aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon/sa/ikev2/tasks
Commit message (Collapse)AuthorAgeFilesLines
...
* ike-vendor: Add some Microsoft vendor IDsTobias Brunner2015-04-211-0/+10
|
* utils: Use chunk_equals_const() for all cryptographic purposesMartin Willi2015-04-141-1/+1
|
* diffie-hellman: Add a bool return value to set_other_public_value()Martin Willi2015-03-232-3/+42
|
* diffie-hellman: Add a bool return value to get_my_public_value()Martin Willi2015-03-231-0/+1
|
* encoding: Allow ke_payload_create_from_diffie_hellman() to failMartin Willi2015-03-232-7/+34
|
* ikev2: Immediately initiate queued tasks after establishing rekeyed IKE_SAMartin Willi2015-03-181-0/+29
| | | | | | If additional tasks get queued before/while rekeying an IKE_SA, these get migrated to the new IKE_SA. We previously did not trigger initiation of these tasks, though, leaving the task unexecuted until a new task gets queued.
* ikev2: Consider signature schemes in rightauth when sending hash algorithmsTobias Brunner2015-03-041-14/+54
|
* ikev2: Add a global option to disable RFC 7427 signature authenticationTobias Brunner2015-03-041-2/+12
| | | | This is mostly for testing.
* ikev2: Enable signature authentication by transmitting supported hash algorithmsTobias Brunner2015-03-041-4/+83
|
* ikev2: Schedule a timeout for the delete message following passive IKE rekeyingMartin Willi2015-03-031-0/+6
| | | | | | | | | | | | | | | | | | | | | | | Under some conditions it can happen that the CREATE_CHILD_SA exchange for rekeying the IKE_SA initiated by the peer is successful, but the delete message does not follow. For example if processing takes just too long locally, the peer might consider us dead, but we won't notice that. As this leaves the old IKE_SA in IKE_REKEYING state, we currently avoid actively initiating any tasks, such as rekeying or scheduled DPD. This leaves the IKE_SA in a dead and unusable state. To avoid that situation, we schedule a timeout to wait for the DELETE message to follow the CREATE_CHILD_SA, before we actively start to delete the IKE_SA. Alternatively we could start a liveness check on the SA after a timeout to see if the peer still has that state and we can expect the delete to follow. But it is unclear if all peers can handle such messages in this very special state, so we currently don't go for that approach. While we could calculate the timeout based on the local retransmission timeout, the peer might use a different scheme, so a fixed timeout works as well. Fixes #742.
* ikev2: Schedule a make-before-break completion task to delete old IKE_SAMartin Willi2015-02-203-0/+160
|
* attribute-manager: Pass full IKE_SA to handler methodsMartin Willi2015-02-201-4/+2
|
* attribute-manager: Pass the full IKE_SA to provider methodsMartin Willi2015-02-201-2/+2
|
* attributes: Move the configuration attributes framework to libcharonMartin Willi2015-02-201-8/+7
|
* ike: Consistently log CHILD_SAs with their unique_id instead of their reqidMartin Willi2015-02-202-3/+3
|
* inactivity-job: Schedule job by CHILD_SA unique ID instead of reqidMartin Willi2015-02-201-7/+4
|
* kernel-interface: Raise expires with a proto/SPI/dst tuple instead of reqidMartin Willi2015-02-201-2/+2
|
* ike: Maintain per-IKE_SA CHILD_SAs in the global CHILD_SA managerMartin Willi2015-02-201-8/+19
|
* child-sa: Replace reqid based marks by "unique" marksMartin Willi2015-02-203-2/+38
| | | | | | | | | | | As we now use the same reqid for multiple CHILD_SAs with the same selectors, having marks based on the reqid makes not that much sense anymore. Instead we use unique marks that use a custom identifier. This identifier is reused during rekeying, keeping the marks constant for any rule relying on it (for example installed by updown). This also simplifies handling of reqid allocation, as we do not have to query the marks that is not yet assigned for an unknown reqid.
* ikev2: Only touch the DH object if we have a matching proposalTobias Brunner2014-12-231-11/+17
|
* ikev2: Fix handling of more than one hash-and-URL certificate payloadsTobias Brunner2014-12-041-2/+2
|
* ikev2: Fix ike_rekey switch statement broken with last commitMartin Willi2014-11-241-1/+1
|
* ikev2: Prevent IKE_SA rekeying if we are currently retrying a CHILD_SA rekeyMartin Willi2014-11-211-0/+1
|
* child-sa: Introduce a CHILD_RETRYING state to detect DH group retriesMartin Willi2014-11-211-0/+1
|
* ikev2: Negotiate support for IKEv2 fragmentationTobias Brunner2014-10-101-0/+23
|
* ike-mobike: Allow calling transmit() even when not currently path probingTobias Brunner2014-09-121-5/+17
| | | | Path probing is enabled if the current path is not available anymore.
