Tobias Brunner [Wed, 8 Jul 2015 13:28:46 +0000 (15:28 +0200)]
ike-sa-manager: Safely access the RNG instance with an rwlock
Threads might still be allocating SPIs (e.g. triggered by an acquire or
an inbound message) while the main thread calls flush(). If there is a
context switch right after such a thread successfully checked this->rng
in get_spi() and the main thread destroys the RNG instance right then,
that worker thread will cause a segmentation fault when it continues and
attempts to call get_bytes().
Fixes #1014.
Martin Willi [Thu, 2 Jul 2015 07:10:21 +0000 (09:10 +0200)]
vici: Asynchronize debug logging
The vici logger uses the listener_t.log() callback to raise vici events.
When doing so, it holds the bus lock as reader while acquiring the vici socket
mutex (1). If at the same time the vici socket enables a writer, that thread
tries to lock the watcher mutex (2). The watcher thread uses debugging while
holding the lock, i.e. acquires the bus read lock (3).
(1) bus.rlock -> vici.lock!
(2) vici.lock -> watcher.lock!
(3) watcher.lock -> bus.rlock!
This all actually would resolve just fine, as we have a shared read lock on the
bus. However, under Windows we seem to have a strict writer preference when
acquiring the rwlock (4). This results in blocking read locks until any pending
write lock can be fulfilled, and makes the constellation deadlock. The relevant
threads are:
Thread (1)
6 0x71313d25 in wait_ at threading/windows/mutex.c:137
7 0x7054c8a2 in find_entry at vici_socket.c:201
8 0x7054d690 in send_ at vici_socket.c:624
9 0x7054f6c1 in send_op at vici_dispatcher.c:119
10 0x705502c1 in raise_event at vici_dispatcher.c:469
12 0x704c3878 in log_cb at bus/bus.c:332
13 0x712c7c3a in invoke_function at collections/linked_list.c:414
14 0x704c3a63 in vlog at bus/bus.c:400
15 0x704c3b36 in log_ at bus/bus.c:430
18 0x70508f1f in process_response at sa/ikev2/task_manager_v2.c:664
20 0x704f5430 in process_message at sa/ike_sa.c:1369
21 0x704e3823 in execute at processing/jobs/process_message_job.c:74
22 0x712e629f in process_job at processing/processor.c:235
Thread (2)
4 0x71313b61 in lock at threading/windows/mutex.c:66
5 0x712e81fd in add at processing/watcher.c:441
6 0x712e1ab9 in add_watcher at networking/streams/stream.c:213
7 0x712e1b4d in on_write at networking/streams/stream.c:237
8 0x7054d606 in _cb_enable_writer at vici_socket.c:609
9 0x712e5e34 in execute at processing/jobs/callback_job.c:77
10 0x712e629f in process_job at processing/processor.c:235
Thread (3)
3 0x71313f38 in read_lock at threading/windows/rwlock.c:74
4 0x704c3971 in vlog at bus/bus.c:373
5 0x704cc156 in dbg_bus at daemon.c:126
6 0x712e7bf9 in watch at processing/watcher.c:316
7 0x712e5e34 in execute at processing/jobs/callback_job.c:77
8 0x712e629f in process_job at processing/processor.c:235
Thread (4)
3 0x71313f70 in write_lock at threading/windows/rwlock.c:82
4 0x704c378b in remove_logger at bus/bus.c:290
5 0x704cb284 in listener_unregister at control/controller.c:166
6 0x713136cd in thread_cleanup_pop at threading/windows/thread.c:558
8 0x704cb94e in initiate at control/controller.c:435
9 0x70553996 in _cb_initiate at vici_control.c:187
12 0x7054d200 in _cb_process_queue at vici_socket.c:508
13 0x712e5e34 in execute at processing/jobs/callback_job.c:77
14 0x712e629f in process_job at processing/processor.c:235
To avoid such a situation, we dissolve the (1) lock sequence. It's actually
never good practice to acquire shared locks during bus hooks, as it is
problematic if we raise bus events while holding the lock. We do so by
raising vici events for log message asynchronously, but of curse must keep
log order as is using a synchronized queue.
