aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
| * connmark: Add a plugin stubMartin Willi2015-02-205-0/+154
|/
* load-tester: Support initiating XAuth authenticationMartin Willi2015-02-201-0/+22
| | | | | | | | As with other configuration backends, XAuth is activated with a two round client authentication using pubkey and xauth. In load-tester, this is configured with initiator_auth=pubkey|xauth. Fixes #835.
* Merge branch 'make-before-break'Martin Willi2015-02-2047-99/+597
|\ | | | | | | | | Introduce an alternative make-before-break reauthentication scheme in addition to the traditional break-before-make.
| * NEWS: Introduce make-before-break reauthenticationMartin Willi2015-02-201-0/+9
| |
| * testing: Update description and test evaluation of host2host-transport-natMartin Willi2015-02-203-9/+8
| | | | | | | | | | | | | | | | As we now reuse the reqid for identical SAs, the behavior changes for transport connections to multiple peers behind the same NAT. Instead of rejecting the SA, we now have two valid SAs active. For the reverse path, however, sun sends traffic always over the newer SA, resembling the behavior before we introduced explicit SA conflicts for different reqids.
| * testing: Be a little more flexible in testing for established CHILD_SA modesMartin Willi2015-02-208-21/+21
| | | | | | | | | | As we now print the reqid parameter in the CHILD_SA details, adapt the grep to still match the CHILD_SA mode and protocol.
| * testing: Add a test scenario for make-before-break reauth using a virtual IPMartin Willi2015-02-209-0/+100
| |
| * testing: Add a test scenario for make-before-break reauth without a virtual IPMartin Willi2015-02-209-0/+97
| |
| * mem-pool: Pass the remote IKE address, to re-acquire() an address during reauthMartin Willi2015-02-207-55/+87
| | | | | | | | | | | | | | | | | | | | | | With make-before-break IKEv2 re-authentication, virtual IP addresses must be assigned overlapping to the same peer. With the remote IKE address, the backend can detect re-authentication attempts by comparing the remote host address and port. This allows proper reassignment of the virtual IP if it is re-requested. This change removes the mem-pool.reassign_online option, as it is obsolete now. IPs get automatically reassigned if a peer re-requests the same address, and additionally connects from the same address and port.
| * ikev2: Schedule a make-before-break completion task to delete old IKE_SAMartin Willi2015-02-208-1/+174
| |
| * ikev2: Allow task to skip exchange by setting undefined exchange typeMartin Willi2015-02-201-0/+5
| |
| * ikev2: Trigger make-before-break reauthentication instead of reauth taskMartin Willi2015-02-203-2/+89
| |
| * ike-sa-manager: Use IKEv1 uniqueness reauthentication detection for IKEv2, tooMartin Willi2015-02-201-12/+8
|/
* Merge branch 'attr-migrate'Martin Willi2015-02-2078-1266/+382
|\ | | | | | | | | | | | | Migrates the attribute framework and associated plugins from libhydra back to libcharon. libcharon is the only user of this framework since pluto is gone. With these changes, we can pass the full IKE_SA state to attribute providers and handlers, bringing more flexibility to these plugins.
| * attribute-handler: Pass full IKE_SA to handler backendsMartin Willi2015-02-2010-79/+61
| |
| * attribute-provider: Pass full IKE_SA to provider backendsMartin Willi2015-02-2010-65/+55
| |
| * attribute-manager: Pass full IKE_SA to handler methodsMartin Willi2015-02-205-23/+28
| |
| * attribute-manager: Pass the full IKE_SA to provider methodsMartin Willi2015-02-205-23/+32
| |
| * unit-tester: Drop the old unit-tester libcharon pluginMartin Willi2015-02-2014-957/+0
| | | | | | | | | | | | While it has some tests that we don't directly cover with the new unit tests, most of them require special infrastructure and therefore have not been used for a long time.
| * attributes: Move the configuration attributes framework to libcharonMartin Willi2015-02-2040-129/+119
| |
| * libcharon: Add a test runnerMartin Willi2015-02-206-0/+97
| |
| * attr-sql: Move plugin to libcharonMartin Willi2015-02-209-13/+16
| |
| * attr: Move plugin to libcharonMartin Willi2015-02-209-15/+13
| |
| * resolve: Move plugin back to libcharonMartin Willi2015-02-208-12/+11
|/ | | | Since pluto is gone, all existing users build upon libcharon.
