strongswan.git
3 years agoike-init: Verify REDIRECT notify before processing IKE_SA_INIT message
Tobias Brunner [Thu, 21 May 2015 12:56:01 +0000 (14:56 +0200)]
ike-init: Verify REDIRECT notify before processing IKE_SA_INIT message

An attacker could blindly send a message with invalid nonce data (or none
at all) to DoS an initiator if we just destroy the SA.  To prevent this we
ignore the message and wait for the one by the correct responder.

3 years agoikev2: Allow tasks to verify request messages before processing them
Tobias Brunner [Thu, 21 May 2015 12:48:35 +0000 (14:48 +0200)]
ikev2: Allow tasks to verify request messages before processing them

3 years agoikev2: Allow tasks to verify response messages before processing them
Tobias Brunner [Thu, 21 May 2015 12:45:52 +0000 (14:45 +0200)]
ikev2: Allow tasks to verify response messages before processing them

3 years agotask: Add optional pre_process() method
Tobias Brunner [Thu, 21 May 2015 12:38:02 +0000 (14:38 +0200)]
task: Add optional pre_process() method

This will eventually allow tasks to pre-process and verify received
messages.

3 years agotesting: Add ikev2/redirect-active scenario
Tobias Brunner [Tue, 12 May 2015 14:53:04 +0000 (16:53 +0200)]
testing: Add ikev2/redirect-active scenario

3 years agoike-init: Ignore notifies related to redirects during rekeying
Tobias Brunner [Thu, 30 Apr 2015 10:57:19 +0000 (12:57 +0200)]
ike-init: Ignore notifies related to redirects during rekeying

Also don't query redirect providers in this case.

3 years agoike-sa: Add limit for the number of redirects within a defined time period
Tobias Brunner [Thu, 30 Apr 2015 10:44:56 +0000 (12:44 +0200)]
ike-sa: Add limit for the number of redirects within a defined time period

3 years agoike-sa: Reauthenticate to the same addresses we currently use
Tobias Brunner [Thu, 30 Apr 2015 10:26:41 +0000 (12:26 +0200)]
ike-sa: Reauthenticate to the same addresses we currently use

If the SA got redirected this would otherwise cause a reauthentication with
the original gateway.  Reestablishing the SA to the original gateway, if e.g.
the new gateway is not reachable makes sense though.

3 years agovici: Don't redirect all SAs if no selectors are given
Tobias Brunner [Tue, 12 May 2015 15:49:46 +0000 (17:49 +0200)]
vici: Don't redirect all SAs if no selectors are given

This avoid confusion and redirecting all SAs can now easily be done
explicitly (e.g. peer_ip=0.0.0.0/0).

3 years agovici: Match subnets and ranges against peer IP in redirect command
Tobias Brunner [Thu, 30 Apr 2015 08:56:27 +0000 (10:56 +0200)]
vici: Match subnets and ranges against peer IP in redirect command

3 years agovici: Match identity with wildcards against remote ID in redirect command
Tobias Brunner [Tue, 28 Apr 2015 16:33:31 +0000 (18:33 +0200)]
vici: Match identity with wildcards against remote ID in redirect command

3 years agoswanctl: Add --redirect command
Tobias Brunner [Tue, 28 Apr 2015 16:00:01 +0000 (18:00 +0200)]
swanctl: Add --redirect command

3 years agovici: Add redirect command
Tobias Brunner [Tue, 28 Apr 2015 15:45:52 +0000 (17:45 +0200)]
vici: Add redirect command

This allows redirecting IKE_SAs by multiple different selectors, if none
are given all SAs are redirected.

3 years agoredirect-job: Add job to redirect an active IKE_SA
Tobias Brunner [Tue, 28 Apr 2015 15:29:42 +0000 (17:29 +0200)]
redirect-job: Add job to redirect an active IKE_SA

3 years agoike-sa: Add redirect() method to actively redirect an IKE_SA
Tobias Brunner [Tue, 28 Apr 2015 12:50:11 +0000 (14:50 +0200)]
ike-sa: Add redirect() method to actively redirect an IKE_SA

3 years agoike-redirect: Add task to redirect active IKE_SAs
Tobias Brunner [Tue, 28 Apr 2015 12:10:43 +0000 (14:10 +0200)]
ike-redirect: Add task to redirect active IKE_SAs

3 years agoike-auth: Handle REDIRECT notifies during IKE_AUTH
Tobias Brunner [Fri, 24 Apr 2015 14:59:44 +0000 (16:59 +0200)]
ike-auth: Handle REDIRECT notifies during IKE_AUTH

3 years agoike-sa: Handle redirect requests for established SAs as reestablishment
Tobias Brunner [Fri, 24 Apr 2015 14:57:43 +0000 (16:57 +0200)]
ike-sa: Handle redirect requests for established SAs as reestablishment

We handle this similar to how we do reestablishing IKE_SAs with all CHILD_SAs,
which also includes the one actively queued during IKE_AUTH.

