aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon/sa/ikev2
Commit message (Collapse)AuthorAgeFilesLines
...
* ike-mobike: Skip peer addresses we can't send packets to when checking pathsTobias Brunner2014-09-121-5/+18
|
* ikev2: Insert MOBIKE tasks at the front of the queueTobias Brunner2014-09-121-1/+6
| | | | | In case we have no usable path to the other peer there is no point in initiating any other tasks (like rekeying).
* ikev2: Migrate number of pending MOBIKE updatesTobias Brunner2014-09-121-0/+5
| | | | | This will probably never be more than 1 since we only have one task queued at a time and we don't migrate running tasks.
* ikev2: Properly keep track of pending MOBIKE updatesTobias Brunner2014-09-121-8/+27
| | | | | | | | Because we only queue one MOBIKE task at a time, but destroy superfluous ones only after we already increased the counter for pending MOBIKE updates, we have to reduce the counter when such tasks are destroyed. Otherwise, the queued task would assume another task is queued when it is running and ignore any successful response.
* bus: Add a handle_vips() hook invoked after handling configuration attributesMartin Willi2014-06-171-0/+2
| | | | | | | | | Similar to assign_vips() used by a peer assigning virtual IPs to the other peer, the handle_vips() hook gets invoked on a peers after receiving attributes. On release of the same attributes the hook gets invoked again. This is useful to inspect handled attributes, as the ike_updown() hook is invoked after authentication, when attributes have not been handled yet.
* ike: Store unhandled attributes on IKE_SA as wellMartin Willi2014-06-161-5/+2
|
* payload: Use common prefixes for all payload type identifiersMartin Willi2014-06-0418-79/+79
| | | | | The old identifiers did not use a proper namespace and often clashed with other defines.
* ikev2: Reject CHILD_SA creation/rekeying while deleting an IKE_SAMartin Willi2014-04-171-0/+6
| | | | | | | | | | | If one peer starts reauthentication by deleting the IKE_SA, while the other starts CHILD_SA rekeying, we run in a race condition. To avoid it, temporarily reject the rekey attempt while we are in the IKE_SA deleting state. RFC 4306/5996 is not exactly clear about this collision, but it should be safe to reject CHILD_SA rekeying during this stage, as the reauth will re-trigger the CHILD_SA. For non-rekeying CHILD_SA creations, it's up to the peer to retry establishing the CHILD_SA on the reauthenticated IKE_SA.
* ikev2: Add inherit_pre() to apply config and hosts before IKE_SA rekeyingMartin Willi2014-04-171-11/+3
|
* ikev2: Fix reauthentication if peer assigns a different virtual IPTobias Brunner2014-04-151-1/+1
| | | | | | | | | | | | | | | | | Before this change a reqid set on the create_child_t task was used as indicator of the CHILD_SA being rekeyed. Only if that was not the case would the local traffic selector be changed to 0.0.0.0/0|::/0 (as we don't know which virtual IP the gateway will eventually assign). On the other hand, in case of a rekeying the VIP is expected to remain the same, so the local TS would simply equal the VIP. Since c949a4d5016e33c5 reauthenticated CHILD_SAs also have the reqid set. Which meant that the local TS would contain the previously assigned VIP, basically rendering the gateway unable to assign a different VIP to the client as the resulting TS would not match the client's proposal anymore. Fixes #553.
* ikev2: Reject CREATE_CHILD_SA exchange on unestablished IKE_SAsMartin Willi2014-04-141-0/+9
| | | | | | | Prevents a responder peer to trick us into established state by starting IKE_SA rekeying before the IKE_SA has been authenticated during IKE_AUTH. Fixes CVE-2014-2338.
* aead: Support custom AEAD salt sizesMartin Willi2014-03-311-2/+27
| | | | | | | | | The salt, or often called implicit nonce, varies between AEAD algorithms and their use in protocols. For IKE and ESP, GCM uses 4 bytes, while CCM uses 3 bytes. With TLS, however, AEAD mode uses 4 bytes for both GCM and CCM. Our GCM backends currently support 4 bytes and CCM 3 bytes only. This is fine until we go for CCM mode support in TLS, which requires 4 byte nonces.
