Tobias Brunner [Mon, 23 Mar 2015 09:58:30 +0000 (10:58 +0100)]
ikev1: Make sure SPIs in an IKEv1 DELETE payload match the current SA
OpenBSD's isakmpd uses the latest ISAKMP SA to delete other expired SAs.
This caused strongSwan to delete e.g. a rekeyed SA even though isakmpd
meant to delete the old one.
What isakmpd does might not be standard compliant. As RFC 2408 puts
it:
Deletion which is concerned with an ISAKMP SA will contain a
Protocol-Id of ISAKMP and the SPIs are the initiator and responder
cookies from the ISAKMP Header.
This could either be interpreted as "copy the SPIs from the ISAKMP
header of the current message to the DELETE payload" (which is what
strongSwan assumed, and the direction IKEv2 took it, by not sending SPIs
for IKE), or as clarification that ISAKMP "cookies" are actually the
SPIs meant to be put in the payload (but that any ISAKMP SA may be
deleted).
Tobias Brunner [Mon, 16 Mar 2015 17:25:22 +0000 (18:25 +0100)]
pki: Use SHA-256 as default for signatures
Since the BLISS private key supports this we don't do any special
handling anymore (if the user choses a digest that is not supported,
signing will simply fail later because no signature scheme will be found).
Tobias Brunner [Thu, 12 Mar 2015 10:50:20 +0000 (11:50 +0100)]
trap-manager: Add option to ignore traffic selectors from acquire events
The specific traffic selectors from the acquire events, which are derived
from the triggering packet, are usually prepended to those from the
config. Some implementations might not be able to handle these properly.
Tobias Brunner [Fri, 20 Mar 2015 15:32:56 +0000 (16:32 +0100)]
encoding: Don't verify length of IKEv1 KE payloads
The verification introduced with 84738b1aed95 ("encoding: Verify the length
of KE payload data for known groups") can't be done for IKEv1 as the KE
payload does not contain the DH group.
Martin Willi [Thu, 19 Mar 2015 11:17:03 +0000 (12:17 +0100)]
apidoc: Limit INPUT to src subdirectory and README.md
While 0909bf6c explicitly includes the whole source tree (to cover README.md),
this has the unpleasant side effect of covering a workspace under "testing"
with all its sources, or any other potential subdirectory that exists.
Martin Willi [Thu, 19 Mar 2015 10:24:31 +0000 (11:24 +0100)]
attr-sql: Rename sql_attribute_t to attr_sql_provider_t
As the plugin has its origins in the sql plugin, it still uses the naming
scheme for the attribute provider implementation. Rename the class to better
match the naming scheme we use in any other plugin
Tobias Brunner [Fri, 20 Feb 2015 15:57:13 +0000 (16:57 +0100)]
ikev1: Adopt virtual IPs on new IKE_SA during re-authentication
Some clients like iOS/Mac OS X don't do a mode config exchange on the
new SA during re-authentication. If we don't adopt the previous virtual
IP Quick Mode rekeying will later fail.
If a client does do Mode Config we directly reassign the VIPs we migrated
from the old SA, without querying the attributes framework.
Martin Willi [Mon, 2 Mar 2015 14:25:55 +0000 (15:25 +0100)]
vici: Return a Python generator instead of a list for streamed responses
In addition that it may reduce memory usage and improve performance for large
responses, it returns immediate results. This is important for longer lasting
commands, such as initiate/terminate, where immediate log feedback is preferable
when interactively calling such commands.
Martin Willi [Fri, 27 Feb 2015 13:28:47 +0000 (14:28 +0100)]
vici: Return authentication rounds with unique names
To simplify handling of authentication rounds in dictionaries/hashtables on the
client side, we assign unique names to each authentication round when listing
connection.
Martin Willi [Wed, 25 Feb 2015 15:20:10 +0000 (16:20 +0100)]
vici: Add python egg setuptools building and installation using easy_install
An uninstall target is currently not supported, as there is no trivial way with
either plain setuptools or with easy_install. pip would probably be the best
choice, but we currently don't depend on it.