To delete the old SA we use the recently added ike_reauth_complete task.

3 years agoike-auth: Send REDIRECT notify during IKE_AUTH if requested by providers
Tobias Brunner [Thu, 23 Apr 2015 14:43:35 +0000 (16:43 +0200)]
ike-auth: Send REDIRECT notify during IKE_AUTH if requested by providers

To prevent the creation of the CHILD_SA we set a condition on the
IKE_SA.  We also schedule a delete job in case the client does not
terminate the IKE_SA (which is a SHOULD in RFC 5685).

3 years agoike-config: Do not assign attributes for redirected IKE_SAs
Tobias Brunner [Tue, 28 Apr 2015 16:15:35 +0000 (18:15 +0200)]
ike-config: Do not assign attributes for redirected IKE_SAs

3 years agochild-create: Don't create CHILD_SA if the IKE_SA got redirected in IKE_AUTH
Tobias Brunner [Thu, 23 Apr 2015 14:36:49 +0000 (16:36 +0200)]
child-create: Don't create CHILD_SA if the IKE_SA got redirected in IKE_AUTH

3 years agoike-sa: Add a condition to mark redirected IKE_SAs
Tobias Brunner [Thu, 23 Apr 2015 14:31:39 +0000 (16:31 +0200)]
ike-sa: Add a condition to mark redirected IKE_SAs

3 years agoike-init: Handle REDIRECTED_FROM similar to REDIRECT_SUPPORTED as server
Tobias Brunner [Thu, 23 Apr 2015 10:29:03 +0000 (12:29 +0200)]
ike-init: Handle REDIRECTED_FROM similar to REDIRECT_SUPPORTED as server

3 years agoike-init: Send REDIRECTED_FROM instead of REDIRECT_SUPPORTED if appropriate
Tobias Brunner [Thu, 23 Apr 2015 10:23:46 +0000 (12:23 +0200)]
ike-init: Send REDIRECTED_FROM instead of REDIRECT_SUPPORTED if appropriate

3 years agoike-sa: Keep track of the address of the gateway that redirected us
Tobias Brunner [Thu, 23 Apr 2015 10:16:21 +0000 (12:16 +0200)]
ike-sa: Keep track of the address of the gateway that redirected us

3 years agoikev2: Add option to disable following redirects as client
Tobias Brunner [Mon, 20 Apr 2015 15:36:45 +0000 (17:36 +0200)]
ikev2: Add option to disable following redirects as client

3 years agoikev2: Handle REDIRECT notifies during IKE_SA_INIT
Tobias Brunner [Thu, 23 Apr 2015 09:50:31 +0000 (11:50 +0200)]
ikev2: Handle REDIRECT notifies during IKE_SA_INIT

3 years agoike-init: Send REDIRECT notify during IKE_SA_INIT if requested by providers
Tobias Brunner [Wed, 22 Apr 2015 15:02:23 +0000 (17:02 +0200)]
ike-init: Send REDIRECT notify during IKE_SA_INIT if requested by providers

3 years agoredirect-manager: Add helper function to create and parse REDIRECT notify data
Tobias Brunner [Wed, 22 Apr 2015 12:34:53 +0000 (14:34 +0200)]
redirect-manager: Add helper function to create and parse REDIRECT notify data

The same encoding is also used for the REDIRECT_FROM notifies.

