Merge pull request #123254 from rnhmjoj/ipsec

libreswan: 3.2 -> 4.4

nixos/doc/manual/release-notes/rl-2105.xml

@@ -100,6 +100,19 @@
       Now nginx uses the zlib-ng library by default.
     </para>
    </listitem>
+   <listitem>
+    <para>
+     <link xlink:href="https://libreswan.org/">Libreswan</link> has been updated
+     to version 4.4. The package now includes example configurations and manual
+     pages by default. The NixOS module has been changed to use the upstream
+     systemd units and write the configuration in the <literal>/etc/ipsec.d/
+     </literal> directory. In addition, two new options have been added to
+     specify connection policies
+     (<xref linkend="opt-services.libreswan.policies"/>)
+     and disable send/receive redirects
+     (<xref linkend="opt-services.libreswan.disableRedirects"/>).
+    </para>
+   </listitem>
   </itemizedlist>
  </section>
 

nixos/modules/services/networking/libreswan.nix

@@ -9,21 +9,22 @@ let
   libexec = "${pkgs.libreswan}/libexec/ipsec";
   ipsec = "${pkgs.libreswan}/sbin/ipsec";
 
-  trim = chars: str: let
+  trim = chars: str:
-      nonchars = filter (x : !(elem x.value chars))
+  let
-                  (imap0 (i: v: {ind = i; value = v;}) (stringToCharacters str));
+    nonchars = filter (x : !(elem x.value chars))
-    in
+               (imap0 (i: v: {ind = i; value = v;}) (stringToCharacters str));
-      if length nonchars == 0 then ""
+  in
-      else substring (head nonchars).ind (add 1 (sub (last nonchars).ind (head nonchars).ind)) str;
+    if length nonchars == 0 then ""
+    else substring (head nonchars).ind (add 1 (sub (last nonchars).ind (head nonchars).ind)) str;
   indent = str: concatStrings (concatMap (s: ["  " (trim [" " "\t"] s) "\n"]) (splitString "\n" str));
   configText = indent (toString cfg.configSetup);
   connectionText = concatStrings (mapAttrsToList (n: v:
     ''
       conn ${n}
       ${indent v}
-
     '') cfg.connections);
-  configFile = pkgs.writeText "ipsec.conf"
+
+  configFile = pkgs.writeText "ipsec-nixos.conf"
     ''
       config setup
       ${configText}
@@ -31,6 +32,11 @@ let
       ${connectionText}
     '';
 
+  policyFiles = mapAttrs' (name: text:
+    { name = "ipsec.d/policies/${name}";
+      value.source = pkgs.writeText "ipsec-policy-${name}" text;
+    }) cfg.policies;
+
 in
 
 {
@@ -41,41 +47,71 @@ in
 
     services.libreswan = {
 
-      enable = mkEnableOption "libreswan ipsec service";
+      enable = mkEnableOption "Libreswan IPsec service";
 
       configSetup = mkOption {
         type = types.lines;
         default = ''
             protostack=netkey
-            nat_traversal=yes
             virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
         '';
         example = ''
             secretsfile=/root/ipsec.secrets
             protostack=netkey
-            nat_traversal=yes
             virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
         '';
-        description = "Options to go in the 'config setup' section of the libreswan ipsec configuration";
+        description = "Options to go in the 'config setup' section of the Libreswan IPsec configuration";
       };
 
       connections = mkOption {
         type = types.attrsOf types.lines;
         default = {};
-        example = {
+        example = literalExample ''
-          myconnection = ''
+          { myconnection = '''
-            auto=add
+              auto=add
-            left=%defaultroute
+              left=%defaultroute
-            leftid=@user
+              leftid=@user
 