Martin Willi [Tue, 3 Feb 2015 15:40:14 +0000 (16:40 +0100)]
encoding: Verify the length of KE payload data for known groups
IKE is very strict in the length of KE payloads, and it should be safe to
strictly verify their length. Not doing so is no direct threat, but allows DDoS
amplification by sending short KE payloads for large groups using the target
as the source address.
Martin Willi [Wed, 11 Mar 2015 10:30:51 +0000 (11:30 +0100)]
ikev2: Immediately initiate queued tasks after establishing rekeyed IKE_SA
If additional tasks get queued before/while rekeying an IKE_SA, these get
migrated to the new IKE_SA. We previously did not trigger initiation of these
tasks, though, leaving the task unexecuted until a new task gets queued.
As the startup timestamp needs 10 characters, we only have left 4 characters
for the IKE_SA unique identifier. This is insufficient when having 10000 IKE_SAs
or more established, resulting in non-unique session identifiers.
Martin Willi [Wed, 11 Mar 2015 13:41:37 +0000 (14:41 +0100)]
ikev2: Don't set old IKE_SA to REKEYING state during make-before-break reauth
We are actually not in rekeying state, but just trigger a separate, new IKE_SA
as a replacement for the current IKE_SA. Switching to the REKEYING state
disables the invocation of both IKE and CHILD_SA updown hooks as initiator,
preventing the removal of any firewall rules.
Martin Willi [Tue, 10 Mar 2015 12:59:49 +0000 (13:59 +0100)]
ikev1: Don't handle DPD timeout job if IKE_SA got passive
While a passively installed IKE_SA does not queue a DPD timeout job, one that
switches from active to passive might execute it. Ignore such a queued job if
the IKE_SA is in passive state.
Martin Willi [Mon, 9 Mar 2015 17:04:54 +0000 (18:04 +0100)]
kernel-interface: Add a separate "update" flag to add_sa()
The current "inbound" flag is used for two purposes: To define the actual
direction of the SA, but also to determine the operation used for SA
installation. If an SPI has been allocated, an update operation is required
instead of an add.
While the inbound flag normally defines the kind of operation required, this
is not necessarily true in all cases. On the HA passive node, we install inbound
SAs without prior SPI allocation.
Martin Willi [Mon, 9 Mar 2015 16:52:33 +0000 (17:52 +0100)]
Revert "child-sa: Remove the obsolete update logic"
While the the meaning of the "inbound" flag on the kernel_interface->add_sa()
call is not very clear, we still need that update logic to allow installation of
inbound SAs without SPI allocation. This is used in the HA plugin as a passive
node.
Martin Willi [Mon, 9 Mar 2015 16:47:53 +0000 (17:47 +0100)]
Revert "ha: Always install the CHILD_SAs with the inbound flag set to FALSE"
While this change results in the correct add/update flag during installation,
it exchanges all other values in the child_sa->install() call. We should pass
the correct flag, but determine the add/update flag by other means.
Tobias Brunner [Fri, 6 Mar 2015 15:10:41 +0000 (16:10 +0100)]
tkm: Disable RFC 7427 signature authentication
TKM can't verify such signatures so we'd fail in the authorize hook.
Skipping the algorithm identifier doesn't help if the peer uses
anything other than SHA-1, so config changes would be required.
Tobias Brunner [Fri, 6 Mar 2015 14:27:33 +0000 (15:27 +0100)]
ikev2: Try all eligible signature schemes
Previously, we failed without recovery if a private key did not support
a selected signature scheme (based on key strength and the other peer's
supported hash algorithms).
Tobias Brunner [Wed, 4 Mar 2015 09:48:33 +0000 (10:48 +0100)]
plugin-loader: Increase log level for warning about plugin features that failed to load
Since we can't get rid of all unmet dependencies (at least not in every
possible plugin configuration) the message is more confusing than
helpful. In particular because a detailed warning about plugin features
that failed to load due to unmet dependencies is only logged on level 2.
Tobias Brunner [Fri, 20 Feb 2015 10:29:02 +0000 (11:29 +0100)]
tls-peer: Make sure to use the right trusted public key for peer
In case a CA certificate uses the same subject DN as the server the
previous code could end up trying to verify the server's signature with
the CA certificate's public key. By comparing the certificate with the
one sent by the peer we make sure to use the right one.