Much like in commit a68454b, we now use a global atomic counter to keep
track of the number of IKE_SAs currently registered. This should improve
scalability for a large number of segments even more.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
Line 66 yields "TypeError: can't concat bytes to str" using Python 3.4.
"requestdata" was introduced in 22f08609f1 but is not actually used.
Since the original "request" is not used anywhere else this can be changed
to be similar to the other UTF-8 encoding changes in that commit.
Fixes: 22f08609f1 ("vici: Explicitly set the Python encoding type").
Closesstrongswan/strongswan#66.
When constructing the result, all responses from Netlink were concatenated
iteratively, i.e. for each response, the previously acquired result was
copied to newly allocated memory and the current response appended to it.
This results in O(n^2) copy operations. Instead, we now check for the
total final length of the result and copy the individual responses to it
in one pass, i.e. in O(n) copy operations. In particular, this issue caused
very high CPU usage in memcpy() function as the result is copied over and
over. Common way how to hit the issue is when having 1000+ routes and 5+
connecting clients a second. In that case, the memcpy() function can
take 50%+ of one CPU thread on a decent CPU and the whole charon daemon
is stuck just reading routes and concatenating them together (connecting
clients are blocked in that particular case as this is done under mutex).
Closes strongswan/strongswan#65.
References #2055.
If a the original responder narrows the selectors of its peer in addrblock,
the peer gets a subset of that selectors. However, once the original responder
initiates rekeying of that CHILD_SA, it sends the full selectors to the peer,
and then narrows the received selectors locally for the installation, only.
This is insufficient, as the peer ends up with wider selectors, sending traffic
that the original responder will reject to the stricter IPsec policy. So
additionally narrow the selectors when rekeying CHILD_SAs before sending the
TS list to the peer.
This is different if `ike` and `child` are provided and uninstall()
fails as we call that without knowing whether a matching shunt exists.
But if `ike` is not provided we explicitly search for a matching shunt
and if found don't need to look for a trap policy.
This provides a solution for configs where there is e.g. a catch-all %any
PSK, while more specific PSKs would be found by the identities of configs
that e.g. use FQDNs as local/remote addresses.
Fixes#2223.
Memory is allocated with calloc, hence set to zero, thus assigning the
numerical value 0 is not required.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
We actually want to wait until the IKE_SA is destroyed, not any of the
CHILD_SAs (even though there might not be that much of a difference
depending on the number of CHILD_SAs).
Fixes#2261.
Previously, the client had to propose no wider selectors than the certificate
permits, otherwise the complete CHILD_SA was rejected. However, with IKEv2
we can dynamically narrow the selectors to what the certificate allows. This
makes client and gateway configurations very simple by just proposing 0.0.0.0/0,
narrowed to selectors the client is permitted to route into the network.
This allows a gateway to enforce the addrblock policy on certificates that
actually have the extension only. For (legacy) certificates not having the
extension, traffic selectors are validated/narrowed by other means, most
likely by the configuration.
Usually, %dynamic is used as traffic selector for transport mode SAs,
however, if wildcard traps are used then the remote TS will be a subnet.
With strongSwan at the remote end that usually works fine as the local
%dynamic TS narrows the proposed TS appropriately. But some
implementations reject non-host TS for transport mode SAs.
Another problem could be if several distinct subnets are configured for a
wildcard trap, as we'd then propose unrelated subnets on that transport
mode SA, which might be problematic even for strongSwan (switch to tunnel
mode and duplicate policies).
Closesstrongswan/strongswan#61.
Some devices always use the oldest IKE_SA to send DPDs and will delete
all IKE_SAs when there is no response. If uniqueness is not enforced
rekeyed IKE_SAs might not get deleted until they expire so we should
respond to DPDs.
References #2090.
When multihomed, a setup might prefer to dynamically stay on the cheapest
available path by using MOBIKE migrations. If the cheapest path goes away and
comes back, we currently stay on the more expensive path to reduce noise and
prevent potential migration issues. This is usually just fine for links not
generating real cost.
If we have more expensive links in the setup, it can be desirable to always
migrate to the cheapest link available. By setting charon.prefer_best_path,
charon tries to migrate to the path using the highest priority link, allowing
an external application to update routes to indirectly control MOBIKE behavior.
This option has no effect if MOBIKE is unavailable.
Disabling MOBIKE and statically configuring a local address should be
enough indication that the user doesn't want to roam to a different
address. There might not be any routes that indicate we can use the
current address but it might still work (e.g. if the address is on an
interface that is not referenced in any routes and the address itself
is neither). This way we avoid switching to another address for routes
that might be available on the system.
We currently don't make much use of COND_STALE anyway when MOBIKE is not
enabled, e.g. to avoid sending DPDs if the connection is seemingly down.
With MOBIKE enabled we don't exactly check that state but we do don't
send DPDs if there is no route/source address available.
