Martin Willi
497ce2cf51
Support multiple address pools configured on a peer_cfg
2012-08-30 16:43:42 +02:00
Martin Willi
101d26babe
Support multiple virtual IPs on peer_cfg and ike_sa classes
2012-08-30 16:43:42 +02:00
Tobias Brunner
a21fac9a85
Log configured IKE_SA proposals as initiator
2012-08-24 13:43:14 +02:00
Tobias Brunner
d2b4dff5dd
Log configured CHILD_SA proposals as initiator
2012-08-24 13:43:14 +02:00
Tobias Brunner
1184493407
Fall back to local address as IKEv1 identity if nothing else is configured
2012-08-24 12:55:01 +02:00
Tobias Brunner
20915d6fa7
Apply send delay before adding non-ESP marker
Otherwise the packet header could not be parsed correctly when NAT-T is
used.
2012-08-24 11:23:36 +02:00
Andreas Steffen
014d007000
use pen_type_t for PA Message Subtype
2012-08-23 10:49:00 +02:00
Tobias Brunner
078755d099
Added a method to enumerate registered EAP methods
2012-08-21 16:48:47 +02:00
Martin Willi
e0d3014a17
Add a DNS attribute handler to updown, passing servers to updown script
2012-08-21 09:38:01 +02:00
Martin Willi
63e460542c
Add a stroke attribute_handler requesting DNS servers given with leftdns
2012-08-21 09:38:01 +02:00
Martin Willi
9937ca069a
Serve ipsec.conf rightdns servers through stroke attribute provider
2012-08-21 09:38:01 +02:00
Martin Willi
17319aa28d
Add a left/rightdns keyword to configure connection specific DNS attributes
2012-08-21 09:38:00 +02:00
Martin Willi
f26796deb5
Remove unused src/dst variables in send_no_marker()
2012-08-21 09:34:32 +02:00
Martin Willi
10bdc7a968
Remove the unused second IKE_SA entry match function argument
LLVM's clang complains about this parameter, so remove it.
2012-08-20 17:42:14 +02:00
Adrian-Ken Rueegsegger
acf27437cd
Add keymat_t constructor registration function
Using the register_constructor function enables custom keymat_t
implementations per IKE version. If no constructor is registered the
default behavior is preserved.
2012-08-20 13:02:47 +02:00
Tobias Brunner
ba27bf2af0
CAP_AUDIT_WRITE is now required by xauth-pam not eap-gtc plugin
2012-08-17 14:24:48 +02:00
Tobias Brunner
113d2a6b99
Removed manual EAP method registration in eap-gtc plugin
2012-08-17 14:24:37 +02:00
Tobias Brunner
91c0e0e3d9
Enable build of eap-tls, eap-ttls and eap-peap on Android
2012-08-17 13:55:44 +02:00
Tobias Brunner
aaefeafb49
Enable UDP decapsulation for both address families
Since the 3.5 Linux kernel both UDP implementations have a separate static
flag to indicate whether ANY sockets enabled UDP decapsulation.
As we only ever enabled it for one address family (in earlier versions IPv4
only, now for IPv6, if supported, and for IPv4 otherwise) UDP decapsulation
wouldn't work anymore (at least for one address family).
2012-08-16 15:26:37 +02:00
Tobias Brunner
11b514bff6
Correctly transmit EAP-MSCHAPv2 user name if it contains a domain part
2012-08-16 10:03:49 +02:00
Tobias Brunner
09ae3d79ca
Merge branch 'android-app'
This branch introduces a userland IPsec implementation (libipsec) and an
Android App which targets the VpnService API that is provided by Android 4+.
The implementation is based on the bachelor thesis 'Userland IPsec for
Android 4' by Giuliano Grassi and Ralf Sager.
2012-08-13 12:07:52 +02:00
Tobias Brunner
e4ef4c9877
Merge branch 'android-ndk'
This branch comes with some preliminary changes for the user-land IPsec
implementation and the Android App.
One important change is that the UDP ports used by the socket-default plugin
were made configurable (either via ./configure or strongswan.conf).
Also, the plugin does randomly allocate a port if it is configured to 0,
which is useful for client implementations. A consequence of these
changes is that the local UDP port used when creating ike_cfg_t objects has
to be fetched from the socket.
