Martin Willi [Fri, 22 Mar 2013 10:33:51 +0000 (11:33 +0100)]
Use new strongSwan HA kernel patchset keeping iptables ABI
Allows us to install stock debian iptables without the need for patching and
compiling our own.
Martin Willi [Fri, 22 Mar 2013 10:30:59 +0000 (11:30 +0100)]
Define SSHCONF from strongswan testing directory, not TESTDIR
This fixes the use of SSHCONF in the ssh wrapper script before ./do-tests
had a chance to create the required symlinks.
Martin Willi [Fri, 22 Mar 2013 10:27:37 +0000 (11:27 +0100)]
Lazy unmount guest filesystem after building image, as it still might be busy
Tobias Brunner [Mon, 25 Mar 2013 17:04:38 +0000 (18:04 +0100)]
crypt_burn: Proper cleanup
Tobias Brunner [Mon, 25 Mar 2013 17:02:07 +0000 (18:02 +0100)]
crypt_burn: Fix loop condition for regular crypters
Tobias Brunner [Mon, 25 Mar 2013 16:37:52 +0000 (17:37 +0100)]
libpts: Cast first argument for %.*s to int
Tobias Brunner [Mon, 25 Mar 2013 16:33:45 +0000 (17:33 +0100)]
error-notify: Close file descriptors in case clients are still connected
Tobias Brunner [Mon, 25 Mar 2013 16:19:51 +0000 (17:19 +0100)]
libpttls: Destroy reader when handling errors during SASL
Tobias Brunner [Mon, 25 Mar 2013 16:13:49 +0000 (17:13 +0100)]
pacman: Define gen_time out of the loop
It gets assigned if count==3 but only used later when count >= 7.
Tobias Brunner [Mon, 25 Mar 2013 16:02:45 +0000 (17:02 +0100)]
ipseckey: NULL pointer dereference fixed in error case
Reto Buerki [Mon, 25 Mar 2013 15:24:29 +0000 (16:24 +0100)]
Recipes: Disable Anet unit tests
Some Anet unit tests may fail because of the network configuration on
the testing host. These failures do not indicate a problem in Anet but
are a result of unpredictable events.
Tobias Brunner [Mon, 25 Mar 2013 09:59:37 +0000 (10:59 +0100)]
Fixed some typos, courtesy of codespell
Andreas Steffen [Fri, 22 Mar 2013 22:53:39 +0000 (23:53 +0100)]
Added hostapd package to base image
Andreas Steffen [Fri, 22 Mar 2013 22:52:01 +0000 (23:52 +0100)]
Added Framed-IP-Address information to RADIUS accounting records
Andreas Steffen [Fri, 22 Mar 2013 20:13:59 +0000 (21:13 +0100)]
enforce singular of packets
Tobias Brunner [Fri, 22 Mar 2013 18:41:01 +0000 (19:41 +0100)]
asprintf(3) requires _GNU_SOURCE to be defined
Andreas Steffen [Fri, 22 Mar 2013 18:08:42 +0000 (19:08 +0100)]
Added ikev2/rw-eap-framed-ip-radius scenario
Andreas Steffen [Fri, 22 Mar 2013 15:45:24 +0000 (16:45 +0100)]
Store debug output from standalone IMC/IMVs
Andreas Steffen [Fri, 22 Mar 2013 11:18:43 +0000 (12:18 +0100)]
Added ikev2/ip-two-pools-v4v6-db scenario
Tobias Brunner [Fri, 22 Mar 2013 10:36:48 +0000 (11:36 +0100)]
Use proper integer types when handling TLS exchanges
tls_t.build takes a size_t argument not a ssize_t.
Tobias Brunner [Fri, 22 Mar 2013 10:34:16 +0000 (11:34 +0100)]
Check return value of asprintf(3) when converting AR identity
Using chunk_t.ptr as target was also not optimal as it resulted in
a compiler warning.
