aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon/sa/ikev1
Commit message (Collapse)AuthorAgeFilesLines
* certificate: Return signature scheme and parameters from issued_by() methodTobias Brunner2017-11-081-0/+1
| | | | | This also required some include restructuring (avoid including library.h in headers) to avoid unresolvable circular dependencies.
* private-key: Add optional parameters argument to sign() methodTobias Brunner2017-11-081-1/+1
|
* public-key: Add optional parameters argument to verify() methodTobias Brunner2017-11-081-1/+1
|
* ike: Do not send initial contact only for UNIQUE_NEVERThomas Egerer2017-11-021-2/+1
| | | | Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* ike: Trigger CHILD_INSTALLED state change after corresponding log messageTobias Brunner2017-07-271-4/+3
| | | | | | | | This way we get the log message in stroke and swanctl as last message when establishing a connection. It's already like this for the IKE_SA where IKE_ESTABLISHED is set after the corresponding log message. Fixes #2364.
* ikev1: Only delete redundant CHILD_SAs if configuredTobias Brunner2017-06-261-1/+5
| | | | | | | | | If we find a redundant CHILD_SA (the peer probably rekeyed the SA before us) we might not want to delete the old SA because the peer might still use it (same applies to old CHILD_SAs after rekeyings). So only delete them if configured to do so. Fixes #2358.
* ike: Apply retransmission_limit before applying the jitterTobias Brunner2017-05-261-4/+4
|
* child-sa: Change API used to set/install policiesTobias Brunner2017-05-231-16/+17
| | | | This way we only have to pass the traffic selectors once.
* ike: Use optional jitter to calculate retransmission timeoutsTobias Brunner2017-05-231-4/+27
| | | | | Also adds an optional limit to avoid very high retransmission timeouts with high numbers of retries.
* child-cfg: Use flags for boolean optionsTobias Brunner2017-05-231-2/+2
| | | | Makes it potentially easier to add new flags.
* ikev1: First do PSK lookups based on identities then fallback to IPsTobias Brunner2017-03-201-36/+34
| | | | | | | | This provides a solution for configs where there is e.g. a catch-all %any PSK, while more specific PSKs would be found by the identities of configs that e.g. use FQDNs as local/remote addresses. Fixes #2223.
* quick-mode: Correctly prepare NAT-OA payloads as responderTobias Brunner2017-03-061-8/+13
| | | | | | The initiator's address was sent back twice previously. Fixes #2268.
* ikev1: Respond to DPDs for rekeyed IKE_SAsTobias Brunner2017-02-171-0/+6
| | | | | | | | | Some devices always use the oldest IKE_SA to send DPDs and will delete all IKE_SAs when there is no response. If uniqueness is not enforced rekeyed IKE_SAs might not get deleted until they expire so we should respond to DPDs. References #2090.
* ike: Add getter for the current message ID to task managerTobias Brunner2017-02-081-0/+7
|
* ikev1: Factor out IV and QM managementTobias Brunner2017-02-084-261/+498
| | | | This simplifies implementing a custom keymat_v1_t.
* keymat: Allow keymat to modify signature scheme(s)Thomas Egerer2017-02-084-6/+10
| | | | Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* ikev1: Minor code optimization in task managerThomas Egerer2016-12-071-11/+5
| | | | Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* task-manager: Only trigger retransmit cleared alert if there was at least ↵Tobias Brunner2016-10-051-1/+1
| | | | | | | | one retransmit The counter is already increased when sending the original message. Fixes: bd71ba0ffb03 ("task-manager: Add retransmit cleared alert")
* ikev1: Activate task to delete the IKE_SA in state IKE_REKEYINGTobias Brunner2016-10-041-0/+8
| | | | It does not have any CHILD_SAs attached at that point.
* ikev1: Delete Quick Mode SAs before the ISAKMP SATobias Brunner2016-10-041-2/+2
| | | | | After the ISAKMP_DELETE task has been executed the IKE_SA is destroyed so we wouldn't be able to send deletes for the Quick Mode SAs.
* ikev1: Send derived CHILD_SA keys to the busTobias Brunner2016-10-041-14/+26
|
* ikev1: Send derived IKE_SA keys to busTobias Brunner2016-10-041-14/+11
|
* ikev1: Ignore the last two bytes of the Cisco Unity vendor IDTobias Brunner2016-08-241-0/+3
| | | | | | | | | These seem to indicate the major and minor version of the protocol, like e.g. for the DPD vendor ID. Some implementations seem to send versions other than 1.0 so we just ignore these for now when checking for known vendor IDs. Fixes #2088.
* ike1: Flush active queue when queueing a delete of the IKE_SATobias Brunner2016-07-191-0/+3
| | | | | | | | | | | By aborting the active task we don't have to wait for potential retransmits if the other peer does not respond to the current task. Since IKEv1 has no sequential message IDs and INFORMATIONALs are no real exchanges this should not be a problem. Fixes #1537 References #429, #1410 Closes strongswan/strongswan#48
* ikev2: Add possibility to delay initiation of a queued taskTobias Brunner2016-06-171-3/+10
| | | | | | | | | | | Such a task is not initiated unless a certain time has passed. This allows delaying certain tasks but avoids problems if we'd do this via a scheduled job (e.g. if the IKE_SA is rekeyed in the meantime). If the IKE_SA is rekeyed the delay of such tasks is reset when the tasks are adopted i.e. they get executed immediately on the new IKE_SA. This hasn't been implemented for IKEv1 yet.
