diff options
| -rw-r--r-- | nixos/doc/manual/release-notes/rl-2105.xml | 13 | ||||
| -rw-r--r-- | nixos/modules/services/networking/libreswan.nix | 145 | ||||
| -rw-r--r-- | nixos/tests/all-tests.nix | 1 | ||||
| -rw-r--r-- | nixos/tests/libreswan.nix | 134 | ||||
| -rw-r--r-- | pkgs/tools/networking/libreswan/default.nix | 146 |
5 files changed, 333 insertions, 106 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2105.xml b/nixos/doc/manual/release-notes/rl-2105.xml index c73e8eda074cc..a9d1720e94bb1 100644 --- a/nixos/doc/manual/release-notes/rl-2105.xml +++ b/nixos/doc/manual/release-notes/rl-2105.xml @@ -100,6 +100,19 @@ Now nginx uses the zlib-ng library by default. </para> </listitem> + <listitem> + <para> + <link xlink:href="https://libreswan.org/">Libreswan</link> has been updated + to version 4.4. The package now includes example configurations and manual + pages by default. The NixOS module has been changed to use the upstream + systemd units and write the configuration in the <literal>/etc/ipsec.d/ + </literal> directory. In addition, two new options have been added to + specify connection policies + (<xref linkend="opt-services.libreswan.policies"/>) + and disable send/receive redirects + (<xref linkend="opt-services.libreswan.disableRedirects"/>). + </para> + </listitem> </itemizedlist> </section> diff --git a/nixos/modules/services/networking/libreswan.nix b/nixos/modules/services/networking/libreswan.nix index 81bc4e1cf95cc..1f0423ac3d843 100644 --- a/nixos/modules/services/networking/libreswan.nix +++ b/nixos/modules/services/networking/libreswan.nix @@ -9,21 +9,22 @@ let libexec = "${pkgs.libreswan}/libexec/ipsec"; ipsec = "${pkgs.libreswan}/sbin/ipsec"; - trim = chars: str: let - nonchars = filter (x : !(elem x.value chars)) - (imap0 (i: v: {ind = i; value = v;}) (stringToCharacters str)); - in - if length nonchars == 0 then "" - else substring (head nonchars).ind (add 1 (sub (last nonchars).ind (head nonchars).ind)) str; + trim = chars: str: + let + nonchars = filter (x : !(elem x.value chars)) + (imap0 (i: v: {ind = i; value = v;}) (stringToCharacters str)); + in + if length nonchars == 0 then "" + else substring (head nonchars).ind (add 1 (sub (last nonchars).ind (head nonchars).ind)) str; indent = str: concatStrings (concatMap (s: [" " (trim [" " "\t"] s) "\n"]) (splitString "\n" str)); configText = indent (toString cfg.configSetup); connectionText = concatStrings (mapAttrsToList (n: v: '' conn ${n} ${indent v} - '') cfg.connections); - configFile = pkgs.writeText "ipsec.conf" + + configFile = pkgs.writeText "ipsec-nixos.conf" '' config setup ${configText} @@ -31,6 +32,11 @@ let ${connectionText} ''; + policyFiles = mapAttrs' (name: text: + { name = "ipsec.d/policies/${name}"; + value.source = pkgs.writeText "ipsec-policy-${name}" text; + }) cfg.policies; + in { @@ -41,41 +47,71 @@ in services.libreswan = { - enable = mkEnableOption "libreswan ipsec service"; + enable = mkEnableOption "Libreswan IPsec service"; configSetup = mkOption { type = types.lines; default = '' protostack=netkey - nat_traversal=yes virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10 ''; example = '' secretsfile=/root/ipsec.secrets protostack=netkey - nat_traversal=yes virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10 ''; - description = "Options to go in the 'config setup' section of the