Tobias Brunner
034a462901
ikev2: Initiate other tasks after a no-op task
2016-03-10 11:07:14 +01:00
Tobias Brunner
a05cff1ec0
ikev2: Don't do online revocation checks in pubkey authenticator if requested
We also update the auth config so the constraints are not enforced.
2016-03-10 11:07:14 +01:00
Tobias Brunner
e19162a509
ike-sa: Add condition to suspend online certificate revocation checks for an IKE_SA
2016-03-10 11:07:14 +01:00
Tobias Brunner
1b9c1ae018
ike-sa: Add method to verify certificates in completed authentication rounds
2016-03-10 11:07:14 +01:00
Tobias Brunner
5452e3d66e
credential-manager: Make online revocation checks optional for public key enumerator
2016-03-10 11:07:14 +01:00
Tobias Brunner
101abed566
vici: Replace child configs atomically
This also leaves unmodified configs as they are.
2016-03-08 10:21:58 +01:00
Tobias Brunner
622c2b2c33
peer-cfg: Add method to atomically replace child configs
2016-03-08 10:21:58 +01:00
Tobias Brunner
8db4f19ad9
ike-cfg: Use new method to compare proposal lists in equals()
2016-03-08 10:21:57 +01:00
Tobias Brunner
f6a5e6b6a9
peer-cfg: Use new method to compare linked lists in equals()
This also compares the complete lists, not only the first two items.
2016-03-08 10:21:57 +01:00
Tobias Brunner
3af23606bf
child-cfg: Add equals() method
2016-03-08 10:21:57 +01:00
Tobias Brunner
229cdf6bc8
vici: Order auth rounds by optional `round` parameter instead of by position in the request
2016-03-08 10:04:55 +01:00
Tobias Brunner
fab4c845ec
ikev1: Send NAT-D payloads after vendor ID payloads in Aggressive Mode messages
Some implementations might otherwise not recognize the NAT-D payload
type. Also moves SIG and HASH payloads last in these messages.
Fixes #1239.
2016-03-07 14:13:12 +01:00
Thomas Egerer
d8adcb8ff9
ike-sa-manager: Log a checkin/failure message for every checkout
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
2016-03-07 11:16:52 +01:00
Tobias Brunner
ec9566ae24
ike-sa-manager: Log some additional details like SPIs when checking out SAs
2016-03-04 18:43:27 +01:00
Tobias Brunner
67e28a3afa
smp: Correctly return IKE SPIs stored in network order
2016-03-04 18:43:26 +01:00
Tobias Brunner
e32504352d
vici: Correctly return IKE SPIs stored in network order
2016-03-04 18:43:26 +01:00
Tobias Brunner
db00982dad
stroke: Correctly print IKE SPIs stored in network order
2016-03-04 18:43:26 +01:00
Tobias Brunner
1ecec95dff
vici: Add support for pubkey constraints with EAP-TLS
This is a feature currently supported by stroke.
2016-03-04 16:19:54 +01:00
Tobias Brunner
3c23a75120
auth-cfg: Make IKE signature schemes configurable
This also restores the charon.signature_authentication_constraints
functionality, that is, if no explicit IKE signature schemes are
configured we apply all regular signature constraints as IKE constraints.
2016-03-04 16:19:54 +01:00
Tobias Brunner
e37e6d6dca
ikev2: Always store signature scheme in auth-cfg
As we use a different rule, we can always store the scheme.
2016-03-04 16:19:53 +01:00
Thomas Egerer
c8a0781334
ikev2: Diversify signature scheme rule
This allows for different signature schemes for IKE authentication and
trustchain verification.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
2016-03-04 16:19:53 +01:00
Tobias Brunner
47701e1178
ike-init: Verify REDIRECT notify before processing IKE_SA_INIT message
An attacker could blindly send a message with invalid nonce data (or none
at all) to DoS an initiator if we just destroy the SA. To prevent this we
ignore the message and wait for the one by the correct responder.
2016-03-04 16:03:00 +01:00
Tobias Brunner
fb7cc16d67
ikev2: Allow tasks to verify request messages before processing them
2016-03-04 16:03:00 +01:00
Tobias Brunner
4b83619310
ikev2: Allow tasks to verify response messages before processing them
2016-03-04 16:03:00 +01:00
Tobias Brunner
b4968a952e
task: Add optional pre_process() method
This will eventually allow tasks to pre-process and verify received
messages.
2016-03-04 16:03:00 +01:00
Tobias Brunner
9282bc39a7
ike-init: Ignore notifies related to redirects during rekeying
Also don't query redirect providers in this case.
