summaryrefslogtreecommitdiff
path: root/src/libcharon/sa/ikev1
diff options
context:
space:
mode:
authorYves-Alexis Perez <corsac@debian.org>2018-06-04 09:59:21 +0200
committerYves-Alexis Perez <corsac@debian.org>2018-06-04 09:59:21 +0200
commit51a71ee15c1bcf0e82f363a16898f571e211f9c3 (patch)
tree2a03e117d072c55cfe2863d26b73e64d933e7ad8 /src/libcharon/sa/ikev1
parent7793611ee71b576dd9c66dee327349fa64e38740 (diff)
downloadvyos-strongswan-51a71ee15c1bcf0e82f363a16898f571e211f9c3.tar.gz
vyos-strongswan-51a71ee15c1bcf0e82f363a16898f571e211f9c3.zip
New upstream version 5.6.3
Diffstat (limited to 'src/libcharon/sa/ikev1')
-rw-r--r--src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c27
-rw-r--r--src/libcharon/sa/ikev1/iv_manager.c2
-rw-r--r--src/libcharon/sa/ikev1/iv_manager.h2
-rw-r--r--src/libcharon/sa/ikev1/keymat_v1.c2
-rw-r--r--src/libcharon/sa/ikev1/keymat_v1.h2
-rw-r--r--src/libcharon/sa/ikev1/tasks/aggressive_mode.c2
-rw-r--r--src/libcharon/sa/ikev1/tasks/isakmp_delete.c2
-rw-r--r--src/libcharon/sa/ikev1/tasks/isakmp_natd.c2
-rw-r--r--src/libcharon/sa/ikev1/tasks/isakmp_natd.h2
-rw-r--r--src/libcharon/sa/ikev1/tasks/isakmp_vendor.c2
-rw-r--r--src/libcharon/sa/ikev1/tasks/main_mode.c2
-rw-r--r--src/libcharon/sa/ikev1/tasks/quick_delete.c3
-rw-r--r--src/libcharon/sa/ikev1/tasks/quick_mode.c24
-rw-r--r--src/libcharon/sa/ikev1/tasks/quick_mode.h2
14 files changed, 57 insertions, 19 deletions
diff --git a/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c b/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c
index 41be15a08..9e5833efc 100644
--- a/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c
+++ b/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c
@@ -18,6 +18,7 @@
#include <daemon.h>
#include <sa/ikev1/keymat_v1.h>
#include <encoding/payloads/hash_payload.h>
+#include <credentials/certificates/x509.h>
typedef struct private_pubkey_v1_authenticator_t private_pubkey_v1_authenticator_t;
@@ -130,6 +131,29 @@ METHOD(authenticator_t, build, status_t,
return status;
}
+/**
+ * Check if the end-entity certificate, if any, is compliant with RFC 4945
+ */
+static bool is_compliant_cert(auth_cfg_t *auth)
+{
+ certificate_t *cert;
+ x509_t *x509;
+
+ cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
+ if (!cert || cert->get_type(cert) != CERT_X509)
+ {
+ return TRUE;
+ }
+ x509 = (x509_t*)cert;
+ if (x509->get_flags(x509) & X509_IKE_COMPLIANT)
+ {
+ return TRUE;
+ }
+ DBG1(DBG_IKE, "rejecting certificate without digitalSignature or "
+ "nonRepudiation keyUsage flags");
+ return FALSE;
+}
+
METHOD(authenticator_t, process, status_t,
private_pubkey_v1_authenticator_t *this, message_t *message)
{
@@ -176,7 +200,8 @@ METHOD(authenticator_t, process, status_t,
id, auth, TRUE);
while (enumerator->enumerate(enumerator, &public, &current_auth))
{
- if (public->verify(public, scheme, NULL, hash, sig))
+ if (public->verify(public, scheme, NULL, hash, sig) &&
+ is_compliant_cert(current_auth))
{
DBG1(DBG_IKE, "authentication of '%Y' with %N successful",
id, signature_scheme_names, scheme);
diff --git a/src/libcharon/sa/ikev1/iv_manager.c b/src/libcharon/sa/ikev1/iv_manager.c
index 2a6e5c04f..c48a0deb1 100644
--- a/src/libcharon/sa/ikev1/iv_manager.c
+++ b/src/libcharon/sa/ikev1/iv_manager.c
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2011-2016 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ikev1/iv_manager.h b/src/libcharon/sa/ikev1/iv_manager.h
index c5273fed9..cae4f3508 100644
--- a/src/libcharon/sa/ikev1/iv_manager.h
+++ b/src/libcharon/sa/ikev1/iv_manager.h
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2011-2016 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ikev1/keymat_v1.c b/src/libcharon/sa/ikev1/keymat_v1.c
index 673a7a131..1de05b4ec 100644
--- a/src/libcharon/sa/ikev1/keymat_v1.c
+++ b/src/libcharon/sa/ikev1/keymat_v1.c
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2011 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ikev1/keymat_v1.h b/src/libcharon/sa/ikev1/keymat_v1.h
index ada5bdb04..269816a59 100644
--- a/src/libcharon/sa/ikev1/keymat_v1.h
+++ b/src/libcharon/sa/ikev1/keymat_v1.h
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2011 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ikev1/tasks/aggressive_mode.c b/src/libcharon/sa/ikev1/tasks/aggressive_mode.c
index 9b5f676a3..82d647a6c 100644
--- a/src/libcharon/sa/ikev1/tasks/aggressive_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/aggressive_mode.c
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2012 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* Copyright (C) 2012 Martin Willi
* Copyright (C) 2012 revosec AG
diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_delete.c b/src/libcharon/sa/ikev1/tasks/isakmp_delete.c
index df0293d4f..e4379cabf 100644
--- a/src/libcharon/sa/ikev1/tasks/isakmp_delete.c
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_delete.c