* ikev2: Recreate a CHILD_SA that got a hard lifetime expire without rekeyingMartin Willi2014-03-311-0/+12
| | | | | Works around issues related to system time changes and kernel backends using that system time, such as Linux XFRM.
* ikev2: Cache all received attribute certificates to auth configMartin Willi2014-03-311-1/+27
|
* ikev2: Send all known and valid attribute certificates for subject certMartin Willi2014-03-311-0/+46
|
* ikev2: Slightly refactor certificate payload construction to separate functionsMartin Willi2014-03-311-37/+56
|
* libcharon: Use lib->ns instead of charon->nameTobias Brunner2014-02-125-9/+9
|
* ikev2: Add Cisco FRAGMENTATION vendor IDMartin Willi2014-01-231-0/+2
| | | | Courtesy of C.J. Adams-Collier, ZeroLag Communications, Inc.
* ikev2: Add Cisco Copyright vendor IDMartin Willi2014-01-231-0/+2
| | | | Courtesy of C.J. Adams-Collier, ZeroLag Communications, Inc.
* ikev2: Add Cisco Delete Reason vendor IDMartin Willi2014-01-231-0/+2
| | | | Courtesy of C.J. Adams-Collier, ZeroLag Communications, Inc.
* ikev2: Use a more dynamic vendor ID database, as we use with IKEv1Martin Willi2014-01-231-16/+57
|
* ikev2: Wipe (optional) shared secret during CHILD_SA key derivationTobias Brunner2014-01-231-11/+14
|
* ike_sa: Defer task manager destruction after child destructionThomas Egerer2014-01-161-4/+3
| | | | | | | | | | This patch exports the task manager's flush to allow flushing of all queues with one function call from ike_sa->destroy. It allows the access of intact children during task destructoin (see git-commit e44ebdcf) and allows the access of the task manager in child_state_change hook. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* ike: Log SK_p consistently on level 4Tobias Brunner2013-11-281-1/+1
|
* ikev2: Properly free DH secret in case of errors during IKE key derivationTobias Brunner2013-11-061-0/+3
| | | | Fixes #437.
* Fixed some typosTobias Brunner2013-10-291-1/+1
|
* ikev2: Allocate SPI with the protocol of the first/negotiated proposalMartin Willi2013-10-111-2/+16
|
* ikev2: Force an update of the host addresses on the first responseTobias Brunner2013-09-231-11/+9
| | | | | | | | | | | This is especially useful on Android where we are able to send messages even if we don't know the correct local address (this is possible because we don't set source addresses in outbound messages). This way we may learn the correct local address if it e.g. changed right before reestablishing an SA. Updating the local address later is tricky without MOBIKE as the responder might not update the associated IPsec SAs properly.
* ikev2: Fix segfault when reestablishing CHILD_SAs due to ↵Tobias Brunner2013-08-131-3/+4
| | | | | | closeaction=restart|hold This regression was introduced with c949a4d5.
* ikev2: Only schedule half-open-timeout delete job after successfully ↵Tobias Brunner2013-07-291-8/+16
| | | | | | | handling IKE_SA_INIT We want to avoid this allocation if the initial message is invalid (e.g. if the message ID is != 0).
* Fix various API doc issues and typosTobias Brunner2013-07-181-1/+1
| | | | Partially based on an old patch by Adrian-Ken Rueegsegger.
* ike: Migrate queued CHILD_SA-creating tasks when reestablishing an IKE_SATobias Brunner2013-07-171-0/+34
|
* child-sa: replace get_traffic_selectors() with create_ts_enumerator()Martin Willi2013-07-172-23/+25
| | | | | Not directly returning a linked list allows us to change the internals of the CHILD_SA transparently.
* ikev2: replace linked lists by arrays in task managerMartin Willi2013-07-171-70/+76
| | | | Eliminates another three lists, 0.5KB per IKE_SA.
