strongswan.git
3 years agochild-delete: Reply as usual when concurrently rekeying the IKE_SA
Tobias Brunner [Tue, 31 May 2016 08:08:03 +0000 (10:08 +0200)]
child-delete: Reply as usual when concurrently rekeying the IKE_SA

As per RFC 7296, 2.25.2 (what we did before was the behavior described
in RFC 4718).

3 years agounit-tests: Add tests for IKE/CHILD rekey collisions
Tobias Brunner [Mon, 30 May 2016 16:30:51 +0000 (18:30 +0200)]
unit-tests: Add tests for IKE/CHILD rekey collisions

3 years agochild-create: Respond with TEMPORARY_FAILURE while rekeying/deleting IKE_SA
Tobias Brunner [Mon, 30 May 2016 16:07:53 +0000 (18:07 +0200)]
child-create: Respond with TEMPORARY_FAILURE while rekeying/deleting IKE_SA

3 years agoike-rekey: Respond with TEMPORARY_FAILURE if CHILD_SAs are currently rekeyed/deleted...
Tobias Brunner [Mon, 30 May 2016 15:59:42 +0000 (17:59 +0200)]
ike-rekey: Respond with TEMPORARY_FAILURE if CHILD_SAs are currently rekeyed/deleted/established

3 years agounit-tests: Add tests for collisions between IKE_SA rekeying and deletion
Tobias Brunner [Mon, 30 May 2016 15:26:28 +0000 (17:26 +0200)]
unit-tests: Add tests for collisions between IKE_SA rekeying and deletion

3 years agoike-rekey: Handle TEMPORARY_FAILURE notify
Tobias Brunner [Mon, 30 May 2016 15:10:51 +0000 (17:10 +0200)]
ike-rekey: Handle TEMPORARY_FAILURE notify

3 years agoike-rekey: Respond with TEMPORARY_FAILURE if we are deleting the SA
Tobias Brunner [Mon, 30 May 2016 14:53:37 +0000 (16:53 +0200)]
ike-rekey: Respond with TEMPORARY_FAILURE if we are deleting the SA

3 years agounit-tests: Add tests for IKE SA deletion
Tobias Brunner [Mon, 30 May 2016 14:30:56 +0000 (16:30 +0200)]
unit-tests: Add tests for IKE SA deletion

3 years agoike-delete: No need to wait for a response in case of concurrent deletes
Tobias Brunner [Mon, 30 May 2016 14:27:47 +0000 (16:27 +0200)]
ike-delete: No need to wait for a response in case of concurrent deletes

RFC 7296 explicitly says we SHOULD reply as usual and forget about our
own close request.

3 years agounit-tests: Only deliver messages to the SA they are addressed to
Tobias Brunner [Mon, 30 May 2016 13:39:38 +0000 (15:39 +0200)]
unit-tests: Only deliver messages to the SA they are addressed to

3 years agounit-tests: Add test for simple IKE rekey collision
Tobias Brunner [Sat, 28 May 2016 08:10:18 +0000 (10:10 +0200)]
unit-tests: Add test for simple IKE rekey collision

3 years agoikev2: Add a new state to track rekeyed IKE_SAs
Tobias Brunner [Sat, 28 May 2016 07:34:29 +0000 (09:34 +0200)]
ikev2: Add a new state to track rekeyed IKE_SAs

This makes handling such IKE_SAs more specifically compared to keeping them
in state IKE_CONNECTING or IKE_ESTABLISHED (which we did when we lost a
collision - even triggering the ike_updown event), or using IKE_REKEYING for
them, which would also be ambiguous.

For instance, we can now reject anything but DELETES for such SAs.

