Tobias Brunner
67e28a3afa
smp: Correctly return IKE SPIs stored in network order
2016-03-04 18:43:26 +01:00
Tobias Brunner
e32504352d
vici: Correctly return IKE SPIs stored in network order
2016-03-04 18:43:26 +01:00
Tobias Brunner
db00982dad
stroke: Correctly print IKE SPIs stored in network order
2016-03-04 18:43:26 +01:00
Tobias Brunner
fac9fd7368
byteorder: Simplify htoun64/untoh64 functions
2016-03-04 18:43:26 +01:00
Tobias Brunner
14de79604a
byteorder: Always define be64toh/htobe64 macros
2016-03-04 18:43:26 +01:00
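The five commits above all hinge on one detail: IKE SPIs are 64-bit values that charon keeps in network (big-endian) byte order, so anything that prints or returns them as an integer has to convert first. The following is an added example (my own code, not strongSwan's) showing what the `htoun64`/`untoh64` style helpers do for unaligned buffers and what goes wrong if a network-order SPI is reinterpreted as a host integer; the function names mirror the commit subjects but the implementation and the sample SPI bytes are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Store a host-order 64-bit value into a possibly unaligned buffer in
 * network (big-endian) byte order. */
static void htoun64(void *network, uint64_t host)
{
    uint8_t *p = network;
    int i;
    for (i = 7; i >= 0; i--) {
        p[i] = (uint8_t)(host & 0xff);
        host >>= 8;
    }
}

/* Read a network-order 64-bit value from a possibly unaligned buffer into
 * host order. Shifts only, so it is correct regardless of host endianness. */
static uint64_t untoh64(const void *network)
{
    const uint8_t *p = network;
    uint64_t host = 0;
    int i;
    for (i = 0; i < 8; i++) {
        host = (host << 8) | p[i];
    }
    return host;
}

/* What you get by reinterpreting the stored bytes as a host uint64_t, i.e.
 * the value a naive "%.16llx" prints. On little-endian hosts the bytes come
 * out reversed, which is the kind of bug the stroke/vici/smp commits fix. */
static uint64_t raw64(const void *network)
{
    uint64_t v;
    memcpy(&v, network, sizeof(v));
    return v;
}

static int host_is_little_endian(void)
{
    uint16_t probe = 1;
    uint8_t first;
    memcpy(&first, &probe, 1);
    return first == 1;
}

/* Render an SPI stored in network order as the 16 hex digits seen on the
 * wire. out must hold 17 bytes. */
static void spi_to_hex(const uint8_t spi[8], char out[17])
{
    snprintf(out, 17, "%.16llx", (unsigned long long)untoh64(spi));
}

/* Constructed sample: SPI bytes as they sit in an IKE header. */
static const uint8_t SAMPLE_SPI[8] = {0xc0,0xff,0xee,0x00,0xde,0xad,0xbe,0xef};

/* Returns 1 if conversions round-trip and the naive reinterpretation is
 * byte-swapped exactly when the host is little-endian, 0 otherwise. */
static int selftest(void)
{
    uint8_t back[8];
    uint64_t h = untoh64(SAMPLE_SPI);
    if (h != 0xc0ffee00deadbeefULL) return 0;
    htoun64(back, h);
    if (memcmp(back, SAMPLE_SPI, 8) != 0) return 0;
    if (host_is_little_endian()) {
        return raw64(SAMPLE_SPI) == 0xefbeadde00eeffc0ULL;
    }
    return raw64(SAMPLE_SPI) == h;
}

int main(void)
{
    char hex[17];
    spi_to_hex(SAMPLE_SPI, hex);
    printf("wire SPI            : %s\n", hex);
    printf("raw reinterpretation: %.16llx\n",
           (unsigned long long)raw64(SAMPLE_SPI));
    printf("selftest            : %s\n", selftest() ? "ok" : "FAILED");
    return selftest() ? 0 : 1;
}
```

The check that matters operationally: if an SPI printed by a management interface does not match the one in a packet capture, compare the two as byte strings; a mirror-image hex string is the signature of a missing `be64toh`/`untoh64`.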
Tobias Brunner
5b45e15ad3
Merge branch 'ike-sig-contraints'
...
Signature scheme constraints against IKEv2 authentication may now be
configured independently of constraints against trustchains.
2016-03-04 16:43:24 +01:00
Tobias Brunner
c171afeaed
NEWS: Add note about IKEv2 signature scheme constraints
2016-03-04 16:42:30 +01:00
Tobias Brunner
130c485be6
swanctl: Document signature scheme constraints
2016-03-04 16:19:54 +01:00
Tobias Brunner
1ecec95dff
vici: Add support for pubkey constraints with EAP-TLS
...
This is a feature currently supported by stroke.
2016-03-04 16:19:54 +01:00
Tobias Brunner
3c23a75120
auth-cfg: Make IKE signature schemes configurable
...
This also restores the charon.signature_authentication_constraints
functionality, that is, if no explicit IKE signature schemes are
configured we apply all regular signature constraints as IKE constraints.
2016-03-04 16:19:54 +01:00
Tobias Brunner
e37e6d6dca
ikev2: Always store signature scheme in auth-cfg
...
As we use a different rule we can always store the scheme.
2016-03-04 16:19:53 +01:00
Thomas Egerer
c8a0781334
ikev2: Diversify signature scheme rule
...
This allows for different signature schemes for IKE authentication and
trustchain verification.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
2016-03-04 16:19:53 +01:00
Tobias Brunner
6fc6834361
NEWS: Document RFC 5685 support
2016-03-04 16:10:28 +01:00
Tobias Brunner
765db8d2fe
Merge branch 'ike-redirect'
...
This adds support for IKEv2 redirection (RFC 5685). There is currently
no default implementation of the redirect_provider_t interface provided.
Plugins may implement the interface to decide if and when to redirect
connecting clients. It is also possible to redirect established IKE_SAs
via VICI/swanctl.
2016-03-04 16:03:07 +01:00
Tobias Brunner
47701e1178
ike-init: Verify REDIRECT notify before processing IKE_SA_INIT message
...
An attacker could blindly send a message with invalid nonce data (or none
at all) to DoS an initiator if we just destroy the SA. To prevent this we
ignore the message and wait for the one by the correct responder.
2016-03-04 16:03:00 +01:00
Tobias Brunner
fb7cc16d67
ikev2: Allow tasks to verify request messages before processing them
2016-03-04 16:03:00 +01:00
Tobias Brunner
4b83619310
ikev2: Allow tasks to verify response messages before processing them
2016-03-04 16:03:00 +01:00
Tobias Brunner
b4968a952e
task: Add optional pre_process() method
...
This will eventually allow tasks to pre-process and verify received
messages.
2016-03-04 16:03:00 +01:00
Tobias Brunner
f80e910cce
testing: Add ikev2/redirect-active scenario
2016-03-04 16:03:00 +01:00
Tobias Brunner
9282bc39a7
ike-init: Ignore notifies related to redirects during rekeying
...
Also don't query redirect providers in this case.
2016-03-04 16:03:00 +01:00
Tobias Brunner
c6ebd0332e
ike-sa: Add limit for the number of redirects within a defined time period
2016-03-04 16:03:00 +01:00
Tobias Brunner
7505fb8d45
ike-sa: Reauthenticate to the same addresses we currently use
...
If the SA got redirected this would otherwise cause a reauthentication with
the original gateway. Reestablishing the SA to the original gateway, if e.g.
the new gateway is not reachable, makes sense though.
2016-03-04 16:03:00 +01:00
Tobias Brunner
c13eb73719
vici: Don't redirect all SAs if no selectors are given
...
This avoids confusion and redirecting all SAs can now easily be done
explicitly (e.g. peer_ip=0.0.0.0/0).
2016-03-04 16:03:00 +01:00
Tobias Brunner
27074f3155
vici: Match subnets and ranges against peer IP in redirect command
2016-03-04 16:03:00 +01:00
Tobias Brunner
bef4518de7
vici: Match identity with wildcards against remote ID in redirect command
2016-03-04 16:02:59 +01:00
Tobias Brunner
e92364db66
swanctl: Add --redirect command
2016-03-04 16:02:59 +01:00
Tobias Brunner
43b46b26ea
vici: Add redirect command
...
This allows redirecting IKE_SAs by multiple different selectors; if none
are given, all SAs are redirected.
2016-03-04 16:02:59 +01:00
Tobias Brunner
0d424d2107
redirect-job: Add job to redirect an active IKE_SA
2016-03-04 16:02:59 +01:00
Tobias Brunner
71c7070588
ike-sa: Add redirect() method to actively redirect an IKE_SA
2016-03-04 16:02:59 +01:00
Tobias Brunner
0840385b27
ike-redirect: Add task to redirect active IKE_SAs
2016-03-04 16:02:59 +01:00
Tobias Brunner
f5a9025ce9
ike-auth: Handle REDIRECT notifies during IKE_AUTH
2016-03-04 16:02:59 +01:00
Tobias Brunner
f20e00fe54
ike-sa: Handle redirect requests for established SAs as reestablishment
...
We handle this similar to how we do reestablishing IKE_SAs with all CHILD_SAs,
which also includes the one actively queued during IKE_AUTH.
To delete the old SA we use the recently added ike_reauth_complete task.
2016-03-04 16:02:59 +01:00
Tobias Brunner
19233ef980
ike-auth: Send REDIRECT notify during IKE_AUTH if requested by providers
...
To prevent the creation of the CHILD_SA we set a condition on the
IKE_SA. We also schedule a delete job in case the client does not
terminate the IKE_SA (which is a SHOULD in RFC 5685).
2016-03-04 16:02:59 +01:00
Tobias Brunner
fdc4b82728
ike-config: Do not assign attributes for redirected IKE_SAs
2016-03-04 16:02:59 +01:00
Tobias Brunner
b6fcb91762
child-create: Don't create CHILD_SA if the IKE_SA got redirected in IKE_AUTH
2016-03-04 16:02:59 +01:00
Tobias Brunner
d68c05d269
ike-sa: Add a condition to mark redirected IKE_SAs
2016-03-04 16:02:58 +01:00
Tobias Brunner
3d074bce00
ike-init: Handle REDIRECTED_FROM similar to REDIRECT_SUPPORTED as server
2016-03-04 16:02:58 +01:00
Tobias Brunner
6cde9875e1
ike-init: Send REDIRECTED_FROM instead of REDIRECT_SUPPORTED if appropriate
2016-03-04 16:02:58 +01:00
Tobias Brunner
e4af6e6b7a
ike-sa: Keep track of the address of the gateway that redirected us
2016-03-04 16:02:58 +01:00
Tobias Brunner
489d154e63
ikev2: Add option to disable following redirects as client
2016-03-04 16:02:58 +01:00
Tobias Brunner
c126ddd048
ikev2: Handle REDIRECT notifies during IKE_SA_INIT
2016-03-04 16:02:58 +01:00
Tobias Brunner
dd2b335b79
ike-init: Send REDIRECT notify during IKE_SA_INIT if requested by providers
2016-03-04 16:02:58 +01:00
Tobias Brunner
2beb26b948
redirect-manager: Add helper function to create and parse REDIRECT notify data
...
The same encoding is also used for the REDIRECT_FROM notifies.
2016-03-04 16:02:58 +01:00
Tobias Brunner
fa5cfbdcbf
redirect-manager: Verify type of returned gateway ID
2016-03-04 16:02:58 +01:00
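The two redirect-manager commits above (the shared REDIRECT/REDIRECTED_FROM encoding, and verifying the type of the returned gateway ID) and the earlier "ike-init: Verify REDIRECT notify before processing IKE_SA_INIT message" commit are best read together. The following is an added example (my own code, not strongSwan's) that encodes and parses the notify data layout from RFC 5685 (one octet GW Ident Type, one octet GW Ident Len, the gateway identity, then the nonce data when sent in IKE_SA_INIT; type values 1 = IPv4, 2 = IPv6, 3 = FQDN) and shows the initiator-side rule from the verify commit: a REDIRECT whose echoed nonce is missing or does not match the nonce the initiator sent is ignored rather than treated as fatal, so a blind spoofer cannot tear down the half-open SA. All function names, the sample nonce and the sample gateway address are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* GW Ident Type values from RFC 5685 */
enum gw_id_type { GW_ID_IPV4 = 1, GW_ID_IPV6 = 2, GW_ID_FQDN = 3 };

typedef struct {
    uint8_t type;          /* GW Ident Type */
    uint8_t id_len;        /* GW Ident Len */
    const uint8_t *id;     /* New Responder GW Identity */
    const uint8_t *nonce;  /* Nonce Data (only in an IKE_SA_INIT REDIRECT) */
    size_t nonce_len;
} redirect_data_t;

/* Is the identity length consistent with the type? Unknown types fail. */
static int gw_id_valid(uint8_t type, size_t id_len)
{
    switch (type) {
        case GW_ID_IPV4: return id_len == 4;
        case GW_ID_IPV6: return id_len == 16;
        case GW_ID_FQDN: return id_len > 0 && id_len <= 255;
        default:         return 0;
    }
}

/* Build notify data: type | len | identity | nonce. REDIRECTED_FROM and a
 * REDIRECT sent in IKE_AUTH use the same layout with nonce_len = 0.
 * Returns bytes written, 0 on error. */
static size_t redirect_encode(uint8_t *out, size_t cap, uint8_t type,
                              const uint8_t *id, size_t id_len,
                              const uint8_t *nonce, size_t nonce_len)
{
    size_t need = 2 + id_len + nonce_len;
    if (!gw_id_valid(type, id_len) || need > cap) return 0;
    out[0] = type;
    out[1] = (uint8_t)id_len;
    memcpy(out + 2, id, id_len);
    if (nonce_len) memcpy(out + 2 + id_len, nonce, nonce_len);
    return need;
}

/* Parse notify data. Returns 0 if truncated or if the gateway ID type and
 * length disagree. Pointers in *rd alias the input buffer. */
static int redirect_parse(const uint8_t *data, size_t len, redirect_data_t *rd)
{
    if (len < 2) return 0;
    rd->type = data[0];
    rd->id_len = data[1];
    if (!gw_id_valid(rd->type, rd->id_len) || len < 2u + rd->id_len) return 0;
    rd->id = data + 2;
    rd->nonce = data + 2 + rd->id_len;
    rd->nonce_len = len - 2 - rd->id_len;
    return 1;
}

enum redirect_verdict { REDIRECT_IGNORE = 0, REDIRECT_FOLLOW = 1 };

/* Initiator check for a REDIRECT in an IKE_SA_INIT response: the responder
 * must echo the nonce we sent. A blind attacker does not know it, so any
 * mismatch (or an absent nonce) is ignored and we keep waiting for the
 * genuine response instead of destroying the SA. The nonce is public, so a
 * plain memcmp is adequate here. */
static enum redirect_verdict
redirect_check_init(const uint8_t *data, size_t len,
                    const uint8_t *our_nonce, size_t our_nonce_len)
{
    redirect_data_t rd;
    if (!redirect_parse(data, len, &rd)) return REDIRECT_IGNORE;
    if (rd.nonce_len != our_nonce_len ||
        memcmp(rd.nonce, our_nonce, our_nonce_len) != 0) return REDIRECT_IGNORE;
    return REDIRECT_FOLLOW;
}

/* Constructed inputs: our 16-byte Ni and the gateway we are sent to. */
static const uint8_t OUR_NONCE[16] = {0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,
                                      0x99,0xaa,0xbb,0xcc,0xdd,0xee,0xff,0x00};
static const uint8_t NEW_GW[4] = {192, 0, 2, 10};   /* documentation range */

/* 0: genuine REDIRECT, 1: forged nonce, 2: nonce omitted, 3: unknown type.
 * Returns the verdict the initiator would reach. */
static int demo(int variant)
{
    uint8_t bad_nonce[16], buf[64];
    size_t n;
    memset(bad_nonce, 0xaa, sizeof(bad_nonce));
    switch (variant) {
        case 0:  n = redirect_encode(buf, sizeof buf, GW_ID_IPV4, NEW_GW, 4,
                                     OUR_NONCE, 16); break;
        case 1:  n = redirect_encode(buf, sizeof buf, GW_ID_IPV4, NEW_GW, 4,
                                     bad_nonce, 16); break;
        case 2:  n = redirect_encode(buf, sizeof buf, GW_ID_IPV4, NEW_GW, 4,
                                     NULL, 0); break;
        default: buf[0] = 7; buf[1] = 4; memcpy(buf + 2, NEW_GW, 4);
                 memcpy(buf + 6, OUR_NONCE, 16); n = 22; break;
    }
    return (int)redirect_check_init(buf, n, OUR_NONCE, 16);
}

int main(void)
{
    const char *names[] = {"genuine", "forged nonce", "no nonce", "bad type"};
    int v;
    for (v = 0; v < 4; v++)
        printf("%-13s -> %s\n", names[v], demo(v) ? "follow" : "ignore");
    return 0;
}
```

The same parser serves REDIRECTED_FROM on the responder side (there the nonce portion is simply empty), which is why rejecting an unknown or inconsistent gateway ID type belongs in the parser rather than in each caller.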
Tobias Brunner
10009b2954
ike-init: Send REDIRECT_SUPPORTED as initiator
2016-03-04 16:02:58 +01:00
Tobias Brunner
099c0b12b6
ike-init: Enable redirection extension if client sends REDIRECT_SUPPORTED notify
2016-03-04 16:02:58 +01:00
Tobias Brunner
c6aa749c28
ike-sa: Add new extension for IKEv2 redirection (RFC 5685)
2016-03-04 16:02:58 +01:00
Tobias Brunner
32ba44424d
daemon: Create global redirect manager instance
2016-03-04 16:02:58 +01:00
Tobias Brunner
4a6e054122
redirect-manager: Add manager for redirect providers
2016-03-04 16:02:58 +01:00
Tobias Brunner
dbb3f7f921
redirect-provider: Add interface to redirect clients during initial messages
...
This will allow e.g. plugins to decide whether a connecting client is
redirected to a different gateway using RFC 5685.
2016-03-04 16:02:57 +01:00