| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
|
| |
We should ignore messages that have the flag set incorrectly.
This restores RFC compliance which was broken since the mentioned commit.
|
| |
|
|
|
|
|
|
|
|
|
| |
Threads might still be allocating SPIs (e.g. triggered by an acquire or
an inbound message) while the main thread calls flush(). If there is a
context switch right after such a thread successfully checked this->rng
in get_spi() and the main thread destroys the RNG instance right then,
that worker thread will cause a segmentation fault when it continues and
attempts to call get_bytes().
Fixes #1014.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
Some clients like iOS/Mac OS X don't do a mode config exchange on the
new SA during re-authentication. If we don't adopt the previous virtual
IP Quick Mode rekeying will later fail.
If a client does do Mode Config we directly reassign the VIPs we migrated
from the old SA, without querying the attributes framework.
Fixes #807, #810.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It is mandated by the RFCs and it is expected by the task managers.
Initial messages with invalid MID will be treated like regular messages,
so no IKE_SA will be created for them. Instead, if the responder SPI is 0
no SA will be found and the message is rejected with ALERT_INVALID_IKE_SPI.
If an SPI is set and we do find an SA, then we either ignore the message
because the MID is unexpected, or because we don't allow initial messages
on established connections.
There is one exception, though, if an attacker can slip in an IKE_SA_INIT
with both SPIs set before the client's IKE_AUTH is handled by the server,
it does get processed (see next commit).
References #816.
|
| |
|
|
|
|
|
|
|
| |
While the comment is rather clear that we should not adopt live CHILD_SAs
during reauthentication in IKEv2, the code does nonetheless. Add an additional
version check to fix reauthentication if the reauth responder has a replace
uniqueids policy.
Fixes #871.
|
| | |
|
| | |
|
| |
|
|
| |
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
|
| |
|
|
|
| |
This fails if there are unencrypted payloads before an encrypted
fragment payload in the first fragment.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To check if a received IKE_SA_INIT request is a new request or a
retransmit, charon maintains hashes of the pending IKE_SA_INIT
exchanges.
However, the hash calculation is not reentrant because a single hasher
is used for the whole IKE SA manager. It leads to bogus calculations
under high load and hence dropped messages on responder
(IkeInInvalidSpi incremented).
Don't share a single hasher in the IKE SA manager, create a transient
one whenever a message must be hashed.
Signed-off-by: Christophe Gouault <christophe.gouault@6wind.com>
|
| |
|
|
|
| |
The old identifiers did not use a proper namespace and often clashed with
other defines.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch is based on one by Christoph Gouault.
Currently, to count the total number of half_open IKE_SAs,
get_half_open_count sums up the count of each segment in the SA hash
table (acquiring a lock for each segment). This procedure does not scale
well when the number of segments increases, as the method is called for
each new negotiation.
Instead, lets maintain a global atomic counter.
This optimization allows the use of big values for charon.ikesa_table_size
and charon.ikesa_table_segments.
|
| | |
|
| |
|
|
| |
for IKEv2 anyway
|
| |
|
|
|
|
|
| |
When we have a "keep" unique policy in place, we have to be less strict in
rejecting Main/Aggressive Modes to enforce it. If the host/port equals to
that of an existing ISAKMP SA, we assume it is a reauthentication attempt
and accept the new SA (to replace the old).
|
| |
|
|
|
|
|
|
|
| |
Sending a DELETE for the replaced SA immediately is problematic during
reauthentication, as the peer might have associated the Quick Modes to the
old SA, and also delete them.
With this change the delete for the old ISAKMP SA is usually omitted, as it
is gets implicitly deleted by the reauth.
|
| |\
| |
| |
| |
| | |
Migrates Quick Modes to the new Main Mode if an IKEv1 reauthentication replaces
the old Main Mode having a uniqueids=replace policy.
|
| | | |
|
| |\ \
| | |
| | |
| | |
| | |
| | | |
Fixes retransmit of the last Main Mode or IKE_AUTH message, and correctly
queues Main Mode messages when processing of the last message is still in
progress.
|
| | | |
| | |
| | |
| | |
| | | |
As the message ID is zero in all Main Mode messages, it can't be used to detect
if we are already processing a given message.
|
| | |/ |
|
| |/
|
|
|
| |
In other cases (i.e. when functions return DESTROY_ME) the event should
already be triggered, but not in this forced situation.
|
| | |
|
| |
|
|
| |
IKE_SA
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
With uniqueids=no the daemon still deletes any existing IKE_SA with the
same peer if an INITIAL_CONTACT notify is received. With this new option
it also ignores these notifies.
|
| |
|
|
| |
LLVMs clang complains about this parameter, so remove it.
|
| |
|
|
|
|
|
| |
If two initiators use the same SPI and also use the same SA proposal the
hash for the initial message would be exactly the same. For IKEv2 and
Aggressive Mode that's not a problem as these messages include random
data (Ni, KEi payloads).
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
Also fixes several whitespace errors.
|
| | |
|
| |
|
|
|
|
| |
This change allows to properly handle retransmits of initial IKE
messages when we've already processed them (i.e. our response is now resent
immediately).
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
For IKEv1 the previous behavior of always using the initiator's SPI as
key is maintained.
|
| |
|
|
| |
This does not require us to do a lookup for an SA by SPI first.
|
| | |
|
| | |
|
