2 years agofuzz: Added PB-TNC fuzzer
Andreas Steffen [Fri, 9 Mar 2018 13:40:00 +0000 (14:40 +0100)]
fuzz: Added PB-TNC fuzzer

2 years agolibimcv: Fixed processing of PTS Request File Metadata
Andreas Steffen [Sat, 3 Mar 2018 20:06:42 +0000 (21:06 +0100)]
libimcv: Fixed processing of PTS Request File Metadata

2 years agolibimcv: Removed whitespace
Andreas Steffen [Sat, 3 Mar 2018 19:56:47 +0000 (20:56 +0100)]
libimcv: Removed whitespace

2 years agolibimcv: Fixed processing of PTS Simple Component Evidence
Andreas Steffen [Sat, 3 Mar 2018 18:30:55 +0000 (19:30 +0100)]
libimcv: Fixed processing of PTS Simple Component Evidence

2 years agobio_reader: Fix read_uint24
Andreas Steffen [Fri, 2 Mar 2018 13:45:28 +0000 (14:45 +0100)]
bio_reader: Fix read_uint24

2 years agofuzz: Added PA-TNC fuzzer
Andreas Steffen [Fri, 2 Mar 2018 12:35:30 +0000 (13:35 +0100)]
fuzz: Added PA-TNC fuzzer

2 years agotesting: Removed TCG SWID IMC/IMV scenarios
Andreas Steffen [Mon, 5 Mar 2018 10:31:27 +0000 (11:31 +0100)]
testing: Removed TCG SWID IMC/IMV scenarios

2 years agolibimcv: Removed TCG SWID IMC/IMV support
Andreas Steffen [Thu, 1 Mar 2018 16:33:49 +0000 (17:33 +0100)]
libimcv: Removed TCG SWID IMC/IMV support

2 years agolibimcv: SWIMA SW locator must be file URI
Andreas Steffen [Mon, 5 Mar 2018 19:56:25 +0000 (20:56 +0100)]
libimcv: SWIMA SW locator must be file URI

2 years agolibimcv: Updated IANA numbers assigned to SWIMA
Andreas Steffen [Wed, 28 Feb 2018 18:23:59 +0000 (19:23 +0100)]
libimcv: Updated IANA numbers assigned to SWIMA

2 years agoAllow charon to change group on files before dropping caps
Micah Morton [Fri, 8 Jun 2018 18:55:30 +0000 (11:55 -0700)]
Allow charon to change group on files before dropping caps

Allow charon to start as a non-root user without CAP_CHOWN and still be
able to change the group on files that need to be accessed by charon
after capabilities have been dropped. This requires the user charon starts
as to have access to socket/pidfile directory as well as belong to the
group that charon will run as after dropping capabilities.

Closes strongswan/strongswan#105.

2 years agostarter: Reset action before handling it
Markus Sattler [Tue, 5 Jun 2018 06:20:52 +0000 (08:20 +0200)]
starter: Reset action before handling it

Stater will lose update/reload commands when there is a second signal
coming in when the previous is still processed. This can happen more
easily with big configurations.

Closes strongswan/strongswan#101.

2 years agoVersion bump to 5.7.0dr1 5.7.0dr1
Andreas Steffen [Wed, 30 May 2018 21:02:27 +0000 (23:02 +0200)]
Version bump to 5.7.0dr1

2 years agolibstrongswan: xmppaddr prefix designates an xmppAddr otherName ID type
Andreas Steffen [Wed, 30 May 2018 13:41:01 +0000 (15:41 +0200)]
libstrongswan: xmppaddr prefix designates an xmppAddr otherName ID type

2 years agoVersion bump to 5.6.3 5.6.3
Andreas Steffen [Mon, 28 May 2018 13:38:58 +0000 (15:38 +0200)]
Version bump to 5.6.3

2 years agoNEWS: Add info about CVE-2018-10811
Tobias Brunner [Thu, 24 May 2018 13:52:06 +0000 (15:52 +0200)]
NEWS: Add info about CVE-2018-10811

2 years agoikev2: Initialize variable in case set_key() or allocate_bytes() fails
Tobias Brunner [Mon, 19 Mar 2018 16:03:05 +0000 (17:03 +0100)]
ikev2: Initialize variable in case set_key() or allocate_bytes() fails

In case the PRF's set_key() or allocate_bytes() method failed, skeyseed
was not initialized and the chunk_clear() call later caused a crash.

