aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon/sa
Commit message (Collapse)AuthorAgeFilesLines
...
* ikev1: Don't use rekeyed CHILD_SAs for rekey detectionTobias Brunner2016-05-061-4/+4
| | | | | | | | | | | | An old (already rekeyed) CHILD_SA would get switched back into CHILD_REKEYING state. And we actually want to change the currently installed CHILD_SA to that state and later CHILD_REKEYED and properly call e.g. child_rekey() and not do this again with an old CHILD_SA. Instead let's only check installed or currently rekeying CHILD_SAs (in case of a rekey collision). It's also uncommon that there is a CHILD_SA in state CHILD_REKEYED but none in state CHILD_INSTALLED or CHILD_REKEYING, which could happen if e.g. a peer deleted and recreated a CHILD_SA after a rekeying. But in that case we don't want to treat the new CHILD_SA as rekeying (e.g. in regards to events on the bus).
* ikev1: Don't call updown hook etc. when deleting redundant CHILD_SAsTobias Brunner2016-05-061-0/+1
| | | | Fixes #1421.
* vici list-conns sends reauthentication and rekeying time informationAndreas Steffen2016-05-042-2/+2
|
* Implemented IPsec policies restricted to given network interfaceAndreas Steffen2016-04-092-2/+20
|
* Support manually-set IPsec policy prioritiesAndreas Steffen2016-04-092-20/+43
|
* shunt-manager: Install "outbound" FWD policyTobias Brunner2016-04-091-2/+8
| | | | | | If there is a default drop policy forwarded traffic might otherwise not be allowed by a specific passthrough policy (while local traffic is allowed).
* child-sa: Install "outbound" FWD policyTobias Brunner2016-04-091-0/+16
| | | | | | | If there is a DROP shunt that matches outbound forwarded traffic it would get dropped as the FWD policy we install only matches decrypted inbound traffic. That's because the Linux kernel first checks the FWD policies before looking up the OUT policy and SA to encrypt the packets.
* kernel: Use structs to pass information to the kernel-ipsec interfaceTobias Brunner2016-04-092-97/+236
|
* Use standard unsigned integer typesAndreas Steffen2016-03-2451-337/+337
|
* ike-sa-manager: Avoid memory leak if IKE_SAs get checked in after flush() ↵Tobias Brunner2016-03-231-23/+38
| | | | | | | | | | | | | was called A thread might check out a new IKE_SA via checkout_new() or checkout_by_config() and start initiating it while the daemon is terminating and the IKE_SA manager is flushed by the main thread. That SA is not tracked yet so the main thread is not waiting for it and the other thread is able to check it in and creating an entry after flush() already terminated causing a memory leak. Fixes #1348.
* Fix some Doxygen issuesTobias Brunner2016-03-111-1/+1
|
* ike-sa: Improve interaction between flush_auth_cfg and delayed revocation checksTobias Brunner2016-03-101-26/+37
|
* ikev2: Delay online revocation checks during make-before-break reauthenticationTobias Brunner2016-03-101-0/+5
| | | | | | | | | | | | | | | | | | | | | We do these checks after the SA is fully established. When establishing an SA the responder is always able to install the CHILD_SA created with the IKE_SA before the initiator can do so. During make-before-break reauthentication this could cause traffic sent by the responder to get dropped if the installation of the SA on the initiator is delayed e.g. by OCSP/CRL checks. In particular, if the OCSP/CRL URIs are reachable via IPsec tunnel (e.g. with rightsubnet=0.0.0.0/0) the initiator is unable to reach them during make-before-break reauthentication as it wouldn't be able to decrypt the response that the responder sends using the new CHILD_SA. By delaying the revocation checks until the make-before-break reauthentication is completed we avoid the problems described above. Since this only affects reauthentication, not the original IKE_SA, and the delay until the checks are performed is usually not that long this doesn't impose much of a reduction in the overall security.
* ikev2: Add task that verifies a peer's certificateTobias Brunner2016-03-105-0/+179
| | | | | | On failure the SA is deleted and reestablished as configured. The task is activated after the REAUTH_COMPLETE task so a make-before-break reauth is completed before the new SA might get torn down.
* ikev2: Initiate other tasks after a no-op taskTobias Brunner2016-03-101-1/+1
|
* ikev2: Don't do online revocation checks in pubkey authenticator if requestedTobias Brunner2016-03-101-1/+8
| | | | We also update the auth config so the constraints are not enforced.