3 years agoredirect-manager: Verify type of returned gateway ID
Tobias Brunner [Wed, 22 Apr 2015 12:19:54 +0000 (14:19 +0200)]
redirect-manager: Verify type of returned gateway ID

3 years agoike-init: Send REDIRECT_SUPPORTED as initiator
Tobias Brunner [Mon, 20 Apr 2015 13:16:10 +0000 (15:16 +0200)]
ike-init: Send REDIRECT_SUPPORTED as initiator

3 years agoike-init: Enable redirection extension if client sends REDIRECT_SUPPORTED notify
Tobias Brunner [Mon, 20 Apr 2015 12:59:08 +0000 (14:59 +0200)]
ike-init: Enable redirection extension if client sends REDIRECT_SUPPORTED notify

3 years agoike-sa: Add new extension for IKEv2 redirection (RFC 5685)
Tobias Brunner [Mon, 20 Apr 2015 12:56:21 +0000 (14:56 +0200)]
ike-sa: Add new extension for IKEv2 redirection (RFC 5685)

3 years agodaemon: Create global redirect manager instance
Tobias Brunner [Mon, 20 Apr 2015 12:41:09 +0000 (14:41 +0200)]
daemon: Create global redirect manager instance

3 years agoredirect-manager: Add manager for redirect providers
Tobias Brunner [Mon, 20 Apr 2015 12:38:17 +0000 (14:38 +0200)]
redirect-manager: Add manager for redirect providers

3 years agoredirect-provider: Add interface to redirect clients during initial messages
Tobias Brunner [Mon, 20 Apr 2015 12:05:16 +0000 (14:05 +0200)]
redirect-provider: Add interface to redirect clients during initial messages

This will allow e.g. plugins to decide whether a connecting client is
redirected to a different gateway using RFC 5685.

3 years agoSet PLUTO port variables to 0 in the case of no port restrictions
Andreas Steffen [Fri, 4 Mar 2016 11:52:35 +0000 (12:52 +0100)]
Set PLUTO port variables to 0 in the case of no port restrictions

3 years agoAdded port range support to NEWS
Andreas Steffen [Fri, 4 Mar 2016 09:03:12 +0000 (10:03 +0100)]
Added port range support to NEWS

3 years agotesting: Added swanctl/protoport-range scenario
Andreas Steffen [Thu, 3 Mar 2016 14:01:12 +0000 (15:01 +0100)]
testing: Added swanctl/protoport-range scenario

3 years agoPort range support in updown script
Andreas Steffen [Thu, 3 Mar 2016 12:29:59 +0000 (13:29 +0100)]
Port range support in updown script

3 years agoImplemented port ranges in kernel_netlink interface
Andreas Steffen [Thu, 3 Mar 2016 11:24:41 +0000 (12:24 +0100)]
Implemented port ranges in kernel_netlink interface

3 years agothread: Allow thread ID to be value returned by gettid()
Thomas Egerer [Fri, 12 Feb 2016 16:09:47 +0000 (17:09 +0100)]
thread: Allow thread ID to be value returned by gettid()

Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
3 years agoRequest missing SWID tags in a directed PA-TNC message
Andreas Steffen [Fri, 4 Mar 2016 00:04:44 +0000 (01:04 +0100)]
Request missing SWID tags in a directed PA-TNC message

3 years agoMerge branch 'libhydra-bye-bye'
Tobias Brunner [Thu, 3 Mar 2016 16:39:27 +0000 (17:39 +0100)]
Merge branch 'libhydra-bye-bye'

Moves kernel plugins to libcharon and removes the unused libhydra.  The
kernel interface is now accessible under charon->kernel.

3 years agolibhydra: Remove empty unused library
Tobias Brunner [Fri, 12 Feb 2016 15:35:54 +0000 (16:35 +0100)]
libhydra: Remove empty unused library

3 years agolibhydra: Move kernel interface to libcharon
Tobias Brunner [Fri, 12 Feb 2016 14:30:18 +0000 (15:30 +0100)]
libhydra: Move kernel interface to libcharon

This moves hydra->kernel_interface to charon->kernel.

3 years agolibhydra: Move all kernel plugins to libcharon
Tobias Brunner [Fri, 12 Feb 2016 14:21:54 +0000 (15:21 +0100)]
libhydra: Move all kernel plugins to libcharon

3 years agoikev1: Send and verify IPv6 addresses correctly
Tobias Brunner [Wed, 10 Feb 2016 09:11:31 +0000 (10:11 +0100)]
ikev1: Send and verify IPv6 addresses correctly

According to the mode-config draft there is no prefix sent for
IPv6 addresses in IKEv1.  We still accept 17 bytes long addresses for
backwards compatibility with older strongSwan releases.

Fixes #1304.

