aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon/sa/ikev2/tasks/child_create.c
Commit message (Collapse)AuthorAgeFilesLines
* child-create: Don't consider a DH group mismatch as failure as responderTobias Brunner2017-09-181-1/+0
| | | | | | | This causes problems e.g. on Android where we handle the alert (and reestablish the IKE_SA) even though it usually is no problem if the peer retries with the requested group. We don't consider it as a failure on the initiator either.
* child-create: Don't log CHILD_SA initiation until we know the unique IDTobias Brunner2017-08-071-11/+13
|
* child-rekey: Don't install outbound SA in case of lost collisionsTobias Brunner2017-08-071-15/+30
| | | | | | | This splits the SA installation also on the initiator, so we can avoid installing the outbound SA if we lost a rekey collision, which might have caused traffic loss depending on the timing of the DELETEs that are sent in both directions.
* child-sa: Install outbound SA immediately if kernel supports SPIs on policiesTobias Brunner2017-08-071-3/+3
|
* ike: Trigger CHILD_INSTALLED state change after corresponding log messageTobias Brunner2017-07-271-6/+6
| | | | | | | | This way we get the log message in stroke and swanctl as last message when establishing a connection. It's already like this for the IKE_SA where IKE_ESTABLISHED is set after the corresponding log message. Fixes #2364.
* child-sa: Remove state to track installation of half the SA againTobias Brunner2017-05-231-8/+1
|
* ikev2: Delay installation of outbound SAs during rekeying on the responderTobias Brunner2017-05-231-7/+24
| | | | | | | | The responder has all the information needed to install both SAs before the initiator does. So if the responder immediately installs the outbound SA it might send packets using the new SA which the initiator is not yet able to process. This can be avoided by delaying the installation of the outbound SA until the replaced SA is deleted.
* child-sa: Change API used to set/install policiesTobias Brunner2017-05-231-12/+14
| | | | This way we only have to pass the traffic selectors once.
* child-create: Trigger NARROW_RESPONDER_POST hook before installing SAsTobias Brunner2017-05-231-25/+21
| | | | | This makes sure we use the same set of traffic selectors when installing the SAs and installing the policies.
* child-cfg: Use flags for boolean optionsTobias Brunner2017-05-231-3/+3
| | | | Makes it potentially easier to add new flags.
* ikev2: Send derived CHILD_SA keys to the busTobias Brunner2016-10-041-26/+43
|
* child-create: Retry creating the CHILD_SA if TEMPORARY_FAILURE is receivedTobias Brunner2016-06-171-4/+33
| | | | We queue a delayed task that is initiated after a while.
* ike: Add configuration option to switch to preferring supplied proposals ↵Tobias Brunner2016-06-171-2/+4
| | | | over local ones
* child-cfg: Add option to prefer supplied proposals over locally configured onesTobias Brunner2016-06-171-1/+1
|
* child-create: Respond with TEMPORARY_FAILURE while rekeying/deleting IKE_SATobias Brunner2016-06-171-2/+2
|
* child-create: Handle TEMPORARY_FAILURE notify as failureTobias Brunner2016-06-171-0/+1
| | | | | We will later add code to retry creating the CHILD_SA if we are not rekeying. Rekeying is already rescheduled as with any other errors.
* Use standard unsigned integer typesAndreas Steffen2016-03-241-14/+14
|
* child-create: Don't create CHILD_SA if the IKE_SA got redirected in IKE_AUTHTobias Brunner2016-03-041-0/+4
|
* libhydra: Move kernel interface to libcharonTobias Brunner2016-03-031-2/+1
| | | | This moves hydra->kernel_interface to charon->kernel.
* traffic-selector: Don't end printf'ed list of traffic selectors with a spaceTobias Brunner2015-11-101-2/+2
|
* child-create: Cache proposed IPsec protocolTobias Brunner2015-08-211-10/+13
| | | | | This allows us to DELETE CHILD_SAs on failures that occur before we retrieved the selected proposal.
