Commit message (Collapse) | Author | Age | Files | Lines | ||
---|---|---|---|---|---|---|
... | ||||||
* | p-cscf: Only send requests if virtual IPs of the same family are requested | Tobias Brunner | 2016-03-10 | 1 | -2/+18 | |
| | ||||||
* | p-cscf: Add attribute handler for P-CSCF server addresses | Tobias Brunner | 2016-03-10 | 4 | -1/+243 | |
| | ||||||
* | p-cscf: Add plugin stub | Tobias Brunner | 2016-03-10 | 5 | -0/+132 | |
| | ||||||
* | payloads: Verify P-CSCF configuration attributes like others carrying IP ↵ | Tobias Brunner | 2016-03-10 | 1 | -0/+2 | |
| | | | | addresses | |||||
* | attributes: Define P-CSCF address attributes described in RFC 7651 | Tobias Brunner | 2016-03-10 | 2 | -6/+13 | |
| | ||||||
* | ike-sa: Improve interaction between flush_auth_cfg and delayed revocation checks | Tobias Brunner | 2016-03-10 | 1 | -26/+37 | |
| | ||||||
* | ikev2: Delay online revocation checks during make-before-break reauthentication | Tobias Brunner | 2016-03-10 | 1 | -0/+5 | |
| | | | | | | | | | | | | | | | | | | | | | We do these checks after the SA is fully established. When establishing an SA the responder is always able to install the CHILD_SA created with the IKE_SA before the initiator can do so. During make-before-break reauthentication this could cause traffic sent by the responder to get dropped if the installation of the SA on the initiator is delayed e.g. by OCSP/CRL checks. In particular, if the OCSP/CRL URIs are reachable via IPsec tunnel (e.g. with rightsubnet=0.0.0.0/0) the initiator is unable to reach them during make-before-break reauthentication as it wouldn't be able to decrypt the response that the responder sends using the new CHILD_SA. By delaying the revocation checks until the make-before-break reauthentication is completed we avoid the problems described above. Since this only affects reauthentication, not the original IKE_SA, and the delay until the checks are performed is usually not that long this doesn't impose much of a reduction in the overall security. | |||||
* | ikev2: Add task that verifies a peer's certificate | Tobias Brunner | 2016-03-10 | 7 | -2/+183 | |
| | | | | | | On failure the SA is deleted and reestablished as configured. The task is activated after the REAUTH_COMPLETE task so a make-before-break reauth is completed before the new SA might get torn down. | |||||
* | ikev2: Initiate other tasks after a no-op task | Tobias Brunner | 2016-03-10 | 1 | -1/+1 | |
| | ||||||
* | ikev2: Don't do online revocation checks in pubkey authenticator if requested | Tobias Brunner | 2016-03-10 | 1 | -1/+8 | |
| | | | | We also update the auth config so the constraints are not enforced. | |||||
* | ike-sa: Add condition to suspend online certificate revocation checks for an ↵ | Tobias Brunner | 2016-03-10 | 1 | -0/+5 | |
| | | | | IKE_SA | |||||
* | ike-sa: Add method to verify certificates in completed authentication rounds | Tobias Brunner | 2016-03-10 | 2 | -0/+111 | |
| | ||||||
* | auth-cfg: Add a rule to suspend certificate validation constraints | Tobias Brunner | 2016-03-10 | 2 | -0/+18 | |
| | ||||||
* | credential-manager: Check cache queue when destroying trusted certificate ↵ | Tobias Brunner | 2016-03-10 | 1 | -1/+2 | |
| | | | | | | | | | | enumerator We already do this in the trusted public key enumerator (which internally uses the trusted certificate enumerator) but should do so also when this enumerator is used directly (since the public key enumerator has the read lock the additional call will just be skipped there). | |||||
* | credential-manager: Make online revocation checks optional for public key ↵ | Tobias Brunner | 2016-03-10 | 6 | -7/+14 | |
| | | | | enumerator | |||||
* | charon-svc: Inherit all settings from the charon section | Tobias Brunner | 2016-03-08 | 1 | -0/+9 | |
| | | | | Same as with charon-systemd. | |||||
* | charon-systemd: Inherit all settings from the charon section | Tobias Brunner | 2016-03-08 | 1 | -0/+9 | |
| | | | | | | | | Our default config files are very charon specific. So to avoid confusion when only charon-systemd is installed we just default to all settings defined for charon. Since charon-systemd probably won't be used together with charon this should not cause conflicts (settings may still be overridden via the charon-systemd section). | |||||
* | library: Add option to register additional namespaces before calling ↵ | Tobias Brunner | 2016-03-08 | 2 | -2/+43 | |
| | | | | | | | | | | library_init() Because settings are already accessed in library_init(), calling add_fallback() externally after calling library_init() is not ideal. This way namespaces already serve as fallback while library_init() is executed and they are also in the correct order so that libstrongswan is always the last root section. | |||||
* | vici: Replace child configs atomically | Tobias Brunner | 2016-03-08 | 1 | -14/+11 | |
| | | | | This also leaves unmodified configs as they are. | |||||
* | peer-cfg: Add method to atomically replace child configs | Tobias Brunner | 2016-03-08 | 2 | -2/+128 | |
| | ||||||
