Reset errno to 0 before calling strtoul() since it sets errno only on
error cases. So the following test fails even on correct conversions if
errno had a value != 0.
Fixes#2506.
Otherwise, the remote identity is ignored when matching owner identities
of PSKs and this way matching PSKs that explicitly have %any assigned is
improved.
Fixes#2497.
If users want to associate secrets with any identity, let 'em. This is
also possible with vici and might help if e.g. the remote identity is
actually %any as that would match a PSK with local IP and %any better
than one with local and different remote IP.
Fixes#2497.
Use argument evaluation provided by settings_t instead of using strings
to enumerate key/values.
If section names contain dots the latter causes the names to get split
and interpreted as non-existing sections and subsections.
This currently doesn't work for connections and their subsections due to
the recursion.
libnm-glib is deprecated for several years and reaching the end of its
life. Let's switch to the more up-to-date library.
Closesstrongswan/strongswan#85.
Support for mark=%unique/%unique-dir is implemented by using designated
magic mark values.
Use of masks is orthogonal to the 'unique' feature, as it is useful to be
able to designate portions of the packet mark for other purposes, while
still using different marks for different connections.
When these magic values are masked, their magic meaning is lost.
Perform masking only on explicit mark values.
Closesstrongswan/strongswan#87.
This allows us to use it without having to initialize libcharon, which
was required for the logging (we probably could have included debug.h
instead of daemon.h to workaround that but this seems more correct).
Make sure, though, that we only remove the file if we actually
created it (e.g. not for --help or --version). And do so before
deinitializing libstrongswan due to leak detective.
Fixes#2460.
libstrongswan and kernel-netlink are the only two components which do
not adhere to the naming scheme used for all other tests. If the tests
are run by an external application this imposes problems due to clashing
names.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
In theory we should treat any parameters and the identifier itself as
restriction to only use the key to create signatures accordingly (e.g.
only use RSA with PSS padding or even use specific hash algorithms).
But that's currently tricky as we'd have to store and pass this information
along with our private keys (i.e. use PKCS#8 to store them and change the
builder calls to pass along the identifier and parameters). That would
require quite some work.
For salt lengths other than 20 this requires 0bd8137e68c2 ("cipher:
Add option to specify salt length for PSS verification."), which was
included in libgcrypt 1.7.0 (for Ubuntu requires 17.04). As that makes
it pretty much useless for us (SHA-1 is a MUST NOT), we require that version
to even provide the feature.
Since not all implementations allow setting a specific salt value when
generating signatures (e.g. OpenSSL doesn't), we are often limited to
only using the test vectors with salt length of 0.
We also exclude test vectors with SHA-1, SHA-224 and SHA-384.
RFC 8247 demoted it to SHOULD NOT. This might break connections with
Windows clients unless they are configured to use a stronger group or
matching weak proposals are configured explicitly on the server.
References #2427.
The MySQL client doesn't like overlapping queries on the same
connection, so we make sure to destroy the enumerator used to check for
an existing pool before deleting it when --replace is used.
This is not ideal as the call to C_Finalize() should be the last one via
the PKCS#11 API. Since the order in which jobs are canceled is undefined
we can't be sure there is no other thread still using the library (it could
even be the canceled job that still handles a previous slot event).
According to PKCS#11 the behavior of C_Finalize() is undefined while other
threads still make calls over the API.
However, canceling the thread, as done previously, could also be problematic
as PKCS#11 libraries could hold locks while in the C_WaitForSlotEvent() call,
which might not get released properly when the thread is just canceled,
and which then might cause later calls to other API functions to block.
Fixes#2437.
If enabled, add the RADIUS Class attributes received in Access-Accept messages
to RADIUS accounting messages as suggested by RFC 2865 section 5.25.
Fixes#2451.
We do something similar in reestablish() for break-before-make reauth.
If we don't abort we'd be sending an IKE_AUTH without any TS payloads.
References #2430.
The fix for gperf in 0ae19f0ced added the generated header to
EXTRA_DIST but that's already added to the distribution because it is
contained in *_SOURCES, what was not added, though, was the .h.in file.
Also fixes the reference to the header file in the .c rule here and for
stroke in out-of-tree builds.
Fixes: 0ae19f0ced ("configure: Fix gperf length parameter determination")
This can happen if a stream is used blocking exclusively (the FD is
never registered with watcher, but is removed in the stream's destructor
just in case it ever was - doing this conditionally would require an
additional flag in streams). There may be no thread reading from
the read end of the notify pipe (e.g. in starter), causing the write
to the notify pipe to block after it's full. Anyway, doing a relatively
expensive FD update is unnecessary if there were no changes.
Fixes#1453.
This allows systemd socket activation by passing URIs such as systemd://foo
to plugins such as VICI.
For example setting charon.plugins.vici.socket = systemd://vici, a
systemd socket file descriptor with the name "vici" will be picked up.