* child-create: Don't attempt to delete the SA if we don't have all the ↵Tobias Brunner2015-08-211-8/+10
| | | | | | | information Since we only support single protocols we could probably guess it and always send a DELETE.
* child-create: Fix crash when retrying CHILD_SA rekeying due to a DH group ↵Tobias Brunner2015-08-211-0/+1
| | | | | | | | | | mismatch If the responder declines our KE payload during a CHILD_SA rekeying migrate() is called to reuse the child-create task. But the child-rekey task then calls the same method again. Fixes: 32df0d81fb46 ("child-create: Destroy nonceg in migrate()")
* child-create: Destroy nonceg in migrate()Tobias Brunner2015-05-051-1/+2
| | | | | Since another nonce gets allocated later (if any was allocated already) this would have resulted in a leaked nonce context ID when used in charon-tkm.
* child-create: Fix error handling if nonceg can't be createdTobias Brunner2015-05-051-14/+12
| | | | As with ike-init we can't return NULL in the task constructor.
* child-create: Make nonceg a member of child_create structReto Buerki2015-05-041-12/+16
| | | | | | | | This allows to control the life-cycle of a nonce in the context of the child create task. In the TKM use-case, it is required to reset the nonce context if the created nonce is not consumed. This happens if the child SA negotiation fails and it is detected before the SA is established via the TKM kernel plugin (i.e. rekey collision).
* Add bool param to ALERT_KEEP_ON_CHILD_SA_FAILURE alertAdrian-Ken Rueegsegger2015-05-041-2/+6
| | | | | The parameter indicates if the alert is raised upon failure to establish the first CHILD SA of an IKE SA.
* diffie-hellman: Add a bool return value to set_other_public_value()Martin Willi2015-03-231-2/+22
|
* encoding: Allow ke_payload_create_from_diffie_hellman() to failMartin Willi2015-03-231-3/+17
|
* ike: Consistently log CHILD_SAs with their unique_id instead of their reqidMartin Willi2015-02-201-1/+1
|
* inactivity-job: Schedule job by CHILD_SA unique ID instead of reqidMartin Willi2015-02-201-7/+4
|
* child-sa: Replace reqid based marks by "unique" marksMartin Willi2015-02-201-2/+24
| | | | | | | | | | | As we now use the same reqid for multiple CHILD_SAs with the same selectors, having marks based on the reqid makes not that much sense anymore. Instead we use unique marks that use a custom identifier. This identifier is reused during rekeying, keeping the marks constant for any rule relying on it (for example installed by updown). This also simplifies handling of reqid allocation, as we do not have to query the marks that is not yet assigned for an unknown reqid.
* child-sa: Introduce a CHILD_RETRYING state to detect DH group retriesMartin Willi2014-11-211-0/+1
|
* payload: Use common prefixes for all payload type identifiersMartin Willi2014-06-041-11/+11
| | | | | The old identifiers did not use a proper namespace and often clashed with other defines.
* ikev2: Reject CHILD_SA creation/rekeying while deleting an IKE_SAMartin Willi2014-04-171-0/+6
| | | | | | | | | | | If one peer starts reauthentication by deleting the IKE_SA, while the other starts CHILD_SA rekeying, we run in a race condition. To avoid it, temporarily reject the rekey attempt while we are in the IKE_SA deleting state. RFC 4306/5996 is not exactly clear about this collision, but it should be safe to reject CHILD_SA rekeying during this stage, as the reauth will re-trigger the CHILD_SA. For non-rekeying CHILD_SA creations, it's up to the peer to retry establishing the CHILD_SA on the reauthenticated IKE_SA.