This way updates to the mediation config are respected and the order in
which configs are configured/loaded does not matter.
The SQL plugin currently maintains the strong relationship between
mediated and mediation connection (we could theoretically change that to a
string too).
The original name is returned in the new "name" attribute.
This fixes an issue with bindings that map VICI messages to
dictionaries. For instance, in roadwarrior scenarios where every
CHILD_SA has the same name only the information of the last CHILD_SA
would end up in the dictionary for that name.
PINs are stored in a "hidden" credential set, so that its shared
secrets are not exposed via VICI. Since they are not explicitly loaded as
shared secrets via VICI a client might consider them as removed secrets and
remove them.
After an interface disappeared we can't remove the policies correctly as
the name doesn't resolve to the previous index anymore.
And making the policies so specific might not provide that much benefit.
To handle the interfaces on the policies correctly would require some
changes to the child-cfg, kernel-interface etc. so they'd take interface
indices directly so we could target the policies correctly even if an
interface disappeared (or reappeared and got a new index).
The SA ID (src, dst, proto, spi) is unique on ingress.
As such, explicit inbound marking is not needed to match an SA.
On the other hand, requiring inbound SAs to use marks forces the
installation of a mechanism for marking traffic (e.g. iptables) based
on some criteria.
Defining the criteria becomes complicated, for example when required to
support multiple SAs from the same src, especially when traffic is UDP
encapsulated.
This commit removes the assignment of the child_sa mark_in to the inbound SA.
Policies can be arbitrated by existing means - e.g, via netfilter policy
matching or using VTI interfaces - without the need to classify the flows prior
to state matching.
Since the reqid allocator regards the mark value, there is no risk of matching
the wrong policy.
And as explicit marking was required for route-based VPN to work before this
change, it should not cause regressions in existing setups.
Closesstrongswan/strongswan#59.
For table dumps the kernel accepts RTA_PREFSRC to filter the routes, which is
what we do when doing userspace route calculations. For kernel-based route
lookups, however, the RTA_PREFSRC attribute is ignored and we must specify
RTA_SRC for policy based route lookups.
For gateways with many connections, installing routes is often disabled,
as we can use a static route configuration to achieve proper routing with
a single rule. If this is the case, there is no need to dump all routes and
do userspace route lookups, as there is no need to exclude routes we installed
ourself.
Doing kernel-based route lookups is not only faster with may routes, but also
can use the full power of Linux policy based routing; something we can hardly
rebuild in userspace when calculating routes.
When using vici over RPyC and its (awesome) splitbrain, encoding and decoding
strings fails in vici, most likely because of the Monkey-Patch magic splitbrain
uses.
When specifying the implicit UTF-8 as encoding scheme explicitly, Python uses
the correct method to encode/decode the string, making vici useable in
splitbrain contexts.
If this is the first message by the peer, i.e. we expect MID 0, the
message is not pre-processed in the task manager so we ignore it in the
task.
We also make sure to ignore such messages if the extension is disabled
and the peer already sent us one INFORMATIONAL, e.g. a DPD (we'd otherwise
consider the message with MID 0 as a retransmit).
If the responder never sent a message the expected MID is 0. While
the sent MID (M1) SHOULD be increased beyond the known value, it's
not necessarily the case.
Since M2 - 1 would then equal UINT_MAX setting that MID would get ignored
and while we'd return 0 in the notify we'd actually expect 1 afterwards.
While trap and regular policies now often look the same (mainly because
reqids are kept constant) trap policies still need to have a lower priority
than regular policies to handle unroute/route correctly if e.g. IPComp
is used or the mode changes. But if we use a completely different
priority range that's lower than that of regular policies it is not possible
to install overlapping trap policies. By differentiating trap from
regular policies via the priority's LSB this issue is avoided while
still maintaining the proper ordering of trap and regular policies.
Fixes#1243.
If charon.prefer_configured_proposals is disabled select() is called on
the received proposal. This incorrectly set the SPI to 0 as the
configured proposal has no SPI set.
Fixes#2190.
The Optimistic Duplicate Address Detection (DAD) seems to fail in some
cases (`dadfailed` in `ip addr`) rendering the virtual IP address unusable.
Fixes#2183.
This implements rule 6 of RFC 6724 using the default priority table,
so that e.g. global addresses are preferred over ULAs (which also have
global scope) when the destination is a global address.
Fixes#2138.
By default, the kernel incorrectly uses an 8 byte alignment, which is
mandatory for IPv6 but prohibited for IPv4. For many algorithms this
doesn't matter but that's not the case for HMAC_SHA2_256_128.
Since 2.6.39 the kernel can be explicitly configured to use a 4 byte
alignment.
Otherwise, we'd end up with an empty TS list, which is not valid.
Because end->tohost is set to !end->subnets in starter the removed branch was
never used.
The Python VICI library does not check if the socket is closed.
If the daemon closes the connection, _recvall() spins forever.
