strongswan.git
13 days agopem: Make sure we actually parsed some data master
Tobias Brunner [Tue, 10 Nov 2020 17:14:36 +0000 (18:14 +0100)]
pem: Make sure we actually parsed some data

This could happen if there is no separating empty line between header
and body.

References #3627.

13 days agoappveyor: Also build on Windows Server 2019
Tobias Brunner [Thu, 12 Nov 2020 11:06:32 +0000 (12:06 +0100)]
appveyor: Also build on Windows Server 2019

13 days agokernel-wfp: Declare constants explicitly as extern
Tobias Brunner [Fri, 13 Nov 2020 10:44:21 +0000 (11:44 +0100)]
kernel-wfp: Declare constants explicitly as extern

Newer compilers otherwise complain that there are multiple definitions
of these (in header and .c file).

13 days agolibimcv: Avoid compiler warning in segmentation unit test
Tobias Brunner [Thu, 12 Nov 2020 18:12:11 +0000 (19:12 +0100)]
libimcv: Avoid compiler warning in segmentation unit test

Newer versions of GCC complain that the variable may be used
uninitialized.

13 days agowindows: Don't declare [v]asprintf()
Tobias Brunner [Thu, 12 Nov 2020 13:20:04 +0000 (14:20 +0100)]
windows: Don't declare [v]asprintf()

None of our build environments seem to require these declarations.  And
current versions of MinGW-w64 define them as inline functions in stdio.h
so these declarations clashed with that ("static declaration of '...'
follows non-static declaration").

2 weeks agoVersion bump to 5.9.1 5.9.1
Andreas Steffen [Tue, 10 Nov 2020 19:45:13 +0000 (20:45 +0100)]
Version bump to 5.9.1

3 weeks agocontroller: Always return SUCCESS when terminating IKE_SAs without callback
Shmulik Ladkani [Mon, 2 Nov 2020 12:54:48 +0000 (14:54 +0200)]
controller: Always return SUCCESS when terminating IKE_SAs without callback

If no callback is specified, terminate_ike_execute() is invoked without the
listener waiting on the IKE state change.

Now, if 'force' is false, then ike_sa->delete() just queues an
IKE_DELETE task, and returns SUCCESS - indicating successful task
manager initiation.

However, terminate_ike_execute() ignored this success and set the
status to FAILED.

This is not ideal, as it will be the overall return code of
terminate_ike(), although no failure did occur. This eventually leads
vici's "terminate" to return "Command failed: terminating SA failed",
as seen in this example:

    In [9]: list(session.terminate({'ike-id': 2960, 'timeout': -1}))
    ---------------------------------------------------------------------------
    CommandException                          Traceback (most recent call last)
    <ipython-input-9-5f95b5cea88f> in <module>()
    ----> 1 list(session.terminate({'ike-id': 2960, 'timeout': -1}))

    vici/session.pyc in streamed_request(self, command, event_stream_type, message)
        136                 raise CommandException(
        137                     "Command failed: {errmsg}".format(
    --> 138                         errmsg=command_response["errmsg"]
        139                     )
        140                 )

    CommandException: Command failed: terminating SA failed

If we consider both queueing the task and actually destroying the IKS_SA
a success, we can just always return SUCCESS if we don't have a
callback. There is also no need to explicitly set the status to FAILED
if a listener is waiting as that's the default anyway.

Co-authored-by: Tobias Brunner <tobias@strongswan.org>
Closes strongswan/strongswan#185.

3 weeks agogcrypt: Use a dummy buffer to initialize static allocations
Tobias Brunner [Tue, 3 Nov 2020 11:07:48 +0000 (12:07 +0100)]
gcrypt: Use a dummy buffer to initialize static allocations

In FIPS mode, libgcrypt uses a DRBG, which behaves differently when the
length passed to gcry_create_nonce() or gcry_randomize() is <= 0.  It
expects a struct and explicitly checks that the passed pointer is not
NULL.

3 weeks agoparser-helper: Don't attempt to open anything but regular files
Tobias Brunner [Tue, 3 Nov 2020 09:59:38 +0000 (10:59 +0100)]
parser-helper: Don't attempt to open anything but regular files

A crash could be provoked e.g. via STRONGSWAN_CONF=. or any other
path to a directory.

