5 years agolibipsec: Pass separate inbound/update flags to the IPsec SA manager
Martin Willi [Mon, 9 Mar 2015 17:08:52 +0000 (18:08 +0100)]
libipsec: Pass separate inbound/update flags to the IPsec SA manager

Similar to other kernel interfaces, the libipsec backends uses the flag for
different purposes, and therefore should get separate flags.

5 years agokernel-interface: Add a separate "update" flag to add_sa()
Martin Willi [Mon, 9 Mar 2015 17:04:54 +0000 (18:04 +0100)]
kernel-interface: Add a separate "update" flag to add_sa()

The current "inbound" flag is used for two purposes: To define the actual
direction of the SA, but also to determine the operation used for SA
installation. If an SPI has been allocated, an update operation is required
instead of an add.

While the inbound flag normally defines the kind of operation required, this
is not necessarily true in all cases. On the HA passive node, we install inbound
SAs without prior SPI allocation.

5 years agotkm: Use the inbound flag do determine peer role in CHILD_SA exchange
Martin Willi [Mon, 9 Mar 2015 16:44:55 +0000 (17:44 +0100)]
tkm: Use the inbound flag do determine peer role in CHILD_SA exchange

This was not available during initial implementation, but fits just fine to
avoid reconstructing the peer role.

5 years agoRevert "child-sa: Remove the obsolete update logic"
Martin Willi [Mon, 9 Mar 2015 16:52:33 +0000 (17:52 +0100)]
Revert "child-sa: Remove the obsolete update logic"

While the the meaning of the "inbound" flag on the kernel_interface->add_sa()
call is not very clear, we still need that update logic to allow installation of
inbound SAs without SPI allocation. This is used in the HA plugin as a passive

This reverts commit 698ed656.

5 years agoRevert "ha: Always install the CHILD_SAs with the inbound flag set to FALSE"
Martin Willi [Mon, 9 Mar 2015 16:47:53 +0000 (17:47 +0100)]
Revert "ha: Always install the CHILD_SAs with the inbound flag set to FALSE"

While this change results in the correct add/update flag during installation,
it exchanges all other values in the child_sa->install() call. We should pass
the correct flag, but determine the add/update flag by other means.

This reverts commit e722ee5d.

5 years agotkm: Disable RFC 7427 signature authentication
Tobias Brunner [Fri, 6 Mar 2015 15:10:41 +0000 (16:10 +0100)]
tkm: Disable RFC 7427 signature authentication

TKM can't verify such signatures so we'd fail in the authorize hook.
Skipping the algorithm identifier doesn't help if the peer uses
anything other than SHA-1, so config changes would be required.

5 years agoikev2: Move code in pubkey authenticator's build() method into separate functions
Tobias Brunner [Mon, 9 Mar 2015 13:50:34 +0000 (14:50 +0100)]
ikev2: Move code in pubkey authenticator's build() method into separate functions

5 years agoikev2: Try all eligible signature schemes
Tobias Brunner [Fri, 6 Mar 2015 14:27:33 +0000 (15:27 +0100)]
ikev2: Try all eligible signature schemes

Previously, we failed without recovery if a private key did not support
a selected signature scheme (based on key strength and the other peer's
supported hash algorithms).

5 years agofiles: Add simple plugin to load files from file:// URIs
Tobias Brunner [Wed, 11 Feb 2015 11:11:04 +0000 (12:11 +0100)]
files: Add simple plugin to load files from file:// URIs

5 years agodaemon: Remove scheduled jobs before unloading plugins
Tobias Brunner [Thu, 5 Mar 2015 09:08:33 +0000 (10:08 +0100)]
daemon: Remove scheduled jobs before unloading plugins

Especially callback jobs might refer to memory that gets invalid after
the plugins got unlaoded, so make sure we destroy these jobs before.

References #840.

5 years agoscheduler: Add method to remove all scheduled jobs
Tobias Brunner [Thu, 5 Mar 2015 09:07:33 +0000 (10:07 +0100)]
scheduler: Add method to remove all scheduled jobs

References #840.