2012-08-13 10:45:39 +02:00
Tobias Brunner
000668d308
Doxygen fix
2012-08-11 16:50:22 +02:00
Martin Willi
cd55a3cb77
Use actual daemon name to enable XAuth/PSK with aggressive mode
2012-08-10 11:53:18 +02:00
Martin Willi
27128c1e32
EAP-GTC can use any XAuth backend, including xauth-pam
This makes EAP-GTC a generic plain password authentication method,
as it is used with XAuth. Instead of verifying credentials with
PAM, any backend can be configured. The default is xauth-pam,
providing the same functionality as EAP-GTC in strongSwan 4.x.
2012-08-10 10:43:44 +02:00
Martin Willi
b9e4916321
Add xauth-pam, an XAuth backend verifying credentials with PAM
2012-08-10 10:43:44 +02:00
Andreas Steffen
da21793679
make max_message_size parameter consistent with similar options
2012-08-09 14:11:08 +02:00
Tobias Brunner
053276e69a
Use a CALLBACK feature to create charon's sender and receiver
2012-08-08 15:41:02 +02:00
Tobias Brunner
5764a9b355
Moved packet_t to libstrongswan
2012-08-08 15:41:02 +02:00
Tobias Brunner
f3fefb1847
Increase log verbosity when sending NAT keep-alives
2012-08-08 15:41:02 +02:00
Tobias Brunner
6d11dd5770
Only log the sending of regular packets in sender_t
When sender_t is used to send ESP packets this would otherwise cause an extreme
amount of debug messages.
With this change all messages sent via sender_t.send_no_marker() cause no extra
DBG1 log message, but for debugging purposes the socket plugins do log the same
message again with DBG2 for all packets.
2012-08-08 15:41:02 +02:00
Tobias Brunner
6fbf4472ea
Added option to prevent socket-default from setting the source address on outbound packets
2012-08-08 15:39:07 +02:00
Tobias Brunner
224ab4c59b
socket-default plugin allocates random ports if configured to 0.
Also added strongswan.conf options to change the ports.
2012-08-08 15:30:27 +02:00
Tobias Brunner
b223d517c8
Replaced usages of CHARON_*_PORT with calls to get_port().
2012-08-08 15:12:25 +02:00
Tobias Brunner
a7babe25ee
Added get_port() method to socket_t to learn the listening port.
2012-08-08 15:12:25 +02:00
Tobias Brunner
75f8316332
Use send_no_marker to send NAT keepalives.
2012-08-08 15:12:25 +02:00
Tobias Brunner
30dc7dff4d
Avoid double-free when prepending Non-ESP marker.
2012-08-08 15:12:25 +02:00
Tobias Brunner
fb6c52adcd
Function added to send packets without Non-ESP marker.
2012-08-08 15:12:25 +02:00
Tobias Brunner
fe4a152b85
Avoid unnecessary copy of packet data when removing Non-ESP marker.
2012-08-08 15:12:25 +02:00
Tobias Brunner
73470cfe57
Added packet_t.skip_bytes method to skip bytes at the start of a packet.
2012-08-08 15:12:25 +02:00
Tobias Brunner
896941d365
Improved how NAT-T keepalives are handled in sockets/receiver.
2012-08-08 15:12:24 +02:00
Tobias Brunner
e49abcede0
Let kernel interfaces decide how to enable UDP decapsulation of ESP packets.
2012-08-08 15:12:24 +02:00
Tobias Brunner
08b2ce7aa7
Callback for ESP packets added to receiver.
2012-08-08 15:12:24 +02:00
Tobias Brunner
064da8b96b
Add Non-ESP marker in sender and not individual socket plugins.
2012-08-08 15:12:24 +02:00
Tobias Brunner
65da43e2fc
Handle Non-ESP marker in receiver and not individual socket plugins.
2012-08-08 15:12:24 +02:00
Tobias Brunner
162621ed57
Moved Android specific logger to separate plugin.
This is mainly because the other parts of the existing android plugin
cannot be built in the NDK (access to keystore and system properties is
not part of the stable NDK libraries).
2012-08-08 15:07:43 +02:00
Tobias Brunner
657a3ba609
Link android plugin against liblog in the NDK.