-            right=my.vpn.com
+              right=my.vpn.com
 
-            ikev2=no
+              ikev2=no
-            ikelifetime=8h
+              ikelifetime=8h
-          '';
+            ''';
-        };
+          }
-        description = "A set of connections to define for the libreswan ipsec service";
+        '';
+        description = "A set of connections to define for the Libreswan IPsec service";
       };
+
+      policies = mkOption {
+        type = types.attrsOf types.lines;
+        default = {};
+        example = literalExample ''
+          { private-or-clear = '''
+              # Attempt opportunistic IPsec for the entire Internet
+              0.0.0.0/0
+              ::/0
+            ''';
+          }
+        '';
+        description = ''
+          A set of policies to apply to the IPsec connections.
+
+          <note><para>
+            The policy name must match the one of connection it needs to apply to.
+          </para></note>
+        '';
+      };
+
+      disableRedirects = mkOption {
+        type = types.bool;
+        default = true;
+        description = ''
+          Whether to disable send and accept redirects for all nework interfaces.
+          See the Libreswan <link xlink:href="https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_send_redirects_in_.2Fproc.2Fsys.2Fnet_.3F">
+          FAQ</link> page for why this is recommended.
+        '';
+      };
+
     };
 
   };
@@ -85,43 +121,38 @@ in
 
   config = mkIf cfg.enable {
 
+    # Install package, systemd units, etc.
     environment.systemPackages = [ pkgs.libreswan pkgs.iproute2 ];
+    systemd.packages = [ pkgs.libreswan ];
+    systemd.tmpfiles.packages = [ pkgs.libreswan ];
+
+    # Install configuration files
+    environment.etc = {
+      "ipsec.secrets".source = "${pkgs.libreswan}/etc/ipsec.secrets";
+      "ipsec.conf".source = "${pkgs.libreswan}/etc/ipsec.conf";
+      "ipsec.d/01-nixos.conf".source = configFile;
+    } // policyFiles;
+
+    # Create NSS database directory
+    systemd.tmpfiles.rules = [ "d /var/lib/ipsec/nss 755 root root -" ];
 
     systemd.services.ipsec = {
       description = "Internet Key Exchange (IKE) Protocol Daemon for IPsec";
-      path = [
-        "${pkgs.libreswan}"
-        "${pkgs.iproute2}"
-        "${pkgs.procps}"
-        "${pkgs.nssTools}"
-        "${pkgs.iptables}"
-        "${pkgs.nettools}"
-      ];
-
-      wants = [ "network-online.target" ];
-      after = [ "network-online.target" ];
       wantedBy = [ "multi-user.target" ];
-
+      restartTriggers = [ configFile ] ++ mapAttrsToList (n: v: v.source) policyFiles;
-      serviceConfig = {
+      path = with pkgs; [
-        Type = "simple";
+        libreswan
-        Restart = "always";
+        iproute2
-        EnvironmentFile = "-${pkgs.libreswan}/etc/sysconfig/pluto";
+        procps
-        ExecStartPre = [
+        nssTools
-          "${libexec}/addconn --config ${configFile} --checkconfig"
+        iptables
-          "${libexec}/_stackmanager start"
+        nettools
-          "${ipsec} --checknss"
+      ];
-          "${ipsec} --checknflog"
+      preStart = optionalString cfg.disableRedirects ''
-        ];
+        # Disable send/receive redirects
-        ExecStart = "${libexec}/pluto --config ${configFile} --nofork \$PLUTO_OPTIONS";
+        echo 0 | tee /proc/sys/net/ipv4/conf/*/send_redirects
-        ExecStop = "${libexec}/whack --shutdown";
+        echo 0 | tee /proc/sys/net/ipv{4,6}/conf/*/accept_redirects
-        ExecStopPost = [
+      '';
-          "${pkgs.iproute2}/bin/ip xfrm policy flush"
-          "${pkgs.iproute2}/bin/ip xfrm state flush"
-          "${ipsec} --stopnflog"
-        ];
-        ExecReload = "${libexec}/whack --listen";
-      };
-
     };
 
   };

nixos/tests/all-tests.nix

@@ -217,6 +217,7 @@ in
   latestKernel.login = handleTest ./login.nix { latestKernel = true; };
   leaps = handleTest ./leaps.nix {};
   lidarr = handleTest ./lidarr.nix {};
+  libreswan = handleTest ./libreswan.nix {};
   lightdm = handleTest ./lightdm.nix {};
   limesurvey = handleTest ./limesurvey.nix {};
   locate = handleTest ./locate.nix {};