5 years agoplugin-loader: Increase log level for warning about plugin features that failed to...
Tobias Brunner [Wed, 4 Mar 2015 09:48:33 +0000 (10:48 +0100)]
plugin-loader: Increase log level for warning about plugin features that failed to load

Since we can't get rid of all unmet dependencies (at least not in every
possible plugin configuration) the message is more confusing than
helpful.  In particular because a detailed warning about plugin features
that failed to load due to unmet dependencies is only logged on level 2.

5 years agotls-peer: Make sure to use the right trusted public key for peer
Tobias Brunner [Fri, 20 Feb 2015 10:29:02 +0000 (11:29 +0100)]
tls-peer: Make sure to use the right trusted public key for peer

In case a CA certificate uses the same subject DN as the server the
previous code could end up trying to verify the server's signature with
the CA certificate's public key.  By comparing the certificate with the
one sent by the peer we make sure to use the right one.

Fixes #849.

5 years agopkcs11: Convert RFC 3279 ECDSA signatures when verifying
Tobias Brunner [Thu, 5 Mar 2015 14:14:40 +0000 (15:14 +0100)]
pkcs11: Convert RFC 3279 ECDSA signatures when verifying

References #873.

5 years agopkcs11: Properly encode RFC 3279 ECDSA signatures
Tobias Brunner [Thu, 5 Mar 2015 13:36:39 +0000 (14:36 +0100)]
pkcs11: Properly encode RFC 3279 ECDSA signatures

Fixes #873.

5 years agopkcs11: Properly encode EC_POINTs created on a token
Tobias Brunner [Thu, 5 Mar 2015 15:17:36 +0000 (16:17 +0100)]
pkcs11: Properly encode EC_POINTs created on a token

Some tokens might not fail when creating EC public keys in the incorrect
format, but they will later not be able to use them to verify signatures.

References #872.

5 years agopkcs11: Properly handle EC_POINTs returned as ASN.1 octet string
Tobias Brunner [Thu, 5 Mar 2015 13:33:59 +0000 (14:33 +0100)]
pkcs11: Properly handle EC_POINTs returned as ASN.1 octet string

This is the correct encoding but we internally only use unwrapped keys
and some tokens return them unwrapped.

Fixes #872.

5 years agoUpdated products in imv database
Andreas Steffen [Sun, 22 Feb 2015 21:27:35 +0000 (22:27 +0100)]
Updated products in imv database

5 years agoattest: output trusted flag and device description
Andreas Steffen [Sun, 22 Feb 2015 18:07:30 +0000 (19:07 +0100)]
attest: output trusted flag and device description

5 years agoMake access requestor IP address available to TNC server
Andreas Steffen [Thu, 19 Feb 2015 10:44:11 +0000 (11:44 +0100)]
Make access requestor IP address available to TNC server

5 years agotesting: Update modified updown scripts to the latest template
Tobias Brunner [Tue, 17 Feb 2015 14:01:09 +0000 (15:01 +0100)]
testing: Update modified updown scripts to the latest template

This avoids confusion and makes identifying the changes needed for each
scenario easier.

5 years agoRemove obsolete _updown_espmark script
Tobias Brunner [Tue, 17 Feb 2015 13:51:53 +0000 (14:51 +0100)]
Remove obsolete _updown_espmark script

According to NEWS it was created to support kernels < 2.6.16.

5 years ago_updown: Remove obsolete stuff from default script
Tobias Brunner [Tue, 17 Feb 2015 13:46:00 +0000 (14:46 +0100)]
_updown: Remove obsolete stuff from default script

5 years agoikev1: Set protocol ID and SPIs in INITIAL-CONTACT notification payloads
Tobias Brunner [Tue, 10 Feb 2015 18:03:44 +0000 (19:03 +0100)]
ikev1: Set protocol ID and SPIs in INITIAL-CONTACT notification payloads

The payload we sent before is not compliant with RFC 2407 and thus some
peers might abort negotiation (e.g. with an INVALID-PROTOCOL-ID error).

Fixes #819.

