strongswan.git
16 months agoopenssl: Fail CRL validity check if thisUpdate is in the future
Tobias Brunner [Wed, 25 Apr 2018 09:38:22 +0000 (11:38 +0200)]
openssl: Fail CRL validity check if thisUpdate is in the future

16 months agox509: Fail CRL validity check if thisUpdate is in the future
Tobias Brunner [Wed, 25 Apr 2018 09:37:43 +0000 (11:37 +0200)]
x509: Fail CRL validity check if thisUpdate is in the future

16 months agoike: Reject certificates that are not compliant with RFC 4945
Tobias Brunner [Wed, 25 Apr 2018 09:10:48 +0000 (11:10 +0200)]
ike: Reject certificates that are not compliant with RFC 4945

16 months agoopenssl: Set IKE compliance flag depending on keyUsage
Tobias Brunner [Wed, 25 Apr 2018 08:51:51 +0000 (10:51 +0200)]
openssl: Set IKE compliance flag depending on keyUsage

16 months agox509: Set IKE compliance flag depending on keyUsage
Tobias Brunner [Wed, 25 Apr 2018 08:50:03 +0000 (10:50 +0200)]
x509: Set IKE compliance flag depending on keyUsage

16 months agox509: Add flag that marks compliance with RFC 4945
Tobias Brunner [Wed, 25 Apr 2018 08:48:21 +0000 (10:48 +0200)]
x509: Add flag that marks compliance with RFC 4945

According to RFC 4945, section 5.1.3.2, a certificate for IKE must
either not contain the keyUsage extension, or, if it does, have at least
one of the digitalSignature or nonReputiation bits set.

16 months agoMerge branch 'dhcp-fixes'
Tobias Brunner [Tue, 22 May 2018 07:44:51 +0000 (09:44 +0200)]
Merge branch 'dhcp-fixes'

Fixes some issues in the dhcp plugin like avoiding ICMP port unreachables
when setting a specific server address, or increasing the maximum size for
options e.g. for DNs in the client identifier option. The latter is also
only sent now if identity_lease is enabled (for most DHCP servers it
serves the same function as a unique MAC address does).

16 months agodhcp: Only send client identifier if identity_lease is enabled
Tobias Brunner [Wed, 11 Apr 2018 08:51:01 +0000 (10:51 +0200)]
dhcp: Only send client identifier if identity_lease is enabled

The client identifier serves as unique identifier just like a unique MAC
address would, so even with identity_leases disabled some DHCP servers
might assign unique leases per identity.

16 months agodhcp: Increase maximum size of client identification option
Tobias Brunner [Tue, 10 Apr 2018 16:45:16 +0000 (18:45 +0200)]
dhcp: Increase maximum size of client identification option

This increases the chances that subject DNs that might have been cut
off with the arbitrary previous limit of 64 bytes might now be sent
successfully.

The REQUEST message has the most static overhead in terms of other
options (17 bytes) as compared to DISCOVER (5) and RELEASE (7).
Added to that are 3 bytes for the DHCP message type, which means we have
288 bytes left for the two options based on the client identity (host
name and client identification).  Since both contain the same value, a
FQDN identity, which causes a host name option to get added, may be
142 bytes long, other identities like subject DNs may be 255 bytes
long (the maximum for a DHCP option).

16 months agodhcp: Increase buffer size for options in DHCP messages
Tobias Brunner [Tue, 10 Apr 2018 16:19:35 +0000 (18:19 +0200)]
dhcp: Increase buffer size for options in DHCP messages

According to RFC 2131, the minimum size of the 'options' field is 312
bytes, including the 4 byte magic cookie.  There also does not seem to
be any restriction regarding the message length, previously the length
was rounded to a multiple of 64 bytes.  The latter might have been
because in BOOTP the options field (or rather vendor-specific area as it
was called back then) had a fixed length of 64 bytes (so max(optlen+4, 64)
might actually have been what was intended), but for DHCP the field is
explicitly variable length, so I don't think it's necessary to pad it.

16 months agodhcp: Reduce receive buffer size on send socket
Tobias Brunner [Tue, 10 Apr 2018 16:14:32 +0000 (18:14 +0200)]
dhcp: Reduce receive buffer size on send socket

Since we won't read from the socket reducing the receive buffer saves
some memory and it should also minimize the impact on other processes that
bind the same port (Linux distributes packets to the sockets round-robin).

