Tobias Brunner
|
6f0cca20d8
|
Implemented table of connected peers without linked_list_t.
|
2012-03-20 17:31:41 +01:00 |
|
Tobias Brunner
|
3489370458
|
Implemented table of half open IKE_SAs without linked_list_t.
|
2012-03-20 17:31:41 +01:00 |
|
Tobias Brunner
|
e49bb4e3e3
|
Don't use linked_list_t for buckets in main IKE_SA hash table.
|
2012-03-20 17:31:41 +01:00 |
|
Tobias Brunner
|
894c52cba2
|
Fixed deadlock if checkin_and_destroy is called during shutdown.
|
2012-03-20 17:31:40 +01:00 |
|
Tobias Brunner
|
4b2f428f40
|
Do not clone hashes of initial IKE messages when storing them in the hash table.
|
2012-03-20 17:31:40 +01:00 |
|
Tobias Brunner
|
20e3d5ea00
|
Store IKEv2 IKE_SAs by local SPI in the IKE_SA manager hash table.
For IKEv1 the previous behavior of always using the initiator's SPI as
key is maintained.
|
2012-03-20 17:31:40 +01:00 |
|
Tobias Brunner
|
71cf97871f
|
Added separate hashtable for hashes of initial IKE messages.
This does not require us to do a lookup for an SA by SPI first.
|
2012-03-20 17:31:40 +01:00 |
|
Tobias Brunner
|
1726795fa9
|
Store the major IKE version on ike_sa_id_t.
|
2012-03-20 17:31:40 +01:00 |
|
Tobias Brunner
|
8254e7ecb8
|
Implemented handling of UNITY_LOAD_BALANCE as reauthentication.
|
2012-03-20 17:31:40 +01:00 |
|
Martin Willi
|
a7d3b0e098
|
Check if we actually have a packet before retransmitting it
|
2012-03-20 17:31:40 +01:00 |
|
Tobias Brunner
|
eff331f799
|
Parse IKEv1 Cisco Load Balancing notify (can't act on it yet).
|
2012-03-20 17:31:40 +01:00 |
|
Tobias Brunner
|
3a9d5cbc14
|
Fixed transform numbering in IKEv1 proposal.
|
2012-03-20 17:31:40 +01:00 |
|
Tobias Brunner
|
dcbdc914fa
|
Compiler warning fixed.
|
2012-03-20 17:31:40 +01:00 |
|
Martin Willi
|
182d55b229
|
Use correct enum values to detect three message tasks for retransmission
|
2012-03-20 17:31:40 +01:00 |
|
Martin Willi
|
f98af1ddd5
|
Trigger DPD not before IKE_SA state gets updated
|
2012-03-20 17:31:39 +01:00 |
|
Martin Willi
|
5ed4b727d0
|
Fix mapping of IKEv1 encapsulation mode
|
2012-03-20 17:31:39 +01:00 |
|
Martin Willi
|
7fd7ffc649
|
Use UDP encapsulation even in non-NAT situation if initiator requests it
|
2012-03-20 17:31:39 +01:00 |
|
Martin Willi
|
c60246a618
|
Support inactivity timeout in IKEv1 CHILD_SAs
|
2012-03-20 17:31:39 +01:00 |
|
Martin Willi
|
a0c17d4157
|
Use a dedicated PRF for HASH/SIG payloads using ECDSA specific hasher
|
2012-03-20 17:31:39 +01:00 |
|
Martin Willi
|
4c685e8850
|
Select public key auth method by checking what key we have
|
2012-03-20 17:31:39 +01:00 |
|
Martin Willi
|
83b152dd4f
|
Support ECDSA signatures in IKEv1 pubkey authenticator
|
2012-03-20 17:31:39 +01:00 |
|
Martin Willi
|
5be386ff8e
|
Exchange certificates when using IKEv1 ECDSA authentication
|
2012-03-20 17:31:39 +01:00 |
|
Martin Willi
|
5aef6bd0f3
|
Accept NULL auth_cfg_t passed to credential_manager_t.get_private()