5 years agox509: Use subjectKeyIdentifier provided by issuer cert when checking CRL issuer
Tobias Brunner [Thu, 18 Dec 2014 08:13:38 +0000 (09:13 +0100)]
x509: Use subjectKeyIdentifier provided by issuer cert when checking CRL issuer

Some CAs don't use SHA-1 hashes of the public key as subjectKeyIdentifier and
authorityKeyIdentifier.  If that's the case we can't force the
calculation of the hash to compare that to authorityKeyIdentifier in the CRL,
instead we use the subjectKeyIdentifier stored in the issuer certificate, if
available.  Otherwise, we fall back to the SHA-1 hash (or comparing the
DNs) as before.

5 years agokernel-pfkey: Add option to set receive buffer size of event socket
Tobias Brunner [Mon, 15 Dec 2014 15:43:03 +0000 (16:43 +0100)]
kernel-pfkey: Add option to set receive buffer size of event socket

If many requests are sent to the kernel the events generated by these
requests may fill the receive buffer before the daemon is able to read
these messages.

Fixes #783.

5 years agouse SHA512 for moon's BLISS signature
Andreas Steffen [Wed, 4 Mar 2015 13:08:37 +0000 (14:08 +0100)]
use SHA512 for moon's BLISS signature

5 years agoMerge branch 'ikev2-signature-authentication'
Tobias Brunner [Wed, 4 Mar 2015 12:56:50 +0000 (13:56 +0100)]
Merge branch 'ikev2-signature-authentication'

This adds support for RFC 7427 signature authentication in IKEv2,
enabling the use of stronger signature schemes (e.g. RSA with SHA-2)
for IKE authentication.

Public key constraints defined in `rightauth` are now also checked
against IKEv2 signature schemes (may be disabled via strongswan.conf).

Fixes #863.

5 years agoNEWS: Introduce RFC 7427 signature authentication
Tobias Brunner [Fri, 27 Feb 2015 18:19:13 +0000 (19:19 +0100)]
NEWS: Introduce RFC 7427 signature authentication

5 years agoman: Add documentation about IKEv2 signature schemes
Tobias Brunner [Fri, 27 Feb 2015 18:11:53 +0000 (19:11 +0100)]
man: Add documentation about IKEv2 signature schemes

5 years agotesting: Test classic public key authentication in ikev2/net2net-cert scenario
Tobias Brunner [Tue, 3 Mar 2015 18:38:51 +0000 (19:38 +0100)]
testing: Test classic public key authentication in ikev2/net2net-cert scenario

5 years agotesting: Disable signature authentication on dave in openssl-ikev2/ecdsa-certs scenario
Tobias Brunner [Tue, 3 Mar 2015 18:37:53 +0000 (19:37 +0100)]
testing: Disable signature authentication on dave in openssl-ikev2/ecdsa-certs scenario

5 years agoikev2: Try all RSA signature schemes if none is configured
Tobias Brunner [Tue, 3 Mar 2015 18:32:35 +0000 (19:32 +0100)]
ikev2: Try all RSA signature schemes if none is configured

5 years agoikev2: Consider signature schemes in rightauth when sending hash algorithms
Tobias Brunner [Tue, 3 Mar 2015 17:15:35 +0000 (18:15 +0100)]
ikev2: Consider signature schemes in rightauth when sending hash algorithms

5 years agotkm: Implement hash algorithm storage methods of keymat_v2_t interface
Tobias Brunner [Tue, 3 Mar 2015 17:09:33 +0000 (18:09 +0100)]
tkm: Implement hash algorithm storage methods of keymat_v2_t interface

5 years agokeymat: Use hash algorithm set
Tobias Brunner [Tue, 3 Mar 2015 17:07:09 +0000 (18:07 +0100)]
keymat: Use hash algorithm set

5 years agohash-algorithm-set: Add class to manage a set of hash algorithms
Tobias Brunner [Tue, 3 Mar 2015 17:03:28 +0000 (18:03 +0100)]
hash-algorithm-set: Add class to manage a set of hash algorithms

5 years agoikev2: Add an option to disable constraints against signature schemes
Tobias Brunner [Fri, 27 Feb 2015 17:45:56 +0000 (18:45 +0100)]
ikev2: Add an option to disable constraints against signature schemes

If this is disabled the schemes configured in `rightauth` are only
checked against signature schemes used in the certificate chain and
signature schemes used during IKEv2 are ignored.

