strongswan.git
3 years agoswanctl: list EAP type in --list-conns
Andreas Steffen [Tue, 26 Apr 2016 15:13:20 +0000 (17:13 +0200)]
swanctl: list EAP type in --list-conns

3 years agotesting: -D and -u options in sfdisk are not supported any more
Andreas Steffen [Mon, 25 Apr 2016 17:31:12 +0000 (19:31 +0200)]
testing: -D and -u options in sfdisk are not supported any more

3 years agoidentification: Add support for dmdName RDN (2.5.4.54)
Yannick Cann [Mon, 25 Apr 2016 08:39:41 +0000 (10:39 +0200)]
identification: Add support for dmdName RDN (2.5.4.54)

It's listed in RFC 2256 but was later removed with RFC 4519, but there
are still some certs that use it.

Closes strongswan/strongswan#43.

3 years agoleak-detective: added _IO_file_doallocate to whitelist
Andreas Steffen [Sun, 24 Apr 2016 21:34:44 +0000 (23:34 +0200)]
leak-detective: added _IO_file_doallocate to whitelist

3 years agoswanctl: log errors to stderr
Andreas Steffen [Sun, 24 Apr 2016 21:33:23 +0000 (23:33 +0200)]
swanctl: log errors to stderr

3 years agotesting: updated testing.conf
Andreas Steffen [Sun, 24 Apr 2016 11:36:22 +0000 (13:36 +0200)]
testing: updated testing.conf

3 years agopool: Use correct name to remove index for CHILD_SA TS in SQLite script
Tobias Brunner [Mon, 18 Apr 2016 08:07:15 +0000 (10:07 +0200)]
pool: Use correct name to remove index for CHILD_SA TS in SQLite script

Fixes #1415.

3 years agokernel-pfkey: Add support for manual priorities
Tobias Brunner [Wed, 6 Apr 2016 13:17:06 +0000 (15:17 +0200)]
kernel-pfkey: Add support for manual priorities

Also orders policies with equals priorities by their automatic priority.

3 years agokernel-pfkey: Update priority calculation formula to the new one in kernel-netlink
Tobias Brunner [Mon, 11 Apr 2016 09:19:26 +0000 (11:19 +0200)]
kernel-pfkey: Update priority calculation formula to the new one in kernel-netlink

Since the selectors are not exactly the same (no port masks, no interface)
some small tweaks have been applied.

3 years agokernel-netlink: Order policies with equal priorities by their automatic priority
Tobias Brunner [Wed, 6 Apr 2016 12:40:28 +0000 (14:40 +0200)]
kernel-netlink: Order policies with equal priorities by their automatic priority

This allows using manual priorities for traps, which have a lower
base priority than the resulting IPsec policies.  This could otherwise
be problematic if, for example, swanctl --install/uninstall is used while
an SA is established combined with e.g. IPComp, where the trap policy does
not look the same as the IPsec policy (which is now otherwise often the case
as the reqids stay the same).

It also orders policies by selector size if manual priorities are configured
and narrowing occurs.

3 years agoMerge branch 'boringssl'
Tobias Brunner [Fri, 15 Apr 2016 08:33:23 +0000 (10:33 +0200)]
Merge branch 'boringssl'

Adds some fixes to the openssl plugin to build against BoringSSL.

Fixes #1374.

3 years agocurl: Add TLS support if libcurl is built against BoringSSL
Tobias Brunner [Mon, 11 Apr 2016 09:33:41 +0000 (11:33 +0200)]
curl: Add TLS support if libcurl is built against BoringSSL

We don't have to rely on the openssl plugin and its threading
initialization as BoringSSL is thread-safe out of the box.

3 years agoopenssl: BoringSSL does not support configuration
Tobias Brunner [Fri, 8 Apr 2016 13:56:25 +0000 (15:56 +0200)]
openssl: BoringSSL does not support configuration

The other initialization functions are still defined but many are
apparently no-ops (this is also true for the threading initialization).

3 years agoopenssl: The member storing the DH exponent length has been renamed in BoringSSL
Tobias Brunner [Fri, 8 Apr 2016 13:55:05 +0000 (15:55 +0200)]
openssl: The member storing the DH exponent length has been renamed in BoringSSL

3 years agoopenssl: Use proper EVP macro to determine size of a hash
Tobias Brunner [Fri, 8 Apr 2016 13:54:08 +0000 (15:54 +0200)]
openssl: Use proper EVP macro to determine size of a hash

3 years agoandroid: Remove OPENSSL_NO_EC* defines
Tobias Brunner [Wed, 13 Apr 2016 07:31:50 +0000 (09:31 +0200)]
android: Remove OPENSSL_NO_EC* defines

Current versions of OpenSSL/BoringSSL shipped with Android support ECC.

