Merge branch 'vici-alerts'

Exposes alerts via vici protocol. Closes strongswan/strongswan#2894
bus: Clarify that ALERT_TS_NARROWED is issued for local narrowing as well
2025-10-03 00:00:24 -04:00 · 2025-10-02 10:22:51 +02:00 · 2025-10-02 10:22:36 +02:00 · 2025-10-02 10:22:36 +02:00 · 2025-10-02 10:22:32 +02:00 · 2025-10-02 10:02:49 +02:00
8 changed files with 132 additions and 13 deletions
--- a/.github/workflows/macos.yml
+++ b/.github/workflows/macos.yml
@ -27,7 +27,7 @@ jobs:
  macos:
    strategy:
      matrix:
-        os: [macos-latest, macos-13]
+        os: [macos-latest, macos-14]
    needs: pre-check
    if: ${{ needs.pre-check.outputs.should_skip != 'true' }}
    runs-on: ${{ matrix.os }}
--- a/scripts/test.sh
+++ b/scripts/test.sh
@ -94,7 +94,7 @@ build_tss2()

 build_openssl()
 {
-	SSL_REV=openssl-3.5.2
+	SSL_REV=openssl-3.6.0
 	SSL_DIR=$DEPS_BUILD_DIR/openssl
 	SSL_INS=$DEPS_PREFIX/ssl
 	SSL_OPT="-d shared no-dtls no-ssl3 no-zlib no-idea no-psk
@ -388,18 +388,19 @@ macos)
 	# use the same options as in the Homebrew Formula
 	CONFIG="--disable-defaults --enable-charon --enable-cmd --enable-constraints
 			--enable-curl --enable-eap-gtc --enable-eap-identity
-			--enable-eap-md5 --enable-eap-mschapv2 --enable-farp --enable-ikev1
-			--enable-ikev2 --enable-kernel-libipsec --enable-kernel-pfkey
+			--enable-eap-md5 --enable-eap-mschapv2 --enable-eap-peap
+			--enable-dhcp --enable-farp --enable-ikev1 --enable-ikev2
+			--enable-kernel-libipsec --enable-kernel-pfkey
 			--enable-kernel-pfroute --enable-nonce --enable-openssl
 			--enable-osx-attr --enable-pem --enable-pgp --enable-pkcs1
-			--enable-pkcs8 --enable-pki --enable-pubkey --enable-revocation
-			--enable-socket-default --enable-sshkey --enable-stroke
-			--enable-swanctl --enable-unity --enable-updown
-			--enable-x509 --enable-xauth-generic"
-	DEPS="automake autoconf libtool bison gperf pkgconf openssl@1.1 curl"
+			--enable-pkcs8 --enable-pkcs11 --enable-pki --enable-pubkey
+			--enable-revocation --enable-socket-default --enable-sshkey
+			--enable-stroke --enable-swanctl --enable-unity --enable-updown
+			--enable-x509 --enable-xauth-generic --enable-drbg"
+	DEPS="automake autoconf libtool bison gperf pkgconf openssl@3 curl"
 	BREW_PREFIX=$(brew --prefix)
 	export PATH=$BREW_PREFIX/opt/bison/bin:$PATH
-	for pkg in openssl@1.1 curl
+	for pkg in openssl@3 curl
 	do
 		PKG_CONFIG_PATH=$BREW_PREFIX/opt/$pkg/lib/pkgconfig:$PKG_CONFIG_PATH
 		CPPFLAGS="-I$BREW_PREFIX/opt/$pkg/include $CPPFLAGS"
--- a/src/libcharon/bus/bus.h
+++ b/src/libcharon/bus/bus.h
@ -124,7 +124,7 @@ enum alert_t {
 	/** traffic selectors do not match, arguments are two linked_list_t
 	 *  containing traffic_selector_t for initiator and for responder */
 	ALERT_TS_MISMATCH,
-	/** traffic selectors have been narrowed by the peer, arguments are
+	/** traffic selectors have been narrowed by us or the peer, arguments are
 	 *  an int (TRUE for local TS), a linked_list_t* (final TS list), and the
 	 *  child_cfg_t*. */
 	ALERT_TS_NARROWED,
--- a/src/libcharon/plugins/vici/README.md
+++ b/src/libcharon/plugins/vici/README.md
@ -1034,6 +1034,57 @@ The _child-rekey_ event is issued when a CHILD_SA is rekeyed.
 		}
 	}

