strongswan.git
3 years agoMerge branch 'testing-jessie'
Tobias Brunner [Thu, 16 Jun 2016 14:28:51 +0000 (16:28 +0200)]
Merge branch 'testing-jessie'

Updates the default Debian image used for the test environment from wheezy
to jessie.  Also adds a script that allows chrooting to an image (base,
root or one of the guests).  In pretty much all test scenarios
expect-connection is used to make test runs more reliable.

Fixes #1382.

3 years agotesting: Build hostapd from sources
Tobias Brunner [Wed, 15 Jun 2016 16:19:23 +0000 (18:19 +0200)]
testing: Build hostapd from sources

There is a bug (fix at [1]) in hostapd 2.1-2.3 that let it crash when used
with the wired driver.  The package in jessie (and sid) is affected, so we
build it from sources (same, older, version as wpa_supplicant).

[1] http://w1.fi/cgit/hostap/commit/?id=e9b783d58c23a7bb50b2f25bce7157f1f3

3 years agotesting: Update download URL for wpa_supplicant
Tobias Brunner [Wed, 15 Jun 2016 15:42:28 +0000 (17:42 +0200)]
testing: Update download URL for wpa_supplicant

3 years agotesting: Wait for packets to be processed by tcpdump
Tobias Brunner [Tue, 14 Jun 2016 18:41:43 +0000 (20:41 +0200)]
testing: Wait for packets to be processed by tcpdump

Sometimes tcpdump fails to process all packets during the short running
time of a scenario:

0 packets captured
18 packets received by filter
0 packets dropped by kernel

So 18 packets were captured by libpcap but tcpdump did not yet process
and print them.

This tries to use --immediate-mode if supported by tcpdump (the one
currently in jessie or wheezy does not, but the one in jessie-backports
does), which disables the buffering in libpcap.

However, even with immediate mode there are cases where it takes a while
longer for all packets to get processed.  And without it we also need a
workaround (even though the version in wheezy actually works fine).
That's why there now is a loop checking for differences in captured vs.
received packets.  There are actually cases where these numbers are not
equal but we still captured all packets we're interested in, so we abort
after 1s of retrying.  But sometimes it could still happen that packets
we expected got lost somewhere ("packets dropped by kernel" is not
always 0 either).

3 years agotesting: Fix expect-connection for tkm tests
Tobias Brunner [Thu, 16 Jun 2016 12:35:26 +0000 (14:35 +0200)]
testing: Fix expect-connection for tkm tests

We don't use swanctl there but there is no load statement either.

3 years agotesting: Add expect-connection calls for all tests and hosts
Tobias Brunner [Tue, 14 Jun 2016 18:41:14 +0000 (20:41 +0200)]
testing: Add expect-connection calls for all tests and hosts

There are some exceptions (e.g. those that use auto=start or p2pnat).

3 years agotesting: Update test scenarios for Debian jessie
Tobias Brunner [Tue, 14 Jun 2016 16:58:12 +0000 (18:58 +0200)]
testing: Update test scenarios for Debian jessie

The main difference is that ping now reports icmp_seq instead of
icmp_req, so we match for icmp_.eq, which works with both releases.

tcpdump now also reports port 4500 as ipsec-nat-t.

3 years agolibimcv: Add Debian 8.5 to database
Tobias Brunner [Tue, 14 Jun 2016 13:40:24 +0000 (15:40 +0200)]
libimcv: Add Debian 8.5 to database

3 years agotesting: Fix posttest.dat for ikev2/rw-dnssec scenario
Tobias Brunner [Tue, 8 Dec 2015 17:14:32 +0000 (18:14 +0100)]
testing: Fix posttest.dat for ikev2/rw-dnssec scenario

3 years agotesting: Make sure tcpdump is actually terminated before analyzing/collecting logs
Tobias Brunner [Tue, 8 Dec 2015 15:16:51 +0000 (16:16 +0100)]
testing: Make sure tcpdump is actually terminated before analyzing/collecting logs

3 years agotesting: Correctly dis-/enable services with systemd
Tobias Brunner [Tue, 8 Dec 2015 17:15:19 +0000 (18:15 +0100)]
testing: Correctly dis-/enable services with systemd

3 years agotesting: Install packages like the FIPS-enabled OpenSSL from a custom apt repo
Tobias Brunner [Tue, 8 Dec 2015 14:22:15 +0000 (15:22 +0100)]
testing: Install packages like the FIPS-enabled OpenSSL from a custom apt repo

3 years agotesting: Update base image to Debian jessie
Tobias Brunner [Fri, 20 Nov 2015 16:50:29 +0000 (17:50 +0100)]
testing: Update base image to Debian jessie

Several packages got renamed/updated, libgcrypt was apparently installed
by default previously.

