Tobias Brunner
034a462901
ikev2: Initiate other tasks after a no-op task
2016-03-10 11:07:14 +01:00
Tobias Brunner
a05cff1ec0
ikev2: Don't do online revocation checks in pubkey authenticator if requested
We also update the auth config so the constraints are not enforced.
2016-03-10 11:07:14 +01:00
Tobias Brunner
e19162a509
ike-sa: Add condition to suspend online certificate revocation checks for an IKE_SA
2016-03-10 11:07:14 +01:00
Tobias Brunner
1b9c1ae018
ike-sa: Add method to verify certificates in completed authentication rounds
2016-03-10 11:07:14 +01:00
Tobias Brunner
ef9171ad1e
auth-cfg: Add a rule to suspend certificate validation constraints
2016-03-10 11:07:14 +01:00
Tobias Brunner
f371effc5d
credential-manager: Check cache queue when destroying trusted certificate enumerator
We already do this in the trusted public key enumerator (which
internally uses the trusted certificate enumerator) but should do so
also when this enumerator is used directly (since the public key
enumerator has the read lock the additional call will just be skipped
there).
2016-03-10 11:07:14 +01:00
Tobias Brunner
5452e3d66e
credential-manager: Make online revocation checks optional for public key enumerator
2016-03-10 11:07:14 +01:00
Tobias Brunner
819da83fcc
Merge branch 'charon-conf-fallback'
Makes charon-systemd and charon-svc also load settings from the charon
section in strongswan.conf.
Fixes #1300.
2016-03-08 10:56:27 +01:00
Tobias Brunner
2e190dca04
charon-svc: Inherit all settings from the charon section
Same as with charon-systemd.
2016-03-08 10:56:19 +01:00
Tobias Brunner
bc4e689db1
charon-systemd: Inherit all settings from the charon section
Our default config files are very charon specific. So to avoid
confusion when only charon-systemd is installed we just default to all
settings defined for charon. Since charon-systemd probably won't be used
together with charon this should not cause conflicts (settings may still
be overridden via the charon-systemd section).
2016-03-08 10:56:19 +01:00
Tobias Brunner
5c8dc908d0
library: Add option to register additional namespaces before calling library_init()
Because settings are already accessed in library_init(), calling
add_fallback() externally after calling library_init() is not ideal.
This way namespaces already serve as fallback while library_init() is
executed and they are also in the correct order so that libstrongswan is
always the last root section.
2016-03-08 10:56:19 +01:00
Tobias Brunner
101abed566
vici: Replace child configs atomically
This also leaves unmodified configs as they are.
2016-03-08 10:21:58 +01:00
Tobias Brunner
622c2b2c33
peer-cfg: Add method to atomically replace child configs
2016-03-08 10:21:58 +01:00
Tobias Brunner
8db4f19ad9
ike-cfg: Use new method to compare proposal lists in equals()
2016-03-08 10:21:57 +01:00
Tobias Brunner
f6a5e6b6a9
peer-cfg: Use new method to compare linked lists in equals()
This also compares the complete lists not only the first two items.
2016-03-08 10:21:57 +01:00
Tobias Brunner
3af23606bf
child-cfg: Add equals() method
2016-03-08 10:21:57 +01:00
Tobias Brunner
348b0ffbc6
linked-list: Add method to compare two lists of objects for equality
2016-03-08 10:21:57 +01:00
Tobias Brunner
229cdf6bc8
vici: Order auth rounds by optional `round` parameter instead of by position in the request
2016-03-08 10:04:55 +01:00
Tobias Brunner
fab4c845ec
ikev1: Send NAT-D payloads after vendor ID payloads in Aggressive Mode messages
Some implementations might otherwise not recognize the NAT-D payload
type. Also moves SIG and HASH payloads last in these messages.
Fixes #1239.
2016-03-07 14:13:12 +01:00
Thomas Egerer
d8adcb8ff9
ike-sa-manager: Log a checkin/failure message for every checkout
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
2016-03-07 11:16:52 +01:00
Andreas Steffen
c2523355a4
testing: Added swanctl/mult-auth-rsa-eap-sim-id scenario
2016-03-06 19:09:03 +01:00
Andreas Steffen
70ff382e41
testing: Added swanctl/xauth-rsa scenario
2016-03-06 12:28:55 +01:00
Andreas Steffen
99b794a4cf
Display IKE ports with swanctl --list-sas
2016-03-05 18:19:00 +01:00
Andreas Steffen
724f590711
Version bump to 5.4.0rc1
2016-03-05 18:18:12 +01:00
Andreas Steffen
07b0eac4b1
testing: attr-sql is a charon plugin
2016-03-05 15:53:22 +01:00
Andreas Steffen
26d2011b14
testing: Added swanctl/rw-psk-ikev1 scenario
2016-03-05 13:50:41 +01:00
Andreas Steffen
1989c7a381
testing: Include IKE port information in evaltests
2016-03-05 13:44:06 +01:00
Andreas Steffen
fe1f915b07
Version bump to 5.4.0dr8
2016-03-04 20:55:55 +01:00
Tobias Brunner
ec9566ae24
ike-sa-manager: Log some additional details like SPIs when checking out SAs
2016-03-04 18:43:27 +01:00
Tobias Brunner
67e28a3afa
smp: Correctly return IKE SPIs stored in network order
2016-03-04 18:43:26 +01:00
Tobias Brunner
e32504352d
vici: Correctly return IKE SPIs stored in network order
2016-03-04 18:43:26 +01:00
Tobias Brunner
db00982dad
stroke: Correctly print IKE SPIs stored in network order
2016-03-04 18:43:26 +01:00
Tobias Brunner
fac9fd7368
byteorder: Simplify htoun64/untoh64 functions
2016-03-04 18:43:26 +01:00
Tobias Brunner
14de79604a
byteorder: Always define be64toh/htobe64 macros
2016-03-04 18:43:26 +01:00
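The five commits above (the SPI fixes in smp, vici and stroke, and the byteorder helpers) address one bug class: an IKE SPI that was memcpy()'d from the wire into a uint64_t holds network-order bytes, so printing or returning that word as a host integer shows it byte-reversed on little-endian hosts, and the SPI in the log no longer matches the one in a packet capture or on the peer. The following is an added illustration in C, written here and not strongSwan's own code; the function and type names (htoun64/untoh64 are re-implemented, spi_to_host, spi_format, ike_sa_id_t) and the sample header bytes are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Store a host-order 64-bit value as big-endian bytes at an unaligned address. */
static void htoun64(void *p, uint64_t v)
{
    uint8_t *b = p;
    for (int i = 7; i >= 0; i--) { b[i] = (uint8_t)v; v >>= 8; }
}

/* Read big-endian bytes from an unaligned address into a host-order value. */
static uint64_t untoh64(const void *p)
{
    const uint8_t *b = p;
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) { v = (v << 8) | b[i]; }
    return v;
}

/* IKE header SPIs the way a parser that memcpy()s the wire bytes keeps them:
 * the uint64_t holds the bytes in network order, not a host integer. */
typedef struct { uint64_t spi_i; uint64_t spi_r; } ike_sa_id_t;

void ike_sa_id_from_wire(ike_sa_id_t *id, const uint8_t hdr[16])
{
    memcpy(&id->spi_i, hdr, 8);
    memcpy(&id->spi_r, hdr + 8, 8);
}

/* Wire value as a host integer: what be64toh() yields, written so it is
 * correct on big- and little-endian hosts alike. */
uint64_t spi_to_host(uint64_t stored)
{
    return untoh64(&stored);
}

/* Hex as it appears on the wire and in a capture: 16 lowercase digits. */
void spi_format(char out[17], uint64_t stored)
{
    snprintf(out, 17, "%016llx", (unsigned long long)spi_to_host(stored));
}

/* The defect the commits fix: formatting the stored word as if it were
 * host order. On a little-endian host the bytes come out reversed. */
void spi_format_buggy(char out[17], uint64_t stored)
{
    snprintf(out, 17, "%016llx", (unsigned long long)stored);
}

/* Constructed IKEv2 header prefix: SPIi 0102030405060708, SPIr all zero
 * (as in an IKE_SA_INIT request). Not from a real capture. */
const uint8_t SAMPLE_IKE_HDR[16] = { 1, 2, 3, 4, 5, 6, 7, 8, 0, 0, 0, 0, 0, 0, 0, 0 };

int main(void)
{
    ike_sa_id_t id;
    char ok[17], bad[17];
    ike_sa_id_from_wire(&id, SAMPLE_IKE_HDR);
    spi_format(ok, id.spi_i);
    spi_format_buggy(bad, id.spi_i);
    printf("wire-order SPIi: %s   naive print: %s\n", ok, bad);
    return 0;
}
```

The practical check is to compare the SPI a daemon logs against `ip xfrm`/tcpdump output for the same SA: if they disagree byte-for-byte reversed, the code path is printing the network-order word without conversion.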
Tobias Brunner
5b45e15ad3
Merge branch 'ike-sig-contraints'
Signature scheme constraints against IKEv2 authentication may now be
configured independently of constraints against trustchains.
2016-03-04 16:43:24 +01:00
Tobias Brunner
c171afeaed
NEWS: Add note about IKEv2 signature scheme constraints
2016-03-04 16:42:30 +01:00
Tobias Brunner
130c485be6
swanctl: Document signature scheme constraints
2016-03-04 16:19:54 +01:00
Tobias Brunner
1ecec95dff
vici: Add support for pubkey constraints with EAP-TLS
This is a feature currently supported by stroke.
2016-03-04 16:19:54 +01:00
Tobias Brunner
3c23a75120
auth-cfg: Make IKE signature schemes configurable
This also restores the charon.signature_authentication_constraints
functionality, that is, if no explicit IKE signature schemes are
configured we apply all regular signature constraints as IKE constraints.
2016-03-04 16:19:54 +01:00
Tobias Brunner
e37e6d6dca
ikev2: Always store signature scheme in auth-cfg
As we use a different rule we can always store the scheme.
2016-03-04 16:19:53 +01:00
Thomas Egerer
c8a0781334
ikev2: Diversify signature scheme rule
This allows for different signature schemes for IKE authentication and
trustchain verification.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
2016-03-04 16:19:53 +01:00
Tobias Brunner
6fc6834361
NEWS: Document RFC 5685 support
2016-03-04 16:10:28 +01:00
Tobias Brunner
765db8d2fe
Merge branch 'ike-redirect'
This adds support for IKEv2 redirection (RFC 5685). There is currently
no default implementation of the redirect_provider_t interface provided.
Plugins may implement the interface to decide if and when to redirect
connecting clients. It is also possible to redirect established IKE_SAs
via VICI/swanctl.
2016-03-04 16:03:07 +01:00
Tobias Brunner
47701e1178
ike-init: Verify REDIRECT notify before processing IKE_SA_INIT message
An attacker could blindly send a message with invalid nonce data (or none
at all) to DoS an initiator if we just destroy the SA. To prevent this we
ignore the message and wait for the one by the correct responder.
2016-03-04 16:03:00 +01:00
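The check this commit message describes, as an added example in C written for this page (not strongSwan's ike_init task; the function and type names, the verdict enum and the sample nonce and gateway address are all constructed): RFC 5685 requires a REDIRECT notify sent in an IKE_SA_INIT response to carry the nonce from the initiator's IKE_SA_INIT request, precisely so that a third party who sees only the initiator's address cannot forge one. The defence is therefore to parse and compare before acting, and on any mismatch to drop the message and keep the half-open SA alive for the genuine responder, rather than tearing the SA down.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* RFC 5685, section 5: New Responder GW Identity types. */
enum { GW_IDENT_IPV4 = 1, GW_IDENT_IPV6 = 2, GW_IDENT_FQDN = 3 };

typedef enum {
    REDIRECT_OK = 0,            /* well-formed and carries our nonce: follow it      */
    REDIRECT_IGNORE_MALFORMED,  /* unparsable: ignore, keep the SA, wait for the peer */
    REDIRECT_IGNORE_NONCE,      /* nonce missing or wrong: possibly spoofed, same     */
} redirect_verdict_t;

typedef struct {
    uint8_t ident_type;
    const uint8_t *ident;   /* points into the notify data, not copied */
    size_t ident_len;
} redirect_info_t;

/*
 * data/len: notification data of a REDIRECT notify, i.e. the bytes after the
 * Notify Message Type field. sent_nonce: the Ni we put into our own
 * IKE_SA_INIT request. On REDIRECT_OK, *out describes the new gateway.
 * Any other verdict means "do nothing with this message": the SA must not be
 * destroyed on the strength of data an off-path attacker could have sent.
 */
redirect_verdict_t verify_redirect_notify(const uint8_t *data, size_t len,
                                          const uint8_t *sent_nonce,
                                          size_t sent_nonce_len,
                                          redirect_info_t *out)
{
    if (len < 2) {
        return REDIRECT_IGNORE_MALFORMED;
    }
    uint8_t type = data[0];
    size_t ident_len = data[1];
    if (len < 2 + ident_len) {
        return REDIRECT_IGNORE_MALFORMED;
    }
    switch (type) {
        case GW_IDENT_IPV4: if (ident_len != 4)  return REDIRECT_IGNORE_MALFORMED; break;
        case GW_IDENT_IPV6: if (ident_len != 16) return REDIRECT_IGNORE_MALFORMED; break;
        case GW_IDENT_FQDN: if (ident_len == 0)  return REDIRECT_IGNORE_MALFORMED; break;
        default:            return REDIRECT_IGNORE_MALFORMED;
    }
    const uint8_t *nonce = data + 2 + ident_len;
    size_t nonce_len = len - 2 - ident_len;
    /* A blind sender does not know Ni: anything but an exact match is dropped. */
    if (nonce_len != sent_nonce_len || memcmp(nonce, sent_nonce, nonce_len) != 0) {
        return REDIRECT_IGNORE_NONCE;
    }
    if (out) {
        out->ident_type = type;
        out->ident = data + 2;
        out->ident_len = ident_len;
    }
    return REDIRECT_OK;
}

/* Responder side: encode the notification data. Returns bytes written, 0 on error. */
size_t build_redirect_notify(uint8_t *buf, size_t cap, uint8_t type,
                             const uint8_t *ident, size_t ident_len,
                             const uint8_t *nonce, size_t nonce_len)
{
    if (ident_len > 255 || cap < 2 + ident_len + nonce_len) {
        return 0;
    }
    buf[0] = type;
    buf[1] = (uint8_t)ident_len;
    memcpy(buf + 2, ident, ident_len);
    memcpy(buf + 2 + ident_len, nonce, nonce_len);
    return 2 + ident_len + nonce_len;
}

/* Constructed sample values, not from a real exchange. */
const uint8_t SAMPLE_NONCE[16] = { 0x5a, 0x13, 0xc7, 0x88, 0x02, 0xfe, 0x41, 0x9d,
                                   0x6b, 0x30, 0xaa, 0x07, 0xd4, 0x1f, 0x9e, 0x22 };
const uint8_t SAMPLE_GW_IPV4[4] = { 192, 0, 2, 10 };

int main(void)
{
    uint8_t buf[64];
    redirect_info_t info;
    size_t n = build_redirect_notify(buf, sizeof(buf), GW_IDENT_IPV4, SAMPLE_GW_IPV4, 4,
                                     SAMPLE_NONCE, sizeof(SAMPLE_NONCE));
    printf("genuine redirect: verdict %d\n",
           verify_redirect_notify(buf, n, SAMPLE_NONCE, sizeof(SAMPLE_NONCE), &info));
    /* Blind spoof: the sender knows our address but not Ni and omits the nonce. */
    printf("spoofed redirect: verdict %d\n",
           verify_redirect_notify(buf, 2 + 4, SAMPLE_NONCE, sizeof(SAMPLE_NONCE), &info));
    return 0;
}
```

The verdict is deliberately split between "malformed" and "nonce mismatch" so that a deployment can count the second separately: a burst of nonce mismatches against one initiator is the signature of someone attempting exactly the blind DoS the commit message describes.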
Tobias Brunner
fb7cc16d67
ikev2: Allow tasks to verify request messages before processing them
2016-03-04 16:03:00 +01:00
Tobias Brunner
4b83619310
ikev2: Allow tasks to verify response messages before processing them
2016-03-04 16:03:00 +01:00
Tobias Brunner
b4968a952e
task: Add optional pre_process() method
This will eventually allow tasks to pre-process and verify received
messages.
2016-03-04 16:03:00 +01:00
Tobias Brunner
f80e910cce
testing: Add ikev2/redirect-active scenario
2016-03-04 16:03:00 +01:00
Tobias Brunner
9282bc39a7
ike-init: Ignore notifies related to redirects during rekeying
Also don't query redirect providers in this case.
2016-03-04 16:03:00 +01:00
Tobias Brunner
c6ebd0332e
ike-sa: Add limit for the number of redirects within a defined time period
2016-03-04 16:03:00 +01:00