3 weeks agokernel-netlink: Only attempt to remove routing rule if we have a socket
Tobias Brunner [Tue, 3 Nov 2020 09:38:38 +0000 (10:38 +0100)]
kernel-netlink: Only attempt to remove routing rule if we have a socket

3 weeks agoimv-attestation: Fix typo in default value for hash_algorithm option
Tobias Brunner [Mon, 2 Nov 2020 14:43:35 +0000 (15:43 +0100)]
imv-attestation: Fix typo in default value for hash_algorithm option

3 weeks agolibimcv: Remove empty 'swid' Doxygen group
Tobias Brunner [Mon, 2 Nov 2020 13:37:45 +0000 (14:37 +0100)]
libimcv: Remove empty 'swid' Doxygen group

The corresponding IMC/IMV were already removed with a31f9b7691ca ("libimcv:
Removed TCG SWID IMC/IMV support").

3 weeks agoFixed some typos, courtesy of codespell
Tobias Brunner [Mon, 2 Nov 2020 13:32:27 +0000 (14:32 +0100)]
Fixed some typos, courtesy of codespell

3 weeks agoNEWS: Add news for 5.9.1
Tobias Brunner [Mon, 2 Nov 2020 13:03:45 +0000 (14:03 +0100)]
NEWS: Add news for 5.9.1

3 weeks agoVersion bump to 5.9.1rc1 5.9.1rc1
Andreas Steffen [Sun, 1 Nov 2020 17:45:34 +0000 (18:45 +0100)]
Version bump to 5.9.1rc1

3 weeks agochild-sa: Delete inbound SAs even if not installed to remove allocated SPIs
Tobias Brunner [Fri, 30 Oct 2020 12:06:07 +0000 (13:06 +0100)]
child-sa: Delete inbound SAs even if not installed to remove allocated SPIs

If we can't establish an SA, this should delete the allocated SPI.

3 weeks agovici: Send all queued messages during shutdown
Tobias Brunner [Tue, 20 Oct 2020 18:14:08 +0000 (20:14 +0200)]
vici: Send all queued messages during shutdown

This ensures that e.g. ike/child-updown messages are sent that were
queued but couldn't be sent (even the job to enable to on_write() callback
requires a worker thread that's not around anymore during shutdown).

References #3602.

4 weeks agoikev2: Clear fragments of a retransmitted message if we receive the next one
Tobias Brunner [Wed, 28 Oct 2020 14:50:59 +0000 (15:50 +0100)]
ikev2: Clear fragments of a retransmitted message if we receive the next one

The message_t object used for defragmentation was only cleared after
all fragments have been received and the message was delivered.  So
if we received only some fragments of a retransmitted message, the
fragments of the next message were not processed (message_t returns
INVALID_ARG if the message ID does not match causing the message to
get ignored).  This rendered the IKE_SA unusable as the client
obviously never retransmitted the fragments of that previous message
after it received our response.

4 weeks agoMerge branch 'android-ipv6-transport'
Tobias Brunner [Thu, 29 Oct 2020 10:23:48 +0000 (11:23 +0100)]
Merge branch 'android-ipv6-transport'

Adds support to use IPv6 as transport addresses for IKE and ESP and a
bunch of fixes.  On Linux servers, this requires at least a 5.8 kernel so
UDP encapsulation for IPv6 is supported.

Fixes #892.

4 weeks agoandroid: New release after adding IPv6 support and several fixes
Tobias Brunner [Thu, 29 Oct 2020 09:55:09 +0000 (10:55 +0100)]
android: New release after adding IPv6 support and several fixes

4 weeks agoandroid: Throw an exception if UUID can't get parsed
Tobias Brunner [Mon, 19 Oct 2020 15:52:15 +0000 (17:52 +0200)]
android: Throw an exception if UUID can't get parsed

The parser is quite picky and e.g. doesn't accept UUIDs without dashes.
Even without a specific error, this at least points the users into the
right direction.

Fixes #3583.

