034a462901
ikev2: Initiate other tasks after a no-op task
2016-03-10 11:07:14 +01:00
a05cff1ec0
ikev2: Don't do online revocation checks in pubkey authenticator if requested
...
We also update the auth config so the constraints are not enforced.
2016-03-10 11:07:14 +01:00
e19162a509
ike-sa: Add condition to suspend online certificate revocation checks for an IKE_SA
2016-03-10 11:07:14 +01:00
1b9c1ae018
ike-sa: Add method to verify certificates in completed authentication rounds
2016-03-10 11:07:14 +01:00
ef9171ad1e
auth-cfg: Add a rule to suspend certificate validation constraints
2016-03-10 11:07:14 +01:00
f371effc5d
credential-manager: Check cache queue when destroying trusted certificate enumerator
...
We already do this in the trusted public key enumerator (which
internally uses the trusted certificate enumerator) but should do so
also when this enumerator is used directly (since the public key
enumerator has the read lock the additional call will just be skipped
there).
2016-03-10 11:07:14 +01:00
5452e3d66e
credential-manager: Make online revocation checks optional for public key enumerator
2016-03-10 11:07:14 +01:00
819da83fcc
Merge branch 'charon-conf-fallback'
...
Makes charon-systemd and charon-svc also load settings from the charon
section in strongswan.conf.
Fixes #1300 .
2016-03-08 10:56:27 +01:00
2e190dca04
charon-svc: Inherit all settings from the charon section
...
Same as with charon-systemd.
2016-03-08 10:56:19 +01:00
bc4e689db1
charon-systemd: Inherit all settings from the charon section
...
Our default config files are very charon specific. So to avoid
confusion when only charon-systemd is installed we just default to all
settings defined for charon. Since charon-systemd probably won't be used
together with charon this should not cause conflicts (settings may still
be overridden via the charon-systemd section).
2016-03-08 10:56:19 +01:00
5c8dc908d0
library: Add option to register additional namespaces before calling library_init()
...
Because settings are already accessed in library_init(), calling
add_fallback() externally after calling library_init() is not ideal.
This way namespaces already serve as fallback while library_init() is
executed and they are also in the correct order so that libstrongswan is
always the last root section.
2016-03-08 10:56:19 +01:00
101abed566
vici: Replace child configs atomically
...
This also leaves unmodified configs as they are.
2016-03-08 10:21:58 +01:00
622c2b2c33
peer-cfg: Add method to atomically replace child configs
2016-03-08 10:21:58 +01:00
8db4f19ad9
ike-cfg: Use new method to compare proposal lists in equals()
2016-03-08 10:21:57 +01:00
f6a5e6b6a9
peer-cfg: Use new method to compare linked lists in equals()
...
This also compares the complete lists not only the first two items.
2016-03-08 10:21:57 +01:00
3af23606bf
child-cfg: Add equals() method
2016-03-08 10:21:57 +01:00
348b0ffbc6
linked-list: Add method to compare two lists of objects for equality
2016-03-08 10:21:57 +01:00
229cdf6bc8
vici: Order auth rounds by optional `round` parameter instead of by position in the request
2016-03-08 10:04:55 +01:00
fab4c845ec
ikev1: Send NAT-D payloads after vendor ID payloads in Aggressive Mode messages
...
Some implementations might otherwise not recognize the NAT-D payload
type. Also moves SIG and HASH payloads last in these messages.
Fixes #1239 .
2016-03-07 14:13:12 +01:00
d8adcb8ff9
ike-sa-manager: Log a checkin/failure message for every checkout
...