+### alert ###
+
+The _alert_ event is issued for specific error conditions. Some alerts can
+be associated with an IKE_SA; if so, the IKE_SA details are included under an
+_ike-sa_ property.
+
+	{
+		type = <alert type>
+		ike-sa = {
+			<IKE_SA config name> = {
+				<same data as in list-sas event, but without child-sas section>
+			}
+		}
+	}
+
+The _type_ property currently has one of the following fixed string values:
+
+  * _authorization-failed_: an authorization hook failed
+  * _cert-exceeded-path-len_: Certificate trustchain length exceeds limit
+  * _cert-expired_: Certificate rejected; it has expired
+  * _cert-no-issuer_:  Certificate rejected; no trusted issuer found
+  * _cert-policy-violation_: Certificate rejected; other policy violation
+  * _cert-revoked_: Certificate rejected; it has been revoked
+  * _cert-untrusted-root_: Certificate rejected; root not trusted
+  * _cert-validation-failed_: Certificate rejected: Validating status failed
+  * _half-open-timeout_: received half-open timeout before IKE_SA established
+  * _ike-sa-expired_: IKE_SA hit hard lifetime limit before it could be rekeyed
+  * _install-child-policy-failed_: Installation of IPsec Policy failed
+  * _install-child-sa-failed_: Installation of IPsec SAs failed
+  * _invalid-ike-spi_: received IKE message with invalid SPI
+  * _keep-on-child-sa-failure_: IKE_SA kept on failed child SA establishment
+  * _local-auth-failed_: local peer authentication failed (by us or by peer)
+  * _parse-error-body_: received IKE message with invalid body
+  * _parse-error-header_: received IKE message with invalid header
+  * _peer-addr-failed_: failed to resolve peer address
+  * _peer-auth-failed_: peer authentication failed
+  * _peer-init-unreachable_: peer did not respond to initial message
+  * _proposal-mismatch-child_: CHILD proposals do not match
+  * _proposal-mismatch-ike_: IKE proposals do not match
+  * _radius-not-responding_: a RADIUS server did not respond
+  * _retransmit-receive_: received a retransmit for a message
+  * _retransmit-send_: sending a retransmit for a message
+  * _retransmit-send-cleared_: received response for retransmitted request
+  * _retransmit-send-timeout_: sending retransmits timed out
+  * _shutdown-signal_: a shutdown signal has been received
+  * _ts-mismatch_: traffic selectors do not match
+  * _ts-narrowed_: traffic selectors have been narrowed (by us or by peer)
+  * _unique-keep_: IKE_SA deleted because of "keep" unique policy
+  * _unique-replace_: IKE_SA deleted because of "replace" unique policy
+  * _vip-failure_: allocating virtual IP failed
+
 # libvici C client library #

 libvici is the reference implementation of a C client library implementing
--- a/src/libcharon/plugins/vici/python/setup.py.in
+++ b/src/libcharon/plugins/vici/python/setup.py.in
@ -18,7 +18,6 @@ setup(
        "Development Status :: 5 - Production/Stable",
        "Intended Audience :: Developers",
        "Intended Audience :: System Administrators",
-        "License :: OSI Approved :: MIT License",
        "Natural Language :: English",
        "Programming Language :: Python :: 3.8",
        "Programming Language :: Python :: 3.9",
--- a/src/libcharon/plugins/vici/vici_query.c
+++ b/src/libcharon/plugins/vici/vici_query.c
@ -82,6 +82,42 @@ ENUM(vici_counter_type_names,
 	"info-out-resp",
 );