4 weeks agoandroid: Prevent illegalStateException when showing power whitelist dialog
Tobias Brunner [Mon, 19 Oct 2020 15:41:52 +0000 (17:41 +0200)]
android: Prevent illegalStateException when showing power whitelist dialog

If the activity is not active when the service connection is
established and handleIntent() is called, the activity's state is already
saved and any fragment transaction would result in an illegalStateException
due to state loss.  We just ignore this and wait for another initiation
attempt (via onNewIntent()).

4 weeks agoandroid: Handle restarts of control activity with power whitelist dialog better
Tobias Brunner [Mon, 19 Oct 2020 14:46:22 +0000 (16:46 +0200)]
android: Handle restarts of control activity with power whitelist dialog better

With the flag set, we basically ignore the resent intent, which is not
ideal if we have not yet actually started another activity.  The information
dialog we show first would disappear when closing and reopening the app
or even just rotating it (we hide all dialogs when receiving an intent),
but since the flag was restored, the dialog was not shown again even
when attempting to start other connections.

4 weeks agoandroid: Make IPv6 transport flag configurable in the GUI
Tobias Brunner [Thu, 15 Oct 2020 16:00:09 +0000 (18:00 +0200)]
android: Make IPv6 transport flag configurable in the GUI

4 weeks agoandroid: Import IPv6 transport flag
Tobias Brunner [Thu, 15 Oct 2020 15:49:53 +0000 (17:49 +0200)]
android: Import IPv6 transport flag

4 weeks agoandroid: Add flag to enable IPv6 transport addresses
Tobias Brunner [Thu, 15 Oct 2020 15:28:46 +0000 (17:28 +0200)]
android: Add flag to enable IPv6 transport addresses

4 weeks agoandroid: IPV6_PKTINFO is supported (i.e. struct in6_pktinfo is available)
Tobias Brunner [Tue, 13 Oct 2020 09:39:40 +0000 (11:39 +0200)]
android: IPV6_PKTINFO is supported (i.e. struct in6_pktinfo is available)

4 weeks agoandroid: Add ability to lookup IPv6 source addresses
Tobias Brunner [Thu, 4 Feb 2016 10:27:48 +0000 (11:27 +0100)]
android: Add ability to lookup IPv6 source addresses

4 weeks agoandroid: Fix port scanning IMC
Tobias Brunner [Thu, 8 Oct 2020 14:42:37 +0000 (16:42 +0200)]
android: Fix port scanning IMC

Since 9e88bb987d65 ("Subscribed Scanner IMC/IMV to IETF_FIREWALL PA subtype")
the port filter attribute is requested with a different message type.

4 weeks agoandroid: Ignore deprecation warning for legacy code in NetworkManager
Tobias Brunner [Tue, 6 Oct 2020 13:08:39 +0000 (15:08 +0200)]
android: Ignore deprecation warning for legacy code in NetworkManager

4 weeks agoandroid: Replace deprecated getFragmentManager() in TNC-related Fragments
Tobias Brunner [Tue, 6 Oct 2020 12:28:05 +0000 (14:28 +0200)]
android: Replace deprecated getFragmentManager() in TNC-related Fragments

4 weeks agoandroid: Consistently use PreferenceManager from AndroidX
Tobias Brunner [Tue, 6 Oct 2020 11:47:06 +0000 (13:47 +0200)]
android: Consistently use PreferenceManager from AndroidX

android.preference.PreferenceManager has been deprecated.  The one from
AndroidX was already in use in some places.

4 weeks agoandroid: Update dependencies
Tobias Brunner [Tue, 6 Oct 2020 11:43:40 +0000 (13:43 +0200)]
android: Update dependencies

4 weeks agoandroid: Set compile-/targetSdkVersion to 29
Tobias Brunner [Tue, 6 Oct 2020 11:42:10 +0000 (13:42 +0200)]
android: Set compile-/targetSdkVersion to 29

This will be mandatory for existing apps on Nov 2, 2020.

4 weeks agoandroid: Update Gradle plugin
Tobias Brunner [Mon, 5 Oct 2020 13:59:47 +0000 (15:59 +0200)]
android: Update Gradle plugin

4 weeks agotesting: Ignore hosts that are not running during shutdown
Tobias Brunner [Tue, 6 Oct 2020 13:31:14 +0000 (15:31 +0200)]
testing: Ignore hosts that are not running during shutdown

This allows properly terminating the environment if a host has crashed
or was terminated manually for some reason.

