strongswan.git
6 months agoAvoid enumerating certificates with non-matching key type
SophieK [Tue, 21 May 2019 01:28:21 +0000 (09:28 +0800)]
Avoid enumerating certificates with non-matching key type

If the key type was specified but the ID was NULL or matched a subject, it
was possible that a certificate was returned that didn't actually match
the requested key type.

Closes strongswan/strongswan#141.

6 months agoVersion bump to 5.8.0 5.8.0
Andreas Steffen [Mon, 20 May 2019 10:31:08 +0000 (12:31 +0200)]
Version bump to 5.8.0

6 months agoproposal: Add missing curve448/x448 keywords
Tobias Brunner [Fri, 17 May 2019 15:15:38 +0000 (17:15 +0200)]
proposal: Add missing curve448/x448 keywords

Fixes #3064.

6 months agonm: Version bump to 1.4.5
Tobias Brunner [Tue, 14 May 2019 08:38:12 +0000 (10:38 +0200)]
nm: Version bump to 1.4.5

6 months agoVersion bump to 5.8.0rc1 5.8.0rc1
Andreas Steffen [Fri, 10 May 2019 10:55:48 +0000 (12:55 +0200)]
Version bump to 5.8.0rc1

6 months agotesting: Use strongswan systemd service
Andreas Steffen [Fri, 10 May 2019 10:55:09 +0000 (12:55 +0200)]
testing: Use strongswan systemd service

6 months agotesting: Load PEM keys in ikev2/net2-net-rsa scenario
Andreas Steffen [Fri, 10 May 2019 10:54:28 +0000 (12:54 +0200)]
testing: Load PEM keys in ikev2/net2-net-rsa scenario

6 months agotesting: Copy keys and certs to swanctl/rw-newhope-bliss scenario
Andreas Steffen [Fri, 10 May 2019 10:53:33 +0000 (12:53 +0200)]
testing: Copy keys and certs to swanctl/rw-newhope-bliss scenario

6 months agokeymat_v1: Avoid memory leak during IKE key derivation in some error cases
SophieK [Thu, 9 May 2019 07:20:30 +0000 (15:20 +0800)]
keymat_v1: Avoid memory leak during IKE key derivation in some error cases

Closes strongswan/strongswan#138.

6 months agoMerge branch 'build-certs'
Tobias Brunner [Wed, 8 May 2019 12:57:03 +0000 (14:57 +0200)]
Merge branch 'build-certs'

Adds a script to generate the keys and certificates used for regression
tests dynamically.  They are built with the pki version installed in the
root image so it's not necessary to have an up-to-date version with all
required plugins installed on the host system.

6 months agotesting: Return an error if any command in the certificate build script fails
Tobias Brunner [Wed, 8 May 2019 12:36:27 +0000 (14:36 +0200)]
testing: Return an error if any command in the certificate build script fails

6 months agotesting: Build certificates before guests after building strongSwan
Tobias Brunner [Tue, 7 May 2019 17:21:21 +0000 (19:21 +0200)]
testing: Build certificates before guests after building strongSwan

If the script is run on a clean working copy, building the guests will
fail if the certificates don't exist.

6 months agotesting: Automatically build guest images after generating certificates
Tobias Brunner [Tue, 7 May 2019 17:20:04 +0000 (19:20 +0200)]
testing: Automatically build guest images after generating certificates

This (re-)generates the CRLs on winnetou.

6 months agotesting: Use custom plugin configuration to build SHA-3 CA
Tobias Brunner [Tue, 7 May 2019 17:07:51 +0000 (19:07 +0200)]
testing: Use custom plugin configuration to build SHA-3 CA

6 months agopki: Plugins to load may be defined via PKI_PLUGINS env variable
Tobias Brunner [Tue, 7 May 2019 16:34:49 +0000 (18:34 +0200)]
pki: Plugins to load may be defined via PKI_PLUGINS env variable

6 months agotesting: Fix ikev2/net2net-rsa scenario
Tobias Brunner [Tue, 7 May 2019 14:06:28 +0000 (16:06 +0200)]
testing: Fix ikev2/net2net-rsa scenario

6 months agotesting: Add wrapper script to build certificates in root image
Tobias Brunner [Thu, 18 Apr 2019 13:10:10 +0000 (15:10 +0200)]
testing: Add wrapper script to build certificates in root image

This does not modify the root image but uses the strongSwan version
installed there (avoids build dependencies on version installed on the
host to use pki to generate all the keys and certificates).