libreswan ipsec configuration"; + description = "Options to go in the 'config setup' section of the Libreswan IPsec configuration"; }; connections = mkOption { type = types.attrsOf types.lines; default = {}; - example = { - myconnection = '' - auto=add - left=%defaultroute - leftid=@user - - right=my.vpn.com - - ikev2=no - ikelifetime=8h - ''; - }; - description = "A set of connections to define for the libreswan ipsec service"; + example = literalExample '' + { myconnection = ''' + auto=add + left=%defaultroute + leftid=@user + + right=my.vpn.com + + ikev2=no + ikelifetime=8h + '''; + } + ''; + description = "A set of connections to define for the Libreswan IPsec service"; + }; + + policies = mkOption { + type = types.attrsOf types.lines; + default = {}; + example = literalExample '' + { private-or-clear = ''' + # Attempt opportunistic IPsec for the entire Internet + 0.0.0.0/0 + ::/0 + '''; + } + ''; + description = '' + A set of policies to apply to the IPsec connections. + + <note><para> + The policy name must match the one of connection it needs to apply to. + </para></note> + ''; }; + + disableRedirects = mkOption { + type = types.bool; + default = true; + description = '' + Whether to disable send and accept redirects for all nework interfaces. + See the Libreswan <link xlink:href="https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_send_redirects_in_.2Fproc.2Fsys.2Fnet_.3F"> + FAQ</link> page for why this is recommended. + ''; + }; + }; }; @@ -85,43 +121,38 @@ in config = mkIf cfg.enable { + # Install package, systemd units, etc. environment.systemPackages = [ pkgs.libreswan pkgs.iproute2 ]; + systemd.packages = [ pkgs.libreswan ]; + systemd.tmpfiles.packages = [ pkgs.libreswan ]; + + # Install configuration files + environment.etc = { + "ipsec.secrets".source = "${pkgs.libreswan}/etc/ipsec.secrets"; + "ipsec.conf".source = "${pkgs.libreswan}/etc/ipsec.conf"; + "ipsec.d/01-nixos.conf".source = configFile; + } // policyFiles; + + # Create NSS database directory + systemd.tmpfiles.rules = [ "d /var/lib/ipsec/nss 755 root root -" ]; systemd.services.ipsec = { description = "Internet Key Exchange (IKE) Protocol Daemon for IPsec"; - path = [ - "${pkgs.libreswan}" - "${pkgs.iproute2}" - "${pkgs.procps}" - "${pkgs.nssTools}" - "${pkgs.iptables}" - "${pkgs.nettools}" - ]; - - wants = [ "network-online.target" ]; - after = [ "network-online.target" ]; wantedBy = [ "multi-user.target" ]; - - serviceConfig = { - Type = "simple"; - Restart = "always"; - EnvironmentFile = "-${pkgs.libreswan}/etc/sysconfig/pluto"; - ExecStartPre = [ - "${libexec}/addconn --config ${configFile} --checkconfig" - "${libexec}/_stackmanager start" - "${ipsec} --checknss" - "${ipsec} --checknflog" - ]; - ExecStart = "${libexec}/pluto --config ${configFile} --nofork \$PLUTO_OPTIONS"; - ExecStop = "${libexec}/whack --shutdown"; - ExecStopPost = [ - "${pkgs.iproute2}/bin/ip xfrm policy flush" - "${pkgs.iproute2}/bin/ip xfrm state flush" - "${ipsec} --stopnflog" - ]; - ExecReload = "${libexec}/whack --listen"; - }; - + restartTriggers = [ configFile ] ++ mapAttrsToList (n: v: v.source) policyFiles; + path = with pkgs; [ + libreswan + iproute2 + procps + nssTools + iptables + nettools + ]; + preStart = optionalString cfg.disableRedirects '' + # Disable send/receive redirects + echo 0 | tee /proc/sys/net/ipv4/conf/*/send_redirects + echo 