4 weeks agokernel-netlink: Ignore deprecated candidate source addresses
Tobias Brunner [Mon, 20 Jul 2020 14:20:24 +0000 (16:20 +0200)]
kernel-netlink: Ignore deprecated candidate source addresses

The currently used address may get deprecated e.g. if an IPv6 prefix changes.
In this case we should switch to another address.

Fixes #3511.

4 weeks agokernel-netlink: Update cached address flags
Tobias Brunner [Thu, 15 Oct 2020 14:10:07 +0000 (16:10 +0200)]
kernel-netlink: Update cached address flags

Note that manually adding an IPv6 address without disabling duplicate
address detection (DAD, e.g. via `nodad` when using iproute2) will cause
a roam event due to a flag change after about 1-2 seconds (TENTATIVE is
removed).  If this is a problem, we might have to ignore addresses with
TENTATIVE flag when we receive a RTM_NEWADDR message until that flag is
eventually removed.

Fixes #3511.

4 weeks agoREADME: Add missing closing quote
Tobias Brunner [Wed, 28 Oct 2020 16:09:53 +0000 (17:09 +0100)]
README: Add missing closing quote

4 weeks agochild-create: Update CHILD_SA IP addresses before installation
Tobias Brunner [Thu, 15 Oct 2020 11:45:53 +0000 (13:45 +0200)]
child-create: Update CHILD_SA IP addresses before installation

We create the child_sa_t object when initiating the CREATE_CHILD_SA
request, however, the IP addresses/ports might have changed once we
eventually receive the response (potentially to a retransmit sent to
a different address).  So update them before installing the SA and
policies.

If the local address changed too and depending on the kernel
implementation, the temporary SA created to allocate the inbound SPI
might remain as it can't be updated.  This could cause issues if e.g.
the address switches back before that SA expired (the updated inbound
SA conflicts with the temporary one), or if that happens close together
and the expire (having to wait for the address update) causes the
updated SA to get deleted.

Fixes #3164.

4 weeks agochild-sa: Only query/update/delete inbound SA if it was actually installed
Tobias Brunner [Thu, 15 Oct 2020 13:23:02 +0000 (15:23 +0200)]
child-sa: Only query/update/delete inbound SA if it was actually installed

We usually can't do any of these things with temporary SAs created while
allocating an SPI.

4 weeks agounit-tests: Free allocated SPIs in mock IPsec backend
Tobias Brunner [Thu, 15 Oct 2020 16:33:26 +0000 (18:33 +0200)]
unit-tests: Free allocated SPIs in mock IPsec backend

4 weeks agochild-sa: No need to attempt to update policies if none are configured
Tobias Brunner [Thu, 15 Oct 2020 11:54:15 +0000 (13:54 +0200)]
child-sa: No need to attempt to update policies if none are configured

4 weeks agochild-sa: Only reinstall VIPs if any are passed
Tobias Brunner [Thu, 15 Oct 2020 11:42:57 +0000 (13:42 +0200)]
child-sa: Only reinstall VIPs if any are passed

4 weeks agotesting: Use silent rules to build strongSwan
Tobias Brunner [Thu, 15 Oct 2020 12:24:46 +0000 (14:24 +0200)]
testing: Use silent rules to build strongSwan

4 weeks agoload-tester: Also request a virtual IPv6 address
Tobias Brunner [Wed, 21 Oct 2020 14:24:07 +0000 (16:24 +0200)]
load-tester: Also request a virtual IPv6 address

Fixes #3595.

4 weeks agoload-tester: Use appropriate family to request addresses from source IP pools
Tobias Brunner [Wed, 21 Oct 2020 14:04:37 +0000 (16:04 +0200)]
load-tester: Use appropriate family to request addresses from source IP pools

Looks like this wasn't necessary before 40e90898895c ("Strictly enforce
address family match while acquiring mem_pool IPs").

Fixes #3595.

4 weeks agoquick-delete: Properly handle failures to restart CHILD_SA
Tobias Brunner [Thu, 8 Oct 2020 12:04:36 +0000 (14:04 +0200)]
quick-delete: Properly handle failures to restart CHILD_SA

If DESTROY_ME is returned from initiate(), we must not touch the IKE_SA
anymore.