* | ike-cfg: Use new method to compare proposal lists in equals() | Tobias Brunner | 2016-03-08 | 1 | -20/+4 | |
| | ||||||
* | peer-cfg: Use new method to compare linked lists in equals() | Tobias Brunner | 2016-03-08 | 1 | -36/+3 | |
| | | | | This also compares the complete lists not only the first two items. | |||||
* | child-cfg: Add equals() method | Tobias Brunner | 2016-03-08 | 2 | -2/+62 | |
| | ||||||
* | linked-list: Add method to compare two lists of objects for equality | Tobias Brunner | 2016-03-08 | 3 | -2/+166 | |
| | ||||||
* | vici: Order auth rounds by optional `round` parameter instead of by position ↵ | Tobias Brunner | 2016-03-08 | 2 | -40/+74 | |
| | | | | in the request | |||||
* | ikev1: Send NAT-D payloads after vendor ID payloads in Aggressive Mode messages | Tobias Brunner | 2016-03-07 | 1 | -6/+6 | |
| | | | | | | | Some implementations might otherwise not recognize the NAT-D payload type. Also moves SIG and HASH payloads last in these messages. Fixes #1239. | |||||
* | ike-sa-manager: Log a checkin/failure message for every checkout | Thomas Egerer | 2016-03-07 | 1 | -8/+32 | |
| | | | | Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com> | |||||
* | Display IKE ports with swanctl --list-sas | Andreas Steffen | 2016-03-05 | 1 | -4/+9 | |
| | ||||||
* | ike-sa-manager: Log some additional details like SPIs when checking out SAs | Tobias Brunner | 2016-03-04 | 1 | -7/+16 | |
| | ||||||
* | smp: Correctly return IKE SPIs stored in network order | Tobias Brunner | 2016-03-04 | 1 | -4/+4 | |
| | ||||||
* | vici: Correctly return IKE SPIs stored in network order | Tobias Brunner | 2016-03-04 | 1 | -2/+4 | |
| | ||||||
* | stroke: Correctly print IKE SPIs stored in network order | Tobias Brunner | 2016-03-04 | 1 | -2/+4 | |
| | ||||||
* | byteorder: Simplify htoun64/untoh64 functions | Tobias Brunner | 2016-03-04 | 1 | -27/+0 | |
| | ||||||
* | byteorder: Always define be64toh/htobe64 macros | Tobias Brunner | 2016-03-04 | 1 | -20/+30 | |
| | ||||||
* | swanctl: Document signature scheme constraints | Tobias Brunner | 2016-03-04 | 1 | -1/+30 | |
| | ||||||
* | vici: Add support for pubkey constraints with EAP-TLS | Tobias Brunner | 2016-03-04 | 1 | -0/+8 | |
| | | | | This is a feature currently supported by stroke. | |||||
* | auth-cfg: Make IKE signature schemes configurable | Tobias Brunner | 2016-03-04 | 7 | -42/+194 | |
| | | | | | | This also restores the charon.signature_authentication_constraints functionality, that is, if no explicit IKE signature schemes are configured we apply all regular signature constraints as IKE constraints. | |||||
* | ikev2: Always store signature scheme in auth-cfg | Tobias Brunner | 2016-03-04 | 1 | -12/+1 | |
| | | | | As we use a different rule we can always store the scheme. | |||||
* | ikev2: Diversify signature scheme rule | Thomas Egerer | 2016-03-04 | 4 | -33/+72 | |
| | | | | | | | This allows for different signature schemes for IKE authentication and trustchain verification. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com> | |||||
* | ike-init: Verify REDIRECT notify before processing IKE_SA_INIT message | Tobias Brunner | 2016-03-04 | 1 | -7/+51 | |
| | | | | | | An attacker could blindly send a message with invalid nonce data (or none at all) to DoS an initiator if we just destroy the SA. To prevent this we ignore the message and wait for the one by the correct responder. | |||||
* | ikev2: Allow tasks to verify request messages before processing them | Tobias Brunner | 2016-03-04 | 1 | -4/+47 | |
| | ||||||
* | ikev2: Allow tasks to verify response messages before processing them | Tobias Brunner | 2016-03-04 | 1 | -1/+27 | |
| | ||||||
* | task: Add optional pre_process() method | Tobias Brunner | 2016-03-04 | 1 | -1/+13 | |
| | | | | | This will eventually allow tasks to pre-process and verify received messages. | |||||
* | ike-init: Ignore notifies related to redirects during rekeying | Tobias Brunner | 2016-03-04 | 1 | -3/+13 | |
| | | | | Also don't query redirect providers in this case. | |||||
* | ike-sa: Add limit for the number of redirects within a defined time period | Tobias Brunner | 2016-03-04 | 2 | -0/+54 | |
| | ||||||
* | ike-sa: Reauthenticate to the same addresses we currently use | Tobias Brunner | 2016-03-04 | 1 | -2/+5 | |
| | | | | | | If the SA got redirected this would otherwise cause a reauthentication with the original gateway. Reestablishing the SA to the original gateway, if e.g. the new gateway is not reachable makes sense though. | |||||
* | vici: Don't redirect all SAs if no selectors are given | Tobias Brunner | 2016-03-04 | 1 | -1/+1 | |
| | | | | | This avoid confusion and redirecting all SAs can now easily be done explicitly (e.g. peer_ip=0.0.0.0/0). | |||||
* | vici: Match subnets and ranges against peer IP in redirect command | Tobias Brunner | 2016-03-04 | 3 | -13/+43 | |
| | ||||||
* | vici: Match identity with wildcards against remote ID in redirect command | Tobias Brunner | 2016-03-04 | 3 | -6/+10 | |
| | ||||||
* | swanctl: Add --redirect command | Tobias Brunner | 2016-03-04 | 4 | -1/+138 | |
| |