Since most libraries changed we have to completely rebuild all the tools
installed in the root image.  We currently don't provide a clean target in
the recipes, and even if we did we'd have to track which base image we
last built for.  It's easier to just use a different build directory for
each base image, at the cost of some additional disk space (if not manually
cleaned).  However, that's also the case when updating kernel or
software versions.

3 years agotesting: Update 4.x kernel configs to be compatible with Debian 8/systemd
Tobias Brunner [Tue, 24 Nov 2015 16:28:49 +0000 (17:28 +0100)]
testing: Update 4.x kernel configs to be compatible with Debian 8/systemd

3 years agotesting: Add root to fstab
Tobias Brunner [Tue, 24 Nov 2015 17:33:57 +0000 (18:33 +0100)]
testing: Add root to fstab

This seems to be required for systemd to remount it.

3 years agotesting: Update Apache config for newer Debian releases
Tobias Brunner [Tue, 24 Nov 2015 17:32:23 +0000 (18:32 +0100)]
testing: Update Apache config for newer Debian releases

It is still compatible with the current release as the config in
sites-available will be ignored, while conf-enabled does not exist and
is not included in the main config.

3 years agotesting: Explicitly enable RC4 in SSH server config
Tobias Brunner [Tue, 24 Nov 2015 16:26:16 +0000 (17:26 +0100)]
testing: Explicitly enable RC4 in SSH server config

Newer OpenSSH versions disable this by default because it's unsafe.
Since this is not relevant for our use case we enable it due to its
speed.

3 years agotesting: Add script to chroot into an image
Tobias Brunner [Tue, 24 Nov 2015 10:08:57 +0000 (11:08 +0100)]
testing: Add script to chroot into an image

If changes are made to the base or root image the images depending on
these have to be rebuilt.

3 years agotesting: Add a patch to tnc-fhh that avoids building the tncsim package
Tobias Brunner [Fri, 20 Nov 2015 16:51:54 +0000 (17:51 +0100)]
testing: Add a patch to tnc-fhh that avoids building the tncsim package

This sub-package does not build on Debian jessie.

3 years agotesting: Don't attempt to stop services when building base image
Tobias Brunner [Fri, 20 Nov 2015 16:42:55 +0000 (17:42 +0100)]
testing: Don't attempt to stop services when building base image

Unlike `apt-get install` in a chroot debootstrap does not seem to start
the services but stopping them might cause problems if they were running
outside the chroot.

3 years agoleak-detective: Make sure to actually call malloc() from calloc() hook
Tobias Brunner [Wed, 15 Jun 2016 09:22:04 +0000 (11:22 +0200)]
leak-detective: Make sure to actually call malloc() from calloc() hook

Newer versions of GCC are too "smart" and replace a call to malloc(X)
followed by a call to memset(0,X) with a call co calloc(), which obviously
results in an infinite loop when it does that in our own calloc()
implementation.  Using `volatile` for the variable storing the total size
prevents the optimization and we actually call malloc().

3 years agoleak-detective: Whitelist __fprintf_chk as seen on newer systems
Tobias Brunner [Wed, 15 Jun 2016 09:21:16 +0000 (11:21 +0200)]
leak-detective: Whitelist __fprintf_chk as seen on newer systems

3 years agoconfigure: Check for and explicitly link against -latomic
Martin Willi [Wed, 8 Jun 2016 12:46:35 +0000 (14:46 +0200)]
configure: Check for and explicitly link against -latomic

Some C libraries, such as uClibc, require an explicit link for some atomic
functions. Check for any libatomic, and explcily link it.

3 years agotesting: Fix scenarios that check /etc/resolv.conf
Tobias Brunner [Mon, 13 Jun 2016 14:18:38 +0000 (16:18 +0200)]
testing: Fix scenarios that check /etc/resolv.conf

3 years agoandroid: Catch exception if numbers are too large for Integer
Tobias Brunner [Mon, 13 Jun 2016 14:12:17 +0000 (16:12 +0200)]
android: Catch exception if numbers are too large for Integer

3 years agoandroid: Use non-aliased cipher identifiers
Tobias Brunner [Mon, 13 Jun 2016 08:37:17 +0000 (10:37 +0200)]
android: Use non-aliased cipher identifiers

Some of these are also understood by BoringSSL.