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2015 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* Copyright (C) 2011 Martin Willi
* Copyright (C) 2011 revosec AG
diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_natd.c b/src/libcharon/sa/ikev1/tasks/isakmp_natd.c
index d17948cd0..81e63740e 100644
--- a/src/libcharon/sa/ikev1/tasks/isakmp_natd.c
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_natd.c
@@ -2,7 +2,7 @@
* Copyright (C) 2006-2011 Tobias Brunner,
* Copyright (C) 2006-2007 Martin Willi
* Copyright (C) 2006 Daniel Roethlisberger
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_natd.h b/src/libcharon/sa/ikev1/tasks/isakmp_natd.h
index 63947fc73..aec8f85bf 100644
--- a/src/libcharon/sa/ikev1/tasks/isakmp_natd.h
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_natd.h
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2011 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c b/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c
index dc86fc504..6a296f221 100644
--- a/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c
@@ -1,7 +1,7 @@
/*
* Copyright (C) 2012-2013 Tobias Brunner
* Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ikev1/tasks/main_mode.c b/src/libcharon/sa/ikev1/tasks/main_mode.c
index 4c16adba3..1f764e547 100644
--- a/src/libcharon/sa/ikev1/tasks/main_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/main_mode.c
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2011-2012 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* Copyright (C) 2011 Martin Willi
* Copyright (C) 2011 revosec AG
diff --git a/src/libcharon/sa/ikev1/tasks/quick_delete.c b/src/libcharon/sa/ikev1/tasks/quick_delete.c
index 66ef50811..0191a45a8 100644
--- a/src/libcharon/sa/ikev1/tasks/quick_delete.c
+++ b/src/libcharon/sa/ikev1/tasks/quick_delete.c
@@ -135,6 +135,7 @@ static bool delete_child(private_quick_delete_t *this, protocol_id_t protocol,
my_ts->destroy(my_ts);
other_ts->destroy(other_ts);
+ child_sa->set_state(child_sa, CHILD_DELETED);
if (!rekeyed)
{
charon->bus->child_updown(charon->bus, child_sa, FALSE);
@@ -154,7 +155,7 @@ static bool delete_child(private_quick_delete_t *this, protocol_id_t protocol,
case ACTION_ROUTE:
charon->traps->install(charon->traps,
this->ike_sa->get_peer_cfg(this->ike_sa),
- child_cfg, child_sa->get_reqid(child_sa));
+ child_cfg);
break;
default:
break;
diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c
index 77592e59a..5e5b61e7f 100644
--- a/src/libcharon/sa/ikev1/tasks/quick_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2012-2015 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* Copyright (C) 2011 Martin Willi
* Copyright (C) 2011 revosec AG
@@ -1005,14 +1005,25 @@ static bool has_notify_errors(private_quick_mode_t *this, message_t *message)
/**
* Check if this is a rekey for an existing CHILD_SA, reuse reqid if so
*/
-static void check_for_rekeyed_child(private_quick_mode_t *this)
+static void check_for_rekeyed_child(private_quick_mode_t *this, bool responder)
{
enumerator_t *enumerator, *policies;
- traffic_selector_t *local, *remote;
+ traffic_selector_t *local, *remote, *my_ts, *other_ts;
child_sa_t *child_sa;
proposal_t *proposal;
char *name;
+ if (responder)
+ {
+ my_ts = this->tsr;
+ other_ts = this->tsi;
+ }
+ else
+ {
+ my_ts = this->tsi;
+ other_ts = this->tsr;
+ }
+
name = this->config->get_name(this->config);
enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
while (this->reqid == 0 && enumerator->enumerate(enumerator, &child_sa))
@@ -1026,8 +1037,8 @@ static void check_for_rekeyed_child(private_quick_mode_t *this)
case CHILD_REKEYING:
policies = child_sa->create_policy_enumerator(child_sa);
if (policies->enumerate(policies, &local, &remote) &&
- local->equals(local, this->tsr) &&
- remote->equals(remote, this->tsi) &&
+ local->equals(local, my_ts) &&
+ remote->equals(remote, other_ts) &&
this->proposal->equals(this->proposal, proposal))
{
this->reqid = child_sa->get_reqid(child_sa);
@@ -1165,7 +1176,7 @@ METHOD(task_t, process_r, status_t,
}
}
- check_for_rekeyed_child(this);
+ check_for_rekeyed_child(this, TRUE);
this->child_sa = child_sa_create(
this->ike_sa->get_my_host(this->ike_sa),
@@ -1366,6 +1377,7 @@ METHOD(task_t, process_i, status_t,
{
return send_notify(this, INVALID_PAYLOAD_TYPE);
}
+ check_for_rekeyed_child(this, FALSE);
if (!install(this))
{
return send_notify(this, NO_PROPOSAL_CHOSEN);
diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.h b/src/libcharon/sa/ikev1/tasks/quick_mode.h
index fe684568a..0d4c5b47c 100644
--- a/src/libcharon/sa/ikev1/tasks/quick_mode.h
+++ b/src/libcharon/sa/ikev1/tasks/quick_mode.h
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2015 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* Copyright (C) 2011 Martin Willi
* Copyright (C) 2011 revosec AG
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-15 16:30:12 +0000