3 years agoandroid: OPENSSL_NO_ENGINE is now properly defined in the headers
Tobias Brunner [Fri, 8 Apr 2016 13:52:58 +0000 (15:52 +0200)]
android: OPENSSL_NO_ENGINE is now properly defined in the headers

3 years agocurl: Handle LibreSSL like OpenSSL in regards to multi-threading
Tobias Brunner [Fri, 8 Apr 2016 12:37:21 +0000 (14:37 +0200)]
curl: Handle LibreSSL like OpenSSL in regards to multi-threading

LibreSSL is API compatible so our openssl plugin does not need any
changes and it works fine with the curl plugin.

3 years agoconfigure: Replace two remaining usages of AC_HAVE_LIBRARY with AC_CHECK_LIB
Tobias Brunner [Fri, 8 Apr 2016 12:35:47 +0000 (14:35 +0200)]
configure: Replace two remaining usages of AC_HAVE_LIBRARY with AC_CHECK_LIB

3 years agothread: Don't hold mutex when calling cleanup handlers while terminating
Tobias Brunner [Wed, 13 Apr 2016 09:58:32 +0000 (11:58 +0200)]
thread: Don't hold mutex when calling cleanup handlers while terminating

This could interfere with cleanup handlers that try to acquire
mutexes while other threads holding these try to e.g. cancel the threads.

As cleanup handlers are only queued by the threads themselves we don't need
any synchronization to access the list.

Fixes #1401.

3 years agotesting: Added swanctl/rw-multi-ciphers-ikev1 scenario
Andreas Steffen [Tue, 12 Apr 2016 16:50:58 +0000 (18:50 +0200)]
testing: Added swanctl/rw-multi-ciphers-ikev1 scenario

3 years agoIgnore Qt Creator project files
Tobias Brunner [Mon, 11 Apr 2016 14:11:16 +0000 (16:11 +0200)]
Ignore Qt Creator project files

Closes strongswan/strongswan#32.

3 years agoVersion bump to 5.4.1dr1 5.4.1dr1
Andreas Steffen [Mon, 11 Apr 2016 08:24:12 +0000 (10:24 +0200)]
Version bump to 5.4.1dr1

3 years agoMerge branch 'kernel-policies'
Andreas Steffen [Mon, 11 Apr 2016 08:19:21 +0000 (10:19 +0200)]
Merge branch 'kernel-policies'

3 years agoExtended IPsec kernel policy scheme
Andreas Steffen [Sat, 9 Apr 2016 14:46:37 +0000 (16:46 +0200)]
Extended IPsec kernel policy scheme

The kernel policy now considers src and dst port masks as well as
restictions to a given network interface. The base priority is
100'000 for passthrough shunts, 200'000 for IPsec policies,
300'000 for IPsec policy traps and 400'000 for fallback drop shunts.
The values 1..30'000 can be used for manually set priorities.

3 years agotesting: Added swanctl/manual_prio scenario
Andreas Steffen [Wed, 6 Apr 2016 14:08:38 +0000 (16:08 +0200)]
testing: Added swanctl/manual_prio scenario

3 years agoInclude manual policy priorities and restriction to interfaces in vici list-conn...
Andreas Steffen [Mon, 28 Mar 2016 07:03:21 +0000 (09:03 +0200)]
Include manual policy priorities and restriction to interfaces in vici list-conn command

3 years agoImplemented IPsec policies restricted to given network interface
Andreas Steffen [Sun, 27 Mar 2016 08:18:19 +0000 (10:18 +0200)]
Implemented IPsec policies restricted to given network interface

3 years agoSupport manually-set IPsec policy priorities
Andreas Steffen [Thu, 24 Mar 2016 17:35:27 +0000 (18:35 +0100)]
Support manually-set IPsec policy priorities

3 years agopeer-cfg: Use struct to pass data to constructor
Tobias Brunner [Mon, 4 Apr 2016 16:41:17 +0000 (18:41 +0200)]
peer-cfg: Use struct to pass data to constructor

