As the startup timestamp needs 10 characters, we only have left 4 characters
for the IKE_SA unique identifier. This is insufficient when having 10000 IKE_SAs
or more established, resulting in non-unique session identifiers.
Martin Willi [Wed, 11 Mar 2015 13:41:37 +0000 (14:41 +0100)]
ikev2: Don't set old IKE_SA to REKEYING state during make-before-break reauth
We are actually not in rekeying state, but just trigger a separate, new IKE_SA
as a replacement for the current IKE_SA. Switching to the REKEYING state
disables the invocation of both IKE and CHILD_SA updown hooks as initiator,
preventing the removal of any firewall rules.
Martin Willi [Tue, 10 Mar 2015 12:59:49 +0000 (13:59 +0100)]
ikev1: Don't handle DPD timeout job if IKE_SA got passive
While a passively installed IKE_SA does not queue a DPD timeout job, one that
switches from active to passive might execute it. Ignore such a queued job if
the IKE_SA is in passive state.
Martin Willi [Mon, 9 Mar 2015 17:04:54 +0000 (18:04 +0100)]
kernel-interface: Add a separate "update" flag to add_sa()
The current "inbound" flag is used for two purposes: To define the actual
direction of the SA, but also to determine the operation used for SA
installation. If an SPI has been allocated, an update operation is required
instead of an add.
While the inbound flag normally defines the kind of operation required, this
is not necessarily true in all cases. On the HA passive node, we install inbound
SAs without prior SPI allocation.
Martin Willi [Mon, 9 Mar 2015 16:52:33 +0000 (17:52 +0100)]
Revert "child-sa: Remove the obsolete update logic"
While the the meaning of the "inbound" flag on the kernel_interface->add_sa()
call is not very clear, we still need that update logic to allow installation of
inbound SAs without SPI allocation. This is used in the HA plugin as a passive
node.
Martin Willi [Mon, 9 Mar 2015 16:47:53 +0000 (17:47 +0100)]
Revert "ha: Always install the CHILD_SAs with the inbound flag set to FALSE"
While this change results in the correct add/update flag during installation,
it exchanges all other values in the child_sa->install() call. We should pass
the correct flag, but determine the add/update flag by other means.
Tobias Brunner [Fri, 6 Mar 2015 15:10:41 +0000 (16:10 +0100)]
tkm: Disable RFC 7427 signature authentication
TKM can't verify such signatures so we'd fail in the authorize hook.
Skipping the algorithm identifier doesn't help if the peer uses
anything other than SHA-1, so config changes would be required.
Tobias Brunner [Fri, 6 Mar 2015 14:27:33 +0000 (15:27 +0100)]
ikev2: Try all eligible signature schemes
Previously, we failed without recovery if a private key did not support
a selected signature scheme (based on key strength and the other peer's
supported hash algorithms).
Tobias Brunner [Wed, 4 Mar 2015 09:48:33 +0000 (10:48 +0100)]
plugin-loader: Increase log level for warning about plugin features that failed to load
Since we can't get rid of all unmet dependencies (at least not in every
possible plugin configuration) the message is more confusing than
helpful. In particular because a detailed warning about plugin features
that failed to load due to unmet dependencies is only logged on level 2.
Tobias Brunner [Fri, 20 Feb 2015 10:29:02 +0000 (11:29 +0100)]
tls-peer: Make sure to use the right trusted public key for peer
In case a CA certificate uses the same subject DN as the server the
previous code could end up trying to verify the server's signature with
the CA certificate's public key. By comparing the certificate with the
one sent by the peer we make sure to use the right one.
Tobias Brunner [Thu, 18 Dec 2014 08:13:38 +0000 (09:13 +0100)]
x509: Use subjectKeyIdentifier provided by issuer cert when checking CRL issuer
Some CAs don't use SHA-1 hashes of the public key as subjectKeyIdentifier and
authorityKeyIdentifier. If that's the case we can't force the
calculation of the hash to compare that to authorityKeyIdentifier in the CRL,
instead we use the subjectKeyIdentifier stored in the issuer certificate, if
available. Otherwise, we fall back to the SHA-1 hash (or comparing the
DNs) as before.
Tobias Brunner [Mon, 15 Dec 2014 15:43:03 +0000 (16:43 +0100)]
kernel-pfkey: Add option to set receive buffer size of event socket
If many requests are sent to the kernel the events generated by these
requests may fill the receive buffer before the daemon is able to read
these messages.