Martin Willi [Sun, 12 Jul 2015 11:55:08 +0000 (13:55 +0200)]
Merge branch 'chapoly'
Add ChaCha20/Poly1305 AEAD support in IKEv2 and libipsec ESP through the
chapoly plugin, and in kernel ESP SAs starting with Linux 4.2.
Martin Willi [Sun, 12 Jul 2015 11:42:11 +0000 (13:42 +0200)]
NEWS: Add ChaCha20/Poly1305 news
Martin Willi [Mon, 1 Jun 2015 08:01:56 +0000 (10:01 +0200)]
testing: Enable AESNI/PCLMULQD in moon/sun guests, if supported
Martin Willi [Fri, 29 May 2015 20:29:59 +0000 (22:29 +0200)]
testing: Do not overwrite kernel configuration if it already exists
This allows us to do changes to the kernel configuration using menuconfig
and friends, and update the kernel with make-testing.
Martin Willi [Fri, 29 May 2015 20:28:05 +0000 (22:28 +0200)]
testing: Extract and patch each kernel version only once
This allows us to do modifications to the kernel tree and rebuild that kernel
using make-testing. We can even have a git kernel tree in a directory to
do kernel development.
Martin Willi [Fri, 29 May 2015 20:42:04 +0000 (22:42 +0200)]
testing: Build with --enable-chapoly
Martin Willi [Mon, 27 Apr 2015 13:40:08 +0000 (15:40 +0200)]
libipsec: Add a unit-test for ESP encryption using ChaCha20Poly1305
Martin Willi [Mon, 27 Apr 2015 12:13:58 +0000 (14:13 +0200)]
libipsec: Add a unit-test test runner
Martin Willi [Mon, 27 Apr 2015 11:11:02 +0000 (13:11 +0200)]
unit-tests: Add a IKEv2 message encryption test case
It uses the ChaCha20Poly1305 test vectors from
draft-ietf-ipsecme-chacha20-poly1305-06.
Martin Willi [Tue, 14 Apr 2015 08:21:06 +0000 (10:21 +0200)]
unit-tests: Increase failure message buffer to hold larger hex dumps
Martin Willi [Mon, 27 Apr 2015 11:09:25 +0000 (13:09 +0200)]
unit-tests: Forward variable argument list in TEST_SUITE_DEPEND
For some plugin features, such as crypters or AEADs, we have some additional
feature arguments, such as the key size.
Martin Willi [Mon, 27 Apr 2015 11:06:39 +0000 (13:06 +0200)]
unit-tests: Load libstrongswan plugins in libcharon tests
Martin Willi [Tue, 7 Apr 2015 09:28:51 +0000 (11:28 +0200)]
chapoly: Process two Poly1305 blocks in parallel in SSSE3 driver
By using a derived key r^2 we can improve performance, as we can do loop
unrolling and slightly better utilize SIMD instructions.
Overall ChaCha20-Poly1305 performance increases by ~12%.
Converting integers to/from our 5-word representation in SSE does not seem
to pay off, so we work on individual words.
Martin Willi [Sun, 5 Apr 2015 19:50:03 +0000 (21:50 +0200)]
chapoly: Process four ChaCha20 blocks in parallel in SSSE3 driver
As we don't have to shuffle the state in each ChaCha round, overall performance
for ChaCha20-Poly1305 increases by ~40%.
Martin Willi [Thu, 2 Apr 2015 13:11:02 +0000 (15:11 +0200)]
chapoly: Add an SSSE3 based driver
We always build the driver on x86/x64, but enable it only if SSSE3 support
is detected during runtime.
Poly1305 uses parallel 32-bit multiplication operands yielding a 64-bit result,
for which two can be done in parallel in SSE. This is minimally faster than
multiplication with 64-bit operands, and also works on 32-bit builds not having
a __int128 result type.
On a 32-bit architecture, this is more than twice as fast as the portable
driver, and on 64-bit it is ~30% faster.
Martin Willi [Thu, 2 Apr 2015 13:08:34 +0000 (15:08 +0200)]
configure: Check if building against a x86/x64 architecture
This allows us to include compiler flags specific for them, such as MMX/SSE.