This could have happened with OpenSSL in FIPS mode when MD5 was
negotiated (and test vectors were not checked, in which case the PRF
couldn't be instantiated as the test vectors would have failed).
MD5 is not included in the default proposal anymore since 5.6.1, so
with recent versions this could only happen with configs that are not
valid in FIPS mode anyway.

Fixes: CVE-2018-10811

2 years agoNEWS: Some minor updates
Tobias Brunner [Thu, 24 May 2018 10:03:45 +0000 (12:03 +0200)]
NEWS: Some minor updates

2 years agoswanctl: Document new HW offload options/behavior
Tobias Brunner [Thu, 24 May 2018 08:49:19 +0000 (10:49 +0200)]
swanctl: Document new HW offload options/behavior

2 years agoVersion bump to 5.6.3rc1 5.6.3rc1
Andreas Steffen [Wed, 23 May 2018 20:36:39 +0000 (22:36 +0200)]
Version bump to 5.6.3rc1

2 years agoNEWS: Added some news for 5.6.3
Tobias Brunner [Wed, 23 May 2018 18:25:18 +0000 (20:25 +0200)]
NEWS: Added some news for 5.6.3

2 years agosw-collector: Proper cleanup if DB query fails in check operation
Tobias Brunner [Wed, 23 May 2018 17:08:45 +0000 (19:08 +0200)]
sw-collector: Proper cleanup if DB query fails in check operation

2 years agokernel-netlink: Use strncpy to copy interface name when configuring HW offload
Tobias Brunner [Wed, 23 May 2018 17:06:02 +0000 (19:06 +0200)]
kernel-netlink: Use strncpy to copy interface name when configuring HW offload

2 years agoFixed some typos, courtesy of codespell
Tobias Brunner [Wed, 23 May 2018 14:06:45 +0000 (16:06 +0200)]
Fixed some typos, courtesy of codespell

2 years agoUnify format of HSR copyright statements
Tobias Brunner [Wed, 23 May 2018 14:04:50 +0000 (16:04 +0200)]
Unify format of HSR copyright statements

2 years agosettings: Parse assigned values in a different context
Tobias Brunner [Mon, 7 May 2018 16:24:48 +0000 (18:24 +0200)]
settings: Parse assigned values in a different context

This allows us to accept characters like = or { without having to use
quoted strings.  And we can also properly warn about unexpected quoted

2 years agosettings: Support CRLF in settings parser
Tobias Brunner [Mon, 13 Jul 2015 09:58:21 +0000 (11:58 +0200)]
settings: Support CRLF in settings parser

2 years agoVersion bump to 5.6.3dr2 5.6.3dr2
Andreas Steffen [Tue, 22 May 2018 19:58:32 +0000 (21:58 +0200)]
Version bump to 5.6.3dr2

2 years agoman: Remove keylife/rekeymargin from ipsec.conf man page
Tobias Brunner [Tue, 22 May 2018 12:18:17 +0000 (14:18 +0200)]
man: Remove keylife/rekeymargin from ipsec.conf man page

We continue to parse them but remove the documentation because mixing the two
sets of keywords in the same config might result in unexpected behavior.

References #2663.

2 years agoMerge branch 'ikesa-force-destroy'
Tobias Brunner [Tue, 22 May 2018 08:13:59 +0000 (10:13 +0200)]
Merge branch 'ikesa-force-destroy'

Adds new options to force the local destruction of an IKE_SA (after
trying to send a DELETE first).  This might be useful in situations where
it's known the other end is not reachable or already deleted the IKE_SA so
there is no point in retransmitting the DELETE and waiting for a response.

2 years agoswanctl: Add option to force IKE_SA termination
Tobias Brunner [Fri, 27 Apr 2018 16:11:42 +0000 (18:11 +0200)]
swanctl: Add option to force IKE_SA termination

2 years agovici: Optionally terminate IKE_SA immediately
Tobias Brunner [Fri, 27 Apr 2018 16:09:25 +0000 (18:09 +0200)]
vici: Optionally terminate IKE_SA immediately

2 years agocontroller: Add option to force destruction of an IKE_SA
Tobias Brunner [Fri, 27 Apr 2018 16:01:54 +0000 (18:01 +0200)]
controller: Add option to force destruction of an IKE_SA

It's optionally possible to wait for a timeout to destroy the SA.