3 years agoikev1: Allow immediate deletion of rekeyed CHILD_SAs
Tobias Brunner [Wed, 17 Feb 2016 16:31:51 +0000 (17:31 +0100)]
ikev1: Allow immediate deletion of rekeyed CHILD_SAs

When charon rekeys a CHILD_SA after a soft limit expired, it is only
deleted after the hard limit is reached.  In case of packet/byte limits
this may not be the case for a long time since the packets/bytes are
usually sent using the new SA.  This may result in a very large number of
stale CHILD_SAs and kernel states.  With enough connections configured this
will ultimately exhaust the memory of the system.

This patch adds a strongswan.conf setting that, if enabled, causes the old
CHILD_SA to be deleted by the initiator after a successful rekeying.

Enabling this setting might create problems with implementations that
continue to use rekeyed SAs (e.g. if the DELETE notify is lost).

3 years agoikev1: Avoid modifying local auth config when detecting pubkey method
Tobias Brunner [Thu, 17 Dec 2015 17:18:09 +0000 (18:18 +0100)]
ikev1: Avoid modifying local auth config when detecting pubkey method

If it was necessary to pass the local certificates we could probably
clone the config (but we don't do that either when later looking for the
key to actually authenticate).
Passing auth adds the same subject cert to the config over and over
again (I guess we could also try to prevent that by searching for
duplicates).

3 years agoforecast: Fix alignment when adding rules
Tobias Brunner [Mon, 30 Nov 2015 15:30:22 +0000 (16:30 +0100)]
forecast: Fix alignment when adding rules

Basically the same issue as with the connmark plugin.

Fixes #1212.

3 years agoconnmark: Fix alignment when adding rules
Tobias Brunner [Mon, 30 Nov 2015 15:04:35 +0000 (16:04 +0100)]
connmark: Fix alignment when adding rules

The structs that make up a message sent to the kernel have all to be
aligned with XT_ALIGN.  That was not necessarily the case when
initializing the complete message as struct.

Fixes #1212.

3 years agoike: Keep track of send keepalive jobs to avoid scheduling more than one per IKE_SA
Tobias Brunner [Mon, 16 Nov 2015 16:14:18 +0000 (17:14 +0100)]
ike: Keep track of send keepalive jobs to avoid scheduling more than one per IKE_SA

3 years agoike: Don't send NAT keepalives if we have no path to the other peer
Tobias Brunner [Mon, 16 Nov 2015 16:01:46 +0000 (17:01 +0100)]
ike: Don't send NAT keepalives if we have no path to the other peer

If there is no path to the other peer there is no point in trying to
send a NAT keepalive.

If the condition changes back and forth within the keepalive interval there
is a chance that multiple jobs get queued.

3 years agovici: Provide ports of local and remote IKE endpoints
Tobias Brunner [Tue, 19 Jan 2016 12:34:11 +0000 (13:34 +0100)]
vici: Provide ports of local and remote IKE endpoints

3 years agoduplicheck: Include required headers for FreeBSD
Denis Volpato Martins [Thu, 25 Feb 2016 13:52:59 +0000 (10:52 -0300)]
duplicheck: Include required headers for FreeBSD

Closes strongswan/strongswan#34.

3 years agocharon: Add custom logger to daemon
Thomas Egerer [Mon, 1 Feb 2016 13:52:49 +0000 (14:52 +0100)]
charon: Add custom logger to daemon

This logger can be used to easily register custom logging instances
using __attribute__((constructor)) benefiting from the global reload
mechanism (with reset of log levels).

Note that this is not intended to be used from plugins, which are loaded
after loggers have already been initialized.

Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
3 years agovici: Correctly document 'up' key for updown events
Tobias Brunner [Wed, 3 Feb 2016 15:33:24 +0000 (16:33 +0100)]
vici: Correctly document 'up' key for updown events

Instead of sending 'no' it is omitted when an SA goes down.

3 years agoikev2: Use config value for sending of vendor IDs
Thomas Egerer [Tue, 2 Feb 2016 16:01:50 +0000 (17:01 +0100)]
ikev2: Use config value for sending of vendor IDs

Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
3 years agoswanctl: Fix minor typos in documentation
Chris Patterson [Fri, 26 Feb 2016 14:32:39 +0000 (09:32 -0500)]
swanctl: Fix minor typos in documentation

"UPD" should be "UDP".