Andreas Steffen [Fri, 22 Mar 2013 09:38:25 +0000 (10:38 +0100)]
version bump to 5.0.3rc1
Andreas Steffen [Fri, 22 Mar 2013 09:37:49 +0000 (10:37 +0100)]
Switch encoding of AR Identity Value from binary to UTF-8
Reto Buerki [Fri, 22 Mar 2013 09:35:48 +0000 (10:35 +0100)]
Fixed TKM build
Andreas Steffen [Fri, 22 Mar 2013 09:33:39 +0000 (10:33 +0100)]
Build TNC-enabled wpa_supplicant
Andreas Steffen [Thu, 21 Mar 2013 17:04:24 +0000 (18:04 +0100)]
activate logging before loading plugins
Martin Willi [Thu, 21 Mar 2013 09:29:23 +0000 (10:29 +0100)]
Add a load-tester option to keep allocated external address until shutdown
Tobias Brunner [Wed, 20 Mar 2013 15:59:45 +0000 (16:59 +0100)]
android: No need to disable CMS explicitly
The version check introduced with
0d237763 should take care of it.
Tobias Brunner [Wed, 20 Mar 2013 15:20:39 +0000 (16:20 +0100)]
Allow up to 10 NAT-D payloads in IKEv1 messages
Tobias Brunner [Fri, 1 Mar 2013 13:36:02 +0000 (14:36 +0100)]
Avoid a race condition when reloading secrets from ipsec.secrets
With the previous implementation that cleared the secrets in the active
credential set and then loaded the secrets, IKE SA establishment would
fail (as initiator or responder) if secrets are concurrently reloaded
and the required secret was not yet loaded.
Tobias Brunner [Fri, 1 Mar 2013 13:34:31 +0000 (14:34 +0100)]
Add a method to replace all secrets in a mem_cred_t object
Tobias Brunner [Wed, 20 Mar 2013 13:50:41 +0000 (14:50 +0100)]
android: Build native libraries also for x86
Requires an updated build script for Vstr.
Tobias Brunner [Fri, 8 Mar 2013 16:26:04 +0000 (17:26 +0100)]
android: libtnccs requires headers from libtls
Tobias Brunner [Fri, 8 Mar 2013 16:05:55 +0000 (17:05 +0100)]
android: Fix Android.mk for ipsec script
Tobias Brunner [Fri, 8 Mar 2013 15:48:11 +0000 (16:48 +0100)]
android: Remove/filter header files from LOCAL_SRC_FILES
This avoids huge warnings when building the native code.
Tobias Brunner [Thu, 7 Mar 2013 17:20:10 +0000 (18:20 +0100)]
android: Request and install an IPv6 DNS server
Tobias Brunner [Thu, 7 Mar 2013 17:16:56 +0000 (18:16 +0100)]
android: Also request a virtual IPv6 address and propose IPv6 TS
This allows IPv6 over IPv4 but falls back nicely if we don't get a
virtual IPv6 (or IPv4) address.
Tobias Brunner [Thu, 7 Mar 2013 15:21:11 +0000 (16:21 +0100)]
ipsec: Increased log level for message in case no outbound policy is found
This might happen on Android if sockets are bound to the physical IP
address but packets are still routed via TUN device. Since it seems to
happen quite often (or for stuff that requires regular traffic) this
hides these messages from the default log.
Martin Willi [Tue, 19 Mar 2013 15:49:07 +0000 (16:49 +0100)]
Add an option to autobalance a HA cluster automatically
Martin Willi [Tue, 19 Mar 2013 15:48:53 +0000 (16:48 +0100)]
Check if for some reason we handle a HA segment on both nodes
Martin Willi [Tue, 19 Mar 2013 15:46:43 +0000 (16:46 +0100)]
Acquire HA segment lock while sending heartbeat
Tobias Brunner [Tue, 19 Mar 2013 15:37:40 +0000 (16:37 +0100)]
Removed unused variable 'id'
Tobias Brunner [Mon, 18 Mar 2013 18:17:19 +0000 (19:17 +0100)]
Properly cleanup libmysql
Seems to work correctly with recent MySQL versions.
Tobias Brunner [Mon, 18 Mar 2013 18:11:10 +0000 (19:11 +0100)]
Use proper address family when adding multiple addresses to SQL pool
Tobias Brunner [Mon, 18 Mar 2013 17:45:29 +0000 (18:45 +0100)]
Ignore SQL-based IP address pools if their address family does not match
Tobias Brunner [Tue, 26 Feb 2013 14:43:30 +0000 (15:43 +0100)]
charon-nm: Add dependencies to CERT_DECODE and PRIVKEY plugin features
This ensures the NM-specific credential set is unloaded before any
implementation of certificate/key objects, which causes a segmentation
fault during shutdown.