Fixes #1510.

3 years agoandroid: Update Gradle plugin
Tobias Brunner [Mon, 13 Jun 2016 08:19:13 +0000 (10:19 +0200)]
android: Update Gradle plugin

3 years agoandroid: Fix signature of get_nexthop()
Tobias Brunner [Mon, 13 Jun 2016 08:18:45 +0000 (10:18 +0200)]
android: Fix signature of get_nexthop()

3 years agoresolve: Add refcounting for installed DNS servers
Tobias Brunner [Wed, 8 Jun 2016 17:43:13 +0000 (19:43 +0200)]
resolve: Add refcounting for installed DNS servers

This fixes DNS server installation if make-before-break reauthentication
is used as there the new SA and DNS server is installed before it then
is removed again when the old IKE_SA is torn down.

3 years agoresolve: Use process abstraction when calling resolvconf
Tobias Brunner [Tue, 7 Jun 2016 14:51:04 +0000 (16:51 +0200)]
resolve: Use process abstraction when calling resolvconf

This allows us to capture output written to stderr/stdout.

3 years agoresolve: Make sure to clean up if calling resolvconf failed
Tobias Brunner [Tue, 7 Jun 2016 13:58:05 +0000 (15:58 +0200)]
resolve: Make sure to clean up if calling resolvconf failed

If running resolvconf fails handle() fails release() is not called, which
might leave an interface file on the system (or depending on which script
called by resolvconf actually failed even the installed DNS server).

3 years agoMerge branch 'interface-for-routes'
Tobias Brunner [Fri, 10 Jun 2016 16:15:42 +0000 (18:15 +0200)]
Merge branch 'interface-for-routes'

Changes how the interface for routes installed with policies is
determined.  In most cases we now use the interface over which we reach the
other peer, not the interface on which the local address (or the source IP) is
installed.  However, that might be the same interface depending on the
configuration (i.e. in practice there will often not be a change).

Routes are not installed anymore for drop policies and for policies with
protocol/port selectors.

Fixes #809, #824, #1347.

3 years agokernel-pfroute: Return interface to reach destination from get_nexthop()
Tobias Brunner [Fri, 10 Jun 2016 15:13:22 +0000 (17:13 +0200)]
kernel-pfroute: Return interface to reach destination from get_nexthop()

3 years agokernel-pfkey: Install routes with OUT policies
Tobias Brunner [Fri, 10 Jun 2016 08:30:00 +0000 (10:30 +0200)]
kernel-pfkey: Install routes with OUT policies

3 years agokernel-netlink: Install routes with OUT policies
Tobias Brunner [Fri, 10 Jun 2016 08:10:09 +0000 (10:10 +0200)]
kernel-netlink: Install routes with OUT policies

This is the direction we actually need routes in and makes the code
easier to read.

3 years agokernel-pfkey: Don't install routes for drop policies and if protocol/ports are in...
Tobias Brunner [Thu, 9 Jun 2016 13:46:32 +0000 (15:46 +0200)]
kernel-pfkey: Don't install routes for drop policies and if protocol/ports are in the selector

3 years agokernel-netlink: Don't install routes for drop policies and if protocol/ports are...
Tobias Brunner [Thu, 9 Jun 2016 13:38:37 +0000 (15:38 +0200)]
kernel-netlink: Don't install routes for drop policies and if protocol/ports are in the selector

We don't need them for drop policies and they might even mess with other
routes we install.  Routes for policies with protocol/ports in the
selector will always be too broad and might conflict with other routes
we install.

3 years agokernel-pfkey: Also use interface returned by get_nexthop() for IPsec policies
Tobias Brunner [Mon, 6 Jun 2016 14:20:34 +0000 (16:20 +0200)]
kernel-pfkey: Also use interface returned by get_nexthop() for IPsec policies

An exception is if the local address is virtual, in which case we want
the route to be via TUN device.

