Commit Graph

17934 Commits

Author SHA1 Message Date
Domonkos P. Tomcsanyi cea991aea8 Updated entity name in copyright statements 2022-05-18 17:32:30 +02:00
Tomcsányi, Domonkos 0ed91dc681 simaka_manager: Some more debug logging on success/failure cases 2021-08-26 19:48:11 +02:00
Tomcsányi, Domonkos 65f576bd9c ignore mismatch in received identity.
This is needed, because the standard mandates that the remote entity
must be configured as ims (mimicking the APN setting I think), but on
the other hand the ePDG will identify itself with its FQDN in the end. I
tested this and this is currently the only way to do it with strongswan
I think, because you cannot configure different identities.
2021-08-26 19:47:15 +02:00
Tomcsányi, Domonkos 18b4a240dd permit SHA-1, as some ePDGs require that 2021-08-26 19:46:49 +02:00
Tomcsányi, Domonkos f68dcde6c5 Add support for EAP-AKA against USIM in PC/SC reader 2021-08-26 19:45:59 +02:00
Andreas Steffen 4817d5ed0d Version bump to 5.9.3 2021-07-06 14:00:39 +02:00
Andreas Steffen a09a905e1d vici: Suppress trailing nul character 2021-07-06 12:06:23 +02:00
Tobias Brunner 2cd5314de7 testing: Use specific versions of swidGenerator and strongTNC
This way we get updated versions automatically (referencing "master"
required manually deleting the downloaded archives and the unpacked
directories).  It also allows switching versions when working in different
branches (note that REV can also be set to a commit ID, e.g. to test
changes before tagging them later and merging the branch).
2021-06-30 16:17:39 +02:00
Tobias Brunner 06e11b481b kernel-netlink: Fix theoretical memory leak when parsing routes
This currently can't happen as the kernel always puts RTA_TABLE as first
attribute in RTM_NEWROUTE messages.
2021-06-25 13:51:44 +02:00
Tobias Brunner f6aafb3005 Fixed some typos, courtesy of codespell
Main change is the conversion from the British cancelling/-ed to the
American canceling/-ed.
2021-06-25 11:32:29 +02:00
Andreas Steffen 30fab57124 Version bump to 5.9.3rc1 2021-06-24 09:18:54 +02:00
Tobias Brunner 19611b1d28 testing: Build wolfSSL from the Git repository
Use the same configure options etc. for both builds (no need for the cert
options as we don't use TLS or X.509 parsing) and switch to a Git commit
that includes the SHA-3 OID fix (it's actually the fix itself).
2021-06-22 17:54:15 +02:00
Andreas Steffen 4baca5ca80 testing: Fixed ikev2/farp scenario 2021-06-22 12:32:35 +02:00
Andreas Steffen dbd1534875 Version bump to 5.9.3dr4 2021-06-22 10:33:07 +02:00
Andreas Steffen eba2622587 testing: Migrate ikev2-stroke-bye scenarios to vici 2021-06-22 10:23:06 +02:00
Andreas Steffen 706c58b291 testing: Fixed pretest script of ikev1/rw-psk-aggressive scenario 2021-06-21 12:03:36 +02:00
Tobias Brunner 6d8890767c testing: Migrate ikev2/host2host-transport-nat scenario to vici
This also restores the test as it was before the referenced commit so it
again, as written in the description, demonstrates that venus is unable
to ping sun without IPsec tunnel.

Fixes: f27fb58ae0 ("testing: Update description and test evaluation of host2host-transport-nat")
2021-06-21 12:03:36 +02:00
Tobias Brunner 2b5c743952 testing: Migrate MOBIKE tests to vici
Note that the mobike-nat test has been removed as it basically did the same
as the mobike-virtual-ip-nat test.  Instead, the mobike-nat-mapping scenario
is added, which simulates a NAT router restart.
2021-06-21 12:03:36 +02:00
Tobias Brunner abe51389c5 ike-mobike: Force MOBIKE update after NAT mappings changed
The addresses observed by the client behind the NAT are exactly the same if
the NAT router gets restarted.

