tteras/strongswan/src/libcharon/network, branch master tteras' strongSwan tree receiver: Restrict init limit to half-open SAs as responder 2017-05-23T15:53:20+00:00 Thomas Egerer thomas.egerer@secunet.com 2017-03-10T09:45:48+00:00 3a67df3b10ffb29c880823572b8fa01787931bdb Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com> 
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
Use standard unsigned integer types 2016-03-24T17:52:48+00:00 Andreas Steffen andreas.steffen@strongswan.org 2016-03-22T12:22:01+00:00 b12c53ce77beb8e04b044d0c0dc9249ddba72200 






libhydra: Move kernel interface to libcharon
2016-03-03T16:36:11+00:00

Tobias Brunner
tobias@strongswan.org

2016-02-12T14:30:18+00:00

8394ea2a42eb23ba22471d913dcf47e6067109e1

This moves hydra->kernel_interface to charon->kernel.





This moves hydra->kernel_interface to charon->kernel.







ike: Only consider number of half-open SAs as responder when deciding whether COOKIEs are sent
2015-08-27T09:18:51+00:00

Tobias Brunner
tobias@strongswan.org

2015-08-24T10:18:16+00:00

735f929ca72cd5c563b0669d3fd51156f24b5379












ikev2: Drop IKE_SA_INIT messages that don't have the initiator flag set
2015-08-20T14:05:02+00:00

Tobias Brunner
tobias@strongswan.org

2015-06-10T13:53:08+00:00

47a340e1f7fb2f6e05d7ca350969c4b4e0680cdf

While this doesn't really create any problems it is not 100% correct to
accept such messages because, of course, the sender of an IKE_SA_INIT
request is always the original initiator of an IKE_SA.

We currently don't check the flag later, so we wouldn't notice if the
peer doesn't set it in later messages (ike_sa_id_t.equals doesn't
compare it anymore since we added support for IKEv1, in particular since
17ec1c74de).





While this doesn't really create any problems it is not 100% correct to
accept such messages because, of course, the sender of an IKE_SA_INIT
request is always the original initiator of an IKE_SA.

We currently don't check the flag later, so we wouldn't notice if the
peer doesn't set it in later messages (ike_sa_id_t.equals doesn't
compare it anymore since we added support for IKEv1, in particular since
17ec1c74de).







utils: Use chunk_equals_const() for all cryptographic purposes
2015-04-14T10:02:51+00:00

Martin Willi
martin@revosec.ch

2015-04-11T13:56:42+00:00

161a015782dbd7acf291f621d50cde24a6ed813d












receiver: Send a single INVALID_MAJOR_VERSION notify for IKE version > 2
2014-07-17T07:35:49+00:00

Martin Willi
martin@revosec.ch

2014-07-17T07:32:22+00:00

75122b90bbc5985f1427fcef98742c296da93b94

We sent both a notify using IKEv1 and IKEv2. This is a little more aggressive
than required, RFC 5996 says we "SHOULD send an unauthenticated Notify
message of type INVALID_MAJOR_VERSION containing the highest (closest) version
number it supports".

Fixes #657.





We sent both a notify using IKEv1 and IKEv2. This is a little more aggressive
than required, RFC 5996 says we "SHOULD send an unauthenticated Notify
message of type INVALID_MAJOR_VERSION containing the highest (closest) version
number it supports".

Fixes #657.







payload: Use common prefixes for all payload type identifiers
2014-06-04T13:53:03+00:00

Martin Willi
martin@revosec.ch

2013-10-29T09:09:39+00:00

3ecfc83c6be2e96d01bf8ee805737e9e14262a01

The old identifiers did not use a proper namespace and often clashed with
other defines.





The old identifiers did not use a proper namespace and often clashed with
other defines.







libcharon: Use lib->ns instead of charon->name
2014-02-12T13:34:32+00:00

Tobias Brunner
tobias@strongswan.org

2014-01-22T14:18:58+00:00

d223fe807a0a7fe6f358420256d11d407f7c9f07












Remove HASH_PREFERRED, usages are replaced with HASH_SHA1, which is required for IKEv2 anyway
2013-10-11T13:13:25+00:00

Tobias Brunner
tobias@strongswan.org

2013-10-03T08:14:49+00:00

e2c9a03d15144293d3e7559a3d7d22d3776f4eb3