Commit Graph

156 Commits

Author SHA1 Message Date
Martin Willi 719c33b41a Send INITIAL_CONTACT even if we have a unique policy 2011-01-10 11:54:10 +01:00
Martin Willi 1ed482d808 Fix nonce comparison in rekey collisions, lowest nonce loses 2011-01-07 15:51:35 +01:00
Martin Willi 6f5892f5c7 Destroy existing IKE_SAs with same identities when receiving INITIAL_CONTACT 2011-01-05 16:46:08 +01:00
Martin Willi a4a1e24d37 Send INITIAL_CONTACT for the first IKE_SA if it has a unique policy 2011-01-05 16:46:08 +01:00
Martin Willi 240bd7dbb7 Migrated ike_sa_manager_t to INIT/METHOD macros, some cleanups 2011-01-05 16:46:08 +01:00
Martin Willi 3a89b3c52f Provide CRLs received in CERT payloads to trustchain verification 2011-01-05 16:46:06 +01:00
Martin Willi 5f15faebc8 Include the used reserved bytes from ID payloads in AUTH calculation 2011-01-05 16:45:53 +01:00
Martin Willi 502edf425f Migrated psk/pubkey_authenticators to INIT/METHOD macros 2011-01-05 16:45:53 +01:00
Martin Willi 9ca5d0280e Moved check if packet already encoded to ike_sa, avoids message() hook invocation twice 2011-01-05 16:45:52 +01:00
Martin Willi c67de660d2 Move critical bit checking to ike_sa, notify payload includes unsupported payload type 2011-01-05 16:45:44 +01:00
Martin Willi e7099aa24e Handle all error notifies in CREATE_CHILD_SA exchanges 2011-01-05 16:45:44 +01:00
Martin Willi c146c3c4e1 Ignore messages with exchange type altered to UNDEFINED in message() hook 2011-01-05 16:45:42 +01:00
Martin Willi 89fda1abb5 Moved message()-hook invocation to generate_message(), catch pre-generated IKE_SA_INITs, too 2011-01-05 16:45:41 +01:00
Martin Willi 6c2d466b90 Support manually triggered DPD check, even if DPD disabled in config 2011-01-05 16:45:40 +01:00
Andreas Steffen 905ab99fc1 eliminated whitespace 2010-12-21 17:51:27 +01:00
Andreas Steffen cf16a29dac Migrated child_create_t to INIT/METHOD macros 2010-12-21 17:49:07 +01:00
Martin Willi 55df72e6d5 Do not use TFC padding if peer does not support ESPv3 2010-12-20 09:45:39 +01:00
Martin Willi 37788b1d06 Added a TFC padding option to child_cfg 2010-12-20 09:45:39 +01:00
Martin Willi d86bb6ef4d Implemented Traffic Flow Confidentiality padding in kernel_interface 2010-12-20 09:45:39 +01:00
Jiri Bohac 19b7f763b3 Install selectors on transport mode IPsec SAs.
This fixes several test cases in IKEv2_Self_Test (part of the IPv6 Ready
Logo Program) which is required for USGv6 certification, namely:

  - IKEv2.EN.I.1.1.7.1, IKEv2.EN.I.1.1.7.1: Narrowing the range of members
    of the set of traffic selectors
  - IKEv2.EN.R.1.1.7.3: Narrowing multiple traffic selector

When traffic selectors of a triggered SA are narrowed by the responder, the
installed policy and the broader trap policy share the same reqid.  Without
selectors on the IPsec SA packets matching the trap policy, but not the
narrowed policy, would incorrectly be handled by that IPsec SA.  Since only
one selector can be specified per IPsec SA, there is currently no solution
for tunnel mode SAs.
2010-12-13 15:28:40 +01:00
Martin Willi 86993d6b90 Never register IKE_SA during checkout_new, as rekeying keeps it checked out 2010-12-07 16:30:38 +01:00
Thomas Egerer 76ce213c43 Guarantee entry->other is set when calling put_connected_peers
Given the original intent of entry->host, the check for DoS attacks, it
can happen that this value remains NULL when an entry is created. This
is particularly awkward if put_connected_peers is called to check if a
connection to a given peer already exists, since it takes the address
family into consideration (git commit b74219d0) which is gleaned from
entry->host.