2 years agoike-sa: Add option to force the destruction of an IKE_SA after initiating a delete
Tobias Brunner [Fri, 27 Apr 2018 15:27:53 +0000 (17:27 +0200)]
ike-sa: Add option to force the destruction of an IKE_SA after initiating a delete

2 years agoproposal: Add a compat alg for ChaCha20Poly1305 with explicit key length
Martin Willi [Tue, 8 May 2018 13:06:33 +0000 (15:06 +0200)]
proposal: Add a compat alg for ChaCha20Poly1305 with explicit key length

The keylength fix for ChaCha20Poly1305 (5a7b0be2) removes the keylength
attribute from the AEAD transform. This breaks compatibility between
versions with the patch and those without. The ChaCha20Poly1305 AEAD
won't match in proposals between such versions, and if no other algorithm
is available, negotiating SAs fails.

As a migration strategy, this patch introduces a new string identifier for a
ChaCha20Poly1305 proposal keyword which uses the explicit keylength, exactly
as it was used before the mentioned patch. Administrators that care about
the use of that AEAD with old clients can temporarily add this keyword to
the list of proposals, until all clients have been upgraded.

The used approach is the least invasive, as it just adds an additional
keyword that can't do any harm if not explicitly configured. Nontheless
allows it the administrator to smoothly keep ChaCha20Poly1305 working,
even if upgrading all peers simultaneously is not an option. It requires
manual configuration edits, though, but we assume that ChaCha20Poly1305
is not that widely used, and not as the only transform in proposals.

Removing the compat keyword in a future version is an option; it might
be helpful for other implementations, though, that falsely use an
explicit key length in ChaCha20Poly1305 AEAD transforms.

2 years agokernel-netlink: Change how routes are un-/installed
Tobias Brunner [Thu, 19 Apr 2018 16:15:24 +0000 (18:15 +0200)]
kernel-netlink: Change how routes are un-/installed

We now check if there are other routes tracked for the same destination
and replace the installed route instead of just removing it.  Same during
installation, where we previously didn't replace existing routes due to
NLM_F_EXCL.  Routes with virtual IPs as source address are preferred over
routes without.

This should allow using trap policies with virtual IPs on Linux.

Fixes #85, #2162.

2 years agoMerge branch 'cert-chain-fixes'
Tobias Brunner [Tue, 22 May 2018 07:52:08 +0000 (09:52 +0200)]
Merge branch 'cert-chain-fixes'

This fixes several issues that came up via BSI's Certification Path
Validation Test Tool (CPT):

 1) In compliance with RFC 4945, section, we now enforce that a
    certificate used for IKE authentication either does not contain a keyUsage
    extension (like the ones produced by pki --issue) or that they include
    digitalSignature or nonRepudiation.

 2) CRLs that are not yet valid are now rejected as that could be a
    problem in scenarios where expired certificates are removed from CRLs and
    the clock on the host doing the revocation check is trailing behind that
    of the host issuing CRLs.

 3) Results other than revocation (e.g. a skipped check because the CRL
    couldn't be fetched) are now stored also for intermediate CA certificates
    and not only for end-entity certificates, so a strict CRL policy can be
    enforced in such cases.

2 years agotesting: Add ikev2/multi-level-ca-skipped scenario
Tobias Brunner [Thu, 3 May 2018 09:26:34 +0000 (11:26 +0200)]
testing: Add ikev2/multi-level-ca-skipped scenario

2 years agorevocation: Fix memory leak if fetching CRL/OCSP fails
Tobias Brunner [Thu, 3 May 2018 09:38:07 +0000 (11:38 +0200)]
revocation: Fix memory leak if fetching CRL/OCSP fails

We might get a 404 error page back.

2 years agorevocation: Set defaults if CRL/OCSP checking is disabled in config
Tobias Brunner [Thu, 3 May 2018 09:19:18 +0000 (11:19 +0200)]
revocation: Set defaults if CRL/OCSP checking is disabled in config

2 years agorevocation: Also store validation results for intermediate CA certificates
Tobias Brunner [Thu, 3 May 2018 09:07:59 +0000 (11:07 +0200)]
revocation: Also store validation results for intermediate CA certificates

If the certificate is revoked, we immediately returned and the chain was
invalid, however, if we couldn't fetch the CRL that result was not stored
for intermediate CAs and we weren't able to enforce a strict CRL policy

2 years agorevocation: Ignore CRLs that are not yet valid
Tobias Brunner [Wed, 25 Apr 2018 09:38:38 +0000 (11:38 +0200)]
revocation: Ignore CRLs that are not yet valid

Using such CRLs can be a problem if the clock on the host doing the
revocation check is trailing behind that of the host issuing CRLs in
scenarios where expired certificates are removed from CRLs.  As revoked
certificates that expired will then not be part of new CRLs a host with
trailing clock might still accept such a certificate if it is still
valid according to its system clock but is not contained anymore in the
not yet valid CRL.