Fixes: 2b255f01af ("ike-mobike: Use ike_sa_t::update_hosts() to trigger events")
2021-06-21 12:03:36 +02:00
Tobias Brunner 036ae27645 ike-sa: Log IKE endpoint changes 2021-06-21 12:03:36 +02:00
Tobias Brunner 79b526deba ha: Register the correct IKE_SA with the manager after a rekeying
Fixes: 20dfbcad08 ("ha: Register new IKE_SAs before calling inherit_post()")
Closes strongswan/strongswan#456.
2021-06-21 10:02:26 +02:00
Tobias Brunner 4b9b4dc956 Merge branch 'vici-stuck'
Closes strongswan/strongswan#268.
2021-06-21 09:59:28 +02:00
Tobias Brunner eec3bdb04a vici: Signal waiting threads when skipping disconnected connections
If two threads are waiting in find_entry() and remove_entry(),
respectively, and the former is woken first, the latter remains stuck
as it won't get signaled.
2021-06-21 09:59:15 +02:00
Tobias Brunner b0e2187b6b vici: Signal waiting threads when removing a connection entry
If there are threads waiting in find_entry() and one in remove_entry()
and the latter is woken first by a thread calling put_entry(), the
former threads would remain stuck as they get never signaled.
2021-06-21 09:59:15 +02:00
Tobias Brunner 030e80957d kernel-netlink: Don't wait for VIPs to disappear during de-initialization
This can happen if an IKE_SA is terminated forcefully shortly before
terminating the daemon.  The thread that handles the terminate command
will call checkin_and_destroy(), which unregisters the IKE_SA from the
manager before destroying it.  The main thread that calls flush() on the
IKE_SA manager won't wait for this SA (its entry is already gone), so
the processor and in turn the watcher job/thread might get canceled
before the first thread started deleting the VIP.  It would then wait
indefinitely for a signal that can never be sent.

There is still a small chance the thread hangs in wait() if the state check
happens right before the watcher is canceled and it wasn't yet able to
deliver the event from the kernel, we counter that by rechecking the state
after a while.
2021-06-21 09:59:06 +02:00
Tobias Brunner 0fc8cf0013 NEWS: Add news for 5.9.3 2021-06-18 10:31:31 +02:00
Adrian-Ken Rueegsegger 859dedeab7 testing: Update Anet to version 0.4.2 2021-06-17 09:53:51 +02:00
Stefan Berghofer d7a9e723f3 charon-tkm: Remove useless checks when deriving IKE keys 2021-06-17 09:53:51 +02:00
Stefan Berghofer 22e7900718 charon-tkm: Delegate encryption/decryption of IKE traffic to TKM
Co-authored-by: Tobias Brunner <>
2021-06-17 09:53:51 +02:00
Tobias Brunner 6537be9c8d pkcs11: Change how unavailable attributes like CKA_TRUSTED are handled
If a PKCS#11 library/token doesn't provide one or more attributes via
C_GetAttributeValue(), we get back CKR_ATTRIBUTE_TYPE_INVALID (similar
for protected attributes where CKR_ATTRIBUTE_SENSITIVE is returned).
This is not an error as the spec demands that all attributes have been
processed with the unavailable attributes having set their length

We use this to handle the CKA_TRUSTED attribute, which some tokens
apparently don't support.  We previously used a version check to remove
the attribute from the call but even the latest spec doesn't make the
attribute mandatory (it's just in a list of "common" attributes for
CKO_CERTIFICATE objects, without a default value), so there are current
tokens that don't support it and prevent us from enumerating certificates.
2021-06-14 13:58:48 +02:00
Tobias Brunner a90716cd4d receiver: Avoid division by 0 after system start if CLOCK_MONOTONIC is used
Depending on how CLOCK_MONOTONIC is implemented, time_monotonic() might
return 0 within 1 second after the system is started.  If that's the
case, we just default to 0 for now to avoid a crash (doesn't "hide" the
system time, but it's only the uptime anyway in this case).

Closes strongswan/strongswan#435.
2021-06-14 13:24:08 +02:00
Tobias Brunner 8dbf40d19a charon-nm: Simplify certificate enumeration and allow IDs other than DNs
This allows using SANs as identity instead of having to use the subject DN.

