strongswan.git
2 years agolibipsec: Make sure to expire the right SA
Tobias Brunner [Mon, 14 Aug 2017 14:03:54 +0000 (16:03 +0200)]
libipsec: Make sure to expire the right SA

If an IPsec SA is actually replaced with a rekeying its entry in the
manager is freed. That means that when the hard expire is triggered a
new entry might be found at the cached pointer location.  So we have
to make sure we trigger the expire only if we found the right SA.

We could use SPI and addresses for the lookup, but this here requires
a bit less memory and is just a small change. Another option would be to
somehow cancel the queued job, but our scheduler doesn't allow that at
the moment.

Fixes #2399.

2 years agoMerge branch 'libipsec-ip-frag'
Tobias Brunner [Mon, 18 Sep 2017 08:31:58 +0000 (10:31 +0200)]
Merge branch 'libipsec-ip-frag'

This fixes "packet too short" errors when parsing fragmented IPv4
packets and correctly determines the protocol in fragmented IPv6 packets.
Protocol headers are only parsed in unfragmented IPv4 and IPv6 packets,
or IPv4 first fragments.

Closes strongswan/strongswan#80.

2 years agotesting: Add libipsec/net2net-cert-ipv6 scenario
Tobias Brunner [Fri, 1 Sep 2017 08:03:11 +0000 (10:03 +0200)]
testing: Add libipsec/net2net-cert-ipv6 scenario

2 years agoip-packet: Correctly determine protocol in fragmented IPv6 packets
Tobias Brunner [Fri, 1 Sep 2017 07:47:29 +0000 (09:47 +0200)]
ip-packet: Correctly determine protocol in fragmented IPv6 packets

We don't attempt to parse the transport headers for fragments, not even
for the initial fragment (it's not guaranteed they contain the header,
depending on the number and type of extension headers).

2 years agoip-packet: Fix "packet too short" error when parsing fragmented IPv4 packets
Tobias Brunner [Fri, 1 Sep 2017 06:57:56 +0000 (08:57 +0200)]
ip-packet: Fix "packet too short" error when parsing fragmented IPv4 packets

Only attempt to parse the transport header of an IPv4 packet if it's
not fragmented or the first fragment.

2 years agoMerge branch 'tkm-cid-ref'
Tobias Brunner [Fri, 15 Sep 2017 10:17:07 +0000 (12:17 +0200)]
Merge branch 'tkm-cid-ref'

This fixes IKE_SA rekey collision handling and improves error handling
if CHILD_SA setup fails.

2 years agocharon-tkm: Reset ESA on child SA create failure
Adrian-Ken Rueegsegger [Tue, 5 Sep 2017 13:56:12 +0000 (15:56 +0200)]
charon-tkm: Reset ESA on child SA create failure

Since we are also releasing the ESA ID we have to make sure that the ESA
context is reset and in a clean state in order for it to be actually
reusable.

2 years agocharon-tkm: Check for error when acquiring ESA ID
Adrian-Ken Rueegsegger [Mon, 4 Sep 2017 13:00:42 +0000 (15:00 +0200)]
charon-tkm: Check for error when acquiring ESA ID

2 years agocharon-tkm: Fix AE context life-cycle handling
Adrian-Ken Rueegsegger [Fri, 1 Sep 2017 16:46:05 +0000 (18:46 +0200)]
charon-tkm: Fix AE context life-cycle handling

Use new reference counting feature of ID manager for AE contexts and
only perform reset if count is zero. Also, do not pass on AE ID as every
IKE SA must decrement AE ID count once it is not used any longer.

2 years agocharon-tkm: Return current refcount when releasing ID
Adrian-Ken Rueegsegger [Fri, 1 Sep 2017 15:21:05 +0000 (17:21 +0200)]
charon-tkm: Return current refcount when releasing ID

2 years agocharon-tkm: Add acquire_ref method to ID manager
Adrian-Ken Rueegsegger [Fri, 1 Sep 2017 15:15:41 +0000 (17:15 +0200)]
charon-tkm: Add acquire_ref method to ID manager

The function acquires a reference to the given context reference id for
a specific context kind.

2 years agocharon-tkm: Store context ids as int instead of bool
Adrian-Ken Rueegsegger [Fri, 1 Sep 2017 14:58:15 +0000 (16:58 +0200)]
charon-tkm: Store context ids as int instead of bool

This is in preparation of making context ids refcountable.