Disabling this could be helpful if existing connections with peers that
don't support RFC 7427 use signature schemes in `rightauth` to verify
certificate chains.

5 years agostroke: Enable BLISS-based public key constraints
Tobias Brunner [Mon, 2 Mar 2015 14:40:30 +0000 (15:40 +0100)]
stroke: Enable BLISS-based public key constraints

5 years agocredential-manager: Store BLISS key strength in auth config
Tobias Brunner [Mon, 2 Mar 2015 14:51:16 +0000 (15:51 +0100)]
credential-manager: Store BLISS key strength in auth config

5 years agoauth-cfg: Add BLISS key strength constraint
Tobias Brunner [Mon, 2 Mar 2015 14:49:53 +0000 (15:49 +0100)]
auth-cfg: Add BLISS key strength constraint

5 years agotesting: Don't check for exact IKEv2 fragment size
Tobias Brunner [Fri, 27 Feb 2015 16:58:47 +0000 (17:58 +0100)]
testing: Don't check for exact IKEv2 fragment size

Because SHA-256 is now used for signatures the size of the two IKE_AUTH
messages changed.

5 years agotesting: Update test conditions because signature schemes are now logged
Tobias Brunner [Thu, 26 Feb 2015 17:34:38 +0000 (18:34 +0100)]
testing: Update test conditions because signature schemes are now logged

RFC 7427 signature authentication is now used between strongSwan hosts
by default, which causes the actual signature schemes to get logged.

5 years agotesting: Add ikev2/rw-sig-auth scenario
Tobias Brunner [Thu, 26 Feb 2015 17:24:47 +0000 (18:24 +0100)]
testing: Add ikev2/rw-sig-auth scenario

5 years agotesting: Add ikev2/net2net-cert-sha2 scenario
Tobias Brunner [Thu, 26 Feb 2015 08:18:10 +0000 (09:18 +0100)]
testing: Add ikev2/net2net-cert-sha2 scenario

5 years agoikev2: Fall back to SHA-1 signatures for RSA
Tobias Brunner [Thu, 26 Feb 2015 16:36:41 +0000 (17:36 +0100)]
ikev2: Fall back to SHA-1 signatures for RSA

This is really just a fallback to "classic" IKEv2 authentication if the other
peer supports no stronger hash algorithms.

5 years agoikev2: Select a signature scheme appropriate for the given key
Tobias Brunner [Thu, 26 Feb 2015 16:32:50 +0000 (17:32 +0100)]
ikev2: Select a signature scheme appropriate for the given key

By enumerating hashes we'd use SHA-1 by default.  This way stronger
signature schemes are preferred.

5 years agopublic-key: Add helper to determine acceptable signature schemes for keys
Tobias Brunner [Thu, 26 Feb 2015 16:31:18 +0000 (17:31 +0100)]
public-key: Add helper to determine acceptable signature schemes for keys

5 years agoikev2: Log the actual signature scheme used for RFC 7427 authentication
Tobias Brunner [Wed, 25 Feb 2015 15:58:45 +0000 (16:58 +0100)]
ikev2: Log the actual signature scheme used for RFC 7427 authentication

5 years agoikev2: Store signature scheme used to verify peer in auth_cfg
Tobias Brunner [Wed, 25 Feb 2015 15:44:46 +0000 (16:44 +0100)]
ikev2: Store signature scheme used to verify peer in auth_cfg

This enables late connection switching based on the signature scheme used
for IKEv2 and allows to enforce stronger signature schemes.

This may break existing connections with peers that don't support RFC 7427
if signature schemes are currently used in `rightauth` for certificate chain
validation and if the configured schemes are stronger than the default used
for IKE (e.g. SHA-1 for RSA).

5 years agoikev2: Add a global option to disable RFC 7427 signature authentication
Tobias Brunner [Wed, 25 Feb 2015 15:23:03 +0000 (16:23 +0100)]
ikev2: Add a global option to disable RFC 7427 signature authentication

This is mostly for testing.