3 years agokernel-netlink: Also use interface returned by get_nexthop() for IPsec policies
Tobias Brunner [Mon, 6 Jun 2016 14:01:43 +0000 (16:01 +0200)]
kernel-netlink: Also use interface returned by get_nexthop() for IPsec policies

3 years agokernel-pfkey: Use interface to next hop for shunt policies
Tobias Brunner [Fri, 11 Mar 2016 18:17:03 +0000 (19:17 +0100)]
kernel-pfkey: Use interface to next hop for shunt policies

3 years agokernel-netlink: Use interface to next hop for shunt policies
Tobias Brunner [Fri, 11 Mar 2016 18:09:54 +0000 (19:09 +0100)]
kernel-netlink: Use interface to next hop for shunt policies

Using the source address to determine the interface is not correct for
net-to-net shunts between two interfaces on which the host has IP addresses
for each subnet.

3 years agokernel-netlink: Return outbound interface in get_nexthop()
Tobias Brunner [Fri, 11 Mar 2016 18:07:10 +0000 (19:07 +0100)]
kernel-netlink: Return outbound interface in get_nexthop()

3 years agokernel-net: Let get_nexthop() return an optional interface name
Tobias Brunner [Fri, 11 Mar 2016 17:54:31 +0000 (18:54 +0100)]
kernel-net: Let get_nexthop() return an optional interface name

The returned name should be the interface over which the destination
address/net is reachable.

3 years agokernel-interface: Always set `vip` if get_address_by_ts() returns successfully
Tobias Brunner [Fri, 10 Jun 2016 11:52:30 +0000 (13:52 +0200)]
kernel-interface: Always set `vip` if get_address_by_ts() returns successfully

3 years agokernel-netlink: Let only a single thread work on a specific policy
Tobias Brunner [Wed, 25 May 2016 10:15:38 +0000 (12:15 +0200)]
kernel-netlink: Let only a single thread work on a specific policy

Other threads are free to add/update/delete other policies.

This tries to prevent race conditions caused by releasing the mutex while
sending messages to the kernel.  For instance, if break-before-make
reauthentication is used and one thread on the responder is delayed in
deleting the policies that another thread is concurrently adding for the
new SA.  This could have resulted in no policies being installed
eventually.

Fixes #1400.

3 years agokernel-netlink: Add priority and refcount to policy log
Tobias Brunner [Fri, 27 May 2016 15:31:04 +0000 (17:31 +0200)]
kernel-netlink: Add priority and refcount to policy log

3 years agokernel-netlink: Consistently print mark in log messages only if set
Tobias Brunner [Fri, 27 May 2016 15:03:26 +0000 (17:03 +0200)]
kernel-netlink: Consistently print mark in log messages only if set

3 years agokernel-netlink: Provide error information for Netlink sockets
Tobias Brunner [Fri, 27 May 2016 11:43:41 +0000 (13:43 +0200)]
kernel-netlink: Provide error information for Netlink sockets

 #1467.

3 years agokernel-netlink: Allow definition of a custom priority calculation function
Tobias Brunner [Thu, 28 Apr 2016 16:05:36 +0000 (18:05 +0200)]
kernel-netlink: Allow definition of a custom priority calculation function

3 years agoMerge branch 'ipsec-sa-cfg-equals'
Tobias Brunner [Thu, 9 Jun 2016 09:46:06 +0000 (11:46 +0200)]
Merge branch 'ipsec-sa-cfg-equals'

Fixes the comparison of ipsec_sa_cfg_t instances in case there is
padding that's not initialized to zero.

Fixes #1503.

3 years agokernel-pfkey: Use ipsec_sa_cfg_equals()
Tobias Brunner [Wed, 8 Jun 2016 14:11:07 +0000 (16:11 +0200)]
kernel-pfkey: Use ipsec_sa_cfg_equals()

3 years agokernel-netlink: Use ipsec_sa_cfg_equals() and compare marks properly
Tobias Brunner [Wed, 8 Jun 2016 14:10:30 +0000 (16:10 +0200)]
kernel-netlink: Use ipsec_sa_cfg_equals() and compare marks properly

3 years agoipsec: Add function to compare two ipsec_sa_cfg_t instances
Tobias Brunner [Wed, 8 Jun 2016 14:06:53 +0000 (16:06 +0200)]
ipsec: Add function to compare two ipsec_sa_cfg_t instances

memeq() is currently used to compare these but if there is padding that
is not initialized the same for two instances the comparison fails.
Using this function ensures the objects are compared correctly.