4 weeks agopkcs7: Order DER encoded attributes
Tobias Brunner [Fri, 9 Oct 2020 15:42:08 +0000 (17:42 +0200)]
pkcs7: Order DER encoded attributes

The attributes are encoded as a SET OF, which means that in DER encoding
the encoded attributes have to be ordered lexicographically.

Fixes #3589.

4 weeks agoswanctl: Support any key type for decrypted keys
Tobias Brunner [Thu, 8 Oct 2020 07:40:12 +0000 (09:40 +0200)]
swanctl: Support any key type for decrypted keys

The previous code required explicit support for a particular key type,
of which Ed25519 and Ed448 were missing.  While a fallback to `any` would
have been possible (this is already the case for unencrypted keys in the
`private` and `pkcs8` directories, which are not parsed by swanctl), it's
not necessary (as long as swanctl and the daemon are from the same release)
and does not require the daemon to detect the key type again.

Fixes #3586.

4 weeks agovici: Support all defined key types
Tobias Brunner [Thu, 8 Oct 2020 07:32:57 +0000 (09:32 +0200)]
vici: Support all defined key types

References #3586.

4 weeks agorevocation: Validate OCSP nonce only if response actually contains a nonce
Martin Willi [Mon, 10 Aug 2020 16:29:52 +0000 (18:29 +0200)]
revocation: Validate OCSP nonce only if response actually contains a nonce

Commit 27756b081c1b8 (revocation: Check that nonce in OCSP response matches)
introduced strict nonce validation to prevent replay attacks with OCSP
responses having a longer lifetime. However, many commercial CAs (such as
Digicert) do not support nonces in responses, as they reuse once-issued OCSP
responses for the OCSP lifetime. This can be problematic for replay attack
scenarios, but is nothing we can fix at our end.

With the mentioned commit, such OCSP responses get completely unusable,
requiring the fallback to CRL based revocation. CRLs don't provide any
replay protection either, so there is nothing gained security-wise, but may
require a download of several megabytes CRL data.

To make use of replay protection where available, but fix OCSP verification
where it is not, do nonce verification only if the response actually contains
a nonce. To be safe against replay attacks, one has to fix the OCSP responder
or use a different CA, but this is not something we can enforce.

Fixes #3557.

4 weeks agocharon-nm: Terminate if signaled by NetworkManager
Tobias Brunner [Tue, 6 Sep 2016 07:25:27 +0000 (09:25 +0200)]
charon-nm: Terminate if signaled by NetworkManager

This only happens during shutdown, not after terminating a connection.

Fixes #3579.

4 weeks agosys-logger: Optionally log the level of each message
Tobias Brunner [Tue, 21 Jul 2020 13:57:12 +0000 (15:57 +0200)]
sys-logger: Optionally log the level of each message

Fixes #3509.

4 weeks agofile-logger: Optionally log the level of each message
Tobias Brunner [Tue, 21 Jul 2020 13:56:50 +0000 (15:56 +0200)]
file-logger: Optionally log the level of each message

Fixes #3509.

6 weeks agodrbg: Add missing format specifiers to debug output
Thomas Egerer [Mon, 12 Oct 2020 16:41:53 +0000 (16:41 +0000)]
drbg: Add missing format specifiers to debug output

Fixes: 737375a2d27e ("drbg: Implemented NIST SP-800-90A DRBG")

Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
6 weeks agolibimcv: Fix Doxygen comments for some pts_meas_algo_* functions
Tobias Brunner [Mon, 12 Oct 2020 11:48:57 +0000 (13:48 +0200)]
libimcv: Fix Doxygen comments for some pts_meas_algo_* functions

7 weeks agoVersion bump to 5.9.1dr1 5.9.1dr1
Andreas Steffen [Mon, 5 Oct 2020 19:43:44 +0000 (21:43 +0200)]
Version bump to 5.9.1dr1

7 weeks agotpm: Auto-detection of legacy TPM 2.0 devices
Andreas Steffen [Wed, 30 Sep 2020 14:36:29 +0000 (16:36 +0200)]
tpm: Auto-detection of legacy TPM 2.0 devices