3 years agoike-rekey: Add the name/ID of the redundant IKE_SAs to the log messages
Tobias Brunner [Fri, 27 May 2016 17:16:03 +0000 (19:16 +0200)]
ike-rekey: Add the name/ID of the redundant IKE_SAs to the log messages

3 years agounit-tests: Add tests for IKE_SA rekeying
Tobias Brunner [Fri, 27 May 2016 08:31:42 +0000 (10:31 +0200)]
unit-tests: Add tests for IKE_SA rekeying

3 years agounit-tests: Add asserts against IKE_SAs
Tobias Brunner [Fri, 27 May 2016 08:31:11 +0000 (10:31 +0200)]
unit-tests: Add asserts against IKE_SAs

3 years agounit-tests: Make sure to flush the IKE_SA manager before destroying the sender
Tobias Brunner [Fri, 27 May 2016 08:17:53 +0000 (10:17 +0200)]
unit-tests: Make sure to flush the IKE_SA manager before destroying the sender

As the static plugin that creates and destroys the default sender was
not initialized because of the missing socket the daemon won't destroy
our sender.  Test cases will eventually have to flush the IKE_SA manager to
satisfy the leak detective.  However, in case of a test failure and if there
are IKE_SAs in the manager the daemon will flush the SAs when deinitializing,
which will cause deletes to get sent.  This crashes if the sender is already
destroyed.

3 years agounit-tests: Return status from process_message()
Tobias Brunner [Fri, 27 May 2016 08:07:03 +0000 (10:07 +0200)]
unit-tests: Return status from process_message()

3 years agounit-tests: Use wrapper for add_listener in bus_t related asserts
Tobias Brunner [Thu, 26 May 2016 15:00:10 +0000 (17:00 +0200)]
unit-tests: Use wrapper for add_listener in bus_t related asserts

3 years agounit-tests: Provide a wrapper around bus_t::add_listener and unregister them during...
Tobias Brunner [Thu, 26 May 2016 14:57:31 +0000 (16:57 +0200)]
unit-tests: Provide a wrapper around bus_t::add_listener and unregister them during cleanup

In case listeners on the stack are triggered while cleaning up after a
test failed (e.g. via ike_sa_manager_t::flush) remaining listeners defined on
the stack would cause a segmentation fault.

3 years agoike-sa-manager: Make sure rng is defined before destroying it in flush()
Tobias Brunner [Thu, 26 May 2016 14:35:18 +0000 (16:35 +0200)]
ike-sa-manager: Make sure rng is defined before destroying it in flush()

This allows calling flush() multiple times.

3 years agoike-rekey: Establish new IKE_SA earlier as responder, but only if no collision
Tobias Brunner [Thu, 26 May 2016 13:08:09 +0000 (15:08 +0200)]
ike-rekey: Establish new IKE_SA earlier as responder, but only if no collision

Moving to the new SA only after receiving the DELETE for the old SA was
not ideal as it rendered the new SA unusable (because it simply didn't
exist in the manager) if the DELETE was delayed/got dropped.

3 years agounit-tests: Add tests where a peer is not aware of a CHILD_SA rekey collision
Tobias Brunner [Thu, 26 May 2016 09:21:45 +0000 (11:21 +0200)]
unit-tests: Add tests where a peer is not aware of a CHILD_SA rekey collision

3 years agochild-delete: Check if the deleted CHILD_SA is the redundant SA of a collision
Tobias Brunner [Wed, 25 May 2016 17:12:53 +0000 (19:12 +0200)]
child-delete: Check if the deleted CHILD_SA is the redundant SA of a collision

This happens if the peer deletes the redundant SA before we are able to
handle the response. The deleted SA will be in state CHILD_INSTALLED but
we don't want to trigger the child_updown() event for it or recreate it.

3 years agochild-rekey: Add method to check for the redundant SA created in a collision
Tobias Brunner [Wed, 25 May 2016 17:11:51 +0000 (19:11 +0200)]
child-rekey: Add method to check for the redundant SA created in a collision

3 years agounit-tests: Test for rekeying if INVALID_KE_PAYLOAD notifies are received
Tobias Brunner [Wed, 25 May 2016 13:15:51 +0000 (15:15 +0200)]
unit-tests: Test for rekeying if INVALID_KE_PAYLOAD notifies are received

3 years agochild-rekey: Don't change state to INSTALLED if it was already REKEYING
Tobias Brunner [Wed, 25 May 2016 12:55:16 +0000 (14:55 +0200)]
child-rekey: Don't change state to INSTALLED if it was already REKEYING

This happens if there is a rekey collision and the peers disagree on the
DH group.