3 years agoeap-simaka-pseudonym: Properly store mappings
Tobias Brunner [Tue, 24 May 2016 08:26:38 +0000 (10:26 +0200)]
eap-simaka-pseudonym: Properly store mappings

If a pseudonym changed a new entry was added to the table storing
permanent identity objects (that are used as keys in the other table).
However, the old mapping was not removed while replacing the mapping in
the pseudonym table caused the old pseudonym to get destroyed.  This
eventually caused crashes when a new pseudonym had the same hash value as
such a defunct entry and keys had to be compared.

Fixes strongswan/strongswan#46.

3 years agochild-sa: Use non-static variable to store generated unique mark
Tobias Brunner [Thu, 19 May 2016 09:56:44 +0000 (11:56 +0200)]
child-sa: Use non-static variable to store generated unique mark

If two CHILD_SAs with mark=%unique are created concurrently they could
otherwise end up with either the same mark or different marks in both
directions.

3 years agoike: Don't trigger message hook when fragmenting pre-generated messages
Tobias Brunner [Wed, 25 May 2016 07:42:08 +0000 (09:42 +0200)]
ike: Don't trigger message hook when fragmenting pre-generated messages

This is the case for the IKE_SA_INIT and the initial IKEv1 messages, which
are pre-generated in tasks as at least parts of it are used to generate
the AUTH payload.  The IKE_SA_INIT message will never be fragmented, but
the IKEv1 messages might be, so we can't just call generate_message().

Fixes #1478.

3 years agoerror-notify: Notify listeners upon IKE retransmit
Thomas Egerer [Tue, 16 Feb 2016 11:58:20 +0000 (12:58 +0100)]
error-notify: Notify listeners upon IKE retransmit

Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
3 years agotask-manager: Add retransmit cleared alert
Tobias Brunner [Tue, 3 May 2016 09:23:43 +0000 (11:23 +0200)]
task-manager: Add retransmit cleared alert

3 years agotask-manager: Add retransmit count to retransmit send alert
Thomas Egerer [Tue, 16 Feb 2016 11:55:37 +0000 (12:55 +0100)]
task-manager: Add retransmit count to retransmit send alert

Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
3 years agostroke: Permanently store PINs in credential set
Tobias Brunner [Thu, 7 Apr 2016 17:08:59 +0000 (19:08 +0200)]
stroke: Permanently store PINs in credential set

This fixes authentication with tokens that require the PIN for every
signature.

Fixes #1369.

3 years agocontroller: Use separate callbacks to track termination and initiation of SAs
Tobias Brunner [Fri, 6 May 2016 07:08:08 +0000 (09:08 +0200)]
controller: Use separate callbacks to track termination and initiation of SAs

If a local authentication failure occurs in IKEv1 we delete the IKE_SA, which
we don't want the controller to detect as success.

Fixes #1449.

3 years agoikev1: Queue INFORMATIONAL messages during XAuth
Tobias Brunner [Tue, 26 Apr 2016 10:44:49 +0000 (12:44 +0200)]
ikev1: Queue INFORMATIONAL messages during XAuth

Some peers send an INITIAL_CONTACT notify after they received our XAuth
username.  The XAuth task waiting for the third XAuth message handles
this incorrectly and closes the IKE_SA as no configuration payloads are
contained in the message.  We queue the INFORMATIONAL until the XAuth
exchange is complete to avoid this issue.

Fixes #1434.

3 years agoidentification: Compare identity types when comparing ID_FQDN/ID_RFC822_ADDR identities
Tobias Brunner [Wed, 6 Apr 2016 10:16:11 +0000 (12:16 +0200)]
identification: Compare identity types when comparing ID_FQDN/ID_RFC822_ADDR identities

References #1380.

3 years agoikev2: Handle INITIAL_CONTACT notifies also when peer is authenticated with EAP
Tobias Brunner [Tue, 5 Apr 2016 15:42:45 +0000 (17:42 +0200)]
ikev2: Handle INITIAL_CONTACT notifies also when peer is authenticated with EAP

Fixes #1380.

3 years agox509: Properly wrap keyid in authorityKeyIdentifier in attribute certificates
Tobias Brunner [Thu, 31 Mar 2016 10:14:47 +0000 (12:14 +0200)]
x509: Properly wrap keyid in authorityKeyIdentifier in attribute certificates

The correct encoding got lost in bdec2e4f5291 ("refactored openac and
its attribute certificate factory").

Fixes #1370.