2 years agocharon-tkm: Add missing whitespace log message
Adrian-Ken Rueegsegger [Fri, 1 Sep 2017 14:30:49 +0000 (16:30 +0200)]
charon-tkm: Add missing whitespace log message

2 years agochild-delete: Only let SAs expire naturally if they not already did
Tobias Brunner [Mon, 4 Sep 2017 16:11:39 +0000 (18:11 +0200)]
child-delete: Only let SAs expire naturally if they not already did

2 years agoVersion bump to 5.6.1dr2 5.6.1dr2
Andreas Steffen [Wed, 13 Sep 2017 14:56:45 +0000 (16:56 +0200)]
Version bump to 5.6.1dr2

2 years agosec-updater: Import SWID tags of updated packages
Andreas Steffen [Sat, 9 Sep 2017 11:13:28 +0000 (13:13 +0200)]
sec-updater: Import SWID tags of updated packages

sec-updater downloads the deb package files from security updates from
a given linux repository and uses the swid_generator command to
derive a SWID tag. The SWID tag is then imported into strongTNC
using the manage.py importswid command.

2 years agolibimcv: Corrected caption
Andreas Steffen [Sat, 9 Sep 2017 11:10:45 +0000 (13:10 +0200)]
libimcv: Corrected caption

2 years agopt-tls-client: Introduced --options as a synonym for --optionsfrom
Andreas Steffen [Sat, 9 Sep 2017 08:31:02 +0000 (10:31 +0200)]
pt-tls-client: Introduced --options as a synonym for --optionsfrom

2 years agosec-updater: Write to log only if at least one update is found.
Andreas Steffen [Thu, 7 Sep 2017 12:50:49 +0000 (14:50 +0200)]
sec-updater: Write to log only if at least one update is found.

2 years agoandroid: New release after adding OCSP, CRL cache and some other stuff
Tobias Brunner [Mon, 4 Sep 2017 09:27:40 +0000 (11:27 +0200)]
android: New release after adding OCSP, CRL cache and some other stuff

2 years agotesting: Reduce log level of SSH client
Tobias Brunner [Tue, 29 Aug 2017 12:11:23 +0000 (14:11 +0200)]
testing: Reduce log level of SSH client

This should suppress the "Permanently added ... to the list of known
hosts" warnings that occasionally come up for no apparent reason.

2 years agoike: Reset local SPI if retrying to connect in state IKE_CONNECTING
Tobias Brunner [Tue, 29 Aug 2017 07:06:55 +0000 (09:06 +0200)]
ike: Reset local SPI if retrying to connect in state IKE_CONNECTING

In case we send retransmits for an IKE_SA_INIT where we propose a DH
group the responder will reject we might later receive delayed responses
that either contain INVALID_KE_PAYLOAD notifies with the group we already
use or, if we retransmitted an IKE_SA_INIT with the requested group but
then had to restart again, a KE payload with a group different from the
one we proposed.  So far we didn't change the initiator SPI when
restarting the connection, i.e. these delayed responses were processed
and might have caused fatal errors due to a failed DH negotiation or
because of the internal retry counter in the ike-init task.  Changing
the initiator SPI avoids that as we won't process the delayed responses
anymore that caused this confusion.

2 years agoike-sa-manager: Add method to change the initiator SPI of an IKE_SA
Tobias Brunner [Fri, 25 Aug 2017 14:45:03 +0000 (16:45 +0200)]
ike-sa-manager: Add method to change the initiator SPI of an IKE_SA

2 years agoike-init: Fail if DH group in KE payload does not match proposed group
Tobias Brunner [Fri, 25 Aug 2017 12:42:51 +0000 (14:42 +0200)]
ike-init: Fail if DH group in KE payload does not match proposed group

2 years agoMerge branch 'android-updates'
Tobias Brunner [Mon, 4 Sep 2017 08:42:00 +0000 (10:42 +0200)]
Merge branch 'android-updates'

Caches CRLs in the app directory, adds support for OCSP, adds a button
to reconnect to the "already connected" dialog, only apply/configure app
selection on Android >= 5 (older versions don't support the API), and catches
some random exceptions.

