Commit Graph

17602 Commits

Author SHA1 Message Date
Tobias Brunner ef636316d2 vici: Send all queued messages during shutdown
This ensures that e.g. ike/child-updown messages are sent that were
queued but couldn't be sent (even the job to enable to on_write() callback
requires a worker thread that's not around anymore during shutdown).

References #3602.
2020-10-30 09:58:42 +01:00
Tobias Brunner 6586f07162 ikev2: Clear fragments of a retransmitted message if we receive the next one
The message_t object used for defragmentation was only cleared after
all fragments have been received and the message was delivered.  So
if we received only some fragments of a retransmitted message, the
fragments of the next message were not processed (message_t returns
INVALID_ARG if the message ID does not match causing the message to
get ignored).  This rendered the IKE_SA unusable as the client
obviously never retransmitted the fragments of that previous message
after it received our response.
2020-10-29 14:06:19 +01:00
Tobias Brunner 364e69b683 Merge branch 'android-ipv6-transport'
Adds support to use IPv6 as transport addresses for IKE and ESP and a
bunch of fixes.  On Linux servers, this requires at least a 5.8 kernel so
UDP encapsulation for IPv6 is supported.

Fixes #892.
2020-10-29 11:23:48 +01:00
Tobias Brunner 01fee62f46 android: New release after adding IPv6 support and several fixes 2020-10-29 10:57:07 +01:00
Tobias Brunner ec317c29ca android: Throw an exception if UUID can't get parsed
The parser is quite picky and e.g. doesn't accept UUIDs without dashes.
Even without a specific error, this at least points the users into the
right direction.

Fixes #3583.
2020-10-29 10:57:07 +01:00
Tobias Brunner 80337f4f9d android: Prevent illegalStateException when showing power whitelist dialog
If the activity is not active when the service connection is
established and handleIntent() is called, the activity's state is already
saved and any fragment transaction would result in an illegalStateException
due to state loss.  We just ignore this and wait for another initiation
attempt (via onNewIntent()).
2020-10-29 10:22:52 +01:00
Tobias Brunner 264435f626 android: Handle restarts of control activity with power whitelist dialog better
With the flag set, we basically ignore the resent intent, which is not
ideal if we have not yet actually started another activity.  The information
dialog we show first would disappear when closing and reopening the app
or even just rotating it (we hide all dialogs when receiving an intent),
but since the flag was restored, the dialog was not shown again even
when attempting to start other connections.
2020-10-29 10:22:52 +01:00
Tobias Brunner 21476a8d91 android: Make IPv6 transport flag configurable in the GUI 2020-10-29 10:22:52 +01:00
Tobias Brunner 7d10095123 android: Import IPv6 transport flag 2020-10-29 10:22:52 +01:00
Tobias Brunner 3581914387 android: Add flag to enable IPv6 transport addresses 2020-10-29 10:22:51 +01:00
Tobias Brunner 0bc826c2f2 android: IPV6_PKTINFO is supported (i.e. struct in6_pktinfo is available) 2020-10-29 10:22:51 +01:00
Tobias Brunner 294c022fae android: Add ability to lookup IPv6 source addresses 2020-10-29 10:22:51 +01:00
Tobias Brunner 217d8ab81e android: Fix port scanning IMC
Since 9e88bb987d ("Subscribed Scanner IMC/IMV to IETF_FIREWALL PA subtype")
the port filter attribute is requested with a different message type.
2020-10-29 10:22:51 +01:00
Tobias Brunner 1c82e65cbe android: Ignore deprecation warning for legacy code in NetworkManager 2020-10-29 10:22:51 +01:00
Tobias Brunner a7713372d3 android: Replace deprecated getFragmentManager() in TNC-related Fragments 2020-10-29 10:22:51 +01:00
Tobias Brunner e106fce483 android: Consistently use PreferenceManager from AndroidX
android.preference.PreferenceManager has been deprecated.  The one from
AndroidX was already in use in some places.
2020-10-29 10:22:51 +01:00
Tobias Brunner ea303d3f5a android: Update dependencies 2020-10-29 10:22:51 +01:00
Tobias Brunner f71f6f659f android: Set compile-/targetSdkVersion to 29
This will be mandatory for existing apps on Nov 2, 2020.
2020-10-29 10:22:51 +01:00
Tobias Brunner ad2caae301 android: Update Gradle plugin 2020-10-29 10:22:51 +01:00
Tobias Brunner 8f2b6d7094 testing: Ignore hosts that are not running during shutdown
This allows properly terminating the environment if a host has crashed
or was terminated manually for some reason.
2020-10-29 10:22:51 +01:00
Tobias Brunner a689e358e5 kernel-netlink: Ignore deprecated candidate source addresses
The currently used address may get deprecated e.g. if an IPv6 prefix changes.
In this case we should switch to another address.