0 | tee /proc/sys/net/ipv{4,6}/conf/*/accept_redirects + ''; }; }; diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index f0b050829234f..5ff31ba6834c3 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -217,6 +217,7 @@ in latestKernel.login = handleTest ./login.nix { latestKernel = true; }; leaps = handleTest ./leaps.nix {}; lidarr = handleTest ./lidarr.nix {}; + libreswan = handleTest ./libreswan.nix {}; lightdm = handleTest ./lightdm.nix {}; limesurvey = handleTest ./limesurvey.nix {}; locate = handleTest ./locate.nix {}; diff --git a/nixos/tests/libreswan.nix b/nixos/tests/libreswan.nix new file mode 100644 index 0000000000000..17ae60af8eed4 --- /dev/null +++ b/nixos/tests/libreswan.nix @@ -0,0 +1,134 @@ +# This test sets up a host-to-host IPsec VPN between Alice and Bob, each on its +# own network and with Eve as the only route between each other. We check that +# Eve can eavesdrop the plaintext traffic between Alice and Bob, but once they +# enable the secure tunnel Eve's spying becomes ineffective. + +import ./make-test-python.nix ({ lib, pkgs, ... }: + +let + + # IPsec tunnel between Alice and Bob + tunnelConfig = { + services.libreswan.enable = true; + services.libreswan.connections.tunnel = + '' + leftid=@alice + left=fd::a + rightid=@bob + right=fd::b + authby=secret + auto=add + ''; + environment.etc."ipsec.d/tunnel.secrets" = + { text = ''@alice @bob : PSK "j1JbIi9WY07rxwcNQ6nbyThKCf9DGxWOyokXIQcAQUnafsNTUJxfsxwk9WYK8fHj"''; + mode = "600"; + }; + }; + + # Common network setup + baseNetwork = { + # shared hosts file + extraHosts = lib.mkVMOverride '' + fd::a alice + fd::b bob + fd::e eve + ''; + # remove all automatic addresses + useDHCP = false; + interfaces.eth1.ipv4.addresses = lib.mkVMOverride []; + interfaces.eth2.ipv4.addresses = lib.mkVMOverride []; + # open a port for testing + firewall.allowedUDPPorts = [ 1234 ]; + }; + + # Adds an address and route from a to b via Eve + addRoute = a: b: { + interfaces.eth1.ipv6.addresses = + [ { address = a; prefixLength = 64; } ]; + interfaces.eth1.ipv6.routes = + [ { address = b; prefixLength = 128; via = "fd::e"; } ]; + }; + +in + +{ + name = "libreswan"; + meta = with lib.maintainers; { + maintainers = [ rnhmjoj ]; + }; + + # Our protagonist + nodes.alice = { ... }: { + virtualisation.vlans = [ 1 ]; + networking = baseNetwork // addRoute "fd::a" "fd::b"; + } // tunnelConfig; + + # Her best friend + nodes.bob = { ... }: { + virtualisation.vlans = [ 2 ]; + networking = baseNetwork // addRoute "fd::b" "fd::a"; + } // tunnelConfig; + + # The malicious network operator + nodes.eve = { ... }: { + virtualisation.vlans = [ 1 2 ]; + networking = lib.mkMerge + [ baseNetwork + { interfaces.br0.ipv6.addresses = + [ { address = "fd::e"; prefixLength = 64; } ]; + bridges.br0.interfaces = [ "eth1" "eth2" ]; + } + ]; + environment.systemPackages = [ pkgs.tcpdump ]; + boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = true; + }; + + testScript = + '' + def alice_to_bob(msg: str): + """ + Sends a message as Alice to Bob + """ + bob.execute("nc -lu ::0 1234 >/tmp/msg &") + alice.sleep(1) + alice.succeed(f"echo '{msg}' | nc -uw 0 bob 1234") + bob.succeed(f"grep '{msg}' /tmp/msg") + + + def eavesdrop(): + """ + Starts eavesdropping on Alice and Bob + """ + match = "src host alice and dst host bob" + eve.execute(f"tcpdump -i br0 -c 1 -Avv {match} >/tmp/log &") + + + start_all() + + with subtest("Network is up"): + alice.wait_until_succeeds("ping -c1 bob") + + with subtest("Eve can eavesdrop cleartext traffic"): + eavesdrop() + alice_to_bob("I secretly love turnip") + eve.sleep(1) + eve.succeed("grep turnip /tmp/log") + + with subtest("Libreswan is ready"): + alice.wait_for_unit("ipsec") + bob.wait_for_unit("ipsec") + alice.succeed("ipsec verify 1>&2") + + with subtest("Alice and Bob can start the tunnel"): + alice.execute("ipsec auto --start tunnel &") + bob.succeed("ipsec auto --start tunnel") + # apparently this is needed to "wake" the tunnel + bob.execute("ping -c1 alice") + + with subtest("Eve no longer can eavesdrop"): + eavesdrop() + alice_to_bob("Just kidding, I actually like rhubarb") + eve.sleep(1) + eve.fail("grep rhubarb /tmp/log") + ''; +}) diff --git a/pkgs/tools/networking/libreswan/default.nix b/pkgs/tools/networking/libreswan/default.nix index 1059baf13ee58..24b7176e82b50 100644 --- a/pkgs/tools/networking/libreswan/default.nix +++ b/pkgs/tools/networking/libreswan/default.nix @@ -1,71 +1,114 @@ -{ lib, stdenv, fetchurl, makeWrapper, - pkg-config, systemd, gmp, unbound, bison, flex, pam, libevent, libcap_ng, curl, nspr, - bash, iproute2, iptables, procps, coreutils, gnused, gawk, nss, which, python3, - docs ? false, xmlto, libselinux, ldns - }: +{ lib +, stdenv +, fetchurl +, fetchpatch +, nixosTests +, pkg-config +, systemd +, gmp +, unbound +, bison +, flex +, pam +, libevent +, libcap_ng +, curl +, nspr +, bash +, iproute2 +, iptables +, procps +, coreutils +, gnused +, gawk +, nss +, which +, python3 +, libselinux +, ldns +, xmlto +, docbook_xml_dtd_412 +, docbook_xsl +, findXMLCatalogs +}: let + # Tools needed by ipsec scripts binPath = lib.makeBinPath [ - bash iproute2 iptables procps coreutils gnused gawk nss.tools which python3 + iproute2 iptables procps + coreutils gnused gawk + nss.tools which ]; in -assert docs -> xmlto != null; -assert stdenv.isLinux -> libselinux != null; - stdenv.mkDerivation rec { pname = "libreswan"; - version = "3.32"; + version = "4.4"; src = fetchurl { url = "https://download.libreswan.org/${pname}-${version}.tar.gz"; - sha256 = "0bj3g6qwd3ir3gk6hdl9npy3k44shf56vcgjahn30qpmx3z5fsr3"; + sha256 = "0xj974yc0y1r7235zl4jhvxqz3bpb8js2fy9ic820zq9swh0lgsz"; }; strictDeps = true; - # These flags were added to compile v3.18. Try to lift them when updating. - NIX_CFLAGS_COMPILE = toString [ "-Wno-error=redundant-decls" "-Wno-error=format-nonliteral" - # these flags were added to build with gcc7 - "-Wno-error=implicit-fallthrough" - "-Wno-error=format-truncation" - "-Wno-error=pointer-compare" - "-Wno-error=stringop-truncation" - # The following flag allows libreswan v3.32 to work with NSS 3.22, see - # https://github.com/libreswan/libreswan/issues/334. - # This flag should not be needed for libreswan v3.33 (which is not yet released). - "-DNSS_PKCS11_2_0_COMPAT=1" - ]; - nativeBuildInputs = [ bison flex - makeWrapper pkg-config + xmlto + docbook_xml_dtd_412 + docbook_xsl + findXMLCatalogs ]; - buildInputs = [ bash iproute2 iptables systemd coreutils gnused gawk gmp unbound pam libevent - libcap_ng curl nspr nss python3 ldns ] - ++ lib.optional docs xmlto - ++ lib.optional stdenv.isLinux libselinux; + buildInputs = [ + systemd coreutils + gnused gawk gmp unbound pam libevent + libcap_ng curl nspr nss ldns + # needed