From 25663e04c3ab01ef8dc9f906608282319cfea2db Mon Sep 17 00:00:00 2001 From: Yves-Alexis Perez Date: Thu, 20 Oct 2016 16:18:38 +0200 Subject: New upstream version 5.5.1 --- src/swanctl/Makefile.am | 2 + src/swanctl/Makefile.in | 12 +++-- src/swanctl/command.h | 2 +- src/swanctl/commands/flush_certs.c | 90 ++++++++++++++++++++++++++++++++++++++ src/swanctl/commands/load_conns.c | 2 +- src/swanctl/commands/load_creds.c | 15 ++++--- src/swanctl/swanctl.8.in | 7 +-- src/swanctl/swanctl.conf | 17 ++++++- src/swanctl/swanctl.conf.5.main | 63 +++++++++++++++++++------- src/swanctl/swanctl.h | 6 +++ src/swanctl/swanctl.opt | 41 +++++++++++++---- 11 files changed, 217 insertions(+), 40 deletions(-) create mode 100644 src/swanctl/commands/flush_certs.c (limited to 'src/swanctl') diff --git a/src/swanctl/Makefile.am b/src/swanctl/Makefile.am index 37a0224c3..9ca759ea3 100644 --- a/src/swanctl/Makefile.am +++ b/src/swanctl/Makefile.am @@ -13,6 +13,7 @@ swanctl_SOURCES = \ commands/list_certs.c \ commands/list_pools.c \ commands/list_algs.c \ + commands/flush_certs.c \ commands/load_all.c \ commands/load_authorities.h commands/load_authorities.c \ commands/load_conns.c commands/load_conns.h \ @@ -69,6 +70,7 @@ install-data-local: swanctl.conf test -e "$(DESTDIR)$(swanctldir)/x509crl" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509crl" || true test -e "$(DESTDIR)$(swanctldir)/x509ac" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509ac" || true test -e "$(DESTDIR)$(swanctldir)/pubkey" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/pubkey" || true + test -e "$(DESTDIR)$(swanctldir)/private" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/private" || true test -e "$(DESTDIR)$(swanctldir)/rsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/rsa" || true test -e "$(DESTDIR)$(swanctldir)/ecdsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/ecdsa" || true test -e "$(DESTDIR)$(swanctldir)/bliss" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/bliss" || true diff --git a/src/swanctl/Makefile.in b/src/swanctl/Makefile.in index ebe1aba0d..ff9dca09d 100644 --- a/src/swanctl/Makefile.in +++ b/src/swanctl/Makefile.in @@ -119,7 +119,7 @@ am_swanctl_OBJECTS = command.$(OBJEXT) commands/initiate.$(OBJEXT) \ commands/list_authorities.$(OBJEXT) \ commands/list_conns.$(OBJEXT) commands/list_certs.$(OBJEXT) \ commands/list_pools.$(OBJEXT) commands/list_algs.$(OBJEXT) \ - commands/load_all.$(OBJEXT) \ + commands/flush_certs.$(OBJEXT) commands/load_all.$(OBJEXT) \ commands/load_authorities.$(OBJEXT) \ commands/load_conns.$(OBJEXT) commands/load_creds.$(OBJEXT) \ commands/load_pools.$(OBJEXT) commands/log.$(OBJEXT) \ @@ -370,7 +370,6 @@ clearsilver_LIBS = @clearsilver_LIBS@ cmd_plugins = @cmd_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ -dbusservicedir = @dbusservicedir@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ @@ -404,8 +403,6 @@ libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ -maemo_CFLAGS = @maemo_CFLAGS@ -maemo_LIBS = @maemo_LIBS@ manager_plugins = @manager_plugins@ mandir = @mandir@ medsrv_plugins = @medsrv_plugins@ @@ -459,6 +456,8 @@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ +tss2_CFLAGS = @tss2_CFLAGS@ +tss2_LIBS = @tss2_LIBS@ urandom_device = @urandom_device@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ @@ -475,6 +474,7 @@ swanctl_SOURCES = \ commands/list_certs.c \ commands/list_pools.c \ commands/list_algs.c \ + commands/flush_certs.c \ commands/load_all.c \ commands/load_authorities.h commands/load_authorities.c \ commands/load_conns.c commands/load_conns.h \ @@ -621,6 +621,8 @@ commands/list_pools.$(OBJEXT): commands/$(am__dirstamp) \ commands/$(DEPDIR)/$(am__dirstamp) commands/list_algs.$(OBJEXT): commands/$(am__dirstamp) \ commands/$(DEPDIR)/$(am__dirstamp) +commands/flush_certs.$(OBJEXT): commands/$(am__dirstamp) \ + commands/$(DEPDIR)/$(am__dirstamp) commands/load_all.$(OBJEXT): commands/$(am__dirstamp) \ commands/$(DEPDIR)/$(am__dirstamp) commands/load_authorities.$(OBJEXT): commands/$(am__dirstamp) \ @@ -653,6 +655,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/command.