aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon
Commit message (Collapse)AuthorAgeFilesLines
...
* vici: Optionally check limits when initiating connectionsTobias Brunner2015-08-212-1/+7
| | | | | If the init-limits parameter is set (disabled by default) init limits will be checked and might prevent new SAs from getting initiated.
* vici: Add get_bool() convenience getter for VICI messagesTobias Brunner2015-08-213-0/+94
|
* controller: Optionally adhere to init limits also when initiating IKE_SAsTobias Brunner2015-08-2112-17/+68
|
* ike: Also track initiating IKE_SAs as half-openTobias Brunner2015-08-211-1/+0
|
* stroke: Allow %any as local addressTobias Brunner2015-08-211-3/+7
| | | | | Actually, resolving addresses in `left` might be overkill as we'll assume left=local anyway (the only difference is the log message).
* stroke: Add an option to disable side-swapping of configuration optionsTobias Brunner2015-08-211-33/+46
| | | | | In some scenarios it might be preferred to ensure left is always local and no unintended swaps occur.
* ikev1: Assign different job priorities for inbound IKEv1 messagesTobias Brunner2015-08-211-2/+12
|
* child-rekey: Don't add a REKEY_SA notify if the child-create task is ↵Tobias Brunner2015-08-211-6/+9
| | | | deleting the SA
* child-create: Cache proposed IPsec protocolTobias Brunner2015-08-211-10/+13
| | | | | This allows us to DELETE CHILD_SAs on failures that occur before we retrieved the selected proposal.
* child-create: Don't attempt to delete the SA if we don't have all the ↵Tobias Brunner2015-08-211-8/+10
| | | | | | | information Since we only support single protocols we could probably guess it and always send a DELETE.
* child-rekey: Remove redundant migrate() call for child-create sub-taskTobias Brunner2015-08-211-2/+1
| | | | | | | When retrying due to a DH group mismatch this is already done by the child-create task itself. And in other cases where the task returns NEED_MORE we actually will need access to a possible proposal to properly delete it.
* child-create: Fix crash when retrying CHILD_SA rekeying due to a DH group ↵Tobias Brunner2015-08-211-0/+1
| | | | | | | | | | mismatch If the responder declines our KE payload during a CHILD_SA rekeying migrate() is called to reuse the child-create task. But the child-rekey task then calls the same method again. Fixes: 32df0d81fb46 ("child-create: Destroy nonceg in migrate()")
* stroke: Change how CA certificates are storedTobias Brunner2015-08-205-58/+285
| | | | | | | | | | | Since 11c14bd2f5 CA certificates referenced in ca sections were enumerated by two credential sets if they were also stored in ipsec.d/cacerts. This caused duplicate certificate requests to get sent. All CA certificates, whether loaded automatically or via a ca section, are now stored in stroke_ca_t. Certificates referenced in ca sections are now also reloaded when `ipsec rereadcacerts` is used.
* stroke: Combine CA certificate load methodsTobias Brunner2015-08-201-82/+74
| | | | | Also use the right credential set for CA cert references loaded from stroke_ca_t.
* stroke: Atomically replace CA and AA certificates when reloading themTobias Brunner2015-08-201-34/+45
| | | | | Previously it was possible that certificates were not found between the time the credential sets were cleared and the certificates got readded.
* ikev1: Fix handling of overlapping Quick Mode exchangesTobias Brunner2015-08-203-2/+70
| | | | | | | | | | | | | In some cases the third message of a Quick Mode exchange might arrive after the first message of a subsequent Quick Mode exchange. Previously these messages were handled incorrectly and the second Quick Mode exchange failed. Some implementations might even try to establish multiple Quick Modes simultaneously, which is explicitly allowed in RFC 2409. We don't fully support that, though, in particular in case of retransmits. Fixes #1076.
* ikev2: Compare initiator flag again, partially reverts 17ec1c74deTobias Brunner2015-08-202-1/+5
| | | | | We should ignore messages that have the flag set incorrectly. This restores RFC compliance which was broken since the mentioned commit.