nixos/tests/libreswan.nix

@@ -0,0 +1,134 @@
+# This test sets up a host-to-host IPsec VPN between Alice and Bob, each on its
+# own network and with Eve as the only route between each other. We check that
+# Eve can eavesdrop the plaintext traffic between Alice and Bob, but once they
+# enable the secure tunnel Eve's spying becomes ineffective.
+
+import ./make-test-python.nix ({ lib, pkgs, ... }:
+
+let
+
+  # IPsec tunnel between Alice and Bob
+  tunnelConfig = {
+    services.libreswan.enable = true;
+    services.libreswan.connections.tunnel =
+      ''
+        leftid=@alice
+        left=fd::a
+        rightid=@bob
+        right=fd::b
+        authby=secret
+        auto=add
+      '';
+    environment.etc."ipsec.d/tunnel.secrets" =
+      { text = ''@alice @bob : PSK "j1JbIi9WY07rxwcNQ6nbyThKCf9DGxWOyokXIQcAQUnafsNTUJxfsxwk9WYK8fHj"'';
+        mode = "600";
+      };
+  };
+
+  # Common network setup
+  baseNetwork = {
+    # shared hosts file
+    extraHosts = lib.mkVMOverride ''
+      fd::a alice
+      fd::b bob
+      fd::e eve
+    '';
+    # remove all automatic addresses
+    useDHCP = false;
+    interfaces.eth1.ipv4.addresses = lib.mkVMOverride [];
+    interfaces.eth2.ipv4.addresses = lib.mkVMOverride [];
+    # open a port for testing
+    firewall.allowedUDPPorts = [ 1234 ];
+  };
+
+  # Adds an address and route from a to b via Eve
+  addRoute = a: b: {
+    interfaces.eth1.ipv6.addresses =
+      [ { address = a; prefixLength = 64; } ];
+    interfaces.eth1.ipv6.routes =
+      [ { address = b; prefixLength = 128; via = "fd::e"; } ];
+  };
+
+in
+
+{
+  name = "libreswan";
+  meta = with lib.maintainers; {
+    maintainers = [ rnhmjoj ];
+  };
+
+  # Our protagonist
+  nodes.alice = { ... }: {
+    virtualisation.vlans = [ 1 ];
+    networking = baseNetwork // addRoute "fd::a" "fd::b";
+  } // tunnelConfig;
+
+  # Her best friend
+  nodes.bob = { ... }: {
+    virtualisation.vlans = [ 2 ];
+    networking = baseNetwork // addRoute "fd::b" "fd::a";
+  } // tunnelConfig;
+
+  # The malicious network operator
+  nodes.eve = { ... }: {
+    virtualisation.vlans = [ 1 2 ];
+    networking = lib.mkMerge
+      [ baseNetwork
+        { interfaces.br0.ipv6.addresses =
+            [ { address = "fd::e"; prefixLength = 64; } ];
+          bridges.br0.interfaces = [ "eth1" "eth2" ];
+        }
+      ];
+    environment.systemPackages = [ pkgs.tcpdump ];
+    boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = true;
+  };
+
+  testScript =
+    ''
+      def alice_to_bob(msg: str):
+          """
+          Sends a message as Alice to Bob
+          """
+          bob.execute("nc -lu ::0 1234 >/tmp/msg &")
+          alice.sleep(1)
+          alice.succeed(f"echo '{msg}' | nc -uw 0 bob 1234")
+          bob.succeed(f"grep '{msg}' /tmp/msg")
+
+
+      def eavesdrop():
+          """
+          Starts eavesdropping on Alice and Bob
+          """
+          match = "src host alice and dst host bob"
+          eve.execute(f"tcpdump -i br0 -c 1 -Avv {match} >/tmp/log &")
+
+
+      start_all()
+
+      with subtest("Network is up"):
+          alice.wait_until_succeeds("ping -c1 bob")
+
+      with subtest("Eve can eavesdrop cleartext traffic"):
+          eavesdrop()
+          alice_to_bob("I secretly love turnip")
+          eve.sleep(1)
+          eve.succeed("grep turnip /tmp/log")
+
+      with subtest("Libreswan is ready"):
+          alice.wait_for_unit("ipsec")
+          bob.wait_for_unit("ipsec")
+          alice.succeed("ipsec verify 1>&2")
+
+      with subtest("Alice and Bob can start the tunnel"):
+          alice.execute("ipsec auto --start tunnel &")
+          bob.succeed("ipsec auto --start tunnel")
+          # apparently this is needed to "wake" the tunnel
+          bob.execute("ping -c1 alice")
+
+      with subtest("Eve no longer can eavesdrop"):
+          eavesdrop()
+          alice_to_bob("Just kidding, I actually like rhubarb")
+          eve.sleep(1)
+          eve.fail("grep rhubarb /tmp/log")
+    '';
+})