16 months agodhcp: Bind server port when a specific server address is specified
Tobias Brunner [Tue, 10 Apr 2018 15:04:10 +0000 (17:04 +0200)]
dhcp: Bind server port when a specific server address is specified

DHCP servers will respond to port 67 if giaddr is non-zero, which we set
if we are not broadcasting.  While such messages are received fine via
RAW socket the kernel will respond with an ICMP port unreachable if no
socket is bound to that port.  Instead of opening a dummy socket on port
67 just to avoid the ICMPs we can also just operate with a single
socket, bind it to port 67 and send our requests from that port.

Since SO_REUSEADDR behaves on Linux like SO_REUSEPORT does on other
systems we can bind that port even if a DHCP server is running on the
same host as the daemon (this might have to be adapted to make this work
on other systems, but due to the raw socket the plugin is not that portable
anyway).

16 months agodhcp: Fix destination port check in packet filter
Tobias Brunner [Fri, 16 Mar 2018 08:59:25 +0000 (09:59 +0100)]
dhcp: Fix destination port check in packet filter

The previous code compared the port in the packet to the client port and, if
successful, checked it also against the server port, which, therefore, never
matched, but due to incorrect offsets did skip the BPF_JA.  If the client port
didn't match the code also skipped to the instruction after the BPF_JA.
However, the latter was incorrect also and processing would have continued at
the next instruction anyway.  Basically, DHCP packets to any port were accepted.

What's not fixed with this is that the kernel returns an ICMP Port
unreachable for packets sent to the server port (67) because we don't
have a socket bound to it.

Fixes: f0212e8837b5 ("Accept DHCP replies on bootps port, as we act as a relay agent if server address configured")

16 months agodhcp: Fix typos in comments
Matt Selsky [Thu, 12 Apr 2018 04:17:49 +0000 (00:17 -0400)]
dhcp: Fix typos in comments

16 months agoeap-aka-3gpp: Add test vectors from 3GPP TS 35.207 14.0.0
Tobias Brunner [Mon, 23 Apr 2018 16:46:30 +0000 (18:46 +0200)]
eap-aka-3gpp: Add test vectors from 3GPP TS 35.207 14.0.0

16 months agoappveyor: Also build on Windows Server 2016
Tobias Brunner [Thu, 29 Mar 2018 16:22:40 +0000 (18:22 +0200)]
appveyor: Also build on Windows Server 2016

16 months agopki: --verify command optionally takes directories for CAs and CRLs
Tobias Brunner [Mon, 12 Feb 2018 10:48:16 +0000 (11:48 +0100)]
pki: --verify command optionally takes directories for CAs and CRLs

16 months agobliss: Fix compilation with non-GNU C libraries
Tobias Brunner [Tue, 17 Apr 2018 12:19:19 +0000 (14:19 +0200)]
bliss: Fix compilation with non-GNU C libraries

Not even the glibc man page mentions that type.

Fixes #2638.

16 months agoAllow strongSwan to be spawned as non-root user
Micah Morton [Tue, 17 Apr 2018 20:29:03 +0000 (13:29 -0700)]
Allow strongSwan to be spawned as non-root user

This patch allows for giving strongSwan only the runtime capabilities it
needs, rather than full root privileges.

Adds preprocessor directives which allow strongSwan to be configured to
 1) start up as a non-root user
 2) avoid modprobe()'ing IPsec kernel modules into the kernel, which
    would normally require root or CAP_SYS_MODULE

Additionally, some small mods to charon/libstrongswan ensure that charon
fully supports starting as a non-root user.

Tested with strongSwan 5.5.3.

16 months agonm: Update NEWS
Tobias Brunner [Mon, 7 May 2018 10:10:35 +0000 (12:10 +0200)]
nm: Update NEWS

16 months agonm: Don't hardcode install path for .name file
Tobias Brunner [Wed, 25 Apr 2018 07:45:07 +0000 (09:45 +0200)]
nm: Don't hardcode install path for .name file

16 months agonm: Don't rely on NetworkManager.pc for paths when building without libnm-glib
Tobias Brunner [Wed, 25 Apr 2018 07:33:27 +0000 (09:33 +0200)]
nm: Don't rely on NetworkManager.pc for paths when building without libnm-glib

Also make the paths configurable, in case the defaults don't work out on
a certain platform.

16 months agolibimcv: Added inactive field to device database table
Andreas Steffen [Fri, 13 Apr 2018 10:25:50 +0000 (12:25 +0200)]
libimcv: Added inactive field to device database table

16 months agosw-collector: Added --check option
Andreas Steffen [Thu, 26 Apr 2018 14:24:59 +0000 (16:24 +0200)]
sw-collector: Added --check option

16 months agoikev1: Ignore roam events for IKEv1
Tobias Brunner [Wed, 25 Apr 2018 13:14:21 +0000 (15:14 +0200)]
ikev1: Ignore roam events for IKEv1

We don't have MOBIKE and the fallback to reauthentication does also not
make much sense as that doesn't affect the CHILD_SAs for IKEv1.  So
instead of complicating the code we just ignore roam events for IKEv1
for now.