Doesn't seem to hurt the build within the source tree.
2012-08-08 15:07:43 +02:00
Tobias Brunner
e7ea057fd2
Make the UDP ports charon listens for packets on (and uses as source ports) configurable.
2012-08-08 15:07:43 +02:00
Martin Willi
4e98ca1800
Remove queued IKEv1 message before processing it
Avoids destruction or processing of a queued message in
recursive process_message() call.
2012-08-08 14:54:03 +02:00
Tobias Brunner
6204c1182d
Include src address in hash of initial message for Main Mode
If two initiators use the same SPI and also use the same SA proposal the
hash for the initial message would be exactly the same. For IKEv2 and
Aggressive Mode that's not a problem as these messages include random
data (Ni, KEi payloads).
2012-08-08 14:47:36 +02:00
Adrian-Ken Rueegsegger
9c2f08860d
Add DH group 15 (MODP-3072) to IKE proposal
2012-08-06 11:22:33 +02:00
Martin Willi
764035d515
Block XAuth transaction on established IKE_SAs, but allow Mode Config
2012-08-03 13:07:57 +02:00
Martin Willi
f02a305569
Fix linking of addrblock plugin when building monolithic
Fixes #212.
2012-08-03 10:50:21 +02:00
Martin Willi
394b9f6b65
Reject initial exchange messages early once IKE_SA is established
2012-08-02 13:04:54 +02:00
Martin Willi
f701ba8389
Lookup IKEv1 PSK even if the peer identity is not known
2012-07-31 15:39:33 +02:00
Tobias Brunner
63ac6d00b0
Proper fallback if capability dropping is not available
2012-07-27 14:46:42 +02:00
Tobias Brunner
d511a71daa
Include stdint.h for UINTxx_MAX defines
Fixes #205.
2012-07-27 13:47:59 +02:00
Martin Willi
777bcdc0d5
Don't include acquiring packet traffic selectors in IKEv1
As we only can negotiate a single TS in IKEv1, don't prepend the
triggering packet TS, as we do in IKEv2. Otherwise we don't establish
the TS of the configuration, but only that of the triggering packet.
Fixes #207.
2012-07-26 15:45:49 +02:00
Martin Willi
8b560a4565
Implement late peer config switching after XAuth authentication
If additional authentication constraints, such as group membership,
are not fulfilled by an XAuth backend, we search for another
peer configuration that fulfills all constraints, including those
from phase1.
2012-07-26 15:17:36 +02:00
Martin Willi
40ca05cff8
Check if XAuth round complies to configured authentication round
2012-07-26 12:40:27 +02:00
Martin Willi
874f7c7e2c
Don't add ANY identity constraint to auth config, as XAuth rounds don't use one
2012-07-26 12:38:34 +02:00
Martin Willi
9191946a63
Merge auth config items added from XAuth backends to IKE_SA
2012-07-26 12:07:48 +02:00
Martin Willi
46df61dff7
Add an ipsec.conf leftgroups2 parameter for the second authentication round
2012-07-26 11:51:58 +02:00
Martin Willi
81419807f5
Release leaking child config after uninstalling shunt policy
2012-07-23 17:15:40 +02:00
Martin Willi
73514b3217
Don't print hexdumps on loglevel 1 if hash verification fails
2012-07-20 17:36:27 +02:00
Martin Willi
09e3717525
Fix EAP-MSCHAPv2 master key derivation, broken with 87dd205b
2012-07-18 16:46:05 +02:00
Martin Willi
6719889e0a
Use centralized hasher names in coupling plugin
2012-07-17 17:32:03 +02:00
Andreas Steffen
931da8202b
handled return values in tnc-pdp
2012-07-16 22:54:38 +02:00
Martin Willi
ff9e46772f
Handle PRF failures in eap-aka-3gpp2
2012-07-16 14:55:08 +02:00
Martin Willi
a564e4ca77
Refactored error handling in keymat_v1_t
2012-07-16 14:55:07 +02:00