3 years agounit-tests: Make IKE and ESP proposals configurable
Tobias Brunner [Tue, 24 May 2016 12:14:05 +0000 (14:14 +0200)]
unit-tests: Make IKE and ESP proposals configurable

3 years agounit-tests: Add tests for CHILD_SA rekeying/deletion collisions
Tobias Brunner [Sat, 21 May 2016 10:22:06 +0000 (12:22 +0200)]
unit-tests: Add tests for CHILD_SA rekeying/deletion collisions

3 years agounit-tests: Add asserts against job scheduling
Tobias Brunner [Sat, 21 May 2016 09:12:16 +0000 (11:12 +0200)]
unit-tests: Add asserts against job scheduling

3 years agoikev2: Use CHILD_REKEYED for replaced CHILD_SAs after rekeying
Tobias Brunner [Fri, 20 May 2016 08:49:21 +0000 (10:49 +0200)]
ikev2: Use CHILD_REKEYED for replaced CHILD_SAs after rekeying

This allows handling collisions better, in particular with deletions.

3 years agounit-tests: Add asserts against task queues of IKE_SAs
Tobias Brunner [Thu, 19 May 2016 17:25:12 +0000 (19:25 +0200)]
unit-tests: Add asserts against task queues of IKE_SAs

3 years agochild-rekey: Use more appropriate error notifies if CHILD_SA is not found or getting...
Tobias Brunner [Thu, 19 May 2016 15:23:32 +0000 (17:23 +0200)]
child-rekey: Use more appropriate error notifies if CHILD_SA is not found or getting deleted

These are the notifies we should return according to RFC 7296.

3 years agochild-rekey: Recreate the CHILD_SA if we receive a CHILD_SA_NOT_FOUND notify
Tobias Brunner [Thu, 19 May 2016 13:31:02 +0000 (15:31 +0200)]
child-rekey: Recreate the CHILD_SA if we receive a CHILD_SA_NOT_FOUND notify

3 years agochild-create: Handle TEMPORARY_FAILURE notify as failure
Tobias Brunner [Thu, 19 May 2016 13:06:27 +0000 (15:06 +0200)]
child-create: Handle TEMPORARY_FAILURE notify as failure

We will later add code to retry creating the CHILD_SA if we are not
rekeying.  Rekeying is already rescheduled as with any other errors.

3 years agounit-tests: Add unit tests for basic CHILD_SA rekeying
Tobias Brunner [Tue, 17 May 2016 18:07:09 +0000 (20:07 +0200)]
unit-tests: Add unit tests for basic CHILD_SA rekeying

3 years agounit-tests: Add asserts against ike|child_rekey hooks
Tobias Brunner [Wed, 18 May 2016 15:16:29 +0000 (17:16 +0200)]
unit-tests: Add asserts against ike|child_rekey hooks

3 years agounit-tests: Match in and outbound SPIs in SA asserts
Tobias Brunner [Wed, 18 May 2016 15:15:12 +0000 (17:15 +0200)]
unit-tests: Match in and outbound SPIs in SA asserts

Since we use unique sequential SPIs that should be OK.

3 years agounit-tests: Register nonce generator and make first nonce byte configurable
Tobias Brunner [Tue, 17 May 2016 18:06:24 +0000 (20:06 +0200)]
unit-tests: Register nonce generator and make first nonce byte configurable

3 years agocrypto-factory: Stop after successfully creating one nonce generator
Tobias Brunner [Tue, 17 May 2016 18:05:06 +0000 (20:05 +0200)]
crypto-factory: Stop after successfully creating one nonce generator

Fixes: e2fc09c186c3 ("Add nonce generator interface")

3 years agounit-tests: Add mock nonce generator
Tobias Brunner [Tue, 17 May 2016 18:03:59 +0000 (20:03 +0200)]
unit-tests: Add mock nonce generator

We don't make the full nonces configurable but only the first byte,
which should be enough to force a nonce to be smaller than others.