2 years agoandroid: Add disconnect button to dialog if already connected to profile
Tobias Brunner [Tue, 22 Aug 2017 16:28:39 +0000 (18:28 +0200)]
android: Add disconnect button to dialog if already connected to profile

2 years agoandroid: Load x509 plugin to generate OCSP requests and parse responses
Tobias Brunner [Wed, 23 Aug 2017 14:15:48 +0000 (16:15 +0200)]
android: Load x509 plugin to generate OCSP requests and parse responses

BoringSSL does not support OpenSSL's OCSP API.

2 years agoandroid: Add support to POST data via SimpleFetcher
Tobias Brunner [Wed, 23 Aug 2017 14:14:36 +0000 (16:14 +0200)]
android: Add support to POST data via SimpleFetcher

That's required for OCSP verification.

2 years agoandroid: Add option to clear cached CRLs
Tobias Brunner [Fri, 1 Sep 2017 17:26:52 +0000 (19:26 +0200)]
android: Add option to clear cached CRLs

2 years agoandroid: Cache CRLs in app directory
Tobias Brunner [Mon, 21 Aug 2017 13:53:20 +0000 (15:53 +0200)]
android: Cache CRLs in app directory

Fixes #2405.

2 years agoandroid: Pass absolute path to the app's data directory via JNI
Tobias Brunner [Mon, 21 Aug 2017 13:26:06 +0000 (15:26 +0200)]
android: Pass absolute path to the app's data directory via JNI

2 years agoandroid: Hide app selection in profile editor on Android < 5
Tobias Brunner [Thu, 24 Aug 2017 13:18:32 +0000 (15:18 +0200)]
android: Hide app selection in profile editor on Android < 5

2 years agoandroid: Only apply app filter on Android 5 and newer
Tobias Brunner [Tue, 11 Jul 2017 07:44:35 +0000 (09:44 +0200)]
android: Only apply app filter on Android 5 and newer

2 years agoandroid: Catch OutOfMemoryError when importing profiles
Tobias Brunner [Mon, 10 Jul 2017 10:17:45 +0000 (12:17 +0200)]
android: Catch OutOfMemoryError when importing profiles

Not sure if this is actually caused because e.g. the file is too large
or due to some encoding issue.

2 years agoandroid: Catch NullPointerException when parsing invalid certificates
Tobias Brunner [Thu, 6 Jul 2017 13:40:42 +0000 (15:40 +0200)]
android: Catch NullPointerException when parsing invalid certificates

2 years agoandroid: Catch NullPointerException when calling VpnService.prepare()
Tobias Brunner [Thu, 6 Jul 2017 13:16:24 +0000 (15:16 +0200)]
android: Catch NullPointerException when calling VpnService.prepare()

According to the Play Console this occurs occasionally.

2 years agoVersion bump to 5.6.1dr1 5.6.1dr1
Andreas Steffen [Fri, 1 Sep 2017 11:49:09 +0000 (13:49 +0200)]
Version bump to 5.6.1dr1

2 years agoimv-os: Updated security update evaluation
Andreas Steffen [Thu, 31 Aug 2017 16:52:04 +0000 (18:52 +0200)]
imv-os: Updated security update evaluation

2 years agolibimcv: Updated database scheme
Andreas Steffen [Wed, 30 Aug 2017 11:30:18 +0000 (13:30 +0200)]
libimcv: Updated database scheme

2 years agosec-updater: Checks for security updates
Andreas Steffen [Fri, 25 Aug 2017 09:23:20 +0000 (11:23 +0200)]
sec-updater: Checks for security updates

sec-updater checks for security updates and backports in Debian/
Ubuntu repositories and sets the security flags in the strongTNC
policy database accordingly.

2 years agoimv-attestation: Fixed file hash measurements
Andreas Steffen [Fri, 1 Sep 2017 00:53:28 +0000 (02:53 +0200)]
imv-attestation: Fixed file hash measurements

The introduction of file versions broke file hash measurements.
This has been fixed by using a generic product versions having an
empty package name.

2 years agoike-cfg: Fix memory leak when checking for configured address
Tobias Brunner [Tue, 29 Aug 2017 13:24:32 +0000 (15:24 +0200)]
ike-cfg: Fix memory leak when checking for configured address

2 years agosw-collector.8: Some cleanups
Andreas Steffen [Fri, 25 Aug 2017 09:28:06 +0000 (11:28 +0200)]
sw-collector.8: Some cleanups

2 years agokernel-netlink: Set usable state whenever an interface appears
Tobias Brunner [Mon, 14 Aug 2017 15:26:08 +0000 (17:26 +0200)]
kernel-netlink: Set usable state whenever an interface appears

If an interface is renamed we already have an entry (based on the
ifindex) allocated but previously only set the usable state once
based on the original name.