Closes strongswan/strongswan#100.

17 months agothread: Properly clean up meta data of thread if pthread_create() fails
Tobias Brunner [Tue, 17 Apr 2018 09:37:35 +0000 (11:37 +0200)]
thread: Properly clean up meta data of thread if pthread_create() fails

17 months agoVersion bump to 5.6.3dr1 5.6.3dr1
Andreas Steffen [Thu, 19 Apr 2018 14:34:06 +0000 (16:34 +0200)]
Version bump to 5.6.3dr1

17 months agotesting: Fixed ikev2/alg-chacha20poly1305 scenario
Andreas Steffen [Thu, 19 Apr 2018 14:33:04 +0000 (16:33 +0200)]
testing: Fixed ikev2/alg-chacha20poly1305 scenario

17 months agoike: Ignore rekeyed and deleted CHILD_SAs when reestablishing IKE_SAs
Tobias Brunner [Tue, 10 Apr 2018 09:48:26 +0000 (11:48 +0200)]
ike: Ignore rekeyed and deleted CHILD_SAs when reestablishing IKE_SAs

17 months agoike: Remove special handling for routed CHILD_SAs during reauth/reestablish
Tobias Brunner [Tue, 10 Apr 2018 09:43:40 +0000 (11:43 +0200)]
ike: Remove special handling for routed CHILD_SAs during reauth/reestablish

These are managed in the trap manager, no trap policies will ever be
attached to an IKE_SA (might have been the case in very early releases).

17 months agocontroller: Remove special handling for routed CHILD_SAs when terminating
Tobias Brunner [Thu, 12 Apr 2018 14:28:39 +0000 (16:28 +0200)]
controller: Remove special handling for routed CHILD_SAs when terminating

In very early versions routed CHILD_SAs were attached to IKE_SAs, since
that's not the case anymore (they are handled via trap manager), we can
remove this special handling.

17 months agoproposal: Don't specify key length for ChaCha20/Poly1305
Tobias Brunner [Wed, 4 Apr 2018 16:08:11 +0000 (18:08 +0200)]
proposal: Don't specify key length for ChaCha20/Poly1305

This algorithm uses a fixed-length key and we MUST NOT send a key length
attribute when proposing such algorithms.

While we could accept transforms with key length this would only work as
responder, as original initiator it wouldn't because we won't know if a
peer requires the key length.  And as exchange initiator (e.g. for
rekeyings), while being original responder, we'd have to go to great
lengths to store the condition and modify the sent proposal to patch in
the key length.  This doesn't seem worth it for only a partial fix.
This means, however, that ChaCha20/Poly1305 can't be used with previous
releases (5.3.3 an newer) that don't contain this fix.

Fixes #2614.

Fixes: 3232c0e64ed1 ("Merge branch 'chapoly'")

17 months agoikev2: Reuse marks and reqid of CHILD_SAs during MBB reauthentication
Tobias Brunner [Wed, 4 Apr 2018 07:28:28 +0000 (09:28 +0200)]
ikev2: Reuse marks and reqid of CHILD_SAs during MBB reauthentication

Since these are installed overlapping (like during a rekeying) we have to use
the same (unique) marks (and possibly reqid) that were used previously,
otherwise, the policy installation will fail.

Fixes #2610.

17 months agorevocation: Make sure issuer of fetched CRL matches that of the certificate
Tobias Brunner [Wed, 4 Apr 2018 14:16:38 +0000 (16:16 +0200)]
revocation: Make sure issuer of fetched CRL matches that of the certificate

Unless there is a cRLIssuer listed in the CDP, the CRL should be issued
by the same issuer as the checked certificate.

Fixes #2608.

17 months agoike: Float to port 4500 if either port is 500
Tobias Brunner [Thu, 29 Mar 2018 09:23:15 +0000 (11:23 +0200)]
ike: Float to port 4500 if either port is 500

If the responder is behind a NAT that remaps the response from the
statically forwarded port 500 to a new external port (as Azure seems to be
doing) we should still switch to port 4500 if we used port 500 so far as
it would not have been possible to send any messages to it if it wasn't
really port 500 (we only add a non-ESP marker if neither port is 500).