|
2012-03-20 17:31:39 +01:00 |
|
Martin Willi
|
6261c0c3b7
|
Support encoding of IKEv1 ECDSA proposals
|
2012-03-20 17:31:38 +01:00 |
|
Martin Willi
|
c791def8c1
|
Added support for authby/xauth_server legacy options
|
2012-03-20 17:31:38 +01:00 |
|
Martin Willi
|
c390569a76
|
Renamed CONFIGURATION_ATTRIBUTE_LENGTH to streamline it with other ATTRIBUTE rules
|
2012-03-20 17:31:38 +01:00 |
|
Martin Willi
|
05cb240215
|
Use ATTRIBUTE_VALUE rule in configuration attribute to parse it with correct length
|
2012-03-20 17:31:38 +01:00 |
|
Martin Willi
|
a994050e9c
|
Don't re-resolve addresses during initiate if they have already been set
|
2012-03-20 17:31:38 +01:00 |
|
Martin Willi
|
aa3b53e716
|
Adopt children after syncing a rekeyed IKEv1 SA
|
2012-03-20 17:31:38 +01:00 |
|
Martin Willi
|
fed5c33440
|
Synchronize IKEv1 DPD sequence numbers
|
2012-03-20 17:31:38 +01:00 |
|
Martin Willi
|
fd6fbf1764
|
Setting message ID on task manager sets DPD sequence numbers in IKEv1
|
2012-03-20 17:31:38 +01:00 |
|
Martin Willi
|
783c496966
|
Update state before triggering DPD, as we cancel it if PASSIVE
|
2012-03-20 17:31:38 +01:00 |
|
Martin Willi
|
a46b8e16ad
|
Set thread specific SA on bus for each enumerated IKE_SA
|
2012-03-20 17:31:38 +01:00 |
|
Martin Willi
|
b226fd300d
|
Sync remote virtual IP for IKEv1 SAs
|
2012-03-20 17:31:38 +01:00 |
|
Martin Willi
|
868d92a402
|
Sync new IKE_SA condition/extension flags
|
2012-03-20 17:31:37 +01:00 |
|
Martin Willi
|
c8531b7e69
|
Added support for Phase1 IV synchronization to HA plugin
|
2012-03-20 17:31:37 +01:00 |
|
Martin Willi
|
47b8f6ef4b
|
Invoke bus_t.message hook twice, once plain and parsed, once encoded and encrypted
|
2012-03-20 17:31:37 +01:00 |
|
Martin Willi
|
ae92641806
|
Create IKEv1 keymat hasher explicitly on sync
|
2012-03-20 17:31:37 +01:00 |
|
Martin Willi
|
a0fa7a7f64
|
Clear initiator flag when checking out initial IKEv1 SA from message
|
2012-03-20 17:31:37 +01:00 |
|
Martin Willi
|
8bcd9bd161
|
Added support to sync IKEv1 SAs key material in HA plugin
|
2012-03-20 17:31:37 +01:00 |
|
Martin Willi
|
23f9e7a18d
|
Pass IKEv1 specific keymat to ike_keys hook
|
2012-03-20 17:31:37 +01:00 |
|
Martin Willi
|
264514826c
|
Use a more complete implementation of a HA specific diffie_hellman_t
|
2012-03-20 17:31:37 +01:00 |
|
Martin Willi
|
5763367cac
|
Show IKE version in ipsec statusall
|
2012-03-20 17:31:37 +01:00 |
|
Martin Willi
|
c3f1839ab7
|
Apply proposal to a HA synced IKE_SA
|
2012-03-20 17:31:37 +01:00 |
|
Martin Willi
|
3624b09e21
|
Set selected proposal on IKEv1 SA, don't pass it separately to Phase 1 helper
|
2012-03-20 17:31:37 +01:00 |
|
Martin Willi
|
6bc6f67b0f
|
Updated HA plugin to new IKEv2 specific keymat functions
|
2012-03-20 17:31:37 +01:00 |
|
Martin Willi
|
3957a6e4f3
|
Get a reference for the child_cfg passed to child_create_create()
|