Closesstrongswan/strongswan#56.
Recent research demonstrates that at least for 1024-bit DH groups, it is
possible to create specially crafted primes having a backdoor. From the
prime itself this is not detectable, creating a perfect NOBUS attack.
http://eprint.iacr.org/2016/961
For the primes defined in RFC 5114 no information is provided on how these
have been selected. In the default proposal we included one of the 2048-bit
primes only, where it is questionable if constructing a backdoored prime is
feasible. Nevertheless, this patch removes the group from the set of default
proposals as well.
The log level was incorrectly set to the same value for all groups.
Fixes: dac15e03c8 ("bus: Fix maximum log levels when mixing log/vlog
implementing loggers")
Fix for "Permission denied (you must be root)" error when calling
iptc_init(), which opens a RAW socket to communicate with the kernel,
when built with "--with-capabilities=libcap".
Closes strongswan/strongswan#53.
Fixes#2157.
A wrong variable is used (route instead of best), so much that the
returned interface belongs to the last seen route instead of the best
choice route.
get_route() may therefore return mismatching interface and gateway.
Fixes: 66e9165bc6 ("kernel-netlink: Return outbound interface in get_nexthop()")
Signed-off-by: Christophe Gouault <christophe.gouault@6wind.com>
We parse aes*gmac as encryption algorithm, which we have to map to an
integrity algorithm. We also make sure we remove all other encryption
algorithms and ensure there is an integrity algorithm.
If a responder is natted it will usually be a static NAT (unless it's a
mediated connection) in which case adding these notifies makes not much
sense (if the initiator's NAT mapping had changed the responder wouldn't
be able to reach it anyway). It's also problematic as some clients refuse
to respond to DPDs if they contain such notifies.
Fixes#2126.
If we silently delete the IKE_SA the other peer might still use it even
if only to send DPDs. If we don't answer to DPDs that might result in the
deletion of the new IKE_SA too.
This is the minimum size an IPv6 implementation must support. This makes
it the default for IPv4 too, which presumably is also generally routable
(otherwise, setting this to 0 falls back to the minimum of 576 for IPv4).
The maximum would not get set correctly when a logger is removed and the
first remaining logger in the list (the one with the highest log level) does
e.g. only implement vlog() while there are other loggers that implement log().
This would result in only max_vlevel getting set correctly while max_level
would incorrectly get set to -1 so that log() would not get called for any
of the loggers anymore.
References #574.
The kernel will apply the mask to the mark on the packet and then
compare it to the configured mark. So to match only unmarked packets we
have to be able to set 0/0xffffffff.
If the number of flows over a gateway exceeds the flow cache size of the Linux
kernel, policy lookup gets very expensive. Policies covering more than a single
address don't get hash-indexed by default, which results in wasting most of
the cycles in xfrm_policy_lookup_bytype() and its xfrm_policy_match() use.
Starting with several hundred policies the overhead gets inacceptable.
Starting with Linux 3.18, Linux can hash the first n-bit of a policy subnet
to perform indexed lookup. With correctly chosen netbits, this can completely
eliminate the performance impact of policy lookups, freeing the resources
for ESP crypto.
WARNING: Due to a bug in kernels 3.19 through 4.7, the kernel crashes with a
NULL pointer dereference if a socket policy is installed while hash thresholds
are changed. And because the hashtable rebuild triggered by the threshold
change that causes this is scheduled it might also happen if the socket
policies are seemingly installed after setting the thresholds.
The fix for this bug - 6916fb3b10b3 ("xfrm: Ignore socket policies when
rebuilding hash tables") - is included since 4.8 (and might get backported).
As a workaround `charon.plugins.kernel-netlink.port_bypass` may be enabled
to replace the socket policies that allow IKE traffic with port specific
bypass policies.
They are only required if drop policies would otherwise prevent
forwarding traffic. This reduces the number of policies and avoids
conflicts e.g. with SPD hash thresholds.
When fresh CRLs are released with a high update frequency (e.g.
every 24 hours) or OCSP is used then the certificate cache gets
quickly filled with stale CRLs or OCSP responses. The new VICI
flush-certs command allows to flush e.g. cached CRLs or OCSP
responses only. Without the type argument all kind of certificates
(e.g. also received end entity and intermediate CA certificates)
are purged.
Some tasks might get removed immediately once the IKE_SA_INIT response has
been handled even if there were notifies that require a restart of the
IKE_SA (e.g. COOKIE or INVALID_KE_PAYLOAD). Such a task is ike_vendor,
which caused vendor IDs not to get sent in a retry. This change ensures
all required tasks are queued after the reset, which some callers did
already anyway.
These seem to indicate the major and minor version of the protocol, like
e.g. for the DPD vendor ID. Some implementations seem to send versions
other than 1.0 so we just ignore these for now when checking for known
vendor IDs.
Fixes#2088.
Tobias Brunner