Signed-off-by: Chris Patterson <pattersonc@ainfosec.com>
3 years agotesting: Added swanctl/shunt-policies-nat-rw
Andreas Steffen [Sun, 28 Feb 2016 21:25:50 +0000 (22:25 +0100)]
testing: Added swanctl/shunt-policies-nat-rw

3 years agotesting: Some minor fixes in test scenarios
Andreas Steffen [Sun, 28 Feb 2016 21:25:21 +0000 (22:25 +0100)]
testing: Some minor fixes in test scenarios

3 years agoVersion bump to 5.4.0dr7 5.4.0dr7
Andreas Steffen [Sun, 28 Feb 2016 14:56:06 +0000 (15:56 +0100)]
Version bump to 5.4.0dr7

3 years agotesting: Added swanctl/protoport-dual scenario
Andreas Steffen [Sun, 28 Feb 2016 13:33:48 +0000 (14:33 +0100)]
testing: Added swanctl/protoport-dual scenario

3 years agotesting: converted af-alg scenarios to swanctl
Andreas Steffen [Fri, 26 Feb 2016 12:31:36 +0000 (13:31 +0100)]
testing: converted af-alg scenarios to swanctl

3 years agotesting: Use absolute path to the _updown script in SQL scenarios
Tobias Brunner [Wed, 17 Feb 2016 10:55:45 +0000 (11:55 +0100)]
testing: Use absolute path to the _updown script in SQL scenarios

/usr/local/sbin is not included in PATH set by the charon init script and
since the ipsec script is obsolete when using swanctl it makes sense to
change this anyway.

3 years agoike-sa-manager: Store a reference to the thread that checked out an IKE_SA
Tobias Brunner [Wed, 10 Feb 2016 15:41:52 +0000 (16:41 +0100)]
ike-sa-manager: Store a reference to the thread that checked out an IKE_SA

This could be helpful when debugging deadlocks that manifest around
wait_for_entry(), as it helps identifying other involved threads (the
thread object is seen in the thread_main() call in each thread's backtrace).

3 years agotesting: Increased ping interval in ikev2/trap-any scenario
Andreas Steffen [Tue, 16 Feb 2016 17:21:19 +0000 (18:21 +0100)]
testing: Increased ping interval in ikev2/trap-any scenario

3 years agoVersion bump to 5.4.0dr6 5.4.0dr6
Andreas Steffen [Tue, 16 Feb 2016 17:17:44 +0000 (18:17 +0100)]
Version bump to 5.4.0dr6

3 years agoCorrected the description of the swanctl/dhcp-dynamic scenario
Andreas Steffen [Tue, 16 Feb 2016 17:17:17 +0000 (18:17 +0100)]
Corrected the description of the swanctl/dhcp-dynamic scenario

3 years agoFix of the mutual TNC measurement use case
Andreas Steffen [Tue, 16 Feb 2016 17:00:27 +0000 (18:00 +0100)]
Fix of the mutual TNC measurement use case

If the IKEv2 initiator acting as a TNC server receives invalid TNC measurements
from the IKEv2 responder acting as a TNC clienti, the exchange of PB-TNC batches
is continued until the IKEv2 responder acting as a TNC server has also finished
its TNC measurements.

In the past if these measurements in the other direction were correct
the IKEv2 responder acting as EAP server declared the IKEv2 EAP authentication
successful and the IPsec connection was established even though the TNC
measurement verification on the EAP peer side failed.

The fix adds an "allow" group membership on each endpoint if the corresponding
TNC measurements of the peer are successful. By requiring a "allow" group
membership in the IKEv2 connection definition the IPsec connection succeeds
only if the TNC measurements on both sides are valid.

3 years agokernel-netlink: Allow Netlink send buffer size to be configured via compile option
Tobias Brunner [Fri, 12 Feb 2016 14:08:34 +0000 (15:08 +0100)]
kernel-netlink: Allow Netlink send buffer size to be configured via compile option

The receive buffer size can already be changed via strongswan.conf if
necessary.

3 years agoutils: Add enum name for pseudo log group 'any'
Tobias Brunner [Fri, 5 Feb 2016 14:41:39 +0000 (15:41 +0100)]
utils: Add enum name for pseudo log group 'any'

3 years agolibipsec: Pass the same data to del_policy() as to add_policy()
Tobias Brunner [Thu, 4 Feb 2016 09:57:31 +0000 (10:57 +0100)]
libipsec: Pass the same data to del_policy() as to add_policy()

We already do this for the other kernel interfaces.