Fixes #3511.
2020-10-29 09:46:14 +01:00
Tobias Brunner 2eb43ca405 kernel-netlink: Update cached address flags
Note that manually adding an IPv6 address without disabling duplicate
address detection (DAD, e.g. via `nodad` when using iproute2) will cause
a roam event due to a flag change after about 1-2 seconds (TENTATIVE is
removed).  If this is a problem, we might have to ignore addresses with
TENTATIVE flag when we receive a RTM_NEWADDR message until that flag is
eventually removed.

Fixes #3511.
2020-10-29 09:46:14 +01:00
Tobias Brunner 266e2dbbea README: Add missing closing quote 2020-10-28 17:09:53 +01:00
Tobias Brunner bce0c5fd74 child-create: Update CHILD_SA IP addresses before installation
We create the child_sa_t object when initiating the CREATE_CHILD_SA
request, however, the IP addresses/ports might have changed once we
eventually receive the response (potentially to a retransmit sent to
a different address).  So update them before installing the SA and
policies.

If the local address changed too and depending on the kernel
implementation, the temporary SA created to allocate the inbound SPI
might remain as it can't be updated.  This could cause issues if e.g.
the address switches back before that SA expired (the updated inbound
SA conflicts with the temporary one), or if that happens close together
and the expire (having to wait for the address update) causes the
updated SA to get deleted.

Fixes #3164.
2020-10-27 16:45:10 +01:00
Tobias Brunner 9118fd39d7 child-sa: Only query/update/delete inbound SA if it was actually installed
We usually can't do any of these things with temporary SAs created while
allocating an SPI.
2020-10-27 16:42:01 +01:00
Tobias Brunner 610745e724 unit-tests: Free allocated SPIs in mock IPsec backend 2020-10-27 16:42:01 +01:00
Tobias Brunner 29b491ed9c child-sa: No need to attempt to update policies if none are configured 2020-10-27 16:42:01 +01:00
Tobias Brunner de69d25596 child-sa: Only reinstall VIPs if any are passed 2020-10-27 16:42:00 +01:00
Tobias Brunner 60caa4f6c6 testing: Use silent rules to build strongSwan 2020-10-27 16:42:00 +01:00
Tobias Brunner f3f93cade9 load-tester: Also request a virtual IPv6 address
Fixes #3595.
2020-10-27 16:40:38 +01:00
Tobias Brunner 1d232d4954 load-tester: Use appropriate family to request addresses from source IP pools
Looks like this wasn't necessary before 40e9089889 ("Strictly enforce
address family match while acquiring mem_pool IPs").

Fixes #3595.
2020-10-27 16:40:05 +01:00
Tobias Brunner 12a3f3ca52 quick-delete: Properly handle failures to restart CHILD_SA
If DESTROY_ME is returned from initiate(), we must not touch the IKE_SA
anymore.
2020-10-27 16:35:45 +01:00
Tobias Brunner c5baa4cbd6 pkcs7: Order DER encoded attributes
The attributes are encoded as a SET OF, which means that in DER encoding
the encoded attributes have to be ordered lexicographically.