Martin Willi
4decfae6c2
Clean up error handling in keymat_v2_t
2012-07-16 14:55:07 +02:00
Martin Willi
511f0b18b9
Cleaned up memory management and return values for encryption payload
2012-07-16 14:55:07 +02:00
Martin Willi
87dd205b61
Add a return value to hasher_t.allocate_hash()
2012-07-16 14:55:06 +02:00
Martin Willi
e185612dd8
Add a return value to keymat_v1_t.{get,update,confirm}_iv
2012-07-16 14:55:06 +02:00
Martin Willi
8bd6a30af1
Add a return value to hasher_t.get_hash()
2012-07-16 14:55:06 +02:00
Martin Willi
ce73fc19db
Add a return value to crypter_t.set_key()
2012-07-16 14:53:38 +02:00
Martin Willi
3b96189a2a
Add a return value to crypter_t.decrypt()
2012-07-16 14:53:38 +02:00
Martin Willi
e35abbe588
Add a return value to crypter_t.encrypt
2012-07-16 14:53:37 +02:00
Tobias Brunner
e59f983160
Check rng return value when generating identity in eap-simaka-reauth plugin
2012-07-16 14:53:36 +02:00
Tobias Brunner
e37f9ac2c9
Check rng return value when generating pseudonym in eap-simaka-pseudonym plugin
2012-07-16 14:53:36 +02:00
Tobias Brunner
8beeb8e116
Check rng return value when generating nonces in eap-aka plugin
2012-07-16 14:53:36 +02:00
Tobias Brunner
18ce1bb721
Check rng return value when generating nonces in eap-sim plugin
2012-07-16 14:53:36 +02:00
Tobias Brunner
10b6ca5fb2
Check rng return value when generating RAND in eap-aka-3gpp2 plugin
2012-07-16 14:53:36 +02:00
Tobias Brunner
162f489a27
Check rng return value when generating challenges in eap-md5 and mschapv2 plugins
2012-07-16 14:53:36 +02:00
Tobias Brunner
7ae2671036
Check rng return value when generating Transaction IDs in DHCP plugin
2012-07-16 14:53:36 +02:00
Tobias Brunner
f1c78cfee7
Check rng return value when generating ME CONNECT_ID and KEY
2012-07-16 14:53:35 +02:00
Tobias Brunner
1bb9c51e87
Check rng return value when generating IKEv1 message IDs
2012-07-16 14:53:35 +02:00
Tobias Brunner
504918348d
Check rng return value when generating COOKIE2 during MOBIKE
2012-07-16 14:53:35 +02:00
Tobias Brunner
0c096e9bb5
Check rng return value when generating COOKIE secret in receiver
2012-07-16 14:53:35 +02:00
Tobias Brunner
92f207477c
Check rng return value when generating fake NAT detection payloads
2012-07-16 14:53:35 +02:00
Tobias Brunner
ca9b68eb9e
Check rng return value when encrypting encryption payload
2012-07-16 14:53:35 +02:00
Tobias Brunner
5d91d8c469
Check rng return value when generating SPIs in ike_sa_manager_t
2012-07-16 14:53:35 +02:00
Reto Buerki
605985d122
Nonce: Let get_nonce, allocate_nonce return boolean
2012-07-16 14:53:34 +02:00
Martin Willi
f3ca96b2bf
Add a return value to prf_t.set_key()
2012-07-16 14:53:34 +02:00
Martin Willi
ecc080b393
Add a return value to prf_t.allocate_bytes()
2012-07-16 14:53:34 +02:00
Martin Willi
a7e6539135
Use a bool return value in keymat_v1_t.get_hash_phase2()
2012-07-16 14:53:34 +02:00
Martin Willi
e4c5c1d03e
Add a return value to keymat_v1_t.get_hash()
2012-07-16 14:53:34 +02:00
Martin Willi
bb1e0c59e1
Add a return value to keymat_v2_t.get_auth_octets()
2012-07-16 14:53:34 +02:00
Martin Willi
2baae8e3ea
Add a return value to keymat_v2_t.get_psk_sig()
2012-07-16 14:53:34 +02:00
Martin Willi
bc47488323
Add a return value to prf_t.get_bytes()
2012-07-16 14:53:33 +02:00
Martin Willi
edd54734c8
prf_plus_create() can return NULL on failure
2012-07-16 14:53:33 +02:00
Martin Willi