2012-03-20 17:31:36 +01:00 |
|
Martin Willi
|
696fa8e003
|
Invoke bus_t.narrow hook in quick mode exchange
|
2012-03-20 17:31:36 +01:00 |
|
Martin Willi
|
f420f51f55
|
Invoke authorization hooks for IKEv1 connections
|
2012-03-20 17:31:36 +01:00 |
|
Martin Willi
|
1a0648490c
|
Invoke ike_updown hooks for reauthenticated IKEv1 SAs
|
2012-03-20 17:31:36 +01:00 |
|
Martin Willi
|
b6ac063c36
|
Don't invoke a child_updown hook when a quick mode to delete has been rekeyed
|
2012-03-20 17:31:36 +01:00 |
|
Martin Willi
|
669d8bded2
|
Invoke child_rekey hook instead of child_updown when rekeying a quick mode
|
2012-03-20 17:31:36 +01:00 |
|
Martin Willi
|
5b7fc76861
|
Don't invoke updown hook when flushing SAs for IKEv1, tasks will do it
|
2012-03-20 17:31:36 +01:00 |
|
Martin Willi
|
c654d949f3
|
Fix "incoming" flag passed to bus_t.message() hook
|
2012-03-20 17:31:36 +01:00 |
|
Martin Willi
|
477559cab5
|
Continue with next exchange after sending an INFORMATIONAL
|
2012-03-20 17:31:36 +01:00 |
|
Martin Willi
|
1b82eb23a2
|
Handle retransmission of DPD exchange, both as initiator and responder
|
2012-03-20 17:31:36 +01:00 |
|
Martin Willi
|
11aadd7722
|
Disable DPD checking for peers not supporting it
|
2012-03-20 17:31:35 +01:00 |
|
Martin Willi
|
214d4e4090
|
Added missing DPD task name
|
2012-03-20 17:31:35 +01:00 |
|
Martin Willi
|
ff6b084ac4
|
Confirm message reception time only if DPD sequence number valid
|
2012-03-20 17:31:35 +01:00 |
|
Martin Willi
|
2ddd45c9a7
|
Simplified DPD handling by using a task for a single message only
|
2012-03-20 17:31:35 +01:00 |
|
Martin Willi
|
5ac4c2e1a9
|
Added missing short enum names for DPD notify types
|
2012-03-20 17:31:35 +01:00 |
|
Martin Willi
|
bb2d4e1882
|
Print IKEv1 notify types in message summary
|
2012-03-20 17:31:35 +01:00 |
|
Martin Willi
|
5f2f864efc
|
Support IKEv1 notifies in message_t.get_notify()
|
2012-03-20 17:31:35 +01:00 |
|
Martin Willi
|
3fca5bd123
|
Check if we have an RNG for IKEv1 task manager before using it
|
2012-03-20 17:31:35 +01:00 |
|
Martin Willi
|
31689338d6
|
Remove unused DPD sequence number getter on task manager
|
2012-03-20 17:31:35 +01:00 |
|
Martin Willi
|
1e624ce876
|
Don't retransmit, rekey, reauth or DPD check SAs when in PASSIVE state
|
2012-03-20 17:31:35 +01:00 |
|
Clavister OpenSource
|
c9a160953e
|
Send DPD vendor ID
|
2012-03-20 17:31:35 +01:00 |
|
Clavister OpenSource
|
3e6b740336
|
Isakmp_dpd task added.
|
2012-03-20 17:31:35 +01:00 |
|
Clavister OpenSource
|
36c8169629
|
DPD_R_U_THERE defines added
|
2012-03-20 17:31:35 +01:00 |
|
Martin Willi
|
346dad30d4
|
Request and handle retransmission of a lost third aggressive mode message
|
2012-03-20 17:31:34 +01:00 |
|
Martin Willi
|
37c12bd31e
|
Streamlined debug output when initiating IKEv1 IKE_SAs
|
2012-03-20 17:31:34 +01:00 |
|
Tobias Brunner
|
bd8d1f1d9c
|
Accept unencrypted Aggressive Mode messages.
