aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon/plugins/ha/ha_dispatcher.c
Commit message (Collapse)AuthorAgeFilesLines
* child-sa: Change API used to set/install policiesTobias Brunner2017-05-231-9/+7
| | | | This way we only have to pass the traffic selectors once.
* Use standard unsigned integer typesAndreas Steffen2016-03-241-10/+10
|
* ha: Add DH group to CHILD_ADD messageTobias Brunner2016-02-011-1/+8
| | | | References #1267.
* ha: Add DH group to IKE_ADD messageTobias Brunner2016-02-011-0/+8
| | | | | | | | It is required for IKEv1 to determine the DH group of the CHILD SAs during rekeying. It also fixes the status output for HA SAs, which so far haven't shown the DH group on the passive side. Fixes #1267.
* traffic-selector: Don't end printf'ed list of traffic selectors with a spaceTobias Brunner2015-11-101-1/+1
|
* ha: Properly initialize algo variables when installing CHILD_SAsTobias Brunner2015-08-041-1/+1
| | | | | | | | | | If AEAD algorithms are used no integrity algorithm will be received from the other HA node. But since AUTH_UNDEFINED is 1024 and not 0 this value was incorrectly added to the proposal, resulting in a failure during key derivation. The variables are now explicitly initialized to 0, as already was the case for the IKE SAs. Fixes #1051.
* ha: Sync remote address in HA_IKE_ADD, tooThomas Egerer2015-08-041-0/+10
| | | | | | | | | | | | When the IKE_SA is synced without the remote address, after a reauthentication charon is not able to find it in its connected_peers table since the destination host will be %any (it's missing in the message, hence the default from the newly created ike_sa_t -- %any -- will be used). By adding the value to the HA_IKE_ADD message, we should be able to solve this problem. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* diffie-hellman: Add a bool return value to get_my_public_value()Martin Willi2015-03-231-1/+2
|
* diffie-hellman: Use bool instead of status_t as get_shared_secret() return valueMartin Willi2015-03-231-2/+2
| | | | | While such a change is not unproblematic, keeping status_t makes the API inconsistent once we introduce return values for the public value operations.
* ha: Destroy synced IKE_SA if no configuration is found during updateMartin Willi2015-03-101-0/+3
|
* Revert "ha: Always install the CHILD_SAs with the inbound flag set to FALSE"Martin Willi2015-03-091-2/+2
| | | | | | | | While this change results in the correct add/update flag during installation, it exchanges all other values in the child_sa->install() call. We should pass the correct flag, but determine the add/update flag by other means. This reverts commit e722ee5d.
* ha: Always install the CHILD_SAs with the inbound flag set to FALSEMartin Willi2015-02-271-2/+2
| | | | | | | | | The inbound flag is used to determine if we have to install an update or a new SA in the kernel. As we do not have allocated SPIs and therefore can't update an existing SA in the HA plugin, always set the flag to FALSE. Before 698ed656 we had extra logic for that case, but handling it directly in the HA plugin is simpler.
* ike: Consistently log CHILD_SAs with their unique_id instead of their reqidMartin Willi2015-02-201-1/+1
|
* child-sa: Replace reqid based marks by "unique" marksMartin Willi2015-02-201-1/+2
| | | | | | | | | | | As we now use the same reqid for multiple CHILD_SAs with the same selectors, having marks based on the reqid makes not that much sense anymore. Instead we use unique marks that use a custom identifier. This identifier is reused during rekeying, keeping the marks constant for any rule relying on it (for example installed by updown). This also simplifies handling of reqid allocation, as we do not have to query the marks that is not yet assigned for an unknown reqid.
* ha: Don't adopt IKEv1 children when building without IKEv1 supportMartin Willi2014-08-281-0/+2
| | | | | | | The adopt_children_job_create() function is not available when IKEv1 support is disabled. Fixes uncommon builds using --enable-ha --disable-ikev1. Fixes #690.
* ikev2: Add inherit_pre() to apply config and hosts before IKE_SA rekeyingMartin Willi2014-04-171-8/+2
|
* ha: Fix CHILD_SA installation in ha_dispatcher after adding initiator flagTobias Brunner2013-06-131-4/+8
|
* Clear virtual IPs before storing assigned ones on the IKE_SATobias Brunner2012-09-051-1/+10
| | | | | Otherwise we'll end up with duplicate or invalid VIPs stored on the IKE_SA.