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/swanctl.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/flush_certs.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/initiate.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/install.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/list_algs.Po@am__quote@ @@ -1037,6 +1040,7 @@ install-data-local: swanctl.conf test -e "$(DESTDIR)$(swanctldir)/x509crl" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509crl" || true test -e "$(DESTDIR)$(swanctldir)/x509ac" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509ac" || true test -e "$(DESTDIR)$(swanctldir)/pubkey" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/pubkey" || true + test -e "$(DESTDIR)$(swanctldir)/private" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/private" || true test -e "$(DESTDIR)$(swanctldir)/rsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/rsa" || true test -e "$(DESTDIR)$(swanctldir)/ecdsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/ecdsa" || true test -e "$(DESTDIR)$(swanctldir)/bliss" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/bliss" || true diff --git a/src/swanctl/command.h b/src/swanctl/command.h index 8d0a2e6b9..7b92ae91a 100644 --- a/src/swanctl/command.h +++ b/src/swanctl/command.h @@ -27,7 +27,7 @@ /** * Maximum number of commands (+1). */ -#define MAX_COMMANDS 23 +#define MAX_COMMANDS 24 /** * Maximum number of options in a command (+3) diff --git a/src/swanctl/commands/flush_certs.c b/src/swanctl/commands/flush_certs.c new file mode 100644 index 000000000..527419f88 --- /dev/null +++ b/src/swanctl/commands/flush_certs.c @@ -0,0 +1,90 @@ +/* + * Copyright (C) 2016 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include + +#include "command.h" + +static int flush_certs(vici_conn_t *conn) +{ + vici_req_t *req; + vici_res_t *res; + command_format_options_t format = COMMAND_FORMAT_NONE; + char *arg, *type = NULL; + int ret; + + while (TRUE) + { + switch (command_getopt(&arg)) + { + case 'h': + return command_usage(NULL); + case 't': + type = arg; + continue; + case 'P': + format |= COMMAND_FORMAT_PRETTY; + /* fall through to raw */ + case 'r': + format |= COMMAND_FORMAT_RAW; + continue; + case EOF: + break; + default: + return command_usage("invalid --flush-certs option"); + } + break; + } + req = vici_begin("flush-certs"); + + if (type) + { + vici_add_key_valuef(req, "type", "%s", type); + } + res = vici_submit(req, conn); + + if (!res) + { + ret = errno; + fprintf(stderr, "flush-certs request failed: %s\n", strerror(errno)); + return ret; + } + if (format & COMMAND_FORMAT_RAW) + { + vici_dump(res, "flush-certs reply", format & COMMAND_FORMAT_PRETTY, + stdout); + } + vici_free_res(res); + + return 0; +} + +/** + * Register the command. + */ +static void __attribute__ ((constructor))reg() +{ + command_register((command_t) { + flush_certs, 'f', "flush-certs", "flush cached certificates", + {"[--type x509|x509_ac|x509_crl|ocsp_response|pubkey]", + "[--raw|--pretty]"}, + { + {"help", 'h', 0, "show usage information"}, + {"type", 't', 1, "filter by certificate type"}, + {"raw", 'r', 0, "dump raw response message"}, + {"pretty", 'P', 0, "dump raw response message in pretty print"}, + } + }); +} diff --git a/src/swanctl/commands/load_conns.c b/src/swanctl/commands/load_conns.c index 87526bc79..2e443a94a 100644 --- a/src/swanctl/commands/load_conns.c +++ b/src/swanctl/commands/load_conns.c @@ -221,7 +221,7 @@ static bool load_conn(vici_conn_t *conn, settings_t *cfg, vici_req_t *req; vici_res_t *res; bool ret = TRUE; - char buf[128]; + char buf[BUF_LEN]; snprintf(buf, sizeof(buf), "%s.