Commit Graph

14838 Commits

Author SHA1 Message Date
Tobias Brunner 6fc6834361 NEWS: Document RFC 5685 support 2016-03-04 16:10:28 +01:00
Tobias Brunner 765db8d2fe Merge branch 'ike-redirect'
This adds support for IKEv2 redirection (RFC 5685).  There is currently
no default implementation of the redirect_provider_t interface provided.
Plugins may implement the interface to decide if and when to redirect
connecting clients.  It is also possible to redirect established IKE_SAs
via VICI/swanctl.
2016-03-04 16:03:07 +01:00
Tobias Brunner 47701e1178 ike-init: Verify REDIRECT notify before processing IKE_SA_INIT message
An attacker could blindly send a message with invalid nonce data (or none
at all) to DoS an initiator if we just destroy the SA.  To prevent this we
ignore the message and wait for the one by the correct responder.
2016-03-04 16:03:00 +01:00
Tobias Brunner fb7cc16d67 ikev2: Allow tasks to verify request messages before processing them 2016-03-04 16:03:00 +01:00
Tobias Brunner 4b83619310 ikev2: Allow tasks to verify response messages before processing them 2016-03-04 16:03:00 +01:00
Tobias Brunner b4968a952e task: Add optional pre_process() method
This will eventually allow tasks to pre-process and verify received
messages.
2016-03-04 16:03:00 +01:00
Tobias Brunner f80e910cce testing: Add ikev2/redirect-active scenario 2016-03-04 16:03:00 +01:00
Tobias Brunner 9282bc39a7 ike-init: Ignore notifies related to redirects during rekeying
Also don't query redirect providers in this case.
2016-03-04 16:03:00 +01:00
Tobias Brunner c6ebd0332e ike-sa: Add limit for the number of redirects within a defined time period 2016-03-04 16:03:00 +01:00
Tobias Brunner 7505fb8d45 ike-sa: Reauthenticate to the same addresses we currently use
If the SA got redirected, this would otherwise cause a reauthentication with
the original gateway.  Reestablishing the SA to the original gateway, if e.g.
the new gateway is not reachable, makes sense though.
2016-03-04 16:03:00 +01:00
Tobias Brunner c13eb73719 vici: Don't redirect all SAs if no selectors are given
This avoids confusion, and redirecting all SAs can now easily be done
explicitly (e.g. peer_ip=0.0.0.0/0).
2016-03-04 16:03:00 +01:00
Tobias Brunner 27074f3155 vici: Match subnets and ranges against peer IP in redirect command 2016-03-04 16:03:00 +01:00
Tobias Brunner bef4518de7 vici: Match identity with wildcards against remote ID in redirect command 2016-03-04 16:02:59 +01:00
Tobias Brunner e92364db66 swanctl: Add --redirect command 2016-03-04 16:02:59 +01:00
Tobias Brunner 43b46b26ea vici: Add redirect command
This allows redirecting IKE_SAs by multiple different selectors; if none
are given, all SAs are redirected.
2016-03-04 16:02:59 +01:00
Tobias Brunner 0d424d2107 redirect-job: Add job to redirect an active IKE_SA 2016-03-04 16:02:59 +01:00
Tobias Brunner 71c7070588 ike-sa: Add redirect() method to actively redirect an IKE_SA 2016-03-04 16:02:59 +01:00
Tobias Brunner 0840385b27 ike-redirect: Add task to redirect active IKE_SAs 2016-03-04 16:02:59 +01:00
Tobias Brunner f5a9025ce9 ike-auth: Handle REDIRECT notifies during IKE_AUTH 2016-03-04 16:02:59 +01:00
Tobias Brunner f20e00fe54 ike-sa: Handle redirect requests for established SAs as reestablishment
We handle this similarly to how we do reestablishing IKE_SAs with all CHILD_SAs,
which also includes the one actively queued during IKE_AUTH.