3 years agounit-tests: Make message asserts more flexible
Tobias Brunner [Tue, 17 May 2016 11:49:58 +0000 (13:49 +0200)]
unit-tests: Make message asserts more flexible

3 years agounit-tests: Add another CHILD_SA delete collision
Tobias Brunner [Mon, 16 May 2016 17:35:14 +0000 (19:35 +0200)]
unit-tests: Add another CHILD_SA delete collision

3 years agounit-tests: Register mock DH implementation as static plugin feature
Tobias Brunner [Fri, 13 May 2016 10:16:45 +0000 (12:16 +0200)]
unit-tests: Register mock DH implementation as static plugin feature

3 years agounit-tests: Add mock DH implementation that's basically a noop
Tobias Brunner [Fri, 13 May 2016 10:12:51 +0000 (12:12 +0200)]
unit-tests: Add mock DH implementation that's basically a noop

If the openssl plugin is built DH isn't that much of an overhead as
ecp256 is used, but the default MODP group is now modp3072.

3 years agounit-tests: Make IKE SPIs predictable
Tobias Brunner [Fri, 13 May 2016 06:50:17 +0000 (08:50 +0200)]
unit-tests: Make IKE SPIs predictable

3 years agounit-tests: Call methods on IKE_SAs in their context
Tobias Brunner [Fri, 13 May 2016 06:44:13 +0000 (08:44 +0200)]
unit-tests: Call methods on IKE_SAs in their context

3 years agounit-tests: Add a unit test for CHILD_SA DELETE collisions
Tobias Brunner [Thu, 12 May 2016 15:25:42 +0000 (17:25 +0200)]
unit-tests: Add a unit test for CHILD_SA DELETE collisions

3 years agochild-delete: Remove unnecessary call to destroy_child_sa()
Tobias Brunner [Thu, 12 May 2016 10:22:35 +0000 (12:22 +0200)]
child-delete: Remove unnecessary call to destroy_child_sa()

Generally, we will not find the CHILD_SA by searching for it with the
outbound SPI (the initiator of the DELETE sent its inbound SPI) - and if
we found a CHILD_SA it would most likely be the wrong one (one in which
we used the same inbound SPI as the peer used for the one it deletes).

And we don't actually want to destroy the CHILD_SA at this point as we
know we already initiated a DELETE ourselves, which means that task
still has a reference to it and will destroy the CHILD_SA when it
receives the response from the other peer.

3 years agounit-tests: Add asserts against hooks on listener_t and messages captured there
Tobias Brunner [Fri, 13 May 2016 18:48:44 +0000 (20:48 +0200)]
unit-tests: Add asserts against hooks on listener_t and messages captured there

3 years agounit-tests: Add asserts against SAs (e.g. their states)
Tobias Brunner [Thu, 12 May 2016 15:59:42 +0000 (17:59 +0200)]
unit-tests: Add asserts against SAs (e.g. their states)

3 years agounit-tests: Add separate test runner to test IKEv2 exchanges
Tobias Brunner [Fri, 13 May 2016 09:57:11 +0000 (11:57 +0200)]
unit-tests: Add separate test runner to test IKEv2 exchanges

This allows proper initialization of the daemon and the helper object.

3 years agounit-tests: Add helper class/object to test IKE exchanges
Tobias Brunner [Thu, 12 May 2016 15:03:44 +0000 (17:03 +0200)]
unit-tests: Add helper class/object to test IKE exchanges

3 years agounit-tests: Add mock kernel_ipsec_t implementation for unit tests
Tobias Brunner [Thu, 12 May 2016 14:14:03 +0000 (16:14 +0200)]
unit-tests: Add mock kernel_ipsec_t implementation for unit tests

Provides predictable sequential SPIs.

3 years agounit-tests: Add mock sender_t implementation for unit testing
Tobias Brunner [Thu, 12 May 2016 13:33:44 +0000 (15:33 +0200)]
unit-tests: Add mock sender_t implementation for unit testing

This allows to retrieve packets sent by an IKE_SA and pass it to another
IKE_SA directly via process_message().

3 years agounit-tests: Defining TESTS_RUNNERS allows to only run specific test runners
Tobias Brunner [Thu, 12 May 2016 12:30:54 +0000 (14:30 +0200)]
unit-tests: Defining TESTS_RUNNERS allows to only run specific test runners

3 years agounit-tests: Don't unload plugins before calling libcharon_deinit()
Tobias Brunner [Thu, 12 May 2016 11:49:11 +0000 (13:49 +0200)]
unit-tests: Don't unload plugins before calling libcharon_deinit()

libcharon_deinit() already calls all the functions we called manually.
Unloading the plugins will not work if charon->initialize() is called
as charon's static plugin features would already be unloaded before the
destroyed members are accessed in destroy() to flush them.