7 weeks agopts: Variable size PCR banks
Andreas Steffen [Sat, 19 Sep 2020 07:22:14 +0000 (09:22 +0200)]
pts: Variable size PCR banks

7 weeks agolibtpmtss: Remove aik_blob debug output
Andreas Steffen [Wed, 16 Sep 2020 19:35:00 +0000 (21:35 +0200)]
libtpmtss: Remove aik_blob debug output

7 weeks agopts: Parse TPM 2.0 BIOS/EFI event log
Andreas Steffen [Wed, 16 Sep 2020 15:15:05 +0000 (17:15 +0200)]
pts: Parse TPM 2.0 BIOS/EFI event log

7 weeks agotpm: TPM 2.0 supports SHA3 and CMAC
Andreas Steffen [Tue, 15 Sep 2020 10:32:05 +0000 (12:32 +0200)]
tpm: TPM 2.0 supports SHA3 and CMAC

7 weeks agoUse Botan 2.16.0 for tests
Tobias Brunner [Wed, 7 Oct 2020 08:01:37 +0000 (10:01 +0200)]
Use Botan 2.16.0 for tests

7 weeks agoopenssl: Accept CRLs issued by non-CA certificates with cRLSign keyUsage flag
Tobias Brunner [Wed, 29 Jul 2020 16:40:20 +0000 (18:40 +0200)]
openssl: Accept CRLs issued by non-CA certificates with cRLSign keyUsage flag

The x509 plugin accepted CRL signers since forever, to be precise, since
dffb176f2bc0 ("CRLSign keyUsage or CA basicConstraint are sufficient
for CRL validation")).

References #3529.

8 weeks agotesting: Build certificates when make-testing is called
Tobias Brunner [Tue, 22 Sep 2020 15:31:45 +0000 (17:31 +0200)]
testing: Build certificates when make-testing is called

8 weeks agoinit: Remove obsolete StandardOutput setting from legacy systemd unit
Mingli Yu [Wed, 23 Sep 2020 08:20:22 +0000 (16:20 +0800)]
init: Remove obsolete StandardOutput setting from legacy systemd unit

The standard output value "syslog" was deprecated for a while and did fall
back to "journal". It causes a warning since systemd version 246 [1].

By removing the setting it will default to DefaultStandardOutput, which
defaults to "journal".

[1] https://github.com/systemd/systemd/blob/master/NEWS#L202

Closes strongswan/strongswan#181.

8 weeks agoSimplify handling of terminating signals in all libcharon wrappers
Tobias Brunner [Tue, 29 Sep 2020 13:38:24 +0000 (15:38 +0200)]
Simplify handling of terminating signals in all libcharon wrappers

Closes strongswan/strongswan#182.

2 months agotravis: Bump tpm2-tss to 2.4.3
Tobias Brunner [Thu, 24 Sep 2020 06:52:22 +0000 (08:52 +0200)]
travis: Bump tpm2-tss to 2.4.3

2 months agolgtm: Fix building dependencies (in particular tpm2-tss)
Tobias Brunner [Tue, 22 Sep 2020 08:51:12 +0000 (10:51 +0200)]
lgtm: Fix building dependencies (in particular tpm2-tss)

This was moved to a separate step with 0ff939585ec7 ("travis: Bump tpm2-tss
to 2.4.1") so packages are installed before these dependencies are built.
However, on LGTM, packages can't be installed explicitly, so `deps` is
a no-op and we still have to list some dependencies in the config.

2 months agoike-vendor: Add option to send Cisco FLexVPN vendor ID
Noel Kuntze [Fri, 24 Jul 2020 20:25:40 +0000 (22:25 +0200)]
ike-vendor: Add option to send Cisco FLexVPN vendor ID

A new global option enables sending this vendor ID to prevent Cisco
devices from narrowing the initiator's local traffic selector to the
requested virtual IP, so e.g. 0.0.0.0/0 can be used instead.

This has been tested with a "tunnel mode ipsec ipv4" Cisco template but
should also work for GRE encapsulation.

Closes strongswan/strongswan#180.

2 months agolibipsec: Enable code coverage
Tobias Brunner [Wed, 9 Sep 2020 09:38:02 +0000 (11:38 +0200)]
libipsec: Enable code coverage

Same as with libtls.