5 years agoikev2: Remove private AUTH_BLISS method
Tobias Brunner [Tue, 24 Feb 2015 15:53:02 +0000 (16:53 +0100)]
ikev2: Remove private AUTH_BLISS method

We use the new signature authentication instead for this.  This is not
backward compatible but we only released one version with BLISS support,
and the key format will change anyway with the next release.

5 years agoikev2: Handle RFC 7427 signature authentication in pubkey authenticator
Tobias Brunner [Mon, 23 Feb 2015 16:54:14 +0000 (17:54 +0100)]
ikev2: Handle RFC 7427 signature authentication in pubkey authenticator

5 years agohasher: Add helper to determine hash algorithm from signature scheme
Tobias Brunner [Tue, 24 Feb 2015 14:35:33 +0000 (15:35 +0100)]
hasher: Add helper to determine hash algorithm from signature scheme

5 years agopublic-key: Add helper to map signature schemes to ASN.1 OIDs
Tobias Brunner [Mon, 23 Feb 2015 16:38:05 +0000 (17:38 +0100)]
public-key: Add helper to map signature schemes to ASN.1 OIDs

There is a similar function to map key_type_t and hasher_t to an OID,
but this maps schemes directly (and to use the other function we'd
have to have a function to map schemes to hash algorithms first).

5 years agopublic-key: Add helper to determine key type from signature scheme
Tobias Brunner [Mon, 23 Feb 2015 15:56:31 +0000 (16:56 +0100)]
public-key: Add helper to determine key type from signature scheme

5 years agoikev2: Enable signature authentication by transmitting supported hash algorithms
Tobias Brunner [Mon, 23 Feb 2015 14:53:23 +0000 (15:53 +0100)]
ikev2: Enable signature authentication by transmitting supported hash algorithms

5 years agokeymat: Add facility to store supported hash algorithms
Tobias Brunner [Tue, 24 Feb 2015 12:55:40 +0000 (13:55 +0100)]
keymat: Add facility to store supported hash algorithms

5 years agohasher: Add filter function for algorithms permitted by RFC 7427
Tobias Brunner [Wed, 25 Feb 2015 15:06:45 +0000 (16:06 +0100)]
hasher: Add filter function for algorithms permitted by RFC 7427

5 years agohasher: Redefine hash algorithms to match values defined by RFC 7427
Tobias Brunner [Wed, 25 Feb 2015 15:05:35 +0000 (16:05 +0100)]
hasher: Redefine hash algorithms to match values defined by RFC 7427

Other algorithms are defined in private use range.

5 years agoikev2: Add SIGNATURE_HASH_ALGORITHMS notify payload
Tobias Brunner [Mon, 23 Feb 2015 12:54:41 +0000 (13:54 +0100)]
ikev2: Add SIGNATURE_HASH_ALGORITHMS notify payload

5 years agoikev2: Add new authentication method defined by RFC 7427
Tobias Brunner [Mon, 23 Feb 2015 12:48:34 +0000 (13:48 +0100)]
ikev2: Add new authentication method defined by RFC 7427

5 years agoikev2: Only accept initial messages in specific states
Tobias Brunner [Wed, 25 Feb 2015 07:30:33 +0000 (08:30 +0100)]
ikev2: Only accept initial messages in specific states

The previous code allowed an attacker to slip in an IKE_SA_INIT with
both SPIs and MID 1 set when an IKE_AUTH would be expected instead.

References #816.

5 years agoike-sa-manager: Make sure the message ID of initial messages is 0
Tobias Brunner [Wed, 25 Feb 2015 07:09:11 +0000 (08:09 +0100)]
ike-sa-manager: Make sure the message ID of initial messages is 0

It is mandated by the RFCs and it is expected by the task managers.

Initial messages with invalid MID will be treated like regular messages,
so no IKE_SA will be created for them.  Instead, if the responder SPI is 0
no SA will be found and the message is rejected with ALERT_INVALID_IKE_SPI.
If an SPI is set and we do find an SA, then we either ignore the message
because the MID is unexpected, or because we don't allow initial messages
on established connections.

There is one exception, though, if an attacker can slip in an IKE_SA_INIT
with both SPIs set before the client's IKE_AUTH is handled by the server,
it does get processed (see next commit).