3 years agokernel-netlink: Don't set replay window for outbound SAs
Tobias Brunner [Fri, 17 Jun 2016 12:56:37 +0000 (14:56 +0200)]
kernel-netlink: Don't set replay window for outbound SAs

It's not necessary and might waste memory.  However, if ESN is used we set
the window to 1 as the kernel rejects the attribute otherwise.

3 years agokernel-pfkey: Only set the replay window for inbound SAs
Tobias Brunner [Fri, 17 Jun 2016 12:52:11 +0000 (14:52 +0200)]
kernel-pfkey: Only set the replay window for inbound SAs

It is not necessary for outbound SAs and might waste memory when large
window sizes are used.

3 years agotesting: Fix race in tnc/tnccs-20-pdp-pt-tls scenario
Tobias Brunner [Fri, 17 Jun 2016 09:18:25 +0000 (11:18 +0200)]
testing: Fix race in tnc/tnccs-20-pdp-pt-tls scenario

aacf84d837e7 ("testing: Add expect-connection calls for all tests and
hosts") removed the expect-connection call for the non-existing aaa
connection.  However, because the credentials were loaded asynchronously
via start-script the clients might have been connecting when the secrets
were not yet loaded.  As `swanctl --load-creds` is a synchronous call
this change avoids that issue without having to add a sleep or failing
expect-connection call.

3 years agodaemon: Don't hold settings lock while executing start/stop scripts
Tobias Brunner [Fri, 17 Jun 2016 08:19:37 +0000 (10:19 +0200)]
daemon: Don't hold settings lock while executing start/stop scripts

If a called script interacts with the daemon or one of its plugins
another thread might have to acquire the write lock (e.g. to configure a
fallback or set a value).  Holding the read lock prevents that, potentially
resulting in a deadlock.

3 years agotesting: Use TLS 1.2 in RADIUS test cases
Tobias Brunner [Thu, 26 Nov 2015 18:06:41 +0000 (19:06 +0100)]
testing: Use TLS 1.2 in RADIUS test cases

This took a while as in the OpenSSL package shipped with Debian and on which
our FIPS-enabled package is based, the function SSL_export_keying_material(),
which is used by FreeRADIUS to derive the MSK, did not use the correct digest
to calculate the result when TLS 1.2 was used.  This caused IKE to fail with
"verification of AUTH payload with EAP MSK failed".  The fix was only
backported to jessie recently.

3 years agotesting: Update FreeRADIUS to 2.2.8
Tobias Brunner [Thu, 26 Nov 2015 17:48:43 +0000 (18:48 +0100)]
testing: Update FreeRADIUS to 2.2.8

While this is not the latest 2.x release it is the latest in /old.

Upgrading to 3.0 might be possible, not sure if the TNC-FHH patches could
be easily updated, though.  Upgrading to 3.1 will definitely not be possible
directly as that version removes the EAP-TNC module.  So we'd first have to
get rid of the TNC-FHH stuff.

3 years agoRevert "configure: Cache result of pthread_condattr_setclock() check"
Tobias Brunner [Fri, 17 Jun 2016 13:04:17 +0000 (15:04 +0200)]
Revert "configure: Cache result of pthread_condattr_setclock() check"

This reverts commit 8d79bfa8318ddd1b9b863241fe0e637be73af5f4 as it does
not provide any advantage over setting ac_cv_func_pthread_condattr_setclock=no.

References #1502.

3 years agoconfigure: Cache result of pthread_condattr_setclock() check
Tobias Brunner [Thu, 16 Jun 2016 15:57:37 +0000 (17:57 +0200)]
configure: Cache result of pthread_condattr_setclock() check

Even if not using caching when running the configure script (-C) this
allows pre-defining the result by setting the environment variable
ss_cv_func_pthread_condattr_setclock_monotonic=yes|no|unknown
before/while running the script.

