| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| | |
|
| | |
|
| |
|
|
| |
message
|
| |
|
|
|
|
| |
configurable
Fixes #1128.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
are handled delayed
If we haven't received the third QM message for multiple exchanges the
return value of NEED_MORE for passive tasks that are not responsible for
a specific exchange would trigger a fourth empty QM message.
Fixes: 4de361d92c54 ("ikev1: Fix handling of overlapping Quick Mode exchanges")
References #1076.
|
| |
|
|
|
|
|
|
|
|
|
| |
Previously, the current segment was held while checking for duplicate
SAs, which requires acquiring all segments. If multiple threads did this
concurrently this resulted in a deadlock as they couldn't acquire the
segments held by the other threads attempting to do the same. With the
default configuration only one segment is used, which prevents the problem
as only one thread can check in an IKE SA concurrently.
Fixes: a064eaa8a63a ("Handling of initial contact")
|
| |
|
|
|
|
|
|
| |
left|rightsubnet default to %dynamic, which is basically 0.0.0.0/0 until an
address is assigned to it. So if only one side was undefined and the other
traffic selector was IPv6 an address family mismatch would occur.
References #595.
|
| |
|
|
|
|
| |
protocol mismatch
References #595.
|
| | |
|
| | |
|
| |
|
|
| |
whether COOKIEs are sent
|
| | |
|
| |
|
|
| |
deleting the SA
|
| |
|
|
|
| |
This allows us to DELETE CHILD_SAs on failures that occur before we
retrieved the selected proposal.
|
| |
|
|
|
|
|
| |
information
Since we only support single protocols we could probably guess it and always
send a DELETE.
|
| |
|
|
|
|
|
| |
When retrying due to a DH group mismatch this is already done by the
child-create task itself. And in other cases where the task returns
NEED_MORE we actually will need access to a possible proposal to properly
delete it.
|
| |
|
|
|
|
|
|
|
|
| |
mismatch
If the responder declines our KE payload during a CHILD_SA rekeying migrate()
is called to reuse the child-create task. But the child-rekey task then
calls the same method again.
Fixes: 32df0d81fb46 ("child-create: Destroy nonceg in migrate()")
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
In some cases the third message of a Quick Mode exchange might arrive
after the first message of a subsequent Quick Mode exchange. Previously
these messages were handled incorrectly and the second Quick Mode
exchange failed.
Some implementations might even try to establish multiple Quick Modes
simultaneously, which is explicitly allowed in RFC 2409. We don't fully
support that, though, in particular in case of retransmits.
Fixes #1076.
|
| |
|
|
|
| |
We should ignore messages that have the flag set incorrectly.
This restores RFC compliance which was broken since the mentioned commit.
|
| |
|
|
|
|
|
|
|
| |
If multiple certificates use the same subjects we might choose the wrong
one otherwise. This way we use the one referenced with leftcert and
stored in the auth-cfg and we actually do the same thing later in the
pubkey authenticator.
Fixes #1077.
|
| |
|
|
|
|
|
| |
This allows symmetric configuration of EAP methods (i.e. the same value
in leftauth and rightauth) when mutual EAP-only authentication is used.
Previously the client had to configure rightauth=eap or rightauth=any,
which prevented it from using this same config as responder.
|
| |
|
|
|
|
| |
When reestablishing the IKE_SA we should still use the original port
when right resolves to %any as some implementations might not like
initial IKE messages on port 4500 (especially for IKEv1).
|
| |
|
|
| |
Fixes #196.
|
| |
|
|
|
|
|
|
|
|
|
| |
During a rekeying we want to reuse the current reqid, but if the new SA
does not allocate it via kernel-interface the state there will disappear
when the old SA is destroyed after the rekeying. When the IKE_SA is
later reauthenticated with make-before-break reauthentication the new
CHILD_SAs there will get new reqids as no existing state is found in the
kernel-interface, breaking policy installation in the kernel.
Fixes: a49393954f31 ("child-sa: Use any fixed reqid configured on the CHILD_SA config")
|
| |
|
|
|
|
|
|
|
|
|
| |
Vendor specific EAP methods may be registered with:
PLUGIN_CALLBACK(eap_method_register, <constructor>),
PLUGIN_PROVIDE(EAP_SERVER_VENDOR, <type>, <vendor>),
Same for client implementations via EAP_PEER_VENDOR.