This patch guarantees that entry->other is a clone of host before
put_connected_peers is called.
2010-12-06 10:56:57 +01:00
Thomas Egerer e66420566c Do not checkin a previously destroyed SA 2010-11-16 10:25:33 +01:00
Thomas Egerer 8f927116be Extend connected peers by peer family
This allows for simultaneous IPv4 and IPv6 tunnels for the same peers with
matching identities.
2010-11-12 16:28:04 +01:00
Tobias Brunner 1dbf0ed982 Do not add additional addresses to MOBIKE path probing messages. 2010-10-12 11:11:06 +02:00
Tobias Brunner 5774408898 Change behavior of responder during roaming.
If the current source address is not available anymore, the responder
uses ike_mobike_t.roam, thus, uses multiple address combinations when
trying to notify the initiator.
2010-10-12 11:11:05 +02:00
Tobias Brunner c5770f864f Allow responder to use ike_mobike_t.roam.
After getting a response the responder updates the IPsec SAs.
2010-10-12 11:11:05 +02:00
Tobias Brunner 261b2572d1 Send list of additional addresses even if current path is still valid. 2010-10-12 11:11:05 +02:00
Tobias Brunner bab56a4abb Extracted path checking in ike_sa_t.roam into separate functions. 2010-10-12 11:11:05 +02:00
Tobias Brunner 769c69facc Added support for responders to change their address via MOBIKE.
If the original responder updates its list of additional addresses we
check if the remote endpoint changed and update the IPsec SAs if it did,
as we assume the original address became unavailable and the responder
already updated the SAs on its side.
2010-10-12 11:11:05 +02:00
Tobias Brunner 13876431d6 Explicitly configure MOBIKE tasks to update the list of additional addresses. 2010-10-12 11:11:05 +02:00
Tobias Brunner 31e7dc4dfd Improved check for first IKE_AUTH message in ike_mobike task.
If the original responder initiated a MOBIKE exchange, the previous
check was not always correct.
2010-10-12 11:11:05 +02:00
Tobias Brunner c817e7bb90 Migrated ike_mobike task to INIT/METHOD macros. 2010-10-12 11:11:05 +02:00
Tobias Brunner be90134211 Simplified apply_port function in mobike task. 2010-10-12 11:11:04 +02:00
Tobias Brunner cd26eedc5c Do not update hosts based on retransmitted messages. 2010-10-12 11:11:04 +02:00
Tobias Brunner d5bd775126 Do not update remote host if we are behind a NAT. 2010-10-12 11:11:04 +02:00
Andreas Steffen 3c354b6d11 NOTIFY error message types include 16383 2010-09-29 19:01:36 +02:00
Tobias Brunner 71b6d2ff5e Adapted child_sa_t to changed kernel interface. 2010-09-02 19:04:22 +02:00
Tobias Brunner bd7a2f3bfc Added an option to specify the type of a policy to kernel_ipsec.add_policy.
This will later allow us to support pluto's passthrough and drop
policies in charon.
2010-09-02 19:04:19 +02:00
Tobias Brunner b4872c1e09 Replaced the protocol argument in add_policy with an optional SPI for an AH SA. 2010-09-02 19:04:19 +02:00
Tobias Brunner bb381e26c6 Refer to scheduler and processor via lib and not hydra. 2010-09-02 19:04:18 +02:00
Tobias Brunner f6659688ab Refer to kernel interface via hydra and not charon. 2010-09-02 19:01:25 +02:00
Tobias Brunner 9f166d9ac2 Removed references to protocol_id_t from kernel interface.
Instead we use the actual IP protocol identifier (the conversion now happens in
child_sa_t and kernel_handler_t).
2010-09-02 19:01:25 +02:00
Tobias Brunner 9d94174242 Migrated child_sa_t to INIT/METHOD macros. 2010-09-02 19:01:25 +02:00
Tobias Brunner 61e8e73206 Refer to scheduler via hydra and not charon. 2010-09-02 19:01:24 +02:00
Tobias Brunner c5f7146b17 Refer to processor via hydra and not charon. 2010-09-02 19:01:22 +02:00
Martin Willi 36eafea232 Use the AAA Identity for EAP authentication, if given 2010-08-31 18:10:23 +02:00
Martin Willi f13a03add0 Moved EAP type/code definitions to a separate header file in libstrongswan 2010-08-31 15:35:29 +02:00
Tobias Brunner 2402dee177 Port floating patch partially reversed.