17 months agoMerge branch 'ikev1-down-reauth'
Tobias Brunner [Thu, 12 Apr 2018 13:19:49 +0000 (15:19 +0200)]
Merge branch 'ikev1-down-reauth'

This triggers child_updown() if IKEv1 reauthentication fails due to
retransmits. The SA is also tried to be reestablished.

Fixes #2573.

17 months ago_updown: Remove printf calls for identities
Tobias Brunner [Mon, 12 Mar 2018 09:20:42 +0000 (10:20 +0100)]
_updown: Remove printf calls for identities

This was apparently for compatibility with pluto, which escaped some
characters as octal values.

17 months agoikev1: Trigger down events for CHILD_SAs if reauthentication failed due to retransmits
Tobias Brunner [Thu, 1 Mar 2018 17:02:08 +0000 (18:02 +0100)]
ikev1: Trigger down events for CHILD_SAs if reauthentication failed due to retransmits

17 months agoikev1: Reestablish SAs if reauthentication failed due to retransmits
Tobias Brunner [Thu, 1 Mar 2018 16:53:59 +0000 (17:53 +0100)]
ikev1: Reestablish SAs if reauthentication failed due to retransmits

17 months agotraffic-selector: Always print protocol if either protocol or port is set
Tobias Brunner [Wed, 11 Apr 2018 10:15:55 +0000 (12:15 +0200)]
traffic-selector: Always print protocol if either protocol or port is set

This helps to distinguish between port and protocol if only one of them
is set.  If no protocol is set it's printed as 0, if the traffic
selector covers any port (0-65535) the slash that separates the two values
and the port is omitted.

17 months agoMerge branch 'child-deleted'
Tobias Brunner [Mon, 9 Apr 2018 15:15:24 +0000 (17:15 +0200)]
Merge branch 'child-deleted'

This adds a new state for CHILD_SAs that we deleted but still keep
around to process delayed packets (IKEv2 only).  This allows us to treat
them specially in some cases (e.g. to avoid triggering child_updown()
events as we already did that when we deleted such SAs).

Closes strongswan/strongswan#93.

17 months agobus: Don't trigger child_updown for deleted CHILD_SAs
Tobias Brunner [Tue, 20 Mar 2018 11:44:35 +0000 (12:44 +0100)]
bus: Don't trigger child_updown for deleted CHILD_SAs

These were rekeyed but have not been destroyed yet.

17 months agochild-sa: Add new state to track deleted but not yet destroyed CHILD_SAs
Tobias Brunner [Tue, 20 Mar 2018 11:43:13 +0000 (12:43 +0100)]
child-sa: Add new state to track deleted but not yet destroyed CHILD_SAs

This allows us to easily identify SAs we keep around after a rekeying to
process delayed packets.

17 months agoikev1: Unify child_updown calls when having duplicate QMs
Afschin Hormozdiary [Tue, 27 Mar 2018 14:55:59 +0000 (16:55 +0200)]
ikev1: Unify child_updown calls when having duplicate QMs

If a Quick mode is initiated for a CHILD_SA that is already installed
we can identify this situation and rekey the already installed CHILD_SA.

Otherwise we end up with several CHILD_SAs in state INSTALLED which
means multiple calls of child_updown are done. Unfortunately,
the deduplication code later does not call child_updown() (so up and down
were not even).

Closes strongswan/strongswan#95.

17 months agolibtpmtss: Properly initialize tabrmd tcti_context
Andreas Steffen [Mon, 9 Apr 2018 09:07:16 +0000 (11:07 +0200)]
libtpmtss: Properly initialize tabrmd tcti_context

17 months agotesting: Fix typo in sysctl.conf file
Matt Selsky [Fri, 30 Mar 2018 05:35:53 +0000 (01:35 -0400)]
testing: Fix typo in sysctl.conf file

Closes strongswan/strongswan#97.

17 months agopkcs11: Use unused return value of C_GetMechanismList
robinleander [Tue, 27 Mar 2018 20:50:28 +0000 (22:50 +0200)]
pkcs11: Use unused return value of C_GetMechanismList

Closes strongswan/strongswan#96.

18 months agokernel-pfkey: Add option to install routes via internal interface
Tobias Brunner [Thu, 8 Mar 2018 17:34:50 +0000 (18:34 +0100)]
kernel-pfkey: Add option to install routes via internal interface

On FreeBSD, enabling this selects the correct source IP when sending
packets from the gateway itself.

18 months agoMerge branch 'hw-offload-auto'
Tobias Brunner [Wed, 21 Mar 2018 09:32:48 +0000 (10:32 +0100)]
Merge branch 'hw-offload-auto'

This lets IPsec SA installation explicitly fail if HW offload is enabled
but either the kernel or the device don't support it.  And it adds a new
configuration mode 'auto', which enables HW offload, if supported, but
does not fail the installation otherwise.