As the check requires running a test program this might be helpful
when cross-compiling to disable using monotonic time if
pthread_condattr_setclock() is defined but not actually usable with
CLOCK_MONOTONIC.

References #1502.

3 years agoconfigure: Fix typo in pthread_condattr_setclock() check
Tobias Brunner [Thu, 16 Jun 2016 15:19:10 +0000 (17:19 +0200)]
configure: Fix typo in pthread_condattr_setclock() check

3 years agoquick-mode: Fix reporting lifebytes if lifetime is configured
Tobias Brunner [Wed, 15 Jun 2016 15:43:55 +0000 (17:43 +0200)]
quick-mode: Fix reporting lifebytes if lifetime is configured

3 years agoload-tester: Fix load-tester on platforms where plain `char` is signed
Tobias Brunner [Fri, 17 Jun 2016 08:22:25 +0000 (10:22 +0200)]
load-tester: Fix load-tester on platforms where plain `char` is signed

fgetc() returns an int and EOF is usually -1 so when this gets casted to
a char the result depends on whether `char` means `signed char` or
`unsigned char` (the C standard does not specify it).  If it is unsigned
then its value is 0xff so the comparison with EOF will fail as that is an
implicit signed int.

3 years agotesting: Fix firewall rule on alice in tnc/tnccs-20-pdp-pt-tls scenario
Tobias Brunner [Fri, 17 Jun 2016 08:22:03 +0000 (10:22 +0200)]
testing: Fix firewall rule on alice in tnc/tnccs-20-pdp-pt-tls scenario

3 years agoMerge branch 'testing-jessie'
Tobias Brunner [Thu, 16 Jun 2016 14:28:51 +0000 (16:28 +0200)]
Merge branch 'testing-jessie'

Updates the default Debian image used for the test environment from wheezy
to jessie.  Also adds a script that allows chrooting to an image (base,
root or one of the guests).  In pretty much all test scenarios
expect-connection is used to make test runs more reliable.

Fixes #1382.

3 years agotesting: Build hostapd from sources
Tobias Brunner [Wed, 15 Jun 2016 16:19:23 +0000 (18:19 +0200)]
testing: Build hostapd from sources

There is a bug (fix at [1]) in hostapd 2.1-2.3 that let it crash when used
with the wired driver.  The package in jessie (and sid) is affected, so we
build it from sources (same, older, version as wpa_supplicant).

[1] http://w1.fi/cgit/hostap/commit/?id=e9b783d58c23a7bb50b2f25bce7157f1f3

3 years agotesting: Update download URL for wpa_supplicant
Tobias Brunner [Wed, 15 Jun 2016 15:42:28 +0000 (17:42 +0200)]
testing: Update download URL for wpa_supplicant

3 years agotesting: Wait for packets to be processed by tcpdump
Tobias Brunner [Tue, 14 Jun 2016 18:41:43 +0000 (20:41 +0200)]
testing: Wait for packets to be processed by tcpdump

Sometimes tcpdump fails to process all packets during the short running
time of a scenario:

0 packets captured
18 packets received by filter
0 packets dropped by kernel

So 18 packets were captured by libpcap but tcpdump did not yet process
and print them.

This tries to use --immediate-mode if supported by tcpdump (the one
currently in jessie or wheezy does not, but the one in jessie-backports
does), which disables the buffering in libpcap.

However, even with immediate mode there are cases where it takes a while
longer for all packets to get processed.  And without it we also need a
workaround (even though the version in wheezy actually works fine).
That's why there now is a loop checking for differences in captured vs.
received packets.  There are actually cases where these numbers are not
equal but we still captured all packets we're interested in, so we abort
after 1s of retrying.  But sometimes it could still happen that packets
we expected got lost somewhere ("packets dropped by kernel" is not
always 0 either).

3 years agotesting: Fix expect-connection for tkm tests
Tobias Brunner [Thu, 16 Jun 2016 12:35:26 +0000 (14:35 +0200)]
testing: Fix expect-connection for tkm tests

We don't use swanctl there but there is no load statement either.

3 years agotesting: Add expect-connection calls for all tests and hosts
Tobias Brunner [Tue, 14 Jun 2016 18:41:14 +0000 (20:41 +0200)]
testing: Add expect-connection calls for all tests and hosts

There are some exceptions (e.g. those that use auto=start or p2pnat).