* ike-sa: Add condition to suspend online certificate revocation checks for an ↵Tobias Brunner2016-03-101-0/+5
| | | | IKE_SA
* ike-sa: Add method to verify certificates in completed authentication roundsTobias Brunner2016-03-102-0/+111
|
* credential-manager: Make online revocation checks optional for public key ↵Tobias Brunner2016-03-102-2/+2
| | | | enumerator
* ike-sa-manager: Log a checkin/failure message for every checkoutThomas Egerer2016-03-071-8/+32
| | | | Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* ike-sa-manager: Log some additional details like SPIs when checking out SAsTobias Brunner2016-03-041-7/+16
|
* ikev2: Always store signature scheme in auth-cfgTobias Brunner2016-03-041-12/+1
| | | | As we use a different rule we can always store the scheme.
* ikev2: Diversify signature scheme ruleThomas Egerer2016-03-042-3/+4
| | | | | | | This allows for different signature schemes for IKE authentication and trustchain verification. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* ike-init: Verify REDIRECT notify before processing IKE_SA_INIT messageTobias Brunner2016-03-041-7/+51
| | | | | | An attacker could blindly send a message with invalid nonce data (or none at all) to DoS an initiator if we just destroy the SA. To prevent this we ignore the message and wait for the one by the correct responder.
* ikev2: Allow tasks to verify request messages before processing themTobias Brunner2016-03-041-4/+47
|
* ikev2: Allow tasks to verify response messages before processing themTobias Brunner2016-03-041-1/+27
|
* task: Add optional pre_process() methodTobias Brunner2016-03-041-1/+13
| | | | | This will eventually allow tasks to pre-process and verify received messages.
* ike-init: Ignore notifies related to redirects during rekeyingTobias Brunner2016-03-041-3/+13
| | | | Also don't query redirect providers in this case.
* ike-sa: Add limit for the number of redirects within a defined time periodTobias Brunner2016-03-042-0/+54
|
* ike-sa: Reauthenticate to the same addresses we currently useTobias Brunner2016-03-041-2/+5
| | | | | | If the SA got redirected this would otherwise cause a reauthentication with the original gateway. Reestablishing the SA to the original gateway, if e.g. the new gateway is not reachable makes sense though.
* ike-sa: Add redirect() method to actively redirect an IKE_SATobias Brunner2016-03-042-0/+50
|
* ike-redirect: Add task to redirect active IKE_SAsTobias Brunner2016-03-045-0/+218
|
* ike-auth: Handle REDIRECT notifies during IKE_AUTHTobias Brunner2016-03-041-22/+44
|
* ike-sa: Handle redirect requests for established SAs as reestablishmentTobias Brunner2016-03-041-82/+174
| | | | | | | We handle this similar to how we do reestablishing IKE_SAs with all CHILD_SAs, which also includes the one actively queued during IKE_AUTH. To delete the old SA we use the recently added ike_reauth_complete task.
* ike-auth: Send REDIRECT notify during IKE_AUTH if requested by providersTobias Brunner2016-03-041-27/+51
| | | | | | To prevent the creation of the CHILD_SA we set a condition on the IKE_SA. We also schedule a delete job in case the client does not terminate the IKE_SA (which is a SHOULD in RFC 5685).
* ike-config: Do not assign attributes for redirected IKE_SAsTobias Brunner2016-03-041-0/+5
|
* child-create: Don't create CHILD_SA if the IKE_SA got redirected in IKE_AUTHTobias Brunner2016-03-041-0/+4
|
* ike-sa: Add a condition to mark redirected IKE_SAsTobias Brunner2016-03-041-0/+5
|
* ike-init: Handle REDIRECTED_FROM similar to REDIRECT_SUPPORTED as serverTobias Brunner2016-03-041-0/+17
|
* ike-init: Send REDIRECTED_FROM instead of REDIRECT_SUPPORTED if appropriateTobias Brunner2016-03-041-1/+19
|
* ike-sa: Keep track of the address of the gateway that redirected usTobias Brunner2016-03-042-1/+27
|
* ikev2: Add option to disable following redirects as clientTobias Brunner2016-03-042-1/+20
|
* ikev2: Handle REDIRECT notifies during IKE_SA_INITTobias Brunner2016-03-043-0/+64
|
* ike-init: Send REDIRECT notify during IKE_SA_INIT if requested by providersTobias Brunner2016-03-041-0/+17
|
* redirect-manager: Add helper function to create and parse REDIRECT notify dataTobias Brunner2016-03-042-11/+162
| | | | The same encoding is also used for the REDIRECT_FROM notifies.
* redirect-manager: Verify type of returned gateway IDTobias Brunner2016-03-041-1/+12
|
* ike-init: Send REDIRECT_SUPPORTED as initiatorTobias Brunner2016-03-041-0/+5
|
* ike-init: Enable redirection extension if client sends REDIRECT_SUPPORTED notifyTobias Brunner2016-03-041-0/+4
|
* ike-sa: Add new extension for IKEv2 redirection (RFC 5685)Tobias Brunner2016-03-041-1/+6
|
* redirect-manager: Add manager for redirect providersTobias Brunner2016-03-042-0/+221
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-04 21:03:01 +0000