If MOBIKE is enabled, we do have to switch to port 4500 with the
IKE_AUTH request, that is, before we know whether the other peer
actually supports MOBIKE or not.
2010-08-30 14:54:31 +02:00
Tobias Brunner 277f02ce9e Slightly refactored port floating.
In case of MOBIKE, only float to port 4500 if the other peer actually supports MOBIKE.
2010-08-30 13:42:58 +02:00
Tobias Brunner fde2d34d0f Fixed ME after introduction of AEAD wrapper. 2010-08-30 10:48:09 +02:00
Martin Willi 5299719569 Migrated delete_payload to INIT/METHOD macros, replaced iterator 2010-08-25 17:03:00 +02:00
Thomas Egerer e54e86cb49 Check if colliding rekey actually created an IKE_INIT
In some cases (especially if a child is half-open) the colliding
rekey-job might not have created the ike_init member. If so, the
nonce check fails with SIGSEGV.
2010-08-25 10:16:42 +02:00
Martin Willi 2e64455ee1 Fixed crypter keymat derivation bug 2010-08-19 19:28:08 +02:00
Martin Willi 84eb3aa456 Implemented IKEv2 keymat derivation for AEAD algorithms 2010-08-19 19:02:34 +02:00
Martin Willi b519071299 Use AEAD wrapper for encryption payload encryption/decryption 2010-08-19 19:02:33 +02:00
Martin Willi 5555b900b2 Migrated keymat to INIT/METHOD macros 2010-08-19 12:35:53 +02:00
Martin Willi ba31fe1fd6 Use a separate section for each nested struct member in INIT macro 2010-08-18 12:15:03 +02:00
Andreas Steffen 53115857ae some simplifications using the INIT macro 2010-08-17 20:09:32 +02:00
Martin Willi c03b0d7e6b Added support for Camellia cipher to xcbc 2010-08-13 17:11:54 +02:00
Andreas Steffen 45c4021bd0 Migrated eap_authenticator to INIT/METHOD macros 2010-08-13 15:58:53 +02:00
Andreas Steffen fe6ae23d1f Migrated eap_manager to INIT/METHOD macros 2010-08-13 15:32:37 +02:00
Andreas Steffen 87799b0c00 moved eap_from_string() from libcharon to libstrongswan to make it available in starter 2010-08-13 15:07:53 +02:00
Andreas Steffen 4412ee86c5 recognize eap-ttls method 2010-08-12 23:58:54 +02:00
Martin Willi a944d2092b Use bits instead of bytes for a private/public key 2010-08-10 18:46:30 +02:00
Jiri Bohac 30d8e8d04d fix error-type range in parsing of NOTIFY payloads 2010-08-06 11:47:35 +02:00
Tobias Brunner 83628fd600 Accept EAP_ONLY_AUTHENTICATION notifies from any client, now that IANA allocated an ID. 2010-08-04 12:58:53 +02:00
Martin Willi 65858b83f8 Destroy IKE_SA Manager's crypto primitives during flush, the plugins are gone in destroy 2010-08-04 09:26:21 +02:00
Martin Willi 2107953804 Added EAP-TLS plugin stub 2010-08-03 15:39:24 +02:00
Thomas Egerer 86a73f16ab Do not touch child from collision if peer deleted it 2010-08-03 10:32:38 +02:00
Martin Willi b2e447e24a Pass the CREATE_CHILD_SA initiator flag to the child_keys parameter 2010-07-26 13:53:53 +02:00
Martin Willi 5b6c220d13 Added log statement if peer requests EAP, but current config does not allow it 2010-07-21 17:09:15 +02:00
Martin Willi 0406eeaacb Support different encoding types in certificate.get_encoding() 2010-07-13 13:53:20 +02:00
Martin Willi da9724e6d0 Renamed key_encod{ing,der}_t and constants, prepare for generic credential encoding 2010-07-13 11:29:35 +02:00
Martin Willi e57a29c731 Moved X509 ipAddrBlock checking to the addrblock plugin 2010-07-13 10:26:07 +02:00
Martin Willi be715344c2 Added a hook to narrow traffic selectors for CHILD_SAs 2010-07-13 10:26:07 +02:00
Martin Willi 2ccc02a4fd Moved credential manager to libstrongswan 2010-07-13 10:26:07 +02:00
Heiko Hund ec7adea007 Added support for named attribute groups
Add the possibility to group attributes by a name and assign these
groups to connections. This allows a more granular configuration of
which client will receive what attributes.
