Tobias Brunner
6fc6834361
NEWS: Document RFC 5685 support
2016-03-04 16:10:28 +01:00
Tobias Brunner
765db8d2fe
Merge branch 'ike-redirect'
...
This adds support for IKEv2 redirection (RFC 5685). There is currently
no default implementation of the redirect_provider_t interface provided.
Plugins may implement the interface to decide if and when to redirect
connecting clients. It is also possible to redirect established IKE_SAs
via VICI/swanctl.
2016-03-04 16:03:07 +01:00
Tobias Brunner
47701e1178
ike-init: Verify REDIRECT notify before processing IKE_SA_INIT message
...
An attacker could blindly send a message with invalid nonce data (or none
at all) to DoS an initiator if we just destroy the SA. To prevent this we
ignore the message and wait for the one by the correct responder.
2016-03-04 16:03:00 +01:00
Tobias Brunner
fb7cc16d67
ikev2: Allow tasks to verify request messages before processing them
2016-03-04 16:03:00 +01:00
Tobias Brunner
4b83619310
ikev2: Allow tasks to verify response messages before processing them
2016-03-04 16:03:00 +01:00
Tobias Brunner
b4968a952e
task: Add optional pre_process() method
...
This will eventually allow tasks to pre-process and verify received
messages.
2016-03-04 16:03:00 +01:00
Tobias Brunner
f80e910cce
testing: Add ikev2/redirect-active scenario
2016-03-04 16:03:00 +01:00
Tobias Brunner
9282bc39a7
ike-init: Ignore notifies related to redirects during rekeying
...
Also don't query redirect providers in this case.
2016-03-04 16:03:00 +01:00
Tobias Brunner
c6ebd0332e
ike-sa: Add limit for the number of redirects within a defined time period
2016-03-04 16:03:00 +01:00
Tobias Brunner
7505fb8d45
ike-sa: Reauthenticate to the same addresses we currently use
...
If the SA got redirected this would otherwise cause a reauthentication with
the original gateway. Reestablishing the SA to the original gateway, if e.g.
the new gateway is not reachable, makes sense though.
2016-03-04 16:03:00 +01:00
Tobias Brunner
c13eb73719
vici: Don't redirect all SAs if no selectors are given
...
This avoids confusion, and redirecting all SAs can now easily be done
explicitly (e.g. peer_ip=0.0.0.0/0).
2016-03-04 16:03:00 +01:00
Tobias Brunner
27074f3155
vici: Match subnets and ranges against peer IP in redirect command
2016-03-04 16:03:00 +01:00
Tobias Brunner
bef4518de7
vici: Match identity with wildcards against remote ID in redirect command
2016-03-04 16:02:59 +01:00
Tobias Brunner
e92364db66
swanctl: Add --redirect command
2016-03-04 16:02:59 +01:00
Tobias Brunner
43b46b26ea
vici: Add redirect command
...
This allows redirecting IKE_SAs by multiple different selectors; if none
are given, all SAs are redirected.
2016-03-04 16:02:59 +01:00
Tobias Brunner
0d424d2107
redirect-job: Add job to redirect an active IKE_SA
2016-03-04 16:02:59 +01:00
Tobias Brunner
71c7070588
ike-sa: Add redirect() method to actively redirect an IKE_SA
2016-03-04 16:02:59 +01:00
Tobias Brunner
0840385b27
ike-redirect: Add task to redirect active IKE_SAs
2016-03-04 16:02:59 +01:00
Tobias Brunner
f5a9025ce9
ike-auth: Handle REDIRECT notifies during IKE_AUTH
2016-03-04 16:02:59 +01:00
Tobias Brunner
f20e00fe54
ike-sa: Handle redirect requests for established SAs as reestablishment
...
We handle this similarly to how we reestablish IKE_SAs with all CHILD_SAs,
which also includes the one actively queued during IKE_AUTH.
To delete the old SA we use the recently added ike_reauth_complete task.
2016-03-04 16:02:59 +01:00
Tobias Brunner
19233ef980
ike-auth: Send REDIRECT notify during IKE_AUTH if requested by providers
...
To prevent the creation of the CHILD_SA we set a condition on the
IKE_SA. We also schedule a delete job in case the client does not
terminate the IKE_SA (which is a SHOULD in RFC 5685).