Fixes e1e88d5adde0 ("libipsec: Don't attempt deletion of any non-IPsec policies")

3 years agolibipsec: Don't attempt deletion of any non-IPsec policies
Tobias Brunner [Thu, 4 Feb 2016 09:14:22 +0000 (10:14 +0100)]
libipsec: Don't attempt deletion of any non-IPsec policies

An example are the fallback drop policies installed when updating SAs.
We ignore such policies in add_policy() so there is no point in attempting
to remove them.  Since they use different priorities than regular policies
this did not result in policies getting deleted unintentionally but there
was an irritating log message on level 2 that indicated otherwise.

3 years agotesting: Added swanctl/dhcp-dynamic scenario
Andreas Steffen [Wed, 3 Feb 2016 11:10:59 +0000 (12:10 +0100)]
testing: Added swanctl/dhcp-dynamic scenario

3 years agoikev2: Add debug message about failed IKE authentication
Thomas Egerer [Tue, 2 Feb 2016 15:13:46 +0000 (16:13 +0100)]
ikev2: Add debug message about failed IKE authentication

Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
3 years agoikev1: Log successful authentication with signature scheme
Thomas Egerer [Mon, 1 Feb 2016 14:33:38 +0000 (15:33 +0100)]
ikev1: Log successful authentication with signature scheme

Output is now identical to that of the IKEv2 pubkey authenticator.

Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
3 years agopeer-cfg: Set DPD timeout to at least DPD delay
Tobias Brunner [Mon, 1 Feb 2016 14:29:25 +0000 (15:29 +0100)]
peer-cfg: Set DPD timeout to at least DPD delay

If DPD timeout is set but to a value smaller than the DPD delay the code
in task_manager_v1.c:queue_liveliness_check will run into an integer
underrun.

3 years agoikev1: Always enable charon.reuse_ikesa
Tobias Brunner [Fri, 18 Dec 2015 14:23:30 +0000 (15:23 +0100)]
ikev1: Always enable charon.reuse_ikesa

With IKEv1 we have to reuse IKE_SAs as otherwise the responder might
detect the new SA as reauthentication and will "adopt" the CHILD_SAs of
the original IKE_SA, while the initiator will not do so.  This could
cause CHILD_SA rekeying to fail later.

Fixes #1236.

3 years agoload-tester: Register kernel-ipsec implementation as plugin feature
Tobias Brunner [Mon, 18 Jan 2016 16:03:46 +0000 (17:03 +0100)]
load-tester: Register kernel-ipsec implementation as plugin feature

Otherwise, libcharon's dependency on kernel-ipsec can't be satisfied.

This changed with db61c37690b5 ("kernel-interface: Return bool for
kernel interface registration") as the registration of further
kernel-ipsec implementations now fails and therefore even if other
plugins are loaded the dependency will not be satisfied anymore.

References #953.

3 years agochild-rekey: Suppress updown event when deleting redundant CHILD_SAs
Tobias Brunner [Tue, 15 Dec 2015 16:15:32 +0000 (17:15 +0100)]
child-rekey: Suppress updown event when deleting redundant CHILD_SAs

When handling a rekey collision we might have to delete an already
installed redundant CHILD_SA (or expect the other peer to do so).
We don't want to trigger updown events for these as neither do we do
so for successfully rekeyed CHILD_SAs.

Fixes #853.

3 years agotesting: Don't attempt to start the daemon twice in ha/active-passive scenario
Tobias Brunner [Tue, 26 Jan 2016 10:24:36 +0000 (11:24 +0100)]
testing: Don't attempt to start the daemon twice in ha/active-passive scenario

3 years agoha: Properly sync IKEv1 IV if gateway is initiator
Tobias Brunner [Tue, 26 Jan 2016 10:13:13 +0000 (11:13 +0100)]
ha: Properly sync IKEv1 IV if gateway is initiator

To handle Phase 2 exchanges on the other HA host we need to sync the last
block of the last Phase 1 message (or the last expected IV).  If the
gateway is the initiator of a Main Mode SA the last message is an
inbound message.  When handling such messages the expected IV is not
updated until it is successfully decrypted so we can't sync the IV
when processing the still encrypted (!plain) message.  However, as responder,
i.e. if the last message is an outbound message, the reverse applies, that
is, we get the next IV after successfully encrypting the message, not
while handling the plain message.

Fixes #1267.