6 months agotesting: Upgrade to Linux 5.1 kernel
Andreas Steffen [Mon, 6 May 2019 14:58:44 +0000 (16:58 +0200)]
testing: Upgrade to Linux 5.1 kernel

6 months agopki: Allow inclusion of [unsupported] critical X.509 extension
Andreas Steffen [Mon, 6 May 2019 12:33:49 +0000 (14:33 +0200)]
pki: Allow inclusion of [unsupported] critical X.509 extension

6 months agotesting: Updated build-certs script
Andreas Steffen [Sun, 5 May 2019 16:07:43 +0000 (18:07 +0200)]
testing: Updated build-certs script

6 months agotesting: Deleting dynamic test keys and certificates
Andreas Steffen [Sat, 4 May 2019 13:23:57 +0000 (15:23 +0200)]
testing: Deleting dynamic test keys and certificates

6 months agotesting: Exclude files that are ignored in Git from the distribution
Tobias Brunner [Mon, 29 Apr 2019 12:53:28 +0000 (14:53 +0200)]
testing: Exclude files that are ignored in Git from the distribution

Since the complete hosts and tests directories are part of the tarball
this would include generated certificates and keys.

6 months agotesting: Remove dynamic keys and certs from repository
Andreas Steffen [Sun, 28 Apr 2019 18:39:26 +0000 (20:39 +0200)]
testing: Remove dynamic keys and certs from repository

6 months agotesting: Build data.sql files for SQL test cases
Andreas Steffen [Sun, 28 Apr 2019 15:16:59 +0000 (17:16 +0200)]
testing: Build data.sql files for SQL test cases

6 months agopki: Add different output options for --keyid
Tobias Brunner [Thu, 18 Apr 2019 14:14:16 +0000 (16:14 +0200)]
pki: Add different output options for --keyid

Makes machine-processing these identifiers easier.

6 months agotesting: Build CERT and IPSECKEY RRs for strongswan.org zone
Tobias Brunner [Mon, 15 Apr 2019 16:25:13 +0000 (18:25 +0200)]
testing: Build CERT and IPSECKEY RRs for strongswan.org zone

Also copy generated keys to DNSSEC test cases.

6 months agotesting: Rename public keys in DNSSEC scenarios
Tobias Brunner [Mon, 15 Apr 2019 16:20:20 +0000 (18:20 +0200)]
testing: Rename public keys in DNSSEC scenarios

We will generate PEM-encoded public keys with the script.

6 months agotesting: Convert keys and certificates for all TKM scenarios
Tobias Brunner [Wed, 10 Apr 2019 09:27:11 +0000 (11:27 +0200)]
testing: Convert keys and certificates for all TKM scenarios

6 months agotesting: Disable leak detective in build-certs script
Tobias Brunner [Wed, 10 Apr 2019 07:34:26 +0000 (09:34 +0200)]
testing: Disable leak detective in build-certs script

6 months agotesting: Script building fresh certificates
Andreas Steffen [Mon, 1 Apr 2019 14:21:10 +0000 (16:21 +0200)]
testing: Script building fresh certificates

6 months agosmp: Use correct printf specifier to print SPIs
Tobias Brunner [Tue, 7 May 2019 12:50:11 +0000 (14:50 +0200)]
smp: Use correct printf specifier to print SPIs

6 months agofast: Use correct printf specifier to print content length
Tobias Brunner [Tue, 7 May 2019 12:48:19 +0000 (14:48 +0200)]
fast: Use correct printf specifier to print content length

6 months agolibimcv: Use proper printf specifier for unsigned issuer and responder IDs
Tobias Brunner [Tue, 7 May 2019 12:43:30 +0000 (14:43 +0200)]
libimcv: Use proper printf specifier for unsigned issuer and responder IDs

6 months agoswima-collector: Use proper type for field precision
Tobias Brunner [Tue, 7 May 2019 12:40:58 +0000 (14:40 +0200)]
swima-collector: Use proper type for field precision

6 months agoopenssl: Fix build with OpenSSL 1.1.1 without compatibility layer
Tobias Brunner [Tue, 7 May 2019 09:44:34 +0000 (11:44 +0200)]
openssl: Fix build with OpenSSL 1.1.1 without compatibility layer

If OpenSSL is built with --api, defines for deprecated functions in
OpenSSL's header files are not visible anymore.

