aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon/sa/ikev2
Commit message (Collapse)AuthorAgeFilesLines
* ikev2: Derive additional 4 byte CHILD_SA nonce keymat for ChaCha20-Poly1305Martin Willi2015-06-291-0/+1
|
* ikev2: Use four byte salt for ChaCha20-Poly1305 AEADMartin Willi2015-06-291-0/+1
|
* ikev2: Enforce remote authentication config before proceeding with own ↵Martin Willi2015-06-051-0/+44
| | | | | | | | | | | | | | | | | | | | | | | | authentication Previously the constraints in the authentication configuration of an initiator were enforced only after all authentication rounds were complete. This posed a problem if an initiator used EAP or PSK authentication while the responder was authenticated with a certificate and if a rogue server was able to authenticate itself with a valid certificate issued by any CA the initiator trusted. Because any constraints for the responder's identity (rightid) or other aspects of the authentication (e.g. rightca) the initiator had were not enforced until the initiator itself finished its authentication such a rogue responder was able to acquire usernames and password hashes from the client. And if a client supported EAP-GTC it was even possible to trick it into sending plaintext passwords. This patch enforces the configured constraints right after the responder's authentication successfully finished for each round and before the initiator starts with its own authentication. Fixes CVE-2015-4171.
* unknown-payload: Use a new private payload type and make original type availableTobias Brunner2015-06-011-8/+10
| | | | | | | | | This fixes a DoS and potential remote code execution vulnerability that was caused because the original payload type that was returned previously was used to cast such payload objects to payloads of the indicated type (e.g. when logging notify payloads with a payload type for the wrong IKE version). Fixes CVE-2015-3991.
* child-create: Destroy nonceg in migrate()Tobias Brunner2015-05-051-1/+2
| | | | | Since another nonce gets allocated later (if any was allocated already) this would have resulted in a leaked nonce context ID when used in charon-tkm.
* child-create: Fix error handling if nonceg can't be createdTobias Brunner2015-05-051-14/+12
| | | | As with ike-init we can't return NULL in the task constructor.
* ike-init: Fix error handling if nonceg can't be createdTobias Brunner2015-05-051-13/+21
| | | | | | Returning FAILED in the constructor is wrong, but returning NULL doesn't work either as it's currently assumed tasks always can be created. Therefore, delay this check until we actually try to allocate a nonce.
* ike-init: Fix compiler warningTobias Brunner2015-05-051-2/+0
|
* ike-init: Make nonceg a member of ike_init structReto Buerki2015-05-041-20/+17
| | | | | | | This allows to control the life-cycle of a nonce in the context of the ike init task. In the TKM use-case the nonce generator cannot be destroyed before the ike init task is finalized, otherwise the created nonce is detected as stale.
* child-create: Make nonceg a member of child_create structReto Buerki2015-05-041-12/+16
| | | | | | | | This allows to control the life-cycle of a nonce in the context of the child create task. In the TKM use-case, it is required to reset the nonce context if the created nonce is not consumed. This happens if the child SA negotiation fails and it is detected before the SA is established via the TKM kernel plugin (i.e. rekey collision).
* Add bool param to ALERT_KEEP_ON_CHILD_SA_FAILURE alertAdrian-Ken Rueegsegger2015-05-041-2/+6
| | | | | The parameter indicates if the alert is raised upon failure to establish the first CHILD SA of an IKE SA.
* ike-vendor: Add some Microsoft vendor IDsTobias Brunner2015-04-211-0/+10
|
* utils: Use chunk_equals_const() for all cryptographic purposesMartin Willi2015-04-143-3/+3
|
* aead: Create AEAD using traditional transforms with an explicit IV generatorMartin Willi2015-04-131-4/+11
| | | | | | Real AEADs directly provide a suitable IV generator, but traditional crypters do not. For some (stream) ciphers, we should use sequential IVs, for which we pass an appropriate generator to the AEAD wrapper.