3 years agochild-cfg: Use struct to pass data to constructor
Tobias Brunner [Mon, 4 Apr 2016 14:09:23 +0000 (16:09 +0200)]
child-cfg: Use struct to pass data to constructor

3 years agokernel-pfkey: Prefer policies with reqid over those without
Tobias Brunner [Mon, 4 Apr 2016 13:06:44 +0000 (15:06 +0200)]
kernel-pfkey: Prefer policies with reqid over those without

3 years agokernel-pfkey: Only install templates for regular IPsec policies with reqid
Tobias Brunner [Mon, 4 Apr 2016 13:06:11 +0000 (15:06 +0200)]
kernel-pfkey: Only install templates for regular IPsec policies with reqid

3 years agotesting: Add swanctl/net2net-gw scenario
Tobias Brunner [Fri, 1 Apr 2016 17:05:02 +0000 (19:05 +0200)]
testing: Add swanctl/net2net-gw scenario

3 years agoshunt-manager: Install "outbound" FWD policy
Tobias Brunner [Mon, 4 Apr 2016 08:49:35 +0000 (10:49 +0200)]
shunt-manager: Install "outbound" FWD policy

If there is a default drop policy forwarded traffic might otherwise not
be allowed by a specific passthrough policy (while local traffic is
allowed).

3 years agokernel-netlink: Prefer policies with reqid over those without
Tobias Brunner [Fri, 1 Apr 2016 15:06:10 +0000 (17:06 +0200)]
kernel-netlink: Prefer policies with reqid over those without

This allows two CHILD_SAs with reversed subnets to install two FWD
policies each.  Since the outbound policy won't have a reqid set we will
end up with the two inbound FWD policies installed in the kernel, with
the correct templates to allow decrypted traffic.

3 years agokernel-netlink: Only associate templates with inbound FWD policies
Tobias Brunner [Fri, 1 Apr 2016 14:51:51 +0000 (16:51 +0200)]
kernel-netlink: Only associate templates with inbound FWD policies

We can't set a template on the outbound FWD policy (or we'd have to make
it optional).  Because if the traffic does not come from another (matching)
IPsec tunnel it would get dropped due to the template mismatch.

3 years agochild-sa: Install "outbound" FWD policy
Tobias Brunner [Fri, 1 Apr 2016 14:41:05 +0000 (16:41 +0200)]
child-sa: Install "outbound" FWD policy

If there is a DROP shunt that matches outbound forwarded traffic it
would get dropped as the FWD policy we install only matches decrypted
inbound traffic.  That's because the Linux kernel first checks the FWD
policies before looking up the OUT policy and SA to encrypt the packets.

3 years agokernel-netlink: Associate routes with IN policies instead of FWD policies
Tobias Brunner [Fri, 1 Apr 2016 14:26:07 +0000 (16:26 +0200)]
kernel-netlink: Associate routes with IN policies instead of FWD policies

This allows us to install more than one FWD policy.  We already do this
in the kernel-pfkey plugin (there the original reason was that not all
kernels support FWD policies).

3 years agokernel: Use structs to pass information to the kernel-ipsec interface
Tobias Brunner [Thu, 31 Mar 2016 14:01:40 +0000 (16:01 +0200)]
kernel: Use structs to pass information to the kernel-ipsec interface

3 years agotesting: List conntrack table on sun in ikev2/host2host-transport-connmark scenario
Tobias Brunner [Wed, 6 Apr 2016 11:56:36 +0000 (13:56 +0200)]
testing: List conntrack table on sun in ikev2/host2host-transport-connmark scenario

3 years agotesting: Version bump to 5.4.0
Tobias Brunner [Wed, 6 Apr 2016 09:17:27 +0000 (11:17 +0200)]
testing: Version bump to 5.4.0

References #1382.

3 years agotesting: Disable leak detective when generating CRLs
Tobias Brunner [Tue, 24 Nov 2015 14:28:11 +0000 (15:28 +0100)]
testing: Disable leak detective when generating CRLs

GnuTLS, which can get loaded by the curl plugin, does not properly cleanup
some allocated memory when deinitializing.  This causes invalid frees if
leak detective is active.  Other invalid frees are related to time
conversions (tzset).

References #1382.

