Tobias Brunner [Mon, 1 Feb 2016 17:16:16 +0000 (18:16 +0100)]
auth-cfg: Make IKE signature schemes configurable
This also restores the charon.signature_authentication_constraints
functionality, that is, if no explicit IKE signature schemes are
configured we apply all regular signature constraints as IKE constraints.
Tobias Brunner [Fri, 4 Mar 2016 15:03:07 +0000 (16:03 +0100)]
Merge branch 'ike-redirect'
This adds support for IKEv2 redirection (RFC 5685). There is currently
no default implementation of the redirect_provider_t interface provided.
Plugins may implement the interface to decide if and when to redirect
connecting clients. It is also possible to redirect established IKE_SAs
via VICI/swanctl.
Tobias Brunner [Thu, 21 May 2015 12:56:01 +0000 (14:56 +0200)]
ike-init: Verify REDIRECT notify before processing IKE_SA_INIT message
An attacker could blindly send a message with invalid nonce data (or none
at all) to DoS an initiator if we just destroy the SA. To prevent this we
ignore the message and wait for the one by the correct responder.
ike-sa: Reauthenticate to the same addresses we currently use
If the SA got redirected this would otherwise cause a reauthentication with
the original gateway. Reestablishing the SA to the original gateway, if e.g.
the new gateway is not reachable makes sense though.
ike-auth: Send REDIRECT notify during IKE_AUTH if requested by providers
To prevent the creation of the CHILD_SA we set a condition on the
IKE_SA. We also schedule a delete job in case the client does not
terminate the IKE_SA (which is a SHOULD in RFC 5685).
Tobias Brunner [Wed, 10 Feb 2016 09:11:31 +0000 (10:11 +0100)]
ikev1: Send and verify IPv6 addresses correctly
According to the mode-config draft there is no prefix sent for
IPv6 addresses in IKEv1. We still accept 17 bytes long addresses for
backwards compatibility with older strongSwan releases.
Tobias Brunner [Wed, 17 Feb 2016 16:31:51 +0000 (17:31 +0100)]
ikev1: Allow immediate deletion of rekeyed CHILD_SAs
When charon rekeys a CHILD_SA after a soft limit expired, it is only
deleted after the hard limit is reached. In case of packet/byte limits
this may not be the case for a long time since the packets/bytes are
usually sent using the new SA. This may result in a very large number of
stale CHILD_SAs and kernel states. With enough connections configured this
will ultimately exhaust the memory of the system.
This patch adds a strongswan.conf setting that, if enabled, causes the old
CHILD_SA to be deleted by the initiator after a successful rekeying.
Enabling this setting might create problems with implementations that
continue to use rekeyed SAs (e.g. if the DELETE notify is lost).
Tobias Brunner [Thu, 17 Dec 2015 17:18:09 +0000 (18:18 +0100)]
ikev1: Avoid modifying local auth config when detecting pubkey method
If it was necessary to pass the local certificates we could probably
clone the config (but we don't do that either when later looking for the
key to actually authenticate).
Passing auth adds the same subject cert to the config over and over
again (I guess we could also try to prevent that by searching for
duplicates).
Tobias Brunner [Mon, 30 Nov 2015 15:04:35 +0000 (16:04 +0100)]
connmark: Fix alignment when adding rules
The structs that make up a message sent to the kernel have all to be
aligned with XT_ALIGN. That was not necessarily the case when
initializing the complete message as struct.
Thomas Egerer [Mon, 1 Feb 2016 13:52:49 +0000 (14:52 +0100)]
charon: Add custom logger to daemon
This logger can be used to easily register custom logging instances
using __attribute__((constructor)) benefiting from the global reload
mechanism (with reset of log levels).
Note that this is not intended to be used from plugins, which are loaded
after loggers have already been initialized.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
Tobias Brunner [Wed, 17 Feb 2016 10:55:45 +0000 (11:55 +0100)]
testing: Use absolute path to the _updown script in SQL scenarios
/usr/local/sbin is not included in PATH set by the charon init script and
since the ipsec script is obsolete when using swanctl it makes sense to
change this anyway.
Tobias Brunner [Wed, 10 Feb 2016 15:41:52 +0000 (16:41 +0100)]
ike-sa-manager: Store a reference to the thread that checked out an IKE_SA
This could be helpful when debugging deadlocks that manifest around
wait_for_entry(), as it helps identifying other involved threads (the
thread object is seen in the thread_main() call in each thread's backtrace).