Fixes #2403.

2 years agolibimcv: Updated Android.mk after move of swid-gen(-info)
Tobias Brunner [Mon, 21 Aug 2017 10:17:02 +0000 (12:17 +0200)]
libimcv: Updated Android.mk after move of swid-gen(-info)

2 years agocoverage: Use absolute path when removing paths with lcov
Tobias Brunner [Mon, 21 Aug 2017 09:08:59 +0000 (11:08 +0200)]
coverage: Use absolute path when removing paths with lcov

There is a bug in some versions of lcov that causes it to fail writing
to files via relative paths after it issued warnings (e.g. due to
negative counts in the tracefile).

2 years agotraffic-selector: Use single buffer for both address families
Tobias Brunner [Wed, 16 Aug 2017 14:52:13 +0000 (16:52 +0200)]
traffic-selector: Use single buffer for both address families

The generic field of size 0 in the union that was used previously
triggered index-out-of-bounds errors with the UBSAN sanitizer that's
used on OSS-Fuzz.  Since the two family specific union members don't
really provide any advantage, we can just use a single buffer for both
families to avoid the errors.

2 years agotesting: Make removal of SWID tags work with different releases
Tobias Brunner [Wed, 16 Aug 2017 08:38:44 +0000 (10:38 +0200)]
testing: Make removal of SWID tags work with different releases

The regid.2004-03.org.strongswan directory might not exist in new images.

2 years agofuzzing: Also run input that previously caused crashes
Tobias Brunner [Wed, 31 May 2017 12:37:27 +0000 (14:37 +0200)]
fuzzing: Also run input that previously caused crashes

2 years agoconfigure: Detect mpz_powm_sec() when built with -Werror
Tobias Brunner [Wed, 31 May 2017 12:33:43 +0000 (14:33 +0200)]
configure: Detect mpz_powm_sec() when built with -Werror

2 years agotravis: Use the same ASAN_OPTIONS as used by OSS-Fuzz
Tobias Brunner [Tue, 30 May 2017 17:38:31 +0000 (19:38 +0200)]
travis: Use the same ASAN_OPTIONS as used by OSS-Fuzz

2 years agoplugin-loader: Move indent variables into !USE_FUZZING block
Tobias Brunner [Tue, 30 May 2017 17:14:22 +0000 (19:14 +0200)]
plugin-loader: Move indent variables into !USE_FUZZING block

This avoids compile errors on Travis.

2 years agotravis: Run fuzz targets
Tobias Brunner [Tue, 30 May 2017 16:41:31 +0000 (18:41 +0200)]
travis: Run fuzz targets

2 years agofuzzing: Run local fuzz targets on given corpora during `make check`
Tobias Brunner [Tue, 30 May 2017 14:46:32 +0000 (16:46 +0200)]
fuzzing: Run local fuzz targets on given corpora during `make check`

The base directory of the corpora must be set in FUZZING_CORPORA.

2 years agofuzzing: Add driver to run fuzz targets on a given list of files
Tobias Brunner [Tue, 30 May 2017 14:44:22 +0000 (16:44 +0200)]
fuzzing: Add driver to run fuzz targets on a given list of files

This is enabled if the path to libFuzzer.a is not specified when running
the configure script.

2 years agocharon-tkm: Build fix for kernel SAD tests
Adrian-Ken Rueegsegger [Mon, 14 Aug 2017 16:30:15 +0000 (18:30 +0200)]
charon-tkm: Build fix for kernel SAD tests

Commit 7729577... added a flag to the get_esa_id function but the unit
tests were not adjusted.

2 years agoVersion bump to 5.6.0 5.6.0
Andreas Steffen [Mon, 14 Aug 2017 08:07:47 +0000 (10:07 +0200)]
Version bump to 5.6.0

2 years agoNEWS: Add info about CVE-2017-11185
Tobias Brunner [Tue, 8 Aug 2017 18:14:00 +0000 (20:14 +0200)]
NEWS: Add info about CVE-2017-11185

2 years agogmp: Fix RSA signature verification for m >= n
Tobias Brunner [Mon, 29 May 2017 09:59:34 +0000 (11:59 +0200)]
gmp: Fix RSA signature verification for m >= n

By definition, m must be <= n-1, we didn't enforce that and because
mpz_export() returns NULL if the passed value is zero a crash could have
been triggered with m == n.