* Support multiple address pools configured on a peer_cfgMartin Willi2012-08-301-6/+7
|
* Support multiple virtual IPs on peer_cfg and ike_sa classesMartin Willi2012-08-301-5/+10
|
* Add a return value to keymat_v1_t.{get,update,confirm}_ivMartin Willi2012-07-161-2/+4
|
* Centralized thread cancellation in processor_tTobias Brunner2012-06-251-9/+3
| | | | | | | | | | This ensures that no threads are active when plugins and the rest of the daemon are unloaded. callback_job_t was simplified a lot in the process as its main functionality is now contained in processor_t. The parent-child relationships were abandoned as these were only needed to simplify job cancellation.
* Merge branch 'ikev1-clean' into ikev1-masterMartin Willi2012-03-201-19/+194
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Conflicts: configure.in man/ipsec.conf.5.in src/libcharon/daemon.c src/libcharon/plugins/eap_ttls/eap_ttls_peer.c src/libcharon/plugins/eap_radius/eap_radius_accounting.c src/libcharon/plugins/eap_radius/eap_radius_forward.c src/libcharon/plugins/farp/farp_listener.c src/libcharon/sa/ike_sa.c src/libcharon/sa/keymat.c src/libcharon/sa/task_manager.c src/libcharon/sa/trap_manager.c src/libstrongswan/plugins/x509/x509_cert.c src/libstrongswan/utils.h Applied lost changes of moved files keymat.c and task_manager.c. Updated listener_t.message hook signature in new plugins.
| * Adopt children after syncing a rekeyed IKEv1 SAMartin Willi2012-03-201-0/+6
| |
| * Sync new IKE_SA condition/extension flagsMartin Willi2012-03-201-0/+4
| |
| * Added support for Phase1 IV synchronization to HA pluginMartin Willi2012-03-201-0/+54
| |
| * Create IKEv1 keymat hasher explicitly on syncMartin Willi2012-03-201-3/+6
| |
| * Added support to sync IKEv1 SAs key material in HA pluginMartin Willi2012-03-201-9/+66
| |
| * Use a more complete implementation of a HA specific diffie_hellman_tMartin Willi2012-03-201-11/+50
| |
| * Apply proposal to a HA synced IKE_SAMartin Willi2012-03-201-0/+1
| |
| * Updated HA plugin to new IKEv2 specific keymat functionsMartin Willi2012-03-201-9/+19
| |
| * Don't compare initiator flag in IKE_SA manager, pass initiator parameter to ↵Martin Willi2012-03-201-1/+2
| | | | | | | | IKE_SA constructor
| * Store IKE version of an SA on ike_sa_t.Tobias Brunner2012-03-201-1/+1
| |
* | Clear peer addresses during HA update.Tobias Brunner2012-03-091-1/+6
| |
* | Renamed list of additional peer addresses as it now stores all known addresses.Tobias Brunner2012-03-091-3/+2
|/
* Sync newer IKE_SA condition/extension flags in ha pluginMartin Willi2011-08-191-0/+5
|
* Use CRITICAL job priority class for long running dispatcher jobsMartin Willi2011-05-161-2/+2
|
* Synchronize ESN support in HA pluginMartin Willi2011-04-201-0/+5
|
* set tfcv3 flag TRUE in ha_dispatcherAndreas Steffen2010-12-261-4/+4
|
* Store proposal number in proposal_t to reuse it in the selected proposalMartin Willi2010-10-281-2/+2
| | | | | According to RFC 5996 3.3.1, we MUST reuse the proposal number of the selected proposal in the SA payload reply.
* Refer to scheduler and processor via lib and not hydra.Tobias Brunner2010-09-021-2/+1
|
* Refer to processor via hydra and not charon.Tobias Brunner2010-09-021-1/+2
|
* Implemented a HA enabled in-memory address poolMartin Willi2010-07-281-1/+26
|
* Reserving does not work, as our pools do not support acquiring arbitrary ↵Martin Willi2010-07-271-30/+0
| | | | | | addresses This reverts commit d1384080b3ba74f366eaf8b5f027babca3f5d607.
* Synchronize EAP-Identity of remote peerMartin Willi2010-07-261-0/+6
|
* Reserve virtual IP of passive IKE_SAs in the local poolMartin Willi2010-07-261-0/+30
|
* Log CHILD_SA segment responsibilityMartin Willi2010-07-261-3/+18
|
* Pass initiator parameter to distinguish between original and exchange initiatorMartin Willi2010-07-261-1/+3
|
* Use a sync message cache to resynchronize IKE_SAs without rekeyingMartin Willi2010-07-261-15/+58
|
* Log received HA message typesMartin Willi2010-07-261-3/+9
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-07-30 01:07:15 +0000