5d79e6c6b4
Add a return value to prf_plus_t.allocate_bytes()
2012-07-16 14:53:33 +02:00
Martin Willi
2d56575d52
Add a return value to signer_t.set_key()
2012-07-16 14:53:33 +02:00
Martin Willi
86d2cdc1ed
Add a return value to simaka_crypto_t.derive_keys_*()
2012-07-16 14:53:33 +02:00
Martin Willi
5fb719e0de
Add a return value to radius_message_t.sign()
2012-07-16 14:53:33 +02:00
Martin Willi
264e702109
Add a return value to simaka_message_t.generate()
2012-07-16 14:53:33 +02:00
Martin Willi
ad08730a4b
Add a return value to aead_t.set_key()
2012-07-16 14:53:32 +02:00
Martin Willi
e2ed7bfd22
Add a return value to aead_t.encrypt()
2012-07-16 14:53:32 +02:00
Martin Willi
d19f0ae3e0
Don't modify the message string passed to logger, as it gets reused
2012-07-13 15:43:04 +02:00
Martin Willi
c6343cf0ad
Log to a malloc()ed buffer if the on-stack buffer is not large enough
2012-07-13 13:23:29 +02:00
Martin Willi
1b40b74de0
Pass opaque data to printf hooks and print_in_hook()
2012-07-13 13:23:29 +02:00
Tobias Brunner
893c3a4ead
Simplify NAT-D payload creation if UDP encapsulation is forced
We don't need any address lookups in that case as the content of the
payload is generated randomly anyway.
2012-07-13 11:13:43 +02:00
Andreas Steffen
22e97e4f1f
updated Copyright info
2012-07-13 10:42:40 +02:00
Andreas Steffen
968c83cdeb
restrict PA-TNC messages to maximum size
2012-07-12 21:26:18 +02:00
Tobias Brunner
8d98f7fef6
Avoid that any % characters (e.g. in %any) are evaluated when logging via stroke
2012-07-12 16:58:00 +02:00
Andreas Steffen
c9c3da66a8
removed unused variables
2012-07-11 23:15:44 +02:00
Andreas Steffen
c56667f1db
fixed logging of unsupported TNCCS version
2012-07-11 17:09:05 +02:00
Andreas Steffen
1de4af66d5
PB-TNC Client sends empty CLOSE batch only in DECIDED state
2012-07-11 17:09:05 +02:00
Andreas Steffen
a287a3cdcd
have_recommendation() accepts NULL arguments
2012-07-11 17:09:05 +02:00
Andreas Steffen
b8b678a567
send empty SDATA batch if no recommendation is available yet, but in order to avoid loops only if no empty CDATA batch was received
2012-07-11 17:09:05 +02:00
Andreas Steffen
a5c79d0175
moved batch size calculation into pb_tnc_batch_t
2012-07-11 17:09:05 +02:00
Andreas Steffen
d7dcbc95a9
make maximum PB-TNC batch size configurable
2012-07-11 17:09:05 +02:00
Andreas Steffen
3a16bec8f9
limit the size of a PB-TNC batch to the maximum EAP-TNC packet size
2012-07-11 17:09:05 +02:00
Andreas Steffen
6245edf37e
eliminate message length field in EAP-TNC
2012-07-11 17:09:05 +02:00
Andreas Steffen
a04c51aea9
due to single fragment, total length does not have to be included
2012-07-11 17:09:04 +02:00
Andreas Steffen
4492ffc907
EAP-TNC does not support fragmentation
2012-07-11 17:09:04 +02:00
Martin Willi
07836f559d
Send cert request based on peers configured authentication class
2012-07-10 17:15:59 +02:00
Martin Willi
3128e7fa7c
Don't send CERTREQs when initiating aggressive mode PSK
2012-07-09 12:05:23 +02:00
Martin Willi
0619ddfaa4
Refactored heavily #ifdef'd capability code to its own libstrongswan class
2012-07-04 11:01:40 +02:00
Tobias Brunner
644c6c968d
Use spin locks to update IKE_SAs in controller_t
This ensures the listeners don't miss any events after the SAs have been
checked out in the asynchronously executed jobs. This is a matter of
memory visibility and not primarily a matter of exclusive access.