3 years agotesting: Update test scenarios for Debian jessie
Tobias Brunner [Tue, 14 Jun 2016 16:58:12 +0000 (18:58 +0200)]
testing: Update test scenarios for Debian jessie

The main difference is that ping now reports icmp_seq instead of
icmp_req, so we match for icmp_.eq, which works with both releases.

tcpdump now also reports port 4500 as ipsec-nat-t.

3 years agolibimcv: Add Debian 8.5 to database
Tobias Brunner [Tue, 14 Jun 2016 13:40:24 +0000 (15:40 +0200)]
libimcv: Add Debian 8.5 to database

3 years agotesting: Fix posttest.dat for ikev2/rw-dnssec scenario
Tobias Brunner [Tue, 8 Dec 2015 17:14:32 +0000 (18:14 +0100)]
testing: Fix posttest.dat for ikev2/rw-dnssec scenario

3 years agotesting: Make sure tcpdump is actually terminated before analyzing/collecting logs
Tobias Brunner [Tue, 8 Dec 2015 15:16:51 +0000 (16:16 +0100)]
testing: Make sure tcpdump is actually terminated before analyzing/collecting logs

3 years agotesting: Correctly dis-/enable services with systemd
Tobias Brunner [Tue, 8 Dec 2015 17:15:19 +0000 (18:15 +0100)]
testing: Correctly dis-/enable services with systemd

3 years agotesting: Install packages like the FIPS-enabled OpenSSL from a custom apt repo
Tobias Brunner [Tue, 8 Dec 2015 14:22:15 +0000 (15:22 +0100)]
testing: Install packages like the FIPS-enabled OpenSSL from a custom apt repo

3 years agotesting: Update base image to Debian jessie
Tobias Brunner [Fri, 20 Nov 2015 16:50:29 +0000 (17:50 +0100)]
testing: Update base image to Debian jessie

Several packages got renamed/updated, libgcrypt was apparently installed
by default previously.

Since most libraries changed we have to completely rebuild all the tools
installed in the root image.  We currently don't provide a clean target in
the recipes, and even if we did we'd have to track which base image we
last built for.  It's easier to just use a different build directory for
each base image, at the cost of some additional disk space (if not manually
cleaned).  However, that's also the case when updating kernel or
software versions.

3 years agotesting: Update 4.x kernel configs to be compatible with Debian 8/systemd
Tobias Brunner [Tue, 24 Nov 2015 16:28:49 +0000 (17:28 +0100)]
testing: Update 4.x kernel configs to be compatible with Debian 8/systemd

3 years agotesting: Add root to fstab
Tobias Brunner [Tue, 24 Nov 2015 17:33:57 +0000 (18:33 +0100)]
testing: Add root to fstab

This seems to be required for systemd to remount it.

3 years agotesting: Update Apache config for newer Debian releases
Tobias Brunner [Tue, 24 Nov 2015 17:32:23 +0000 (18:32 +0100)]
testing: Update Apache config for newer Debian releases

It is still compatible with the current release as the config in
sites-available will be ignored, while conf-enabled does not exist and
is not included in the main config.

3 years agotesting: Explicitly enable RC4 in SSH server config
Tobias Brunner [Tue, 24 Nov 2015 16:26:16 +0000 (17:26 +0100)]
testing: Explicitly enable RC4 in SSH server config

Newer OpenSSH versions disable this by default because it's unsafe.
Since this is not relevant for our use case we enable it due to its
speed.

3 years agotesting: Add script to chroot into an image
Tobias Brunner [Tue, 24 Nov 2015 10:08:57 +0000 (11:08 +0100)]
testing: Add script to chroot into an image

If changes are made to the base or root image the images depending on
these have to be rebuilt.

3 years agotesting: Add a patch to tnc-fhh that avoids building the tncsim package
Tobias Brunner [Fri, 20 Nov 2015 16:51:54 +0000 (17:51 +0100)]
testing: Add a patch to tnc-fhh that avoids building the tncsim package

This sub-package does not build on Debian jessie.