2 years agoopenssl: Fail CRL validity check if thisUpdate is in the future
Tobias Brunner [Wed, 25 Apr 2018 09:38:22 +0000 (11:38 +0200)]
openssl: Fail CRL validity check if thisUpdate is in the future

2 years agox509: Fail CRL validity check if thisUpdate is in the future
Tobias Brunner [Wed, 25 Apr 2018 09:37:43 +0000 (11:37 +0200)]
x509: Fail CRL validity check if thisUpdate is in the future

2 years agoike: Reject certificates that are not compliant with RFC 4945
Tobias Brunner [Wed, 25 Apr 2018 09:10:48 +0000 (11:10 +0200)]
ike: Reject certificates that are not compliant with RFC 4945

2 years agoopenssl: Set IKE compliance flag depending on keyUsage
Tobias Brunner [Wed, 25 Apr 2018 08:51:51 +0000 (10:51 +0200)]
openssl: Set IKE compliance flag depending on keyUsage

2 years agox509: Set IKE compliance flag depending on keyUsage
Tobias Brunner [Wed, 25 Apr 2018 08:50:03 +0000 (10:50 +0200)]
x509: Set IKE compliance flag depending on keyUsage

2 years agox509: Add flag that marks compliance with RFC 4945
Tobias Brunner [Wed, 25 Apr 2018 08:48:21 +0000 (10:48 +0200)]
x509: Add flag that marks compliance with RFC 4945

According to RFC 4945, section, a certificate for IKE must
either not contain the keyUsage extension, or, if it does, have at least
one of the digitalSignature or nonReputiation bits set.

2 years agoMerge branch 'dhcp-fixes'
Tobias Brunner [Tue, 22 May 2018 07:44:51 +0000 (09:44 +0200)]
Merge branch 'dhcp-fixes'

Fixes some issues in the dhcp plugin like avoiding ICMP port unreachables
when setting a specific server address, or increasing the maximum size for
options e.g. for DNs in the client identifier option. The latter is also
only sent now if identity_lease is enabled (for most DHCP servers it
serves the same function as a unique MAC address does).

2 years agodhcp: Only send client identifier if identity_lease is enabled
Tobias Brunner [Wed, 11 Apr 2018 08:51:01 +0000 (10:51 +0200)]
dhcp: Only send client identifier if identity_lease is enabled

The client identifier serves as unique identifier just like a unique MAC
address would, so even with identity_leases disabled some DHCP servers
might assign unique leases per identity.

2 years agodhcp: Increase maximum size of client identification option
Tobias Brunner [Tue, 10 Apr 2018 16:45:16 +0000 (18:45 +0200)]
dhcp: Increase maximum size of client identification option

This increases the chances that subject DNs that might have been cut
off with the arbitrary previous limit of 64 bytes might now be sent

The REQUEST message has the most static overhead in terms of other
options (17 bytes) as compared to DISCOVER (5) and RELEASE (7).
Added to that are 3 bytes for the DHCP message type, which means we have
288 bytes left for the two options based on the client identity (host
name and client identification).  Since both contain the same value, a
FQDN identity, which causes a host name option to get added, may be
142 bytes long, other identities like subject DNs may be 255 bytes
long (the maximum for a DHCP option).

2 years agodhcp: Increase buffer size for options in DHCP messages
Tobias Brunner [Tue, 10 Apr 2018 16:19:35 +0000 (18:19 +0200)]
dhcp: Increase buffer size for options in DHCP messages

According to RFC 2131, the minimum size of the 'options' field is 312
bytes, including the 4 byte magic cookie.  There also does not seem to
be any restriction regarding the message length, previously the length
was rounded to a multiple of 64 bytes.  The latter might have been
because in BOOTP the options field (or rather vendor-specific area as it
was called back then) had a fixed length of 64 bytes (so max(optlen+4, 64)
might actually have been what was intended), but for DHCP the field is
explicitly variable length, so I don't think it's necessary to pad it.

2 years agodhcp: Reduce receive buffer size on send socket
Tobias Brunner [Tue, 10 Apr 2018 16:14:32 +0000 (18:14 +0200)]
dhcp: Reduce receive buffer size on send socket

Since we won't read from the socket reducing the receive buffer saves
some memory and it should also minimize the impact on other processes that
bind the same port (Linux distributes packets to the sockets round-robin).

