ims-volte-vowifi
/
strongswan
9
0
Fork 0
Code Pull Requests Releases Activity
strongswan/src
History
Martin Willi 0020b25a45 ikev2: Enforce remote authentication config before proceeding with own authentication 
Previously the constraints in the authentication configuration of an
initiator were enforced only after all authentication rounds were
complete.  This posed a problem if an initiator used EAP or PSK
authentication while the responder was authenticated with a certificate
and if a rogue server was able to authenticate itself with a valid
certificate issued by any CA the initiator trusted.

Because any constraints for the responder's identity (rightid) or other
aspects of the authentication (e.g. rightca) the initiator had were not
enforced until the initiator itself finished its authentication such a rogue
responder was able to acquire usernames and password hashes from the client.
And if a client supported EAP-GTC it was even possible to trick it into
sending plaintext passwords.

This patch enforces the configured constraints right after the responder's
authentication successfully finished for each round and before the initiator
starts with its own authentication.

Fixes CVE-2015-4171.
 		2015-06-05 13:44:42 +02:00
..
_copyright lib: Add global config namespace 2014-02-12 14:34:31 +01:00
_updown _updown: Remove obsolete stuff from default script 2015-03-06 16:51:50 +01:00
aikgen aikgen generates AIK private/public key pairs 2014-05-03 15:28:17 +02:00
charon settings: Use strongswan.conf used during library initialization for reload 2014-09-22 13:40:39 +02:00
charon-cmd settings: Use strongswan.conf used during library initialization for reload 2014-09-22 13:40:39 +02:00
charon-nm charon-nm: Disable leak-detective in charon-nm 2015-05-05 17:53:47 +02:00
charon-svc windows: Use WINAPI call convention for Windows API callbacks 2014-06-06 16:28:28 +02:00
charon-systemd charon-systemd: Optionally load plugin list from charon-systemd.load 2015-03-19 18:37:24 +01:00
charon-tkm charon-tkm: Also store local SPI in SAD 2015-05-04 18:07:52 +02:00
checksum Merged libpts into libimcv 2014-10-05 12:55:37 +02:00
conftest kernel-interface: Raise expires with a proto/SPI/dst tuple instead of reqid 2015-02-20 13:34:50 +01:00
dumm dumm: Fix -Wformat warning in ruby extension 2014-12-10 14:29:19 +01:00
frontends osx: Include eap-gtc plugin in build instructions 2015-03-16 09:27:18 +01:00
include kernel-netlink: Check existence of linux/fib_rules.h, don't include it in distribution 2013-10-18 09:52:54 +02:00
ipsec ipsec: Update rereadcacerts/aacerts command description in manpage 2015-03-03 13:50:26 +01:00
libcharon ikev2: Enforce remote authentication config before proceeding with own authentication 2015-06-05 13:44:42 +02:00
libfast plugins: Don't link with -rdynamic on Windows 2014-06-04 15:53:02 +02:00
libhydra kernel-netlink: Ignore unusable routes 2015-05-21 14:19:53 +02:00
libimcv Updated SWID attribute list 2015-06-02 06:51:41 +02:00
libipsec libipsec: Insert SAs first, so latest SA with the same reqid gets used 2015-05-21 15:38:31 +02:00
libpttls utils: Use chunk_equals_const() for all cryptographic purposes 2015-04-14 12:02:51 +02:00
libradius libradius: Verify message ID of RADIUS responses 2015-05-21 14:30:11 +02:00
libsimaka libsimaka: Link against Winsock2 on Windows 2015-04-13 09:31:28 +02:00
libstrongswan unit-tests: Add tests for iv_gen_seq_t 2015-06-05 13:44:42 +02:00
libtls libtls: As client, reject DH exchanges using primes smaller than 1024 bit 2015-05-26 11:36:24 +02:00
libtnccs Fixed PB-TNC directionality debug message 2015-04-24 11:16:16 +02:00
libtncif Make access requestor IP address available to TNC server 2015-03-08 17:17:11 +01:00
manager plugins: Don't link with -rdynamic on Windows 2014-06-04 15:53:02 +02:00
medsrv plugins: Don't link with -rdynamic on Windows 2014-06-04 15:53:02 +02:00
pki pki: Choose default digest based on the signature key 2015-03-23 17:22:31 +01:00
pool attr-sql: Move plugin to libcharon 2015-02-20 13:34:55 +01:00
pt-tls-client Optionally announce PB-TNC mutual protocol capability 2015-03-23 22:25:43 +01:00
scepclient android: Add all Android.mk files to the tarball 2014-06-06 10:12:26 +02:00
starter stroke: Dynamically resize stroke messages 2015-05-22 10:40:15 +02:00
stroke stroke: Dynamically resize stroke messages 2015-05-22 10:40:15 +02:00
swanctl swanctl: Fix --uri option 2015-05-05 10:46:48 +02:00
Makefile.am Remove obsolete _updown_espmark script 2015-03-06 16:51:50 +01:00