to patch shebangs + python3 bash + ] ++ lib.optional stdenv.isLinux libselinux; + + patches = [ + # Fix compilation on aarch64, remove on next update + (fetchpatch { + url = "https://github.com/libreswan/libreswan/commit/ea50d36d2886e44317ba5ba841de1d1bf91aee6c.patch"; + sha256 = "1jp89rm9jp55zmiyimyhg7yadj0fwwxaw7i5gyclrs38w3y1aacj"; + }) + ]; prePatch = '' - # Correct bash path - sed -i -e 's|/bin/bash|/usr/bin/env bash|' mk/config.mk - - # Fix systemd unit directory, and prevent the makefile from trying to reload the - # systemd daemon or create tmpfiles - sed -i -e 's|UNITDIR=.*$|UNITDIR=$\{out}/etc/systemd/system/|g' \ - -e 's|TMPFILESDIR=.*$|TMPFILESDIR=$\{out}/tmpfiles.d/|g' \ - -e 's|systemctl|true|g' \ - -e 's|systemd-tmpfiles|true|g' \ - initsystems/systemd/Makefile + # Correct iproute2 path + sed -e 's|"/sbin/ip"|"${iproute2}/bin/ip"|' \ + -e 's|"/sbin/iptables"|"${iptables}/bin/iptables"|' \ + -i initsystems/systemd/ipsec.service.in \ + programs/verify/verify.in + + # Prevent the makefile from trying to + # reload the systemd daemon or create tmpfiles + sed -e 's|systemctl|true|g' \ + -e 's|systemd-tmpfiles|true|g' \ + -i initsystems/systemd/Makefile # Fix the ipsec program from crushing the PATH - sed -i -e 's|\(PATH=".*"\):.*$|\1:$PATH|' programs/ipsec/ipsec.in + sed -e 's|\(PATH=".*"\):.*$|\1:$PATH|' -i programs/ipsec/ipsec.in # Fix python script to use the correct python - sed -i -e 's|#!/usr/bin/python|#!/usr/bin/env python|' -e 's/^\(\W*\)installstartcheck()/\1sscmd = "ss"\n\0/' programs/verify/verify.in + sed -e 's/^\(\W*\)installstartcheck()/\1sscmd = "ss"\n\0/' \ + -i programs/verify/verify.in + + # Replace wget with curl to save a dependency + curlArgs='-s --remote-name-all --output-dir' + sed -e "s|wget -q -P|${curl}/bin/curl $curlArgs|g" \ + -i programs/letsencrypt/letsencrypt.in + + # Patch the Makefile: + # 1. correct the pam.d directory install path + # 2. do not create the /var/lib/ directory + sed -e 's|$(DESTDIR)/etc/pam.d|$(out)/etc/pam.d|' \ + -e '/test ! -d $(NSSDIR)/,+3d' \ + -i configs/Makefile ''; # Set appropriate paths for build @@ -73,10 +116,10 @@ stdenv.mkDerivation rec { makeFlags = [ "INITSYSTEM=systemd" - (if docs then "all" else "base") + "UNITDIR=$(out)/etc/systemd/system/" + "TMPFILESDIR=$(out)/lib/tmpfiles.d/" ]; - installTargets = [ (if docs then "install" else "install-base") ]; # Hack to make install work installFlags = [ "FINALVARDIR=\${out}/var" @@ -84,18 +127,23 @@ stdenv.mkDerivation rec { ]; postInstall = '' - for i in $out/bin/* $out/libexec/ipsec/*; do - wrapProgram "$i" --prefix PATH ':' "$out/bin:${binPath}" - done + # Install examples directory (needed for letsencrypt) + cp -r docs/examples $out/share/doc/libreswan/examples + ''; + + postFixup = '' + # Add a PATH to the main "ipsec" script + sed -e '0,/^$/{s||export PATH=${binPath}:$PATH|}' \ + -i $out/bin/ipsec ''; - enableParallelBuilding = true; + passthru.tests.libreswan = nixosTests.libreswan; meta = with lib; { homepage = "https://libreswan.org"; description = "A free software implementation of the VPN protocol based on IPSec and the Internet Key Exchange"; platforms = platforms.linux ++ platforms.freebsd; - license = licenses.gpl2; - maintainers = [ maintainers.afranchuk ]; + license = with licenses; [ gpl2Plus mpl20 ] ; + maintainers = with maintainers; [ afranchuk rnhmjoj ]; }; } |