path: root/src/libcharon/sa/ikev2/tasks/ike_auth.c
Commit message | Author | Age | Files | Lines
* ike: Do not send initial contact only for UNIQUE_NEVER
  Thomas Egerer, 2017-11-02, 1 file, -1/+0

  Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* ikev2: Negotiate support for IKE message ID synchronisation during IKE_AUTH
  Tobias Brunner, 2017-02-08, 1 file, -0/+7
* ike-auth: Don't send INITIAL_CONTACT if remote ID contains wildcards
  Tobias Brunner, 2017-02-06, 1 file, -1/+2

  Such an identity won't equal an actual peer's identity, resulting in sending an INITIAL_CONTACT notify even if there might be an existing IKE_SA.
* ikev2: Handle INITIAL_CONTACT notifies also when peer is authenticated with EAP
  Tobias Brunner, 2016-06-06, 1 file, -16/+5

  Fixes #1380.
* Use standard unsigned integer types
  Andreas Steffen, 2016-03-24, 1 file, -1/+1
* ike-auth: Handle REDIRECT notifies during IKE_AUTH
  Tobias Brunner, 2016-03-04, 1 file, -22/+44
* ike-auth: Send REDIRECT notify during IKE_AUTH if requested by providers
  Tobias Brunner, 2016-03-04, 1 file, -27/+51

  To prevent the creation of the CHILD_SA we set a condition on the IKE_SA. We also schedule a delete job in case the client does not terminate the IKE_SA (which is a SHOULD in RFC 5685).
* ikev2: Enforce remote authentication config before proceeding with own authentication
  Martin Willi, 2015-06-05, 1 file, -0/+44

  Previously the constraints in the authentication configuration of an initiator were enforced only after all authentication rounds were complete. This posed a problem if an initiator used EAP or PSK authentication while the responder was authenticated with a certificate and if a rogue server was able to authenticate itself with a valid certificate issued by any CA the initiator trusted.

  Because any constraints for the responder's identity (rightid) or other aspects of the authentication (e.g. rightca) the initiator had were not enforced until the initiator itself finished its authentication, such a rogue responder was able to acquire usernames and password hashes from the client. And if a client supported EAP-GTC it was even possible to trick it into sending plaintext passwords.

  This patch enforces the configured constraints right after the responder's authentication successfully finished for each round and before the initiator starts with its own authentication.

  Fixes CVE-2015-4171.
* payload: Use common prefixes for all payload type identifiers
  Martin Willi, 2014-06-04, 1 file, -14/+14

  The old identifiers did not use a proper namespace and often clashed with other defines.
* libcharon: Use lib->ns instead of charon->name
  Tobias Brunner, 2014-02-12, 1 file, -1/+1
* ikev2: if responder authentication fails, send AUTHENTICATION_FAILED
  Martin Willi, 2013-06-11, 1 file, -0/+29

  According to RFC 5996, we MAY send an INFORMATIONAL message having an AUTHENTICATION_FAILED. We don't do any retransmits, though, but just close the IKE_SA after one message has been sent, avoiding the danger that an unauthenticated IKE_SA stays alive.
* Raise LOCAL_AUTH_FAILED alert after receiving AUTHENTICATION_FAILURE
  Martin Willi, 2013-05-15, 1 file, -0/+1
* Apply a mutual EAP auth_cfg not before the EAP method completes
  Martin Willi, 2013-02-26, 1 file, -1/+8
* Be a little more verbose why a peer_cfg is unacceptable
  Martin Willi, 2013-02-26, 1 file, -8/+16
* Refactor auth_cfg applying to a common function
  Martin Willi, 2013-02-26, 1 file, -20/+17
* Raise alerts when enforcing IKE_SA unique policy
  Martin Willi, 2012-12-19, 1 file, -0/+1
* Raise an alert if generating local authentication data fails
  Martin Willi, 2012-12-19, 1 file, -6/+10
* Fix GPL license header to properly "sed" it
  Martin Willi, 2012-11-30, 1 file, -1/+1
* Add AUTH_RULE_IDENTITY_LOOSE which allows to use IDr loosely as initiator
  Tobias Brunner, 2012-09-18, 1 file, -1/+2

  If it is set on an auth config, IDr will not be sent, and later the configured identity will not only be checked against the returned IDr, but also against other identities contained in the responder's certificate.
* Add uniqueids=never to ignore INITIAL_CONTACT notifies
  Tobias Brunner, 2012-09-10, 1 file, -1/+2

  With uniqueids=no the daemon still deletes any existing IKE_SA with the same peer if an INITIAL_CONTACT notify is received. With this new option it also ignores these notifies.
* Use name from initialization to access settings in libcharon.
  Tobias Brunner, 2012-05-03, 1 file, -1/+1

  Also fixes several whitespace errors.
* Merge branch 'ikev1'
  Martin Willi, 2012-05-02, 1 file, -7/+17

  Conflicts:
    configure.in
    man/ipsec.conf.5.in
    src/libcharon/encoding/generator.c
    src/libcharon/encoding/payloads/notify_payload.c
    src/libcharon/encoding/payloads/notify_payload.h
    src/libcharon/encoding/payloads/payload.c
    src/libcharon/network/receiver.c
    src/libcharon/sa/authenticator.c
    src/libcharon/sa/authenticator.h
    src/libcharon/sa/ikev2/tasks/ike_init.c
    src/libcharon/sa/task_manager.c
    src/libstrongswan/credentials/auth_cfg.c
* Separated libcharon/sa directory with ikev1 and ikev2 subfolders
  Martin Willi, 2012-03-20, 1 file, -0/+1098