* Merge branch 'tkm-reqid-alloc'Martin Willi2015-02-2022-46/+266
|\ | | | | | | | | Fixes expires raised by charon-tkm to actually use a proto/dst/SPI tuple to identify CHILD_SAs.
| * testing: Add tkm xfrmproxy-expire testReto Buerki2015-02-2011-0/+121
| | | | | | | | | | | | This test asserts that the handling of XFRM expire messages from the kernel are handled correctly by the xfrm-proxy and the Esa Event Service (EES) in charon-tkm.
| * testing: Assert ees acquire messages in xfrmproxy testsReto Buerki2015-02-202-0/+2
| |
| * charon-tkm: Use get_dst_host getter in EES callbackReto Buerki2015-02-201-4/+14
| | | | | | | | | | | | Use the new get_dst_host getter to retrieve the destination host from the SAD using the reqid, spi and protocol values received from the xfrm-proxy.
| * charon-tkm: Add get_dst_host getter to SADReto Buerki2015-02-203-0/+79
| | | | | | | | | | This function returns the destination host of an SAD entry for given reqid, spi and protocol arguments or NULL if not found.
| * charon-tkm: Improve SAD get_esa_id log messagesReto Buerki2015-02-201-4/+4
| |
| * charon-tkm: Store reqid in SADReto Buerki2015-02-204-15/+26
| |
| * charon-tkm: Store remote SPI in SADReto Buerki2015-02-201-1/+1
| | | | | | | | | | | | | | | | | | Store the remote instead of the local SPI in the SAD when adding a new entry in the kernel plugin's add_sa() function. Since only one ESA context must be destroyed for an inbound/outbound CHILD SA pair, it does not matter which SPI is used to retrieve it in the del_sa function.
| * charon-tkm: Make CHILD/ESP SA database publicReto Buerki2015-02-203-22/+15
| | | | | | | | | | Make the CHILD/ESP SA database a public member of the global tkm_t struct.
| * charon-tkm: Fix logger entity name in tests.cReto Buerki2015-02-201-2/+2
| | | | | | | | Change 'test_runner' to 'test-runner'.
| * testing: Assert proper ESA deletionReto Buerki2015-02-201-0/+4
|/ | | | | Extend the tkm/host2host-initiator testcase by asserting proper ESA deletion after connection shutdown.
* Merge branch 'reqid-alloc'Martin Willi2015-02-2073-529/+1798
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | With these changes, charon dynamically allocates reqids for CHILD_SAs. This allows the reuse of reqids for identical policies, and basically allows multiple CHILD_SAs with the same selectors. As reqids do not uniquely define a CHILD_SA, a new unique identifier for CHILD_SAs is introduced, and the kernel backends use a proto/dst/SPI tuple to identify CHILD_SAs. charon-tkm is not yet updated and expires are actually broken with this merge. As some significant refactorings are required, this is fixed using a separate merge. References #422, #431, #463.
| * ike: Consistently log CHILD_SAs with their unique_id instead of their reqidMartin Willi2015-02-208-11/+13
| |
| * unity: Reference IKE_SAs by the IKEv1 COOKIEs, improving lookup performanceMartin Willi2015-02-203-14/+17
| | | | | | | | | | When handling thousands of IKE_SAs, the unique ID based lookup is rather slow, as we have no indexing.
| * ike-sa-manager: Remove IKE_SA checkout by CHILD_SA reqidMartin Willi2015-02-205-40/+16
| |
| * migrate-job: Do CHILD_SA reqid lookup locallyMartin Willi2015-02-202-26/+21
| |
| * kernel-interface: Raise mapping event with a proto/SPI/dst tupleMartin Willi2015-02-208-41/+75
| |
| * inactivity-job: Schedule job by CHILD_SA unique ID instead of reqidMartin Willi2015-02-204-23/+17
| |
| * charon-tkm: Fix compilation of ees_callback.cReto Buerki2015-02-201-3/+5
| | | | | | | | | | | | Update the call to hydra->kernel_interface->expire to make ees_callback.c compile again. The required destination host argument is set to NULL for now.
| * kernel-interface: Raise expires with a proto/SPI/dst tuple instead of reqidMartin Willi2015-02-2020-118/+124
| |
| * controller: Use the CHILD_SA unique_id to terminate CHILD_SAsMartin Willi2015-02-206-38/+24
| |
| * swanctl: List CHILD_SA unique ID as the primary identifier, but print reqid, tooMartin Willi2015-02-201-2/+2
| |
| * stroke: List CHILD_SA unique ID as the primary identifier, but print reqid, tooMartin Willi2015-02-201-5/+6
| |
| * vici: Include the CHILD_SA unique ID in list-sa eventMartin Willi2015-02-202-0/+2
| |
| * ike: Maintain per-IKE_SA CHILD_SAs in the global CHILD_SA managerMartin Willi2015-02-203-19/+92
| |
| * child-sa-manager: Add a global manager storing CHILD_SA relationsMartin Willi2015-02-206-1/+432
| | | | | | | | | | | | To quickly check out IKE_SAs and find associated CHILD_SAs, the child_sa_manager stores relations between CHILD_SAs and IKE_SAs. It provides CHILD_SA specific IKE_SA checkout functions wrapping the ike_sa_manager.
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-20 16:11:54 +0000