aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon/sa
Commit message (Collapse)AuthorAgeFilesLines
...
* shunt-manager: Install "outbound" FWD policyTobias Brunner2016-04-091-2/+8
| | | | | | If there is a default drop policy forwarded traffic might otherwise not be allowed by a specific passthrough policy (while local traffic is allowed).
* child-sa: Install "outbound" FWD policyTobias Brunner2016-04-091-0/+16
| | | | | | | If there is a DROP shunt that matches outbound forwarded traffic it would get dropped as the FWD policy we install only matches decrypted inbound traffic. That's because the Linux kernel first checks the FWD policies before looking up the OUT policy and SA to encrypt the packets.
* kernel: Use structs to pass information to the kernel-ipsec interfaceTobias Brunner2016-04-092-97/+236
|
* Use standard unsigned integer typesAndreas Steffen2016-03-2451-337/+337
|
* ike-sa-manager: Avoid memory leak if IKE_SAs get checked in after flush() ↵Tobias Brunner2016-03-231-23/+38
| | | | | | | | | | | | | was called A thread might check out a new IKE_SA via checkout_new() or checkout_by_config() and start initiating it while the daemon is terminating and the IKE_SA manager is flushed by the main thread. That SA is not tracked yet so the main thread is not waiting for it and the other thread is able to check it in and creating an entry after flush() already terminated causing a memory leak. Fixes #1348.
* Fix some Doxygen issuesTobias Brunner2016-03-111-1/+1
|
* ike-sa: Improve interaction between flush_auth_cfg and delayed revocation checksTobias Brunner2016-03-101-26/+37
|
* ikev2: Delay online revocation checks during make-before-break reauthenticationTobias Brunner2016-03-101-0/+5
| | | | | | | | | | | | | | | | | | | | | We do these checks after the SA is fully established. When establishing an SA the responder is always able to install the CHILD_SA created with the IKE_SA before the initiator can do so. During make-before-break reauthentication this could cause traffic sent by the responder to get dropped if the installation of the SA on the initiator is delayed e.g. by OCSP/CRL checks. In particular, if the OCSP/CRL URIs are reachable via IPsec tunnel (e.g. with rightsubnet=0.0.0.0/0) the initiator is unable to reach them during make-before-break reauthentication as it wouldn't be able to decrypt the response that the responder sends using the new CHILD_SA. By delaying the revocation checks until the make-before-break reauthentication is completed we avoid the problems described above. Since this only affects reauthentication, not the original IKE_SA, and the delay until the checks are performed is usually not that long this doesn't impose much of a reduction in the overall security.
* ikev2: Add task that verifies a peer's certificateTobias Brunner2016-03-105-0/+179
| | | | | | On failure the SA is deleted and reestablished as configured. The task is activated after the REAUTH_COMPLETE task so a make-before-break reauth is completed before the new SA might get torn down.
* ikev2: Initiate other tasks after a no-op taskTobias Brunner2016-03-101-1/+1
|
* ikev2: Don't do online revocation checks in pubkey authenticator if requestedTobias Brunner2016-03-101-1/+8
| | | | We also update the auth config so the constraints are not enforced.
* ike-sa: Add condition to suspend online certificate revocation checks for an ↵Tobias Brunner2016-03-101-0/+5
| | | | IKE_SA
* ike-sa: Add method to verify certificates in completed authentication roundsTobias Brunner2016-03-102-0/+111
|
* credential-manager: Make online revocation checks optional for public key ↵Tobias Brunner2016-03-102-2/+2
| | | | enumerator
* ike-sa-manager: Log a checkin/failure message for every checkoutThomas Egerer2016-03-071-8/+32
| | | | Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* ike-sa-manager: Log some additional details like SPIs when checking out SAsTobias Brunner2016-03-041-7/+16
|
* ikev2: Always store signature scheme in auth-cfgTobias Brunner2016-03-041-12/+1
| | | | As we use a different rule we can always store the scheme.
* ikev2: Diversify signature scheme ruleThomas Egerer2016-03-042-3/+4
| | | | | | | This allows for different signature schemes for IKE authentication and trustchain verification. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* ike-init: Verify REDIRECT notify before processing IKE_SA_INIT messageTobias Brunner2016-03-041-7/+51
| | | | | | An attacker could blindly send a message with invalid nonce data (or none at all) to DoS an initiator if we just destroy the SA. To prevent this we ignore the message and wait for the one by the correct responder.
* ikev2: Allow tasks to verify request messages before processing themTobias Brunner2016-03-041-4/+47
|
* ikev2: Allow tasks to verify response messages before processing themTobias Brunner2016-03-041-1/+27
|
* task: Add optional pre_process() methodTobias Brunner2016-03-041-1/+13
| | | | | This will eventually allow tasks to pre-process and verify received messages.
* ike-init: Ignore notifies related to redirects during rekeyingTobias Brunner2016-03-041-3/+13
| | | | Also don't query redirect providers in this case.