* Reuse reqid when restarting CHILD_SAs for dpd|closeaction=restartTobias Brunner2013-07-011-2/+2
|
* Reuse reqid for trap policies installed for dpd|closeaction=holdTobias Brunner2013-07-011-1/+2
|
* ikev2: keep the CHILD_SA we delete as initiator in the list to destroyMartin Willi2013-06-251-6/+5
| | | | | If the responder not correctly send the correct protocol or SPI in the delete response, we should remove the CHILD_SA regardless.
* ike: Force NAT-T/UDP encapsulation if kernel interface requires itTobias Brunner2013-06-211-3/+16
|
* ikev2: use protocol of selected proposal to delete a failed CHILD_SAMartin Willi2013-06-201-2/+2
| | | | Depending on the failure, the protocol might not yet be set on the CHILD_SA.
* ikev2: properly fall back to tunnel mode if transport/BEET mode not configuredMartin Willi2013-06-191-2/+8
|
* ikev2: support transport mode over NATMartin Willi2013-06-191-36/+150
|
* kernel-interface: add an exchange initiator parameter to add_sa()Martin Willi2013-06-111-8/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This new flag gives the kernel-interface a hint how it should priorize the use of newly installed SAs during rekeying. Consider the following rekey procedure in IKEv2: Initiator --- Responder I1 -------CREATE-------> R1 I2 <------CREATE-------- -------DELETE-------> R2 I3 <------DELETE-------- SAs are always handled as pairs, the following happens at the SA level: * Initiator starts the exchange at I1 * Responder installs new SA pair at R1 * Initiator installs new SA pair at I2 * Responder removes old SA pair at R2 * Initiator removes old SA pair at I3 This makes sure SAs get installed/removed overlapping during rekeying. However, to avoid any packet loss, it is crucial that the new outbound SA gets activated at the correct position: * as exchange initiator, in I2 * as exchange responder, in R2 This should guarantee that we don't use the new outbound SA before the peer could install its corresponding inbound SA. The new parameter allows the kernel backend to install the new SA with appropriate priorities, i.e. it should: * as exchange inititator, have the new outbound SA installed with higher priority than the old SA * as exchange responder, have the new outbound SA installed with lower priority than the old SA While we could split up the SA installation at the responder, this approach has another advantage: it allows the kernel backend to switch SAs based on other criteria, for example when receiving traffic on the new inbound SA.
* ikev2: if installing a CHILD_SA as initiator fails, notify the responderMartin Willi2013-06-111-2/+36
|
* ikev2: raise LOCAL_AUTH_FAILED when receiving INFORMATIONAL with AUTH_FAILEDMartin Willi2013-06-111-0/+8
|
* ikev2: close an established IKE_SA when receiving AUTHENTICATION_FAILEDMartin Willi2013-06-111-0/+6
| | | | | | RFC 5996 compatible implementations MAY send an INFORMATIONAL message with an AUTHENTICATION_FAILED if the initiator failed to authenticate us. Handle such a message like a DELETE for an IKE_SA.
* ikev2: if responder authentication fails, send AUTHENTICATION_FAILEDMartin Willi2013-06-111-0/+29
| | | | | | | According to RFC 5996, we MAY send an INFORMATIONAL message having an AUTHENTICATION_FAILED. We don't do any retransmits, though, but just close the IKE_SA after one message has been sent, avoiding the danger that an unauthenticated IKE_SA stays alive.
* Allow IPComp on NATed connections, both for IKEv1 and IKEv2Martin Willi2013-06-111-7/+0
| | | | | | While this was problematic in earlier releases, it seems that it works just fine the way we handle compression now. So there is no need to disable it over NATed connections or when using forceencaps.
* Properly compare CHILD_SAs during rekey collisionTobias Brunner2013-06-111-5/+12
| | | | | | | The previous code did not properly check for the situation when the DELETE for a redundant CHILD_SA created by a responder during a CHILD_SA rekey collision arrives before the responder's answer to the initiator's winning CREATE_CHILD_SA request.
* Raise LOCAL_AUTH_FAILED alert after receiving AUTHENTICATION_FAILUREMartin Willi2013-05-151-0/+1
|
* Raise an ALERT_PROPOSAL_MISMATCH_CHILD also when receiving NO_PROPOSAL_CHOSENMartin Willi2013-05-061-0/+20
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-05 16:29:32 +0000