2 years agodhcp: Bind server port when a specific server address is specified
Tobias Brunner [Tue, 10 Apr 2018 15:04:10 +0000 (17:04 +0200)]
dhcp: Bind server port when a specific server address is specified

DHCP servers will respond to port 67 if giaddr is non-zero, which we set
if we are not broadcasting.  While such messages are received fine via
RAW socket the kernel will respond with an ICMP port unreachable if no
socket is bound to that port.  Instead of opening a dummy socket on port
67 just to avoid the ICMPs we can also just operate with a single
socket, bind it to port 67 and send our requests from that port.

Since SO_REUSEADDR behaves on Linux like SO_REUSEPORT does on other
systems we can bind that port even if a DHCP server is running on the
same host as the daemon (this might have to be adapted to make this work
on other systems, but due to the raw socket the plugin is not that portable

2 years agodhcp: Fix destination port check in packet filter
Tobias Brunner [Fri, 16 Mar 2018 08:59:25 +0000 (09:59 +0100)]
dhcp: Fix destination port check in packet filter

The previous code compared the port in the packet to the client port and, if
successful, checked it also against the server port, which, therefore, never
matched, but due to incorrect offsets did skip the BPF_JA.  If the client port
didn't match the code also skipped to the instruction after the BPF_JA.
However, the latter was incorrect also and processing would have continued at
the next instruction anyway.  Basically, DHCP packets to any port were accepted.

What's not fixed with this is that the kernel returns an ICMP Port
unreachable for packets sent to the server port (67) because we don't
have a socket bound to it.

Fixes: f0212e8837b5 ("Accept DHCP replies on bootps port, as we act as a relay agent if server address configured")

2 years agodhcp: Fix typos in comments
Matt Selsky [Thu, 12 Apr 2018 04:17:49 +0000 (00:17 -0400)]
dhcp: Fix typos in comments

2 years agoeap-aka-3gpp: Add test vectors from 3GPP TS 35.207 14.0.0
Tobias Brunner [Mon, 23 Apr 2018 16:46:30 +0000 (18:46 +0200)]
eap-aka-3gpp: Add test vectors from 3GPP TS 35.207 14.0.0

2 years agoappveyor: Also build on Windows Server 2016
Tobias Brunner [Thu, 29 Mar 2018 16:22:40 +0000 (18:22 +0200)]
appveyor: Also build on Windows Server 2016

2 years agopki: --verify command optionally takes directories for CAs and CRLs
Tobias Brunner [Mon, 12 Feb 2018 10:48:16 +0000 (11:48 +0100)]
pki: --verify command optionally takes directories for CAs and CRLs

2 years agobliss: Fix compilation with non-GNU C libraries
Tobias Brunner [Tue, 17 Apr 2018 12:19:19 +0000 (14:19 +0200)]
bliss: Fix compilation with non-GNU C libraries

Not even the glibc man page mentions that type.

Fixes #2638.

2 years agoAllow strongSwan to be spawned as non-root user
Micah Morton [Tue, 17 Apr 2018 20:29:03 +0000 (13:29 -0700)]
Allow strongSwan to be spawned as non-root user

This patch allows for giving strongSwan only the runtime capabilities it
needs, rather than full root privileges.

Adds preprocessor directives which allow strongSwan to be configured to
 1) start up as a non-root user
 2) avoid modprobe()'ing IPsec kernel modules into the kernel, which
    would normally require root or CAP_SYS_MODULE

Additionally, some small mods to charon/libstrongswan ensure that charon
fully supports starting as a non-root user.

Tested with strongSwan 5.5.3.

2 years agonm: Update NEWS
Tobias Brunner [Mon, 7 May 2018 10:10:35 +0000 (12:10 +0200)]
nm: Update NEWS

2 years agonm: Don't hardcode install path for .name file
Tobias Brunner [Wed, 25 Apr 2018 07:45:07 +0000 (09:45 +0200)]
nm: Don't hardcode install path for .name file

2 years agonm: Don't rely on NetworkManager.pc for paths when building without libnm-glib
Tobias Brunner [Wed, 25 Apr 2018 07:33:27 +0000 (09:33 +0200)]
nm: Don't rely on NetworkManager.pc for paths when building without libnm-glib

Also make the paths configurable, in case the defaults don't work out on
a certain platform.