Fixes CVE-2017-11185.

2 years agoVersion bump to 5.6.0rc2 5.6.0rc2
Andreas Steffen [Wed, 9 Aug 2017 12:23:28 +0000 (14:23 +0200)]
Version bump to 5.6.0rc2

2 years agosw-collector: Moved info class to libimcv
Andreas Steffen [Wed, 9 Aug 2017 07:18:20 +0000 (09:18 +0200)]
sw-collector: Moved info class to libimcv

2 years agoNEWS: Added some news
Tobias Brunner [Tue, 8 Aug 2017 18:05:30 +0000 (20:05 +0200)]
NEWS: Added some news

2 years agoconf: Descriptions of several settings updated
Tobias Brunner [Tue, 8 Aug 2017 15:17:27 +0000 (17:17 +0200)]
conf: Descriptions of several settings updated

2 years agolibimcv: Cast chunk length to int when printing as string
Tobias Brunner [Tue, 8 Aug 2017 13:32:08 +0000 (15:32 +0200)]
libimcv: Cast chunk length to int when printing as string

2 years agosw-collector: Cast chunk length to int when printing as string
Tobias Brunner [Tue, 8 Aug 2017 13:31:22 +0000 (15:31 +0200)]
sw-collector: Cast chunk length to int when printing as string

2 years agosw-collector: Fix memory leak after failing to open DB
Tobias Brunner [Tue, 8 Aug 2017 13:30:44 +0000 (15:30 +0200)]
sw-collector: Fix memory leak after failing to open DB

2 years agosw-collector: Use correct variable to report failure to open history file
Tobias Brunner [Tue, 8 Aug 2017 13:29:41 +0000 (15:29 +0200)]
sw-collector: Use correct variable to report failure to open history file

2 years agoRevert "apidoc: Update Doxyfile"
Tobias Brunner [Mon, 7 Aug 2017 16:29:07 +0000 (18:29 +0200)]
Revert "apidoc: Update Doxyfile"

This reverts commit 8ec979fd64bca07e73f6f255a7cf26e587bb55d8.

Mainly because Travis is still on Trusty and this generates lots of
warnings.

2 years agoVersion bump to 5.6.0rc1 5.6.0rc1
Andreas Steffen [Mon, 7 Aug 2017 16:25:52 +0000 (18:25 +0200)]
Version bump to 5.6.0rc1

2 years agoimv-database: Improve performance by creating file_hashes index
Andreas Steffen [Mon, 7 Aug 2017 14:46:27 +0000 (16:46 +0200)]
imv-database: Improve performance by creating file_hashes index

2 years agosw-collector: Add missing Doxygen group
Tobias Brunner [Mon, 7 Aug 2017 15:33:55 +0000 (17:33 +0200)]
sw-collector: Add missing Doxygen group

Fix location of two classes.

2 years agolibimcv: Add missing Doxgen group for SWIMA-related classes
Tobias Brunner [Mon, 7 Aug 2017 15:31:25 +0000 (17:31 +0200)]
libimcv: Add missing Doxgen group for SWIMA-related classes

Fix location of swima_error_t.

2 years agoapidoc: Update Doxyfile
Tobias Brunner [Mon, 7 Aug 2017 15:27:31 +0000 (17:27 +0200)]
apidoc: Update Doxyfile

2 years agoFixed some typos, courtesy of codespell
Tobias Brunner [Mon, 7 Aug 2017 15:22:01 +0000 (17:22 +0200)]
Fixed some typos, courtesy of codespell

2 years agotesting: Add -v option to do-tests to prefix commands with timestamps
Tobias Brunner [Mon, 7 Aug 2017 14:52:01 +0000 (16:52 +0200)]
testing: Add -v option to do-tests to prefix commands with timestamps

2 years agotesting: Move collector.db in tnc/tnccs-20-ev-pt-tls scenario to /etc/db.d
Tobias Brunner [Mon, 7 Aug 2017 14:26:38 +0000 (16:26 +0200)]
testing: Move collector.db in tnc/tnccs-20-ev-pt-tls scenario to /etc/db.d

Also move initialization to the pretest script (it's way faster in the
in-memory database).

