path: root/src/libcharon/sa/ikev2/tasks/child_delete.c
Commit message (author, date, files changed, lines -/+)

* child-delete: Only let SAs expire naturally if they have not already (Tobias Brunner, 2017-09-15, 1 file, -1/+1)

* child-rekey: Don't install outbound SA in case of lost collisions (Tobias Brunner, 2017-08-07, 1 file, -1/+0)
  This splits the SA installation also on the initiator, so we can avoid installing the outbound SA if we lost a rekey collision, which might have caused traffic loss depending on the timing of the DELETEs that are sent in both directions.

* linked-list: Change return value of find_first() and signature of its callback (Tobias Brunner, 2017-05-26, 1 file, -6/+7)
  This avoids the unportable five pointer hack.

* child-delete: Delay the removal of the inbound SA of rekeyed CHILD_SAs (Tobias Brunner, 2017-05-23, 1 file, -4/+40)
  After deleting a rekeyed CHILD_SA we uninstall the outbound SA but don't destroy the CHILD_SA (and the inbound SA) immediately. We delay it a few seconds or until the SA expires to allow delayed packets to get processed. The CHILD_SA remains in state CHILD_DELETING until it finally gets destroyed.

* child-sa: Remove state to track installation of half the SA again (Tobias Brunner, 2017-05-23, 1 file, -1/+0)

* child-delete: Track flags per individual CHILD_SA (Tobias Brunner, 2017-05-23, 1 file, -47/+78)

* ikev2: Delay installation of outbound SAs during rekeying on the responder (Tobias Brunner, 2017-05-23, 1 file, -2/+62)
  The responder has all the information needed to install both SAs before the initiator does. So if the responder immediately installs the outbound SA it might send packets using the new SA which the initiator is not yet able to process. This can be avoided by delaying the installation of the outbound SA until the replaced SA is deleted.

* child-delete: Reply as usual when concurrently rekeying the IKE_SA (Tobias Brunner, 2016-06-17, 1 file, -5/+1)
  As per RFC 7296, 2.25.2 (what we did before was the behavior described in RFC 4718).

* child-delete: Check if the deleted CHILD_SA is the redundant SA of a collision (Tobias Brunner, 2016-06-17, 1 file, -4/+39)
  This happens if the peer deletes the redundant SA before we are able to handle the response. The deleted SA will be in state CHILD_INSTALLED but we don't want to trigger the child_updown() event for it or recreate it.

* ikev2: Use CHILD_REKEYED for replaced CHILD_SAs after rekeying (Tobias Brunner, 2016-06-17, 1 file, -4/+6)
  This allows handling collisions better, in particular with deletions.

* child-delete: Remove unnecessary call to destroy_child_sa() (Tobias Brunner, 2016-06-17, 1 file, -2/+0)
  Generally, we will not find the CHILD_SA by searching for it with the outbound SPI (the initiator of the DELETE sent its inbound SPI) - and if we found a CHILD_SA it would most likely be the wrong one (one in which we used the same inbound SPI as the peer used for the one it deletes). And we don't actually want to destroy the CHILD_SA at this point as we know we already initiated a DELETE ourselves, which means that task still has a reference to it and will destroy the CHILD_SA when it receives the response from the other peer.

* Use standard unsigned integer types (Andreas Steffen, 2016-03-24, 1 file, -6/+6)

* traffic-selector: Don't end printf'ed list of traffic selectors with a space (Tobias Brunner, 2015-11-10, 1 file, -2/+2)

* ike: Consistently log CHILD_SAs with their unique_id instead of their reqid (Martin Willi, 2015-02-20, 1 file, -2/+2)

* payload: Use common prefixes for all payload type identifiers (Martin Willi, 2014-06-04, 1 file, -3/+3)
  The old identifiers did not use a proper namespace and often clashed with other defines.

* ikev2: Recreate a CHILD_SA that got a hard lifetime expire without rekeying (Martin Willi, 2014-03-31, 1 file, -0/+12)
  Works around issues related to system time changes and kernel backends using that system time, such as Linux XFRM.

* ikev2: Fix segfault when reestablishing CHILD_SAs due to closeaction=restart|hold (Tobias Brunner, 2013-08-13, 1 file, -3/+4)
  This regression was introduced with c949a4d5.

* child-sa: replace get_traffic_selectors() with create_ts_enumerator() (Martin Willi, 2013-07-17, 1 file, -5/+9)
  Not directly returning a linked list allows us to change the internals of the CHILD_SA transparently.

* Reuse reqid when restarting CHILD_SAs for dpd|closeaction=restart (Tobias Brunner, 2013-07-01, 1 file, -2/+2)

* Reuse reqid for trap policies installed for dpd|closeaction=hold (Tobias Brunner, 2013-07-01, 1 file, -1/+2)

* ikev2: keep the CHILD_SA we delete as initiator in the list to destroy (Martin Willi, 2013-06-25, 1 file, -6/+5)
  If the responder does not send the correct protocol or SPI in the delete response, we should remove the CHILD_SA regardless.

* child_sa_t.get_usestats() can additionally return the number of processed packets (Martin Willi, 2013-03-14, 1 file, -2/+2)

* Do not query CHILD_SA during delete if they already expired (Martin Willi, 2012-03-20, 1 file, -11/+30)

* Separated libcharon/sa directory with ikev1 and ikev2 subfolders (Martin Willi, 2012-03-20, 1 file, -0/+391)