3 years agop-cscf: Remove libhydra reference in Makefile
Tobias Brunner [Fri, 27 May 2016 16:24:59 +0000 (18:24 +0200)]
p-cscf: Remove libhydra reference in Makefile

3 years agoaf-alg: Silently skip probing algorithms if AF_ALG is not supported
Martin Willi [Thu, 19 May 2016 09:13:24 +0000 (11:13 +0200)]
af-alg: Silently skip probing algorithms if AF_ALG is not supported

If the af-alg plugin is enabled, but kernel support is missing, we get
an error line during startup for each probed algorithm. This is way too
verbose, so just skip probing if AF_ALG is unsupported.

3 years agoconfigure: Check for a potential -lpthread by using -ldl
Martin Willi [Wed, 18 May 2016 12:44:19 +0000 (14:44 +0200)]
configure: Check for a potential -lpthread by using -ldl

Some pthread library variants depend on libdl, hence we must pass such a
library to successfully build against libpthread.

3 years agoMerge branch 'test-timing'
Andreas Steffen [Sun, 15 May 2016 17:03:49 +0000 (19:03 +0200)]
Merge branch 'test-timing'

3 years agotesting: Changed gcrypt-ikev1 scenarios to swanctl
Andreas Steffen [Sun, 8 May 2016 13:16:24 +0000 (15:16 +0200)]
testing: Changed gcrypt-ikev1 scenarios to swanctl

3 years agotesting: wait until connections are loaded
Andreas Steffen [Mon, 2 May 2016 08:10:56 +0000 (10:10 +0200)]
testing: wait until connections are loaded

3 years agoVersion bump to 5.4.1dr4 5.4.1dr4
Andreas Steffen [Fri, 13 May 2016 10:49:52 +0000 (12:49 +0200)]
Version bump to 5.4.1dr4

3 years agovici: Put source distribution in the dist dir in the build directory
Tobias Brunner [Wed, 11 May 2016 12:32:10 +0000 (14:32 +0200)]
vici: Put source distribution in the dist dir in the build directory

This fixes the out-of-tree build.

3 years agomem-cred: Fix memory leak when replacing existing CRLs
Tobias Brunner [Mon, 2 May 2016 14:04:43 +0000 (16:04 +0200)]
mem-cred: Fix memory leak when replacing existing CRLs

Fixes #1442.

3 years agovici: Add target to build a source package and universal wheel of the Python package
Tobias Brunner [Wed, 11 May 2016 09:23:20 +0000 (11:23 +0200)]
vici: Add target to build a source package and universal wheel of the Python package

3 years agovici: Add README.rst to be used as description on PyPI
Tobias Brunner [Wed, 11 May 2016 09:11:44 +0000 (11:11 +0200)]
vici: Add README.rst to be used as description on PyPI

3 years agovici: Replace dr with dev in version numbers for the Python egg
Tobias Brunner [Tue, 10 May 2016 10:09:24 +0000 (12:09 +0200)]
vici: Replace dr with dev in version numbers for the Python egg

The versioning scheme used by Python (PEP 440) supports the rcN suffix
but development releases have to be named devN, not drN, which are
not supported and considered legacy versions.

3 years agovici: Update setup.py
Tobias Brunner [Tue, 10 May 2016 09:42:10 +0000 (11:42 +0200)]
vici: Update setup.py

3 years agovici: Ensure we read exactly the specified amount of bytes from the socket in Python
Tobias Brunner [Mon, 2 May 2016 13:14:40 +0000 (15:14 +0200)]
vici: Ensure we read exactly the specified amount of bytes from the socket in Python

recv() will return less bytes than specified (as that's the buffer size)
if not as many are ready to be read from the socket.

3 years agoVersion bump to 5.4.1dr3 5.4.1dr3
Andreas Steffen [Sun, 8 May 2016 07:06:16 +0000 (09:06 +0200)]
Version bump to 5.4.1dr3

3 years agoswanctl: indicate initiator and responder in --list-sas
Andreas Steffen [Sat, 7 May 2016 15:54:56 +0000 (17:54 +0200)]
swanctl: indicate initiator and responder in --list-sas

3 years agoVersion bump to 5.4.1dr2 5.4.1dr2
Andreas Steffen [Fri, 6 May 2016 20:29:32 +0000 (22:29 +0200)]
Version bump to 5.4.1dr2