* ike-mobike: Return FALSE in transmit() if no path was availableTobias Brunner2014-09-122-3/+7
|
* ike-mobike: Add method to enable path probingTobias Brunner2014-09-122-0/+12
|
* ike-mobike: Skip peer addresses we can't send packets to when checking pathsTobias Brunner2014-09-121-5/+18
|
* ikev2: Migrate number of pending MOBIKE updatesTobias Brunner2014-09-121-0/+5
| | | | | This will probably never be more than 1 since we only have one task queued at a time and we don't migrate running tasks.
* ikev2: Properly keep track of pending MOBIKE updatesTobias Brunner2014-09-121-8/+27
| | | | | | | | Because we only queue one MOBIKE task at a time, but destroy superfluous ones only after we already increased the counter for pending MOBIKE updates, we have to reduce the counter when such tasks are destroyed. Otherwise, the queued task would assume another task is queued when it is running and ignore any successful response.
* bus: Add a handle_vips() hook invoked after handling configuration attributesMartin Willi2014-06-171-0/+2
| | | | | | | | | Similar to assign_vips() used by a peer assigning virtual IPs to the other peer, the handle_vips() hook gets invoked on a peers after receiving attributes. On release of the same attributes the hook gets invoked again. This is useful to inspect handled attributes, as the ike_updown() hook is invoked after authentication, when attributes have not been handled yet.
* ike: Store unhandled attributes on IKE_SA as wellMartin Willi2014-06-161-5/+2
|
* payload: Use common prefixes for all payload type identifiersMartin Willi2014-06-0413-68/+68
| | | | | The old identifiers did not use a proper namespace and often clashed with other defines.
* ikev2: Reject CHILD_SA creation/rekeying while deleting an IKE_SAMartin Willi2014-04-171-0/+6
| | | | | | | | | | | If one peer starts reauthentication by deleting the IKE_SA, while the other starts CHILD_SA rekeying, we run in a race condition. To avoid it, temporarily reject the rekey attempt while we are in the IKE_SA deleting state. RFC 4306/5996 is not exactly clear about this collision, but it should be safe to reject CHILD_SA rekeying during this stage, as the reauth will re-trigger the CHILD_SA. For non-rekeying CHILD_SA creations, it's up to the peer to retry establishing the CHILD_SA on the reauthenticated IKE_SA.
* ikev2: Add inherit_pre() to apply config and hosts before IKE_SA rekeyingMartin Willi2014-04-171-11/+3
|
* ikev2: Fix reauthentication if peer assigns a different virtual IPTobias Brunner2014-04-151-1/+1
| | | | | | | | | | | | | | | | | Before this change a reqid set on the create_child_t task was used as indicator of the CHILD_SA being rekeyed. Only if that was not the case would the local traffic selector be changed to 0.0.0.0/0|::/0 (as we don't know which virtual IP the gateway will eventually assign). On the other hand, in case of a rekeying the VIP is expected to remain the same, so the local TS would simply equal the VIP. Since c949a4d5016e33c5 reauthenticated CHILD_SAs also have the reqid set. Which meant that the local TS would contain the previously assigned VIP, basically rendering the gateway unable to assign a different VIP to the client as the resulting TS would not match the client's proposal anymore. Fixes #553.
* ikev2: Recreate a CHILD_SA that got a hard lifetime expire without rekeyingMartin Willi2014-03-311-0/+12
| | | | | Works around issues related to system time changes and kernel backends using that system time, such as Linux XFRM.
* ikev2: Cache all received attribute certificates to auth configMartin Willi2014-03-311-1/+27
|
* ikev2: Send all known and valid attribute certificates for subject certMartin Willi2014-03-311-0/+46
|
* ikev2: Slightly refactor certificate payload construction to separate functionsMartin Willi2014-03-311-37/+56
|
* libcharon: Use lib->ns instead of charon->nameTobias Brunner2014-02-124-5/+5
|
* ikev2: Add Cisco FRAGMENTATION vendor IDMartin Willi2014-01-231-0/+2
| | | | Courtesy of C.J. Adams-Collier, ZeroLag Communications, Inc.
* ikev2: Add Cisco Copyright vendor IDMartin Willi2014-01-231-0/+2
| | | | Courtesy of C.J. Adams-Collier, ZeroLag Communications, Inc.
* ikev2: Add Cisco Delete Reason vendor IDMartin Willi2014-01-231-0/+2
| | | | Courtesy of C.J. Adams-Collier, ZeroLag Communications, Inc.
* ikev2: Use a more dynamic vendor ID database, as we use with IKEv1Martin Willi2014-01-231-16/+57
|
* ikev2: Allocate SPI with the protocol of the first/negotiated proposalMartin Willi2013-10-111-2/+16
|
* ikev2: Fix segfault when reestablishing CHILD_SAs due to ↵Tobias Brunner2013-08-131-3/+4
| | | | | | closeaction=restart|hold This regression was introduced with c949a4d5.
* Fix various API doc issues and typosTobias Brunner2013-07-181-1/+1
| | | | Partially based on an old patch by Adrian-Ken Rueegsegger.
* child-sa: replace get_traffic_selectors() with create_ts_enumerator()Martin Willi2013-07-172-23/+25
| | | | | Not directly returning a linked list allows us to change the internals of the CHILD_SA transparently.
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-03 22:33:54 +0000