aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon/sa
Commit message (Collapse)AuthorAgeFilesLines
...
* Destroy existing IKE_SAs with same identities when receiving INITIAL_CONTACTMartin Willi2011-01-053-4/+33
|
* Send INITIAL_CONTACT for the first IKE_SA if it has a unique policyMartin Willi2011-01-053-16/+66
|
* Migrated ike_sa_manager_t to INIT/METHOD macros, some cleanupsMartin Willi2011-01-051-189/+180
|
* Provide CRLs received in CERT payloads to trustchain verificationMartin Willi2011-01-051-1/+9
|
* Include the used reserved bytes from ID payloads in AUTH calculationMartin Willi2011-01-0511-39/+126
|
* Migrated psk/pubkey_authenticators to INIT/METHOD macrosMartin Willi2011-01-052-84/+70
|
* Moved check if packet already encoded to ike_sa, avoids message() hook ↵Martin Willi2011-01-051-0/+5
| | | | invocation twice
* Move critical bit checking to ike_sa, notify payload includes unsupported ↵Martin Willi2011-01-053-11/+61
| | | | payload type
* Handle all error notifies in CREATE_CHILD_SA exchangesMartin Willi2011-01-051-0/+14
|
* Ingore messages with exchange type altered to UNDEFINED in message() hookMartin Willi2011-01-051-0/+8
|
* Moved message()-hook invocation to generate_message(), catch pre-generated ↵Martin Willi2011-01-052-2/+1
| | | | IKE_SA_INITs, too
* Support manually triggerd DPD check, even if DPD disabled in configMartin Willi2011-01-051-11/+10
|
* eliminated whitespaceAndreas Steffen2010-12-211-1/+1
|
* Migrated child_create_t to INIT/METHOD macrosAndreas Steffen2010-12-211-83/+55
|
* Do not use TFC padding if peer does not support ESPv3Martin Willi2010-12-203-11/+31
|
* Added a TFC padding option to child_cfgMartin Willi2010-12-201-0/+2
|
* Implemented Traffic Flow Confidentiality padding in kernel_interfaceMartin Willi2010-12-201-1/+2
|
* Install selectors on transport mode IPsec SAs.Jiri Bohac2010-12-131-1/+1
| | | | | | | | | | | | | | | | This fixes several test cases in IKEv2_Self_Test (part of the IPv6 Ready Logo Program) which is required for USGv6 certification, namely: - IKEv2.EN.I.1.1.7.1, IKEv2.EN.I.1.1.7.1: Narrowing the range of members of the set of traffic selectors - IKEv2.EN.R.1.1.7.3: Narrowing multiple traffic selector When traffic selectors of a triggered SA are narrowed by the responder, the installed policy and the broader trap policy share the same reqid. Without selectors on the IPsec SA packets matching the trap policy, but not the narrowed policy, would incorrectly be handled by that IPsec SA. Since only one selector can be specified per IPsec SA, there is currently no solution for tunnel mode SAs.
* Never register IKE_SA during checkout_new, as rekeying keeps it checked outMartin Willi2010-12-072-18/+2
|
* Guarantee entry->other is set when calling put_connected_peersThomas Egerer2010-12-061-1/+7
| | | | | | | | | | | Given the original intent of entry->host, the check for DoS attacks, it can happen that this value remains NULL when an entry is created. This is particularly awkward if put_connected_peers is called to check if a connection to a given peer already exists, since it takes the address family into consideration (git commit b74219d0) which is gleaned from entry->host. This patch guarantees that entry->other is a clone of host before put_connected_peers is called.
* Do not checkin a previously destroyed SAThomas Egerer2010-11-161-1/+4
|
* Extend connected peers by peer familyThomas Egerer2010-11-121-5/+16
| | | | | This allows for simultanious IPv4 and IPv6 tunnel for same peers with matching identities.