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
2016-03-07 11:16:52 +01:00
c2523355a4
testing: Added swanctl/mult-auth-rsa-eap-sim-id scenario
2016-03-06 19:09:03 +01:00
70ff382e41
testing: Added swanctl/xauth-rsa scenario
2016-03-06 12:28:55 +01:00
99b794a4cf
Display IKE ports with swanctl --list-sas
2016-03-05 18:19:00 +01:00
724f590711
Version bump to 5.4.0rc1
2016-03-05 18:18:12 +01:00
07b0eac4b1
testing: attr-sql is a charon plugin
2016-03-05 15:53:22 +01:00
26d2011b14
testing: Added swanctl/rw-psk-ikev1 scenario
2016-03-05 13:50:41 +01:00
1989c7a381
testing: Include IKE port information in evaltests
2016-03-05 13:44:06 +01:00
fe1f915b07
Version bump to 5.4.0dr8
2016-03-04 20:55:55 +01:00
ec9566ae24
ike-sa-manager: Log some additional details like SPIs when checking out SAs
2016-03-04 18:43:27 +01:00
67e28a3afa
smp: Correctly return IKE SPIs stored in network order
2016-03-04 18:43:26 +01:00
e32504352d
vici: Correctly return IKE SPIs stored in network order
2016-03-04 18:43:26 +01:00
db00982dad
stroke: Correctly print IKE SPIs stored in network order
2016-03-04 18:43:26 +01:00
fac9fd7368
byteorder: Simplify htoun64/untoh64 functions
2016-03-04 18:43:26 +01:00
14de79604a
byteorder: Always define be64toh/htobe64 macros
2016-03-04 18:43:26 +01:00
5b45e15ad3
Merge branch 'ike-sig-contraints'
...
Signature scheme constraints against IKEv2 authentication may now be
configured independently of constraints against trustchains.
2016-03-04 16:43:24 +01:00
c171afeaed
NEWS: Add note about IKEv2 signature scheme constraints
2016-03-04 16:42:30 +01:00
130c485be6
swanctl: Document signature scheme constraints
2016-03-04 16:19:54 +01:00
1ecec95dff
vici: Add support for pubkey constraints with EAP-TLS
...
This is a feature currently supported by stroke.
2016-03-04 16:19:54 +01:00
3c23a75120
auth-cfg: Make IKE signature schemes configurable
...
This also restores the charon.signature_authentication_constraints
functionality, that is, if no explicit IKE signature schemes are
configured we apply all regular signature constraints as IKE constraints.
2016-03-04 16:19:54 +01:00
e37e6d6dca
ikev2: Always store signature scheme in auth-cfg
...
As we use a different rule we can always store the scheme.
2016-03-04 16:19:53 +01:00
c8a0781334
ikev2: Diversify signature scheme rule
...
This allows for different signature schemes for IKE authentication and
trustchain verification.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
2016-03-04 16:19:53 +01:00
6fc6834361
NEWS: Document RFC 5685 support
2016-03-04 16:10:28 +01:00
765db8d2fe
Merge branch 'ike-redirect'
...
This adds support for IKEv2 redirection (RFC 5685). There is currently
no default implementation of the redirect_provider_t interface provided.
Plugins may implement the interface to decide if and when to redirect
connecting clients. It is also possible to redirect established IKE_SAs
via VICI/swanctl.
2016-03-04 16:03:07 +01:00
47701e1178
ike-init: Verify REDIRECT notify before processing IKE_SA_INIT message
...
An attacker could blindly send a message with invalid nonce data (or none
at all) to DoS an initiator if we just destroy the SA. To prevent this we
ignore the message and wait for the one by the correct responder.
2016-03-04 16:03:00 +01:00
fb7cc16d67
ikev2: Allow tasks to verify request messages before processing them
2016-03-04 16:03:00 +01:00
4b83619310
ikev2: Allow tasks to verify response messages before processing them
2016-03-04 16:03:00 +01:00
b4968a952e
task: Add optional pre_process() method
...
This will eventually allow tasks to pre-process and verify received
messages.
2016-03-04 16:03:00 +01:00
f80e910cce
testing: Add ikev2/redirect-active scenario
2016-03-04 16:03:00 +01:00
9282bc39a7
ike-init: Ignore notifies related to redirects during rekeying
...
Also don't query redirect providers in this case.
2016-03-04 16:03:00 +01:00
c6ebd0332e
ike-sa: Add limit for the number of redirects within a defined time period
2016-03-04 16:03:00 +01:00
Tobias Brunner