3 years agopkcs11: Skip zero-padding of r and s when preparing EC signature
Tobias Brunner [Mon, 4 Apr 2016 13:35:43 +0000 (15:35 +0200)]
pkcs11: Skip zero-padding of r and s when preparing EC signature

They are zero padded to fill the buffer.

Fixes #1377.

3 years agochunk: Skip all leading zero bytes in chunk_skip_zero() not just the first
Tobias Brunner [Mon, 4 Apr 2016 13:29:16 +0000 (15:29 +0200)]
chunk: Skip all leading zero bytes in chunk_skip_zero() not just the first

3 years agostring: Gracefully handle NULL in str*eq() macros
Tobias Brunner [Fri, 1 Apr 2016 17:03:22 +0000 (19:03 +0200)]
string: Gracefully handle NULL in str*eq() macros

3 years agobyteorder: Explicitly check for htoXeXX macros
Tobias Brunner [Thu, 31 Mar 2016 17:47:31 +0000 (19:47 +0200)]
byteorder: Explicitly check for htoXeXX macros

Some platforms have XetohXX macros instead of XeXXtoh macros, in which
case we'd redefine the htoXeXX macros.

3 years agovici: Fix documentation of some dictionary keys of two request messages
Cameron McCord [Wed, 30 Mar 2016 11:01:37 +0000 (05:01 -0600)]
vici: Fix documentation of some dictionary keys of two request messages

Closes strongswan/strongswan#40.

3 years agoproposal: Use standard integer types for static keywords
Tobias Brunner [Wed, 30 Mar 2016 11:48:51 +0000 (13:48 +0200)]
proposal: Use standard integer types for static keywords

3 years agoutils: Remove nonsensical typedefs for standard uint types
Tobias Brunner [Wed, 30 Mar 2016 07:12:09 +0000 (09:12 +0200)]
utils: Remove nonsensical typedefs for standard uint types

3 years agoUse u_int32_t legacy type in blowfish header file
Andreas Steffen [Thu, 24 Mar 2016 19:58:32 +0000 (20:58 +0100)]
Use u_int32_t legacy type in blowfish header file

3 years agoUse standard unsigned integer types
Andreas Steffen [Tue, 22 Mar 2016 12:22:01 +0000 (13:22 +0100)]
Use standard unsigned integer types

3 years agoupdown: Get value for PLUTO_MARK_{IN,OUT} from CHILD_SA
Shota Fukumori [Sat, 12 Mar 2016 15:05:01 +0000 (00:05 +0900)]
updown: Get value for PLUTO_MARK_{IN,OUT} from CHILD_SA

Or the invoked script will get a broken value when `mark=%unique` is
used in a configuration.

Closes strongswan/strongswan#37.

3 years agoconnmark: Explicitly include xt_mark.h for older kernels
Tobias Brunner [Wed, 23 Mar 2016 13:40:29 +0000 (14:40 +0100)]
connmark: Explicitly include xt_mark.h for older kernels

Fixes #1365.

3 years agoandroid: Enable 64-bit ABIs
Tobias Brunner [Tue, 26 Jan 2016 16:26:04 +0000 (17:26 +0100)]
android: Enable 64-bit ABIs

3 years agoandroid: Enable build against API level 21
Tobias Brunner [Tue, 26 Jan 2016 16:23:02 +0000 (17:23 +0100)]
android: Enable build against API level 21

While building against this level in general would break our app on
older systems, the NDK will automatically use this level for 64-bit
ABI builds (which are not supported in older levels).  So to build
against 64-bit ABIs we have to support this API level.

3 years agolibcharon: Add missing header file to Android.mk
Tobias Brunner [Wed, 23 Mar 2016 13:16:32 +0000 (14:16 +0100)]
libcharon: Add missing header file to Android.mk

Not really relevant, just to make sure both file lists are the same.

3 years agotesting: Updated updown scripts in libipsec scenarios to latest version
Tobias Brunner [Wed, 23 Mar 2016 13:13:07 +0000 (14:13 +0100)]
testing: Updated updown scripts in libipsec scenarios to latest version

3 years agoike-sa-manager: Avoid memory leak if IKE_SAs get checked in after flush() was called
Tobias Brunner [Tue, 22 Mar 2016 13:22:19 +0000 (14:22 +0100)]
ike-sa-manager: Avoid memory leak if IKE_SAs get checked in after flush() was called

A thread might check out a new IKE_SA via checkout_new() or
checkout_by_config() and start initiating it while the daemon is
terminating and the IKE_SA manager is flushed by the main thread.
That SA is not tracked yet so the main thread is not waiting for it and
the other thread is able to check it in and creating an entry after flush()
already terminated causing a memory leak.