Fixes #3045.

6 months agotravis: Build OpenSSL 1.1.1 without compatibility layer for older versions
Tobias Brunner [Tue, 7 May 2019 09:28:29 +0000 (11:28 +0200)]
travis: Build OpenSSL 1.1.1 without compatibility layer for older versions

Configuring 1.1.1 is not actually possible with 1.1.1b, not sure if
that's on purpose.

6 months agotravis: Make sure crypto plugins are actually loaded
Tobias Brunner [Tue, 7 May 2019 11:43:45 +0000 (13:43 +0200)]
travis: Make sure crypto plugins are actually loaded

6 months agostarter: Remove IPsec stack detection
Tobias Brunner [Tue, 7 May 2019 09:03:23 +0000 (11:03 +0200)]
starter: Remove IPsec stack detection

Checking specifically for /proc/net/pfkey is not ideal as af_key will
eventually be removed in Linux kernels.  Support for KLIPS is long gone.
The detection also wasn't used for anything anymore (failures were just
ignored since the ports to BSD-based systems).  And modprobing doesn't seem
to be necessary either (charon-systemd doesn't do that, for instance).

6 months agovici: Add Python command wrappers to tarball
Tobias Brunner [Mon, 6 May 2019 13:51:05 +0000 (15:51 +0200)]
vici: Add Python command wrappers to tarball

Fixes: e0f7da864481 ("vici: Extract command wrappers in Python bindings")

6 months agopki: Fix memory leaks in --signcrl if signature scheme is not found
Tobias Brunner [Tue, 30 Apr 2019 08:25:56 +0000 (10:25 +0200)]
pki: Fix memory leaks in --signcrl if signature scheme is not found

Fixes: dd4bd21c5a22 ("pki: Query private key for supported signature schemes")

6 months agotesting: Update documentation in headers of all updown scripts
Tobias Brunner [Mon, 29 Apr 2019 15:43:04 +0000 (17:43 +0200)]
testing: Update documentation in headers of all updown scripts

6 months agoswanctl: Move documentation of if_id_in/out after all mark-related options
Tobias Brunner [Mon, 29 Apr 2019 15:37:30 +0000 (17:37 +0200)]
swanctl: Move documentation of if_id_in/out after all mark-related options

Also fix a typo.

6 months agoFixed some typos, courtesy of codespell
Tobias Brunner [Mon, 29 Apr 2019 13:07:25 +0000 (15:07 +0200)]
Fixed some typos, courtesy of codespell

6 months agononce: Allow overriding the RNG quality used to generate nonces
Tobias Brunner [Tue, 23 Apr 2019 09:14:44 +0000 (11:14 +0200)]
nonce: Allow overriding the RNG quality used to generate nonces

Usually, changing this won't be necessary (actually, some plugins
specifically use different DRGBs for RNG_WEAK in order to separate
the public nonces from random data used for e.g. DH).
But for experts with special plugin configurations this might be
more flexible and avoids code changes.

6 months agounit-tests: Fix skipping of some ECDSA signature schemes
SophieK [Mon, 29 Apr 2019 06:33:47 +0000 (14:33 +0800)]
unit-tests: Fix skipping of some ECDSA signature schemes

Closes strongswan/strongswan#137.

6 months agoNEWS: Added some news for 5.8.0
Tobias Brunner [Fri, 26 Apr 2019 16:54:58 +0000 (18:54 +0200)]
NEWS: Added some news for 5.8.0

6 months agoMerge branch 'update-vici-bindings'
Tobias Brunner [Fri, 26 Apr 2019 08:19:21 +0000 (10:19 +0200)]
Merge branch 'update-vici-bindings'

Updates the command wrappers in all the bindings and simplifies calling
new commands (i.e. not yet wrapped) with the Python and Ruby bindings.

Fixes #3028.