Martin Willi [Thu, 2 Apr 2015 10:26:34 +0000 (12:26 +0200)]
chapoly: Add a ChaCha20/Poly1305 driver implemented in portable C
Martin Willi [Wed, 1 Apr 2015 17:17:25 +0000 (19:17 +0200)]
chapoly: Provide a generic ChaCha20/Poly1305 AEAD supporting driver backends
Martin Willi [Wed, 1 Apr 2015 17:16:33 +0000 (19:16 +0200)]
test-vectors: Add some initial ChaCha20/Poly1305 AEAD test vector
Martin Willi [Fri, 29 May 2015 20:26:34 +0000 (22:26 +0200)]
kernel-netlink: Add ChaCha20-Poly1305 AEAD support
Martin Willi [Tue, 7 Apr 2015 12:56:51 +0000 (14:56 +0200)]
libipsec: Create AEAD with four byte salt for ChaCha20-Poly1305
Martin Willi [Fri, 29 May 2015 21:21:39 +0000 (23:21 +0200)]
ikev2: Derive additional 4 byte CHILD_SA nonce keymat for ChaCha20-Poly1305
Martin Willi [Sun, 5 Apr 2015 12:29:29 +0000 (14:29 +0200)]
ikev2: Use four byte salt for ChaCha20-Poly1305 AEAD
Martin Willi [Wed, 1 Apr 2015 17:15:30 +0000 (19:15 +0200)]
proposal: Add a chacha20poly1305 proposal keyword
Martin Willi [Wed, 1 Apr 2015 17:14:47 +0000 (19:14 +0200)]
crypter: Define a ChaCha20/Poly1305 AEAD algorithm identifier
Tobias Brunner [Tue, 23 Jun 2015 07:46:18 +0000 (09:46 +0200)]
capabilities: Handle ERANGE in user and group lookups
As it turns out, getpwnam_r, getgrnam_r, and friends will return
ERANGE if _any_ user or group on the system is larger than will fit
into the scratch buffer you pass to them.
This reworks the resolve_uid and resolve_gid methods plus
init_supplementary_groups to use a variable-size buffer that is grown
until the results fit.
Based on a patch by Evan Broder.
Closes strongswan/strongswan#12.
Martin Willi [Tue, 24 Mar 2015 13:20:15 +0000 (14:20 +0100)]
osx: Version bump to 5.3.2-1
Martin Willi [Tue, 24 Mar 2015 13:15:36 +0000 (14:15 +0100)]
osx: Use CodeSignOnCopy for privileged helper, as suggested by XCode
Martin Willi [Tue, 24 Mar 2015 13:14:59 +0000 (14:14 +0100)]
charon-xpc: Use DNS non-append/replace mode in osx-attr plugin
Martin Willi [Tue, 24 Mar 2015 13:14:20 +0000 (14:14 +0100)]
osx-attr: Optionally replace existing DNS server instead of appending them
Tobias Brunner [Mon, 15 Jun 2015 12:12:14 +0000 (14:12 +0200)]
Remove accidentally added stamp-h1
Was added in
bc4748832395 ("Add a return value to prf_t.get_bytes()").
Tobias Brunner [Thu, 11 Jun 2015 10:32:33 +0000 (12:32 +0200)]
settings: Fix out-of-tree build
The header file was created in the source directory before, where it
wasn't found by the generated C files in the build directory.
Tobias Brunner [Tue, 9 Jun 2015 08:24:25 +0000 (10:24 +0200)]
stroke: Add missing include for UINT16_MAX
Fixes the build on FreeBSD.
Fixes #988.
Andreas Steffen [Mon, 8 Jun 2015 07:56:34 +0000 (09:56 +0200)]
Version bump to 5.3.2
Tobias Brunner [Wed, 3 Jun 2015 10:33:58 +0000 (12:33 +0200)]
NEWS: Add info about CVE-2015-4171
Martin Willi [Wed, 3 Jun 2015 08:52:34 +0000 (10:52 +0200)]
ikev2: Enforce remote authentication config before proceeding with own authentication
Previously the constraints in the authentication configuration of an
initiator were enforced only after all authentication rounds were
complete. This posed a problem if an initiator used EAP or PSK
authentication while the responder was authenticated with a certificate
and if a rogue server was able to authenticate itself with a valid
certificate issued by any CA the initiator trusted.