%s", "connections", section); diff --git a/src/swanctl/commands/load_creds.c b/src/swanctl/commands/load_creds.c index 4647934f7..6278f66b4 100644 --- a/src/swanctl/commands/load_creds.c +++ b/src/swanctl/commands/load_creds.c @@ -2,6 +2,7 @@ * Copyright (C) 2014 Martin Willi * Copyright (C) 2014 revosec AG * + * Copyright (C) 2016 Tobias Brunner * Copyright (C) 2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * @@ -128,7 +129,8 @@ static bool load_key(vici_conn_t *conn, command_format_options_t format, req = vici_begin("load-key"); - if (streq(type, "pkcs8")) + if (streq(type, "private") || + streq(type, "pkcs8")) { /* as used by vici */ vici_add_key_valuef(req, "type", "any"); } @@ -251,6 +253,7 @@ static bool determine_credtype(char *type, credential_type_t *credtype, credential_type_t credtype; int subtype; } map[] = { + { "private", CRED_PRIVATE_KEY, KEY_ANY, }, { "pkcs8", CRED_PRIVATE_KEY, KEY_ANY, }, { "rsa", CRED_PRIVATE_KEY, KEY_RSA, }, { "ecdsa", CRED_PRIVATE_KEY, KEY_ECDSA, }, @@ -565,6 +568,7 @@ static bool load_secret(vici_conn_t *conn, settings_t *cfg, "eap", "xauth", "ike", + "private", "rsa", "ecdsa", "bliss", @@ -700,10 +704,11 @@ int load_creds_cfg(vici_conn_t *conn, command_format_options_t format, load_certs(conn, format, "x509crl", SWANCTL_X509CRLDIR); load_certs(conn, format, "pubkey", SWANCTL_PUBKEYDIR); - load_keys(conn, format, noprompt, cfg, "rsa", SWANCTL_RSADIR); - load_keys(conn, format, noprompt, cfg, "ecdsa", SWANCTL_ECDSADIR); - load_keys(conn, format, noprompt, cfg, "bliss", SWANCTL_BLISSDIR); - load_keys(conn, format, noprompt, cfg, "pkcs8", SWANCTL_PKCS8DIR); + load_keys(conn, format, noprompt, cfg, "private", SWANCTL_PRIVATEDIR); + load_keys(conn, format, noprompt, cfg, "rsa", SWANCTL_RSADIR); + load_keys(conn, format, noprompt, cfg, "ecdsa", SWANCTL_ECDSADIR); + load_keys(conn, format, noprompt, cfg, "bliss", SWANCTL_BLISSDIR); + load_keys(conn, format, noprompt, cfg, "pkcs8", SWANCTL_PKCS8DIR); load_containers(conn, format, noprompt, cfg, "pkcs12", SWANCTL_PKCS12DIR); diff --git a/src/swanctl/swanctl.8.in b/src/swanctl/swanctl.8.in index a3074601e..9c5a5a03d 100644 --- a/src/swanctl/swanctl.8.in +++ b/src/swanctl/swanctl.8.in @@ -38,11 +38,9 @@ output. initiate a connection .TP .B "\-t, \-\-terminate" -\-\-terminate\fR terminate a connection .TP .B "\-d, \-\-redirect" -\-\-redirect\fR redirect an IKE_SA .TP .B "\-p, \-\-install" @@ -93,7 +91,10 @@ trace logging output .B "\-S, \-\-stats" show daemon infos and statistics .TP -.B "\-r, \-\-reload-settings" +.B "\-f, \-\-flush\-certs" +flush cached certificates +.TP +.B "\-r, \-\-reload\-settings" reload strongswan.conf(5) configuration .TP .B "\-v, \-\-version" diff --git a/src/swanctl/swanctl.conf b/src/swanctl/swanctl.conf index 6bc81becf..eb46005e1 100644 --- a/src/swanctl/swanctl.conf +++ b/src/swanctl/swanctl.conf @@ -44,7 +44,7 @@ # dpd_timeout = 0s # Use IKE UDP datagram fragmentation. (yes, no or force). - # fragmentation = no + # fragmentation = yes # Send certificate requests payloads (yes or no). # send_certreq = yes @@ -201,6 +201,9 @@ # Whether to install IPsec policies or not. # policies = yes + # Whether to install outbound FWD IPsec policies or not. + # policies_fwd_out = no + # Action to perform on DPD timeout (clear, trap or restart). # dpd_action = clear @@ -278,6 +281,18 @@ # } + # Private key decryption passphrase for a key in the private folder. + # private { + + # File name in the private folder for which this passphrase should be + # used. + # file = + + # Value of decryption passphrase for private key. + # secret = + + # } + # Private key decryption passphrase for a key in the rsa folder. # rsa { diff --git a/src/swanctl/swanctl.conf.5.main b/src/swanctl/swanctl.conf.5.main index 013e35fb7..697bd406a 100644 --- a/src/swanctl/swanctl.conf.5.main +++ b/src/swanctl/swanctl.conf.5.main @@ -151,22 +151,23 @@ compatibility reasons, with IKEv1 a custom interval may be specified; this option has no effect on connections using IKE2. .TP -.BR connections..fragmentation " [no]" +.BR connections..fragmentation " [yes]" Use IKE fragmentation (proprietary IKEv1 extension or RFC 7383 IKEv2 fragmentation). Acceptable values are -.RI "" "yes" "," +.RI "" "yes" "" +(the default), .RI "" "force" "" and -.RI "" "no" "" -(the default). -Fragmented IKE messages sent by a peer are always accepted irrespective of the -value of this option. If set to +.RI "" "no" "." +Fragmented IKE messages sent by