To delete the old SA we use the recently added ike_reauth_complete task.
2016-03-04 16:02:59 +01:00
Tobias Brunner 19233ef980 ike-auth: Send REDIRECT notify during IKE_AUTH if requested by providers
To prevent the creation of the CHILD_SA we set a condition on the
IKE_SA.  We also schedule a delete job in case the client does not
terminate the IKE_SA (which is a SHOULD in RFC 5685).
2016-03-04 16:02:59 +01:00
Tobias Brunner fdc4b82728 ike-config: Do not assign attributes for redirected IKE_SAs 2016-03-04 16:02:59 +01:00
Tobias Brunner b6fcb91762 child-create: Don't create CHILD_SA if the IKE_SA got redirected in IKE_AUTH 2016-03-04 16:02:59 +01:00
Tobias Brunner d68c05d269 ike-sa: Add a condition to mark redirected IKE_SAs 2016-03-04 16:02:58 +01:00
Tobias Brunner 3d074bce00 ike-init: Handle REDIRECTED_FROM similar to REDIRECT_SUPPORTED as server 2016-03-04 16:02:58 +01:00
Tobias Brunner 6cde9875e1 ike-init: Send REDIRECTED_FROM instead of REDIRECT_SUPPORTED if appropriate 2016-03-04 16:02:58 +01:00
Tobias Brunner e4af6e6b7a ike-sa: Keep track of the address of the gateway that redirected us 2016-03-04 16:02:58 +01:00
Tobias Brunner 489d154e63 ikev2: Add option to disable following redirects as client 2016-03-04 16:02:58 +01:00
Tobias Brunner c126ddd048 ikev2: Handle REDIRECT notifies during IKE_SA_INIT 2016-03-04 16:02:58 +01:00
Tobias Brunner dd2b335b79 ike-init: Send REDIRECT notify during IKE_SA_INIT if requested by providers 2016-03-04 16:02:58 +01:00
Tobias Brunner 2beb26b948 redirect-manager: Add helper function to create and parse REDIRECT notify data
The same encoding is also used for the REDIRECT_FROM notifies.
2016-03-04 16:02:58 +01:00
Tobias Brunner fa5cfbdcbf redirect-manager: Verify type of returned gateway ID 2016-03-04 16:02:58 +01:00
Tobias Brunner 10009b2954 ike-init: Send REDIRECT_SUPPORTED as initiator 2016-03-04 16:02:58 +01:00
Tobias Brunner 099c0b12b6 ike-init: Enable redirection extension if client sends REDIRECT_SUPPORTED notify 2016-03-04 16:02:58 +01:00
Tobias Brunner c6aa749c28 ike-sa: Add new extension for IKEv2 redirection (RFC 5685) 2016-03-04 16:02:58 +01:00
Tobias Brunner 32ba44424d daemon: Create global redirect manager instance 2016-03-04 16:02:58 +01:00
Tobias Brunner 4a6e054122 redirect-manager: Add manager for redirect providers 2016-03-04 16:02:58 +01:00
Tobias Brunner dbb3f7f921 redirect-provider: Add interface to redirect clients during initial messages
This will allow e.g. plugins to decide whether a connecting client is
redirected to a different gateway using RFC 5685.
2016-03-04 16:02:57 +01:00
Andreas Steffen ad82c95f0a Set PLUTO port variables to 0 in the case of no port restrictions 2016-03-04 12:52:35 +01:00
Andreas Steffen 5c25780ce0 Added port range support to NEWS 2016-03-04 10:03:12 +01:00
Andreas Steffen ba919f393d testing: Added swanctl/protoport-range scenario 2016-03-04 09:52:34 +01:00
Andreas Steffen 0d7202c7c5 Port range support in updown script 2016-03-04 09:52:34 +01:00
Andreas Steffen 6abae81f86 Implemented port ranges in kernel_netlink interface 2016-03-04 09:52:34 +01:00
Thomas Egerer 8ea4cb3e5d thread: Allow thread ID to be value returned by gettid()
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
2016-03-04 09:12:11 +01:00
Andreas Steffen f00f679af9 Request missing SWID tags in a directed PA-TNC message 2016-03-04 01:04:44 +01:00
Tobias Brunner 88ce12a927 Merge branch 'libhydra-bye-bye'
Moves kernel plugins to libcharon and removes the unused libhydra.  The
kernel interface is now accessible under charon->kernel.
2016-03-03 17:39:58 +01:00
Tobias Brunner 28649f6d91 libhydra: Remove empty unused library 2016-03-03 17:36:11 +01:00
Tobias Brunner 8394ea2a42 libhydra: Move kernel interface to libcharon
This moves hydra->kernel_interface to charon->kernel.
2016-03-03 17:36:11 +01:00
Tobias Brunner dec9e1957f libhydra: Move all kernel plugins to libcharon 2016-03-03 17:36:11 +01:00
Tobias Brunner 91d80298f9 ikev1: Send and verify IPv6 addresses correctly
According to the mode-config draft there is no prefix sent for
IPv6 addresses in IKEv1.  We still accept 17 bytes long addresses for
backwards compatibility with older strongSwan releases.

Fixes #1304.
2016-03-03 17:32:03 +01:00