2 months agolibtls: Enable code coverage
Tobias Brunner [Wed, 9 Sep 2020 09:36:53 +0000 (11:36 +0200)]
libtls: Enable code coverage

While the test runner was already correctly set up, the library itself
was not and no coverage was reported for any of its files.

2 months agoleak-detective: Whitelist OPENSSL_init_ssl()
Tobias Brunner [Fri, 4 Sep 2020 14:40:48 +0000 (16:40 +0200)]
leak-detective: Whitelist OPENSSL_init_ssl()

These leaks are reported with OpenSSL 1.1.0+ if the mysql plugin is loaded.

2 months agotravis: Read project/organization for SonarCloud from environment variable
Tobias Brunner [Fri, 4 Sep 2020 14:20:40 +0000 (16:20 +0200)]
travis: Read project/organization for SonarCloud from environment variable

2 months agoAdd project config for SonarCloud to ignore some files/rules
Tobias Brunner [Tue, 17 Mar 2020 13:37:33 +0000 (14:37 +0100)]
Add project config for SonarCloud to ignore some files/rules

These settings have already been configured in the UI, but it might be
helpful to have them here so it's easier to set up the analysis of forks.

2 months agotesting: Increase memory of alice by 20 MiB
Tobias Brunner [Fri, 4 Sep 2020 12:57:56 +0000 (14:57 +0200)]
testing: Increase memory of alice by 20 MiB

It's ever so close with strongTNC, sometimes the OOM killer got triggered
and the tests failed, or even worse, the whole guest system got stuck.
This might just be enough for now.

2 months agotesting: Fix dependency issue with strongTNC
Tobias Brunner [Mon, 24 Aug 2020 14:22:18 +0000 (16:22 +0200)]
testing: Fix dependency issue with strongTNC

Apparently, djangorestframework-camel-case, in the referenced version,
uses `six` but does not itself require/install it (later versions removed
Python 2 support altogether).

2 months agoMerge branch 'testing-buster'
Tobias Brunner [Thu, 3 Sep 2020 13:53:14 +0000 (15:53 +0200)]
Merge branch 'testing-buster'

Use Debian buster as base image for the testing environment.

2 months agotesting: Fix route-based/net2net-xfrmi-ike scenario
Tobias Brunner [Tue, 25 Aug 2020 08:28:58 +0000 (10:28 +0200)]
testing: Fix route-based/net2net-xfrmi-ike scenario

On newer systems, the upper hard limit for open file descriptors (see
`ulimit -H -n`) was increased from 4096 to 524288.  Due to how python-daemon
closes potentially open file descriptors (basically stores them in a set,
removes those excluded by config, and loops through all of them), the updown
script was either killed immediately (by the OOM killer) or not ready yet
when updown events occurred.

2 months agoleak-detective: Whitelist leaks that occur on Debian buster
Tobias Brunner [Mon, 24 Aug 2020 14:20:43 +0000 (16:20 +0200)]
leak-detective: Whitelist leaks that occur on Debian buster

2 months agotesting: Use Debian buster as base image
Tobias Brunner [Mon, 24 Aug 2020 14:20:15 +0000 (16:20 +0200)]
testing: Use Debian buster as base image

2 months agotesting: Use latest x509-ada release
Tobias Brunner [Thu, 3 Sep 2020 11:30:30 +0000 (13:30 +0200)]
testing: Use latest x509-ada release

This fixes an issue with newer compiler versions where crashes would be
caused if functions of the generated C X.509 parser are not aligned.

2 months agotesting: Add man, valgrind and strace to base image
Tobias Brunner [Mon, 24 Aug 2020 14:19:34 +0000 (16:19 +0200)]
testing: Add man, valgrind and strace to base image

2 months agotesting: Install vici Python module manually
Tobias Brunner [Mon, 24 Aug 2020 14:17:04 +0000 (16:17 +0200)]
testing: Install vici Python module manually

easy_install is not included in Debian's python-setuptools package
anymore, so we install it manually using setup.py.

2 months agotesting: Replace deprecated/removed `pip install --download` command
Tobias Brunner [Mon, 24 Aug 2020 14:15:50 +0000 (16:15 +0200)]
testing: Replace deprecated/removed `pip install --download` command

It was deprecated for a while and has been replaced by `pip download`.

