diff options
| author | Tobias Brunner <tobias@strongswan.org> | 2015-10-27 17:34:50 +0100 |
|---|---|---|
| committer | Tobias Brunner <tobias@strongswan.org> | 2016-03-10 11:07:15 +0100 |
| commit | f1cbacc5d1be01938f35d04dfad10e0ed441ce0f (patch) | |
| tree | 198122bc3c8982783874382481aa41f1682b1b5b /src/libcharon/sa/ikev2 | |
| parent | 8ce78e43a4746ce4d3d107ef2ed2f4e13f1c9c8f (diff) | |
| download | strongswan-f1cbacc5d1be01938f35d04dfad10e0ed441ce0f.tar.bz2 strongswan-f1cbacc5d1be01938f35d04dfad10e0ed441ce0f.tar.xz | |
ikev2: Delay online revocation checks during make-before-break reauthentication
We do these checks after the SA is fully established.
When establishing an SA the responder is always able to install the
CHILD_SA created with the IKE_SA before the initiator can do so.
During make-before-break reauthentication this could cause traffic sent
by the responder to get dropped if the installation of the SA on the
initiator is delayed e.g. by OCSP/CRL checks.
In particular, if the OCSP/CRL URIs are reachable via IPsec tunnel (e.g.
with rightsubnet=0.0.0.0/0) the initiator is unable to reach them during
make-before-break reauthentication as it wouldn't be able to decrypt the
response that the responder sends using the new CHILD_SA.
By delaying the revocation checks until the make-before-break
reauthentication is completed we avoid the problems described above.
Since this only affects reauthentication, not the original IKE_SA, and the
delay until the checks are performed is usually not that long this
doesn't impose much of a reduction in the overall security.
Diffstat (limited to 'src/libcharon/sa/ikev2')
| -rw-r--r-- | src/libcharon/sa/ikev2/task_manager_v2.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c index c573c23c8..c2f972ab1 100644 --- a/src/libcharon/sa/ikev2/task_manager_v2.c +++ b/src/libcharon/sa/ikev2/task_manager_v2.c @@ -35,6 +35,7 @@ #include <sa/ikev2/tasks/ike_config.h> #include <sa/ikev2/tasks/ike_dpd.h> #include <sa/ikev2/tasks/ike_vendor.h> +#include <sa/ikev2/tasks/ike_verify_peer_cert.h> #include <sa/ikev2/tasks/child_create.h> #include <sa/ikev2/tasks/child_rekey.h> #include <sa/ikev2/tasks/child_delete.h> @@ -1655,8 +1656,12 @@ static void trigger_mbb_reauth(private_task_manager_t *this) } enumerator->destroy(enumerator); + /* suspend online revocation checking until the SA is established */ + new->set_condition(new, COND_ONLINE_VALIDATION_SUSPENDED, TRUE); + if (new->initiate(new, NULL, 0, NULL, NULL) != DESTROY_ME) { + new->queue_task(new, (task_t*)ike_verify_peer_cert_create(new)); new->queue_task(new, (task_t*)ike_reauth_complete_create(new, this->ike_sa->get_id(this->ike_sa))); charon->ike_sa_manager->checkin(charon->ike_sa_manager, new); |