2012-07-04 10:13:50 +02:00
Tobias Brunner
c9355ea4a0
Fixed job handling in controller_t
Also IKE_SAs are now checked out in the jobs and not before.
2012-07-04 10:13:49 +02:00
Martin Willi
9d2968e272
As a responder, don't start a TRANSACTION request if we expect one from the initiator
2012-06-29 13:40:31 +02:00
Andreas Steffen
5f451f2d6a
IMCs and IMVs might depend on X.509 certificates or trusted public keys
2012-06-28 17:55:02 +02:00
Martin Willi
0f018a7324
Show some uname() info in "ipsec statusall"
2012-06-28 11:56:40 +02:00
Tobias Brunner
bd858af851
libcharon also requires kernel interfaces and a socket implementation
2012-06-27 12:15:09 +02:00
Martin Willi
271377905d
Defer quick mode initiation if we expect a mode config request
2012-06-27 11:42:56 +02:00
Martin Willi
8ff45cfd99
Queue a mode config task as responder if we need a virtual IP
2012-06-27 11:42:56 +02:00
Martin Willi
c2a391746c
Add basic support for XAuth responder authentication
2012-06-27 11:42:56 +02:00
Martin Willi
a9aa75b90e
Map XAuth responder authentication methods between IKEv1 and IKEv2
2012-06-27 11:42:56 +02:00
Martin Willi
dc6d259635
Show remote EAP/XAuth identity in "statusall" on a separate line
2012-06-27 11:42:00 +02:00
Tobias Brunner
aa54ecef44
Use static plugin features in libcharon to define essential dependencies
2012-06-27 11:31:16 +02:00
Martin Willi
5def45b890
Ignore a received %any virtual IP for installation
2012-06-26 18:00:40 +02:00
Tobias Brunner
9866c26c5b
Also build charon's IKEv1 implementation on Android
2012-06-26 07:56:15 +02:00
Tobias Brunner
8497c5d147
Missing source file added to libcharon's Android.mk
2012-06-26 07:56:15 +02:00
Tobias Brunner
e0efd7c121
Make rescheduling a job more predictable
This avoids race conditions between calls to cancel() and jobs that like
to be rescheduled. If jobs were able to reschedule themselves it would
theoretically be possible that two worker threads have the same job
assigned (the one currently executing the job and the one executing the
same but rescheduled job if it already is time to execute it); this means
that cancel() could be called twice for that job.
Creating a new job based on the current one and rescheduling that is also
OK, but rescheduling itself is more efficient for jobs that need to be
executed often.
2012-06-25 17:49:12 +02:00
Tobias Brunner
26d77eb3e6
Centralized thread cancellation in processor_t
This ensures that no threads are active when plugins and the rest of the
daemon are unloaded.
callback_job_t was simplified a lot in the process as its main
functionality is now contained in processor_t. The parent-child
relationships were abandoned as these were only needed to simplify job
cancellation.
2012-06-25 17:38:59 +02:00
Tobias Brunner
7fec83af28
Give processor_t more control over the lifecycle of a job
Jobs are now destroyed by the processor, but they are allowed to
reschedule themselves. That is, parts of the reschedule functionality
already provided by callback_job_t are moved to the processor. Not yet
fully supported are JOB_REQUEUE_DIRECT and canceling jobs.
Note: job_t.destroy() is now called not only for queued jobs but also
after execution or cancellation of jobs. job_t.status can be used to
decide what to do in said method.
2012-06-25 17:10:28 +02:00
Andreas Steffen
554a697a84
support Cisco Unity VID
2012-06-25 11:09:06 +02:00
Martin Willi
0ba1ddaa24
Enforce uniqueids=keep based on XAuth identity
2012-06-25 10:18:35 +02:00
Martin Willi
f145ea29e0
Don't send XAUTH_OK if a hook prevents SA to establish
2012-06-25 10:18:35 +02:00
Martin Willi
0c32b9c62f
Enforce uniqueids=keep only for non-XAuth Main/Aggressive Modes
2012-06-25 10:18:35 +02:00
Martin Willi
dd1381e7d3
Show EAP/XAuth identity in "ipsec status", if available
2012-06-25 10:18:35 +02:00
Martin Willi
0fbfcf2a3a
Use XAuth/EAP remote identity for uniqueness check
2012-06-25 10:18:34 +02:00
Martin Willi
de5e8fb4e0
Add missing XAuth name variable when complaining about missing XAuth backend
2012-06-25 10:09:27 +02:00
Tobias Brunner
e91157a4b6
Fix SIGSEGV if kernel install fails during Quick Mode as responder.