Fixes #1348.

3 years agoha: Delete cache entry inside the locked mutex
Thomas Egerer [Mon, 21 Mar 2016 13:46:11 +0000 (14:46 +0100)]
ha: Delete cache entry inside the locked mutex

Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
3 years agoswanctl: Fix documented directory name for remote pubkeys
Tobias Brunner [Tue, 22 Mar 2016 17:06:22 +0000 (18:06 +0100)]
swanctl: Fix documented directory name for remote pubkeys

3 years agoVersion bump to 5.4.0 5.4.0
Andreas Steffen [Tue, 22 Mar 2016 10:20:36 +0000 (11:20 +0100)]
Version bump to 5.4.0

3 years agokernel-netlink: Fix lookup of next hops for destinations with prefix
Tobias Brunner [Fri, 11 Mar 2016 17:39:35 +0000 (18:39 +0100)]
kernel-netlink: Fix lookup of next hops for destinations with prefix

References #1347.

3 years agoimc-os: Terminate buffer after fread(3) call to make Coverity happy
Tobias Brunner [Fri, 11 Mar 2016 13:40:55 +0000 (14:40 +0100)]
imc-os: Terminate buffer after fread(3) call to make Coverity happy

3 years agoimc-os: Correctly check return value of ftell(2)
Tobias Brunner [Fri, 11 Mar 2016 13:22:19 +0000 (14:22 +0100)]
imc-os: Correctly check return value of ftell(2)

3 years agoFix some Doxygen issues
Tobias Brunner [Fri, 11 Mar 2016 10:25:25 +0000 (11:25 +0100)]
Fix some Doxygen issues

3 years agoUpdated NEWS 5.4.0rc1
Andreas Steffen [Fri, 11 Mar 2016 10:31:02 +0000 (11:31 +0100)]
Updated NEWS

3 years agoman: Updated default proposals in ipsec.conf(5)
Tobias Brunner [Fri, 11 Mar 2016 09:24:36 +0000 (10:24 +0100)]
man: Updated default proposals in ipsec.conf(5)

3 years agoidentification: Make `written` signed to fix error checking when printing ranges
Tobias Brunner [Fri, 11 Mar 2016 09:06:58 +0000 (10:06 +0100)]
identification: Make `written` signed to fix error checking when printing ranges

3 years agovici: Don't hold write lock while running or undoing start actions
Tobias Brunner [Wed, 10 Feb 2016 11:09:37 +0000 (12:09 +0100)]
vici: Don't hold write lock while running or undoing start actions

Running or undoing start actions might require enumerating IKE_SAs,
which in turn might have to enumerate peer configs concurrently, which
requires acquiring a read lock.  So if we keep holding the write lock while
enumerating the SAs we provoke a deadlock.

By preventing other threads from acquiring the write lock while handling
actions, and thus preventing the modification of the configs, we largely
maintain the current synchronous behavior.  This way we also don't need to
acquire additional refs for config objects as they won't get modified/removed.

Fixes #1185.

3 years agoInitialize ts variable
Andreas Steffen [Fri, 11 Mar 2016 07:29:15 +0000 (08:29 +0100)]
Initialize ts variable

3 years agoforecast: Compare the complete rules when deleting them
Tobias Brunner [Wed, 9 Mar 2016 11:10:12 +0000 (12:10 +0100)]
forecast: Compare the complete rules when deleting them

Same as the change in the connmark plugin.

References #1229.

3 years agoconnmark: Don't restore CONNMARK for packets that already have a mark set
Tobias Brunner [Mon, 7 Mar 2016 15:52:43 +0000 (16:52 +0100)]
connmark: Don't restore CONNMARK for packets that already have a mark set

This allows e.g. modified versions of xl2tpd to set the mark in
situations where two clients are using the same source port behind the
same NAT, which CONNMARK can't restore properly as only one conntrack entry
will exist with the mark set to that of the client that sent the last packet.

Fixes #1230.

3 years agoconnmark: Compare the complete rules when deleting them
Tobias Brunner [Mon, 7 Mar 2016 14:32:02 +0000 (15:32 +0100)]
connmark: Compare the complete rules when deleting them

By settings a matchmask that covers the complete rule we ensure that the
correct rule is deleted (i.e. matches and targets with potentially different
marks are also compared).

