Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Figure out best options for a custom build of strongSwan #12

Closed
dguido opened this issue Jun 29, 2016 · 4 comments

Comments

@dguido
Copy link
Member

@dguido dguido commented Jun 29, 2016

After we get everything working, we should try to trim down the StrongSwan binaries as much as possible by compiling from source and disabling everything we don't use. As a side benefit, this makes it a more unique target for exploitation and ensures that we're using the latest version.

Here my initial review of Autoconf options:

Enable new good features:
--enable-chapoly
--enable-gcm
--enable-openssl
--enable-rdrand

Enable testing support
--enable-conftest
--enable-integrity-test
--enable-test-vectors

Disable legacy ciphers
--disable-cmac
--disable-des
--disable-ikev1
--disable-md5
--disable-rc2
--disable-sha1
--disable-xcbc

Disable unused features
--disable-attr
--disable-dnskey
--disable-pgp
--disable-pkcs1
--disable-pkcs7
--disable-pkcs8
--disable-resolve
--disable-scepclient
--disable-sshkey
--disable-xauth-generic

We'll also need to figure out package signing and write a script to automate this somehow:

We may be able to limit the privileges of the strongSwan daemon even further by running StrongSwan as a non-root user and then limiting it to cap_net_admin. cap_new_raw may be required if we use connmark since it's required by the iptables library that plugin uses.

@dguido

This comment has been minimized.

Copy link
Member Author

@dguido dguido commented Dec 29, 2016

So, one concrete issue that is resolved by building from source is that we get AES-NI support. AESNI is supported on DigitalOcean by default. It helps extremely low performance VPS providers avoid getting overwhelmed in CPU usage.

@tobiasbrunner

This comment has been minimized.

Copy link

@tobiasbrunner tobiasbrunner commented Dec 30, 2016

So, one concrete issue that is resolved by building from source is that we get AES-NI support.

Enabling the aesni plugin (which I guess is what you are referring to) only has an effect on IKE traffic, of which there isn't a lot. So unless you use the kernel-libipsec plugin (userland IPsec stack) you need a kernel that supports AES-NI.

Some notes on the other options you listed there:

--enable-gcm

Not needed if the openssl plugin is enabled and the installed OpenSSL version supports AES-GCM.

--enable-rdrand

Only useful if the CPU actually supports it (similar to AES-NI).

--enable-conftest

This is a special testing framework that is of no use in production environments.

--enable-test-vectors

This only has an effect if tests are enabled (charon.crypto_test options in strongswan.conf) or when running the unit tests (make check).

--disable-ikev1

Not really a cipher, but if it's not used, disabling it sure makes sense.

--disable-des
--disable-md5
--disable-sha1

These are also provided by the openssl plugin (unless they are disabled in the OpenSSL library against which it is built, or specific OPENSSL_NO_* options were explicitly set when building the plugin). Anyway, some of them might be required (e.g. SHA-1 is required for IKEv2 itself, and some certificates/key formats might still use some of them).

@dguido dguido changed the title Prefer compiling StrongSwan from source rather than from apt Allow compiling StrongSwan from source Dec 30, 2016
@dguido dguido modified the milestone: 1.0 Dec 30, 2016
@dguido dguido added enhancement and removed revisit later labels Dec 31, 2016
@dguido dguido self-assigned this Dec 31, 2016
@dguido dguido modified the milestones: 1.2, 1.0 Jan 1, 2017
@dguido dguido changed the title Allow compiling StrongSwan from source Figure out best options for a custom build of strongSwan Jan 1, 2017
@dguido

This comment has been minimized.

Copy link
Member Author

@dguido dguido commented Jan 1, 2017

Thanks for the tips @tobiasbrunner! My goal is to support only the features that Algo uses and none others. I will ultimately use this to make a PPA specifically for Algo in #194.

Here are my notes so far.

  • The Debian Building Tutorial describes how to use all the deb packaging tools.
  • The Ubuntu Packaging Guide has some fairly minor changes to the process and uses slightly different tools.
  • Hardening Walkthrough describes some of the compiler options available to deb packages.
  • 16.04 includes strongSwan 5.3.5 but you can clone their 5.5.1 package from git://anonscm.debian.org/pkg-swan/strongswan.git
apt-get update
mkdir strongswan; cd strongswan

# dpkg-dev provides apt-get source
# devscripts provides debuild
# debian-keyring provides gpg keys needed to verify signing
apt-get install dpkg-dev devscripts debian-keyring

# Pull down the source and build dependencies from Debian
apt-get source strongswan; cd strongswan-5.3.5
apt-get build-dep strongswan

# modify debian/rules here
nano -w debian/rules

# binary only build, do not sign changes or source
# add -tc to clean build artifacts between builds
debuild -b -uc -us

Here is what I trimmed the Debian CONFIGUREARGS down to.

CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \
                --enable-acert \
                --enable-addrblock \
                --enable-aesni \
                --enable-chapoly \
                --enable-connmark \
                --enable-coupling \
                --enable-error-notify \
                --enable-gcm \
                --enable-integrity-test \
                --enable-lookip \
                --enable-openssl \
                --disable-blowfish \
                --disable-cmac \
                --disable-des \
                --disable-dnskey \
                --disable-fast \
                --disable-ikev1 \
                --disable-md5 \
                --disable-pkcs1 \
                --disable-rc2 \
                --disable-sha1 \
                --disable-sshkey \
                --disable-xcbc

This results in the following build configuration:

 strongSwan will be built with the following plugins
-----------------------------------------------------
libstrongswan: pkcs11 aesni aes sha2 rdrand random nonce x509 revocation constraints acert pubkey pkcs7 pkcs8 pkcs12 pgp pem openssl af-alg fips-prf gmp chapoly hmac gcm
libcharon:     attr resolve socket-default connmark farp stroke updown dhcp lookip error-notify coupling addrblock
libhydra:      kernel-netlink
libtnccs:     

Finally, the following entries need to be deleted from files in the debian directory:

libcharon-extra-plugins.install:
usr/lib/ipsec/plugins/libstrongswan-dhcp.so
usr/lib/ipsec/plugins/libstrongswan-certexpire.so
usr/lib/ipsec/plugins/libstrongswan-eap*.so
usr/lib/ipsec/plugins/libstrongswan-kernel-libipsec.so
usr/lib/ipsec/plugins/libstrongswan-led.so
usr/lib/ipsec/plugins/libstrongswan-unity.so
usr/lib/ipsec/plugins/libstrongswan-xauth-*.so
usr/share/strongswan/templates/config/plugins/certexpire.conf
usr/share/strongswan/templates/config/plugins/eap-*.conf
usr/share/strongswan/templates/config/plugins/kernel-libipsec.conf
usr/share/strongswan/templates/config/plugins/led.conf
usr/share/strongswan/templates/config/plugins/unity.conf
usr/share/strongswan/templates/config/plugins/xauth-*.conf
etc/strongswan.d/charon/certexpire.conf
etc/strongswan.d/charon/eap-*.conf
etc/strongswan.d/charon/kernel-libipsec.conf
etc/strongswan.d/charon/led.conf
etc/strongswan.d/charon/unity.conf
etc/strongswan.d/charon/xauth-*.conf
usr/lib/ipsec/libipsec.so*
usr/lib/ipsec/libpttls.so*
usr/lib/ipsec/libradius.so*
usr/lib/ipsec/libsimaka.so*
usr/lib/ipsec/libtls.so*
usr/lib/ipsec/pt-tls-client

libstrongswan.install:
usr/lib/ipsec/plugins/libstrongswan-ccm.so
usr/lib/ipsec/plugins/libstrongswan-dnskey.so
usr/lib/ipsec/plugins/libstrongswan-md4.so
usr/lib/ipsec/plugins/libstrongswan-md5.so
usr/lib/ipsec/plugins/libstrongswan-pkcs1.so
usr/lib/ipsec/plugins/libstrongswan-rc2.so
usr/lib/ipsec/plugins/libstrongswan-sha1.so
usr/lib/ipsec/plugins/libstrongswan-sshkey.so
usr/lib/ipsec/plugins/libstrongswan-test-vectors.so
usr/lib/ipsec/plugins/libstrongswan-xcbc.so
usr/share/strongswan/templates/config/plugins/dnskey.conf
usr/share/strongswan/templates/config/plugins/md4.conf
usr/share/strongswan/templates/config/plugins/md5.conf
usr/share/strongswan/templates/config/plugins/pkcs1.conf
usr/share/strongswan/templates/config/plugins/rc2.conf
usr/share/strongswan/templates/config/plugins/sha1.conf
usr/share/strongswan/templates/config/plugins/sshkey.conf
usr/share/strongswan/templates/config/plugins/test-vectors.conf
usr/share/strongswan/templates/config/plugins/xcbc.conf
etc/strongswan.d/charon/dnskey.conf
etc/strongswan.d/charon/md4.conf
etc/strongswan.d/charon/md5.conf
etc/strongswan.d/charon/pkcs1.conf
etc/strongswan.d/charon/rc2.conf
etc/strongswan.d/charon/sha1.conf
etc/strongswan.d/charon/sshkey.conf
etc/strongswan.d/charon/test-vectors.conf
etc/strongswan.d/charon/xcbc.conf