a peer are always accepted irrespective of +the value of this option. If set to .RI "" "yes" "," -and the peer supports it, oversized IKE -messages will be sent in fragments. If set to +and the peer supports it, +oversized IKE messages will be sent in fragments. If set to .RI "" "force" "" -(only supported for -IKEv1) the initial IKE message will already be fragmented if required. +(only +supported for IKEv1) the initial IKE message will already be fragmented if +required. .TP .BR connections..send_certreq " [yes]" @@ -594,7 +595,9 @@ the CHILD_SA configuration, which must be unique within the connection. AH proposals to offer for the CHILD_SA. A proposal is a set of algorithms. For AH, this includes an integrity algorithm and an optional Diffie\-Hellman group. If a DH group is specified, CHILD_SA/Quick Mode rekeying and initial negotiation -uses a separate Diffie\-Hellman exchange using the specified group. +uses a separate Diffie\-Hellman exchange using the specified group (refer to +.RI "" "esp_proposals" "" +for details). In IKEv2, multiple algorithms of the same kind can be specified in a single proposal, from which one gets selected. In IKEv1, only one algorithm per kind is @@ -617,14 +620,19 @@ algorithm, an optional Diffie\-Hellman group and an optional Extended Sequence Number Mode indicator. For AEAD proposals, a combined mode algorithm is used instead of the separate encryption/integrity algorithms. -If a DH group is specified, CHILD_SA/Quick Mode rekeying and initial (non -IKE_AUTH piggybacked) negotiation uses a separate Diffie\-Hellman exchange using -the specified group. Extended Sequence Number support may be indicated with the +If a DH group is specified, CHILD_SA/Quick Mode rekeying and initial negotiation +use a separate Diffie\-Hellman exchange using the specified group. However, for +IKEv2, the keys of the CHILD_SA created implicitly with the IKE_SA will always +be derived from the IKE_SA's key material. So any DH group specified here will +only apply when the CHILD_SA is later rekeyed or is created with a separate +CREATE_CHILD_SA exchange. A proposal mismatch might, therefore, not immediately +be noticed when the SA is established, but may later cause rekeying to fail. + +Extended Sequence Number support may be indicated with the .RI "" "esn" "" and .RI "" "noesn" "" -values, both may be included to indicate support for both -modes. If omitted, +values, both may be included to indicate support for both modes. If omitted, .RI "" "noesn" "" is assumed. @@ -820,6 +828,12 @@ defined traffic from IPsec processing or drop it, respectively. Whether to install IPsec policies or not. Disabling this can be useful in some scenarios e.g. MIPv6, where policies are not managed by the IKE daemon. +.TP +.BR connections..children..policies_fwd_out " [no]" +Whether to install outbound FWD IPsec policies or not. Enabling this is required +in case there is a drop policy that would match and block forwarded traffic for +this CHILD_SA. + .TP .BR connections..children..dpd_action " [clear]" Action to perform for this CHILD_SA on DPD timeout. The default @@ -1021,6 +1035,23 @@ be specified, each having an prefix, if a secret is shared between multiple peers. +.TP +.B secrets.private +.br +Private key decryption passphrase for a key in the +.RI "" "private" "" +folder. + +.TP +.BR secrets.private.file " []" +File name in the +.RI "" "private" "" +folder for which this passphrase should be used. + +.TP +.BR secrets.private.secret " []" +Value of decryption passphrase for private key. + .TP .B secrets.rsa .br diff --git a/src/swanctl/swanctl.h b/src/swanctl/swanctl.h index 560e89513..eac1fc6d0 100644 --- a/src/swanctl/swanctl.h +++ b/src/swanctl/swanctl.h @@ -2,6 +2,7 @@ * Copyright (C) 2014 Martin Willi * Copyright (C) 2014 revosec AG * + * Copyright (C) 2016 Tobias Brunner * Copyright (C) 2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * @@ -64,6 +65,11 @@ */ #define SWANCTL_PUBKEYDIR SWANCTLDIR "/pubkey" +/** + * Directory for private keys + */ +#define SWANCTL_PRIVATEDIR SWANCTLDIR "/private" + /** * Directory for RSA private keys */ diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt index fe5b293fb..a7d6d9fc3 100644 --- a/src/swanctl/swanctl.opt +++ b/src/swanctl/swanctl.opt @@ -139,12 +139,12 @@ connections..dpd_timeout = 0s checking. For compatibility reasons, with IKEv1 a custom interval may be specified; this option has no effect on connections using IKE2. -connections..fragmentation = no +connections..fragmentation = yes Use IKE UDP datagram fragmentation. (_yes_, _no_ or _force_). Use IKE fragmentation (proprietary IKEv1 extension or RFC 7383 IKEv2 - fragmentation). Acceptable values are _yes_, _force_ and _no_ (the - default). Fragmented IKE messages sent by a peer are always accepted + fragmentation). Acceptable values are _yes_ (the default), _force_ and + _no_. Fragmented IKE messages sent by a peer are always accepted irrespective of the value of this option. If set to _yes_, and the peer supports it, oversized IKE messages will be sent in fragments. If set to _force_ (only supported for IKEv1) the initial IKE message will already @@ -472,7 +472,7 @@ connections..children..ah_proposals = For AH, this includes an integrity algorithm and an optional Diffie-Hellman group. If a DH group is specified, CHILD_SA/Quick Mode rekeying and initial negotiation uses a separate Diffie-Hellman exchange using the specified - group. + group (refer to _esp_proposals_ for details). In IKEv2, multiple algorithms of the same kind can be specified in a single proposal, from which one gets selected. In IKEv1, only one algorithm per @@ -495,11 +495,18 @@ connections..children..esp_proposals = default mode algorithm is used instead of the separate encryption/integrity algorithms. - If a DH group is specified, CHILD_SA/Quick Mode rekeying and initial (non - IKE_AUTH piggybacked) negotiation uses a separate Diffie-Hellman exchange - using the specified group. Extended Sequence Number support may be indicated - with the _esn_ and _noesn_ values, both may be included to indicate support - for both modes. If omitted, _noesn_ is assumed. + If a DH group is specified, CHILD_SA/Quick Mode rekeying and initial + negotiation use a separate Diffie-Hellman exchange using the specified + group. However, for IKEv2, the keys of the CHILD_SA created implicitly with + the IKE_SA will always be derived from the IKE_SA's key material. So any DH + group specified here will only apply when the CHILD_SA is later rekeyed or + is created with a separate CREATE_CHILD_SA exchange. A proposal mismatch + might, therefore, not immediately be noticed when the SA is established, but + may later cause rekeying to fail. + + Extended Sequence Number support may be indicated with the _esn_ and _noesn_ + values, both may be included to indicate support for both modes. If omitted, + _noesn_ is assumed. In IKEv2, multiple algorithms of the same kind can be specified in a single proposal, from which one gets selected. In IKEv1, only one algorithm per @@ -652,6 +659,13 @@ connections..children..policies = yes Whether to install IPsec policies or not. Disabling this can be useful in some scenarios e.g. MIPv6, where policies are not managed by the IKE daemon. +connections..children..policies_fwd_out = no + Whether to install outbound FWD IPsec policies or not. + + Whether to install outbound FWD IPsec policies or not. Enabling this is + required in case there is a drop policy that would match and block forwarded + traffic for this CHILD_SA. + connections..children..dpd_action = clear Action to perform on DPD timeout (_clear_, _trap_ or _restart_). @@ -821,6 +835,15 @@ secrets.ike.id = may be specified, each having an _id_ prefix, if a secret is shared between multiple peers. +secrets.private { # } + Private key decryption passphrase for a key in the _private_ folder. + +secrets.private.file = + File name in the _private_ folder for which this passphrase should be used. + +secrets.private.secret + Value of decryption passphrase for private key. + secrets.rsa { # } Private key decryption passphrase for a key in the _rsa_ folder. -- cgit v1.2.3