Tobias Brunner [Wed, 4 Mar 2015 12:56:50 +0000 (13:56 +0100)]
Merge branch 'ikev2-signature-authentication'
This adds support for RFC 7427 signature authentication in IKEv2,
enabling the use of stronger signature schemes (e.g. RSA with SHA-2)
for IKE authentication.
Public key constraints defined in `rightauth` are now also checked
against IKEv2 signature schemes (may be disabled via strongswan.conf).
Tobias Brunner [Fri, 27 Feb 2015 17:45:56 +0000 (18:45 +0100)]
ikev2: Add an option to disable constraints against signature schemes
If this is disabled the schemes configured in `rightauth` are only
checked against signature schemes used in the certificate chain and
signature schemes used during IKEv2 are ignored.
Disabling this could be helpful if existing connections with peers that
don't support RFC 7427 use signature schemes in `rightauth` to verify
certificate chains.
Tobias Brunner [Wed, 25 Feb 2015 15:44:46 +0000 (16:44 +0100)]
ikev2: Store signature scheme used to verify peer in auth_cfg
This enables late connection switching based on the signature scheme used
for IKEv2 and allows to enforce stronger signature schemes.
This may break existing connections with peers that don't support RFC 7427
if signature schemes are currently used in `rightauth` for certificate chain
validation and if the configured schemes are stronger than the default used
for IKE (e.g. SHA-1 for RSA).
Tobias Brunner [Tue, 24 Feb 2015 15:53:02 +0000 (16:53 +0100)]
ikev2: Remove private AUTH_BLISS method
We use the new signature authentication instead for this. This is not
backward compatible but we only released one version with BLISS support,
and the key format will change anyway with the next release.
Tobias Brunner [Mon, 23 Feb 2015 16:38:05 +0000 (17:38 +0100)]
public-key: Add helper to map signature schemes to ASN.1 OIDs
There is a similar function to map key_type_t and hasher_t to an OID,
but this maps schemes directly (and to use the other function we'd
have to have a function to map schemes to hash algorithms first).
Tobias Brunner [Wed, 25 Feb 2015 07:09:11 +0000 (08:09 +0100)]
ike-sa-manager: Make sure the message ID of initial messages is 0
It is mandated by the RFCs and it is expected by the task managers.
Initial messages with invalid MID will be treated like regular messages,
so no IKE_SA will be created for them. Instead, if the responder SPI is 0
no SA will be found and the message is rejected with ALERT_INVALID_IKE_SPI.
If an SPI is set and we do find an SA, then we either ignore the message
because the MID is unexpected, or because we don't allow initial messages
on established connections.
There is one exception, though, if an attacker can slip in an IKE_SA_INIT
with both SPIs set before the client's IKE_AUTH is handled by the server,
it does get processed (see next commit).
Tobias Brunner [Wed, 25 Feb 2015 07:18:58 +0000 (08:18 +0100)]
ikev2: Don't destroy the SA if an IKE_SA_INIT with unexpected MID is received
This reverts 8f727d800751 ("Clean up IKE_SA state if IKE_SA_INIT request
does not have message ID 0") because it allowed to close any IKE_SA by
sending an IKE_SA_INIT with an unexpected MID and both SPIs set to those
of that SA.
The next commit will prevent SAs from getting created for IKE_SA_INIT messages
with invalid MID.
Martin Willi [Wed, 4 Mar 2015 10:16:00 +0000 (11:16 +0100)]
ikev2: Don't adopt any CHILD_SA during make-before-break reauthentication
While the comment is rather clear that we should not adopt live CHILD_SAs
during reauthentication in IKEv2, the code does nonetheless. Add an additional
version check to fix reauthentication if the reauth responder has a replace
uniqueids policy.
Martin Willi [Tue, 3 Mar 2015 13:08:55 +0000 (14:08 +0100)]
Merge branch 'eap-constraints'
Introduces basic support for EAP server module authentication constraints. With
EAP-(T)TLS, public key, signature and end entity or CA certificate constraints
can be enforced for connections.
Martin Willi [Fri, 6 Feb 2015 11:43:33 +0000 (12:43 +0100)]
stroke: Serve ca section CA certificates directly, not over central CA set
This makes these CA certificates independent from the purge issued by reread
commands. Certificates loaded by CA sections can be removed through ipsec.conf
update/reread, while CA certificates loaded implicitly from ipsec.d/cacerts
can individually be reread using ipsec rereadcacerts.