Please merge strongswan 5.3.5-1 (main) from Debian unstable (main)

Bug #1535951 reported by Ryan Harper on 2016-01-20
This bug affects 11 people
Affects: strongswan (Ubuntu)
Importance: High
Assigned to: Ryan Harper

Bug Description

Please merge strongswan 5.3.5-1 (main) from Debian unstable (main)

Ryan Harper (raharper) on 2016-01-20
Changed in strongswan (Ubuntu):
assignee: nobody → Ryan Harper (raharper)
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in strongswan (Ubuntu):
status: New → Confirmed
Simon Déziel (sdeziel) wrote :

The attached logcheck rules should cover all the normal logs generated by Strongswan using the stock default config. If Debian integrates this ruleset, bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=787156 could be closed.

Simon Déziel (sdeziel) wrote :
mrq1 (kubuntu-bugreporter) wrote :

is there any progress on this issue?

FeatureFreeze & DebianImportFreeze are getting close :-/

There is a thread on Ubuntu-devel

Ryan Harper (raharper) wrote :

Yes, quite close. I'll handle the FFE if needed but I feel on-track. I'm preparing the merge debdiff for review.

Threads:
https://lists.ubuntu.com/archives/ubuntu-devel/2016-January/039144.html
https://lists.ubuntu.com/archives/ubuntu-devel/2016-February/039201.html

Please give the test-package a go if you're a strongswan user.

mrq1 (kubuntu-bugreporter) wrote :

hi

i used your ppa .. looks great with the default plugin package

but with the extra plugins:

Feb 13 17:22:28 kvm-xenial charon: 00[CFG] mediation client database URI not defined, skipped
Feb 13 17:22:28 kvm-xenial charon: 00[CFG] no threshold configured for systime-fix, disabled
Feb 13 17:22:28 kvm-xenial charon: 00[CFG] coupling file path unspecified
Feb 13 17:22:28 kvm-xenial charon: 00[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp xcbc cmac hmac ctr ccm gcm ntru curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity
Feb 13 17:22:28 kvm-xenial charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Feb 13 17:22:28 kvm-xenial charon: 00[JOB] spawning 16 worker threads
Feb 13 17:22:28 kvm-xenial charon: 04[DMN] thread 4 received 11
Feb 13 17:22:28 kvm-xenial charon: 04[LIB] dumping 7 stack frame addresses:
Feb 13 17:22:28 kvm-xenial charon: 04[LIB] /lib/x86_64-linux-gnu/libpthread.so.0 @ 0x7fec9e184000 [0x7fec9e194cd0]
Feb 13 17:22:28 kvm-xenial charon: 09[DMN] thread 9 received 11
Feb 13 17:22:28 kvm-xenial charon: 09[LIB] dumping 7 stack frame addresses:
Feb 13 17:22:28 kvm-xenial charon: 09[LIB] /lib/x86_64-linux-gnu/libpthread.so.0 @ 0x7fec9e184000 [0x7fec9e194cd0]
Feb 13 17:22:28 kvm-xenial charon: 10[DMN] thread 10 received 11
Feb 13 17:22:28 kvm-xenial charon: 10[LIB] dumping 7 stack frame addresses:
Feb 13 17:22:28 kvm-xenial charon: 10[LIB] /lib/x86_64-linux-gnu/libpthread.so.0 @ 0x7fec9e184000 [0x7fec9e194cd0]
Feb 13 17:22:28 kvm-xenial charon: 04[LIB] ->
Feb 13 17:22:28 kvm-xenial charon: 04[LIB] /usr/lib/ipsec/libipsec.so.0 @ 0x7fec8d476000 [0x7fec8d478fdc]
Feb 13 17:22:28 kvm-xenial charon: 09[LIB] ->
Feb 13 17:22:28 kvm-xenial charon: 09[LIB] /usr/lib/ipsec/libipsec.so.0 @ 0x7fec8d476000 [0x7fec8d479b5b]
Feb 13 17:22:28 kvm-xenial charon: 10[LIB] ->
Feb 13 17:22:28 kvm-xenial charon: 10[LIB] /usr/lib/ipsec/libipsec.so.0 @ 0x7fec8d476000 [0x7fec8d479f4b]
Feb 13 17:22:28 kvm-xenial charon: 04[LIB] ->
Feb 13 17:22:28 kvm-xenial charon: 04[LIB] /usr/lib/ipsec/libstrongswan.so.0 @ 0x7fec9e834000 [0x7fec9e8610c2]
Feb 13 17:22:28 kvm-xenial charon: 09[LIB] ->
Feb 13 17:22:28 kvm-xenial charon: 09[LIB] /usr/lib/ipsec/libstrongswan.so.0 @ 0x7fec9e834000 [0x7fec9e8610c2]
Feb 13 17:22:28 kvm-xenial charon: 10[LIB] ->
Feb 13 17:22:28 kvm-xenial charon: 10[LIB] /usr/lib/ipsec/libstrongswan.so.0 @ 0x7fec9e834000 [0x7fec9e8610c2]
Feb 13 17:22:28 kvm-xenial charon: 09[LIB] ->
Feb 13 17:22:28 kvm-xenial charon: 09[LIB] /usr/lib/ipsec/libstrongswan.so.0 @ 0x7fec9e834000 [0x7fec9e8619fb]
Feb 13 17:22:28 kvm-xenial charon: 04[LIB] ...


mrq1 (kubuntu-bugreporter) wrote :

the startup segfault disappears if I purge the extra-plugin package but NOT if i only remove it :-O

maybe the bug comes with one of the dependency packages?

Feb 13 17:31:24 kvm-xenial charon: 00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc hmac ccm gcm attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp lookip error-notify certexpire led addrblock unity
Feb 13 17:31:24 kvm-xenial charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Feb 13 17:31:24 kvm-xenial charon: 00[JOB] spawning 16 worker threads
Feb 13 17:31:24 kvm-xenial charon: 02[DMN] thread 2 received 11
Feb 13 17:31:24 kvm-xenial charon: 02[LIB] dumping 7 stack frame addresses:
Feb 13 17:31:24 kvm-xenial charon: 02[LIB] /lib/x86_64-linux-gnu/libpthread.so.0 @ 0x7f77069c9000 [0x7f77069d9cd0]
Feb 13 17:31:24 kvm-xenial charon: 08[DMN] thread 8 received 11
Feb 13 17:31:24 kvm-xenial charon: 08[LIB] dumping 7 stack frame addresses:
Feb 13 17:31:24 kvm-xenial charon: 08[LIB] /lib/x86_64-linux-gnu/libpthread.so.0 @ 0x7f77069c9000 [0x7f77069d9cd0]
Feb 13 17:31:24 kvm-xenial charon: 07[DMN] thread 7 received 11
Feb 13 17:31:24 kvm-xenial charon: 07[LIB] dumping 7 stack frame addresses:
Feb 13 17:31:24 kvm-xenial charon: 07[LIB] /lib/x86_64-linux-gnu/libpthread.so.0 @ 0x7f77069c9000 [0x7f77069d9cd0]
Feb 13 17:31:24 kvm-xenial charon: 08[LIB] ->
Feb 13 17:31:24 kvm-xenial charon: 08[LIB] /usr/lib/ipsec/libipsec.so.0 @ 0x7f770176d000 [0x7f7701770f4b]
Feb 13 17:31:24 kvm-xenial charon: 02[LIB] ->
Feb 13 17:31:24 kvm-xenial charon: 02[LIB] /usr/lib/ipsec/libipsec.so.0 @ 0x7f770176d000 [0x7f770176ffdc]
Feb 13 17:31:24 kvm-xenial charon: 07[LIB] ->
Feb 13 17:31:24 kvm-xenial charon: 07[LIB] /usr/lib/ipsec/libipsec.so.0 @ 0x7f770176d000 [0x7f7701770b5b]
Feb 13 17:31:24 kvm-xenial charon: 02[LIB] ->
Feb 13 17:31:24 kvm-xenial charon: 02[LIB] /usr/lib/ipsec/libstrongswan.so.0 @ 0x7f7707079000 [0x7f77070a60c2]
Feb 13 17:31:24 kvm-xenial charon: 08[LIB] ->
Feb 13 17:31:24 kvm-xenial charon: 08[LIB] /usr/lib/ipsec/libstrongswan.so.0 @ 0x7f7707079000 [0x7f77070a60c2]
Feb 13 17:31:24 kvm-xenial charon: 07[LIB] ->
Feb 13 17:31:24 kvm-xenial charon: 07[LIB] /usr/lib/ipsec/libstrongswan.so.0 @ 0x7f7707079000 [0x7f77070a60c2]
Feb 13 17:31:24 kvm-xenial charon: 02[LIB] ->
Feb 13 17:31:24 kvm-xenial charon: 02[LIB] /usr/lib/ipsec/libstrongswan.so.0 @ 0x7f7707079000 [0x7f77070a69fb]
Feb 13 17:31:24 kvm-xenial charon: 08[LIB] ->
Feb 13 17:31:24 kvm-xenial charon: 08[LIB] /usr/lib/ipsec/libstrongswan.so.0 @ 0x7f7707079000 [0x7f77070a69fb]
Feb 13 17:31:24 kvm-xenial charon: 07[LIB] ->
Feb 13 17:31:24 kvm-xenial charon: 07[LIB] /usr/lib/ipsec/libstrongswan.so.0 @ 0x7f7707079000 [0x7f77070a69fb]
Feb 13 17:31:24 kvm-xenial cha...


Ryan Harper (raharper) wrote :

Ah, yes. I've a fix for that; I hadn't pushed my latest update in to the
ppa. The extra-plugins package needs some more privs for the charon binary
in the apparmor profile.

Look for 1ubuntu5 in the ppa in just a bit and see if that fixes up the
issue with the extras plugins.

On Sat, Feb 13, 2016 at 10:39 AM, mrq1 <email address hidden> wrote:

> the startup segfault disappears if I purge the extra-plugin package but
> NOT if i only remove it :-O
>
> maybe the bug comes with one of the dependency packages?
>
> Feb 13 17:31:24 kvm-xenial charon: 00[LIB] loaded plugins: charon
> test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation
> constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl
> fips-prf gmp xcbc hmac ccm gcm attr kernel-netlink resolve socket-default
> connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka
> eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc
> eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc
> xauth-generic xauth-eap xauth-noauth tnc-tnccs tnccs-20 tnccs-11
> tnccs-dynamic dhcp lookip error-notify certexpire led addrblock unity
> Feb 13 17:31:24 kvm-xenial charon: 00[LIB] dropped capabilities, running
> as uid 0, gid 0
> Feb 13 17:31:24 kvm-xenial charon: 00[JOB] spawning 16 worker threads
> Feb 13 17:31:24 kvm-xenial charon: 02[DMN] thread 2 received 11
> Feb 13 17:31:24 kvm-xenial charon: 02[LIB] dumping 7 stack frame
> addresses:
> Feb 13 17:31:24 kvm-xenial charon: 02[LIB]
> /lib/x86_64-linux-gnu/libpthread.so.0 @ 0x7f77069c9000 [0x7f77069d9cd0]
> Feb 13 17:31:24 kvm-xenial charon: 08[DMN] thread 8 received 11
> Feb 13 17:31:24 kvm-xenial charon: 08[LIB] dumping 7 stack frame
> addresses:
> Feb 13 17:31:24 kvm-xenial charon: 08[LIB]
> /lib/x86_64-linux-gnu/libpthread.so.0 @ 0x7f77069c9000 [0x7f77069d9cd0]
> Feb 13 17:31:24 kvm-xenial charon: 07[DMN] thread 7 received 11
> Feb 13 17:31:24 kvm-xenial charon: 07[LIB] dumping 7 stack frame
> addresses:
> Feb 13 17:31:24 kvm-xenial charon: 07[LIB]
> /lib/x86_64-linux-gnu/libpthread.so.0 @ 0x7f77069c9000 [0x7f77069d9cd0]
> Feb 13 17:31:24 kvm-xenial charon: 08[LIB] ->
> Feb 13 17:31:24 kvm-xenial charon: 08[LIB] /usr/lib/ipsec/libipsec.so.0
> @ 0x7f770176d000 [0x7f7701770f4b]
> Feb 13 17:31:24 kvm-xenial charon: 02[LIB] ->
> Feb 13 17:31:24 kvm-xenial charon: 02[LIB] /usr/lib/ipsec/libipsec.so.0
> @ 0x7f770176d000 [0x7f770176ffdc]
> Feb 13 17:31:24 kvm-xenial charon: 07[LIB] ->
> Feb 13 17:31:24 kvm-xenial charon: 07[LIB] /usr/lib/ipsec/libipsec.so.0
> @ 0x7f770176d000 [0x7f7701770b5b]
> Feb 13 17:31:24 kvm-xenial charon: 02[LIB] ->
> Feb 13 17:31:24 kvm-xenial charon: 02[LIB]
> /usr/lib/ipsec/libstrongswan.so.0 @ 0x7f7707079000 [0x7f77070a60c2]
> Feb 13 17:31:24 kvm-xenial charon: 08[LIB] ->
> Feb 13 17:31:24 kvm-xenial charon: 08[LIB]
> /usr/lib/ipsec/libstrongswan.so.0 @ 0x7f7707079000 [0x7f77070a60c2]
> Feb 13 17:31:24 kvm-xenial charon: 07[LIB] ->
> Feb 13 17:31:24 kvm-xenial charon: 07[LIB]
> /usr/lib/ipsec/libstrongswan.so.0 @ 0x7f7707079000 [0x7f77070a60c2]
> Feb 13 17:31:24 kvm-xenial charon: 02[LIB] ->
> Feb 13 17:31:24 kv...


mrq1 (kubuntu-bugreporter) wrote :

great! starts now :-)

what about the chapoly plugin? can you enable it in the extra package?
it would be very important for me!

btw: the output of service looks strange to me

# service strongswan status
● strongswan.service - strongSwan IPsec services
   Loaded: loaded (/lib/systemd/system/strongswan.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Sat 2016-02-13 19:22:46 CET; 42s ago
  Process: 25807 ExecStopPost=/bin/rm -f /var/run/charon.pid /var/run/starter.charon.pid (code=exited, status=0/SUCCESS)
  Process: 25789 ExecStop=/usr/sbin/ipsec stop (code=exited, status=0/SUCCESS)
 Main PID: 25643 (code=exited, status=0/SUCCESS)

looks like the service is not running anymore but via
# ipsec statusall
everything looks ok

is there some systemd-integration-magic missing?

thanks!

Ryan Harper (raharper) wrote :

On Sat, Feb 13, 2016 at 12:27 PM, mrq1 <email address hidden> wrote:

> great! starts now :-)
>
> what about the chapoly plugin? can you enable it in the extra package?
> it would be very important for me!
>

I can look at enabling it. It's new in 5.3.5. If enabled, can you test
and confirm it works?
Looks like something quite interesting.
https://en.wikipedia.org/wiki/Poly1305

Comments here in the Debian bug indicate that this requires at least a 4.2
kernel. For Xenial, this will be sufficient I suppose.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=803787

>
> btw: the output of service looks strange to me
>
> # service strongswan status
> ● strongswan.service - strongSwan IPsec services
> Loaded: loaded (/lib/systemd/system/strongswan.service; enabled; vendor
> preset: enabled)
> Active: inactive (dead) since Sat 2016-02-13 19:22:46 CET; 42s ago
> Process: 25807 ExecStopPost=/bin/rm -f /var/run/charon.pid
> /var/run/starter.charon.pid (code=exited, status=0/SUCCESS)
> Process: 25789 ExecStop=/usr/sbin/ipsec stop (code=exited,
> status=0/SUCCESS)
> Main PID: 25643 (code=exited, status=0/SUCCESS)
>

That looks like it's from the initial install; you may need to reload the new
apparmor policy:

apparmor_parser -r /etc/apparmor.d/usr.lib.ipsec.charon

And then you can restart it with:

systemctl restart strongswan

and check status

systemctl status strongswan

>
> looks like the service is not running anymore but via
> # ipsec statusall
> everything looks ok
>
> is there some systemd-integration-magic missing?
>

I'm not sure what ipsec statusall invokes to check status.

In an up-to-date Xenial VM, installing the current packages in the PPA, I
get the following:

# systemctl status strongswan
● strongswan.service - strongSwan IPsec services
   Loaded: loaded (/lib/systemd/system/strongswan.service; enabled; vendor
preset: enabled)
   Active: active (running) since Sat 2016-02-13 21:50:59 UTC; 18s ago
 Main PID: 2798 (starter)
   CGroup: /system.slice/strongswan.service
           ├─2798 /usr/lib/ipsec/starter --daemon charon
           └─2799 /usr/lib/ipsec/charon --use-syslog

Feb 13 21:50:59 sw1 charon[2799]: 00[CFG] loading ocsp signer certificates
from '/...ts'
Feb 13 21:50:59 sw1 charon[2799]: 00[CFG] loading attribute certificates
from '/et...ts'
Feb 13 21:50:59 sw1 charon[2799]: 00[CFG] loading crls from
'/etc/ipsec.d/crls'
Feb 13 21:50:59 sw1 charon[2799]: 00[CFG] loading secrets from
'/etc/ipsec.secrets'
Feb 13 21:50:59 sw1 charon[2799]: 00[LIB] loaded plugins: charon
test-vectors aes ...own
Feb 13 21:50:59 sw1 charon[2799]: 00[LIB] dropped capabilities, running as
uid 0, gid 0
Feb 13 21:50:59 sw1 charon[2799]: 00[JOB] spawning 16 worker threads
Feb 13 21:50:59 sw1 ipsec_starter[2798]: charon (2799) started after 20 ms
Feb 13 21:50:59 sw1 systemd[1]: Started strongSwan IPsec services.
Feb 13 21:51:00 sw1 systemd[1]: Started strongSwan IPsec services.
Hint: Some lines were ellipsized, use -l to show in full.
root@sw1:~#
root@sw1:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-4-generic,
x86_64):
  uptime: 30 seconds, since Feb 13 21:51:00 2016
  malloc: sbrk 946176, mmap 0, used 229008,...


Simon Déziel (sdeziel) wrote :

On 2016-02-13 12:39 PM, Ryan Harper wrote:
> The extra-plugins package needs some more privs for the charon binary
> in the apparmor profile.

Ryan, please take a look at [1] for refreshed AA profiles that could
address many more LP bugs (all mentioned in debian/changelog). Thanks.

Regards,
Simon

1:
https://github.com/simondeziel/ubuntu-strongswan/commit/9f414ee4e04d6d88810c85029cc0dcbaed58fba8

Ryan Harper (raharper) wrote :

Excellent! I had forgotten about that. I'll update.

On Sat, Feb 13, 2016 at 7:00 PM, Simon Déziel <email address hidden>
wrote:

> On 2016-02-13 12:39 PM, Ryan Harper wrote:
> > The extra-plugins package needs some more privs for the charon binary
> > in the apparmor profile.
>
> Ryan, please take a look at [1] for refreshed AA profiles that could
> address many more LP bugs (all mentioned in debian/changelog). Thanks.
>
> Regards,
> Simon
>
> 1:
>
> https://github.com/simondeziel/ubuntu-strongswan/commit/9f414ee4e04d6d88810c85029cc0dcbaed58fba8
>

Simon Déziel (sdeziel) wrote :

On 2016-02-13 05:09 PM, Ryan Harper wrote:
> On Sat, Feb 13, 2016 at 12:27 PM, mrq1 <email address hidden> wrote:
>
>> great! starts now :-)
>>
>> what about the chapoly plugin? can you enable it in the extra package?
>> it would be very important for me!
>>
>
> I can look at enabling it. It's new in 5.3.5.

+1

ChaCha20/Poly1305 actually made it in 5.3.3 [1] and I haven't heard of
any problem on the mailing list.

> If enabled, can you test and confirm it works?

I too would be glad to give it a spin and report about it.

> Looks like something quite interesting.
> https://en.wikipedia.org/wiki/Poly1305

Indeed! Chacha20 and Poly1305 are cool and getting quite some traction
these days [2].

> Comments here in the Debian bug indicate that this requires at least 4.2
> kernel.

For the IKE part, the kernel version shouldn't matter. For the ESP part,
you indeed need a recent kernel or you can always use the userspace
implementation (libipsec).

libipsec support is very cool (thanks for enabling it!) as it should
allow running an IPsec in containers.

> For Xenial, this will be sufficient I suppose.
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=803787

The reporter was looking for NTRU (enabled in your PPA build IIRC) and
BLISS. That said, I'm sure the reporter would welcome having another
AEAD cipher available because they are well regarded [3] in terms of
security.

Thanks,
Simon

1: https://wiki.strongswan.org/versions/58
2:
https://en.wikipedia.org/w/index.php?title=Salsa20&redirect=no#ChaCha20_adoption
3: https://www.imperialviolet.org/2015/05/16/aeads.html

Ryan Harper (raharper) wrote :

On Sat, Feb 13, 2016 at 7:51 PM, Simon Déziel <email address hidden>
wrote:

> On 2016-02-13 05:09 PM, Ryan Harper wrote:
> > On Sat, Feb 13, 2016 at 12:27 PM, mrq1 <email address hidden> wrote:
> >
> >> great! starts now :-)
> >>
> >> what about the chapoly plugin? can you enable it in the extra package?
> >> it would be very important for me!
> >>
> >
> > I can look at enabling it. It's new in 5.3.5.
>
> +1
>
> ChaCha20/Poly1305 actually made it in 5.3.3 [1] and I haven't heard of
> any problem on the mailing list.
>
> > If enabled, can you test and confirm it works?
>
> I too would be glad to give it a spin and report about it.
>
> > Looks like something quite interesting.
> > https://en.wikipedia.org/wiki/Poly1305
>
> Indeed! Chacha20 and Poly1305 are cool and getting quite some traction
> these days [2].
>

Excellent! I've just uploaded a new version to the PPA; should be ready in a bit with the new plugin and updated apparmor profiles from your repo.

One question, the profile included /dev/tun, and in my Xenial setups, I need /dev/net/tun so I've both allowed in the profile. Not clear to me if it's useful/needed to have both, or if only one is sufficient.

> > Comments here in the Debian bug indicate that this requires at least 4.2
> > kernel.
>
> For the IKE part, the kernel version shouldn't matter. For the ESP part,
> you indeed need a recent kernel or you can always use the userspace
> implementation (libipsec).
>
>
OK

> libipsec support is very cool (thanks for enabling it!) as it should
> allow running an IPsec in containers.
>
>
Please do confirm if that's working. I suspect they'll need to be privileged containers or will need some additional permissions/configs for unprivileged since it'll want access to /dev/net/tun which won't be present by default.

I'd like to capture how to run strongswan in containers like LXD so if you've any experience with getting that working it'd be very helpful for us to document.

> > For Xenial, this will be sufficient I suppose.
> >
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=803787
>
> The reporter was looking for NTRU (enabled in your PPA build IIRC) and
>

Yes

> BLISS. That said, I'm sure the reporter would welcome having another
> AEAD cipher available because they are well regarded [3] in terms of
> security.
>
> Thanks,
> Simon
>
> 1: https://wiki.strongswan.org/versions/58
> 2:
>
> https://en.wikipedia.org/w/index.php?title=Salsa20&redirect=no#ChaCha20_adoption
> 3: https://www.imperialviolet.org/2015/05/16/aeads.html
>

mrq1 (kubuntu-bugreporter) wrote :

thanks for the fast pace!

> should be ready in a bit with the new plugin

NOPE. still no chapoly & ntru plugin included

# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-4-generic, x86_64):
  uptime: 10 minutes, since Feb 14 08:59:01 2016
  malloc: sbrk 1650688, mmap 0, used 547408, free 1103280
  worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-libipsec kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp lookip error-notify certexpire led addrblock unity

i installed a new virtual machine and installed the ppa-strongswan

looks like it is not enough to
# apt install libcharon-extra-plugins
this package does not depend on
# apt install strongswan
which it should!

now starts the testing ;-)

mrq1 (kubuntu-bugreporter) wrote :

looks good so far :-)

i think the kernel-libipsec plugin should not be loaded by default

the plugin works only with UDP encapsulated packets

(look here: https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec)

and this will break most of the "normal"/LAN setups

i would build and include the plugin but disable the loading with

/etc/strongswan.d/charon/kernel-libipsec.conf
> load = no

Simon Déziel (sdeziel) wrote :

On 2016-02-13 10:03 PM, Ryan Harper wrote:
> On Sat, Feb 13, 2016 at 7:51 PM, Simon Déziel <email address hidden>
> wrote:
>
>> On 2016-02-13 05:09 PM, Ryan Harper wrote:
>>> On Sat, Feb 13, 2016 at 12:27 PM, mrq1 <email address hidden> wrote:
>>>
>>>> great! starts now :-)
>>>>
>>>> what about the chapoly plugin? can you enable it in the extra package?
>>>> it would be very important for me!
>>>>
>>>
>>> I can look at enabling it. It's new in 5.3.5.
>>
>> +1
>>
>> ChaCha20/Poly1305 actually made it in 5.3.3 [1] and I haven't heard of
>> any problem on the mailing list.
>>
>>> If enabled, can you test and confirm it works?
>>
>> I too would be glad to give it a spin and report about it.
>>
>>> Looks like something quite interesting.
>>> https://en.wikipedia.org/wiki/Poly1305
>>
>> Indeed! Chacha20 and Poly1305 are cool and getting quite some traction
>> these days [2].
>>
>
> Excellent! I've just uploaded a new version to the PPA; should be ready in
> a bit with the new plugin
> and updated apparmor profiles from your repo.

Thanks, will try it out.

> One question, the profile included /dev/tun, and in my Xenial setups, I
> need
> /dev/net/tun so I've both allowed in the profile. Not clear to me if it's
> useful/needed
> to have both, or if only one is sufficient.

Good catch. The path has always been /dev/net/tun even in previous
releases so please drop the erroneous /dev/tun rule I added.

>>> Comments here in the Debian bug indicate that this requires at least 4.2
>>> kernel.
>>
>> For the IKE part, the kernel version shouldn't matter. For the ESP part,
>> you indeed need a recent kernel or you can always use the userspace
>> implementation (libipsec).
>>
>>
> OK
>
>
>> libipsec support is very cool (thanks for enabling it!) as it should
>> allow running an IPsec in containers.
>>
>>
> Please do confirm if that's working. I suspect they'll need to be
> privileged containers
> or will need some additional permissions/configs for unprivileged since
> it'll want access to
> /dev/net/tun which won't be present by default.
>
> I'd like to capture how to run strongswan in containers like LXD so if
> you've any experience

I'd expect it to be pretty close to running OpenVPN in a container. I'll
check that out on LXD and let you know.

Ryan Harper (raharper) wrote :

On Sun, Feb 14, 2016 at 2:12 AM, mrq1 <email address hidden> wrote:

> thanks for the fast pace!
>
> > should be ready in a bit with the new plugin
>
> NOPE. still no chapoly & ntru plugin included
>

chapoly and ntru are part of libstrongswan-extra-plugins

>
> # ipsec statusall
> Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-4-generic,
> x86_64):
> uptime: 10 minutes, since Feb 14 08:59:01 2016
> malloc: sbrk 1650688, mmap 0, used 547408, free 1103280
> worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0,
> scheduled: 0
> loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random
> nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
> dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr
> kernel-libipsec kernel-netlink resolve socket-default connmark farp stroke
> updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2
> eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2
> eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic
> xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic
> dhcp lookip error-notify certexpire led addrblock unity
>

You might need to restart after upgrade: systemctl restart strongswan

# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-4-generic,
x86_64):
  uptime: 99 seconds, since Feb 14 14:40:22 2016
  malloc: sbrk 2834432, mmap 532480, used 1004336, free 1830096
  worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0,
scheduled: 0
  loaded plugins: charon test-vectors unbound ldap pkcs11 aes rc2 sha1 sha2
md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7
pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg
fips-prf gmp agent chapoly xcbc cmac hmac ctr ccm gcm ntru curl soup mysql
sqlite attr kernel-libipsec kernel-netlink resolve socket-default connmark
farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2
eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2
eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic
xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic
dhcp whitelist lookip error-notify certexpire led radattr addrblock unity
Listening IP addresses:
  192.168.122.147
  10.0.3.1
Connections:
Security Associations (0 up, 0 connecting):
  none

> i installed a new virtual machine and installed the ppa-strongswan
>
> looks like it is not enough to
> # apt install libcharon-extra-plugins
> this package does not depend on
> # apt install strongswan
> which it should!
>

if you apt-get install libstrongswan-extra-plugins, this will pull in the
strongswan package.

>
> now starts the testing ;-)
>

Excellent!

>

mrq1 (kubuntu-bugreporter) wrote :

> chapoly and ntru are part of libstrongswan-extra-plugins

you are right!

i mixed up libcharon-extra-plugins & libstrongswan-extra-plugins
(had only the first one)

my tests are looking good so far.

chapoly & ntru are working as expected, great work!

the MOBIKE handling has much improved since 5.1.2 :-)

Simon Déziel (sdeziel) wrote :

On 2016-02-14 09:00 AM, Simon Deziel wrote:
> On 2016-02-13 10:03 PM, Ryan Harper wrote:
>> On Sat, Feb 13, 2016 at 7:51 PM, Simon Déziel <email address hidden>
>>> libipsec support is very cool (thanks for enabling it!) as it should
>>> allow running an IPsec in containers.
>>>
>>>
>> Please do confirm if that's working. I suspect they'll need to be
>> privileged containers
>> or will need some additional permissions/configs for unprivileged since
>> it'll want access to
>> /dev/net/tun which won't be present by default.

Correct, for unprivileged containers, one has to make the tun device
available using:

 lxc config device add $CTNAME tun unix-char path=/dev/net/tun

Then it works.

Thanks,
Simon

Ryan Harper (raharper) wrote :

On Sun, Feb 14, 2016 at 3:36 AM, mrq1 <email address hidden> wrote:

> looks good so far :-)
>
> i think the kernel-libipsec plugin should not be loaded by default
>
> the plugin works only with UDP encapsulated packets
>
> (look here: https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-
> libipsec)
>
> and this will break most of the "normal"/LAN setups
>

The kernel-libipsec plugin is optional; a user must apt-get install libstrongswan-extra-plugins. I've installed the extra plugins in a VM which uses NAT configuration and none of the networking was broken if the kernel-libipsec module was loaded (but unconfigured).

However, I'm interested if you can expand on what setup would break? We certainly don't want to break or surprise users so I'd like to understand what "breaks" if the module is loaded by default.

>
> i would build and include the plugin but disable the loading with
>
> /etc/strongswan.d/charon/kernel-libipsec.conf
> > load = no
>

This would be a change compared to all other plugins so I'd like to understand why this plugin in the default configuration breaks any normal/LAN setups.


>> i think the kernel-libipsec plugin should not be loaded by default
>>
>> the plugin works only with UDP encapsulated packets
>>
>> (look here: https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-
>> libipsec)
>>
>> and this will break most of the "normal"/LAN setups
>>
>
> The kernel-libipsec plugin is optional; a user must apt-get install
> libstrongswan-extra-plugins.
> I've installed the extra plugins in a VM which uses NAT configuration and
> none of the
> networking was broken if the kernel-libipsec module was loaded (but
> unconfigured).

There is nothing to configure, as long as it gets loaded before any of
the other kernel-ipsec implementations (that's the default) it gets used
as IPsec backend (i.e. IPsec is then handled in userland, not the
kernel). As described on the wiki page, it is not generally recommended
to be used.

> However, I'm interested if you can expand on what setup would break? We
> certainly don't want
> break or surprise users so I'd like understand what "breaks" if the module
> is loaded by default.

Refer to the wiki page above. One example is host-to-host tunnels,
which require additional configuration, then there are the performance
limitations.

>> i would build and include the plugin but disable the loading with
>>
>> /etc/strongswan.d/charon/kernel-libipsec.conf
>>> load = no

That would be an option, another is to put the plugin and config snippet
into a separate package.

Regards,
Tobias

mrq1 (kubuntu-bugreporter) wrote :

it looks like strongswan is faking a nat situation if the kernel-libipsec
is used, so there are only problems with transport & beet mode ..

btw: did you get these audit entries too?

# grep audit /var/log/syslog
Feb 16 07:56:31 kvm-xenial kernel: [240771.376037] audit: type=1400 audit(1455605791.501:866): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/31139/fd/" pid=31139 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 16 08:20:30 kvm-xenial kernel: [242210.398331] audit: type=1400 audit(1455607230.525:867): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/31165/fd/" pid=31165 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 16 08:37:04 kvm-xenial kernel: [243204.311072] audit: type=1400 audit(1455608224.480:868): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/31720/fd/" pid=31720 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 16 08:41:09 kvm-xenial kernel: [243449.474502] audit: type=1400 audit(1455608469.642:869): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/31743/fd/" pid=31743 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 16 08:41:30 kvm-xenial kernel: [243470.304749] audit: type=1400 audit(1455608490.474:870): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/31836/fd/" pid=31836 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Ryan Harper (raharper) wrote :

On Tue, Feb 16, 2016 at 8:46 AM, mrq1 <email address hidden> wrote:

> it looks like strongswan is faking a nat situation if the kernel-libipsec
> is used, so there are only problems with transport & beet mode ..
>

It sounds like it could be confusing. I'd prefer not to have a one-off for just this package, but if it's disruptive then it's likely warranted.

> btw: did you get these audit entries too?
>

No. Are you running 1ubuntu6 and have you reloaded the apparmor profile
and restarted strongswan?

sudo apparmor_parser -r /etc/apparmor.d/usr.lib.ipsec.charon
sudo systemctl restart strongswan

Simon Déziel (sdeziel) wrote :

On 2016-02-16 09:46 AM, mrq1 wrote:
> it looks like strongswan is faking a nat situation if the kernel-libipsec
> is used

This is by design as kernel-libipsec requires ESPinUDP.

As Tobias (Strongswan upstream) said, it's best to not have this on by
default.

> btw: did you get these audit entries too?
>
> # grep audit /var/log/syslog
> Feb 16 07:56:31 kvm-xenial kernel: [240771.376037] audit: type=1400 audit(1455605791.501:866): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/31139/fd/" pid=31139 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> Feb 16 08:20:30 kvm-xenial kernel: [242210.398331] audit: type=1400 audit(1455607230.525:867): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/31165/fd/" pid=31165 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> Feb 16 08:37:04 kvm-xenial kernel: [243204.311072] audit: type=1400 audit(1455608224.480:868): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/31720/fd/" pid=31720 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> Feb 16 08:41:09 kvm-xenial kernel: [243449.474502] audit: type=1400 audit(1455608469.642:869): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/31743/fd/" pid=31743 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> Feb 16 08:41:30 kvm-xenial kernel: [243470.304749] audit: type=1400 audit(1455608490.474:870): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/31836/fd/" pid=31836 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

I don't get those but I only tested libipsec in a container where there
is no Apparmor. Maybe it's libipsec specific?

Can you add this to the profile and see if it helps:

  owner @{PROC}/@{pid}/fd/ r,
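
The denials quoted above and the rule Simon suggests, worked through as an added example (not code from the thread or from the strongswan package): a small Python script that parses AppArmor DENIED audit records out of syslog and derives, per profile, the narrowest file rule that would permit the observed access, generalising the pid to @{pid} and adding `owner` only when fsuid equals ouid. The sample syslog embeds two denial lines from the thread plus a constructed STATUS line (what `apparmor_parser -r` logs) to show that non-denials are skipped.

```python
import re

# Sample syslog excerpt: the first two lines are the denials quoted in the thread,
# the third is a constructed apparmor_parser STATUS line (what a profile reload logs).
SAMPLE_SYSLOG = """\
Feb 16 07:56:31 kvm-xenial kernel: [240771.376037] audit: type=1400 audit(1455605791.501:866): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/31139/fd/" pid=31139 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 16 08:20:30 kvm-xenial kernel: [242210.398331] audit: type=1400 audit(1455607230.525:867): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/31165/fd/" pid=31165 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 16 08:30:00 kvm-xenial kernel: [242780.000000] audit: type=1400 audit(1455607800.000:868): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/ipsec/charon" pid=4242 comm="apparmor_parser"
"""

# key=value pairs; values are either double-quoted strings or bare tokens
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_apparmor_denial(line):
    """Return the key=value fields of an AppArmor DENIED audit line, or None
    for anything else (ALLOWED/STATUS records, unrelated kernel messages)."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: raw.strip('"') for key, raw in KV_RE.findall(line)}


def generalize_path(path):
    """Turn /proc/<pid>/... into @{PROC}/@{pid}/... so one rule covers every
    charon process rather than the pid seen in a single log line."""
    m = re.match(r"^/proc/(\d+)(/.*)?$", path)
    if not m:
        return path
    return "@{PROC}/@{pid}" + (m.group(2) or "")


def suggest_rules(syslog_text):
    """Derive, per profile, the minimal file rules that would permit the denied
    accesses. 'owner' is added when fsuid == ouid, i.e. the process only touched
    files it owns, so the rule stays as narrow as the observed access."""
    rules = {}
    for line in syslog_text.splitlines():
        d = parse_apparmor_denial(line)
        if d is None or "name" not in d or "denied_mask" not in d:
            continue
        owner = "owner " if d.get("fsuid") == d.get("ouid") else ""
        rule = f'{owner}{generalize_path(d["name"])} {d["denied_mask"]},'
        rules.setdefault(d["profile"], set()).add(rule)
    return {profile: sorted(r) for profile, r in rules.items()}


if __name__ == "__main__":
    for profile, lines in suggest_rules(SAMPLE_SYSLOG).items():
        print(f"# rules to add to the profile for {profile}")
        for rule in lines:
            print(f"  {rule}")
```

Run against the sample it prints exactly the `owner @{PROC}/@{pid}/fd/ r,` rule suggested above; after adding a rule, reload the profile and check that no new DENIED records appear before widening anything further.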

Ryan Harper (raharper) wrote :

I've pushed the latest revisions into the PPA:

strongswan (5.3.5-1ubuntu7) xenial; urgency=medium

  * debian/{rules,control,libstrongswan-extra-plugins.install}
    Enable bliss plugin
  * debian/patches/increase-bliss-test-timeout.patch
    Under QEMU/KVM for autopkgtest bliss test takes a bit longer
  * debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch
    Upstream suggests to not load this plugin by default as it has
    some limitations.
    https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec

The attachment "Ubuntu debdiff between 5.1.2-0ubuntu8 and 5.3.5-1ubuntu1" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Changed in strongswan (Ubuntu):
importance: Undecided → High
Changed in strongswan (Ubuntu):
status: Confirmed → Fix Released