* ike: Add configuration option to switch to preferring supplied proposals ↵Tobias Brunner2016-06-173-6/+13
| | | | over local ones
* child-cfg: Add option to prefer supplied proposals over locally configured onesTobias Brunner2016-06-171-4/+4
|
* ike-cfg: Add option to prefer supplied proposals over locally configured onesTobias Brunner2016-06-172-4/+4
|
* quick-mode: Fix reporting lifebytes if lifetime is configuredTobias Brunner2016-06-171-2/+2
|
* task-manager: Add retransmit cleared alertTobias Brunner2016-06-061-0/+6
|
* task-manager: Add retransmit count to retransmit send alertThomas Egerer2016-06-061-1/+2
| | | | Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* ikev1: Queue INFORMATIONAL messages during XAuthTobias Brunner2016-06-061-5/+12
| | | | | | | | | | Some peers send an INITIAL_CONTACT notify after they received our XAuth username. The XAuth task waiting for the third XAuth message handles this incorrectly and closes the IKE_SA as no configuration payloads are contained in the message. We queue the INFORMATIONAL until the XAuth exchange is complete to avoid this issue. Fixes #1434.
* ikev1: Activate DELETE tasks before other tasks in state ESTABLISHEDTobias Brunner2016-05-061-7/+7
| | | | Fixes #1410.
* ikev1: Don't use rekeyed CHILD_SAs for rekey detectionTobias Brunner2016-05-061-4/+4
| | | | | | | | | | | | An old (already rekeyed) CHILD_SA would get switched back into CHILD_REKEYING state. And we actually want to change the currently installed CHILD_SA to that state and later CHILD_REKEYED and properly call e.g. child_rekey() and not do this again with an old CHILD_SA. Instead let's only check installed or currently rekeying CHILD_SAs (in case of a rekey collision). It's also uncommon that there is a CHILD_SA in state CHILD_REKEYED but none in state CHILD_INSTALLED or CHILD_REKEYING, which could happen if e.g. a peer deleted and recreated a CHILD_SA after a rekeying. But in that case we don't want to treat the new CHILD_SA as rekeying (e.g. in regards to events on the bus).
* ikev1: Don't call updown hook etc. when deleting redundant CHILD_SAsTobias Brunner2016-05-061-0/+1
| | | | Fixes #1421.
* vici list-conns sends reauthentication and rekeying time informationAndreas Steffen2016-05-041-1/+1
|
* Use standard unsigned integer typesAndreas Steffen2016-03-2416-99/+99
|
* credential-manager: Make online revocation checks optional for public key ↵Tobias Brunner2016-03-101-1/+1
| | | | enumerator
* libhydra: Move kernel interface to libcharonTobias Brunner2016-03-032-3/+1
| | | | This moves hydra->kernel_interface to charon->kernel.
* ikev1: Send and verify IPv6 addresses correctlyTobias Brunner2016-03-031-26/+11
| | | | | | | | According to the mode-config draft there is no prefix sent for IPv6 addresses in IKEv1. We still accept 17 bytes long addresses for backwards compatibility with older strongSwan releases. Fixes #1304.
* ikev1: Allow immediate deletion of rekeyed CHILD_SAsTobias Brunner2016-03-031-1/+17
| | | | | | | | | | | | | | | When charon rekeys a CHILD_SA after a soft limit expired, it is only deleted after the hard limit is reached. In case of packet/byte limits this may not be the case for a long time since the packets/bytes are usually sent using the new SA. This may result in a very large number of stale CHILD_SAs and kernel states. With enough connections configured this will ultimately exhaust the memory of the system. This patch adds a strongswan.conf setting that, if enabled, causes the old CHILD_SA to be deleted by the initiator after a successful rekeying. Enabling this setting might create problems with implementations that continue to use rekeyed SAs (e.g. if the DELETE notify is lost).
* ikev1: Avoid modifying local auth config when detecting pubkey methodTobias Brunner2016-03-031-1/+1
| | | | | | | | | If it was necessary to pass the local certificates we could probably clone the config (but we don't do that either when later looking for the key to actually authenticate). Passing auth adds the same subject cert to the config over and over again (I guess we could also try to prevent that by searching for duplicates).
* ikev1: Log successful authentication with signature schemeThomas Egerer2016-02-011-1/+1
| | | | | | Output is now identical to that of the IKEv2 pubkey authenticator. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* mode-config: Reassign migrated virtual IP if client requests %anyTobias Brunner2015-11-121-1/+3
| | | | | | | | | If we mistakenly detect a new IKE_SA as a reauthentication the client won't request the previous virtual IP, but since we already migrated it we already triggered the assign_vips() hook, so we should reassign the migrated virtual IP. Fixes #1152.
* traffic-selector: Don't end printf'ed list of traffic selectors with a spaceTobias Brunner2015-11-102-3/+3
|
* ikev1: Fix calculation of DPD timeoutTobias Brunner2015-11-091-0/+2
| | | | | A DPD timeout job is queued whenever a DPD is sent, i.e. after the DPD delay already has elapsed, so we have to compensate for that.
* xauth: Call authorize() hook also when xauth-noauth is usedTobias Brunner2015-11-091-2/+8
| | | | Fixes #1138.
* ikev1: Handle queued INFORMATIONAL message after receiving the last AM requestTobias Brunner2015-10-301-0/+16
|
* ikev1: Queue INFORMATIONAL request if AM is not complete yetTobias Brunner2015-10-301-6/+13
|
* ikev1: Handle queued TRANSACTION messages only after processing repliesTobias Brunner2015-10-301-1/+2
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-01 10:34:56 +0000