* ikev2: Drop IKE_SA_INIT messages that don't have the initiator flag setTobias Brunner2015-08-201-1/+3
| | | | | | | | | | | While this doesn't really create any problems it is not 100% correct to accept such messages because, of course, the sender of an IKE_SA_INIT request is always the original initiator of an IKE_SA. We currently don't check the flag later, so we wouldn't notice if the peer doesn't set it in later messages (ike_sa_id_t.equals doesn't compare it anymore since we added support for IKEv1, in particular since 17ec1c74de).
* ikev1: Pass current auth-cfg when looking for key to determine auth methodTobias Brunner2015-08-191-1/+1
| | | | | | | | | If multiple certificates use the same subjects we might choose the wrong one otherwise. This way we use the one referenced with leftcert and stored in the auth-cfg and we actually do the same thing later in the pubkey authenticator. Fixes #1077.
* ikev2: Store outer EAP method used to authenticate remote peer in auth-cfgTobias Brunner2015-08-191-0/+9
| | | | | | | This allows symmetric configuration of EAP methods (i.e. the same value in leftauth and rightauth) when mutual EAP-only authentication is used. Previously the client had to configure rightauth=eap or rightauth=any, which prevented it from using this same config as responder.
* ike: Use the original port when remote resolves to %anyTobias Brunner2015-08-191-1/+3
| | | | | | When reestablishing the IKE_SA we should still use the original port when right resolves to %any as some implementations might not like initial IKE messages on port 4500 (especially for IKEv1).
* trap-manager: Enable auto=route with right=%any for transport mode connectionsTobias Brunner2015-08-191-27/+118
| | | | Fixes #196.
* sql: Also do a reversed ID matchTobias Brunner2015-08-171-2/+9
| | | | | | | This is required for the case where IDr is not sent (i.e. is %any). The backend manager does the same. Fixes #1044.
* ha: Recreate the control FIFO if the file exists but is not a FIFOTobias Brunner2015-08-171-13/+68
| | | | | | This may happen if something like `echo ... > /path/to/fifo` is used before the plugin was able to create the FIFO. In that case we'd end up in a loop always reading the same values from the static file.
* ikev1: Assume a default key length of 128-bit for AES-CBCTobias Brunner2015-08-171-0/+11
| | | | | | | | | | Some implementations don't send a Key Length attribute for AES-128. This was allowed for IKE in early drafts of RFC 3602, however, some implementations also seem to do it for ESP, where it never was allowed. And the final version of RFC 3602 demands a Key Length attribute for both phases so they shouldn't do it anymore anyway. Fixes #1064.
* vici: Add option to disable policy installation for CHILD_SAsTobias Brunner2015-08-171-1/+6
|
* child-sa: Fix refcounting of allocated reqidsTobias Brunner2015-08-171-3/+12
| | | | | | | | | | | During a rekeying we want to reuse the current reqid, but if the new SA does not allocate it via kernel-interface the state there will disappear when the old SA is destroyed after the rekeying. When the IKE_SA is later reauthenticated with make-before-break reauthentication the new CHILD_SAs there will get new reqids as no existing state is found in the kernel-interface, breaking policy installation in the kernel. Fixes: a49393954f31 ("child-sa: Use any fixed reqid configured on the CHILD_SA config")
* plugin-feature: Add vendor specific EAP method registration macrosTobias Brunner2015-08-171-1/+2
| | | | | | | | | | | Vendor specific EAP methods may be registered with: PLUGIN_CALLBACK(eap_method_register, <constructor>), PLUGIN_PROVIDE(EAP_SERVER_VENDOR, <type>, <vendor>), Same for client implementations via EAP_PEER_VENDOR. References #969.
* eap-radius: Use Framed-IPv6-Address attributes to send IPv6 VIPs in ↵Tobias Brunner2015-08-171-4/+2
| | | | | | | | | accounting messages This attribute is more appropriate for single IPv6 virtual IPs than the Framed-IPv6-Prefix attribute. Fixes #1001.
* eap-radius: Add support for some basic IPv6-specific RADIUS attributesTobias Brunner2015-08-171-1/+10
| | | | | | These are defined in RFC 6911. Fixes #1001.
* vici: Add listen methods to receive arbitrary events in Python libraryTobias Brunner2015-08-171-0/+34
|
* vici: Move event (un-)registration to a helper method in Python libraryTobias Brunner2015-08-173-49/+60
| | | | | Also make sure events are unregistered in case of exceptions in streamed_request().