Because any constraints for the responder's identity (rightid) or other
aspects of the authentication (e.g. rightca) the initiator had were not
enforced until the initiator itself finished its authentication such a rogue
responder was able to acquire usernames and password hashes from the client.
And if a client supported EAP-GTC it was even possible to trick it into
sending plaintext passwords.
This patch enforces the configured constraints right after the responder's
authentication successfully finished for each round and before the initiator
starts with its own authentication.
Fixes CVE-2015-4171.
Martin Willi [Mon, 1 Jun 2015 08:10:19 +0000 (10:10 +0200)]
child-sa: Use any fixed reqid configured on the CHILD_SA config
Global reqid allocation (
94eb09ac) broke fixed reqid allocation. Resupport them
by bypassing allocation in the kernel if a fixed reqid has been configured.
Fixes #976.
Tobias Brunner [Wed, 3 Jun 2015 10:29:02 +0000 (12:29 +0200)]
unit-tests: Add tests for iv_gen_seq_t
Martin Willi [Tue, 2 Jun 2015 12:08:42 +0000 (14:08 +0200)]
ivgen: Allow reusing the same message ID twice in sequential IV gen
We use the message ID and fragment number as IV generator. As IKEv2 uses
distinct message ID counters for actively and passively initiated exchanges,
each IV would be used twice. As we explicitly reject such message IDs since
d0ed1079, original-responder initiated exchanges fail with counter mode ciphers.
This commit separates IV space in two halves for sequential IVs, and
automatically assigns once reused sequence numbers to the second half.
Fixes #980.
Andreas Steffen [Fri, 5 Jun 2015 10:09:38 +0000 (12:09 +0200)]
Fix timeattack script compilation under ARM
Andreas Steffen [Tue, 2 Jun 2015 04:51:41 +0000 (06:51 +0200)]
Updated SWID attribute list
Andreas Steffen [Mon, 1 Jun 2015 07:50:48 +0000 (09:50 +0200)]
Version bump to 5.3.1
Tobias Brunner [Thu, 21 May 2015 15:17:51 +0000 (17:17 +0200)]
NEWS: Add info about CVE-2015-3991
Tobias Brunner [Fri, 15 May 2015 10:19:27 +0000 (12:19 +0200)]
message: Log message if unknown/disallowed payload received
Tobias Brunner [Fri, 15 May 2015 09:35:40 +0000 (11:35 +0200)]
message: Log original message type of unknown payloads
Tobias Brunner [Fri, 15 May 2015 09:15:57 +0000 (11:15 +0200)]
unknown-payload: Use a new private payload type and make original type available
This fixes a DoS and potential remote code execution vulnerability that was
caused because the original payload type that was returned previously was
used to cast such payload objects to payloads of the indicated type (e.g.
when logging notify payloads with a payload type for the wrong IKE version).
Fixes CVE-2015-3991.
Martin Willi [Fri, 17 Apr 2015 12:19:37 +0000 (14:19 +0200)]
ikev2: Include fragment number into message ID passed to IV gen
When using a cipher with sequential IVs, we never must pass an identical IV
to the IV generator. To avoid it when using IKEv2 fragmentation, use the lower
bits of the 64-bit message ID as the fragment number.
Martin Willi [Fri, 17 Apr 2015 14:16:45 +0000 (16:16 +0200)]
iv-gen: Fail getting shorter IV values than the used counter size
While no algorithm actually uses such short IVs, we add a check here to ensure
we won't return just the lower bits of the counter.
Martin Willi [Fri, 17 Apr 2015 12:08:14 +0000 (14:08 +0200)]
iv-gen: Ensure external sequential IVs are actually sequential
We allow gaps in IVs, but ensure that an IV is never used more than once.