Tobias Brunner [Fri, 22 Feb 2013 17:52:17 +0000 (18:52 +0100)]
charon-nm: Prevent NM from changing the default route
This is not required as we install our own (narrow) route(s) in our own
routing table. This should allow split tunneling if configured on the
gateway.
Tobias Brunner [Fri, 22 Feb 2013 17:49:55 +0000 (18:49 +0100)]
charon-nm: Use VIP (if any) as local address
NM will install this address on the provided device.
Tobias Brunner [Fri, 22 Feb 2013 15:51:52 +0000 (16:51 +0100)]
charon-nm: Pass a dummy TUN device to NetworkManager
NetworkManager modifies the addresses etc. on this interface so using
"lo" is not optimal. With the dummy interface NM is free to do its
thing.
Tobias Brunner [Mon, 25 Feb 2013 17:46:15 +0000 (18:46 +0100)]
charon-nm: Fix NM plugin utility macros
Tobias Brunner [Tue, 19 Mar 2013 15:18:35 +0000 (16:18 +0100)]
Ignore 'compile' script which is generated by AM_PROG_CC_C_O
Tobias Brunner [Thu, 31 Jan 2013 17:42:26 +0000 (18:42 +0100)]
Avoid returning COOKIEs right after system boot
When the monotonic timer is initialized to 0 right after the system is
booted the daemon responded with COOKIES for COOKIE_CALMDOWN_DELAY (10s).
Since the COOKIE verification code actually produces an overflow for
COOKIE_LIFETIME (10s) it wouldn't even accept properly returned COOKIEs.
Checking for last_cookie makes sense anyway as that condition must only
apply if we actually sent a COOKIE before.
Martin Willi [Tue, 19 Mar 2013 14:17:41 +0000 (15:17 +0100)]
Fix scheduling of heartbeat sending in HA plugin
e0efd7c1 switches to automated job rescheduling for HA heartbeat. However,
send_status() is initially called directly, which will not reschedule the job
as required.
Martin Willi [Tue, 19 Mar 2013 14:16:06 +0000 (15:16 +0100)]
Fix compiler warning in HA plugin
Tobias Brunner [Tue, 19 Mar 2013 14:25:38 +0000 (15:25 +0100)]
Merge branch 'tkm'
This adds charon-tkm a special build of the charon IKEv2 daemon that delegates
security critical operations to a separate process (TKM = Trusted Key Manager).
Adrian-Ken Rueegsegger [Mon, 18 Mar 2013 17:47:16 +0000 (18:47 +0100)]
Various stylistic fixes
Reto Buerki [Mon, 18 Mar 2013 15:13:55 +0000 (16:13 +0100)]
Add NEWS about TKM separation
Adrian-Ken Rueegsegger [Mon, 4 Mar 2013 10:23:22 +0000 (11:23 +0100)]
Use network byte order for ESA SPIs
Adrian-Ken Rueegsegger [Mon, 11 Feb 2013 14:21:49 +0000 (15:21 +0100)]
Provide MODP-2048 through TKM DH plugin
Adrian-Ken Rueegsegger [Wed, 30 Jan 2013 10:16:16 +0000 (11:16 +0100)]
Add charon-tkm API documentation
Reto Buerki [Wed, 30 Jan 2013 14:36:03 +0000 (15:36 +0100)]
Do not hardwire keys to KEY_RSA
Make the TKM private and public keys more easily extendable by
determining the associated key type dynamically.
Reto Buerki [Fri, 18 Jan 2013 13:40:02 +0000 (14:40 +0100)]
Provide TKM credential encoder
The TKM credential encoder creates fingerprints of type
KEYID_PUBKEY_INFO_SHA1 and KEYID_PUBKEY_SHA1 using
CRED_PART_RSA_PUB_ASN1_DER.
This makes the pkcs1 plugin unnecessary.
Reto Buerki [Tue, 29 Jan 2013 09:28:38 +0000 (10:28 +0100)]
Switch to openssl plugin
Reto Buerki [Mon, 28 Jan 2013 10:58:03 +0000 (11:58 +0100)]
Implement multiple-clients integration test
Two transport connections to gateway sun are set up, one from client
carol and the other from client dave. The gateway sun uses the Trusted
Key Manager (TKM) and is the responder for both connections. The
authentication is based on X.509 certificates. In order to test the
connections, both carol and dave ping gateway sun.