* diffie-hellman: Add a bool return value to set_other_public_value()Martin Willi2015-03-232-3/+42
|
* diffie-hellman: Add a bool return value to get_my_public_value()Martin Willi2015-03-231-0/+1
|
* encoding: Allow ke_payload_create_from_diffie_hellman() to failMartin Willi2015-03-232-7/+34
|
* diffie-hellman: Use bool instead of status_t as get_shared_secret() return valueMartin Willi2015-03-231-2/+2
| | | | | While such a change is not unproblematic, keeping status_t makes the API inconsistent once we introduce return values for the public value operations.
* ikev2: Immediately initiate queued tasks after establishing rekeyed IKE_SAMartin Willi2015-03-181-0/+29
| | | | | | If additional tasks get queued before/while rekeying an IKE_SA, these get migrated to the new IKE_SA. We previously did not trigger initiation of these tasks, though, leaving the task unexecuted until a new task gets queued.
* ikev2: Don't set old IKE_SA to REKEYING state during make-before-break reauthMartin Willi2015-03-111-1/+0
| | | | | | | | | We are actually not in rekeying state, but just trigger a separate, new IKE_SA as a replacement for the current IKE_SA. Switching to the REKEYING state disables the invocation of both IKE and CHILD_SA updown hooks as initiator, preventing the removal of any firewall rules. Fixes #885.
* ikev2: Move code in pubkey authenticator's build() method into separate ↵Tobias Brunner2015-03-091-85/+123
| | | | functions
* ikev2: Try all eligible signature schemesTobias Brunner2015-03-091-34/+71
| | | | | | Previously, we failed without recovery if a private key did not support a selected signature scheme (based on key strength and the other peer's supported hash algorithms).
* ikev2: Try all RSA signature schemes if none is configuredTobias Brunner2015-03-041-4/+19
|
* ikev2: Consider signature schemes in rightauth when sending hash algorithmsTobias Brunner2015-03-041-14/+54
|
* keymat: Use hash algorithm setTobias Brunner2015-03-041-29/+7
|
* ikev2: Add an option to disable constraints against signature schemesTobias Brunner2015-03-041-1/+11
| | | | | | | | | | If this is disabled the schemes configured in `rightauth` are only checked against signature schemes used in the certificate chain and signature schemes used during IKEv2 are ignored. Disabling this could be helpful if existing connections with peers that don't support RFC 7427 use signature schemes in `rightauth` to verify certificate chains.
* ikev2: Fall back to SHA-1 signatures for RSATobias Brunner2015-03-041-0/+7
| | | | | This is really just a fallback to "classic" IKEv2 authentication if the other peer supports no stronger hash algorithms.
* ikev2: Select a signature scheme appropriate for the given keyTobias Brunner2015-03-041-18/+13
| | | | | By enumerating hashes we'd use SHA-1 by default. This way stronger signature schemes are preferred.
* ikev2: Log the actual signature scheme used for RFC 7427 authenticationTobias Brunner2015-03-041-4/+6
|
* ikev2: Store signature scheme used to verify peer in auth_cfgTobias Brunner2015-03-041-0/+1
| | | | | | | | | | This enables late connection switching based on the signature scheme used for IKEv2 and allows to enforce stronger signature schemes. This may break existing connections with peers that don't support RFC 7427 if signature schemes are currently used in `rightauth` for certificate chain validation and if the configured schemes are stronger than the default used for IKE (e.g. SHA-1 for RSA).
* ikev2: Add a global option to disable RFC 7427 signature authenticationTobias Brunner2015-03-041-2/+12
| | | | This is mostly for testing.
* ikev2: Remove private AUTH_BLISS methodTobias Brunner2015-03-041-9/+0
| | | | | | We use the new signature authentication instead for this. This is not backward compatible but we only released one version with BLISS support, and the key format will change anyway with the next release.