So these would be the corresponding unit options:
[Socket]
FileDescriptorName=vici
Service=strongswan.service
ListenStream=/run/charon.vici
The implementation currently is very basic and right now only the first
file descriptor for a particular identifier is picked up if there are
multiple socket units with the same FileDescriptorName.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Closesstrongswan/strongswan#79.
Just rely on the default proposals by charon if nothing is defined. The
hard-coded IKE proposal used curve25519, which depends on an optional
plugin (while enabled by default it might still not be loaded, or, like
on Debian, shipped in an optional package). With charon's default
proposal only loaded algorithms are proposed for IKE avoiding this issue.
The order of arguments in X509_CRL_get0_signature() is not the same as that
of X509_get0_signature().
Fixes: 989ba4b6cd ("openssl: Update CRL API to OpenSSL 1.1.0")
gperf is not actually a build dependency as the generated files are
shipped in the tarball. So the type depends on the gperf version on
the host that ran gperf and created the tarball, which might not be
the same as that on the actual build host, and gperf might not even
be installed there, leaving the type undetermined.
Fixes: e0e4322973 ("configure: Detect type of length parameter for gperf generated function")
It seems that there is a race, at least in 10.13, that lets
if_indextoname() fail for the new TUN device. So we delay the call a bit,
which seems to "fix" the issue. It's strange anyway that the previous
delay was only applied when an iface entry was already found.
Recent releases of glibc don't include the full stdint.h header in some
network headers included by utils.h. So uintptr_t might not be defined.
Since we use fixed width integers, including the latter, all over the place
we make sure the complete file is included.
Fixes#2425.
The value of DHCP_OPTEND is 255. When it is assigned this result in a
sign change as the positive int constant is cast to a signed char and -1
results. Clang 4.0 complains about this.
This fixes compilation with -Werror when using Clang 4.0 (but not 3.9)
and possibly prevents undefined behavior.
According to the C standard the following applies to the second
parameter of the va_start() macro (subclause 7.16.1.4, paragraph 4):
The parameter parmN is the identifier of the rightmost parameter
in the variable parameter list in the function definition (the
one just before the ...). If the parameter parmN is declared with
the register storage class, with a function or array type, or with
a type that is not compatible with the type that results after
application of the default argument promotions, the behavior is
undefined.
Because bool is usually just 1 byte and therefore smaller than int (i.e.
the result of default argument promotion) its use as last argument before
... might result in undefined behavior. This theoretically can also
apply to enums as a compiler may use a smaller base type than int.
Since Clang 3.9 (currently in use on Travis by default) a warning is
issued about this, however, that version did not yet compare the actual
size of the argument's type, causing warnings where they are not
warranted (basically for all cases where enum types are used for the
last argument). This was apparently fixed with Clang 4.0, which only
warns about this use of bool with va_start(), which makes sense.
They now match the dh_constructor_t signature. This is a follow up for
the changes merged with b668bf3f9e and should fix use of MODP_CUSTOM on
Apple's ARM64 platform.
This causes problems e.g. on Android where we handle the alert (and
reestablish the IKE_SA) even though it usually is no problem if the
peer retries with the requested group. We don't consider it as a
failure on the initiator either.
If an IPsec SA is actually replaced with a rekeying its entry in the
manager is freed. That means that when the hard expire is triggered a
new entry might be found at the cached pointer location. So we have
to make sure we trigger the expire only if we found the right SA.
We could use SPI and addresses for the lookup, but this here requires
a bit less memory and is just a small change. Another option would be to
somehow cancel the queued job, but our scheduler doesn't allow that at
the moment.
Fixes#2399.
We don't attempt to parse the transport headers for fragments, not even
for the initial fragment (it's not guaranteed they contain the header,
depending on the number and type of extension headers).
Since we are also releasing the ESA ID we have to make sure that the ESA
context is reset and in a clean state in order for it to be actually
reusable.
Use new reference counting feature of ID manager for AE contexts and
only perform reset if count is zero. Also, do not pass on AE ID as every
IKE SA must decrement AE ID count once it is not used any longer.
sec-updater downloads the deb package files from security updates from
a given linux repository and uses the swid_generator command to
derive a SWID tag. The SWID tag is then imported into strongTNC
using the manage.py importswid command.
In case we send retransmits for an IKE_SA_INIT where we propose a DH
group the responder will reject we might later receive delayed responses
that either contain INVALID_KE_PAYLOAD notifies with the group we already
use or, if we retransmitted an IKE_SA_INIT with the requested group but
then had to restart again, a KE payload with a group different from the
one we proposed. So far we didn't change the initiator SPI when
restarting the connection, i.e. these delayed responses were processed
and might have caused fatal errors due to a failed DH negotiation or
because of the internal retry counter in the ike-init task. Changing
the initiator SPI avoids that as we won't process the delayed responses
anymore that caused this confusion.
sec-updater checks for security updates and backports in Debian/
Ubuntu repositories and sets the security flags in the strongTNC
policy database accordingly.