6 months agovici: Update command wrappers in the Perl bindings
Tobias Brunner [Thu, 25 Apr 2019 09:09:20 +0000 (11:09 +0200)]
vici: Update command wrappers in the Perl bindings

Note that load_key() now returns the complete response (to get the key
identifier).

6 months agovici: Update some data in the Ruby gemspec
Tobias Brunner [Thu, 25 Apr 2019 08:26:11 +0000 (10:26 +0200)]
vici: Update some data in the Ruby gemspec

6 months agovici: Some code style fixes in the Ruby bindings
Tobias Brunner [Wed, 24 Apr 2019 16:05:11 +0000 (18:05 +0200)]
vici: Some code style fixes in the Ruby bindings

As reported by rubocop (some issues were not fixed, in particular
related to class/method length metrics).

6 months agovici: Update command wrappers of the Ruby bindings
Tobias Brunner [Wed, 24 Apr 2019 14:37:11 +0000 (16:37 +0200)]
vici: Update command wrappers of the Ruby bindings

Also reorder them to match README.md.

6 months agovici: Refactor how commands are called in the Ruby bindings
Tobias Brunner [Wed, 24 Apr 2019 14:05:12 +0000 (16:05 +0200)]
vici: Refactor how commands are called in the Ruby bindings

Also expose a method to call arbitrary commands, which allows calling not
yet wrapped commands. Exceptions are raised for all commands if the response
includes a negative "success" key (similar to how it's done in the Python
bindings).

6 months agovici: Fix formatting of return values for load-conn and load-authority commands
Tobias Brunner [Tue, 23 Apr 2019 17:56:22 +0000 (19:56 +0200)]
vici: Fix formatting of return values for load-conn and load-authority commands

6 months agovici: Add missing command wrappers for Python bindings
Tobias Brunner [Tue, 23 Apr 2019 14:13:19 +0000 (16:13 +0200)]
vici: Add missing command wrappers for Python bindings

Also change some for which the return value became relevant.

6 months agovici: Extract command wrappers in Python bindings
Tobias Brunner [Thu, 18 Apr 2019 08:56:15 +0000 (10:56 +0200)]
vici: Extract command wrappers in Python bindings

This simplifies the interface and allows calling not yet wrapped
commands more easily.

6 months agoeap-aka-3gpp2: Increase SQN after each authentication
Tobias Brunner [Wed, 24 Apr 2019 09:30:14 +0000 (11:30 +0200)]
eap-aka-3gpp2: Increase SQN after each authentication

6 months agoMerge branch 'childless'
Tobias Brunner [Thu, 25 Apr 2019 13:32:02 +0000 (15:32 +0200)]
Merge branch 'childless'

Adds support for childless initiation of IKE_SAs (RFC 6023) e.g. to
force a separate DH exchange for all CHILD_SAs including the first one.

Also allows the initiation of only the IKE_SA via swanctl --initiate if
the peer supports this extension.

Closes strongswan/strongswan#99.

6 months agotesting: Add swanctl/net2net-childless scenario
Tobias Brunner [Wed, 3 Apr 2019 09:15:50 +0000 (11:15 +0200)]
testing: Add swanctl/net2net-childless scenario

6 months agounit-tests: Add unit tests for childless IKE_SA initiation
Tobias Brunner [Tue, 2 Apr 2019 14:44:44 +0000 (16:44 +0200)]
unit-tests: Add unit tests for childless IKE_SA initiation

6 months agounit-tests: Make childless initiation configurable
Tobias Brunner [Tue, 2 Apr 2019 14:24:01 +0000 (16:24 +0200)]
unit-tests: Make childless initiation configurable

6 months agounit-tests: Add helper to create but not yet establish two IKE_SAs
Tobias Brunner [Tue, 2 Apr 2019 14:23:34 +0000 (16:23 +0200)]
unit-tests: Add helper to create but not yet establish two IKE_SAs

6 months agounit-tests: Add macros to assert certain payloads are (not) in a message
Tobias Brunner [Tue, 2 Apr 2019 14:22:21 +0000 (16:22 +0200)]
unit-tests: Add macros to assert certain payloads are (not) in a message

6 months agovici: Support initiation of IKE_SAs
Tobias Brunner [Fri, 29 Mar 2019 16:38:39 +0000 (17:38 +0100)]
vici: Support initiation of IKE_SAs

The configuration must allow the initiation of a childless IKE_SA (which
is already the case with the default of 'accept').