Since data after the passed pointer is actually dereferenced when
comparing we definitely have to pass an array that is at least as long as
the ipt_entry.

Fixes #1229.

3 years agoMerge branch 'subnet-identities'
Andreas Steffen [Thu, 10 Mar 2016 14:26:03 +0000 (15:26 +0100)]
Merge branch 'subnet-identities'

Implemented IKEv1 IPv4/IPv6 address subnet and range identities to
be used as owners for shared secrets.

swanctl supports configuration of traffic selectors with IPv4/IPv6
address ranges.

3 years agoSupport of IP address ranges in traffic selectors
Andreas Steffen [Thu, 10 Mar 2016 11:00:56 +0000 (12:00 +0100)]
Support of IP address ranges in traffic selectors

3 years agoUpdated swanctl/rw-psk-ikev1 scenario
Andreas Steffen [Thu, 10 Mar 2016 07:02:44 +0000 (08:02 +0100)]
Updated swanctl/rw-psk-ikev1 scenario

3 years agoImplemented IPv4/IPv6 subnet and range identities
Andreas Steffen [Tue, 8 Mar 2016 21:27:30 +0000 (22:27 +0100)]
Implemented IPv4/IPv6 subnet and range identities

The IKEv1 IPV4_ADDR_SUBNET, IPV6_ADDR_SUBNET, IPV4_ADDR_RANGE and
IPV6_ADDR_RANGE identities have been fully implemented and can be
used as owners of shared secrets (PSKs).

3 years agoMerge branch 'p-cscf'
Tobias Brunner [Thu, 10 Mar 2016 11:00:56 +0000 (12:00 +0100)]
Merge branch 'p-cscf'

This adds the p-cscf plugin that can request P-CSCF server addresses from
an ePDG via IKEv2 (RFC 7651).  Addresses of the same families as requested
virtual IPs are requested if enabled in strongswan.conf for a particular
connection.  The plugin currently writes received addresses to the log.

3 years agoattr: Only enumerate attributes matching the IKE version of the current IKE_SA
Tobias Brunner [Thu, 11 Feb 2016 14:47:32 +0000 (15:47 +0100)]
attr: Only enumerate attributes matching the IKE version of the current IKE_SA

Numerically configured attributes are currently sent for both versions.

3 years agoattr: Add p-cscf keyword for P-CSCF server addresses
Tobias Brunner [Fri, 5 Feb 2016 15:47:26 +0000 (16:47 +0100)]
attr: Add p-cscf keyword for P-CSCF server addresses

3 years agop-cscf: Make sending requests configurable and disable it by default
Tobias Brunner [Thu, 4 Feb 2016 17:41:14 +0000 (18:41 +0100)]
p-cscf: Make sending requests configurable and disable it by default

3 years agop-cscf: Only send requests if virtual IPs of the same family are requested
Tobias Brunner [Thu, 4 Feb 2016 17:35:07 +0000 (18:35 +0100)]
p-cscf: Only send requests if virtual IPs of the same family are requested

3 years agop-cscf: Add attribute handler for P-CSCF server addresses
Tobias Brunner [Thu, 4 Feb 2016 17:26:29 +0000 (18:26 +0100)]
p-cscf: Add attribute handler for P-CSCF server addresses

3 years agop-cscf: Add plugin stub
Tobias Brunner [Wed, 3 Feb 2016 16:49:48 +0000 (17:49 +0100)]
p-cscf: Add plugin stub

3 years agopayloads: Verify P-CSCF configuration attributes like others carrying IP addresses
Tobias Brunner [Wed, 3 Feb 2016 16:34:34 +0000 (17:34 +0100)]
payloads: Verify P-CSCF configuration attributes like others carrying IP addresses

3 years agoattributes: Define P-CSCF address attributes described in RFC 7651
Tobias Brunner [Wed, 3 Feb 2016 16:32:16 +0000 (17:32 +0100)]
attributes: Define P-CSCF address attributes described in RFC 7651

3 years agoMerge branch 'mbb-reauth-online-revocation'
Tobias Brunner [Thu, 10 Mar 2016 10:48:12 +0000 (11:48 +0100)]
Merge branch 'mbb-reauth-online-revocation'

With these changes initiators of make-before-break reauthentications
suspend online revocation checks until after the new IKE_SA and all
CHILD_SAs are established.  See f1cbacc5d1be for details why that's
necessary.