References strongswan/strongswan#437.
2021-06-14 12:13:47 +02:00
Tobias Brunner ae71f8357d dhcp: Move log messages for received packets
This way they are logged in the context of the corresponding IKE_SA.

Closes strongswan/strongswan#417.
2021-06-08 17:03:17 +02:00
Thomas Egerer 4e29d6fac1 bus: Extend and reorder arguments of ike_derived_keys() hook
This now includes all key material derived for IKE_SAs in the order
defined in the RFC:

  {SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr}
               = prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr)

Signed-off-by: Thomas Egerer <>
2021-06-07 17:08:27 +02:00
Andreas Steffen 9c85a52956 Version bump to 5.9.3dr3 2021-06-04 09:28:17 +02:00
Tobias Brunner e166423856 ikev1: Fix flags so NAT Vendor IDs are sent again
Fixes: 6c49ddfbca ("ike: Add additional Vendor IDs for third-party implementations")
2021-06-04 09:20:49 +02:00
Andreas Steffen cc4338267e testing: Added openssl-ikev2/net2net-sha3-rsa-cert scenario 2021-06-03 14:20:06 +02:00
Andreas Steffen 5688e631e3 openssl: Support SHA-3 based RSA_EMSA_PKCS1 signatures 2021-06-03 14:20:06 +02:00
Andreas Steffen de5ca4021a testing: Test wolfssl plugin 2021-06-03 10:22:59 +02:00
Andreas Steffen 8bbd7bbd36 wolfssl: Full support of SHA3 signatures 2021-06-03 10:20:18 +02:00
Andreas Steffen e0044e5f48 credential_factory: Store name of plugin registering a builder 2021-06-01 21:12:46 +02:00
Andreas Steffen 62c5ef035c wolfssl: Set RSA key type 2021-05-30 12:40:08 +02:00
Marius Tomaschewski d654117c66 ccm: Destroy IV generator on crypter creation failure
Closes strongswan/strongswan#343.
2021-05-27 17:43:03 +02:00
Tobias Brunner a82f13e7ce dhcp: Log MAC address when sending DISCOVER message
Closes strongswan/strongswan#239.
2021-05-27 12:06:47 +02:00
Noel Kuntze 6c49ddfbca ike: Add additional Vendor IDs for third-party implementations
For some that are followed by unknown data (e.g. detailed version
information) we only do a prefix match.

Co-authored-by: Tobias Brunner <>

Closes strongswan/strongswan#393.
2021-05-21 17:50:35 +02:00
Andreas Steffen d415673565 Version bump to 5.9.3dr2 2021-05-21 10:00:41 +02:00
Andreas Steffen 7c5a2974b9 testing: Reorganizing IKEv1 and IKEv2 examples
For documentation purposes the new folders ikev1-algs, ikev2-algs,
ikev1-multi-ca and ikev2-multi-ca have been created. Most of the
test cases have now been converted to the vici interface. The
remaining legacy stroke scenarios yet to be converted have been put
into the ikev2-stroke-bye folder.

For documentation purposes some legacy stroke scenarios will be kept
in the ikev1-stroke, ikev2-stroke and ipv6-stroke folders.
2021-05-21 09:42:50 +02:00
Tobias Brunner db93938297 notify-payload: Update reference for notify types for PPKs
draft-ietf-ipsecme-qr-ikev2 was released as RFC 8784 in June of 2020.
2021-05-11 14:30:05 +02:00
Tobias Brunner c13a1c2829 Don't report current text in parser error messages
The values of `yytext` and `yyleng` might not be properly defined when
the error function is called (in particular if the lexer reached EOF).
While this might just cause non-printable characters in the output, it
could actually lead to a crash depending on where `yytext` points.

Closes strongswan/strongswan#346.
2021-05-11 10:08:58 +02:00
Noel Kuntze cf6a164108 testing: Replace kvm with qemu-system-x86_64
It might not exist on all platforms and according to the man page:

  The kvm wrapper script is used to provide compatibility with old
  qemu-kvm package which has been merged into qemu as of version 1.3.

  The script executes
    qemu-system-x86_64 -enable-kvm
  passing all other command-line arguments to the qemu binary.

Closes strongswan/strongswan#385.
2021-05-10 11:14:00 +02:00