References #969.
|
| | |
|
| |
|
|
| |
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
|
| | |
|
| | |
|
| |
|
|
|
| |
Even when there is no error the CREATE_CHILD_SA response should be sent
in the context of the existing IKE_SA.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The destroy() method sets the IKE_SA on the bus to NULL, we reset it to
the current IKE_SA so any events and log messages that follow happen in
the correct context.
A practical example where this is problematic is a DH group mismatch,
which causes the first CREATE_CHILD_SA exchange to fail. Because the SA
was not reset previously, the message() hook for the CREATE_CHILD_SA
response, for instance, was triggered outside the context of an IKE_SA,
that is, the ike_sa parameter was NULL, which is definitely not expected
by several plugins.
Fixes #862.
|
| |
|
|
|
| |
This will allow us to uninstall shunts before unloading the
kernel-interface plugins.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
When flush() is called there might be threads in install() waiting for
trap policies to get installed (without holding the lock). We have to
wait until they updated the entries with the respective CHILD_SAs before
destroying the list.
We also have to prevent further trap policy installations (and wait until
threads in install() are really finished), otherwise we might end up
destroying CHILD_SA objects after the kernel interface implementations
have already been unloaded (avoiding this is the whole point of calling
flush() before unloading the plugins).
|
| |
|
|
|
|
|
|
|
| |
This fixes potential race conditions in case complete() or flush() is
executed before or concurrently with a thread that handles an acquire.
It will also simplify tracking multiple acquires created for the same
trap policy in the future.
Also fixes the behavior in some error situations.
|
| |
|
|
|
|
|
|
|
| |
This basically reverts f4e822c1b422 ("trap-manager: don't check-in
nonexisting IKE_SA if acquire fails"). As checkout_by_config() could
return an already existing and established IKE_SA we have to properly
destroy it, for instance, in case other threads are waiting to check
it out. checkin_and_destroy() should handle the case of a new SA
properly (it produces a log message on level 1, though).
|
| |
|
|
|
|
|
|
|
| |
In some situations it might be valid for a host that configures
right=%any to reestablish or reauthenticate an IKE_SA. Using %any would
immediately abort the initiation causing the new SA to fail (which
might already have the existing CHILD_SAs assigned).
Fixes #1027.
|
| |
|
|
|
|
|
| |
If static local addresses are configured we should use their address family
as a hint when resolving the remote address.
We don't do this if %any is configured as this might break existing
configurations (%any4 and %any6 are however used as hint).
|
| |
|
|
|
|
|
|
|
|
|
| |
Threads might still be allocating SPIs (e.g. triggered by an acquire or
an inbound message) while the main thread calls flush(). If there is a
context switch right after such a thread successfully checked this->rng
in get_spi() and the main thread destroys the RNG instance right then,
that worker thread will cause a segmentation fault when it continues and
attempts to call get_bytes().
Fixes #1014.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
authentication
Previously the constraints in the authentication configuration of an
initiator were enforced only after all authentication rounds were
complete. This posed a problem if an initiator used EAP or PSK
authentication while the responder was authenticated with a certificate
and if a rogue server was able to authenticate itself with a valid
certificate issued by any CA the initiator trusted.
Because any constraints for the responder's identity (rightid) or other
aspects of the authentication (e.g. rightca) the initiator had were not
enforced until the initiator itself finished its authentication such a rogue
responder was able to acquire usernames and password hashes from the client.
And if a client supported EAP-GTC it was even possible to trick it into
sending plaintext passwords.
This patch enforces the configured constraints right after the responder's
authentication successfully finished for each round and before the initiator
starts with its own authentication.
Fixes CVE-2015-4171.
|
| |
|
|
|
|
|
| |
Global reqid allocation (94eb09ac) broke fixed reqid allocation. Resupport them
by bypassing allocation in the kernel if a fixed reqid has been configured.
Fixes #976.
|
| |
|
|
|
|
|
|
|
| |
This fixes a DoS and potential remote code execution vulnerability that was
caused because the original payload type that was returned previously was
used to cast such payload objects to payloads of the indicated type (e.g.
when logging notify payloads with a payload type for the wrong IKE version).
Fixes CVE-2015-3991.
|
| | |
|
| |
|
|
|
| |
Since another nonce gets allocated later (if any was allocated already)
this would have resulted in a leaked nonce context ID when used in charon-tkm.
|
| |
|
|
| |
As with ike-init we can't return NULL in the task constructor.
|
| |
|
|
|
|
| |
Returning FAILED in the constructor is wrong, but returning NULL doesn't work
either as it's currently assumed tasks always can be created.
Therefore, delay this check until we actually try to allocate a nonce.
|
| | |
|
