aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon/sa/ikev2
Commit message (Collapse)AuthorAgeFilesLines
* ikev2: Fix size of key material for CAMELLIA-CTRTobias Brunner2015-10-301-0/+1
| | | | Like AES in CTR mode it includes a 4 byte nonce.
* ike-mobike: Send retransmits to the current local and remote addressesTobias Brunner2015-10-301-1/+5
| | | | | | These might have changed by a peer-initiated MOBIKE address update. Fixes #1125.
* child-rekey: Don't add a REKEY_SA notify if the child-create task is ↵Tobias Brunner2015-08-211-6/+9
| | | | deleting the SA
* child-create: Cache proposed IPsec protocolTobias Brunner2015-08-211-10/+13
| | | | | This allows us to DELETE CHILD_SAs on failures that occur before we retrieved the selected proposal.
* child-create: Don't attempt to delete the SA if we don't have all the ↵Tobias Brunner2015-08-211-8/+10
| | | | | | | information Since we only support single protocols we could probably guess it and always send a DELETE.
* child-rekey: Remove redundant migrate() call for child-create sub-taskTobias Brunner2015-08-211-2/+1
| | | | | | | When retrying due to a DH group mismatch this is already done by the child-create task itself. And in other cases where the task returns NEED_MORE we actually will need access to a possible proposal to properly delete it.
* child-create: Fix crash when retrying CHILD_SA rekeying due to a DH group ↵Tobias Brunner2015-08-211-0/+1
| | | | | | | | | | mismatch If the responder declines our KE payload during a CHILD_SA rekeying migrate() is called to reuse the child-create task. But the child-rekey task then calls the same method again. Fixes: 32df0d81fb46 ("child-create: Destroy nonceg in migrate()")
* ikev2: Store outer EAP method used to authenticate remote peer in auth-cfgTobias Brunner2015-08-191-0/+9
| | | | | | | This allows symmetric configuration of EAP methods (i.e. the same value in leftauth and rightauth) when mutual EAP-only authentication is used. Previously the client had to configure rightauth=eap or rightauth=any, which prevented it from using this same config as responder.
* Initialize variables that some compilers seem to warn aboutTobias Brunner2015-08-131-1/+1
|
* ike-rekey: Fix cleanup() callTobias Brunner2015-07-271-2/+2
|
* ike-rekey: Reset IKE_SA on bus before sending CREATE_CHILD_SA responseTobias Brunner2015-07-271-1/+2
| | | | | Even when there is no error the CREATE_CHILD_SA response should be sent in the context of the existing IKE_SA.
* ike-rekey: Reset IKE_SA on the bus after destroying new IKE_SATobias Brunner2015-07-271-16/+15
| | | | | | | | | | | | | | | The destroy() method sets the IKE_SA on the bus to NULL, we reset it to the current IKE_SA so any events and log messages that follow happen in the correct context. A practical example where this is problematic is a DH group mismatch, which causes the first CREATE_CHILD_SA exchange to fail. Because the SA was not reset previously, the message() hook for the CREATE_CHILD_SA response, for instance, was triggered outside the context of an IKE_SA, that is, the ike_sa parameter was NULL, which is definitely not expected by several plugins. Fixes #862.
* ikev2: Derive additional 4 byte CHILD_SA nonce keymat for ChaCha20-Poly1305Martin Willi2015-06-291-0/+1
|
* ikev2: Use four byte salt for ChaCha20-Poly1305 AEADMartin Willi2015-06-291-0/+1
|
* ikev2: Enforce remote authentication config before proceeding with own ↵Martin Willi2015-06-051-0/+44
| | | | | | | | | | | | | | | | | | | | | | | | authentication Previously the constraints in the authentication configuration of an initiator were enforced only after all authentication rounds were complete. This posed a problem if an initiator used EAP or PSK authentication while the responder was authenticated with a certificate and if a rogue server was able to authenticate itself with a valid certificate issued by any CA the initiator trusted. Because any constraints for the responder's identity (rightid) or other aspects of the authentication (e.g. rightca) the initiator had were not enforced until the initiator itself finished its authentication such a rogue responder was able to acquire usernames and password hashes from the client. And if a client supported EAP-GTC it was even possible to trick it into sending plaintext passwords. This patch enforces the configured constraints right after the responder's authentication successfully finished for each round and before the initiator starts with its own authentication. Fixes CVE-2015-4171.