3 years agotesting: Don't attempt to stop services when building base image
Tobias Brunner [Fri, 20 Nov 2015 16:42:55 +0000 (17:42 +0100)]
testing: Don't attempt to stop services when building base image

Unlike `apt-get install` in a chroot debootstrap does not seem to start
the services but stopping them might cause problems if they were running
outside the chroot.

3 years agoleak-detective: Make sure to actually call malloc() from calloc() hook
Tobias Brunner [Wed, 15 Jun 2016 09:22:04 +0000 (11:22 +0200)]
leak-detective: Make sure to actually call malloc() from calloc() hook

Newer versions of GCC are too "smart" and replace a call to malloc(X)
followed by a call to memset(0,X) with a call co calloc(), which obviously
results in an infinite loop when it does that in our own calloc()
implementation.  Using `volatile` for the variable storing the total size
prevents the optimization and we actually call malloc().

3 years agoleak-detective: Whitelist __fprintf_chk as seen on newer systems
Tobias Brunner [Wed, 15 Jun 2016 09:21:16 +0000 (11:21 +0200)]
leak-detective: Whitelist __fprintf_chk as seen on newer systems

3 years agoconfigure: Check for and explicitly link against -latomic
Martin Willi [Wed, 8 Jun 2016 12:46:35 +0000 (14:46 +0200)]
configure: Check for and explicitly link against -latomic

Some C libraries, such as uClibc, require an explicit link for some atomic
functions. Check for any libatomic, and explcily link it.

3 years agotesting: Fix scenarios that check /etc/resolv.conf
Tobias Brunner [Mon, 13 Jun 2016 14:18:38 +0000 (16:18 +0200)]
testing: Fix scenarios that check /etc/resolv.conf

3 years agoandroid: Catch exception if numbers are too large for Integer
Tobias Brunner [Mon, 13 Jun 2016 14:12:17 +0000 (16:12 +0200)]
android: Catch exception if numbers are too large for Integer

3 years agoandroid: Use non-aliased cipher identifiers
Tobias Brunner [Mon, 13 Jun 2016 08:37:17 +0000 (10:37 +0200)]
android: Use non-aliased cipher identifiers

Some of these are also understood by BoringSSL.

Fixes #1510.

3 years agoandroid: Update Gradle plugin
Tobias Brunner [Mon, 13 Jun 2016 08:19:13 +0000 (10:19 +0200)]
android: Update Gradle plugin

3 years agoandroid: Fix signature of get_nexthop()
Tobias Brunner [Mon, 13 Jun 2016 08:18:45 +0000 (10:18 +0200)]
android: Fix signature of get_nexthop()

3 years agoresolve: Add refcounting for installed DNS servers
Tobias Brunner [Wed, 8 Jun 2016 17:43:13 +0000 (19:43 +0200)]
resolve: Add refcounting for installed DNS servers

This fixes DNS server installation if make-before-break reauthentication
is used as there the new SA and DNS server is installed before it then
is removed again when the old IKE_SA is torn down.

3 years agoresolve: Use process abstraction when calling resolvconf
Tobias Brunner [Tue, 7 Jun 2016 14:51:04 +0000 (16:51 +0200)]
resolve: Use process abstraction when calling resolvconf

This allows us to capture output written to stderr/stdout.

3 years agoresolve: Make sure to clean up if calling resolvconf failed
Tobias Brunner [Tue, 7 Jun 2016 13:58:05 +0000 (15:58 +0200)]
resolve: Make sure to clean up if calling resolvconf failed

If running resolvconf fails handle() fails release() is not called, which
might leave an interface file on the system (or depending on which script
called by resolvconf actually failed even the installed DNS server).

3 years agoMerge branch 'interface-for-routes'
Tobias Brunner [Fri, 10 Jun 2016 16:15:42 +0000 (18:15 +0200)]
Merge branch 'interface-for-routes'

Changes how the interface for routes installed with policies is
determined.  In most cases we now use the interface over which we reach the
other peer, not the interface on which the local address (or the source IP) is
installed.  However, that might be the same interface depending on the
configuration (i.e. in practice there will often not be a change).

Routes are not installed anymore for drop policies and for policies with
protocol/port selectors.

Fixes #809, #824, #1347.