aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon/sa/child_sa.c
Commit message (Collapse)AuthorAgeFilesLines
* child-sa: Set replay window on both inbound and outbound SAMartin Willi2014-06-181-6/+2
| | | | | | | | While the outbound SA actually does not need a replay window, the kernel rejects zero replay windows on SAs using ESN. The ESN flag is required to use the full sequence number in ICV calculation, hence we set the replay window. This restores the behavior we had before 30c009c2.
* kernel-interface: Add a replay_window parameter to add_sa()Martin Willi2014-06-171-2/+6
|
* child-sa: Pass the number of total policies tied to an SA to the kernelMartin Willi2014-06-041-0/+8
| | | | | This will be useful if the kernel backend has to know how many policies follow an SA install, for example if it must install all policies concurrently.
* kernel-interface: Add a flag to indicate no policy updates requiredMartin Willi2014-06-041-3/+14
|
* child-sa: Reclaim old state if SA updating is not supportedMartin Willi2014-05-091-0/+2
| | | | | If the state stays at UPDATING, the fallback using IKEv1 rekeying fails as the task manager refuses to rekey a CHILD_SA in non-INSTALLED state.
* child-sa: Add a getter for CHILD_SA install timeMartin Willi2014-01-231-0/+13
|
* kernel: Use a time_t to report use time in query_policy()Martin Willi2013-10-111-2/+2
|
* kernel: Use a time_t to report use time in query_sa()Martin Willi2013-10-111-3/+3
|
* child-sa: Save protocol during SPI allocationMartin Willi2013-10-111-6/+3
| | | | | This allows us to properly delete the incomplete SA with the correct protocol should negotiation fail.
* child-sa: refactor proxy transport mode address lookupMartin Willi2013-07-171-56/+42
|
* child-sa: replace traffic selector lists by arraysMartin Willi2013-07-171-18/+19
| | | | Saves up to another 0.5KB of memory per CHILD_SA.
* child-sa: replace get_traffic_selectors() with create_ts_enumerator()Martin Willi2013-07-171-4/+8
| | | | | Not directly returning a linked list allows us to change the internals of the CHILD_SA transparently.
* ike: reuse the reqid of an installed trap having the same configMartin Willi2013-06-191-1/+5
| | | | | | | When we have a trap installed, but a CHILD_SA gets established for the same config from the peer, we should reuse the same reqid. Otherwise we would have two identical policies using different reqids, what we can't handle in our kernel backend.
* kernel-interface: add an exchange initiator parameter to add_sa()Martin Willi2013-06-111-4/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This new flag gives the kernel-interface a hint how it should priorize the use of newly installed SAs during rekeying. Consider the following rekey procedure in IKEv2: Initiator --- Responder I1 -------CREATE-------> R1 I2 <------CREATE-------- -------DELETE-------> R2 I3 <------DELETE-------- SAs are always handled as pairs, the following happens at the SA level: * Initiator starts the exchange at I1 * Responder installs new SA pair at R1 * Initiator installs new SA pair at I2 * Responder removes old SA pair at R2 * Initiator removes old SA pair at I3 This makes sure SAs get installed/removed overlapping during rekeying. However, to avoid any packet loss, it is crucial that the new outbound SA gets activated at the correct position: * as exchange initiator, in I2 * as exchange responder, in R2 This should guarantee that we don't use the new outbound SA before the peer could install its corresponding inbound SA. The new parameter allows the kernel backend to install the new SA with appropriate priorities, i.e. it should: * as exchange inititator, have the new outbound SA installed with higher priority than the old SA * as exchange responder, have the new outbound SA installed with lower priority than the old SA While we could split up the SA installation at the responder, this approach has another advantage: it allows the kernel backend to switch SAs based on other criteria, for example when receiving traffic on the new inbound SA.
* Use ref_get() to make sure CHILD_SA reqids are uniqueMartin Willi2013-06-111-2/+9
|
* kernel-interface: query SAD for last use time if SPD query didn't yield oneMartin Willi2013-05-061-5/+19
|
* child-sa: query SAD/SPD just for what we actually need to update statisticsMartin Willi2013-05-061-2/+5
|
* child-sa: pass traffic selector to add_sa() regardless of IPsec modeMartin Willi2013-05-061-14/+11
| | | | | This lets the kernel backend decide what to do with it, and in fact all kernel interfaces already handle this correctly.