Martin Willi [Fri, 17 Apr 2015 12:19:05 +0000 (14:19 +0200)]
message: Show the fragmentation numbers in message stringification
Andreas Steffen [Sat, 30 May 2015 14:56:41 +0000 (16:56 +0200)]
testing: use a decent PSK
Andreas Steffen [Sat, 30 May 2015 14:48:17 +0000 (16:48 +0200)]
testing: Added ha/active-passive scenario
Andreas Steffen [Thu, 28 May 2015 04:26:43 +0000 (06:26 +0200)]
Added 5.3.1 caption to NEWS
Tobias Brunner [Wed, 27 May 2015 10:59:39 +0000 (12:59 +0200)]
ha: Document tunnel parameter
Tobias Brunner [Tue, 26 May 2015 13:43:46 +0000 (15:43 +0200)]
ha: Skip SA for sync messages when resyncing HA segments
Tobias Brunner [Tue, 26 May 2015 10:47:17 +0000 (12:47 +0200)]
ha: Move plugin initialization from constructor to plugin callback
This fixes support for the secret option, as otherwise the kernel interface
is not registered yet when the trap policy is installed.
Martin Willi [Wed, 20 May 2015 08:56:23 +0000 (10:56 +0200)]
libtls: As client, reject DH exchanges using primes smaller than 1024 bit
While the server signs the ephemeral DH parameters, it can be tricked to its
lowest supported DH group by a man-in-the-middle:
https://weakdh.org/imperfect-forward-secrecy.pdf
While we at least use 2048-bit DH groups as server, the client accepts any
DH prime the server sends. If it supports export ciphers, only a 512-bit prime
may be used.
As TLS does not define nor negotiate a DH group for cipher suites, the client
actually must accept what the server offers. To avoid downgrades to weak
DH groups, we must reject what we consider insecure. We set this limit to
1024-bit primes. While this breaks compatibility with TLS servers using weaker
primes, this is what we expect servers at least use. Most browser vendors use
the same limit in a similar fix.
Andreas Steffen [Sun, 24 May 2015 09:15:36 +0000 (11:15 +0200)]
Check for NULL installed packages enumerator
Andreas Steffen [Sun, 24 May 2015 09:13:51 +0000 (11:13 +0200)]
Fixed os_info path in strongswan.conf
Andreas Steffen [Sun, 24 May 2015 07:17:29 +0000 (09:17 +0200)]
List attribute request entries also during build
Tobias Brunner [Fri, 22 May 2015 11:30:10 +0000 (13:30 +0200)]
testing: Include iperf and htop in base image
Tobias Brunner [Wed, 20 May 2015 16:21:15 +0000 (18:21 +0200)]
stroke: Dynamically resize stroke messages
The maximum size of a stroke message is currently 64k due to the 2 byte
length field.
Fixes #943.
Tobias Brunner [Tue, 31 Mar 2015 08:51:22 +0000 (10:51 +0200)]
vici: Explicitly disable --user-install when installing Ruby Gem
Only one of `--user-install` and `--install-dir` may be set and if
`--user-install` is the default on a system installation will fail
unless we disable it explicitly.
Fixes #914.
Tobias Brunner [Thu, 21 May 2015 09:05:05 +0000 (11:05 +0200)]
vici: Make installation of Ruby Gem and Python Egg optional
Installing them might not work well when building distro packages (e.g.
with DESTDIR installs). It might be easier to install them later with a
script in the distro package.
When building from source on the local system it could still be useful to
install the packages directly, which can be enabled with separate configure
options.
The main problem with DESTDIR installations of the Python Egg is that
easy_install creates or modifies a file called easy-install.pth in the
installation directory. So it's not actually possible to simply copy
the results in DESTDIR over to the actual system as that file would have
to be merged with any existing one.
Fixes #914.
Tobias Brunner [Tue, 31 Mar 2015 13:40:30 +0000 (15:40 +0200)]
vici: Support out-of-tree build of Python Egg
We also don't require setup.py to exist during cleanup, as e.g. with
make distcheck the source directory is not writable when the build directory
is cleaned, so setup.py can't be created (to just get removed again anyway
if VICI and the Python Eggs haven't been enabled previously).
Tobias Brunner [Tue, 12 May 2015 14:59:20 +0000 (16:59 +0200)]
ikev1: When a reauth is detected explicitly delete the old IKE_SA
Instead of just implicitly destroying the old SA we properly delete it to
notify the other peer (if the other peer keeps the SA up after the
reauthentication and sends DPDs it might consider us dead even though the
new SA is up, that seems to be the case with racoon). We delay the DELETE
a bit to give the other peer time to get the new SA fully established.