References #816.

5 years agoikev2: Don't destroy the SA if an IKE_SA_INIT with unexpected MID is received
Tobias Brunner [Wed, 25 Feb 2015 07:18:58 +0000 (08:18 +0100)]
ikev2: Don't destroy the SA if an IKE_SA_INIT with unexpected MID is received

This reverts 8f727d800751 ("Clean up IKE_SA state if IKE_SA_INIT request
does not have message ID 0") because it allowed to close any IKE_SA by
sending an IKE_SA_INIT with an unexpected MID and both SPIs set to those
of that SA.

The next commit will prevent SAs from getting created for IKE_SA_INIT messages
with invalid MID.

Fixes #816.

5 years agoikev2: Don't adopt any CHILD_SA during make-before-break reauthentication
Martin Willi [Wed, 4 Mar 2015 10:16:00 +0000 (11:16 +0100)]
ikev2: Don't adopt any CHILD_SA during make-before-break reauthentication

While the comment is rather clear that we should not adopt live CHILD_SAs
during reauthentication in IKEv2, the code does nonetheless. Add an additional
version check to fix reauthentication if the reauth responder has a replace
uniqueids policy.

Fixes #871.

6 years agounit-tests: Base attributes get adopted by seg-env/seg-contract
Tobias Brunner [Mon, 2 Mar 2015 13:09:35 +0000 (14:09 +0100)]
unit-tests: Base attributes get adopted by seg-env/seg-contract

6 years agoseg-env: Destroy base attribute if segmentation is not possible
Tobias Brunner [Mon, 2 Mar 2015 13:07:40 +0000 (14:07 +0100)]
seg-env: Destroy base attribute if segmentation is not possible

6 years agoMerge branch 'eap-constraints'
Martin Willi [Tue, 3 Mar 2015 13:08:55 +0000 (14:08 +0100)]
Merge branch 'eap-constraints'

Introduces basic support for EAP server module authentication constraints. With
EAP-(T)TLS, public key, signature and end entity or CA certificate constraints
can be enforced for connections.

Fixes #762.

6 years agoNEWS: Introduce EAP constraints support for EAP-(T)TLS
Martin Willi [Thu, 29 Jan 2015 10:57:44 +0000 (11:57 +0100)]
NEWS: Introduce EAP constraints support for EAP-(T)TLS

6 years agoman: Describe trust chain constraints configuration for EAP methods
Martin Willi [Thu, 29 Jan 2015 10:41:08 +0000 (11:41 +0100)]
man: Describe trust chain constraints configuration for EAP methods

6 years agostroke: Support public key constraints for EAP methods
Martin Willi [Thu, 29 Jan 2015 10:27:26 +0000 (11:27 +0100)]
stroke: Support public key constraints for EAP methods

6 years agoeap-ttls: Support EAP auth information getter in EAP-TTLS
Martin Willi [Thu, 29 Jan 2015 10:18:30 +0000 (11:18 +0100)]
eap-ttls: Support EAP auth information getter in EAP-TTLS

6 years agoeap-tls: Support EAP auth information getter in EAP-TLS
Martin Willi [Thu, 29 Jan 2015 10:15:17 +0000 (11:15 +0100)]
eap-tls: Support EAP auth information getter in EAP-TLS

6 years agolibtls: Add getters for TLS handshake authentication details
Martin Willi [Thu, 29 Jan 2015 10:13:42 +0000 (11:13 +0100)]
libtls: Add getters for TLS handshake authentication details

6 years agolibtls: Merge trustchain auth verification details done during TLS handhsake
Martin Willi [Thu, 29 Jan 2015 10:12:28 +0000 (11:12 +0100)]
libtls: Merge trustchain auth verification details done during TLS handhsake

6 years agoikev2: Merge EAP client authentication details if EAP methods provides them
Martin Willi [Thu, 29 Jan 2015 10:21:00 +0000 (11:21 +0100)]
ikev2: Merge EAP client authentication details if EAP methods provides them

6 years agoeap: Add an optional authentication details getter to the EAP method interface
Martin Willi [Thu, 29 Jan 2015 10:14:21 +0000 (11:14 +0100)]
eap: Add an optional authentication details getter to the EAP method interface

6 years agoMerge branch 'stroke-purge-on-reread'
Martin Willi [Tue, 3 Mar 2015 12:52:35 +0000 (13:52 +0100)]
Merge branch 'stroke-purge-on-reread'

Remove all previously loaded certificates during "ipsec reread", finally
allowing the removal of CA certificates from a running daemon.