2 years agokernel-netlink: Wipe buffer used to read Netlink messages
Tobias Brunner [Wed, 2 Aug 2017 09:39:31 +0000 (11:39 +0200)]
kernel-netlink: Wipe buffer used to read Netlink messages

When querying SAs the keys will end up in this buffer (the allocated
messages that are returned are already wiped). The kernel also returns
XFRM_MSG_NEWSA as response to XFRM_MSG_ALLOCSPI but we can't distinguish
this here as we only see the response.

References #2388.

2 years agosha2: Write final hash directly to output buffer
Tobias Brunner [Wed, 2 Aug 2017 09:33:55 +0000 (11:33 +0200)]
sha2: Write final hash directly to output buffer

This avoids having the last output in internal memory that's not wiped.

References #2388.

2 years agoprf-plus: Wipe seed and internal buffer
Tobias Brunner [Tue, 25 Jul 2017 08:15:58 +0000 (10:15 +0200)]
prf-plus: Wipe seed and internal buffer

The buffer contains key material we handed out last and the seed can
contain the DH secret.

References #2388.

2 years agochild-sa: Allow requesting different unique marks for in/out
Eyal Birger [Fri, 28 Jul 2017 09:18:52 +0000 (12:18 +0300)]
child-sa: Allow requesting different unique marks for in/out

When requiring unique flags for CHILD_SAs, allow the configuration to
request different marks for each direction by using the %unique-dir keyword.

This is useful when different marks are desired for each direction but the
number of peers is not predefined.

An example use case is when implementing a site-to-site route-based VPN
without VTI devices.

A use of 0.0.0.0/0 - 0.0.0.0/0 traffic selectors with identical in/out marks
results in outbound traffic being wrongfully matched against the 'fwd'
policy - for which the underlay 'template' does not match - and dropped.

Using different marks for each direction avoids this issue as the 'fwd' policy
uses the 'in' mark will not match outbound traffic.

Closes strongswan/strongswan#78.

2 years agoconf: Match more characters in _ and **
Tobias Brunner [Wed, 2 Aug 2017 12:32:32 +0000 (14:32 +0200)]
conf: Match more characters in _ and **

\w does not match e.g. / but \S does.

2 years agotrap-manager: Don't require that remote is resolvable during installation
Tobias Brunner [Wed, 12 Jul 2017 09:36:59 +0000 (11:36 +0200)]
trap-manager: Don't require that remote is resolvable during installation

Initiation might later fail, of course, but we don't really
require an IP address when installing, that is, unless the remote
traffic selector is dynamic. As that would result in installing a
0.0.0.0/0 remote TS which is not ideal when a single IP is expected as
remote.

2 years agochild-create: Don't log CHILD_SA initiation until we know the unique ID
Tobias Brunner [Mon, 7 Aug 2017 11:59:37 +0000 (13:59 +0200)]
child-create: Don't log CHILD_SA initiation until we know the unique ID

2 years agochild-rekey: Add CHILD_SA name and unique ID to collision log messages
Tobias Brunner [Mon, 7 Aug 2017 10:14:57 +0000 (12:14 +0200)]
child-rekey: Add CHILD_SA name and unique ID to collision log messages

2 years agochild-sa: Suppress CHILD_SA state changes if there is no change
Tobias Brunner [Mon, 7 Aug 2017 10:13:06 +0000 (12:13 +0200)]
child-sa: Suppress CHILD_SA state changes if there is no change

2 years agoMerge commit 'child-sa-rekey-tkm'
Tobias Brunner [Mon, 7 Aug 2017 08:46:45 +0000 (10:46 +0200)]
Merge commit 'child-sa-rekey-tkm'

This fixes CHILD_SA rekeying with TKM and changes how we switch to the
outbound IPsec SA with Netlink/XFRM (using SPIs on the outbound policy
instead of installing the outbound SA delayed).

For charon-tkm it changes when esa_select() and esa_reset() are called,
now with the outbound policy and the inbound SA, respectively, instead
of the outbound SA in both cases.

Also fixed is a potential traffic loss when a rekey collision is lost.