Reto Buerki [Mon, 28 Jan 2013 09:44:19 +0000 (10:44 +0100)]
Implement net2net-xfrmproxy integration test
Reto Buerki [Mon, 28 Jan 2013 09:40:36 +0000 (10:40 +0100)]
Implement net2net-initiator integration test
Reto Buerki [Fri, 25 Jan 2013 09:40:29 +0000 (10:40 +0100)]
Add xfrm_proxy integration test
Reto Buerki [Fri, 25 Jan 2013 09:33:46 +0000 (10:33 +0100)]
Provide script to build Ada XFRM proxy
Reto Buerki [Thu, 24 Jan 2013 16:05:17 +0000 (17:05 +0100)]
Add TKM responder integration test
Reto Buerki [Tue, 22 Jan 2013 19:52:55 +0000 (20:52 +0100)]
Add initial TKM integration test
A connection between the hosts moon and sun is set up. The host moon
uses the Trusted Key Manager (TKM) and is the initiator of the transport
connection. The authentication is based on X.509 certificates.
Reto Buerki [Thu, 24 Jan 2013 17:26:34 +0000 (18:26 +0100)]
Add expect-file guest image script
This script can be used in pretest.dat files to wait until a given file
appears.
Reto Buerki [Tue, 22 Jan 2013 19:52:15 +0000 (20:52 +0100)]
Add /usr/local/lib/ipsec to linker cache
Reto Buerki [Tue, 22 Jan 2013 15:07:25 +0000 (16:07 +0100)]
Provide recipes to build tkm and required libraries
Reto Buerki [Tue, 22 Jan 2013 15:04:34 +0000 (16:04 +0100)]
Add GNAT compiler and Ada libs to base image
Reto Buerki [Wed, 23 Jan 2013 12:51:12 +0000 (13:51 +0100)]
Don't manually register kernel_netlink_net
Load complete kernel_netlink plugin instead. Registering the TKM
specific plugins first still ensures that the correct ipsec plugin
is used.
Lazy initialize the RNG_WEAK plugin to avoid the unsatisfiable
soft dependency on startup.
Reto Buerki [Wed, 23 Jan 2013 12:43:07 +0000 (13:43 +0100)]
Move stroke plugin to the end of PLUGINS list
This fixes the problem of stroke being unable to load the ca
certificates on startup.
Reto Buerki [Thu, 17 Jan 2013 09:01:31 +0000 (10:01 +0100)]
Make sure IP_XFRM_POLICY is defined
Adrian-Ken Rueegsegger [Wed, 19 Dec 2012 14:58:17 +0000 (15:58 +0100)]
Call isa_skip_create_first when keeping IKE SA
An ALERT_KEEP_ON_CHILD_SA_FAILURE alert is issued when child SA establishment
fails but the corresponding IKE SA is not destroyed. To allow later creation
of child SAs the ISA context must be signaled that the implicity first child SA
creation was skipped.
Adrian-Ken Rueegsegger [Tue, 18 Dec 2012 16:15:58 +0000 (17:15 +0100)]
Make IKE and EES sockets configurable
The IKE and EES sockets are now read from strongswan.conf. They can be
specified like this:
charon-tkm {
ike_socket = /tmp/tkm.rpc.ike
ees_socket = /tmp/tkm.rpc.ees
}
The socket names given above are used by default if none are configured.
Reto Buerki [Tue, 18 Dec 2012 14:35:40 +0000 (15:35 +0100)]
Implement TKM-specific credential set
The TKM credential set extends the in-memory credential set. It
provides a private key enumerator which is used to instantiate private
key proxy objects on-demand. This allows the usage of private keys with
arbitrary identifiers.
Reto Buerki [Tue, 18 Dec 2012 14:06:07 +0000 (15:06 +0100)]
Initialize libstrongswan in test_runner main()
Adrian-Ken Rueegsegger [Mon, 17 Dec 2012 17:27:03 +0000 (18:27 +0100)]
Set ri_id to reqid when setting user certificate
Pass the reqid (of the first child config of an IKE SA) as remote identity id
when calling cc_set_user_certificate. May lead to the usage of the wrong id in
case an IKE SA has multiple child configurations/reqids.
This must be replaced with a proper lookup once the configuration backend is
implemented and provides remote identity ids to charon-tkm.
Adrian-Ken Rueegsegger [Mon, 17 Dec 2012 16:21:47 +0000 (17:21 +0100)]
Set sp_id to reqid when creating ESA
The reqid corresponds to the sp_id (security policy id) on the TKM side.
