| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
| |
If this is the first message by the peer, i.e. we expect MID 0, the
message is not pre-processed in the task manager so we ignore it in the
task.
We also make sure to ignore such messages if the extension is disabled
and the peer already sent us one INFORMATIONAL, e.g. a DPD (we'd otherwise
consider the message with MID 0 as a retransmit).
|
| |
|
|
|
|
|
|
| |
If the responder never sent a message the expected MID is 0. While
the sent MID (M1) SHOULD be increased beyond the known value, it's
not necessarily the case.
Since M2 - 1 would then equal UINT_MAX setting that MID would get ignored
and while we'd return 0 in the notify we'd actually expect 1 afterwards.
|
| | |
|
| |
|
|
|
|
| |
We are very picky to only allow MID 0 for these messages (while we
currently don't support IPSEC_REPLAY_COUNTER_SYNC notifies we accept
them).
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
|
| |
|
|
|
|
| |
Such an identity won't equal an actual peer's identity resulting in
sending an INITIAL_CONTACT notify even if there might be an existing
IKE_SA.
|
| | |
|
| |
|
|
|
|
|
|
| |
one retransmit
The counter is already increased when sending the original message.
Fixes: bd71ba0ffb03 ("task-manager: Add retransmit cleared alert")
|
| |
|
|
| |
Fixes #2051.
|
| |
|
|
|
|
|
|
|
|
| |
If a responder is natted it will usually be a static NAT (unless it's a
mediated connection) in which case adding these notifies makes not much
sense (if the initiator's NAT mapping had changed the responder wouldn't
be able to reach it anyway). It's also problematic as some clients refuse
to respond to DPDs if they contain such notifies.
Fixes #2126.
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
This might be useful for custom implementations of keymat_t.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Depending on the lifetimes a CHILD_SA we rekeyed as responder might
expire shortly afterwards. We don't want to rekey it again.
When retrying due to an INVALID_KE_PAYLOAD notify the expected state
is CHILD_REKEYING if it is anything else (e.g. due to a collision) we
ignore it.
We also abort the exchange properly if we don't find the CHILD_SA, no
need for an empty INFORMATIONAL exchange anymore.
|
| |
|
|
|
|
|
| |
If a passive rekeying fails due to an INVALID_KE_PAYLOAD we don't want
to consider this task later when resolving collisions. This previously
might have caused the wrong SA to get deleted/installed based on the nonces
in the unsuccessful exchange.
|
| |
|
|
| |
We queue a delayed task that is initiated after a while.
|
| |
|
|
|
|
|
|
|
|
|
| |
Such a task is not initiated unless a certain time has passed. This
allows delaying certain tasks but avoids problems if we'd do this
via a scheduled job (e.g. if the IKE_SA is rekeyed in the meantime).
If the IKE_SA is rekeyed the delay of such tasks is reset when the
tasks are adopted i.e. they get executed immediately on the new IKE_SA.
This hasn't been implemented for IKEv1 yet.
|
| | |
|
| |
|
|
| |
over local ones
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
subtask failed
For instance, if INVALID_KE_PAYLOAD is returned we don't want this task
to affect any active rekeying (no new SA has been established so far).
|
| |
|
|
|
|
|
|
|
|
|
| |
If the peer does not detect the rekey collision and deletes the old
IKE_SA and then receives the colliding rekey request it will respond with
TEMPORARY_FAILURE. That notify may arrive before the DELETE does, in
which case we may just conclude the rekeying initiated by the peer.
Also, since the IKE_SA is destroyed in any case when we receive a delete
there is no point in storing the delete task in collide() as process_i()
in the ike-rekey task will never be called.
|
| | |
|
| |
|
|
|
| |
This simplifies collision handling and we don't need to know about these
tasks when concluding the rekeying we initiated.
|
| |
|
|
|
|
|
|
|
|
| |
collision
We conclude the rekeying before deleting the IKE_SA. Waiting for the
potential TEMPORARY_FAILURE notify is no good because if that response
does not reach us the peer will not retransmit it upon our retransmits
of the rekey request if it already deleted the IKE_SA after receiving
our response to the delete.
|
| |
|
|
|
| |
We treat these as if we concluded the rekeying, the active ike-rekey task
will handle the collision afterwards.
|
| | |
|
| | |
|
| |
|
|
|
| |
As per RFC 7296, 2.25.2 (what we did before was the behavior described
in RFC 4718).
|
| | |
|
| |
|
|
| |
rekeyed/deleted/established
|
| | |
|
| | |
|
| |
|
|
|
| |
RFC 7296 explicitly says we SHOULD reply as usual and forget about our
own close request.
|
| |
|
|
|
|
|
|
|
| |
This makes handling such IKE_SAs more specifically compared to keeping them
in state IKE_CONNECTING or IKE_ESTABLISHED (which we did when we lost a
collision - even triggering the ike_updown event), or using IKE_REKEYING for
them, which would also be ambiguous.
For instance, we can now reject anything but DELETES for such SAs.
|
| | |
|
| |
|
|
|
|
| |
Moving to the new SA only after receiving the DELETE for the old SA was
not ideal as it rendered the new SA unusable (because it simply didn't
exist in the manager) if the DELETE was delayed/got dropped.
|
| |
|
|
|
|
| |
This happens if the peer deletes the redundant SA before we are able to
handle the response. The deleted SA will be in state CHILD_INSTALLED but
we don't want to trigger the child_updown() event for it or recreate it.
|
| | |
|
| |
|
|
|
| |
This happens if there is a rekey collision and the peers disagree on the
DH group.
|
| |
|
|
| |
This allows handling collisions better, in particular with deletions.
|
| |
|
|
|
|
| |
getting deleted
These are the notifies we should return according to RFC 7296.
|
| | |
|
| |
|
|
|
| |
We will later add code to retry creating the CHILD_SA if we are not
rekeying. Rekeying is already rescheduled as with any other errors.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Generally, we will not find the CHILD_SA by searching for it with the
outbound SPI (the initiator of the DELETE sent its inbound SPI) - and if
we found a CHILD_SA it would most likely be the wrong one (one in which
we used the same inbound SPI as the peer used for the one it deletes).
And we don't actually want to destroy the CHILD_SA at this point as we
know we already initiated a DELETE ourselves, which means that task
still has a reference to it and will destroy the CHILD_SA when it
receives the response from the other peer.
|