2016-03-04 16:03:00 +01:00
Tobias Brunner
c6ebd0332e
ike-sa: Add limit for the number of redirects within a defined time period
2016-03-04 16:03:00 +01:00
Tobias Brunner
7505fb8d45
ike-sa: Reauthenticate to the same addresses we currently use
If the SA got redirected, this would otherwise cause a reauthentication with
the original gateway. Reestablishing the SA to the original gateway if, e.g.,
the new gateway is not reachable makes sense though.
2016-03-04 16:03:00 +01:00
Tobias Brunner
c13eb73719
vici: Don't redirect all SAs if no selectors are given
This avoids confusion, and redirecting all SAs can now easily be done
explicitly (e.g. peer_ip=0.0.0.0/0).
2016-03-04 16:03:00 +01:00
Tobias Brunner
27074f3155
vici: Match subnets and ranges against peer IP in redirect command
2016-03-04 16:03:00 +01:00
Tobias Brunner
bef4518de7
vici: Match identity with wildcards against remote ID in redirect command
2016-03-04 16:02:59 +01:00
Tobias Brunner
43b46b26ea
vici: Add redirect command
This allows redirecting IKE_SAs by multiple different selectors; if none
are given, all SAs are redirected.
2016-03-04 16:02:59 +01:00
Tobias Brunner
0d424d2107
redirect-job: Add job to redirect an active IKE_SA
2016-03-04 16:02:59 +01:00
Tobias Brunner
71c7070588
ike-sa: Add redirect() method to actively redirect an IKE_SA
2016-03-04 16:02:59 +01:00
Tobias Brunner
0840385b27
ike-redirect: Add task to redirect active IKE_SAs
2016-03-04 16:02:59 +01:00
Tobias Brunner
f5a9025ce9
ike-auth: Handle REDIRECT notifies during IKE_AUTH
2016-03-04 16:02:59 +01:00
Tobias Brunner
f20e00fe54
ike-sa: Handle redirect requests for established SAs as reestablishment
We handle this similarly to how we reestablish IKE_SAs with all CHILD_SAs,
which also includes the one actively queued during IKE_AUTH.
To delete the old SA we use the recently added ike_reauth_complete task.
2016-03-04 16:02:59 +01:00
Tobias Brunner
19233ef980
ike-auth: Send REDIRECT notify during IKE_AUTH if requested by providers
To prevent the creation of the CHILD_SA we set a condition on the
IKE_SA. We also schedule a delete job in case the client does not
terminate the IKE_SA (which is a SHOULD in RFC 5685).
2016-03-04 16:02:59 +01:00
Tobias Brunner
fdc4b82728
ike-config: Do not assign attributes for redirected IKE_SAs
2016-03-04 16:02:59 +01:00
Tobias Brunner
b6fcb91762
child-create: Don't create CHILD_SA if the IKE_SA got redirected in IKE_AUTH
2016-03-04 16:02:59 +01:00
Tobias Brunner
d68c05d269
ike-sa: Add a condition to mark redirected IKE_SAs
2016-03-04 16:02:58 +01:00
Tobias Brunner
3d074bce00
ike-init: Handle REDIRECTED_FROM similar to REDIRECT_SUPPORTED as server
2016-03-04 16:02:58 +01:00
Tobias Brunner
6cde9875e1
ike-init: Send REDIRECTED_FROM instead of REDIRECT_SUPPORTED if appropriate
2016-03-04 16:02:58 +01:00
Tobias Brunner
e4af6e6b7a
ike-sa: Keep track of the address of the gateway that redirected us
2016-03-04 16:02:58 +01:00
Tobias Brunner
489d154e63
ikev2: Add option to disable following redirects as client
2016-03-04 16:02:58 +01:00
Tobias Brunner
c126ddd048
ikev2: Handle REDIRECT notifies during IKE_SA_INIT
2016-03-04 16:02:58 +01:00
Tobias Brunner
dd2b335b79
ike-init: Send REDIRECT notify during IKE_SA_INIT if requested by providers
2016-03-04 16:02:58 +01:00
Tobias Brunner
2beb26b948
redirect-manager: Add helper function to create and parse REDIRECT notify data
The same encoding is also used for the REDIRECT_FROM notifies.
2016-03-04 16:02:58 +01:00
Tobias Brunner
fa5cfbdcbf
redirect-manager: Verify type of returned gateway ID
2016-03-04 16:02:58 +01:00
Tobias Brunner
10009b2954
ike-init: Send REDIRECT_SUPPORTED as initiator
2016-03-04 16:02:58 +01:00