6 months agovici: Make childless initiation of IKE_SAs configurable
Tobias Brunner [Fri, 29 Mar 2019 16:13:49 +0000 (17:13 +0100)]
vici: Make childless initiation of IKE_SAs configurable

6 months agocontroller: Make child config optional for initiate()
Tobias Brunner [Fri, 29 Mar 2019 15:50:26 +0000 (16:50 +0100)]
controller: Make child config optional for initiate()

6 months agochild-create: Initiate and handle childless IKE_SAs according to RFC 6023
Tobias Brunner [Fri, 29 Mar 2019 15:46:59 +0000 (16:46 +0100)]
child-create: Initiate and handle childless IKE_SAs according to RFC 6023

6 months agoike-init: Notify initiator if childless IKE_SAs are accepted
Tobias Brunner [Fri, 29 Mar 2019 14:18:08 +0000 (15:18 +0100)]
ike-init: Notify initiator if childless IKE_SAs are accepted

6 months agoike-cfg: Add setting for childless IKE_SAs
Tobias Brunner [Fri, 29 Mar 2019 14:06:20 +0000 (15:06 +0100)]
ike-cfg: Add setting for childless IKE_SAs

6 months agoike-cfg: Pass arguments as struct
Tobias Brunner [Fri, 29 Mar 2019 11:11:10 +0000 (12:11 +0100)]
ike-cfg: Pass arguments as struct

6 months agoproposal-substructure: Fix incorrect type for IKEv2 proposals
SophieK [Thu, 25 Apr 2019 06:39:32 +0000 (14:39 +0800)]
proposal-substructure: Fix incorrect type for IKEv2 proposals

Luckily, the type is only used once when generating payloads and there it
doesn't matter because the encoding rules are the same.

Closes strongswan/strongswan#135.

6 months agotesting: Use renamed systemd unit
Tobias Brunner [Fri, 29 Mar 2019 09:24:07 +0000 (10:24 +0100)]
testing: Use renamed systemd unit

While the alias is available after enabling the unit, we don't
actually do that in our testing environment (adding a symlink manually
would work too, then again, why not just use the proper name?).

6 months agoinit: Rename systemd units
Tobias Brunner [Fri, 29 Mar 2019 09:00:42 +0000 (10:00 +0100)]
init: Rename systemd units

Use strongswan-starter for the legacy unit and simply strongswan for the
modern one (strongswan-swanctl is configured as alias, which should
cause the installation of symlinks when the service is enabled via
systemctl).

6 months agoMerge branch 'wolfssl'
Tobias Brunner [Wed, 24 Apr 2019 11:55:20 +0000 (13:55 +0200)]
Merge branch 'wolfssl'

Adds a plugin that uses wolfSSL for cryptographic operations.

Closes strongswan/strongswan#133.

6 months agotravis: Run tests against wolfSSL
Tobias Brunner [Tue, 9 Apr 2019 08:40:54 +0000 (10:40 +0200)]
travis: Run tests against wolfSSL

Check for wolfssl/options.h because if it isn't included, checking other
headers will trigger a warning about hardening the wolfSSL build, which
will cause the check to fail with -Werror.

If the file doesn't exist because user_settings.h is used, the check may
be skipped by configuring with `ac_cv_header_wolfssl_options_h=yes`.

6 months agowolfssl: Fixes, code style changes and some refactorings
Tobias Brunner [Fri, 5 Apr 2019 10:03:18 +0000 (12:03 +0200)]
wolfssl: Fixes, code style changes and some refactorings

The main fixes are

 * the generation of fingerprints for RSA, ECDSA, and EdDSA
 * the encoding of ECDSA private keys
 * calculating p and q for RSA private keys
 * deriving the public key for raw Ed25519 private keys

Also, instead of numeric literals for buffer lengths ASN.1 related
constants are used.