* Do not add additional addresses to MOBIKE path probing messages.Tobias Brunner2010-10-121-10/+12
|
* Change behavior of responder during roaming.Tobias Brunner2010-10-121-16/+17
| | | | | | If the current source address is not available anymore, the responder uses ike_mobike_t.roam, thus, uses multiple address combinations when trying to notify the initiator.
* Allow responder to use ike_mobike_t.roam.Tobias Brunner2010-10-121-1/+7
| | | | After getting a response the responder updates the IPsec SAs.
* Send list of additional addresses even if current path is still valid.Tobias Brunner2010-10-121-0/+11
|
* Extracted path checking in ike_sa_t.roam into separate functions.Tobias Brunner2010-10-121-46/+68
|
* Added support for responders to change their address via MOBIKE.Tobias Brunner2010-10-121-0/+20
| | | | | | | If the original responder updates its list of additional addresses we check if the remote endpoint changed and update the IPsec SAs if it did, as we assume the original address became unavailable and the responder already updated the SAs on its side.
* Explicitly configure MOBIKE tasks to update the list of additional addresses.Tobias Brunner2010-10-123-2/+15
|
* Improved check for first IKE_AUTH message in ike_mobike task.Tobias Brunner2010-10-121-3/+6
| | | | | If the original responder initiated a MOBIKE exchange, the previous check was not always correct.
* Migrated ike_mobike task to INIT/METHOD macros.Tobias Brunner2010-10-121-67/+46
|
* Simplified apply_port function in mobike task.Tobias Brunner2010-10-121-16/+9
|
* Do not update hosts based on retransmitted messages.Tobias Brunner2010-10-122-15/+23
|
* Do not update remote host if we are behind a NAT.Tobias Brunner2010-10-121-4/+2
|
* NOTIFY error message types include 16383Andreas Steffen2010-09-291-1/+1
|
* Adapted child_sa_t to changed kernel interface.Tobias Brunner2010-09-021-25/+49
|
* Added an option to specify the type of a policy to kernel_ipsec.add_policy.Tobias Brunner2010-09-021-18/+18
| | | | | This will later allow us to support pluto's passthrough and drop policies in charon.
* Replaced the protocol argument in add_policy with an optional SPI for an AH SA.Tobias Brunner2010-09-021-18/+37
|
* Refer to scheduler and processor via lib and not hydra.Tobias Brunner2010-09-028-36/+30
|
* Refer to kernel interface via hydra and not charon.Tobias Brunner2010-09-026-58/+62
|
* Removed references to protocol_id_t from kernel interface.Tobias Brunner2010-09-021-37/+65
| | | | | Instead we use the actual IP protocol identifier (the conversion now happens in child_sa_t and kernel_handler_t).
* Migrated child_sa_t to INIT/METHOD macros.Tobias Brunner2010-09-021-202/+132
|
* Refer to scheduler via hydra and not charon.Tobias Brunner2010-09-026-21/+23
|
* Refer to processor via hydra and not charon.Tobias Brunner2010-09-026-9/+14
|
* Use the AAA Identity for EAP authentication, if givenMartin Willi2010-08-312-1/+14
|
* Moved EAP type/code definitions to a seprate header file in libstrongswanMartin Willi2010-08-312-35/+1
|
* Port floating patch partially reversed.Tobias Brunner2010-08-302-12/+8
| | | | | | If MOBIKE is enabled, we do have to switch to port 4500 with the IKE_AUTH request, that is, before we know whether the other peer actually supports MOBIKE or not.
* Slightly refactored port floating.Tobias Brunner2010-08-305-35/+39
| | | | In case of MOBIKE, only float to port 4500 if the other peer actually supports MOBIKE.
* Fixed ME after introduction of AEAD wrapper.Tobias Brunner2010-08-301-1/+1
|
* Migrated delete_payload to INIT/METHOD macros, replaced iteratorMartin Willi2010-08-251-9/+8
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-15 14:01:38 +0000