2010-07-09 13:09:31 +02:00
Martin Willi 4cc9afe35f Print identity to a lease address on the same line for simpler grepping 2010-07-08 17:44:19 +02:00
Martin Willi 53913d764e Use the responder side configured EAP-Identity directly, if given 2010-07-05 09:41:04 +02:00
Martin Willi ec6caa1367 Copy EAP specific attributes to auth config only 2010-07-05 09:41:04 +02:00
Andreas Steffen ee26c537d7 support of xfrm marks for IKEv2 2010-07-02 23:46:09 +02:00
Martin Willi 02571374c4 Recreate IKE_SA_INIT related tasks only if they have completed 2010-06-30 13:48:47 +02:00
Thomas Egerer 31d0efd7e9 Use enumerator for queued_tasks migration to avoid infinite loop 2010-06-30 13:24:43 +02:00
Thomas Egerer 6d61e334f7 Correct check of traffic selectors before destruction 2010-06-29 09:22:50 +02:00
Thomas Egerer 7f1eb89517 Migrate queued_tasks tasks, to avoid dangling pointers 2010-06-29 09:20:05 +02:00
Thomas Egerer 03ffa88531 Add extra information in debug output for IKE_SA check{out, in}
This output helps tracing checkout and checkin of IKE_SAs when there is
more than one IKE_SAs with the same name. I also added the type of
in-air-exchange to the debug output issued by the task_manager in case
a task initiation is delayed, which came in handy for me.
2010-06-07 15:12:13 +02:00
Martin Willi 550d9085fa Flush auth configs, create new keymat during SA reset 2010-06-07 14:59:39 +02:00
Martin Willi dbdb69f908 Recreate IKE_INIT/IKE_NATD/IKE_VENDOR tasks if we reset SA during IKE_AUTH 2010-06-07 14:58:57 +02:00
Martin Willi 8b56ec20f3 Reacquire keymat from new IKE_SA during task migration 2010-06-07 14:56:24 +02:00
Martin Willi ea340ee840 Wrap task enumerator in ike_sa 2010-06-07 11:37:55 +02:00
Martin Willi 8bced61b76 Migrated ike_sa_t to INIT/METHOD macros 2010-06-07 09:30:27 +00:00
Martin Willi 665c18bd85 Added support for task enumeration in task_manager_t 2010-06-07 10:45:25 +02:00
Martin Willi 9560a3166f Migrated task_manager_t to INIT/METHOD macros 2010-06-07 10:37:00 +02:00
Martin Willi 2f57e6da0e Disable close action for a redundant CHILD_SA resulting from a rekey collision
If a rekey collision is detected, the winning peer of the nonce compare
will delete the redundant CHILD_SA. The other peer should not enforce the
close action on this CHILD, as it would reestablish the redundant CHILD_SA.
Thanks to Thomas Egerer from secunet for pointing this out and the initial
patchset.
2010-06-02 11:48:52 +02:00
Martin Willi fe02d99b96 Use wrapped getters for close/dpd action 2010-06-02 11:48:51 +02:00
Martin Willi 4c401ea216 Wrap getters for dpd/close action into CHILD_SA, allows us to override them 2010-06-02 11:48:44 +02:00
Tobias Brunner d070e0a6d1 Do not install trap policy if remote host is %any. 2010-05-28 15:43:12 +02:00
Martin Willi ea409980b9 Handle collisions between rekey and the following delete properly 2010-05-18 12:21:38 +02:00
Reto Buerki 71a66a623e Use reqid from connection config if present. 2010-05-04 14:38:34 +02:00