2 years agocharon-tkm: Call esa_reset() when the inbound SA is deleted
Tobias Brunner [Fri, 4 Aug 2017 12:02:42 +0000 (14:02 +0200)]
charon-tkm: Call esa_reset() when the inbound SA is deleted

After a rekeying the outbound SA and policy is deleted immediately, however,
the inbound SA is not removed until a few seconds later, so delayed packets
can still be processed.

This adds a flag to get_esa_id() that specifies the location of the
given SPI.

2 years agocharon-tkm: Remove unused get_other_esa_id() method
Tobias Brunner [Fri, 4 Aug 2017 11:59:40 +0000 (13:59 +0200)]
charon-tkm: Remove unused get_other_esa_id() method

2 years agochild-rekey: Don't install outbound SA in case of lost collisions
Tobias Brunner [Fri, 4 Aug 2017 11:12:57 +0000 (13:12 +0200)]
child-rekey: Don't install outbound SA in case of lost collisions

This splits the SA installation also on the initiator, so we can avoid
installing the outbound SA if we lost a rekey collision, which might
have caused traffic loss depending on the timing of the DELETEs that are
sent in both directions.

2 years agotesting: Also capture stderr during test cases
Tobias Brunner [Fri, 14 Jul 2017 09:22:27 +0000 (11:22 +0200)]
testing: Also capture stderr during test cases

The output was not correct otherwise due to the reordering of commands.

2 years agotesting: Clearly mark the tests that failed
Tobias Brunner [Thu, 13 Jul 2017 17:09:07 +0000 (19:09 +0200)]
testing: Clearly mark the tests that failed

2 years agotesting: Add tkm/xfrmproxy-rekey scenario
Tobias Brunner [Thu, 13 Jul 2017 16:41:36 +0000 (18:41 +0200)]
testing: Add tkm/xfrmproxy-rekey scenario

Similar to the xfrmproxy-expire scenario but here the TKM host is the
responder to a rekeying.

2 years agotesting: Add pfkey/net2net-rekey scenario
Tobias Brunner [Fri, 14 Jul 2017 10:29:04 +0000 (12:29 +0200)]
testing: Add pfkey/net2net-rekey scenario

2 years agotesting: Add ikev2/net2net-rekey scenario
Tobias Brunner [Wed, 12 Jul 2017 14:58:11 +0000 (16:58 +0200)]
testing: Add ikev2/net2net-rekey scenario

2 years agotesting: Add support for counting matching lines in tests
Tobias Brunner [Wed, 12 Jul 2017 14:53:13 +0000 (16:53 +0200)]
testing: Add support for counting matching lines in tests

Specifying an integer instead of YES in evaltest.dat causes the number to get
compared against the actual number of lines matching the pattern.

This may be used to count matching packets or log lines.

2 years agobus: Don't trigger child_updown() for rekeyed CHILD_SAs
Tobias Brunner [Wed, 12 Jul 2017 11:00:59 +0000 (13:00 +0200)]
bus: Don't trigger child_updown() for rekeyed CHILD_SAs

We don't trigger it either when they are deleted individually.

2 years agocharon-tkm: Don't select new outbound SA until the policy is installed
Tobias Brunner [Tue, 11 Jul 2017 12:05:01 +0000 (14:05 +0200)]
charon-tkm: Don't select new outbound SA until the policy is installed

This tries to avoid packet loss during rekeying by delaying the usage of
the new outbound IKE_SA until the old one is deleted.

Note that esa_select() is a no-op in the current TKM implementation. And
the implementation also doesn't benefit from the delayed deletion of the
inbound SA as it calls esa_reset() when the outbound SA is deleted.

2 years agocharon-tkm: Claim to support SPIs on policies
Tobias Brunner [Tue, 11 Jul 2017 11:49:21 +0000 (13:49 +0200)]
charon-tkm: Claim to support SPIs on policies

This fixes rekeying as the delayed installation of the outbound SA
caused the nonce context to be expired already.

2 years agochild-sa: Install outbound SA immediately if kernel supports SPIs on policies
Tobias Brunner [Tue, 11 Jul 2017 11:42:06 +0000 (13:42 +0200)]
child-sa: Install outbound SA immediately if kernel supports SPIs on policies

2 years agochild-sa: Use flags to track installation of outbound SA and policies separately
Tobias Brunner [Tue, 11 Jul 2017 11:12:02 +0000 (13:12 +0200)]
child-sa: Use flags to track installation of outbound SA and policies separately