* ike-sa: Add limit for the number of redirects within a defined time periodTobias Brunner2016-03-042-0/+54
|
* ike-sa: Reauthenticate to the same addresses we currently useTobias Brunner2016-03-041-2/+5
| | | | | | If the SA got redirected this would otherwise cause a reauthentication with the original gateway. Reestablishing the SA to the original gateway, if e.g. the new gateway is not reachable makes sense though.
* ike-sa: Add redirect() method to actively redirect an IKE_SATobias Brunner2016-03-042-0/+50
|
* ike-redirect: Add task to redirect active IKE_SAsTobias Brunner2016-03-045-0/+218
|
* ike-auth: Handle REDIRECT notifies during IKE_AUTHTobias Brunner2016-03-041-22/+44
|
* ike-sa: Handle redirect requests for established SAs as reestablishmentTobias Brunner2016-03-041-82/+174
| | | | | | | We handle this similar to how we do reestablishing IKE_SAs with all CHILD_SAs, which also includes the one actively queued during IKE_AUTH. To delete the old SA we use the recently added ike_reauth_complete task.
* ike-auth: Send REDIRECT notify during IKE_AUTH if requested by providersTobias Brunner2016-03-041-27/+51
| | | | | | To prevent the creation of the CHILD_SA we set a condition on the IKE_SA. We also schedule a delete job in case the client does not terminate the IKE_SA (which is a SHOULD in RFC 5685).
* ike-config: Do not assign attributes for redirected IKE_SAsTobias Brunner2016-03-041-0/+5
|
* child-create: Don't create CHILD_SA if the IKE_SA got redirected in IKE_AUTHTobias Brunner2016-03-041-0/+4
|
* ike-sa: Add a condition to mark redirected IKE_SAsTobias Brunner2016-03-041-0/+5
|
* ike-init: Handle REDIRECTED_FROM similar to REDIRECT_SUPPORTED as serverTobias Brunner2016-03-041-0/+17
|
* ike-init: Send REDIRECTED_FROM instead of REDIRECT_SUPPORTED if appropriateTobias Brunner2016-03-041-1/+19
|
* ike-sa: Keep track of the address of the gateway that redirected usTobias Brunner2016-03-042-1/+27
|
* ikev2: Add option to disable following redirects as clientTobias Brunner2016-03-042-1/+20
|
* ikev2: Handle REDIRECT notifies during IKE_SA_INITTobias Brunner2016-03-043-0/+64
|
* ike-init: Send REDIRECT notify during IKE_SA_INIT if requested by providersTobias Brunner2016-03-041-0/+17
|
* redirect-manager: Add helper function to create and parse REDIRECT notify dataTobias Brunner2016-03-042-11/+162
| | | | The same encoding is also used for the REDIRECT_FROM notifies.
* redirect-manager: Verify type of returned gateway IDTobias Brunner2016-03-041-1/+12
|
* ike-init: Send REDIRECT_SUPPORTED as initiatorTobias Brunner2016-03-041-0/+5
|
* ike-init: Enable redirection extension if client sends REDIRECT_SUPPORTED notifyTobias Brunner2016-03-041-0/+4
|
* ike-sa: Add new extension for IKEv2 redirection (RFC 5685)Tobias Brunner2016-03-041-1/+6
|
* redirect-manager: Add manager for redirect providersTobias Brunner2016-03-042-0/+221
|
* redirect-provider: Add interface to redirect clients during initial messagesTobias Brunner2016-03-041-0/+59
| | | | | This will allow e.g. plugins to decide whether a connecting client is redirected to a different gateway using RFC 5685.
* libhydra: Move kernel interface to libcharonTobias Brunner2016-03-0310-95/+75
| | | | This moves hydra->kernel_interface to charon->kernel.
* ikev1: Send and verify IPv6 addresses correctlyTobias Brunner2016-03-031-26/+11
| | | | | | | | According to the mode-config draft there is no prefix sent for IPv6 addresses in IKEv1. We still accept 17 bytes long addresses for backwards compatibility with older strongSwan releases. Fixes #1304.
* ikev1: Allow immediate deletion of rekeyed CHILD_SAsTobias Brunner2016-03-031-1/+17
| | | | | | | | | | | | | | | When charon rekeys a CHILD_SA after a soft limit expired, it is only deleted after the hard limit is reached. In case of packet/byte limits this may not be the case for a long time since the packets/bytes are usually sent using the new SA. This may result in a very large number of stale CHILD_SAs and kernel states. With enough connections configured this will ultimately exhaust the memory of the system. This patch adds a strongswan.conf setting that, if enabled, causes the old CHILD_SA to be deleted by the initiator after a successful rekeying. Enabling this setting might create problems with implementations that continue to use rekeyed SAs (e.g. if the DELETE notify is lost).
* ikev1: Avoid modifying local auth config when detecting pubkey methodTobias Brunner2016-03-031-1/+1
| | | | | | | | | If it was necessary to pass the local certificates we could probably clone the config (but we don't do that either when later looking for the key to actually authenticate). Passing auth adds the same subject cert to the config over and over again (I guess we could also try to prevent that by searching for duplicates).
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-03 08:53:30 +0000