Since DELETE messages are not retransmitted it is still possible that
the other peer misses that we deleted the SA.
Tobias Brunner [Thu, 21 May 2015 13:40:05 +0000 (15:40 +0200)]
Merge branch 'accounting-fixes'
This fixes the usage stats reported via RADIUS Accounting in several
corner cases (e.g. with interim updates while rekeying a CHILD_SA).
Fixes #891.
Tobias Brunner [Fri, 27 Mar 2015 13:49:38 +0000 (14:49 +0100)]
libipsec: Insert SAs first, so latest SA with the same reqid gets used
This was useful for testing purposes of RADIUS accounting, but OS kernels
generally will use the latest SA, so we do the same.
Tobias Brunner [Wed, 25 Mar 2015 17:20:01 +0000 (18:20 +0100)]
eap-radius: Keep track of stats for SAs migrated during IKEv1 reauthentication
Tobias Brunner [Wed, 25 Mar 2015 17:11:22 +0000 (18:11 +0100)]
ikev1: Trigger children_migrate event if CHILD_SAs are adopted
Tobias Brunner [Wed, 25 Mar 2015 17:05:57 +0000 (18:05 +0100)]
bus: Add new hook called when IKEv1 CHILD_SAs are migrated to a new IKE_SA
The interface is currently not very nice, but if we ever were able to
safely checkout multiple SAs concurrently we could add something similar
to ike_rekey() and call that when we detect a reauthentication.
Tobias Brunner [Wed, 25 Mar 2015 15:47:24 +0000 (16:47 +0100)]
eap-radius: Remove cache entries for expired SAs during ike/child_rekey
Tobias Brunner [Tue, 24 Mar 2015 16:38:49 +0000 (17:38 +0100)]
eap-radius: Add cache for usage stats of expired/rekeyed SAs
There are several situations that the previous code didn't handle that
well, for example, interim updates during rekeying (until the rekeyed SA
was deleted the numbers were too high, then suddenly dropped afterwards),
or rekeying for IKEv1 in general because rekeyed IPsec SAs stay installed
until they expire (so if they were still around when the IKE_SA was
terminated, the reported numbers in the Stop message were too high).
If intermediate updates are not used the cache entries for rekeyed
CHILD_SA will accumulate, we can't clean them up as we don't get
child_updown() events for them.
Tobias Brunner [Wed, 15 Apr 2015 16:03:42 +0000 (18:03 +0200)]
libradius: Verify message ID of RADIUS responses
If we sent retransmits for a message and didn't receive a response it might
still arrive later. Such a message will be queued on the socket. The next
read will then return not the expected response but the one for the earlier
request. For this message the verification will fail and the message gets
discarded. But with the earlier code the actual response was never received.
Instead, a subsequent request resulted in the same failure and so on.
Fixes #838.
Tobias Brunner [Thu, 9 Apr 2015 12:43:07 +0000 (14:43 +0200)]
kernel-netlink: Ignore unusable routes
Tobias Brunner [Tue, 14 Apr 2015 07:56:10 +0000 (09:56 +0200)]
kernel-netlink: Make buffer size for received Netlink messages configurable
Tobias Brunner [Thu, 21 May 2015 07:32:37 +0000 (09:32 +0200)]
testing: Don't check parent dir (and subdirs) when downloading OpenSSL packages
Andreas Steffen [Tue, 19 May 2015 20:54:00 +0000 (22:54 +0200)]
Exempt ignored PA-TNC attributes from error handling
Tobias Brunner [Tue, 19 May 2015 14:59:35 +0000 (16:59 +0200)]
testing: Fix kernel download URL for kernel versions != 4.x
Adrian-Ken Rueegsegger [Tue, 19 May 2015 11:26:28 +0000 (13:26 +0200)]
man: Clarification of ah keyword description
Tobias Brunner [Tue, 5 May 2015 16:11:50 +0000 (18:11 +0200)]
starter: Ensure the daemon executable exists when starting up
The only purpose of starter is to control the IKE daemon, so we
terminate it if the daemon executable is not found (e.g. because
DAEMON_NAME is incorrect).
This removes the charonstart setting (it was not actually configurable
anymore).
