Diffstat (limited to 'src/swanctl')
-rw-r--r-- | src/swanctl/Makefile.am | 1 | ||||
-rw-r--r-- | src/swanctl/Makefile.in | 15 | ||||
-rw-r--r-- | src/swanctl/command.c | 9 | ||||
-rw-r--r-- | src/swanctl/command.h | 2 | ||||
-rw-r--r-- | src/swanctl/commands/counters.c | 154 | ||||
-rw-r--r-- | src/swanctl/swanctl.conf | 3 | ||||
-rw-r--r-- | src/swanctl/swanctl.conf.5.main | 72 | ||||
-rw-r--r-- | src/swanctl/swanctl.opt | 47 |
8 files changed, 269 insertions, 34 deletions
diff --git a/src/swanctl/Makefile.am b/src/swanctl/Makefile.am index 19815c51a..3a432c454 100644 --- a/src/swanctl/Makefile.am +++ b/src/swanctl/Makefile.am @@ -2,6 +2,7 @@ sbin_PROGRAMS = swanctl swanctl_SOURCES = \ command.c command.h \ + commands/counters.c \ commands/initiate.c \ commands/terminate.c \ commands/rekey.c \ diff --git a/src/swanctl/Makefile.in b/src/swanctl/Makefile.in index 6da739b88..ea7130bbb 100644 --- a/src/swanctl/Makefile.in +++ b/src/swanctl/Makefile.in @@ -112,10 +112,11 @@ am__installdirs = "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man5dir)" \ "$(DESTDIR)$(man8dir)" PROGRAMS = $(sbin_PROGRAMS) am__dirstamp = $(am__leading_dot)dirstamp -am_swanctl_OBJECTS = command.$(OBJEXT) commands/initiate.$(OBJEXT) \ - commands/terminate.$(OBJEXT) commands/rekey.$(OBJEXT) \ - commands/redirect.$(OBJEXT) commands/install.$(OBJEXT) \ - commands/list_sas.$(OBJEXT) commands/list_pols.$(OBJEXT) \ +am_swanctl_OBJECTS = command.$(OBJEXT) commands/counters.$(OBJEXT) \ + commands/initiate.$(OBJEXT) commands/terminate.$(OBJEXT) \ + commands/rekey.$(OBJEXT) commands/redirect.$(OBJEXT) \ + commands/install.$(OBJEXT) commands/list_sas.$(OBJEXT) \ + commands/list_pols.$(OBJEXT) \ commands/list_authorities.$(OBJEXT) \ commands/list_conns.$(OBJEXT) commands/list_certs.$(OBJEXT) \ commands/list_pools.$(OBJEXT) commands/list_algs.$(OBJEXT) \ @@ -264,9 +265,11 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ @@ -469,6 +472,7 @@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ swanctl_SOURCES = \ command.c command.h \ + commands/counters.c \ commands/initiate.c \ commands/terminate.c \ commands/rekey.c \ 
@@ -606,6 +610,8 @@ commands/$(am__dirstamp): commands/$(DEPDIR)/$(am__dirstamp): @$(MKDIR_P) commands/$(DEPDIR) @: > commands/$(DEPDIR)/$(am__dirstamp) +commands/counters.$(OBJEXT): commands/$(am__dirstamp) \ + commands/$(DEPDIR)/$(am__dirstamp) commands/initiate.$(OBJEXT): commands/$(am__dirstamp) \ commands/$(DEPDIR)/$(am__dirstamp) commands/terminate.$(OBJEXT): commands/$(am__dirstamp) \ @@ -664,6 +670,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/command.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/swanctl.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/counters.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/flush_certs.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/initiate.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/install.Po@am__quote@ diff --git a/src/swanctl/command.c b/src/swanctl/command.c index 7f65d2b0e..225dff617 100644 --- a/src/swanctl/command.c +++ b/src/swanctl/command.c @@ -147,6 +147,15 @@ void command_register(command_t command) "MAX_COMMANDS\n"); return; } + for (i = 0; i < MAX_COMMANDS && cmds[i].cmd; i++) + { + if (cmds[i].op == command.op) + { + fprintf(stderr, "unable to register command --%s, short option " + "conflicts with --%s\n", command.cmd, cmds[i].cmd); + return; + } + } cmds[registered] = command; /* append default options, but not to --help */ diff --git a/src/swanctl/command.h b/src/swanctl/command.h index c17811498..0d93ae45c 100644 --- a/src/swanctl/command.h +++ b/src/swanctl/command.h @@ -27,7 +27,7 @@ /** * Maximum number of commands (+1). */ -#define MAX_COMMANDS 25 +#define MAX_COMMANDS 26 /** * Maximum number of options in a command (+3) diff --git a/src/swanctl/commands/counters.c b/src/swanctl/commands/counters.c new file mode 100644 index 000000000..ab386b5d8 --- /dev/null +++ b/src/swanctl/commands/counters.c 
@@ -0,0 +1,154 @@
+/*
+ * Copyright (C) 2017 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <errno.h>
+
+#include "command.h"
+
+CALLBACK(counters_kv, int,
+ void *null, vici_res_t *res, char *name, void *value, int len)
+{
+ if (chunk_printable(chunk_create(value, len), NULL, ' '))
+ {
+ printf(" %-22s: %.*s\n", name, len, value);
+ }
+ return 0;
+}
+
+CALLBACK(conns_sn, int,
+ void *null, vici_res_t *res, char *name)
+{
+ printf("%s:\n", strlen(name) ?
name : "global");
+ return vici_parse_cb(res, NULL, counters_kv, NULL, NULL);
+}
+
+CALLBACK(counters_sn, int,
+ void *null, vici_res_t *res, char *name)
+{
+ return vici_parse_cb(res, conns_sn, NULL, NULL, NULL);
+}
+
+static int counters(vici_conn_t *conn)
+{
+ vici_req_t *req;
+ vici_res_t *res;
+ command_format_options_t format = COMMAND_FORMAT_NONE;
+ char *arg, *name = NULL;
+ int ret;
+ bool all = FALSE, reset = FALSE;
+
+ while (TRUE)
+ {
+ switch (command_getopt(&arg))
+ {
+ case 'h':
+ return command_usage(NULL);
+ case 'P':
+ format |= COMMAND_FORMAT_PRETTY;
+ /* fall through to raw */
+ case 'r':
+ format |= COMMAND_FORMAT_RAW;
+ continue;
+ case 'n':
+ name = arg;
+ continue;
+ case 'a':
+ all = TRUE;
+ continue;
+ case 'R':
+ reset = TRUE;
+ continue;
+ case EOF:
+ break;
+ default:
+ return command_usage("invalid --counters option");
+ }
+ break;
+ }
+ if (reset)
+ {
+ req = vici_begin("reset-counters");
+ }
+ else
+ {
+ req = vici_begin("get-counters");
+ }
+ if (all)
+ {
+ vici_add_key_valuef(req, "all", "yes");
+ }
+ else if (name)
+ {
+ vici_add_key_valuef(req, "name", "%s", name);
+ }
+
+ res = vici_submit(req, conn);
+ if (!res)
+ {
+ ret = errno;
+ fprintf(stderr, "%s-counters request failed: %s\n",
+ reset ? "reset" : "get", strerror(errno));
+ return ret;
+ }
+ if (format & COMMAND_FORMAT_RAW)
+ {
+ vici_dump(res, "counters reply", format & COMMAND_FORMAT_PRETTY,
+ stdout);
+ }
+ else
+ {
+ if (streq(vici_find_str(res, "no", "success"), "yes"))
+ {
+ if (reset)
+ {
+ printf("reset-counters completed successfully\n");
+ }
+ else if (vici_parse_cb(res, counters_sn, NULL, NULL, NULL) != 0)
+ {
+ fprintf(stderr, "parsing get-counters reply failed: %s\n",
+ strerror(errno));
+ }
+ }
+ else
+ {
+ fprintf(stderr, "%s-counters failed: %s\n", reset ? "reset" : "get",
+ vici_find_str(res, "", "errmsg"));
+ ret = 1;
+ }
+ }
+ vici_free_res(res);
+ return 0;
+}
+
+/**
+ * Register the command.
+ */ +static void __attribute__ ((constructor))reg() +{ + command_register((command_t) { + counters, 'C', "counters", "list or reset IKE event counters", + {"[--name <name>|--all] [--reset] [--raw|--pretty]"}, + { + {"help", 'h', 0, "show usage information"}, + {"name", 'n', 1, "connection name, omit for global counters"}, + {"all", 'a', 0, "get/reset counters for all tracked connections"}, + {"reset", 'R', 0, "reset the counters"}, + {"raw", 'r', 0, "dump raw response message"}, + {"pretty", 'P', 0, "dump raw response message in pretty print"}, + } + }); +} diff --git a/src/swanctl/swanctl.conf b/src/swanctl/swanctl.conf index 1ff5ee8fb..9b87a963a 100644 --- a/src/swanctl/swanctl.conf +++ b/src/swanctl/swanctl.conf @@ -305,6 +305,9 @@ # Netfilter mark and mask for input traffic. # mark_in = 0/0x00000000 + # Whether to set *mark_in* on the inbound SA. + # mark_in_sa = no + # Netfilter mark and mask for output traffic. # mark_out = 0/0x00000000 diff --git a/src/swanctl/swanctl.conf.5.main b/src/swanctl/swanctl.conf.5.main index d1aced493..6c73d4775 100644 --- a/src/swanctl/swanctl.conf.5.main +++ b/src/swanctl/swanctl.conf.5.main @@ -252,11 +252,9 @@ to enforce the uniqueness policy instead. On initiators this setting specifies whether an INITIAL_CONTACT notify is sent during IKE_AUTH if no existing connection is found with the remote peer -(determined by the identities of the first authentication round). Only if set to -.RI "" "keep" "" -or -.RI "" "replace" "" -will the client send a notify. +(determined by the identities of the first authentication round). Unless set to +.RI "" "never" "" +the client will send a notify. .TP .BR connections.<conn>.reauth_time " [0s]" 
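Review bot: The daemon-reported failure branch near the end of counters() sets `ret = 1`, but the function then unconditionally executes `return 0;` after `vici_free_res(res)`, so a rejected get-counters or reset-counters request still exits with status 0; the `parsing get-counters reply failed` branch likewise prints to stderr without setting ret, and `int ret;` is never initialised on these paths. Change the declaration to `int ret = 0;`, add `ret = 1;` in the parse-failure branch, and end the function with `return ret;` so the exit status reflects what was printed. Without this, anything scripting `swanctl --counters --reset` and checking its status will treat a failed reset as success.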
@@ -485,6 +483,20 @@ configured any signature scheme constraint (without prefix) will also apply to IKEv2 authentication, unless this is disabled in .RB "" "strongswan.conf" "(5)." +To use RSASSA\-PSS signatures use +.RI "" "rsa/pss" "" +instead of +.RI "" "pubkey" "" +or +.RI "" "rsa" "" +as in e.g. +.RI "" "ike:rsa/pss\-sha256" "." +If +.RI "" "pubkey" "" +or +.RI "" "rsa" "" +constraints are configured RSASSA\-PSS signatures will only be used if enabled in +.RB "" "strongswan.conf" "(5)." .TP @@ -726,7 +738,24 @@ section's .RB "" "auth" "" keyword for details), such key types and hash algorithms are also applied as constraints -against IKEv2 signature authentication schemes used by the remote side. +against IKEv2 signature authentication schemes used by the remote side. To +require RSASSA\-PSS signatures use +.RI "" "rsa/pss" "" +instead of +.RI "" "pubkey" "" +or +.RI "" "rsa" "" +as in +e.g. +.RI "" "rsa/pss\-sha256" "." +If +.RI "" "pubkey" "" +or +.RI "" "rsa" "" +constraints are configured +RSASSA\-PSS signatures will only be accepted if enabled in +.RB "" "strongswan.conf" "(5)." + To specify trust chain constraints for EAP\-(T)TLS, append a colon to the EAP method, followed by the key type/size and hash algorithm as discussed above 
@@ -1053,9 +1082,11 @@ Optional interface name to restrict IPsec policies. .TP .BR connections.<conn>.children.<child>.mark_in " [0/0x00000000]" -Netfilter mark and mask for input traffic. On Linux Netfilter may require marks -on each packet to match an SA having that option set. This allows Netfilter -rules to select specific tunnels for incoming traffic. The special value +Netfilter mark and mask for input traffic. On Linux, Netfilter may require marks +on each packet to match an SA/policy having that option set. This allows +installing duplicate policies and enables Netfilter rules to select specific +SAs/policies for incoming traffic. Note that inbound marks are only set on +policies, by default, unless *mark_in_sa* is enabled. The special value .RI "" "%unique" "" sets a unique mark on each CHILD_SA instance, beyond that the value .RI "" "%unique\-dir" "" 
@@ -1068,15 +1099,26 @@ The default mask if omitted is 0xffffffff. .TP +.BR connections.<conn>.children.<child>.mark_in_sa " [no]" +Whether to set *mark_in* on the inbound SA. By default, the inbound mark is only +set on the inbound policy. The tuple destination address, protocol and SPI is +unique and the mark is not required to find the correct SA, allowing to mark +traffic after decryption instead (where more specific selectors may be used) to +match different policies. Marking packets before decryption is still possible, +even if no mark is set on the SA. + +.TP .BR connections.<conn>.children.<child>.mark_out " [0/0x00000000]" -Netfilter mark and mask for output traffic. On Linux Netfilter may require marks -on each packet to match a policy having that option set. This allows Netfilter -rules to select specific tunnels for outgoing traffic. The special value +Netfilter mark and mask for output traffic. On Linux, Netfilter may require +marks on each packet to match a policy/SA having that option set. This allows +installing duplicate policies and enables Netfilter rules to select specific +policies/SAs for outgoing traffic. The special value .RI "" "%unique" "" -sets a unique mark on each CHILD_SA instance, beyond that the value +sets a unique +mark on each CHILD_SA instance, beyond that the value .RI "" "%unique\-dir" "" -assigns a different unique mark for each CHILD_SA direction -(in/out). +assigns a +different unique mark for each CHILD_SA direction (in/out). An additional mask may be appended to the mark, separated by .RI "" "/" "." diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt index d0a0d21dd..2dd9ea374 100644 --- a/src/swanctl/swanctl.opt +++ b/src/swanctl/swanctl.opt 
@@ -216,7 +216,7 @@ connections.<conn>.unique = no On initiators this setting specifies whether an INITIAL_CONTACT notify is sent during IKE_AUTH if no existing connection is found with the remote peer (determined by the identities of the first authentication round). - Only if set to _keep_ or _replace_ will the client send a notify. + Unless set to _never_ the client will send a notify. connections.<conn>.reauth_time = 0s Time to schedule IKE reauthentication. @@ -395,7 +395,11 @@ connections.<conn>.local<suffix>.auth = pubkey algorithm that matches or exceeds the strength of the signature key. If no constraints with _ike:_ prefix are configured any signature scheme constraint (without _ike:_ prefix) will also apply to IKEv2 authentication, - unless this is disabled in **strongswan.conf**(5). + unless this is disabled in **strongswan.conf**(5). To use RSASSA-PSS + signatures use _rsa/pss_ instead of _pubkey_ or _rsa_ as in e.g. + _ike:rsa/pss-sha256_. If _pubkey_ or _rsa_ constraints are configured + RSASSA-PSS signatures will only be used if enabled in + **strongswan.conf**(5). connections.<conn>.local<suffix>.id = IKE identity to use for authentication round. @@ -589,7 +593,10 @@ connections.<conn>.remote<suffix>.auth = pubkey constraints are configured (refer to the description of the **local** section's **auth** keyword for details), such key types and hash algorithms are also applied as constraints against IKEv2 signature authentication - schemes used by the remote side. + schemes used by the remote side. To require RSASSA-PSS signatures use + _rsa/pss_ instead of _pubkey_ or _rsa_ as in e.g. _rsa/pss-sha256_. If + _pubkey_ or _rsa_ constraints are configured RSASSA-PSS signatures will only + be accepted if enabled in **strongswan.conf**(5). To specify trust chain constraints for EAP-(T)TLS, append a colon to the EAP method, followed by the key type/size and hash algorithm as discussed 
@@ -867,25 +874,37 @@ connections.<conn>.children.<child>.interface = connections.<conn>.children.<child>.mark_in = 0/0x00000000 Netfilter mark and mask for input traffic. - Netfilter mark and mask for input traffic. On Linux Netfilter may require - marks on each packet to match an SA having that option set. This allows - Netfilter rules to select specific tunnels for incoming traffic. The - special value _%unique_ sets a unique mark on each CHILD_SA instance, - beyond that the value _%unique-dir_ assigns a different unique mark for each + Netfilter mark and mask for input traffic. On Linux, Netfilter may require + marks on each packet to match an SA/policy having that option set. This + allows installing duplicate policies and enables Netfilter rules to select + specific SAs/policies for incoming traffic. Note that inbound marks are + only set on policies, by default, unless *mark_in_sa* is enabled. The + special value _%unique_ sets a unique mark on each CHILD_SA instance, beyond + that the value _%unique-dir_ assigns a different unique mark for each CHILD_SA direction (in/out). An additional mask may be appended to the mark, separated by _/_. The default mask if omitted is 0xffffffff. +connections.<conn>.children.<child>.mark_in_sa = no + Whether to set *mark_in* on the inbound SA. + + Whether to set *mark_in* on the inbound SA. By default, the inbound mark is + only set on the inbound policy. The tuple destination address, protocol and + SPI is unique and the mark is not required to find the correct SA, allowing + to mark traffic after decryption instead (where more specific selectors may + be used) to match different policies. Marking packets before decryption is + still possible, even if no mark is set on the SA. + connections.<conn>.children.<child>.mark_out = 0/0x00000000 Netfilter mark and mask for output traffic. - Netfilter mark and mask for output traffic. On Linux Netfilter may require - marks on each packet to match a policy having that option set. 
This allows - Netfilter rules to select specific tunnels for outgoing traffic. The - special value _%unique_ sets a unique mark on each CHILD_SA instance, - beyond that the value _%unique-dir_ assigns a different unique mark for each - CHILD_SA direction (in/out). + Netfilter mark and mask for output traffic. On Linux, Netfilter may require + marks on each packet to match a policy/SA having that option set. This + allows installing duplicate policies and enables Netfilter rules to select + specific policies/SAs for outgoing traffic. The special value _%unique_ sets + a unique mark on each CHILD_SA instance, beyond that the value _%unique-dir_ + assigns a different unique mark for each CHILD_SA direction (in/out). An additional mask may be appended to the mark, separated by _/_. The default mask if omitted is 0xffffffff. |