Fixes #3589.
2020-10-27 11:21:09 +01:00
Tobias Brunner 30d47ea4cb swanctl: Support any key type for decrypted keys
The previous code required explicit support for a particular key type,
of which Ed25519 and Ed448 were missing.  While a fallback to `any` would
have been possible (this is already the case for unencrypted keys in the
`private` and `pkcs8` directories, which are not parsed by swanctl), it's
not necessary (as long as swanctl and the daemon are from the same release)
and does not require the daemon to detect the key type again.

Fixes #3586.
2020-10-27 11:17:44 +01:00
Tobias Brunner 6839256773 vici: Support all defined key types
References #3586.
2020-10-27 11:17:21 +01:00
Martin Willi 7efe92130a revocation: Validate OCSP nonce only if response actually contains a nonce
Commit 27756b081c (revocation: Check that nonce in OCSP response matches)
introduced strict nonce validation to prevent replay attacks with OCSP
responses having a longer lifetime. However, many commercial CAs (such as
Digicert) do not support nonces in responses, as they reuse once-issued OCSP
responses for the OCSP lifetime. This can be problematic for replay attack
scenarios, but is nothing we can fix at our end.

With the mentioned commit, such OCSP responses get completely unusable,
requiring the fallback to CRL based revocation. CRLs don't provide any
replay protection either, so there is nothing gained security-wise, but may
require a download of several megabytes CRL data.

To make use of replay protection where available, but fix OCSP verification
where it is not, do nonce verification only if the response actually contains
a nonce. To be safe against replay attacks, one has to fix the OCSP responder
or use a different CA, but this is not something we can enforce.

Fixes #3557.
2020-10-27 10:51:51 +01:00
Tobias Brunner 706a579e96 charon-nm: Terminate if signaled by NetworkManager
This only happens during shutdown, not after terminating a connection.

Fixes #3579.
2020-10-27 10:44:33 +01:00
Tobias Brunner b422f16d10 sys-logger: Optionally log the level of each message
Fixes #3509.
2020-10-27 10:42:49 +01:00
Tobias Brunner a3f5e38b7f file-logger: Optionally log the level of each message
Fixes #3509.
2020-10-27 10:42:39 +01:00
Thomas Egerer e635d3dcbd drbg: Add missing format specifiers to debug output
Fixes: 737375a2d2 ("drbg: Implemented NIST SP-800-90A DRBG")

Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
2020-10-13 10:05:43 +02:00
Tobias Brunner c810912d2f libimcv: Fix Doxygen comments for some pts_meas_algo_* functions 2020-10-12 13:48:57 +02:00
Andreas Steffen f3d96b7bc9 Version bump to 5.9.1dr1 2020-10-07 16:54:32 +02:00
Andreas Steffen 3e5a528aec tpm: Auto-detection of legacy TPM 2.0 devices 2020-10-07 16:54:32 +02:00
Andreas Steffen 3ef5b23903 pts: Variable size PCR banks 2020-10-07 16:54:32 +02:00
Andreas Steffen 56de4dc596 libtpmtss: Remove aik_blob debug output 2020-10-07 16:54:32 +02:00
Andreas Steffen d647a8f91d pts: Parse TPM 2.0 BIOS/EFI event log 2020-10-07 16:54:32 +02:00
Andreas Steffen da1d7815ef tpm: TPM 2.0 supports SHA3 and CMAC 2020-10-07 16:54:32 +02:00
Tobias Brunner 78015d14ac Use Botan 2.16.0 for tests 2020-10-07 12:38:52 +02:00
Tobias Brunner 7f170e4c9c openssl: Accept CRLs issued by non-CA certificates with cRLSign keyUsage flag
The x509 plugin accepted CRL signers since forever, to be precise, since
dffb176f2b ("CRLSign keyUsage or CA basicConstraint are sufficient
for CRL validation")).

References #3529.
2020-10-05 15:39:37 +02:00
Tobias Brunner 428c0b293d testing: Build certificates when make-testing is called 2020-09-30 12:52:43 +02:00