If an interface is renamed we already have an entry (based on the
ifindex) allocated but previously only set the usable state once
based on the original name.
Fixes#2403.
The generic field of size 0 in the union that was used previously
triggered index-out-of-bounds errors with the UBSAN sanitizer that's
used on OSS-Fuzz. Since the two family specific union members don't
really provide any advantage, we can just use a single buffer for both
families to avoid the errors.
By definition, m must be <= n-1, we didn't enforce that and because
mpz_export() returns NULL if the passed value is zero a crash could have
been triggered with m == n.
Fixes CVE-2017-11185.
When querying SAs the keys will end up in this buffer (the allocated
messages that are returned are already wiped). The kernel also returns
XFRM_MSG_NEWSA as response to XFRM_MSG_ALLOCSPI but we can't distinguish
this here as we only see the response.
References #2388.
When requiring unique flags for CHILD_SAs, allow the configuration to
request different marks for each direction by using the %unique-dir keyword.
This is useful when different marks are desired for each direction but the
number of peers is not predefined.
An example use case is when implementing a site-to-site route-based VPN
without VTI devices.
A use of 0.0.0.0/0 - 0.0.0.0/0 traffic selectors with identical in/out marks
results in outbound traffic being wrongfully matched against the 'fwd'
policy - for which the underlay 'template' does not match - and dropped.
Using different marks for each direction avoids this issue as the 'fwd' policy
uses the 'in' mark will not match outbound traffic.
Closesstrongswan/strongswan#78.
Initiation might later fail, of course, but we don't really
require an IP address when installing, that is, unless the remote
traffic selector is dynamic. As that would result in installing a
0.0.0.0/0 remote TS which is not ideal when a single IP is expected as
remote.
After a rekeying the outbound SA and policy is deleted immediately, however,
the inbound SA is not removed until a few seconds later, so delayed packets
can still be processed.
This adds a flag to get_esa_id() that specifies the location of the
given SPI.
This splits the SA installation also on the initiator, so we can avoid
installing the outbound SA if we lost a rekey collision, which might
have caused traffic loss depending on the timing of the DELETEs that are
sent in both directions.
This tries to avoid packet loss during rekeying by delaying the usage of
the new outbound IKE_SA until the old one is deleted.
Note that esa_select() is a no-op in the current TKM implementation. And
the implementation also doesn't benefit from the delayed deletion of the
inbound SA as it calls esa_reset() when the outbound SA is deleted.
If multiple threads want to enumerate child-cfgs and potentially lock
other locks (e.g. check out IKE_SAs) while doing so a deadlock could
be caused (as was the case with VICI configs with start_action=start).
It should also improve performance for roadwarrior connections and lots
of clients connecting concurrently.
Fixes#2374.
This prevented new listeners from receiving notifies if they joined
after another listener disconnected previously, and if they themselves
disconnected their old connection would prevent them again from getting
notifies.
Multiple CHILD_SAs sharing the same traffic selectors (e.g. during
make-before-break reauthentication) also have the same reqid assigned.
If all matching entries are removed we could end up without entry even
though an SA exists that still uses these traffic selectors.
Fixes#2373.
This way we get the log message in stroke and swanctl as last message
when establishing a connection. It's already like this for the IKE_SA
where IKE_ESTABLISHED is set after the corresponding log message.
Fixes#2364.
Due to the lookup based on the mapped algorithm ID the resulting AH
proposals were invalid.
Fixes#2347.
Fixes: 8456d6f5a8 ("ikev1: Don't require AH mapping for integrity algorithm when generating proposal")
This is similar to the eap-aka-3gpp2 plugin. K (optionally concatenated
with OPc) may be configured as binary EAP secret in ipsec.secrets or
swanctl.conf.
Based on a patch by Thomas Strangert.
Fixes#2326.
A second property will control if only the selected apps have access to
the VPN or if the selected apps are excluded from the VPN, or if the
functionality is disabled.
We register when the service connects but also in onStart() (as we
unregister in onStop() to avoid updates when not shown). So this could
theoretically cause the listener to get registered twice if the service
is connected before onStart() is called (it seems it usually isn't).
If we find a redundant CHILD_SA (the peer probably rekeyed the SA before
us) we might not want to delete the old SA because the peer might still
use it (same applies to old CHILD_SAs after rekeyings). So only delete
them if configured to do so.
Fixes#2358.
Unlike mpz_powm() its secure replacement mpz_powm_sec() has the additional
requirement that the exponent must be > 0 and the modulus has to be odd.
Otherwise, it will crash with a floating-point exception.
Fixes: CVE-2017-9022
Fixes: 3e35a6e7a1 ("Use side-channel secured mpz_powm_sec of libgmp 5, if available")
Reinhard Pfau