6 months agounit-tests: Add tests for ECDSA fingerprints and encoding
Tobias Brunner [Mon, 8 Apr 2019 15:57:19 +0000 (17:57 +0200)]
unit-tests: Add tests for ECDSA fingerprints and encoding

6 months agounit-tests: Add tests for RSA fingerprints and encoding
Tobias Brunner [Mon, 8 Apr 2019 10:23:36 +0000 (12:23 +0200)]
unit-tests: Add tests for RSA fingerprints and encoding

6 months agochunk: Add helper to copy a chunk left-padded to a certain length
Tobias Brunner [Mon, 8 Apr 2019 13:24:23 +0000 (15:24 +0200)]
chunk: Add helper to copy a chunk left-padded to a certain length

6 months agowolfssl: Add wolfSSL plugin for cryptographic implementations
Sean Parkinson [Wed, 3 Apr 2019 07:06:34 +0000 (17:06 +1000)]
wolfssl: Add wolfSSL plugin for cryptographic implementations

6 months agoMerge branch 'android-fixes'
Tobias Brunner [Wed, 24 Apr 2019 09:36:26 +0000 (11:36 +0200)]
Merge branch 'android-fixes'

Fixes an upgrade issue and includes UTF8 support for EAP-MSCHAPv2.

6 months agosocket-default: Fix setting DSCP value on FreeBSD
Tobias Brunner [Tue, 23 Apr 2019 09:49:04 +0000 (11:49 +0200)]
socket-default: Fix setting DSCP value on FreeBSD

Fixes #3030.

7 months agoandroid: New release after fixing DB update and adding UTF-8 for EAP-MSCHAPv2
Tobias Brunner [Tue, 16 Apr 2019 13:58:31 +0000 (15:58 +0200)]
android: New release after fixing DB update and adding UTF-8 for EAP-MSCHAPv2

7 months agoandroid: Fix database upgrade from older versions
Tobias Brunner [Mon, 15 Apr 2019 12:24:23 +0000 (14:24 +0200)]
android: Fix database upgrade from older versions

7 months agoeap-mschapv2: Convert UTF-8-encoded passwords
Tobias Brunner [Wed, 10 Apr 2019 15:38:35 +0000 (17:38 +0200)]
eap-mschapv2: Convert UTF-8-encoded passwords

Instead of assuming passwords are simply ASCII-encoded we now assume they are
provided UTF-8-encoded, which is quite likely nowadays.  The UTF-8 byte
sequences are not validated, however, only valid code points are encoded
as UTF-16LE.

Fixes #3014.

7 months agotesting: Use latest tkm-rpc and x509-ada versions
Tobias Brunner [Mon, 15 Apr 2019 16:31:12 +0000 (18:31 +0200)]
testing: Use latest tkm-rpc and x509-ada versions

Includes fixes for larger signatures, critical extensions and
utf8Strings in DNs.

7 months agochild-create: Make sure the mode selected by the responder is acceptable
Tobias Brunner [Tue, 9 Apr 2019 17:13:53 +0000 (19:13 +0200)]
child-create: Make sure the mode selected by the responder is acceptable

Previously, the initiator would install the SA in transport mode if the
peer sent back the USE_TRANSPORT_MODE notify, even if that was not
requested originally.

7 months agomessage: Enforce encryption except for INFORMATIONALs
Tobias Brunner [Tue, 9 Apr 2019 09:42:19 +0000 (11:42 +0200)]
message: Enforce encryption except for INFORMATIONALs

The only messages that are generally sent encrypted but could be sent
unencrypted are INFORMATIONALs (currently only used for IKEv1 and ME
connectivity checks).  This should prevent issues if the keymat_t behaves
incorrectly and does not return an aead_t when it actually should.

7 months agotesting: Create new files in mounted strongSwan sources as regular user
Tobias Brunner [Mon, 15 Apr 2019 11:23:05 +0000 (13:23 +0200)]
testing: Create new files in mounted strongSwan sources as regular user

7 months agoike-sa-manager: Extract IKE SPI labeling feature from charon-tkm
Tobias Brunner [Tue, 9 Apr 2019 16:29:10 +0000 (18:29 +0200)]
ike-sa-manager: Extract IKE SPI labeling feature from charon-tkm

Might be useful for users of other daemons too. Note that compared to the
previous implementation in charon-tkm, the mask/label are applied in
network order.

Closes strongswan/strongswan#134.