18 months agochild-cfg: Make HW offload auto mode configurable
Adi Nissim [Mon, 12 Mar 2018 14:34:21 +0000 (16:34 +0200)]
child-cfg: Make HW offload auto mode configurable

Until now the configuration available to user for HW offload were:
hw_offload = no
hw_offload = yes

With this commit users will be able to configure auto mode using:
hw_offload = auto

Signed-off-by: Adi Nissim <adin@mellanox.com>
Reviewed-by: Aviv Heller <avivh@mellanox.com>
18 months agokernel-netlink: Cleanup and fix some HW offload code issues
Tobias Brunner [Fri, 16 Mar 2018 18:34:43 +0000 (19:34 +0100)]
kernel-netlink: Cleanup and fix some HW offload code issues

Besides some style issues there were some incorrect allocations
for ethtool requests.

18 months agokernel-netlink: Add new automatic hw_offload mode
Adi Nissim [Mon, 12 Mar 2018 14:34:20 +0000 (16:34 +0200)]
kernel-netlink: Add new automatic hw_offload mode

Until now there were 2 hw_offload modes: no/yes
* hw_offload = no  : Configure the SA without HW offload.
* hw_offload = yes : Configure the SA with HW offload.
                     In this case, if the device does not support
                     offloading, SA creation will fail.

This commit introduces a new mode: hw_offload = auto
----------------------------------------------------
If the device and kernel support HW offload, configure
the SA with HW offload, but do not fail SA creation otherwise.

Signed-off-by: Adi Nissim <adin@mellanox.com>
Reviewed-by: Aviv Heller <avivh@mellanox.com>
18 months agoipsec-types: Create new enum hw_offload_t
Adi Nissim [Mon, 12 Mar 2018 14:34:19 +0000 (16:34 +0200)]
ipsec-types: Create new enum hw_offload_t

Add the new enum in order to add HW offload auto mode.

Signed-off-by: Adi Nissim <adin@mellanox.com>
Reviewed-by: Aviv Heller <avivh@mellanox.com>
18 months agostarter: Ignore an existing PID file if it references ourself
Martin Willi [Mon, 12 Mar 2018 06:26:06 +0000 (07:26 +0100)]
starter: Ignore an existing PID file if it references ourself

18 months agocharon-tkm: Ignore an existing PID file if it references ourself
Martin Willi [Mon, 12 Mar 2018 06:25:49 +0000 (07:25 +0100)]
charon-tkm: Ignore an existing PID file if it references ourself

18 months agocharon: Ignore an existing PID file if it references ourself
Martin Willi [Mon, 12 Mar 2018 06:16:52 +0000 (07:16 +0100)]
charon: Ignore an existing PID file if it references ourself

If a daemon PID file references the process that does the check, it is safe
to ignore it; no running process can have the same PID. While this is rather
unlikely to get restarted with the same PID under normal conditions, it is
quite common when running inside PID namespaced containers: If a container
gets stopped and restarted with a PID file remaining, it is very likely that
the PID namespace assigns the same PID to our service, as they are assigned
sequentially starting from 1.

18 months agodiffie-hellman: Remove unused exponent length initialization in get_params()
Tobias Brunner [Tue, 13 Mar 2018 11:18:56 +0000 (12:18 +0100)]
diffie-hellman: Remove unused exponent length initialization in get_params()

This isn't used anymore since 46184b07c163 ("diffie-hellman: Explicitly
initialize DH exponent sizes during initialization").

18 months agodiffie-hellman: Don't set exponent length for DH groups with prime order subgroups
Tobias Brunner [Tue, 13 Mar 2018 11:13:47 +0000 (12:13 +0100)]
diffie-hellman: Don't set exponent length for DH groups with prime order subgroups

According to RFC 5114 the exponent length for these groups should always equal
the size of their prime order subgroup.
This was handled correctly before the initialization was done during
library initialization.