2 years agolibimcv: Added inactive field to device database table
Andreas Steffen [Fri, 13 Apr 2018 10:25:50 +0000 (12:25 +0200)]
libimcv: Added inactive field to device database table

2 years agosw-collector: Added --check option
Andreas Steffen [Thu, 26 Apr 2018 14:24:59 +0000 (16:24 +0200)]
sw-collector: Added --check option

2 years agoikev1: Ignore roam events for IKEv1
Tobias Brunner [Wed, 25 Apr 2018 13:14:21 +0000 (15:14 +0200)]
ikev1: Ignore roam events for IKEv1

We don't have MOBIKE and the fallback to reauthentication does also not
make much sense as that doesn't affect the CHILD_SAs for IKEv1.  So
instead of complicating the code we just ignore roam events for IKEv1
for now.

Closes strongswan/strongswan#100.

2 years agothread: Properly clean up meta data of thread if pthread_create() fails
Tobias Brunner [Tue, 17 Apr 2018 09:37:35 +0000 (11:37 +0200)]
thread: Properly clean up meta data of thread if pthread_create() fails

2 years agoVersion bump to 5.6.3dr1 5.6.3dr1
Andreas Steffen [Thu, 19 Apr 2018 14:34:06 +0000 (16:34 +0200)]
Version bump to 5.6.3dr1

2 years agotesting: Fixed ikev2/alg-chacha20poly1305 scenario
Andreas Steffen [Thu, 19 Apr 2018 14:33:04 +0000 (16:33 +0200)]
testing: Fixed ikev2/alg-chacha20poly1305 scenario

3 years agoike: Ignore rekeyed and deleted CHILD_SAs when reestablishing IKE_SAs
Tobias Brunner [Tue, 10 Apr 2018 09:48:26 +0000 (11:48 +0200)]
ike: Ignore rekeyed and deleted CHILD_SAs when reestablishing IKE_SAs

3 years agoike: Remove special handling for routed CHILD_SAs during reauth/reestablish
Tobias Brunner [Tue, 10 Apr 2018 09:43:40 +0000 (11:43 +0200)]
ike: Remove special handling for routed CHILD_SAs during reauth/reestablish

These are managed in the trap manager, no trap policies will ever be
attached to an IKE_SA (might have been the case in very early releases).

3 years agocontroller: Remove special handling for routed CHILD_SAs when terminating
Tobias Brunner [Thu, 12 Apr 2018 14:28:39 +0000 (16:28 +0200)]
controller: Remove special handling for routed CHILD_SAs when terminating

In very early versions routed CHILD_SAs were attached to IKE_SAs, since
that's not the case anymore (they are handled via trap manager), we can
remove this special handling.

3 years agoproposal: Don't specify key length for ChaCha20/Poly1305
Tobias Brunner [Wed, 4 Apr 2018 16:08:11 +0000 (18:08 +0200)]
proposal: Don't specify key length for ChaCha20/Poly1305

This algorithm uses a fixed-length key and we MUST NOT send a key length
attribute when proposing such algorithms.

While we could accept transforms with key length this would only work as
responder, as original initiator it wouldn't because we won't know if a
peer requires the key length.  And as exchange initiator (e.g. for
rekeyings), while being original responder, we'd have to go to great
lengths to store the condition and modify the sent proposal to patch in
the key length.  This doesn't seem worth it for only a partial fix.
This means, however, that ChaCha20/Poly1305 can't be used with previous
releases (5.3.3 an newer) that don't contain this fix.

Fixes #2614.

Fixes: 3232c0e64ed1 ("Merge branch 'chapoly'")

3 years agoikev2: Reuse marks and reqid of CHILD_SAs during MBB reauthentication
Tobias Brunner [Wed, 4 Apr 2018 07:28:28 +0000 (09:28 +0200)]
ikev2: Reuse marks and reqid of CHILD_SAs during MBB reauthentication

Since these are installed overlapping (like during a rekeying) we have to use
the same (unique) marks (and possibly reqid) that were used previously,
otherwise, the policy installation will fail.

Fixes #2610.

3 years agorevocation: Make sure issuer of fetched CRL matches that of the certificate
Tobias Brunner [Wed, 4 Apr 2018 14:16:38 +0000 (16:16 +0200)]
revocation: Make sure issuer of fetched CRL matches that of the certificate

Unless there is a cRLIssuer listed in the CDP, the CRL should be issued
by the same issuer as the checked certificate.

Fixes #2608.