* unknown-payload: Use a new private payload type and make original type availableTobias Brunner2015-06-011-8/+10
| | | | | | | | | This fixes a DoS and potential remote code execution vulnerability that was caused because the original payload type that was returned previously was used to cast such payload objects to payloads of the indicated type (e.g. when logging notify payloads with a payload type for the wrong IKE version). Fixes CVE-2015-3991.
* child-create: Destroy nonceg in migrate()Tobias Brunner2015-05-051-1/+2
| | | | | Since another nonce gets allocated later (if any was allocated already) this would have resulted in a leaked nonce context ID when used in charon-tkm.
* child-create: Fix error handling if nonceg can't be createdTobias Brunner2015-05-051-14/+12
| | | | As with ike-init we can't return NULL in the task constructor.
* ike-init: Fix error handling if nonceg can't be createdTobias Brunner2015-05-051-13/+21
| | | | | | Returning FAILED in the constructor is wrong, but returning NULL doesn't work either as it's currently assumed tasks always can be created. Therefore, delay this check until we actually try to allocate a nonce.
* ike-init: Fix compiler warningTobias Brunner2015-05-051-2/+0
|
* ike-init: Make nonceg a member of ike_init structReto Buerki2015-05-041-20/+17
| | | | | | | This allows to control the life-cycle of a nonce in the context of the ike init task. In the TKM use-case the nonce generator cannot be destroyed before the ike init task is finalized, otherwise the created nonce is detected as stale.
* child-create: Make nonceg a member of child_create structReto Buerki2015-05-041-12/+16
| | | | | | | | This allows to control the life-cycle of a nonce in the context of the child create task. In the TKM use-case, it is required to reset the nonce context if the created nonce is not consumed. This happens if the child SA negotiation fails and it is detected before the SA is established via the TKM kernel plugin (i.e. rekey collision).
* Add bool param to ALERT_KEEP_ON_CHILD_SA_FAILURE alertAdrian-Ken Rueegsegger2015-05-041-2/+6
| | | | | The parameter indicates if the alert is raised upon failure to establish the first CHILD SA of an IKE SA.
* ike-vendor: Add some Microsoft vendor IDsTobias Brunner2015-04-211-0/+10
|
* utils: Use chunk_equals_const() for all cryptographic purposesMartin Willi2015-04-143-3/+3
|
* aead: Create AEAD using traditional transforms with an explicit IV generatorMartin Willi2015-04-131-4/+11
| | | | | | Real AEADs directly provide a suitable IV generator, but traditional crypters do not. For some (stream) ciphers, we should use sequential IVs, for which we pass an appropriate generator to the AEAD wrapper.
* diffie-hellman: Add a bool return value to set_other_public_value()Martin Willi2015-03-232-3/+42
|
* diffie-hellman: Add a bool return value to get_my_public_value()Martin Willi2015-03-231-0/+1
|
* encoding: Allow ke_payload_create_from_diffie_hellman() to failMartin Willi2015-03-232-7/+34
|
* diffie-hellman: Use bool instead of status_t as get_shared_secret() return valueMartin Willi2015-03-231-2/+2
| | | | | While such a change is not unproblematic, keeping status_t makes the API inconsistent once we introduce return values for the public value operations.
* ikev2: Immediately initiate queued tasks after establishing rekeyed IKE_SAMartin Willi2015-03-181-0/+29
| | | | | | If additional tasks get queued before/while rekeying an IKE_SA, these get migrated to the new IKE_SA. We previously did not trigger initiation of these tasks, though, leaving the task unexecuted until a new task gets queued.