Fixes: 46184b07c163 ("diffie-hellman: Explicitly initialize DH exponent sizes during initialization")

18 months agoproposal: Make sure non-AEAD IKE proposals contain integrity algorithms
Tobias Brunner [Thu, 8 Mar 2018 17:26:19 +0000 (18:26 +0100)]
proposal: Make sure non-AEAD IKE proposals contain integrity algorithms

18 months agoproposal: Compress arrays after removing transforms
Tobias Brunner [Thu, 8 Mar 2018 17:22:55 +0000 (18:22 +0100)]
proposal: Compress arrays after removing transforms

18 months agoikev2: Use correct type to check for selected signature scheme
Tobias Brunner [Tue, 6 Mar 2018 16:28:33 +0000 (17:28 +0100)]
ikev2: Use correct type to check for selected signature scheme

The previous code was obviously incorrect and caused strange side effects
depending on the compiler and its optimization flags (infinite looping seen
with GCC 4.8.4, segfault when destroying the private key in build() seen
with clang 4.0.0 on FreeBSD).

Fixes #2579.

18 months agovici: Make sure to read all requested data from socket in Perl binding
Tobias Brunner [Wed, 7 Mar 2018 09:31:11 +0000 (10:31 +0100)]
vici: Make sure to read all requested data from socket in Perl binding

Closes strongswan/strongswan#91.

18 months agolibimcv: Add Debian 8.10 to IMV database
Tobias Brunner [Tue, 20 Mar 2018 08:19:07 +0000 (09:19 +0100)]
libimcv: Add Debian 8.10 to IMV database

References #2582.

18 months agostroke: Ensure a minimum message length
Tobias Brunner [Tue, 13 Mar 2018 17:54:08 +0000 (18:54 +0100)]
stroke: Ensure a minimum message length

18 months agolibipsec: Fix ip_packet_create_from_data() version field in IPv6 header
Matus Fabian [Mon, 19 Mar 2018 09:19:45 +0000 (02:19 -0700)]
libipsec: Fix ip_packet_create_from_data() version field in IPv6 header

Closes strongswan/strongswan#92.

Signed-off-by: Matus Fabian <matfabia@cisco.com>
18 months agotesting: Use HA patch compatible with 4.15.6+
Tobias Brunner [Thu, 8 Mar 2018 09:07:33 +0000 (10:07 +0100)]
testing: Use HA patch compatible with 4.15.6+

18 months agotesting: Use a HA patch that's actually compatible with 4.15 kernels
Tobias Brunner [Wed, 7 Mar 2018 16:16:54 +0000 (17:16 +0100)]
testing: Use a HA patch that's actually compatible with 4.15 kernels

18 months agotesting: Revert typo fix in FreeRADIUS patch
Tobias Brunner [Wed, 7 Mar 2018 15:38:18 +0000 (16:38 +0100)]
testing: Revert typo fix in FreeRADIUS patch

Fixes: 2db6d5b8b378 ("Fixed some typos, courtesy of codespell")
Fixes #2582.

18 months agoload-tester: Start numbering IDs from 1 again
Tobias Brunner [Tue, 27 Feb 2018 09:31:49 +0000 (10:31 +0100)]
load-tester: Start numbering IDs from 1 again

ref_get() increments the number before returning it.

Fixes: 2cbaa632951d ("load-tester: Fix race condition issuing same identity")

18 months agoMerge branch 'pbkdf2-sha2'
Tobias Brunner [Wed, 7 Mar 2018 14:24:56 +0000 (15:24 +0100)]
Merge branch 'pbkdf2-sha2'

Adds support for common SHA-2 based PRFs in PKCS#5/PBKDF2 as used by
OpenSSL 1.1 when generating PKCS#8-encoded private keys.

Fixes #2574.

18 months agocharon-nm: Parse any type of private key not only RSA
Tobias Brunner [Mon, 5 Mar 2018 08:47:15 +0000 (09:47 +0100)]
charon-nm: Parse any type of private key not only RSA

18 months agopkcs5: Parse PRF algorithms if given in PBKDF2-params as defined in RFC 8018
Tobias Brunner [Mon, 5 Mar 2018 08:45:34 +0000 (09:45 +0100)]
pkcs5: Parse PRF algorithms if given in PBKDF2-params as defined in RFC 8018

We can't use ASN1_DEF, which would technically be more correct, as the
ASN.1 parser currently can't handle that.  For algorithm identifiers we
often use ASN1_EOC as type (with ASN1_RAW), however, that doesn't work with
ASN1_DEF because the element is assumed missing if the type doesn't match.
On the other hand, we can't set the type to ASN1_SEQUENCE because then the
parser skips the following rule if the element is missing (it does so for
all constructed types, but I guess is mainly intended for context tags),
which in this case overruns the parser rules array.