+ENUM(alert_names, ALERT_RADIUS_NOT_RESPONDING, ALERT_CERT_POLICY_VIOLATION,
+	"radius-not-responding",
+	"shutdown-signal",
+	"local-auth-failed",
+	"peer-auth-failed",
+	"peer-addr-failed",
+	"peer-init-unreachable",
+	"invalid-ike-spi",
+	"parse-error-header",
+	"parse-error-body",
+	"retransmit-send",
+	"retransmit-send-cleared",
+	"retransmit-send-timeout",
+	"retransmit-receive",
+	"half-open-timeout",
+	"proposal-mismatch-ike",
+	"proposal-mismatch-child",
+	"ts-mismatch",
+	"ts-narrowed",
+	"install-child-sa-failed",
+	"install-child-policy-failed",
+	"unique-replace",
+	"unique-keep",
+	"keep-on-child-sa-failure",
+	"vip-failure",
+	"authorization-failed",
+	"ike-sa-expired",
+	"cert-expired",
+	"cert-revoked",
+	"cert-validation-failed",
+	"cert-no-issuer",
+	"cert-untrusted-root",
+	"cert-exceeded-path-len",
+	"cert-policy-violation",
+);
+
 typedef struct private_vici_query_t private_vici_query_t;

 /**
@ -1778,6 +1814,7 @@ static void manage_commands(private_vici_query_t *this, bool reg)
 	this->dispatcher->manage_event(this->dispatcher, "ike-update", reg);
 	this->dispatcher->manage_event(this->dispatcher, "child-updown", reg);
 	this->dispatcher->manage_event(this->dispatcher, "child-rekey", reg);
+	this->dispatcher->manage_event(this->dispatcher, "alert", reg);
 	manage_command(this, "list-sas", list_sas, reg);
 	manage_command(this, "list-policies", list_policies, reg);
 	manage_command(this, "list-conns", list_conns, reg);
@ -1957,6 +1994,32 @@ METHOD(listener_t, child_rekey, bool,
 	return TRUE;
 }