2016-03-04 16:02:59 +01:00
Tobias Brunner
fdc4b82728
ike-config: Do not assign attributes for redirected IKE_SAs
2016-03-04 16:02:59 +01:00
Tobias Brunner
b6fcb91762
child-create: Don't create CHILD_SA if the IKE_SA got redirected in IKE_AUTH
2016-03-04 16:02:59 +01:00
Tobias Brunner
d68c05d269
ike-sa: Add a condition to mark redirected IKE_SAs
2016-03-04 16:02:58 +01:00
Tobias Brunner
3d074bce00
ike-init: Handle REDIRECTED_FROM similar to REDIRECT_SUPPORTED as server
2016-03-04 16:02:58 +01:00
Tobias Brunner
6cde9875e1
ike-init: Send REDIRECTED_FROM instead of REDIRECT_SUPPORTED if appropriate
2016-03-04 16:02:58 +01:00
Tobias Brunner
e4af6e6b7a
ike-sa: Keep track of the address of the gateway that redirected us
2016-03-04 16:02:58 +01:00
Tobias Brunner
489d154e63
ikev2: Add option to disable following redirects as client
2016-03-04 16:02:58 +01:00
Tobias Brunner
c126ddd048
ikev2: Handle REDIRECT notifies during IKE_SA_INIT
2016-03-04 16:02:58 +01:00
Tobias Brunner
dd2b335b79
ike-init: Send REDIRECT notify during IKE_SA_INIT if requested by providers
2016-03-04 16:02:58 +01:00
Tobias Brunner
2beb26b948
redirect-manager: Add helper function to create and parse REDIRECT notify data
...
The same encoding is also used for the REDIRECT_FROM notifies.
2016-03-04 16:02:58 +01:00
Tobias Brunner
fa5cfbdcbf
redirect-manager: Verify type of returned gateway ID
2016-03-04 16:02:58 +01:00
Tobias Brunner
10009b2954
ike-init: Send REDIRECT_SUPPORTED as initiator
2016-03-04 16:02:58 +01:00
Tobias Brunner
099c0b12b6
ike-init: Enable redirection extension if client sends REDIRECT_SUPPORTED notify
2016-03-04 16:02:58 +01:00
Tobias Brunner
c6aa749c28
ike-sa: Add new extension for IKEv2 redirection (RFC 5685)
2016-03-04 16:02:58 +01:00
Tobias Brunner
32ba44424d
daemon: Create global redirect manager instance
2016-03-04 16:02:58 +01:00
Tobias Brunner
4a6e054122
redirect-manager: Add manager for redirect providers
2016-03-04 16:02:58 +01:00
Tobias Brunner
dbb3f7f921
redirect-provider: Add interface to redirect clients during initial messages
...
This will allow e.g. plugins to decide whether a connecting client is
redirected to a different gateway using RFC 5685.
2016-03-04 16:02:57 +01:00
Andreas Steffen
ad82c95f0a
Set PLUTO port variables to 0 in the case of no port restrictions
2016-03-04 12:52:35 +01:00
Andreas Steffen
5c25780ce0
Added port range support to NEWS
2016-03-04 10:03:12 +01:00
Andreas Steffen
ba919f393d
testing: Added swanctl/protoport-range scenario
2016-03-04 09:52:34 +01:00
Andreas Steffen
0d7202c7c5
Port range support in updown script
2016-03-04 09:52:34 +01:00
Andreas Steffen
6abae81f86
Implemented port ranges in kernel_netlink interface
2016-03-04 09:52:34 +01:00
Thomas Egerer
8ea4cb3e5d
thread: Allow thread ID to be value returned by gettid()
...
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
2016-03-04 09:12:11 +01:00
Andreas Steffen
f00f679af9
Request missing SWID tags in a directed PA-TNC message
2016-03-04 01:04:44 +01:00
Tobias Brunner
88ce12a927
Merge branch 'libhydra-bye-bye'
...
Moves kernel plugins to libcharon and removes the unused libhydra. The
kernel interface is now accessible under charon->kernel.
2016-03-03 17:39:58 +01:00
Tobias Brunner
28649f6d91
libhydra: Remove empty unused library
2016-03-03 17:36:11 +01:00
Tobias Brunner
8394ea2a42
libhydra: Move kernel interface to libcharon
...
This moves hydra->kernel_interface to charon->kernel.
2016-03-03 17:36:11 +01:00
Tobias Brunner
dec9e1957f
libhydra: Move all kernel plugins to libcharon
2016-03-03 17:36:11 +01:00
Tobias Brunner
91d80298f9
ikev1: Send and verify IPv6 addresses correctly
...
According to the mode-config draft there is no prefix sent for
IPv6 addresses in IKEv1. We still accept 17-byte-long addresses for
backwards compatibility with older strongSwan releases.
Fixes #1304.
2016-03-03 17:32:03 +01:00