Andreas Steffen [Tue, 16 Feb 2016 17:00:27 +0000 (18:00 +0100)]
Fix of the mutual TNC measurement use case
If the IKEv2 initiator acting as a TNC server receives invalid TNC measurements
from the IKEv2 responder acting as a TNC clienti, the exchange of PB-TNC batches
is continued until the IKEv2 responder acting as a TNC server has also finished
its TNC measurements.
In the past if these measurements in the other direction were correct
the IKEv2 responder acting as EAP server declared the IKEv2 EAP authentication
successful and the IPsec connection was established even though the TNC
measurement verification on the EAP peer side failed.
The fix adds an "allow" group membership on each endpoint if the corresponding
TNC measurements of the peer are successful. By requiring a "allow" group
membership in the IKEv2 connection definition the IPsec connection succeeds
only if the TNC measurements on both sides are valid.
Tobias Brunner [Thu, 4 Feb 2016 09:14:22 +0000 (10:14 +0100)]
libipsec: Don't attempt deletion of any non-IPsec policies
An example are the fallback drop policies installed when updating SAs.
We ignore such policies in add_policy() so there is no point in attempting
to remove them. Since they use different priorities than regular policies
this did not result in policies getting deleted unintentionally but there
was an irritating log message on level 2 that indicated otherwise.
Tobias Brunner [Mon, 1 Feb 2016 14:29:25 +0000 (15:29 +0100)]
peer-cfg: Set DPD timeout to at least DPD delay
If DPD timeout is set but to a value smaller than the DPD delay the code
in task_manager_v1.c:queue_liveliness_check will run into an integer
underrun.
Tobias Brunner [Fri, 18 Dec 2015 14:23:30 +0000 (15:23 +0100)]
ikev1: Always enable charon.reuse_ikesa
With IKEv1 we have to reuse IKE_SAs as otherwise the responder might
detect the new SA as reauthentication and will "adopt" the CHILD_SAs of
the original IKE_SA, while the initiator will not do so. This could
cause CHILD_SA rekeying to fail later.
Tobias Brunner [Mon, 18 Jan 2016 16:03:46 +0000 (17:03 +0100)]
load-tester: Register kernel-ipsec implementation as plugin feature
Otherwise, libcharon's dependency on kernel-ipsec can't be satisfied.
This changed with db61c37690b5 ("kernel-interface: Return bool for
kernel interface registration") as the registration of further
kernel-ipsec implementations now fails and therefore even if other
plugins are loaded the dependency will not be satisfied anymore.
Tobias Brunner [Tue, 15 Dec 2015 16:15:32 +0000 (17:15 +0100)]
child-rekey: Suppress updown event when deleting redundant CHILD_SAs
When handling a rekey collision we might have to delete an already
installed redundant CHILD_SA (or expect the other peer to do so).
We don't want to trigger updown events for these as neither do we do
so for successfully rekeyed CHILD_SAs.
Tobias Brunner [Tue, 26 Jan 2016 10:13:13 +0000 (11:13 +0100)]
ha: Properly sync IKEv1 IV if gateway is initiator
To handle Phase 2 exchanges on the other HA host we need to sync the last
block of the last Phase 1 message (or the last expected IV). If the
gateway is the initiator of a Main Mode SA the last message is an
inbound message. When handling such messages the expected IV is not
updated until it is successfully decrypted so we can't sync the IV
when processing the still encrypted (!plain) message. However, as responder,
i.e. if the last message is an outbound message, the reverse applies, that
is, we get the next IV after successfully encrypting the message, not
while handling the plain message.
Tobias Brunner [Tue, 19 Jan 2016 13:42:17 +0000 (14:42 +0100)]
ha: Add DH group to IKE_ADD message
It is required for IKEv1 to determine the DH group of the CHILD SAs
during rekeying. It also fixes the status output for HA SAs, which so
far haven't shown the DH group on the passive side.
Tobias Brunner [Mon, 18 Jan 2016 16:33:29 +0000 (17:33 +0100)]
ike-sa-manager: Don't update entries for init messages after unlocking segment
If the retransmit of an initial message is processed concurrently with the
original message it might not have been handled as intended as the
thread processing the retransmit might not have seen the correct value
of entry->processing set by the thread handling the original request.
For IKEv1, i.e. without proper message IDs, there might still be races e.g.
when receiving a retransmit of the initial IKE message while processing the
initiator's second request.