2012-06-22 11:34:38 +02:00
Tobias Brunner
aa8898bc45
Fixed compile error because of charon->name in certexpire plugin.
2012-06-21 13:59:18 +02:00
Martin Willi
e2dd114f37
Select requested virtual IP family based on remote TS, if no local TS available
2012-06-20 10:02:01 +02:00
Martin Willi
af518b450e
Adopt children as XAuth initiator (which is IKE responder)
2012-06-14 14:49:19 +02:00
Martin Willi
137035cc78
Show what kind of *Swan we run in "ipsec status"
2012-06-14 10:25:48 +02:00
Martin Willi
b31a56f128
Require a scary option to respond to Aggressive Mode PSK requests
While Aggressive Mode PSK is widely used, it is known to be subject
to dictionary attacks by passive attackers. We don't complain as
initiator to be compatible with existing (insecure) setups, but
require a scary strongswan.conf option if someone wants to use it
as responder.
2012-06-14 10:25:48 +02:00
Tobias Brunner
f7cbc0fafe
Use proper defines for IPV6_PKTINFO on Mac OS X Lion and newer.
2012-06-13 15:02:10 +02:00
Martin Willi
e35bbb9740
Added signature scheme options left/rightauth
2012-06-12 15:01:39 +02:00
Martin Willi
a37f2d2006
certificate_t->issued_by takes an argument to receive signature scheme
2012-06-12 14:24:49 +02:00
Andreas Steffen
fd03443f42
added missing parameter in get_my_addr() and get_other_addr() calls
2012-06-09 14:06:45 +02:00
Andreas Steffen
1d315bddd3
implemented the right|leftallowany feature
2012-06-08 21:24:41 +02:00
Martin Willi
e5f0f9ff96
Enforce uniqueness policy in IKEv1 main and aggressive modes
2012-06-08 16:15:22 +02:00
Martin Willi
82ad53b776
Try to rekey without KE exchange if peer returns INVALID_KE_PAYLOAD(NONE)
According to RFC5996, implementations should just ignore the KE payload
if they select a non-PFS proposal. Some implementations don't, but
return MODP_NONE in INVALID_KE_PAYLOAD, hence we accept that, too.
2012-06-08 10:35:02 +02:00
Martin Willi
2d4c347af9
While checking for redundant quick modes, compare traffic selectors
If a configuration is instanced more than once using narrowing,
we should keep all unique quick modes up during rekeying.
2012-06-08 10:22:03 +02:00
Martin Willi
106b938b6b
Store shorter soft lifetime of in- and outbound SAs only
2012-06-08 10:22:03 +02:00
Martin Willi
7a5f372c57
Initiate quick mode rekeying with narrowed traffic selectors
2012-06-08 10:22:03 +02:00
Martin Willi
d61f2906d4
Use traffic selectors passed to quick mode constructor as initiator
2012-06-08 10:22:03 +02:00
Martin Willi
1e24fa4614
Instead of rekeying, delete a quick mode if we have a fresher instance
If both peers initiate quick mode rekeying simultaneously, we end up
with duplicate SAs for a configuration. This can't be avoided, nor do
the standards provide an appropriate solution. Instead of closing one
SA immediately, we keep both. But once rekeying triggers, we don't
refresh the SA with the shorter soft lifetime, but delete it.
2012-06-08 10:22:03 +02:00
Martin Willi
ab24a32edf
As responder, enforce the same configuration while rekeying CHILD_SAs
2012-06-06 16:06:49 +02:00
Martin Willi
21043198ff
Show expiration time of rekeyed CHILD_SAs in statusall
2012-06-05 10:29:43 +02:00
Tobias Brunner
c8f7a114b6
Mark CHILD_SAs used for trap policies to uninstall them properly.
If the installation failed the state is not CHILD_ROUTED which means the
wrong priority is used to uninstall the policies. This is a problem for
kernel interfaces that keep track of installed policies as now the proper
policy is not found (if the priority is considered).