3 years agoMerge branch 'fwd-policy-prio'
Andreas Steffen [Fri, 6 May 2016 20:28:44 +0000 (22:28 +0200)]
Merge branch 'fwd-policy-prio'

3 years agochild-sa: Install "outbound" FWD policy with lower priority
Tobias Brunner [Mon, 2 May 2016 12:21:30 +0000 (14:21 +0200)]
child-sa: Install "outbound" FWD policy with lower priority

This provides a fix if symmetrically overlapping policies are
installed as e.g. the case in the ikev2/ip-two-pools-db scenario:

  carol 10.3.0.1/32 ----- 10.3.0.0/16, 10.4.0.0/16 moon
  alice 10.4.0.1/32 ----- 10.3.0.0/16, 10.4.0.0/16 moon

Among others, the following FWD policies are installed on moon:

  src 10.3.0.1/32 dst 10.4.0.0/16
    ...
    tmpl ...

  src 10.4.0.0/16 dst 10.3.0.1/32
    ...

  src 10.4.0.1/32 dst 10.3.0.0/16
    ...
    tmpl ...

  src 10.3.0.0/16 dst 10.4.0.1/32
    ...

Because the network prefixes are the same for all of these they all have the
same priority.  Due to that it depends on the install order which policy gets
used.  For instance, a packet from 10.3.0.1 to 10.4.0.1 will match the
first as well as the last policy.  However, when handling the inbound
packet we have to use the first one as the packet will otherwise be
dropped due to a template mismatch.  And we can't install templates with
the "outbound" FWD policies as that would prevent using different
IPsec modes or e.g. IPComp on only one of multiple SAs.

Instead we install the "outbound" FWD policies with a lower priority
than the "inbound" FWD policies so the latter are preferred.  But we use
a higher priority than default drop policies would use (in case they'd
be defined with the same subnets).

3 years agokernel-netlink: Check proper watcher state in parallel mode
Tobias Brunner [Wed, 4 May 2016 13:39:51 +0000 (15:39 +0200)]
kernel-netlink: Check proper watcher state in parallel mode

After adding the read callback the state is WATCHER_QUEUED and it is
switched to WATCHER_RUNNING only later by an asynchronous job. This means
that a thread that sent a Netlink message shortly after registration
might see the state as WATCHER_QUEUED.  If it then tries to read the
response and the watcher thread is quicker to actually read the message
from the socket, it could block on recv() while still holding the lock.
And the asynchronous job that actually read the message and tries to queue
it will block while trying to acquire the lock, so we'd end up in a deadlock.

This is probably mostly a problem in the unit tests.

3 years agotrap-manager: Allow local address to be unspecified
Tobias Brunner [Wed, 27 Apr 2016 08:56:54 +0000 (10:56 +0200)]
trap-manager: Allow local address to be unspecified

If there is currently no route to reach the other peer we just default
to left=%any.  The local address is only really used to resolve
leftsubnet=%dynamic anyway (and perhaps for MIPv6 proxy transport mode).

Fixes #1375.

3 years agokernel-netlink: Order routes by prefix before comparing priority/metric
Tobias Brunner [Mon, 18 Apr 2016 16:39:35 +0000 (18:39 +0200)]
kernel-netlink: Order routes by prefix before comparing priority/metric

Metrics are basically defined to order routes with equal prefix, so ordering
routes by metric first makes not much sense as that could prefer totally
unspecific routes over very specific ones.

For instance, the previous code did break installation of routes for
passthrough policies with two routes like these in the main routing table:

  default via 192.168.2.1 dev eth0 proto static
  192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.10 metric 1

Because the default route has no metric set (0) it was used, instead of the
more specific other one, to determine src and next hop when installing a route
for a passthrough policy for 192.168.2.0/24.  Therefore, the installed route
in table 220 did then incorrectly redirect all local traffic to "next hop"
192.168.2.1.

The same issue occurred when determining the source address while
installing trap policies.

Fixes 6b57790270fb ("kernel-netlink: Respect kernel routing priorities for IKE routes").
Fixes #1416.

3 years agoikev1: Activate DELETE tasks before other tasks in state ESTABLISHED
Tobias Brunner [Fri, 15 Apr 2016 10:04:32 +0000 (12:04 +0200)]
ikev1: Activate DELETE tasks before other tasks in state ESTABLISHED

Fixes #1410.