+METHOD(listener_t, alert, bool,
+	private_vici_query_t *this, ike_sa_t *ike_sa, alert_t alert, va_list args)
+{
+	vici_builder_t *b;
+
+	if (!this->dispatcher->has_event_listeners(this->dispatcher, "alert"))
+	{
+		return TRUE;
+	}
+
+	b = vici_builder_create();
+	b->add_kv(b, "type", "%N", alert_names, alert);
+	if (ike_sa)
+	{
+		b->begin_section(b, "ike-sa");
+		b->begin_section(b, ike_sa->get_name(ike_sa));
+		list_ike(this, b, ike_sa, time_monotonic(NULL));
+		b->end_section(b);
+		b->end_section(b);
+	}
+
+	this->dispatcher->raise_event(this->dispatcher, "alert", 0, b->finalize(b));
+
+	return TRUE;
+}
+
 METHOD(vici_query_t, destroy, void,
 	private_vici_query_t *this)
 {
@ -1974,6 +2037,7 @@ vici_query_t *vici_query_create(vici_dispatcher_t *dispatcher)
 	INIT(this,
 		.public = {
 			.listener = {
+				.alert = _alert,
 				.ike_updown = _ike_updown,
 				.ike_rekey = _ike_rekey,
 				.ike_update = _ike_update,
--- a/src/libcharon/sa/ikev2/tasks/child_create.c
+++ b/src/libcharon/sa/ikev2/tasks/child_create.c
@ -2490,6 +2490,10 @@ static void raise_alerts(private_child_create_t *this, notify_type_t type)
 			charon->bus->alert(charon->bus, ALERT_PROPOSAL_MISMATCH_CHILD, list);
 			list->destroy_offset(list, offsetof(proposal_t, destroy));
 			break;
+		case TS_UNACCEPTABLE:
+			charon->bus->alert(charon->bus, ALERT_TS_MISMATCH,
+							   this->tsi, this->tsr);
+			break;
 		default:
 			break;
 	}
--- a/src/libtls/tls_server.c
+++ b/src/libtls/tls_server.c
@ -444,7 +444,7 @@ static status_t process_client_hello(private_tls_server_t *this,
 	if (this->tls->get_version_max(this->tls) >= TLS_1_3 && !this->hashsig.len)
 	{
 		DBG1(DBG_TLS, "no %N extension received", tls_extension_names,
-			 TLS_MISSING_EXTENSION);
+			 TLS_EXT_SIGNATURE_ALGORITHMS);
 		this->alert->add(this->alert, TLS_FATAL, TLS_MISSING_EXTENSION);
 		return NEED_MORE;
 	}
Author	SHA1	Message	Date
Tobias Brunner	404111b46f	Merge branch 'vici-alerts' Exposes alerts via vici protocol. Closes strongswan/strongswan#2894	2025-10-02 10:22:51 +02:00
Martin Willi	f5f04b7d20	bus: Clarify that ALERT_TS_NARROWED is issued for local narrowing as well	2025-10-02 10:22:36 +02:00
Martin Willi	86a50d1618	child-create: Raise an ALERT_TS_MISMATCH when receiving TS_UNACCEPTABLE When sending a TS_UNACCEPTABLE notify, a ALERT_TS_MISMATCH is sent, but not when receiving one. This seems inconsistent compared to proposal mismatch handling, so extend the child_create task to raise such an alert.	2025-10-02 10:22:36 +02:00
Martin Willi	d46529fe2d	vici: Raise alert events from the bus alert listener hook The bus alert infrastructure is currently exposed through the error-notify plugin using a dedicated socket using a rather archaic message format. Vici clients would need a dedicated socket connection just to receive such alert messages, making their implementation more complex. With vici, it is rather trivial to expose bus alerts through a dedicated event message that vici clients may subscribe to. Add such an "alert" event type to vici. Alert names are mapped to strings for simple consumption by clients. For now, the error-notify string message is omitted from events, as it mostly contains static information without much value; instead add the IKE_SA details for alerts associated to an IKE_SA. Other alert specific data may be added in the future if needed; preferably using a structured format instead of the arbitrary string messages used by error-notify. To allow future extensions, wrap IKE_SA details under a dedicated "ike-sa" property.	2025-10-02 10:22:32 +02:00
Tobias Brunner	b83aed1362	libtls: Use correct constant in error message Closes strongswan/strongswan#2896 Fixes: e7313962808c ("tls-server: Check if peer sent hash and signature algorithms")	2025-10-02 10:02:49 +02:00
Tobias Brunner	eb2d8768d8	github: Use OpenSSL 3 for macOS builds and enable additional plugins The Homebrew formula has been using OpenSSL 3 for a while. The eap-peap and pkcs11 plugins also have been enabled in the formula. The dhcp plugin is enabled to test the port (the farp plugin was already enabled since its port to FreeBSD/macOS). The drbg plugin is enabled to run the ML-KEM test vectors.	2025-10-02 09:03:37 +02:00
Tobias Brunner	6a55de1fa2	github: Build on macOS 14 instead of the deprecated macOS 13 While macos-13 was running on Intel, both macos-latest (macOS 15) and macos-14 run on ARM64. While there are Intel-based images for 14 and 15, they will only be available until August 2027 (and there aren't any Intel devices anymore anyway).	2025-10-01 19:08:51 +02:00
Tobias Brunner	d0770e5362	github: Use OpenSSL 3.6.0 for tests	2025-10-01 19:08:49 +02:00
Tobias Brunner	61daa338c7	vici: Remove deprecated license classifier in Python metadata	2025-10-01 19:08:34 +02:00