* ikev2: Don't set old IKE_SA to REKEYING state during make-before-break reauthMartin Willi2015-03-111-1/+0
| | | | | | | | | We are actually not in rekeying state, but just trigger a separate, new IKE_SA as a replacement for the current IKE_SA. Switching to the REKEYING state disables the invocation of both IKE and CHILD_SA updown hooks as initiator, preventing the removal of any firewall rules. Fixes #885.
* ikev2: Move code in pubkey authenticator's build() method into separate ↵Tobias Brunner2015-03-091-85/+123
| | | | functions
* ikev2: Try all eligible signature schemesTobias Brunner2015-03-091-34/+71
| | | | | | Previously, we failed without recovery if a private key did not support a selected signature scheme (based on key strength and the other peer's supported hash algorithms).
* ikev2: Try all RSA signature schemes if none is configuredTobias Brunner2015-03-041-4/+19
|
* ikev2: Consider signature schemes in rightauth when sending hash algorithmsTobias Brunner2015-03-041-14/+54
|
* keymat: Use hash algorithm setTobias Brunner2015-03-041-29/+7
|
* ikev2: Add an option to disable constraints against signature schemesTobias Brunner2015-03-041-1/+11
| | | | | | | | | | If this is disabled the schemes configured in `rightauth` are only checked against signature schemes used in the certificate chain and signature schemes used during IKEv2 are ignored. Disabling this could be helpful if existing connections with peers that don't support RFC 7427 use signature schemes in `rightauth` to verify certificate chains.
* ikev2: Fall back to SHA-1 signatures for RSATobias Brunner2015-03-041-0/+7
| | | | | This is really just a fallback to "classic" IKEv2 authentication if the other peer supports no stronger hash algorithms.
* ikev2: Select a signature scheme appropriate for the given keyTobias Brunner2015-03-041-18/+13
| | | | | By enumerating hashes we'd use SHA-1 by default. This way stronger signature schemes are preferred.
* ikev2: Log the actual signature scheme used for RFC 7427 authenticationTobias Brunner2015-03-041-4/+6
|
* ikev2: Store signature scheme used to verify peer in auth_cfgTobias Brunner2015-03-041-0/+1
| | | | | | | | | | This enables late connection switching based on the signature scheme used for IKEv2 and allows to enforce stronger signature schemes. This may break existing connections with peers that don't support RFC 7427 if signature schemes are currently used in `rightauth` for certificate chain validation and if the configured schemes are stronger than the default used for IKE (e.g. SHA-1 for RSA).
* ikev2: Add a global option to disable RFC 7427 signature authenticationTobias Brunner2015-03-041-2/+12
| | | | This is mostly for testing.
* ikev2: Remove private AUTH_BLISS methodTobias Brunner2015-03-041-9/+0
| | | | | | We use the new signature authentication instead for this. This is not backward compatible but we only released one version with BLISS support, and the key format will change anyway with the next release.
* ikev2: Handle RFC 7427 signature authentication in pubkey authenticatorTobias Brunner2015-03-041-49/+178
|
* ikev2: Enable signature authentication by transmitting supported hash algorithmsTobias Brunner2015-03-041-4/+83
|
* keymat: Add facility to store supported hash algorithmsTobias Brunner2015-03-042-1/+70
|
* ikev2: Only accept initial messages in specific statesTobias Brunner2015-03-041-10/+9
| | | | | | | The previous code allowed an attacker to slip in an IKE_SA_INIT with both SPIs and MID 1 set when an IKE_AUTH would be expected instead. References #816.
* ikev2: Don't destroy the SA if an IKE_SA_INIT with unexpected MID is receivedTobias Brunner2015-03-041-4/+0
| | | | | | | | | | | | This reverts 8f727d800751 ("Clean up IKE_SA state if IKE_SA_INIT request does not have message ID 0") because it allowed to close any IKE_SA by sending an IKE_SA_INIT with an unexpected MID and both SPIs set to those of that SA. The next commit will prevent SAs from getting created for IKE_SA_INIT messages with invalid MID. Fixes #816.
* ikev2: Merge EAP client authentication details if EAP methods provides themMartin Willi2015-03-031-0/+7
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-11 17:10:54 +0000