| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| | |
|
| |
|
|
|
|
|
|
|
| |
This fixes a DoS and potential remote code execution vulnerability that was
caused because the original payload type that was returned previously was
used to cast such payload objects to payloads of the indicated type (e.g.
when logging notify payloads with a payload type for the wrong IKE version).
Fixes CVE-2015-3991.
|
| |
|
|
|
|
| |
When using a cipher with sequential IVs, we never must pass an identical IV
to the IV generator. To avoid it when using IKEv2 fragmentation, use the lower
bits of the 64-bit message ID as the fragment number.
|
| |
|
|
|
| |
While no algorithm actually uses such short IVs, we add a check here to ensure
we won't return just the lower bits of the counter.
|
| |
|
|
| |
We allow gaps in IVs, but ensure that an IV is never used more than once.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
This fixes support for the secret option, as otherwise the kernel interface
is not registered yet when the trap policy is installed.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
While the server signs the ephemeral DH parameters, it can be tricked to its
lowest supported DH group by a man-in-the-middle:
https://weakdh.org/imperfect-forward-secrecy.pdf
While we at least use 2048-bit DH groups as server, the client accepts any
DH prime the server sends. If it supports export ciphers, only a 512-bit prime
may be used.
As TLS does not define nor negotiate a DH group for cipher suites, the client
actually must accept what the server offers. To avoid downgrades to weak
DH groups, we must reject what we consider insecure. We set this limit to
1024-bit primes. While this breaks compatibility with TLS servers using weaker
primes, this is what we expect servers at least use. Most browser vendors use
the same limit in a similar fix.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
The maximum size of a stroke message is currently 64k due to the 2 byte
length field.
Fixes #943.
|
| |
|
|
|
|
|
|
| |
Only one of `--user-install` and `--install-dir` may be set and if
`--user-install` is the default on a system installation will fail
unless we disable it explicitly.
Fixes #914.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Installing them might not work well when building distro packages (e.g.
with DESTDIR installs). It might be easier to install them later with a
script in the distro package.
When building from source on the local system it could still be useful to
install the packages directly, which can be enabled with separate configure
options.
The main problem with DESTDIR installations of the Python Egg is that
easy_install creates or modifies a file called easy-install.pth in the
installation directory. So it's not actually possible to simply copy
the results in DESTDIR over to the actual system as that file would have
to be merged with any existing one.
Fixes #914.
|
| |
|
|
|
|
|
| |
We also don't require setup.py to exist during cleanup, as e.g. with
make distcheck the source directory is not writable when the build directory
is cleaned, so setup.py can't be created (to just get removed again anyway
if VICI and the Python Eggs haven't been enabled previously).
|
| |
|
|
|
|
|
|
|
|
|
| |
Instead of just implicitly destroying the old SA we properly delete it to
notify the other peer (if the other peer keeps the SA up after the
reauthentication and sends DPDs it might consider us dead even though the
new SA is up, that seems to be the case with racoon). We delay the DELETE
a bit to give the other peer time to get the new SA fully established.
Since DELETE messages are not retransmitted it is still possible that
the other peer misses that we deleted the SA.
|
| |
|
|
|
| |
This was useful for testing purposes of RADIUS accounting, but OS kernels
generally will use the latest SA, so we do the same.
|
| | |
|
| | |
|
| |
|
|
|
|
| |
The interface is currently not very nice, but if we ever were able to
safely checkout multiple SAs concurrently we could add something similar
to ike_rekey() and call that when we detect a reauthentication.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
There are several situations that the previous code didn't handle that
well, for example, interim updates during rekeying (until the rekeyed SA
was deleted the numbers were too high, then suddenly dropped afterwards),
or rekeying for IKEv1 in general because rekeyed IPsec SAs stay installed
until they expire (so if they were still around when the IKE_SA was
terminated, the reported numbers in the Stop message were too high).
If intermediate updates are not used the cache entries for rekeyed
CHILD_SA will accumulate, we can't clean them up as we don't get
child_updown() events for them.
|
| |
|
|
|
|
|
|
|
|
|
| |
If we sent retransmits for a message and didn't receive a response it might
still arrive later. Such a message will be queued on the socket. The next
read will then return not the expected response but the one for the earlier
request. For this message the verification will fail and the message gets
discarded. But with the earlier code the actual response was never received.
Instead, a subsequent request resulted in the same failure and so on.
Fixes #838.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
The only purpose of starter is to control the IKE daemon, so we
terminate it if the daemon executable is not found (e.g. because
DAEMON_NAME is incorrect).
This removes the charonstart setting (it was not actually configurable
anymore).
|
| |
|
|
|
|
| |
Since the removal of pluto this is quite superfluous. The flag itself
might be useful to avoid starting charon if the executable does not
exist for some reason (e.g. if DAEMON_NAME is incorrect).
|
| |
|
|
| |
It segfaults immediately if it is enabled, at least on Ubuntu 14.04.
|
| |
|
|
|
| |
Since another nonce gets allocated later (if any was allocated already)
this would have resulted in a leaked nonce context ID when used in charon-tkm.
|
| |
|
|
| |
As with ike-init we can't return NULL in the task constructor.
|
| |
|
|
|
|
| |
Returning FAILED in the constructor is wrong, but returning NULL doesn't work
either as it's currently assumed tasks always can be created.
Therefore, delay this check until we actually try to allocate a nonce.
|
| | |
|
| |
|
|
|
|
|
| |
As we now pass the vici connection to the command dispatcher callback, we can't
parse the --uri option to create the connection from the same callback. Instead
pre-process the common command options in a separate loop, and ignore the same
options while processing the actual command.
|
| | |
|
| |
|
|
|
|
|
| |
This allows to control the life-cycle of a nonce in the context of the
ike init task. In the TKM use-case the nonce generator cannot be
destroyed before the ike init task is finalized, otherwise the created
nonce is detected as stale.
|
| |
|
|
|
|
|
|
| |
This allows to control the life-cycle of a nonce in the context of the
child create task. In the TKM use-case, it is required to reset the
nonce context if the created nonce is not consumed. This happens if the
child SA negotiation fails and it is detected before the SA is
established via the TKM kernel plugin (i.e. rekey collision).
|
| |
|
|
|
|
|
|
|
|
|
| |
If the nonce generator detects a stale nonce upon destroy(), it resets
the context in the TKM and releases associated resources in the ID
manager and chunk map.
Also, do not acquire the nonce context ID in tkm_nonceg_create function
but rather when the nonce is actually created by get_nonce().
The nonces created with get_nonce must also be registered in the chunk map.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
In the case that multiple ESAs exist (e.g. rekey collision) for a
security policy, make sure to select one of the remaining ESAs.
|
| |
|
|
|
| |
The function gets the ESA id for another entry associated with the same
security policy as the specified ESA.
|
| |
|
|
|
|
| |
Use the new is_first boolean parameter of the
ALERT_KEEP_ON_CHILD_SA_FAILURE alert to determine if the failure was
caused by the first CHILD SA.
|
| |
|
|
|
| |
The parameter indicates if the alert is raised upon failure to establish
the first CHILD SA of an IKE SA.
|
| |
|
|
|
| |
Commit f5fc592 added the reqid to the SAD. The insert call swapped the
order of the esa_id and reqid parameters.
|
| |
|
|
|
|
|
|
| |
If id is not specified and certificate authentication is used, use the
certificate subject name as identity. Simplifies configuration as in most cases
this is the right thing to do.
Signed-off-by: Timo Teräs <timo.teras@iki.fi>
|
| |
|
|
| |
Signed-off-by: Timo Teräs <timo.teras@iki.fi>
|