Racoon does not encrypt the third message during Aggressive Mode.
|
2012-03-20 17:31:34 +01:00 |
|
Martin Willi
|
c40963b457
|
Enforce encapsulation mode of configuration, in case initiator proposes both
|
2012-03-20 17:31:34 +01:00 |
|
Martin Willi
|
e129168ba6
|
Added a "aggressive" ipsec.conf connection option
|
2012-03-20 17:31:34 +01:00 |
|
Martin Willi
|
830ab2ae7f
|
Handle aggressive mode task in IKEv1 task manager
|
2012-03-20 17:31:34 +01:00 |
|
Martin Willi
|
91c212fd6a
|
Select IKEv1 configurations by main/aggressive mode option
|
2012-03-20 17:31:34 +01:00 |
|
Martin Willi
|
5ce59d4c06
|
Added an aggressive mode peer_cfg option
|
2012-03-20 17:31:34 +01:00 |
|
Martin Willi
|
a347c1ac43
|
Fix sending of CERTREQ/CERT payloads in aggressive mode
|
2012-03-20 17:31:34 +01:00 |
|
Martin Willi
|
ebc7bcb550
|
Encrypt payloads of third aggressive mode message
|
2012-03-20 17:31:33 +01:00 |
|
Martin Willi
|
ee325b555f
|
Implemented aggressive mode using Phase 1 helper class
|
2012-03-20 17:31:33 +01:00 |
|
Martin Willi
|
b4bd875612
|
Make use of the new Phase 1 helper class in main mode
|
2012-03-20 17:31:33 +01:00 |
|
Martin Willi
|
c29a89b80d
|
Implemented a common Phase 1 helper class to use by main and aggressive modes
|
2012-03-20 17:31:33 +01:00 |
|
Martin Willi
|
44dcd5944a
|
Fix error handling if no PSK found for main mode
|
2012-03-20 17:31:33 +01:00 |
|
Martin Willi
|
90731f38c9
|
Install quick mode CHILD_SAs with negotiated encapsulation mode
|
2012-03-20 17:31:33 +01:00 |
|
Martin Willi
|
927c1dd9d2
|
Support IKEv1 proposal encodings having both lifebytes and a lifetime
|
2012-03-20 17:31:33 +01:00 |
|
Martin Willi
|
b147679a2c
|
Try to detect reauthentication as responder and adopt children to new SA
|
2012-03-20 17:31:33 +01:00 |
|
Martin Willi
|
3a0b67bce5
|
Destroy IKE_SA after reauthentication initiatend and lifetime limit reached
|
2012-03-20 17:31:33 +01:00 |
|
Martin Willi
|
cb1a145ce2
|
Added an IKE_SA manager method to enumerate IKE_SA IDs filtered by identities
|
2012-03-20 17:31:33 +01:00 |
|
Martin Willi
|
beab4a90ae
|
Query for XAuth identity in get_other_eap_id(), too
|
2012-03-20 17:31:32 +01:00 |
|
Martin Willi
|
1b79299b89
|
Set ISAKMP SA state to rekeying after triggering reauthentication
|
2012-03-20 17:31:32 +01:00 |
|
Martin Willi
|
c9d68d17f0
|
Include peer config overtime in negotiated ISAKMP SA lifetime
|
2012-03-20 17:31:32 +01:00 |
|
Martin Willi
|
4f49b06843
|
Initiate IKEv1 reauthentication, take over all children
|
2012-03-20 17:31:32 +01:00 |
|
Martin Willi
|
17c64d5ff9
|
Establish IKE_SA only once as XAuth responder
|
2012-03-20 17:31:32 +01:00 |
|
Martin Willi
|
9c64f214f1
|
Support initiation of childless IKEv1 ISAKMP SAs
|
2012-03-20 17:31:32 +01:00 |
|
Martin Willi
|
7e9e1f96df
|
Don't trigger reauthentication if initiator authenticated using XAuth
|
2012-03-20 17:31:32 +01:00 |
|
Martin Willi
|
2da3ff7a52
|
Set a condition flag if peer has been authenticated using XAuth
|
2012-03-20 17:31:32 +01:00 |
|
Martin Willi
|
54773729a8
|
Queue Mode Config tasks after main mode as initiator, not as responder
|
2012-03-20 17:31:32 +01:00 |
|
Clavister OpenSource
|
d71092ceed
|
Setting Mode Cfg identifier for CFG_ACK messages.
|
2012-03-20 17:31:32 +01:00 |
|
Clavister OpenSource
|
e32820f593
|
Add functions to set mode cfg identifier
|
2012-03-20 17:31:32 +01:00 |
|
Martin Willi
|
462c9a4f72
|
Try all matching XAuth secrets we find, not only the first one
|
2012-03-20 17:31:32 +01:00 |