* ikev2: Handle RFC 7427 signature authentication in pubkey authenticatorTobias Brunner2015-03-041-49/+178
|
* ikev2: Enable signature authentication by transmitting supported hash algorithmsTobias Brunner2015-03-041-4/+83
|
* keymat: Add facility to store supported hash algorithmsTobias Brunner2015-03-042-1/+70
|
* ikev2: Only accept initial messages in specific statesTobias Brunner2015-03-041-10/+9
| | | | | | | The previous code allowed an attacker to slip in an IKE_SA_INIT with both SPIs and MID 1 set when an IKE_AUTH would be expected instead. References #816.
* ikev2: Don't destroy the SA if an IKE_SA_INIT with unexpected MID is receivedTobias Brunner2015-03-041-4/+0
| | | | | | | | | | | | This reverts 8f727d800751 ("Clean up IKE_SA state if IKE_SA_INIT request does not have message ID 0") because it allowed to close any IKE_SA by sending an IKE_SA_INIT with an unexpected MID and both SPIs set to those of that SA. The next commit will prevent SAs from getting created for IKE_SA_INIT messages with invalid MID. Fixes #816.
* ikev2: Merge EAP client authentication details if EAP methods provides themMartin Willi2015-03-031-0/+7
|
* ikev2: Schedule a timeout for the delete message following passive IKE rekeyingMartin Willi2015-03-031-0/+6
| | | | | | | | | | | | | | | | | | | | | | | Under some conditions it can happen that the CREATE_CHILD_SA exchange for rekeying the IKE_SA initiated by the peer is successful, but the delete message does not follow. For example if processing takes just too long locally, the peer might consider us dead, but we won't notice that. As this leaves the old IKE_SA in IKE_REKEYING state, we currently avoid actively initiating any tasks, such as rekeying or scheduled DPD. This leaves the IKE_SA in a dead and unusable state. To avoid that situation, we schedule a timeout to wait for the DELETE message to follow the CREATE_CHILD_SA, before we actively start to delete the IKE_SA. Alternatively we could start a liveness check on the SA after a timeout to see if the peer still has that state and we can expect the delete to follow. But it is unclear if all peers can handle such messages in this very special state, so we currently don't go for that approach. While we could calculate the timeout based on the local retransmission timeout, the peer might use a different scheme, so a fixed timeout works as well. Fixes #742.
* ikev2: Schedule a make-before-break completion task to delete old IKE_SAMartin Willi2015-02-204-0/+168
|
* ikev2: Allow task to skip exchange by setting undefined exchange typeMartin Willi2015-02-201-0/+5
|
* ikev2: Trigger make-before-break reauthentication instead of reauth taskMartin Willi2015-02-201-0/+76
|
* attribute-manager: Pass full IKE_SA to handler methodsMartin Willi2015-02-201-4/+2
|
* attribute-manager: Pass the full IKE_SA to provider methodsMartin Willi2015-02-201-2/+2
|
* attributes: Move the configuration attributes framework to libcharonMartin Willi2015-02-201-8/+7
|
* ike: Consistently log CHILD_SAs with their unique_id instead of their reqidMartin Willi2015-02-202-3/+3
|
* inactivity-job: Schedule job by CHILD_SA unique ID instead of reqidMartin Willi2015-02-201-7/+4
|
* kernel-interface: Raise expires with a proto/SPI/dst tuple instead of reqidMartin Willi2015-02-201-2/+2
|
* ike: Maintain per-IKE_SA CHILD_SAs in the global CHILD_SA managerMartin Willi2015-02-201-8/+19
|
* child-sa: Replace reqid based marks by "unique" marksMartin Willi2015-02-203-2/+38
| | | | | | | | | | | As we now use the same reqid for multiple CHILD_SAs with the same selectors, having marks based on the reqid makes not that much sense anymore. Instead we use unique marks that use a custom identifier. This identifier is reused during rekeying, keeping the marks constant for any rule relying on it (for example installed by updown). This also simplifies handling of reqid allocation, as we do not have to query the marks that is not yet assigned for an unknown reqid.
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-10 21:37:55 +0000