* child_sa_t.get_usestats() can additionally return the number of processed ↵Martin Willi2013-03-141-1/+6
| | | | packets
* kernel_ipsec_t.query_sa() additionally returns the number of processed packetsMartin Willi2013-03-141-3/+15
|
* Don't wait while removing external IPs used for load testingMartin Willi2012-11-291-1/+1
|
* Install virtual IPs via interface name, and use an interface lookup where ↵Martin Willi2012-11-291-2/+9
| | | | required
* Add an optional kernel-interface parameter to install IPs with a custom prefixMartin Willi2012-11-291-2/+2
|
* Derive a dynamic TS to multiple virtual IPsMartin Willi2012-09-181-3/+7
|
* Support multiple virtual IPs on peer_cfg and ike_sa classesMartin Willi2012-08-301-9/+12
|
* Store shorter soft lifetime of in- and outbound SAs onlyMartin Willi2012-06-081-1/+8
|
* Mark CHILD_SAs used for trap policies to uninstall them properly.Tobias Brunner2012-06-041-6/+13
| | | | | | | If the installation failed the state is not CHILD_ROUTED which means the wrong priority is used to uninstall the policies. This is a problem for kernel interfaces that keep track of installed policies as now the proper policy is not found (if the priority is considered).
* Added a getter for CHILD_SA marksMartin Willi2012-03-221-0/+11
|
* Define a special XFRM mark_t.value that dynamically uses the CHILD_SA reqidMartin Willi2012-03-221-0/+9
|
* typos: initator->initiator, authenticaion->authentication.Tobias Brunner2011-08-151-1/+1
|
* Update fallback drop policies if required.Tobias Brunner2011-07-291-2/+20
|
* Install fallback drop policies for all three directions.Tobias Brunner2011-07-281-65/+66
|
* Install fallback drop policies to avoid transmitting unencrypted packets.Tobias Brunner2011-07-271-0/+17
| | | | | | | During the update of a CHILD_SA (e.g. caused by MOBIKE) the old policy is first uninstalled and then the new one is installed. In the short time in between, where no policy is available in the kernel, unencrypted packets could have been transmitted.
* Remove policies in kernel interfaces based on their priority.Tobias Brunner2011-07-271-15/+21
| | | | | | This allows to unroute a connection while the same connection is currently established. In this case both CHILD_SAs share the same reqid but the installed policies have different priorities.
* Add the reqid to kernel_ipsec_t.del_policy.Tobias Brunner2011-07-061-6/+12
|
* Install ESN SAs if such a proposal has been negotiatedMartin Willi2011-04-201-1/+4
|
* Added an esn parameter to the kernel interface add_sa functionsMartin Willi2011-04-201-1/+1
|
* Do not use TFC padding if peer does not support ESPv3Martin Willi2010-12-201-2/+5
|
* Added a TFC padding option to child_cfgMartin Willi2010-12-201-0/+2
|
* Implemented Traffic Flow Confidentiality padding in kernel_interfaceMartin Willi2010-12-201-1/+2
|
* Install selectors on transport mode IPsec SAs.Jiri Bohac2010-12-131-1/+1
| | | | | | | | | | | | | | | | This fixes several test cases in IKEv2_Self_Test (part of the IPv6 Ready Logo Program) which is required for USGv6 certification, namely: - IKEv2.EN.I.1.1.7.1, IKEv2.EN.I.1.1.7.1: Narrowing the range of members of the set of traffic selectors - IKEv2.EN.R.1.1.7.3: Narrowing multiple traffic selector When traffic selectors of a triggered SA are narrowed by the responder, the installed policy and the broader trap policy share the same reqid. Without selectors on the IPsec SA packets matching the trap policy, but not the narrowed policy, would incorrectly be handled by that IPsec SA. Since only one selector can be specified per IPsec SA, there is currently no solution for tunnel mode SAs.
* Adapted child_sa_t to changed kernel interface.Tobias Brunner2010-09-021-25/+49
|
* Added an option to specify the type of a policy to kernel_ipsec.add_policy.Tobias Brunner2010-09-021-18/+18
| | | | | This will later allow us to support pluto's passthrough and drop policies in charon.
* Replaced the protocol argument in add_policy with an optional SPI for an AH SA.Tobias Brunner2010-09-021-18/+37
|
* Refer to kernel interface via hydra and not charon.Tobias Brunner2010-09-021-31/+32
|
* Removed references to protocol_id_t from kernel interface.Tobias Brunner2010-09-021-37/+65
| | | | | Instead we use the actual IP protocol identifier (the conversion now happens in child_sa_t and kernel_handler_t).
* Migrated child_sa_t to INIT/METHOD macros.Tobias Brunner2010-09-021-202/+132
|
* support of xfrm marks for IKEv2Andreas Steffen2010-07-021-34/+48
|
* Wrap getters for dpd/close action into CHILD_SA, allows us to override themMartin Willi2010-06-021-0/+48
|
* Use reqid from connection config if present.Reto Buerki2010-05-041-2/+6
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-01 21:56:59 +0000