2012-06-04 18:04:48 +02:00
Tobias Brunner
77e4282643
Avoid queueing more than one retry initiate job.
2012-05-30 15:32:52 +02:00
Tobias Brunner
60c82591c5
Retry IKE_SA initiation if DNS resolution failed.
This is disabled by default and can be enabled with the
charon.retry_initiate_interval option in strongswan.conf.
2012-05-30 15:32:52 +02:00
Tobias Brunner
eac9d77059
Job added to re-initiate an IKE_SA.
2012-05-30 15:32:52 +02:00
Tobias Brunner
53915f14ae
Fix MOBIKE address update if responder address changed.
Use the source address of the current MOBIKE message as peer address
instead of assuming the address cached on the IKE_SA is still valid.
2012-05-25 17:05:53 +02:00
Tobias Brunner
a46fe56858
Resolve hosts before reauthenticating due to address change.
2012-05-25 17:05:53 +02:00
Tobias Brunner
c6da59f014
Don't queue delete_ike_sa job when setting IKE_DELETING.
This avoids deleting IKE_SAs during reauthentication (without
trying to reestablish them).
2012-05-25 17:05:53 +02:00
Tobias Brunner
7457143072
During reauthentication reestablish IKE_SA even if deleting the old one fails.
2012-05-25 17:05:53 +02:00
Tobias Brunner
23470d849a
Integrated main parts of IKE_REAUTH task into ike_sa_t.reestablish.
2012-05-25 17:05:53 +02:00
Tobias Brunner
12715f1953
Fixed route lookup in case MOBIKE is not enabled.
2012-05-25 17:05:53 +02:00
Tobias Brunner
daab61e51f
Added encapsulation mode transform attribute to IPComp proposal.
2012-05-25 09:26:42 +02:00
Tobias Brunner
6695b48582
Add an additional proposal without IPComp to SA payload.
2012-05-24 15:32:28 +02:00
Tobias Brunner
3451ecd7ac
Added log message if peer does not accept/provide IPComp proposal.
2012-05-24 15:32:28 +02:00
Tobias Brunner
47b448b807
Added support to negotiate IPComp during Quick Mode.
2012-05-24 15:32:28 +02:00
Tobias Brunner
647cd741e8
Added support for IKEv1 IPComp proposals in SA payload.
2012-05-24 15:32:28 +02:00
Tobias Brunner
7a75cae856
Added support for IKEv1 IPComp proposals in proposal substructure.
2012-05-24 15:32:27 +02:00
Tobias Brunner
00e11bcefd
Fix memleak during Quick Mode in case no SPI can be allocated from kernel.
2012-05-24 15:32:27 +02:00
Tobias Brunner
624bb24d12
Properly filter IKEv1 proposals consisting of multiple proposal payloads.
Since a proposal_t object is created for each transform contained in the
proposal payload, it does not work to simply remove the last proposal_t
object added to the list (there may be several others extracted from the
previous proposal payload).
2012-05-24 15:32:27 +02:00
Martin Willi
3c475660c5
Apply IDir before deriving keys as aggressive initiator
2012-05-23 12:27:47 +02:00
Martin Willi
523ce7c20c
Use received identity to look up PSK as aggressive responder
2012-05-23 12:18:45 +02:00
Martin Willi
51754f6654
Check if we actually have an initiating packet to free while processing responses
2012-05-23 11:50:12 +02:00
Andreas Steffen
2ac996cb71
list IKEv1 Aggressive Mode in ipsec statusall
2012-05-23 11:12:27 +02:00
Tobias Brunner
1a624ff45a
Switch to alternative peer config in IKEv1 Main and Aggressive Mode.
2012-05-21 15:49:25 +02:00
Martin Willi
17949695bf
Cancel pending retransmits when flushing active task queue
2012-05-21 14:57:33 +02:00
Martin Willi
4ce92ef350
Cancel active quick mode task when receiving INFORMATIONAL error
2012-05-21 14:57:33 +02:00
Martin Willi
7ce504e182
Flush task queues explicitly, not implicitly if task returns ALREADY_DONE
2012-05-21 14:17:09 +02:00