Tobias Brunner [Tue, 5 May 2015 15:50:27 +0000 (17:50 +0200)]
starter: Remove START_CHARON compile flag
Since the removal of pluto this is quite superfluous. The flag itself
might be useful to avoid starting charon if the executable does not
exist for some reason (e.g. if DAEMON_NAME is incorrect).
Tobias Brunner [Tue, 5 May 2015 15:52:34 +0000 (17:52 +0200)]
charon-nm: Disable leak-detective in charon-nm
It segfaults immediately if it is enabled, at least on Ubuntu 14.04.
Tobias Brunner [Tue, 5 May 2015 09:48:13 +0000 (11:48 +0200)]
testing: Fix URL to TNC@FHH project in scenario descriptions
Reto Buerki [Tue, 5 May 2015 08:08:35 +0000 (10:08 +0200)]
testing: Update TKM assert strings
Reto Buerki [Tue, 5 May 2015 07:29:21 +0000 (09:29 +0200)]
testing: Update alog to version 0.3.1
Reto Buerki [Tue, 5 May 2015 07:27:37 +0000 (09:27 +0200)]
testing: Update tkm to version 0.1.2
Reto Buerki [Tue, 5 May 2015 07:26:57 +0000 (09:26 +0200)]
testing: Update tkm-rpc to version 0.2
Tobias Brunner [Tue, 5 May 2015 07:51:19 +0000 (09:51 +0200)]
child-create: Destroy nonceg in migrate()
Since another nonce gets allocated later (if any was allocated already)
this would have resulted in a leaked nonce context ID when used in charon-tkm.
Tobias Brunner [Tue, 5 May 2015 07:49:45 +0000 (09:49 +0200)]
child-create: Fix error handling if nonceg can't be created
As with ike-init we can't return NULL in the task constructor.
Tobias Brunner [Tue, 5 May 2015 07:39:11 +0000 (09:39 +0200)]
ike-init: Fix error handling if nonceg can't be created
Returning FAILED in the constructor is wrong, but returning NULL doesn't work
either as it's currently assumed tasks always can be created.
Therefore, delay this check until we actually try to allocate a nonce.
Tobias Brunner [Tue, 5 May 2015 07:37:42 +0000 (09:37 +0200)]
ike-init: Fix compiler warning
Martin Willi [Tue, 5 May 2015 08:37:34 +0000 (10:37 +0200)]
swanctl: Fix --uri option
As we now pass the vici connection to the command dispatcher callback, we can't
parse the --uri option to create the connection from the same callback. Instead
pre-process the common command options in a separate loop, and ignore the same
options while processing the actual command.
Tobias Brunner [Mon, 4 May 2015 16:19:13 +0000 (18:19 +0200)]
Merge branch 'tkm-fixes'
This fixes several issues with charon-tkm (e.g. nonce context ID leaks during
rekey collisions).
Adrian-Ken Rueegsegger [Tue, 21 Apr 2015 14:34:06 +0000 (16:34 +0200)]
charon-tkm: Also store local SPI in SAD
Reto Buerki [Thu, 23 Apr 2015 09:19:24 +0000 (11:19 +0200)]
ike-init: Make nonceg a member of ike_init struct
This allows to control the life-cycle of a nonce in the context of the
ike init task. In the TKM use-case the nonce generator cannot be
destroyed before the ike init task is finalized, otherwise the created
nonce is detected as stale.
Reto Buerki [Thu, 23 Apr 2015 06:46:18 +0000 (08:46 +0200)]
child-create: Make nonceg a member of child_create struct
This allows to control the life-cycle of a nonce in the context of the
child create task. In the TKM use-case, it is required to reset the
nonce context if the created nonce is not consumed. This happens if the
child SA negotiation fails and it is detected before the SA is
established via the TKM kernel plugin (i.e. rekey collision).
Reto Buerki [Thu, 23 Apr 2015 07:41:12 +0000 (09:41 +0200)]
charon-tkm: Reset stale nonce contexts
If the nonce generator detects a stale nonce upon destroy(), it resets
the context in the TKM and releases associated resources in the ID
manager and chunk map.
Also, do not acquire the nonce context ID in tkm_nonceg_create function
but rather when the nonce is actually created by get_nonce().
The nonces created with get_nonce must also be registered in the chunk map.