3 years agoha: Add DH group to CHILD_ADD message
Tobias Brunner [Tue, 19 Jan 2016 14:00:23 +0000 (15:00 +0100)]
ha: Add DH group to CHILD_ADD message

References #1267.

3 years agoha: Add DH group to IKE_ADD message
Tobias Brunner [Tue, 19 Jan 2016 13:42:17 +0000 (14:42 +0100)]
ha: Add DH group to IKE_ADD message

It is required for IKEv1 to determine the DH group of the CHILD SAs
during rekeying. It also fixes the status output for HA SAs, which so
far haven't shown the DH group on the passive side.

Fixes #1267.

3 years agoike-sa-manager: Don't update entries for init messages after unlocking segment
Tobias Brunner [Mon, 18 Jan 2016 16:33:29 +0000 (17:33 +0100)]
ike-sa-manager: Don't update entries for init messages after unlocking segment

If the retransmit of an initial message is processed concurrently with the
original message it might not have been handled as intended as the
thread processing the retransmit might not have seen the correct value
of entry->processing set by the thread handling the original request.

For IKEv1, i.e. without proper message IDs, there might still be races e.g.
when receiving a retransmit of the initial IKE message while processing the
initiator's second request.

Fixes #1269.

3 years agounit-tests: The pseudonym RDN is now recognized, so use something more exotic
Tobias Brunner [Thu, 28 Jan 2016 14:56:49 +0000 (15:56 +0100)]
unit-tests: The pseudonym RDN is now recognized, so use something more exotic

3 years agoVersion bump to 5.4.0dr5 5.4.0dr5
Andreas Steffen [Thu, 28 Jan 2016 08:41:05 +0000 (09:41 +0100)]
Version bump to 5.4.0dr5

3 years agoSupport pseudonym RDN
Andreas Steffen [Wed, 27 Jan 2016 10:38:18 +0000 (11:38 +0100)]
Support pseudonym RDN

3 years agotesting: Added swanctl/config-payload scenario
Andreas Steffen [Thu, 14 Jan 2016 05:31:28 +0000 (06:31 +0100)]
testing: Added swanctl/config-payload scenario

3 years agotesting: Use include statement in swanctl/rw-pubkey-keyid scenario
Andreas Steffen [Thu, 14 Jan 2016 00:44:17 +0000 (01:44 +0100)]
testing: Use include statement in swanctl/rw-pubkey-keyid scenario

3 years agoVersion bump to 5.4.0dr4 5.4.0dr4
Andreas Steffen [Sun, 10 Jan 2016 00:39:08 +0000 (01:39 +0100)]
Version bump to 5.4.0dr4

3 years agovici: Support multiple named raw ublic keys
Andreas Steffen [Sat, 9 Jan 2016 23:12:57 +0000 (00:12 +0100)]
vici: Support multiple named raw ublic keys

3 years agotesting: swanctl/rw-pubkey-anon uses anonymous public keys in remote access scenario
Andreas Steffen [Tue, 5 Jan 2016 22:54:06 +0000 (23:54 +0100)]
testing: swanctl/rw-pubkey-anon uses anonymous public keys in remote access scenario

3 years agoswanctl: Load pubkeys with load-creds
Andreas Steffen [Tue, 5 Jan 2016 22:52:55 +0000 (23:52 +0100)]
swanctl: Load pubkeys with load-creds

3 years agotesting: added swanctl scenarios net2net-pubkey, rw-pubkey-keyid and rw-dnssec
Andreas Steffen [Tue, 5 Jan 2016 04:35:21 +0000 (05:35 +0100)]
testing: added swanctl scenarios net2net-pubkey, rw-pubkey-keyid and rw-dnssec

3 years agovici: list-cert sends subject, not-before and not-after attributes for pubkeys
Andreas Steffen [Tue, 5 Jan 2016 04:34:12 +0000 (05:34 +0100)]
vici: list-cert sends subject, not-before and not-after attributes for pubkeys

3 years agovici: Support of raw public keys
Andreas Steffen [Mon, 4 Jan 2016 09:34:21 +0000 (10:34 +0100)]
vici: Support of raw public keys

3 years agotesting: Fixed description of swanctl/frags-iv4 scenario
Andreas Steffen [Fri, 8 Jan 2016 23:17:31 +0000 (00:17 +0100)]
testing: Fixed description of swanctl/frags-iv4 scenario