3 years agoike: Float to port 4500 if either port is 500
Tobias Brunner [Thu, 29 Mar 2018 09:23:15 +0000 (11:23 +0200)]
ike: Float to port 4500 if either port is 500

If the responder is behind a NAT that remaps the response from the
statically forwarded port 500 to a new external port (as Azure seems to be
doing) we should still switch to port 4500 if we used port 500 so far as
it would not have been possible to send any messages to it if it wasn't
really port 500 (we only add a non-ESP marker if neither port is 500).

3 years agoMerge branch 'ikev1-down-reauth'
Tobias Brunner [Thu, 12 Apr 2018 13:19:49 +0000 (15:19 +0200)]
Merge branch 'ikev1-down-reauth'

This triggers child_updown() if IKEv1 reauthentication fails due to
retransmits. The SA is also tried to be reestablished.

Fixes #2573.

3 years ago_updown: Remove printf calls for identities
Tobias Brunner [Mon, 12 Mar 2018 09:20:42 +0000 (10:20 +0100)]
_updown: Remove printf calls for identities

This was apparently for compatibility with pluto, which escaped some
characters as octal values.

3 years agoikev1: Trigger down events for CHILD_SAs if reauthentication failed due to retransmits
Tobias Brunner [Thu, 1 Mar 2018 17:02:08 +0000 (18:02 +0100)]
ikev1: Trigger down events for CHILD_SAs if reauthentication failed due to retransmits

3 years agoikev1: Reestablish SAs if reauthentication failed due to retransmits
Tobias Brunner [Thu, 1 Mar 2018 16:53:59 +0000 (17:53 +0100)]
ikev1: Reestablish SAs if reauthentication failed due to retransmits

3 years agotraffic-selector: Always print protocol if either protocol or port is set
Tobias Brunner [Wed, 11 Apr 2018 10:15:55 +0000 (12:15 +0200)]
traffic-selector: Always print protocol if either protocol or port is set

This helps to distinguish between port and protocol if only one of them
is set.  If no protocol is set it's printed as 0, if the traffic
selector covers any port (0-65535) the slash that separates the two values
and the port is omitted.

3 years agoMerge branch 'child-deleted'
Tobias Brunner [Mon, 9 Apr 2018 15:15:24 +0000 (17:15 +0200)]
Merge branch 'child-deleted'

This adds a new state for CHILD_SAs that we deleted but still keep
around to process delayed packets (IKEv2 only).  This allows us to treat
them specially in some cases (e.g. to avoid triggering child_updown()
events as we already did that when we deleted such SAs).

Closes strongswan/strongswan#93.

3 years agobus: Don't trigger child_updown for deleted CHILD_SAs
Tobias Brunner [Tue, 20 Mar 2018 11:44:35 +0000 (12:44 +0100)]
bus: Don't trigger child_updown for deleted CHILD_SAs

These were rekeyed but have not been destroyed yet.

3 years agochild-sa: Add new state to track deleted but not yet destroyed CHILD_SAs
Tobias Brunner [Tue, 20 Mar 2018 11:43:13 +0000 (12:43 +0100)]
child-sa: Add new state to track deleted but not yet destroyed CHILD_SAs

This allows us to easily identify SAs we keep around after a rekeying to
process delayed packets.

3 years agoikev1: Unify child_updown calls when having duplicate QMs
Afschin Hormozdiary [Tue, 27 Mar 2018 14:55:59 +0000 (16:55 +0200)]
ikev1: Unify child_updown calls when having duplicate QMs

If a Quick mode is initiated for a CHILD_SA that is already installed
we can identify this situation and rekey the already installed CHILD_SA.

Otherwise we end up with several CHILD_SAs in state INSTALLED which
means multiple calls of child_updown are done. Unfortunately,
the deduplication code later does not call child_updown() (so up and down
were not even).

Closes strongswan/strongswan#95.

3 years agolibtpmtss: Properly initialize tabrmd tcti_context
Andreas Steffen [Mon, 9 Apr 2018 09:07:16 +0000 (11:07 +0200)]
libtpmtss: Properly initialize tabrmd tcti_context

3 years agotesting: Fix typo in sysctl.conf file
Matt Selsky [Fri, 30 Mar 2018 05:35:53 +0000 (01:35 -0400)]
testing: Fix typo in sysctl.conf file

Closes strongswan/strongswan#97.

3 years agopkcs11: Use unused return value of C_GetMechanismList
robinleander [Tue, 27 Mar 2018 20:50:28 +0000 (22:50 +0200)]
pkcs11: Use unused return value of C_GetMechanismList

Closes strongswan/strongswan#96.