pkgs/tools/networking/libreswan/default.nix

@@ -1,71 +1,114 @@
-{ lib, stdenv, fetchurl, makeWrapper,
+{ lib
-  pkg-config, systemd, gmp, unbound, bison, flex, pam, libevent, libcap_ng, curl, nspr,
+, stdenv
-  bash, iproute2, iptables, procps, coreutils, gnused, gawk, nss, which, python3,
+, fetchurl
-  docs ? false, xmlto, libselinux, ldns
+, fetchpatch
-  }:
+, nixosTests
+, pkg-config
+, systemd
+, gmp
+, unbound
+, bison
+, flex
+, pam
+, libevent
+, libcap_ng
+, curl
+, nspr
+, bash
+, iproute2
+, iptables
+, procps
+, coreutils
+, gnused
+, gawk
+, nss
+, which
+, python3
+, libselinux
+, ldns
+, xmlto
+, docbook_xml_dtd_412
+, docbook_xsl
+, findXMLCatalogs
+}:
 
 let
+  # Tools needed by ipsec scripts
   binPath = lib.makeBinPath [
-    bash iproute2 iptables procps coreutils gnused gawk nss.tools which python3
+    iproute2 iptables procps
+    coreutils gnused gawk
+    nss.tools which
   ];
 in
 
-assert docs -> xmlto != null;
-assert stdenv.isLinux -> libselinux != null;
-
 stdenv.mkDerivation rec {
   pname = "libreswan";
-  version = "3.32";
+  version = "4.4";
 
   src = fetchurl {
     url = "https://download.libreswan.org/${pname}-${version}.tar.gz";
-    sha256 = "0bj3g6qwd3ir3gk6hdl9npy3k44shf56vcgjahn30qpmx3z5fsr3";
+    sha256 = "0xj974yc0y1r7235zl4jhvxqz3bpb8js2fy9ic820zq9swh0lgsz";
   };
 
   strictDeps = true;
 
-  # These flags were added to compile v3.18. Try to lift them when updating.
-  NIX_CFLAGS_COMPILE = toString [ "-Wno-error=redundant-decls" "-Wno-error=format-nonliteral"
-    # these flags were added to build with gcc7
-    "-Wno-error=implicit-fallthrough"
-    "-Wno-error=format-truncation"
-    "-Wno-error=pointer-compare"
-    "-Wno-error=stringop-truncation"
-    # The following flag allows libreswan v3.32 to work with NSS 3.22, see
-    # https://github.com/libreswan/libreswan/issues/334.
-    # This flag should not be needed for libreswan v3.33 (which is not yet released).
-    "-DNSS_PKCS11_2_0_COMPAT=1"
-  ];
-
   nativeBuildInputs = [
     bison
     flex
-    makeWrapper
     pkg-config
+    xmlto
+    docbook_xml_dtd_412
+    docbook_xsl
+    findXMLCatalogs
   ];
 
-  buildInputs = [ bash iproute2 iptables systemd coreutils gnused gawk gmp unbound pam libevent
+  buildInputs = [
-                  libcap_ng curl nspr nss python3 ldns ]
+    systemd coreutils
-                ++ lib.optional docs xmlto
+    gnused gawk gmp unbound pam libevent
-                ++ lib.optional stdenv.isLinux libselinux;
+    libcap_ng curl nspr nss ldns
+    # needed to patch shebangs
+    python3 bash
+  ] ++ lib.optional stdenv.isLinux libselinux;
+
+  patches = [
+    # Fix compilation on aarch64, remove on next update
+    (fetchpatch {
+      url = "https://github.com/libreswan/libreswan/commit/ea50d36d2886e44317ba5ba841de1d1bf91aee6c.patch";
+      sha256 = "1jp89rm9jp55zmiyimyhg7yadj0fwwxaw7i5gyclrs38w3y1aacj";
+    })
+  ];
 
   prePatch = ''
-    # Correct bash path
+    # Correct iproute2 path
-    sed -i -e 's|/bin/bash|/usr/bin/env bash|' mk/config.mk
+    sed -e 's|"/sbin/ip"|"${iproute2}/bin/ip"|' \
+        -e 's|"/sbin/iptables"|"${iptables}/bin/iptables"|' \
+        -i initsystems/systemd/ipsec.service.in \
+           programs/verify/verify.in
 