3 years agoNEWS: Added note on online revocation checks during make-before-break reauthentication
Tobias Brunner [Thu, 10 Mar 2016 10:46:44 +0000 (11:46 +0100)]
NEWS: Added note on online revocation checks during make-before-break reauthentication

3 years agotesting: Add ikev2/reauth-mbb-revoked scenario
Tobias Brunner [Tue, 27 Oct 2015 16:42:45 +0000 (17:42 +0100)]
testing: Add ikev2/reauth-mbb-revoked scenario

3 years agotesting: Generate a CRL that has moon's actual certificate revoked
Tobias Brunner [Tue, 27 Oct 2015 16:42:15 +0000 (17:42 +0100)]
testing: Generate a CRL that has moon's actual certificate revoked

3 years agoike-sa: Improve interaction between flush_auth_cfg and delayed revocation checks
Tobias Brunner [Wed, 28 Oct 2015 15:09:59 +0000 (16:09 +0100)]
ike-sa: Improve interaction between flush_auth_cfg and delayed revocation checks

3 years agoikev2: Delay online revocation checks during make-before-break reauthentication
Tobias Brunner [Tue, 27 Oct 2015 16:34:50 +0000 (17:34 +0100)]
ikev2: Delay online revocation checks during make-before-break reauthentication

We do these checks after the SA is fully established.

When establishing an SA the responder is always able to install the
CHILD_SA created with the IKE_SA before the initiator can do so.
During make-before-break reauthentication this could cause traffic sent
by the responder to get dropped if the installation of the SA on the
initiator is delayed e.g. by OCSP/CRL checks.

In particular, if the OCSP/CRL URIs are reachable via IPsec tunnel (e.g.
with rightsubnet=0.0.0.0/0) the initiator is unable to reach them during
make-before-break reauthentication as it wouldn't be able to decrypt the
response that the responder sends using the new CHILD_SA.

By delaying the revocation checks until the make-before-break
reauthentication is completed we avoid the problems described above.
Since this only affects reauthentication, not the original IKE_SA, and the
delay until the checks are performed is usually not that long this
doesn't impose much of a reduction in the overall security.

3 years agoikev2: Add task that verifies a peer's certificate
Tobias Brunner [Tue, 27 Oct 2015 16:31:43 +0000 (17:31 +0100)]
ikev2: Add task that verifies a peer's certificate

On failure the SA is deleted and reestablished as configured.  The task
is activated after the REAUTH_COMPLETE task so a make-before-break reauth
is completed before the new SA might get torn down.

3 years agoikev2: Initiate other tasks after a no-op task
Tobias Brunner [Tue, 27 Oct 2015 16:29:53 +0000 (17:29 +0100)]
ikev2: Initiate other tasks after a no-op task

3 years agoikev2: Don't do online revocation checks in pubkey authenticator if requested
Tobias Brunner [Tue, 27 Oct 2015 16:28:20 +0000 (17:28 +0100)]
ikev2: Don't do online revocation checks in pubkey authenticator if requested

We also update the auth config so the constraints are not enforced.

3 years agoike-sa: Add condition to suspend online certificate revocation checks for an IKE_SA
Tobias Brunner [Tue, 27 Oct 2015 16:27:02 +0000 (17:27 +0100)]
ike-sa: Add condition to suspend online certificate revocation checks for an IKE_SA

3 years agoike-sa: Add method to verify certificates in completed authentication rounds
Tobias Brunner [Tue, 27 Oct 2015 16:25:22 +0000 (17:25 +0100)]
ike-sa: Add method to verify certificates in completed authentication rounds

3 years agoauth-cfg: Add a rule to suspend certificate validation constraints
Tobias Brunner [Tue, 27 Oct 2015 16:21:18 +0000 (17:21 +0100)]
auth-cfg: Add a rule to suspend certificate validation constraints

3 years agocredential-manager: Check cache queue when destroying trusted certificate enumerator
Tobias Brunner [Tue, 27 Oct 2015 16:17:54 +0000 (17:17 +0100)]
credential-manager: Check cache queue when destroying trusted certificate enumerator

We already do this in the trusted public key enumerator (which
internally uses the trusted certificate enumerator) but should do so
also when this enumerator is used directly (since the public key
enumerator has the read lock the additional call will just be skipped
there).