3 years agoikev1: Don't use rekeyed CHILD_SAs for rekey detection
Tobias Brunner [Wed, 20 Apr 2016 11:56:55 +0000 (13:56 +0200)]
ikev1: Don't use rekeyed CHILD_SAs for rekey detection

An old (already rekeyed) CHILD_SA would get switched back into CHILD_REKEYING
state.  And we actually want to change the currently installed CHILD_SA to
that state and later CHILD_REKEYED and properly call e.g. child_rekey() and
not do this again with an old CHILD_SA.  Instead let's only check installed
or currently rekeying CHILD_SAs (in case of a rekey collision).  It's also
uncommon that there is a CHILD_SA in state CHILD_REKEYED but none in state
CHILD_INSTALLED or CHILD_REKEYING, which could happen if e.g. a peer deleted
and recreated a CHILD_SA after a rekeying.  But in that case we don't want
to treat the new CHILD_SA as rekeying (e.g. in regards to events on the bus).

3 years agoikev1: Don't call updown hook etc. when deleting redundant CHILD_SAs
Tobias Brunner [Wed, 20 Apr 2016 12:14:05 +0000 (14:14 +0200)]
ikev1: Don't call updown hook etc. when deleting redundant CHILD_SAs

Fixes #1421.

3 years agoandroid: New release after fixing a crash during certificate imports
Tobias Brunner [Fri, 6 May 2016 10:50:51 +0000 (12:50 +0200)]
android: New release after fixing a crash during certificate imports

3 years agoandroid: Avoid IllegalStateException when importing certificates
Tobias Brunner [Fri, 6 May 2016 10:41:33 +0000 (12:41 +0200)]
android: Avoid IllegalStateException when importing certificates

When certificates are imported via Storage Access Framework we did handle
the selection directly in onActivityResult().  However, at that point the
activity might apparently not yet be resumed.  So committing
FragmentTransactions could result in IllegalStateExceptions due to the
potential state loss.  To avoid that we cache the returned URI and wait
until onPostResume() to make sure the activity's state is fully restored
before showing the confirmation dialog.

3 years agoswanctl: Do not display rekey times for shunts
Andreas Steffen [Thu, 5 May 2016 12:53:22 +0000 (14:53 +0200)]
swanctl: Do not display rekey times for shunts

3 years agoMerge branch 'list-conns-plus'
Andreas Steffen [Wed, 4 May 2016 16:16:32 +0000 (18:16 +0200)]
Merge branch 'list-conns-plus'

3 years agotesting: Use reauthentication and set CHILD_SA rekey time, bytes and packets limits
Andreas Steffen [Tue, 3 May 2016 16:24:55 +0000 (18:24 +0200)]
testing: Use reauthentication and set CHILD_SA rekey time, bytes and packets limits

3 years agovici list-conns sends reauthentication and rekeying time information
Andreas Steffen [Tue, 3 May 2016 15:33:43 +0000 (17:33 +0200)]
vici list-conns sends reauthentication and rekeying time information

3 years agoswanctl: --list-conns shows eap_id, xauth_id and aaa_id
Andreas Steffen [Fri, 29 Apr 2016 15:33:57 +0000 (17:33 +0200)]
swanctl: --list-conns shows eap_id, xauth_id and aaa_id

3 years agotesting: uses xauth_id in swanctl/xauth-rsa scenario
Andreas Steffen [Fri, 29 Apr 2016 15:33:21 +0000 (17:33 +0200)]
testing: uses xauth_id in swanctl/xauth-rsa scenario

3 years agoandroid: New release after reducing number of DH groups in proposal
Tobias Brunner [Wed, 4 May 2016 10:07:36 +0000 (12:07 +0200)]
android: New release after reducing number of DH groups in proposal

3 years agoproposal: Remove some weaker and rarely used DH groups from the default proposal
Tobias Brunner [Wed, 4 May 2016 09:26:38 +0000 (11:26 +0200)]
proposal: Remove some weaker and rarely used DH groups from the default proposal

This fixes an interoperability issue with Windows Server 2012 R2 gateways.
They insist on using modp1024 for IKE, however, Microsoft's IKEv2
implementation seems only to consider the first 15 DH groups in the proposal.
Depending on the loaded plugins modp1024 is now at position 17 or even
later, causing the server to reject the proposal.  By removing some of
the weaker and rarely used DH groups from the default proposal we make
sure modp1024 is among the first 15 DH groups.  The removed groups may
still be used by configuring custom proposals.