libstrongswan-extra-plugins.install:
usr/lib/ipsec/plugins/libstrongswan-attr-sql.so
usr/lib/ipsec/plugins/libstrongswan-bliss.so
usr/lib/ipsec/plugins/libstrongswan-cmac.so
usr/lib/ipsec/plugins/libstrongswan-ctr.so
usr/lib/ipsec/plugins/libstrongswan-curl.so
usr/lib/ipsec/plugins/libstrongswan-dnscert.so
usr/lib/ipsec/plugins/libstrongswan-gcrypt.so
usr/lib/ipsec/plugins/libstrongswan-ipseckey.so
usr/lib/ipsec/plugins/libstrongswan-ldap.so
usr/lib/ipsec/plugins/libstrongswan-load-tester.so
usr/lib/ipsec/plugins/libstrongswan-mysql.so
usr/lib/ipsec/plugins/libstrongswan-ntru.so
usr/lib/ipsec/plugins/libstrongswan-radattr.so
usr/lib/ipsec/plugins/libstrongswan-soup.so
usr/lib/ipsec/plugins/libstrongswan-sqlite.so
usr/lib/ipsec/plugins/libstrongswan-sql.so
usr/lib/ipsec/plugins/libstrongswan-systime-fix.so
usr/lib/ipsec/plugins/libstrongswan-unbound.so
usr/lib/ipsec/plugins/libstrongswan-whitelist.so
usr/share/strongswan/templates/config/plugins/attr-sql.conf
usr/share/strongswan/templates/config/plugins/ccm.conf
usr/share/strongswan/templates/config/plugins/bliss.conf
usr/share/strongswan/templates/config/plugins/cmac.conf
usr/share/strongswan/templates/config/plugins/ctr.conf
usr/share/strongswan/templates/config/plugins/curl.conf
usr/share/strongswan/templates/config/plugins/dnscert.conf
usr/share/strongswan/templates/config/plugins/gcrypt.conf
usr/share/strongswan/templates/config/plugins/ipseckey.conf
usr/share/strongswan/templates/config/plugins/ldap.conf
usr/share/strongswan/templates/config/plugins/load-tester.conf
usr/share/strongswan/templates/config/plugins/mysql.conf
usr/share/strongswan/templates/config/plugins/ntru.conf
usr/share/strongswan/templates/config/plugins/radattr.conf
usr/share/strongswan/templates/config/plugins/soup.conf
usr/share/strongswan/templates/config/plugins/sql.conf
usr/share/strongswan/templates/config/plugins/sqlite.conf
usr/share/strongswan/templates/config/plugins/systime-fix.conf
usr/share/strongswan/templates/config/plugins/unbound.conf
usr/share/strongswan/templates/config/plugins/whitelist.conf
usr/share/strongswan/templates/database/sql/mysql.sql
usr/share/strongswan/templates/database/sql/sqlite.sql
etc/strongswan.d/charon/attr-sql.conf
etc/strongswan.d/charon/ccm.conf
etc/strongswan.d/charon/bliss.conf
etc/strongswan.d/charon/cmac.conf
etc/strongswan.d/charon/ctr.conf
etc/strongswan.d/charon/curl.conf
etc/strongswan.d/charon/dnscert.conf
etc/strongswan.d/charon/gcrypt.conf
etc/strongswan.d/charon/ipseckey.conf
etc/strongswan.d/charon/ldap.conf
etc/strongswan.d/charon/load-tester.conf
etc/strongswan.d/charon/mysql.conf
etc/strongswan.d/charon/ntru.conf
etc/strongswan.d/charon/radattr.conf
etc/strongswan.d/charon/soup.conf
etc/strongswan.d/charon/sql.conf
etc/strongswan.d/charon/sqlite.conf
etc/strongswan.d/charon/systime-fix.conf
etc/strongswan.d/charon/unbound.conf
etc/strongswan.d/charon/whitelist.conf
usr/lib/ipsec/load-tester
usr/lib/ipsec/whitelist

libstrongswan-standard-plugins.install:
usr/lib/ipsec/plugins/libstrongswan-agent.so
usr/share/strongswan/templates/config/plugins/agent.conf
etc/strongswan.d/charon/agent.conf

strongswan-starter.install:
usr/lib/ipsec/pool
usr/share/strongswan/templates/config/strongswan.d/pool.conf
etc/strongswan.d/pool.conf

rm strongswan-tnc-ifmap.install
rm strongswan-tnc-base.install
rm strongswan-tnc-client.install
rm strongswan-tnc-pdp.install
rm strongswan-tnc-server.install

charon-cmd.install:
usr/sbin/charon-cmd
usr/share/man/man8/charon-cmd.8

add to libstrongswan-extra-plugins:
usr/share/strongswan/templates/config/plugins/aesni.conf
usr/lib/ipsec/plugins/libstrongswan-aesni.so
etc/strongswan.d/charon/aesni.conf

Suggestions to trim this down further are welcome!

@tobiasbrunner

This comment has been minimized.

Copy link

@tobiasbrunner tobiasbrunner commented Jan 16, 2017

You might want to consider using --disable-defaults and then explicitly enable all the features you want. That way new stuff won't get enabled automatically.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
2 participants
You can’t perform that action at this time.