (e.g. fips or even custom
ones), the option can be disabled and the providers to load/activate can
be configured in openssl.cnf. For instance, the following has the same
effect as enabling the option:
Tobias Brunner [Wed, 8 Dec 2021 10:33:32 +0000 (11:33 +0100)]
Merge branch 'libtls-tests'
Improves handling failures during unit tests of libtls and includes a
change for the openssl plugin so it only announces ECDH groups for which
the library provides the required ECC curve.
Tobias Brunner [Tue, 16 Nov 2021 13:34:03 +0000 (14:34 +0100)]
openssl: Only announce ECDH groups actually supported by OpenSSL
Determined by whether the library provides curves for it or not.
For instance, in the OpenSSL 3 FIPS provider the Brainpool curves are
not included. And in the Fedora package several weak curves are
explicitly patched out and the Brainpool curves are omitted even in
non-FIPS mode.
Tobias Brunner [Mon, 15 Nov 2021 13:39:22 +0000 (14:39 +0100)]
tls-socket: Handle sending fatal errors better
In particular as server, the previous code might cause it to hang in
recv() if this case wasn't triggered by a close notify (followed by a
shutdown of the socket) but it e.g. failed processing a ServerHello and
responded with a fatal alert.
Fixes: 09fbaad6bd71 ("tls-socket: Don't fail reading if sending data failed")
projects / thirdparty / strongswan.git / log