18 months agoprf: Add helper function to convert OIDs to algorithm identifiers
Tobias Brunner [Mon, 5 Mar 2018 08:43:07 +0000 (09:43 +0100)]
prf: Add helper function to convert OIDs to algorithm identifiers

18 months agoasn1: Add OIDs for HMAC-based PRFs as defined in RFC 8018
Tobias Brunner [Mon, 5 Mar 2018 08:42:41 +0000 (09:42 +0100)]
asn1: Add OIDs for HMAC-based PRFs as defined in RFC 8018

18 months agoMerge branch 'unknown-transform-types'
Tobias Brunner [Wed, 7 Mar 2018 13:25:48 +0000 (14:25 +0100)]
Merge branch 'unknown-transform-types'

This changes how unknown transform types are handled in proposals.  In
particular we make sure not to accept a proposal if it contains unknown
transform types (they were just ignored previously, which could have
resulted in an invalid selected proposal).

Fixes #2557.

18 months agoproposal: Compare algorithms of all transform types for equality
Tobias Brunner [Fri, 23 Feb 2018 08:59:38 +0000 (09:59 +0100)]
proposal: Compare algorithms of all transform types for equality

18 months agoproposal: Make sure to consider all transform types when selecting proposals
Tobias Brunner [Fri, 23 Feb 2018 08:02:49 +0000 (09:02 +0100)]
proposal: Make sure to consider all transform types when selecting proposals

This way there will be a mismatch if one of the proposals contains
transform types not contained in the other (the fix list of transform
types used previously resulted in a match if unknown transform types
were contained in one of the proposals).  Merging the sets of types
makes comparing proposals with optional transform types easier (e.g.
DH for ESP with MODP_NONE).

18 months agoproposal: Print all algorithms even those with currently unknown transform types
Tobias Brunner [Fri, 23 Feb 2018 07:43:07 +0000 (08:43 +0100)]
proposal: Print all algorithms even those with currently unknown transform types

18 months agoproposal: Keep track of contained transform types
Tobias Brunner [Fri, 23 Feb 2018 07:36:33 +0000 (08:36 +0100)]
proposal: Keep track of contained transform types

18 months agotransform: Move internal identifiers out of private range
Tobias Brunner [Fri, 23 Feb 2018 07:12:48 +0000 (08:12 +0100)]
transform: Move internal identifiers out of private range

Avoid any conflicts if implementations use transform types in the
private range.
Also removed the unused UNKNOWN_TRANSFORM_TYPE identifier.

18 months agounit-tests: Ignore binaries of renamed test runners
Tobias Brunner [Fri, 2 Mar 2018 16:10:33 +0000 (17:10 +0100)]
unit-tests: Ignore binaries of renamed test runners

Fixes: 9cc61baaf592 ("unit-tests: Rename targets for libstrongswan and kernel-netlink")

18 months agolibimcv: Fix typo in PTS hash algorithm mapping for 512-bit SHA-3
Tobias Brunner [Fri, 2 Mar 2018 07:29:34 +0000 (08:29 +0100)]
libimcv: Fix typo in PTS hash algorithm mapping for 512-bit SHA-3

Fixes: 40f2589abfc8 ("gmp: Support of SHA-3 RSA signatures")

18 months agokernel-netlink: Ignore local routes in any table
Tobias Brunner [Mon, 26 Feb 2018 14:07:15 +0000 (15:07 +0100)]
kernel-netlink: Ignore local routes in any table

Such routes seem to show up in tables other than local with recent kernels.

Fixes #2555.

18 months agokernel-netlink: Ignore routes with next hop during local subnet enumeration
Tobias Brunner [Thu, 22 Feb 2018 08:50:52 +0000 (09:50 +0100)]
kernel-netlink: Ignore routes with next hop during local subnet enumeration

These are not locally attached and we do the same already in kernel-pfroute.

Fixes #2554.

18 months agokernel-netlink: Simplify rt_entry_t initialization
Tobias Brunner [Thu, 22 Feb 2018 08:49:57 +0000 (09:49 +0100)]
kernel-netlink: Simplify rt_entry_t initialization

18 months agonm: Version bump to 1.4.4
Tobias Brunner [Fri, 23 Feb 2018 14:31:01 +0000 (15:31 +0100)]
nm: Version bump to 1.4.4

18 months agonm: Update German translation
Tobias Brunner [Fri, 23 Feb 2018 14:26:00 +0000 (15:26 +0100)]
nm: Update German translation

18 months agonm: Fix tooltips for proposal text fields
Tobias Brunner [Fri, 23 Feb 2018 14:25:23 +0000 (15:25 +0100)]
nm: Fix tooltips for proposal text fields

There is no ! syntax as the default proposal is only used if no custom
proposal is configured.