Fixes #842, #700, #305.

6 years agoipsec: Update rereadcacerts/aacerts command description in manpage
Martin Willi [Fri, 6 Feb 2015 13:23:17 +0000 (14:23 +0100)]
ipsec: Update rereadcacerts/aacerts command description in manpage

6 years agostroke: Serve ca section CA certificates directly, not over central CA set
Martin Willi [Fri, 6 Feb 2015 11:43:33 +0000 (12:43 +0100)]
stroke: Serve ca section CA certificates directly, not over central CA set

This makes these CA certificates independent from the purge issued by reread
commands. Certificates loaded by CA sections can be removed through ipsec.conf
update/reread, while CA certificates loaded implicitly from ipsec.d/cacerts
can individually be reread using ipsec rereadcacerts.

6 years agomem-cred: Add a method to unify certificate references, without adding it
Martin Willi [Fri, 6 Feb 2015 11:34:30 +0000 (12:34 +0100)]
mem-cred: Add a method to unify certificate references, without adding it

In contrast to add_cert_ref(), get_cert_ref() does not add the certificate to
the set, but only finds a reference to the same certificate, if found.

6 years agostroke: Purge existing CA/AA certificates during reread
Martin Willi [Fri, 6 Feb 2015 11:22:32 +0000 (12:22 +0100)]
stroke: Purge existing CA/AA certificates during reread

6 years agostroke: Use separate credential sets for CA/AA certificates
Martin Willi [Fri, 6 Feb 2015 11:21:12 +0000 (12:21 +0100)]
stroke: Use separate credential sets for CA/AA certificates

6 years agostroke: Refactor load_certdir function
Martin Willi [Fri, 6 Feb 2015 10:58:17 +0000 (11:58 +0100)]
stroke: Refactor load_certdir function

6 years agovici: Don't use a default rand_time larger than half of rekey/reauth_time
Martin Willi [Tue, 3 Feb 2015 10:56:15 +0000 (11:56 +0100)]
vici: Don't use a default rand_time larger than half of rekey/reauth_time

6 years agovici: If a IKE reauth_time is configured, disable the default rekey_time
Martin Willi [Tue, 3 Feb 2015 10:53:09 +0000 (11:53 +0100)]
vici: If a IKE reauth_time is configured, disable the default rekey_time

6 years agoikev2: Schedule a timeout for the delete message following passive IKE rekeying
Martin Willi [Tue, 25 Nov 2014 13:21:34 +0000 (14:21 +0100)]
ikev2: Schedule a timeout for the delete message following passive IKE rekeying

Under some conditions it can happen that the CREATE_CHILD_SA exchange for
rekeying the IKE_SA initiated by the peer is successful, but the delete message
does not follow. For example if processing takes just too long locally, the
peer might consider us dead, but we won't notice that.

As this leaves the old IKE_SA in IKE_REKEYING state, we currently avoid actively
initiating any tasks, such as rekeying or scheduled DPD. This leaves the IKE_SA
in a dead and unusable state. To avoid that situation, we schedule a timeout
to wait for the DELETE message to follow the CREATE_CHILD_SA, before we
actively start to delete the IKE_SA.

Alternatively we could start a liveness check on the SA after a timeout to see
if the peer still has that state and we can expect the delete to follow. But
it is unclear if all peers can handle such messages in this very special state,
so we currently don't go for that approach.

While we could calculate the timeout based on the local retransmission timeout,
the peer might use a different scheme, so a fixed timeout works as well.

Fixes #742.