3 years agokernel-pfkey: Add option to install routes via internal interface
Tobias Brunner [Thu, 8 Mar 2018 17:34:50 +0000 (18:34 +0100)]
kernel-pfkey: Add option to install routes via internal interface

On FreeBSD, enabling this selects the correct source IP when sending
packets from the gateway itself.

3 years agoMerge branch 'hw-offload-auto'
Tobias Brunner [Wed, 21 Mar 2018 09:32:48 +0000 (10:32 +0100)]
Merge branch 'hw-offload-auto'

This lets IPsec SA installation explicitly fail if HW offload is enabled
but either the kernel or the device don't support it.  And it adds a new
configuration mode 'auto', which enables HW offload, if supported, but
does not fail the installation otherwise.

3 years agochild-cfg: Make HW offload auto mode configurable
Adi Nissim [Mon, 12 Mar 2018 14:34:21 +0000 (16:34 +0200)]
child-cfg: Make HW offload auto mode configurable

Until now the configuration available to user for HW offload were:
hw_offload = no
hw_offload = yes

With this commit users will be able to configure auto mode using:
hw_offload = auto

Signed-off-by: Adi Nissim <>
Reviewed-by: Aviv Heller <>
3 years agokernel-netlink: Cleanup and fix some HW offload code issues
Tobias Brunner [Fri, 16 Mar 2018 18:34:43 +0000 (19:34 +0100)]
kernel-netlink: Cleanup and fix some HW offload code issues

Besides some style issues there were some incorrect allocations
for ethtool requests.

3 years agokernel-netlink: Add new automatic hw_offload mode
Adi Nissim [Mon, 12 Mar 2018 14:34:20 +0000 (16:34 +0200)]
kernel-netlink: Add new automatic hw_offload mode

Until now there were 2 hw_offload modes: no/yes
* hw_offload = no  : Configure the SA without HW offload.
* hw_offload = yes : Configure the SA with HW offload.
                     In this case, if the device does not support
                     offloading, SA creation will fail.

This commit introduces a new mode: hw_offload = auto
If the device and kernel support HW offload, configure
the SA with HW offload, but do not fail SA creation otherwise.

Signed-off-by: Adi Nissim <>
Reviewed-by: Aviv Heller <>
3 years agoipsec-types: Create new enum hw_offload_t
Adi Nissim [Mon, 12 Mar 2018 14:34:19 +0000 (16:34 +0200)]
ipsec-types: Create new enum hw_offload_t

Add the new enum in order to add HW offload auto mode.

Signed-off-by: Adi Nissim <>
Reviewed-by: Aviv Heller <>
3 years agostarter: Ignore an existing PID file if it references ourself
Martin Willi [Mon, 12 Mar 2018 06:26:06 +0000 (07:26 +0100)]
starter: Ignore an existing PID file if it references ourself

3 years agocharon-tkm: Ignore an existing PID file if it references ourself
Martin Willi [Mon, 12 Mar 2018 06:25:49 +0000 (07:25 +0100)]
charon-tkm: Ignore an existing PID file if it references ourself

3 years agocharon: Ignore an existing PID file if it references ourself
Martin Willi [Mon, 12 Mar 2018 06:16:52 +0000 (07:16 +0100)]
charon: Ignore an existing PID file if it references ourself

If a daemon PID file references the process that does the check, it is safe
to ignore it; no running process can have the same PID. While this is rather
unlikely to get restarted with the same PID under normal conditions, it is
quite common when running inside PID namespaced containers: If a container
gets stopped and restarted with a PID file remaining, it is very likely that
the PID namespace assigns the same PID to our service, as they are assigned
sequentially starting from 1.

3 years agodiffie-hellman: Remove unused exponent length initialization in get_params()
Tobias Brunner [Tue, 13 Mar 2018 11:18:56 +0000 (12:18 +0100)]
diffie-hellman: Remove unused exponent length initialization in get_params()

This isn't used anymore since 46184b07c163 ("diffie-hellman: Explicitly
initialize DH exponent sizes during initialization").

3 years agodiffie-hellman: Don't set exponent length for DH groups with prime order subgroups
Tobias Brunner [Tue, 13 Mar 2018 11:13:47 +0000 (12:13 +0100)]
diffie-hellman: Don't set exponent length for DH groups with prime order subgroups

According to RFC 5114 the exponent length for these groups should always equal
the size of their prime order subgroup.
This was handled correctly before the initialization was done during
library initialization.

Fixes: 46184b07c163 ("diffie-hellman: Explicitly initialize DH exponent sizes during initialization")