18 months agoMerge branch 'incorrect-inval-ke'
Tobias Brunner [Fri, 23 Feb 2018 08:28:08 +0000 (09:28 +0100)]
Merge branch 'incorrect-inval-ke'

This improves the behavior during CREATE_CHILD_SA exchanges if the peer
sends an INVALID_KE_PAYLOAD with a DH group we didn't request or continues
to return the same notify even if we use the requested group.

Fixes #2536.

18 months agochild-rekey: Don't destroy IKE_SA if initiating CHILD_SA rekeying failed
Tobias Brunner [Mon, 19 Feb 2018 14:09:34 +0000 (15:09 +0100)]
child-rekey: Don't destroy IKE_SA if initiating CHILD_SA rekeying failed

This could happen if the peer e.g. selects an invalid DH group or
responds multiple time with an INVALID_KE_PAYLAOD notify.

18 months agochild-create: Fail if we already retried with a requested DH group
Tobias Brunner [Fri, 9 Feb 2018 14:27:50 +0000 (15:27 +0100)]
child-create: Fail if we already retried with a requested DH group

With faulty peers that always return the same unusable DH group in
INVALID_KE_PAYLOADs we'd otherwise get stuck in a loop.

18 months agochild-create: Make sure we actually propose the requested DH group
Tobias Brunner [Fri, 9 Feb 2018 14:16:24 +0000 (15:16 +0100)]
child-create: Make sure we actually propose the requested DH group

If we receive an INVALID_KE_PAYLOAD notify we should not just retry
with the requested DH group without checking first if we actually propose
the group (or any at all).

18 months agochild-create: Make sure the returned KE payload uses the proposed DH group
Tobias Brunner [Fri, 9 Feb 2018 14:13:54 +0000 (15:13 +0100)]
child-create: Make sure the returned KE payload uses the proposed DH group

19 months agochild-sa: Don't update outbound policies if they are not installed
Tobias Brunner [Wed, 21 Feb 2018 10:04:45 +0000 (11:04 +0100)]
child-sa: Don't update outbound policies if they are not installed

After a rekeying we keep the inbound SA and policies installed for a
while, but the outbound SA and policies are already removed.  Attempting
to update them could get the refcount in the kernel interface out of sync
as the additional policy won't be removed when the CHILD_SA object is
eventually destroyed.

19 months agochild-sa: Don't try to update outbound SA if it is not installed anymore
Tobias Brunner [Wed, 21 Feb 2018 09:58:39 +0000 (10:58 +0100)]
child-sa: Don't try to update outbound SA if it is not installed anymore

19 months agoMerge branch 'trap-manager-uninstall'
Tobias Brunner [Thu, 22 Feb 2018 10:31:14 +0000 (11:31 +0100)]
Merge branch 'trap-manager-uninstall'

This changes how trap policies are deleted in order to avoid conflicts if a
trap policy with changed peer config is concurrently removed and reinstalled
under a different name (the reqid will be the same, so the wrong policy
could have been deleted by the old code).

19 months agotrap-manager: Remove unused find_reqid() method
Tobias Brunner [Fri, 3 Nov 2017 10:51:36 +0000 (11:51 +0100)]
trap-manager: Remove unused find_reqid() method

It might actually have returned an incorrect result if there were child
configs for different peer configs sharing the same name.

19 months agochild-sa: No need to find reqid of existing trap policy
Tobias Brunner [Fri, 3 Nov 2017 10:49:45 +0000 (11:49 +0100)]
child-sa: No need to find reqid of existing trap policy

When initiating a trap policy we explicitly pass the reqid along.  I guess
the lookup was useful to get the same reqid if a trapped CHILD_SA is manually
initiated.  However, we now get the same reqid anyway if there is no
narrowing.  And if the traffic selectors do get narrowed the reqid will be
different but that shouldn't be a problem as that doesn't cause an issue with
any temporary SAs in the kernel (this is why we pass the reqid to the
triggered CHILD_SA, otherwise, no new acquire would get triggered for
traffic that doesn't match the wider trap policy).

19 months agotrap-manager: Remove reqid parameter from install() and change return type
Tobias Brunner [Fri, 3 Nov 2017 10:32:04 +0000 (11:32 +0100)]
trap-manager: Remove reqid parameter from install() and change return type

Reqids for the same traffic selectors are now stable so we don't have to
pass reqids of previously installed CHILD_SAs.  Likewise, we don't need
to know the reqid of the newly installed trap policy as we now uninstall
by name.

19 months agotrap-manager: Compare peer config name during installation
Tobias Brunner [Fri, 3 Nov 2017 10:26:23 +0000 (11:26 +0100)]
trap-manager: Compare peer config name during installation