* ikev2: Fix reauthentication if peer assigns a different virtual IPTobias Brunner2014-04-151-1/+1
| | | | | | | | | | | | | | | | | Before this change a reqid set on the create_child_t task was used as indicator of the CHILD_SA being rekeyed. Only if that was not the case would the local traffic selector be changed to 0.0.0.0/0|::/0 (as we don't know which virtual IP the gateway will eventually assign). On the other hand, in case of a rekeying the VIP is expected to remain the same, so the local TS would simply equal the VIP. Since c949a4d5016e33c5 reauthenticated CHILD_SAs also have the reqid set. Which meant that the local TS would contain the previously assigned VIP, basically rendering the gateway unable to assign a different VIP to the client as the resulting TS would not match the client's proposal anymore. Fixes #553.
* libcharon: Use lib->ns instead of charon->nameTobias Brunner2014-02-121-2/+2
|
* ikev2: Allocate SPI with the protocol of the first/negotiated proposalMartin Willi2013-10-111-2/+16
|
* child-sa: replace get_traffic_selectors() with create_ts_enumerator()Martin Willi2013-07-171-18/+16
| | | | | Not directly returning a linked list allows us to change the internals of the CHILD_SA transparently.
* ikev2: use protocol of selected proposal to delete a failed CHILD_SAMartin Willi2013-06-201-2/+2
| | | | Depending on the failure, the protocol might not yet be set on the CHILD_SA.
* ikev2: properly fall back to tunnel mode if transport/BEET mode not configuredMartin Willi2013-06-191-2/+8
|
* ikev2: support transport mode over NATMartin Willi2013-06-191-36/+150
|
* kernel-interface: add an exchange initiator parameter to add_sa()Martin Willi2013-06-111-8/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This new flag gives the kernel-interface a hint how it should priorize the use of newly installed SAs during rekeying. Consider the following rekey procedure in IKEv2: Initiator --- Responder I1 -------CREATE-------> R1 I2 <------CREATE-------- -------DELETE-------> R2 I3 <------DELETE-------- SAs are always handled as pairs, the following happens at the SA level: * Initiator starts the exchange at I1 * Responder installs new SA pair at R1 * Initiator installs new SA pair at I2 * Responder removes old SA pair at R2 * Initiator removes old SA pair at I3 This makes sure SAs get installed/removed overlapping during rekeying. However, to avoid any packet loss, it is crucial that the new outbound SA gets activated at the correct position: * as exchange initiator, in I2 * as exchange responder, in R2 This should guarantee that we don't use the new outbound SA before the peer could install its corresponding inbound SA. The new parameter allows the kernel backend to install the new SA with appropriate priorities, i.e. it should: * as exchange inititator, have the new outbound SA installed with higher priority than the old SA * as exchange responder, have the new outbound SA installed with lower priority than the old SA While we could split up the SA installation at the responder, this approach has another advantage: it allows the kernel backend to switch SAs based on other criteria, for example when receiving traffic on the new inbound SA.
* ikev2: if installing a CHILD_SA as initiator fails, notify the responderMartin Willi2013-06-111-2/+36
|
* Allow IPComp on NATed connections, both for IKEv1 and IKEv2Martin Willi2013-06-111-7/+0
| | | | | | While this was problematic in earlier releases, it seems that it works just fine the way we handle compression now. So there is no need to disable it over NATed connections or when using forceencaps.
* Raise an ALERT_PROPOSAL_MISMATCH_CHILD also when receiving NO_PROPOSAL_CHOSENMartin Willi2013-05-061-0/+20
|
* Send ESP_TFC_PADDING_NOT_SUPPORTED if the used kernel doesn't support itMartin Willi2013-03-011-0/+9
|
* Fixed some typos, courtesy of codespellTobias Brunner2012-12-201-1/+1
|
* Raise an alert if IKE SA is keptAdrian-Ken Rueegsegger2012-12-201-0/+1
| | | | | This alert is raised when the establishment of a child SA fails but the IKE SA is kept.
* Raise an alert if kernel policy installation failsMartin Willi2012-12-191-0/+2
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-07-30 01:07:26 +0000