6 years agokernel-netlink: Respect kernel routing priorities for IKE routes
Martin Willi [Thu, 15 Jan 2015 14:05:42 +0000 (15:05 +0100)]
kernel-netlink: Respect kernel routing priorities for IKE routes

If a system uses routing metrics, we should honor them when doing (manual)
routing lookups for IKE. When enumerating routes, the kernel reports priorities
with the RTA_PRIORITY attribute, not RTA_METRICS. We prefer routes with a
lower priority value, and fall back to longest prefix match priorities if
the priority value is equal.

6 years agoenum: Extend printf hook to print flags
Thomas Egerer [Thu, 22 Jan 2015 17:23:42 +0000 (18:23 +0100)]
enum: Extend printf hook to print flags

Signed-off-by: Thomas Egerer <>
6 years agounit-tests: Don't fail host_create_from_dns() test if IPv6 not supported
Martin Willi [Mon, 2 Mar 2015 13:05:44 +0000 (14:05 +0100)]
unit-tests: Don't fail host_create_from_dns() test if IPv6 not supported

On some systems, such as the Ubuntu daily build machine, localhost does not
resolve to an IPv6 address. Accept such a lookup failure.

6 years agobliss: Add generated Huffman codes to the repository
Tobias Brunner [Tue, 17 Feb 2015 15:47:29 +0000 (16:47 +0100)]
bliss: Add generated Huffman codes to the repository

While these files are generated they don't really change and are not
architecture dependant.  The previous solution prevented cross-compilation
from the repository as `bliss_huffman` was built for the target system but
was then executed on the build host to create the source files, which
naturally was bound to fail.

The `recreate-bliss-huffman` make target can be used inside the bliss
directory to update the source files if needed.

Fixes #812.

6 years agoFixed a memory leak in the attribute segmentation code
Andreas Steffen [Fri, 27 Feb 2015 14:13:07 +0000 (15:13 +0100)]
Fixed a memory leak in the attribute segmentation code

6 years agovici: Support ruby gem out-of-tree builds
Martin Willi [Fri, 27 Feb 2015 10:40:50 +0000 (11:40 +0100)]
vici: Support ruby gem out-of-tree builds

Referencing $(srcdir) in the gemspec is not really an option, as "gem build"
includes the full path in the gem, so we need to build in $(srcdir). As there
does not seem to be a way to control the output of "gem build", we manually
move the gem to $(builddir) in OOT builds.

6 years agoha: Always install the CHILD_SAs with the inbound flag set to FALSE
Martin Willi [Fri, 27 Feb 2015 09:54:38 +0000 (10:54 +0100)]
ha: Always install the CHILD_SAs with the inbound flag set to FALSE

The inbound flag is used to determine if we have to install an update or a new
SA in the kernel. As we do not have allocated SPIs and therefore can't update
an existing SA in the HA plugin, always set the flag to FALSE.

Before 698ed656 we had extra logic for that case, but handling it directly in
the HA plugin is simpler.

6 years agoUpdated Ubuntu 14.04 kernel version
Andreas Steffen [Fri, 27 Feb 2015 07:45:37 +0000 (08:45 +0100)]
Updated Ubuntu 14.04 kernel version

6 years agoFixed compiler warnings
Andreas Steffen [Fri, 27 Feb 2015 07:44:16 +0000 (08:44 +0100)]
Fixed compiler warnings

6 years agotravis: Disable unwind backtraces regardless of LEAK_DETECTIVE option
Martin Willi [Thu, 26 Feb 2015 09:39:50 +0000 (10:39 +0100)]
travis: Disable unwind backtraces regardless of LEAK_DETECTIVE option

While d0d85683 works around a crasher related to the use of libunwind, other
build hangs have been seen in the all test cases. Try to
--disable-unwind-backtraces to see if libunwind is really related to those
and if it fixes these issues.

6 years agoVersion bump to 5.3.0dr1
Andreas Steffen [Thu, 26 Feb 2015 08:12:54 +0000 (09:12 +0100)]
Version bump to 5.3.0dr1

6 years agoAllow SHA256 and SHA384 data hash for BLISS signatures.
Andreas Steffen [Wed, 25 Feb 2015 20:12:30 +0000 (21:12 +0100)]
Allow SHA256 and SHA384 data hash for BLISS signatures.

The default is SHA512 since this hash function is also
used for the c_indices random oracle.