7 months agoeap-aka-3gpp: Ignore test runner in repository
Tobias Brunner [Thu, 4 Apr 2019 15:56:41 +0000 (17:56 +0200)]
eap-aka-3gpp: Ignore test runner in repository

7 months agotravis: Check for unignored build artifacts after the build
Tobias Brunner [Thu, 4 Apr 2019 15:41:53 +0000 (17:41 +0200)]
travis: Check for unignored build artifacts after the build

7 months agoike-config: If we don't send a CFG_REQUEST, we don't expect a CFG_REPLY
Tobias Brunner [Fri, 29 Mar 2019 10:05:42 +0000 (11:05 +0100)]
ike-config: If we don't send a CFG_REQUEST, we don't expect a CFG_REPLY

Previously, attributes in an incorrectly sent CFG_REPLY would still be passed
to attribute handlers.  This does not prevent handlers from receiving
unrequested attributes if they requested at least one other.

7 months agoike-config: Ignore unrequested virtual IP addresses
Tobias Brunner [Thu, 28 Mar 2019 17:44:08 +0000 (18:44 +0100)]
ike-config: Ignore unrequested virtual IP addresses

But forward them to handlers in case they requested them.

7 months agoMerge branch 'xfrmi'
Tobias Brunner [Thu, 4 Apr 2019 08:41:01 +0000 (10:41 +0200)]
Merge branch 'xfrmi'

This adds support for XFRM interfaces, which replace VTI devices and are
available with 4.19+ Linux kernels.

IPsec SAs and policies are associated with such interfaces via interface
IDs that can be configured on the CHILD_SA-level (dynamic IDs may
optionally be allocated for each instance and even direction) or on the
IKE_SA-level (again, dynamic IDs may be optionally allocated per IKE_SA).
IDs on an IKE_SA are inherited by all CHILD_SAs created under it, unless
the child configuration overrides them.

The effect the interface ID has on policies is similar to that of marks,
i.e. they won't match packets unless they are routed via interface with
matching interface ID.  So it's possible to negotiate e.g. 0.0.0.0/0 as
traffic selector on both sides and then control the affected traffic via
routes/firewall.

It's possible to use separate interfaces for in- and outbound traffic (or
only use an interface in one direction and regular policies in the other).

Since iproute2 does not yet support XFRM interfaces, a small utility is
provided that allows creating and listing XFRM interfaces.

Interfaces may be created dynamically via updown/vici scripts or
statically (before or after establishing the SAs).  Routes must be added
manually as needed (the daemon will not install any routes for outbound
policies with an interface ID).

When moving XFRM interfaces to other network namespaces they retain access
to the SAs and policies created in the original namespace, which allows
providing IPsec tunnels for processes in other network namespaces without
giving them access to the IPsec keys or IKE credentials.

Fixes #2845.

7 months agotesting: Add scenario that uses IKE-specific interface IDs
Tobias Brunner [Mon, 25 Mar 2019 17:31:28 +0000 (18:31 +0100)]
testing: Add scenario that uses IKE-specific interface IDs

7 months agotesting: Install python-daemon with strongSwan for use in updown scripts
Tobias Brunner [Wed, 27 Mar 2019 10:13:41 +0000 (11:13 +0100)]
testing: Install python-daemon with strongSwan for use in updown scripts

7 months agotesting: Add /etc/resolv.conf when building strongSwan
Tobias Brunner [Wed, 27 Mar 2019 10:04:57 +0000 (11:04 +0100)]
testing: Add /etc/resolv.conf when building strongSwan

7 months agotesting: Enable Python eggs in testing environment (i.e. vici's Python bindings)
Tobias Brunner [Mon, 25 Mar 2019 13:28:21 +0000 (14:28 +0100)]
testing: Enable Python eggs in testing environment (i.e. vici's Python bindings)

7 months agoconfigure: Fix package version for python packages for developer releases
Tobias Brunner [Mon, 25 Mar 2019 13:26:11 +0000 (14:26 +0100)]
configure: Fix package version for python packages for developer releases

According to PEP 440 the suffix for development releases is .devN and
not just devN.

7 months agovici: Add support for interface ID configurable on IKE_SA
Tobias Brunner [Fri, 22 Mar 2019 17:33:46 +0000 (18:33 +0100)]
vici: Add support for interface ID configurable on IKE_SA