-    # Fix systemd unit directory, and prevent the makefile from trying to reload the
+    # Prevent the makefile from trying to
-    # systemd daemon or create tmpfiles
+    # reload the systemd daemon or create tmpfiles
-    sed -i -e 's|UNITDIR=.*$|UNITDIR=$\{out}/etc/systemd/system/|g' \
+    sed -e 's|systemctl|true|g' \
-      -e 's|TMPFILESDIR=.*$|TMPFILESDIR=$\{out}/tmpfiles.d/|g' \
+        -e 's|systemd-tmpfiles|true|g' \
-      -e 's|systemctl|true|g' \
+        -i initsystems/systemd/Makefile
-      -e 's|systemd-tmpfiles|true|g' \
-      initsystems/systemd/Makefile
 
     # Fix the ipsec program from crushing the PATH
-    sed -i -e 's|\(PATH=".*"\):.*$|\1:$PATH|' programs/ipsec/ipsec.in
+    sed -e 's|\(PATH=".*"\):.*$|\1:$PATH|' -i programs/ipsec/ipsec.in
 
     # Fix python script to use the correct python
-    sed -i -e 's|#!/usr/bin/python|#!/usr/bin/env python|' -e 's/^\(\W*\)installstartcheck()/\1sscmd = "ss"\n\0/' programs/verify/verify.in
+    sed -e 's/^\(\W*\)installstartcheck()/\1sscmd = "ss"\n\0/' \
+        -i programs/verify/verify.in
+
+    # Replace wget with curl to save a dependency
+    curlArgs='-s --remote-name-all --output-dir'
+    sed -e "s|wget -q -P|${curl}/bin/curl $curlArgs|g" \
+        -i programs/letsencrypt/letsencrypt.in
+
+    # Patch the Makefile:
+    # 1. correct the pam.d directory install path
+    # 2. do not create the /var/lib/ directory
+    sed -e 's|$(DESTDIR)/etc/pam.d|$(out)/etc/pam.d|' \
+        -e '/test ! -d $(NSSDIR)/,+3d' \
+        -i configs/Makefile
   '';
 
   # Set appropriate paths for build
@@ -73,10 +116,10 @@ stdenv.mkDerivation rec {
 
   makeFlags = [
     "INITSYSTEM=systemd"
-    (if docs then "all" else "base")
+    "UNITDIR=$(out)/etc/systemd/system/"
+    "TMPFILESDIR=$(out)/lib/tmpfiles.d/"
   ];
 
-  installTargets = [ (if docs then "install" else "install-base") ];
   # Hack to make install work
   installFlags = [
     "FINALVARDIR=\${out}/var"
@@ -84,18 +127,23 @@ stdenv.mkDerivation rec {
   ];
 
   postInstall = ''
-    for i in $out/bin/* $out/libexec/ipsec/*; do
+    # Install examples directory (needed for letsencrypt)
-      wrapProgram "$i" --prefix PATH ':' "$out/bin:${binPath}"
+    cp -r docs/examples $out/share/doc/libreswan/examples
-    done
   '';
 
-  enableParallelBuilding = true;
+  postFixup = ''
+    # Add a PATH to the main "ipsec" script
+    sed -e '0,/^$/{s||export PATH=${binPath}:$PATH|}' \
+        -i $out/bin/ipsec
+  '';
+
+  passthru.tests.libreswan = nixosTests.libreswan;
 
   meta = with lib; {
     homepage = "https://libreswan.org";
     description = "A free software implementation of the VPN protocol based on IPSec and the Internet Key Exchange";
     platforms = platforms.linux ++ platforms.freebsd;
-    license = licenses.gpl2;
+    license = with licenses; [ gpl2Plus mpl20 ] ;
-    maintainers = [ maintainers.afranchuk ];
+    maintainers = with maintainers; [ afranchuk rnhmjoj ];
   };
 }