2 months agotesting: Use legacy iptables on Debian buster
Tobias Brunner [Mon, 24 Aug 2020 14:14:07 +0000 (16:14 +0200)]
testing: Use legacy iptables on Debian buster

The iptables-nft wrapper that uses the nftables framework can't handle
the CLUSTERIP target (plus we'd require nftables in the kernel).

2 months agotesting: Increase maximum guest image size
Tobias Brunner [Mon, 24 Aug 2020 14:06:06 +0000 (16:06 +0200)]
testing: Increase maximum guest image size

Seems that each Debian release increases the image size by about 200 MiB.
But increase it a bit more so we have room for logs/tools/debug symbols.

2 months agotesting: Use pkill to reload rsyslogd config/recreate log files
Tobias Brunner [Mon, 24 Aug 2020 14:01:27 +0000 (16:01 +0200)]
testing: Use pkill to reload rsyslogd config/recreate log files

The PID location changes with newer Debian releases so it's more
portable this way.

2 months agotesting: Remove deprecated UsePrivilegeSeparation option from sshd_config
Tobias Brunner [Mon, 24 Aug 2020 13:57:03 +0000 (15:57 +0200)]
testing: Remove deprecated UsePrivilegeSeparation option from sshd_config

2 months agotesting: Add Linux 5.8 kernel config
Tobias Brunner [Mon, 24 Aug 2020 13:54:13 +0000 (15:54 +0200)]
testing: Add Linux 5.8 kernel config

Enables TCP encap for ESP.

2 months agotesting: Use host's /dev/urandom as /dev/random on guests via VirtIO RNG
Tobias Brunner [Mon, 24 Aug 2020 13:33:44 +0000 (15:33 +0200)]
testing: Use host's /dev/urandom as /dev/random on guests via VirtIO RNG

Newer versions of systemd etc. seem to require quite a lot of entropy
from /dev/random while booting, which can block and therefore delay the
start of other services (in particular sshd) by more than a minute.
Using the host's /dev/urandom via VirtIO RNG, we can avoid blocking the
guests.

The required kernel options are added for kernel versions 5.4+.

2 months agolibimcv: Add Debian 10.5 to IMV database
Tobias Brunner [Mon, 24 Aug 2020 13:32:16 +0000 (15:32 +0200)]
libimcv: Add Debian 10.5 to IMV database

2 months agotesting: Support build with Debian buster base image
Tobias Brunner [Tue, 28 Jul 2020 15:20:31 +0000 (17:20 +0200)]
testing: Support build with Debian buster base image

2 months agotravis: Bump wolfSSL to 4.5.0
Tobias Brunner [Fri, 21 Aug 2020 06:49:59 +0000 (08:49 +0200)]
travis: Bump wolfSSL to 4.5.0

3 months agoimv-scanner: Fix potential buffer overflow
Tobias Brunner [Tue, 18 Aug 2020 11:18:52 +0000 (13:18 +0200)]
imv-scanner: Fix potential buffer overflow

While `pos` was moved to the end, `len` was not adjusted (i.e. set to 0)
so later calls could write beyond the buffer.  However, the last port
written might have been incomplete, so instead we just reset the string.

3 months agoaesni: Remove useless algorithm assignments
Tobias Brunner [Tue, 18 Aug 2020 11:17:24 +0000 (13:17 +0200)]
aesni: Remove useless algorithm assignments

3 months agovici: Don't use pytest-pycodestyle with Python 3.5
Tobias Brunner [Mon, 17 Aug 2020 13:22:34 +0000 (15:22 +0200)]
vici: Don't use pytest-pycodestyle with Python 3.5

This causes problems due to a deprecation error during the Ubuntu Xenial
build on Travis.

3 months agotravis: Bump tpm2-tss to 2.4.2
Tobias Brunner [Mon, 17 Aug 2020 11:45:15 +0000 (13:45 +0200)]
travis: Bump tpm2-tss to 2.4.2

3 months agoVersion bump to 5.9.0 5.9.0
Andreas Steffen [Wed, 29 Jul 2020 11:08:09 +0000 (13:08 +0200)]
Version bump to 5.9.0