* vici: Add ike/child-rekey eventsTobias Brunner2015-08-172-0/+108
|
* vici: Document the ike/child-updown eventsTobias Brunner2015-08-171-0/+23
|
* vici: Don't include a child-sas section in ike-updown eventTobias Brunner2015-08-171-2/+0
| | | | | | This makes it clearer that only the data concerning the IKE_SA is transmitted (there could be CHILD_SAs e.g. during IKEv1 reauthentication).
* vici: Explicitly notify listeners of the type of ike/child-updown eventTobias Brunner2015-08-171-0/+11
|
* Fixed AR identities in mutual TNC measurements caseAndreas Steffen2015-08-151-0/+4
|
* load-tester: Include string.h for strcmp() on some platformsTobias Brunner2015-08-131-0/+1
|
* Initialize variables that some compilers seem to warn aboutTobias Brunner2015-08-132-2/+2
|
* Fixed some typosTobias Brunner2015-08-132-5/+5
|
* whitelist: Use hash() method so DNs with different string types matchTobias Brunner2015-08-061-1/+1
| | | | | | | | | | strongSwan uses PrintableString when encoding DNs from strings (if the character set permits it, otherwise T61String is currently used) but certificates might be encoded with UTF8String even for simple ASCII strings. By ignoring this string type when hashing RDNs we make sure the same hash results in this case as long as the actual string values are the same. Fixes #991.
* updown: Pass virtual IPs assigned to a peer to the updown scriptTobias Brunner2015-08-061-7/+11
| | | | | | Previously only received virtual IPs were available. References #1008.
* eap-radius: Don't send RADIUS Accounting Start messages twiceTobias Brunner2015-08-061-0/+5
| | | | | | | | If a client does Mode Config during reauthentication the assign_vips() event might be triggered twice, we should not send another Start message in that case. Fixes #937.
* eap-radius: Change trigger for Accounting Start messages for IKEv1Tobias Brunner2015-08-061-5/+12
| | | | | | | | | | | | | | | | | | | | | Some clients won't do Mode Config or XAuth during reauthentication. Because Start messages previously were triggered by TRANSACTION exchanges none were sent for new SAs of such clients, while Stop messages were still sent for the old SAs when they were destroyed. This resulted in an incorrect state on the RADIUS server. Since 31be582399 the assign_vips() event is also triggered during reauthentication if the client does not do a Mode Config exchange. So instead of waiting for a TRANSACTION exchange we trigger the Start message when a virtual IP is assigned to a client. With this the charon.plugins.eap-radius.accounting_requires_vip option would not have any effect for IKEv1 anymore. However, it previously also only worked if the client did an XAuth exchange, which is probably rarely used without virtual IPs, so this might not be much of a regression. Fixes #937.
* ha: Properly initialize algo variables when installing CHILD_SAsTobias Brunner2015-08-041-1/+1
| | | | | | | | | | If AEAD algorithms are used no integrity algorithm will be received from the other HA node. But since AUTH_UNDEFINED is 1024 and not 0 this value was incorrectly added to the proposal, resulting in a failure during key derivation. The variables are now explicitly initialized to 0, as already was the case for the IKE SAs. Fixes #1051.
* ha: Sync remote address in HA_IKE_ADD, tooThomas Egerer2015-08-042-0/+11
| | | | | | | | | | | | When the IKE_SA is synced without the remote address, after a reauthentication charon is not able to find it in its connected_peers table since the destination host will be %any (it's missing in the message, hence the default from the newly created ike_sa_t -- %any -- will be used). By adding the value to the HA_IKE_ADD message, we should be able to solve this problem. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* jobs: Don't execute rekey CHILD_SA job on passive IKE_SAsThomas Egerer2015-08-041-1/+4
| | | | Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* ike: Disable NAT keepalives in state PASSIVEThomas Egerer2015-08-041-3/+12
| | | | Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* ha: Use the same init values for jhash() as Linux 4.1Tobias Brunner2015-07-311-2/+19
|
* sql: Fix memory leak in SQL loggerTobias Brunner2015-07-281-0/+1
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-08 06:58:15 +0000