Martin Willi
719c33b41a
Send INITIAL_CONTACT even if we have a unique policy
2011-01-10 11:54:10 +01:00
Martin Willi
1ed482d808
Fix nonce comparison in rekey collisions, lowest nonce loses
2011-01-07 15:51:35 +01:00
Martin Willi
6f5892f5c7
Destroy existing IKE_SAs with same identities when receiving INITIAL_CONTACT
2011-01-05 16:46:08 +01:00
Martin Willi
a4a1e24d37
Send INITIAL_CONTACT for the first IKE_SA if it has a unique policy
2011-01-05 16:46:08 +01:00
Martin Willi
240bd7dbb7
Migrated ike_sa_manager_t to INIT/METHOD macros, some cleanups
2011-01-05 16:46:08 +01:00
Martin Willi
3a89b3c52f
Provide CRLs received in CERT payloads to trustchain verification
2011-01-05 16:46:06 +01:00
Martin Willi
5f15faebc8
Include the used reserved bytes from ID payloads in AUTH calculation
2011-01-05 16:45:53 +01:00
Martin Willi
502edf425f
Migrated psk/pubkey_authenticators to INIT/METHOD macros
2011-01-05 16:45:53 +01:00
Martin Willi
9ca5d0280e
Moved check if packet already encoded to ike_sa, avoids message() hook invocation twice
2011-01-05 16:45:52 +01:00
Martin Willi
c67de660d2
Move critical bit checking to ike_sa, notify payload includes unsupported payload type
2011-01-05 16:45:44 +01:00
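The commit above concerns how an IKEv2 implementation walks the payload chain of a message and reacts to an unknown payload whose critical bit is set: RFC 5996 requires rejecting the message with an UNSUPPORTED_CRITICAL_PAYLOAD notify whose notification data is the one-octet type of the offending payload, while unknown non-critical payloads are simply skipped. The following is an added example written for this page, not strongSwan code; the payload type numbers, the notify type values and the error/status split at 16383 (also referenced in the two NOTIFY range commits further down) come from RFC 5996, and the constructed sample messages in the test are my own.

```python
"""IKEv2 generic payload header walk with critical-bit handling.
Added example for this page; not strongSwan code. Constants per RFC 5996."""
import struct

PAYLOAD_NO_NEXT = 0
PAYLOAD_NONCE = 40
PAYLOAD_NOTIFY = 41
# Payload types an implementation of RFC 5996 understands (section 3.2 table).
KNOWN_PAYLOADS = set(range(33, 49))

# Notify message types (RFC 5996 section 3.10.1): 1..16383 are errors,
# 16384..65535 are status notifications.
UNSUPPORTED_CRITICAL_PAYLOAD = 1
INVALID_SYNTAX = 7
MAX_ERROR_NOTIFY = 16383


def is_error_notify(msg_type):
    """True for the error half of the notify message type space."""
    return 1 <= msg_type <= MAX_ERROR_NOTIFY


def parse_payloads(first_type, data):
    """Walk a payload chain starting with type `first_type`.

    Returns (payloads, error): payloads is a list of (type, body) for known
    payloads; error is None on success, or (notify_type, notification_data)
    describing the error notify the receiver should send back.
    """
    payloads = []
    ptype = first_type
    off = 0
    while ptype != PAYLOAD_NO_NEXT:
        if off + 4 > len(data):
            return payloads, (INVALID_SYNTAX, b"")
        # Generic payload header: Next Payload (1), C + RESERVED (1), Length (2)
        next_type, flags, length = struct.unpack_from("!BBH", data, off)
        critical = bool(flags & 0x80)
        if length < 4 or off + length > len(data):
            return payloads, (INVALID_SYNTAX, b"")
        body = data[off + 4:off + length]
        if ptype not in KNOWN_PAYLOADS:
            if critical:
                # Reject: notification data carries the unsupported payload type.
                return payloads, (UNSUPPORTED_CRITICAL_PAYLOAD, bytes([ptype]))
            # Unknown but not critical: skip it and continue with the chain.
        else:
            payloads.append((ptype, body))
        off += length
        ptype = next_type
    return payloads, None


def build_notify(msg_type, notification_data, protocol_id=0, spi=b""):
    """Encode a Notify payload body (without the generic payload header):
    Protocol ID (1), SPI Size (1), Notify Message Type (2), SPI, data."""
    return struct.pack("!BBH", protocol_id, len(spi), msg_type) + spi + notification_data


def encode_payload(next_type, body, critical=False):
    """Prepend a generic payload header to `body` (helper for constructing samples)."""
    flags = 0x80 if critical else 0x00
    return struct.pack("!BBH", next_type, flags, 4 + len(body)) + body
```

Usage: build a Nonce payload followed by a payload of a private-use type such as 200, once with the critical bit set and once without, and feed both chains to `parse_payloads`. The critical variant stops at the unknown payload and yields `(1, b"\xc8")`, which `build_notify` turns into the notification to send; the non-critical variant returns the nonce alone with no error.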
Martin Willi
e7099aa24e
Handle all error notifies in CREATE_CHILD_SA exchanges
2011-01-05 16:45:44 +01:00
Martin Willi
c146c3c4e1
Ignore messages with exchange type altered to UNDEFINED in message() hook
2011-01-05 16:45:42 +01:00
Martin Willi
89fda1abb5
Moved message()-hook invocation to generate_message(), catch pre-generated IKE_SA_INITs, too
2011-01-05 16:45:41 +01:00
Martin Willi
6c2d466b90
Support manually triggered DPD check, even if DPD disabled in config
2011-01-05 16:45:40 +01:00
Andreas Steffen
905ab99fc1
eliminated whitespace
2010-12-21 17:51:27 +01:00
Andreas Steffen
cf16a29dac
Migrated child_create_t to INIT/METHOD macros
2010-12-21 17:49:07 +01:00
Martin Willi
55df72e6d5
Do not use TFC padding if peer does not support ESPv3
2010-12-20 09:45:39 +01:00
Martin Willi
37788b1d06
Added a TFC padding option to child_cfg
2010-12-20 09:45:39 +01:00
Martin Willi
d86bb6ef4d
Implemented Traffic Flow Confidentiality padding in kernel_interface
2010-12-20 09:45:39 +01:00
Jiri Bohac
19b7f763b3
Install selectors on transport mode IPsec SAs.
...
This fixes several test cases in IKEv2_Self_Test (part of the IPv6 Ready
Logo Program) which is required for USGv6 certification, namely:
- IKEv2.EN.I.1.1.7.1, IKEv2.EN.I.1.1.7.1: Narrowing the range of members
of the set of traffic selectors
- IKEv2.EN.R.1.1.7.3: Narrowing multiple traffic selector
When traffic selectors of a triggered SA are narrowed by the responder, the
installed policy and the broader trap policy share the same reqid. Without
selectors on the IPsec SA packets matching the trap policy, but not the
narrowed policy, would incorrectly be handled by that IPsec SA. Since only
one selector can be specified per IPsec SA, there is currently no solution
for tunnel mode SAs.
2010-12-13 15:28:40 +01:00
Martin Willi
86993d6b90
Never register IKE_SA during checkout_new, as rekeying keeps it checked out
2010-12-07 16:30:38 +01:00
Thomas Egerer
76ce213c43
Guarantee entry->other is set when calling put_connected_peers
...
Given the original intent of entry->host, the check for DoS attacks, it
can happen that this value remains NULL when an entry is created. This
is particularly awkward if put_connected_peers is called to check if a
connection to a given peer already exists, since it takes the address
family into consideration (git commit b74219d0) which is gleaned from
entry->host.
This patch guarantees that entry->other is a clone of host before
put_connected_peers is called.
2010-12-06 10:56:57 +01:00
Thomas Egerer
e66420566c
Do not checkin a previously destroyed SA
2010-11-16 10:25:33 +01:00
Thomas Egerer
8f927116be
Extend connected peers by peer family
...
This allows for simultaneous IPv4 and IPv6 tunnels for the same peers with
matching identities.
2010-11-12 16:28:04 +01:00
Tobias Brunner
1dbf0ed982
Do not add additional addresses to MOBIKE path probing messages.
2010-10-12 11:11:06 +02:00
Tobias Brunner
5774408898
Change behavior of responder during roaming.
...
If the current source address is not available anymore, the responder
uses ike_mobike_t.roam, thus, uses multiple address combinations when
trying to notify the initiator.
2010-10-12 11:11:05 +02:00
Tobias Brunner
c5770f864f
Allow responder to use ike_mobike_t.roam.
...
After getting a response the responder updates the IPsec SAs.
2010-10-12 11:11:05 +02:00
Tobias Brunner
261b2572d1
Send list of additional addresses even if current path is still valid.
2010-10-12 11:11:05 +02:00
Tobias Brunner
bab56a4abb
Extracted path checking in ike_sa_t.roam into separate functions.
2010-10-12 11:11:05 +02:00
Tobias Brunner
769c69facc
Added support for responders to change their address via MOBIKE.
...
If the original responder updates its list of additional addresses we
check if the remote endpoint changed and update the IPsec SAs if it did,
as we assume the original address became unavailable and the responder
already updated the SAs on its side.
2010-10-12 11:11:05 +02:00
Tobias Brunner
13876431d6
Explicitly configure MOBIKE tasks to update the list of additional addresses.
2010-10-12 11:11:05 +02:00
Tobias Brunner
31e7dc4dfd
Improved check for first IKE_AUTH message in ike_mobike task.
...
If the original responder initiated a MOBIKE exchange, the previous
check was not always correct.
2010-10-12 11:11:05 +02:00
Tobias Brunner
c817e7bb90
Migrated ike_mobike task to INIT/METHOD macros.
2010-10-12 11:11:05 +02:00
Tobias Brunner
be90134211
Simplified apply_port function in mobike task.
2010-10-12 11:11:04 +02:00
Tobias Brunner
cd26eedc5c
Do not update hosts based on retransmitted messages.
2010-10-12 11:11:04 +02:00
Tobias Brunner
d5bd775126
Do not update remote host if we are behind a NAT.
2010-10-12 11:11:04 +02:00
Andreas Steffen
3c354b6d11
NOTIFY error message types include 16383
2010-09-29 19:01:36 +02:00
Tobias Brunner
71b6d2ff5e
Adapted child_sa_t to changed kernel interface.
2010-09-02 19:04:22 +02:00
Tobias Brunner
bd7a2f3bfc
Added an option to specify the type of a policy to kernel_ipsec.add_policy.
...
This will later allow us to support pluto's passthrough and drop
policies in charon.
2010-09-02 19:04:19 +02:00
Tobias Brunner
b4872c1e09
Replaced the protocol argument in add_policy with an optional SPI for an AH SA.
2010-09-02 19:04:19 +02:00
Tobias Brunner
bb381e26c6
Refer to scheduler and processor via lib and not hydra.
2010-09-02 19:04:18 +02:00
Tobias Brunner
f6659688ab
Refer to kernel interface via hydra and not charon.
2010-09-02 19:01:25 +02:00
Tobias Brunner
9f166d9ac2
Removed references to protocol_id_t from kernel interface.
...
Instead we use the actual IP protocol identifier (the conversion now happens in
child_sa_t and kernel_handler_t).
2010-09-02 19:01:25 +02:00
Tobias Brunner
9d94174242
Migrated child_sa_t to INIT/METHOD macros.
2010-09-02 19:01:25 +02:00
Tobias Brunner
61e8e73206
Refer to scheduler via hydra and not charon.
2010-09-02 19:01:24 +02:00
Tobias Brunner
c5f7146b17
Refer to processor via hydra and not charon.
2010-09-02 19:01:22 +02:00
Martin Willi
36eafea232
Use the AAA Identity for EAP authentication, if given
2010-08-31 18:10:23 +02:00
Martin Willi
f13a03add0
Moved EAP type/code definitions to a separate header file in libstrongswan
2010-08-31 15:35:29 +02:00
Tobias Brunner
2402dee177
Port floating patch partially reversed.
...
If MOBIKE is enabled, we do have to switch to port 4500 with the
IKE_AUTH request, that is, before we know whether the other peer
actually supports MOBIKE or not.
2010-08-30 14:54:31 +02:00
Tobias Brunner
277f02ce9e
Slightly refactored port floating.
...
In case of MOBIKE, only float to port 4500 if the other peer actually supports MOBIKE.
2010-08-30 13:42:58 +02:00
Tobias Brunner
fde2d34d0f
Fixed ME after introduction of AEAD wrapper.
2010-08-30 10:48:09 +02:00
Martin Willi
5299719569
Migrated delete_payload to INIT/METHOD macros, replaced iterator
2010-08-25 17:03:00 +02:00
Thomas Egerer
e54e86cb49
Check if colliding rekey actually created an IKE_INIT
...
In some cases (especially if a child is half-open) the colliding
rekey-job might not have created the ike_init member. If so, the
nonce check fails with SIGSEGV.
2010-08-25 10:16:42 +02:00
Martin Willi
2e64455ee1
Fixed crypter keymat derivation bug
2010-08-19 19:28:08 +02:00
Martin Willi
84eb3aa456
Implemented IKEv2 keymat derivation for AEAD algorithms
2010-08-19 19:02:34 +02:00
Martin Willi
b519071299
Use AEAD wrapper for encryption payload encryption/decryption
2010-08-19 19:02:33 +02:00
Martin Willi
5555b900b2
Migrated keymat to INIT/METHOD macros
2010-08-19 12:35:53 +02:00
Martin Willi
ba31fe1fd6
Use a separate section for each nested struct member in INIT macro
2010-08-18 12:15:03 +02:00
Andreas Steffen
53115857ae
some simplifications using the INIT macro
2010-08-17 20:09:32 +02:00
Martin Willi
c03b0d7e6b
Added support for Camellia cipher to xcbc
2010-08-13 17:11:54 +02:00
Andreas Steffen
45c4021bd0
Migrated eap_authenticator to INIT/METHOD macros
2010-08-13 15:58:53 +02:00
Andreas Steffen
fe6ae23d1f
Migrated eap_manager to INIT/METHOD macros
2010-08-13 15:32:37 +02:00
Andreas Steffen
87799b0c00
moved eap_from_string() from libcharon to libstrongswan to make it available in starter
2010-08-13 15:07:53 +02:00
Andreas Steffen
4412ee86c5
recognize eap-ttls method
2010-08-12 23:58:54 +02:00
Martin Willi
a944d2092b
Use bits instead of bytes for a private/public key
2010-08-10 18:46:30 +02:00
Jiri Bohac
30d8e8d04d
fix error-type range in parsing of NOTIFY payloads
2010-08-06 11:47:35 +02:00
Tobias Brunner
83628fd600
Accept EAP_ONLY_AUTHENTICATION notifies from any client, now that IANA allocated an ID.
2010-08-04 12:58:53 +02:00
Martin Willi
65858b83f8
Destroy IKE_SA Managers crypto primitives during flush, the plugins are gone in destroy
2010-08-04 09:26:21 +02:00
Martin Willi
2107953804
Added EAP-TLS plugin stub
2010-08-03 15:39:24 +02:00
Thomas Egerer
86a73f16ab
Do not touch child from collision if peer deleted it
2010-08-03 10:32:38 +02:00
Martin Willi
b2e447e24a
Pass the CREATE_CHILD_SA initiator flag to the child_keys parameter
2010-07-26 13:53:53 +02:00
Martin Willi
5b6c220d13
Added log statement if peer requests EAP, but current config does not allow it
2010-07-21 17:09:15 +02:00
Martin Willi
0406eeaacb
Support different encoding types in certificate.get_encoding()
2010-07-13 13:53:20 +02:00
Martin Willi
da9724e6d0
Renamed key_encod{ing,der}_t and constants, prepare for generic credential encoding
2010-07-13 11:29:35 +02:00
Martin Willi
e57a29c731
Moved X509 ipAddrBlock checking to the addrblock plugin
2010-07-13 10:26:07 +02:00
Martin Willi
be715344c2
Added a hook to narrow traffic selectors for CHILD_SAs
2010-07-13 10:26:07 +02:00
Martin Willi
2ccc02a4fd
Moved credential manager to libstrongswan
2010-07-13 10:26:07 +02:00
Heiko Hund
ec7adea007
Added support for named attribute groups
...
Add the possibility to group attributes by a name and assign these
groups to connections. This allows a more granular configuration of
which client will receive what attributes.
2010-07-09 13:09:31 +02:00
Martin Willi
4cc9afe35f
Print identity to a lease address on the same line for simpler grepping
2010-07-08 17:44:19 +02:00
Martin Willi
53913d764e
Use the responder side configured EAP-Identity directly, if given
2010-07-05 09:41:04 +02:00
Martin Willi
ec6caa1367
Copy EAP specific attributes to auth config only
2010-07-05 09:41:04 +02:00
Andreas Steffen
ee26c537d7
support of xfrm marks for IKEv2
2010-07-02 23:46:09 +02:00
Martin Willi
02571374c4
Recreate IKE_SA_INIT related tasks only if they have completed
2010-06-30 13:48:47 +02:00
Thomas Egerer
31d0efd7e9
Use enumerator for queued_tasks migration to avoid infinite loop
2010-06-30 13:24:43 +02:00
Thomas Egerer
6d61e334f7
Correct check of traffic selectors before destruction
2010-06-29 09:22:50 +02:00
Thomas Egerer
7f1eb89517
Migrate queued_tasks tasks, to avoid dangling pointers
2010-06-29 09:20:05 +02:00
Thomas Egerer
03ffa88531
Add extra information in debug output for IKE_SA check{out, in}
...
This output helps tracing checkout and checkin of IKE_SAs when there is
more than one IKE_SA with the same name. I also added the type of
in-air-exchange to the debug output issued by the task_manager in case
a task initiation is delayed, came in handy for me.
2010-06-07 15:12:13 +02:00
Martin Willi
550d9085fa
Flush auth configs, create new keymat during SA reset
2010-06-07 14:59:39 +02:00
Martin Willi
dbdb69f908
Recreate IKE_INIT/IKE_NATD/IKE_VENDOR tasks if we reset SA during IKE_AUTH
2010-06-07 14:58:57 +02:00
Martin Willi
8b56ec20f3
Reacquire keymat from new IKE_SA during task migration
2010-06-07 14:56:24 +02:00
Martin Willi
ea340ee840
Wrap task enumerator in ike_sa
2010-06-07 11:37:55 +02:00
Martin Willi
8bced61b76
Migrated ike_sa_t to INIT/METHOD macros
2010-06-07 09:30:27 +00:00
Martin Willi
665c18bd85
Added support for task enumeration in task_manager_t
2010-06-07 10:45:25 +02:00
Martin Willi
9560a3166f
Migrated task_manager_t to INIT/METHOD macros
2010-06-07 10:37:00 +02:00
Martin Willi
2f57e6da0e
Disable close action for a redundant CHILD_SA resulting from a rekey collision
...
If a rekey collision is detected, the winning peer of the nonce compare
will delete the redundant CHILD_SA. The other peer should not enforce the
close action on this CHILD, as it would reestablish the redundant CHILD_SA.
Thanks to Thomas Egerer from secunet for pointing this out and the initial
patchset.
2010-06-02 11:48:52 +02:00
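The rekey-collision commits on this page (the nonce comparison fix near the top, the "colliding rekey actually created an IKE_INIT" crash fix, and this one about the close action) all rest on the same RFC 5996 section 2.8.1 rule: when both peers rekey the same CHILD_SA at once, the CHILD_SA created by the exchange containing the lowest of the four nonces is redundant and is deleted by the side that initiated that exchange; the other side must then treat the incoming delete as expected and not re-establish the CHILD_SA via its close action. The following is an added example written for this page, not strongSwan code; the two-peer simulation, the byte-wise (memcmp-like) nonce comparison and the sample nonces are my own assumptions used to show that both peers reach complementary decisions.

```python
"""CHILD_SA rekey collision resolution per RFC 5996 section 2.8.1.
Added example for this page; not strongSwan code."""


def collision_loser(our_nonce_i, our_nonce_r, peer_nonce_i, peer_nonce_r):
    """Decide which colliding CREATE_CHILD_SA exchange produced the redundant CHILD_SA.

    (our_nonce_i, our_nonce_r): nonces of the exchange we initiated.
    (peer_nonce_i, peer_nonce_r): nonces of the exchange the peer initiated,
    or None if the peer's exchange never got far enough to produce them.
    Returns 'ours' if we must delete our own CHILD_SA, 'theirs' if the peer
    deletes its CHILD_SA, or None if there is no complete collision to resolve.
    """
    if peer_nonce_i is None or peer_nonce_r is None:
        # Half-open collision: no nonces to compare, so nothing to decide yet
        # (the situation the e54e86cb49 crash fix guards against).
        return None
    # bytes compare lexicographically, which for equal-length nonces matches memcmp.
    lowest = min(our_nonce_i, our_nonce_r, peer_nonce_i, peer_nonce_r)
    return "ours" if lowest in (our_nonce_i, our_nonce_r) else "theirs"


def on_child_deleted_by_peer(decision, configured_close_action):
    """Return the close action to enforce when the peer deletes a CHILD_SA.

    If we decided the peer's CHILD_SA was the redundant one ('theirs'), its
    delete is the expected outcome of the collision and the configured close
    action (e.g. 'restart' or 'hold') must not be enforced, otherwise the
    redundant CHILD_SA would simply be re-established.
    """
    if decision == "theirs":
        return "none"
    return configured_close_action


def simulate_collision(a_exchange, b_exchange):
    """Run the decision from both peers' points of view.

    a_exchange / b_exchange: (nonce_i, nonce_r) of the exchange each peer
    initiated. Returns (A's decision, B's decision).
    """
    a_view = collision_loser(*a_exchange, *b_exchange)
    b_view = collision_loser(*b_exchange, *a_exchange)
    return a_view, b_view


def decisions_consistent(a_view, b_view):
    """Exactly one side must delete; both saying 'ours' or both 'theirs' is a bug."""
    return {a_view, b_view} == {"ours", "theirs"}
```

Usage: feed `simulate_collision` the nonce pairs of both exchanges and check `decisions_consistent` on the result; a correct comparison always yields one `'ours'` and one `'theirs'`, and `on_child_deleted_by_peer('theirs', 'restart')` returns `'none'`, i.e. the losing peer's delete is accepted without restarting the CHILD_SA.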
Martin Willi
fe02d99b96
Use wrapped getters for close/dpd action
2010-06-02 11:48:51 +02:00
Martin Willi
4c401ea216
Wrap getters for dpd/close action into CHILD_SA, allows us to override them
2010-06-02 11:48:44 +02:00
Tobias Brunner
d070e0a6d1
Do not install trap policy if remote host is %any.
2010-05-28 15:43:12 +02:00
Martin Willi
ea409980b9
Handle collisions between rekey and the following delete properly
2010-05-18 12:21:38 +02:00
Reto Buerki
71a66a623e
Use reqid from connection config if present.
2010-05-04 14:38:34 +02:00