Adrian-Ken Rueegsegger [Mon, 12 Nov 2012 18:05:28 +0000 (19:05 +0100)]
Call Esa_Select after creation of child SA
This tells the TKM which child SA is the currently active SA.
Adrian-Ken Rueegsegger [Mon, 12 Nov 2012 11:08:32 +0000 (12:08 +0100)]
Check that chunk fits into sequence when converting
Reto Buerki [Thu, 8 Nov 2012 14:32:54 +0000 (15:32 +0100)]
Remove result out parameter from EES Init
Error processing is done by the registered exception handler.
Adrian-Ken Rueegsegger [Thu, 8 Nov 2012 11:22:10 +0000 (12:22 +0100)]
Drop support for pre-shared key authentication
Reto Buerki [Tue, 16 Oct 2012 15:12:51 +0000 (17:12 +0200)]
charon-tkm: Register TKM private key on startup
Reto Buerki [Tue, 16 Oct 2012 14:27:46 +0000 (16:27 +0200)]
Add TKM private key implementation
The key currently imitates the private key of alice@strongswan.org by
returning it's fingerprint in the get_fingerprint function.
This associates the private key with alice's X.509 cert and charon will
use it to create a signature over the local AUTH octets of the test
connection.
The private key serves as a proxy to the TKM ike_isa_sign operation and
extracts the required information from the auth octets chunk passed on
by the keymat.
Reto Buerki [Tue, 16 Oct 2012 14:42:23 +0000 (16:42 +0200)]
keymat: Store signature info in auth octets
Store the ISA context id and the initial message in the auth octets
chunk using the sign_info_t struct. Charon will pass on this information
to the TKM private key sign operation where it is extracted.
Reto Buerki [Tue, 16 Oct 2012 14:39:54 +0000 (16:39 +0200)]
Add AUTH signature info data structure
The sign_info_t type is used to transfer an ISA context id and the
initial message from the keymat to the TKM private key sign operation.
Adrian-Ken Rueegsegger [Thu, 8 Nov 2012 10:04:48 +0000 (11:04 +0100)]
charon-tkm: Register TKM public key on startup
Adrian-Ken Rueegsegger [Thu, 8 Nov 2012 10:00:21 +0000 (11:00 +0100)]
Add TKM public key implementation
The key unconditionally returns TRUE for the verify operation if it is called
with a supported signature algorithm. All such verification operations are
performed by the TKM (e.g. trustchain or auth octets verification) anyway, so
this is safe.
Adrian-Ken Rueegsegger [Wed, 7 Nov 2012 16:55:47 +0000 (17:55 +0100)]
Authenticate ISA using certificates
The authentication of the ISA is now done using the certificate provided
by the peer.
Adrian-Ken Rueegsegger [Wed, 7 Nov 2012 16:54:24 +0000 (17:54 +0100)]
Store peer IKE init message
The IKE init message sent to us by the peer is needed for authentication
in the authorization hook. Store the message as chunk in the keymat and
provide a getter to make it available.
Adrian-Ken Rueegsegger [Tue, 25 Sep 2012 13:21:11 +0000 (15:21 +0200)]
Build cc context in tkm listener authorize hook
Extract peer certificate information and build a TKM certificate chain
context in the authorize hook of the tkm_listener_t. The cc context will
be used for ISA authentication using certificates.
Adrian-Ken Rueegsegger [Tue, 25 Sep 2012 15:13:19 +0000 (17:13 +0200)]
Add TKM_CTX_CC (Certificate chain context id)
Adrian-Ken Rueegsegger [Thu, 4 Oct 2012 09:17:33 +0000 (11:17 +0200)]
Add typelen parameter to chunk_to_sequence function
The parameter is used to initialize the given sequence to zero.
Reto Buerki [Tue, 2 Oct 2012 15:03:39 +0000 (17:03 +0200)]
Implement Ada exception processing
Register a global exception action with the Ada runtime to log uncaught
exceptions to the daemon log and terminate.
Reto Buerki [Wed, 26 Sep 2012 13:40:27 +0000 (15:40 +0200)]
Implement Esa Event Service (EES)
The Esa Event Service can be used to trigger ESP SA (ESA) events such as
acquire or expire. The incoming events are forwarded to the hydra kernel
interface for processing.