aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon/sa
Commit message (Collapse)AuthorAgeFilesLines
...
* Remove queued IKEv1 message before processing itMartin Willi2012-08-081-3/+5
| | | | | Avoids destruction or processing of a queued message in recursive process_message() call.
* Include src address in hash of initial message for Main ModeTobias Brunner2012-08-081-5/+31
| | | | | | | If two initiators use the same SPI and also use the same SA proposal the hash for the initial message would be exactly the same. For IKEv2 and Aggressive Mode that's not a problem as these messages include random data (Ni, KEi payloads).
* Block XAuth transaction on established IKE_SAs, but allow Mode ConfigMartin Willi2012-08-032-2/+1
|
* Reject initial exchange messages early once IKE_SA is establishedMartin Willi2012-08-021-0/+18
|
* Lookup IKEv1 PSK even if the peer identity is not knownMartin Willi2012-07-311-1/+1
|
* Don't include acquiring packet traffic selectors in IKEv1Martin Willi2012-07-261-0/+5
| | | | | | | | As we only can negotiate a single TS in IKEv1, don't prepend the triggering packet TS, as we do in IKEv2. Otherwise we don't establish the TS of the configuration, but only that of the triggering packet. Fixes #207.
* Implement late peer config switching after XAuth authenticationMartin Willi2012-07-261-15/+80
| | | | | | | If additional authentication constraints, such as group membership, is not fulfilled by an XAuth backend, we search for another peer configuration that fulfills all constraints, including those from phase1.
* Check if XAuth round complies to configured authentication roundMartin Willi2012-07-261-7/+18
|
* Merge auth config items added from XAuth backends to IKE_SAMartin Willi2012-07-261-0/+1
|
* Release leaking child config after uninstalling shunt policyMartin Willi2012-07-231-0/+1
|
* Refactored error handling in keymat_v1_tMartin Willi2012-07-161-25/+27
|
* Clean up error handling in keymat_v2_tMartin Willi2012-07-161-87/+65
|
* Cleaned up memory management and return values for encryption payloadMartin Willi2012-07-161-1/+4
|
* Add a return value to hasher_t.allocate_hash()Martin Willi2012-07-166-20/+80
|
* Add a return value to keymat_v1_t.{get,update,confirm}_ivMartin Willi2012-07-162-13/+31
|
* Add a return value to crypter_t.set_key()Martin Willi2012-07-162-5/+22
|
* Add a return value to crypter_t.decrypt()Martin Willi2012-07-161-2/+1
|
* Add a return value to crypter_t.encryptMartin Willi2012-07-161-2/+1
|
* Check rng return value when generating ME CONNECT_ID and KEYTobias Brunner2012-07-161-2/+14
|
* Check rng return value when generating IKEv1 message IDsTobias Brunner2012-07-161-8/+20
|
* Check rng return value when generating COOKIE2 during MOBIKETobias Brunner2012-07-161-6/+11
|
* Check rng return value when generating fake NAT detection payloadsTobias Brunner2012-07-162-4/+5
|
* Check rng return value when generating SPIs in ike_sa_manager_tTobias Brunner2012-07-161-35/+67
|
* Nonce: Let get_nonce, allocate_nonce return booleanReto Buerki2012-07-164-5/+31
|
* Add a return value to prf_t.set_key()Martin Willi2012-07-162-23/+41
|
* Add a return value to prf_t.allocate_bytes()Martin Willi2012-07-162-22/+71
|
* Use a bool return value in keymat_v1_t.get_hash_phase2()Martin Willi2012-07-162-27/+27
|
* Add a return value to keymat_v1_t.get_hash()Martin Willi2012-07-164-17/+35
|
* Add a return value to keymat_v2_t.get_auth_octets()Martin Willi2012-07-163-17/+24
|
* Add a return value to keymat_v2_t.get_psk_sig()Martin Willi2012-07-164-24/+39
|
* Add a return value to prf_t.get_bytes()Martin Willi2012-07-161-9/+19
|
* prf_plus_create() can return NULL on failureMartin Willi2012-07-162-0/+20
|
* Add a return value to prf_plus_t.allocate_bytes()Martin Willi2012-07-162-17/+76
|
* Add a return value to signer_t.set_key()Martin Willi2012-07-161-2/+14
|
* Add a return value to aead_t.set_key()Martin Willi2012-07-162-3/+12
|
* Add a return value to aead_t.encrypt()Martin Willi2012-07-161-1/+2
|
* Simplify NAT-D payload creation if UDP encapsulation is forcedTobias Brunner2012-07-131-2/+2
| | | | | We don't need any address lookups in that case as the content of the payload is generated randomly anyway.
* Send cert request based on peers configured authentication classMartin Willi2012-07-101-3/+30
|
* Don't send CERTREQs when initiating aggressive mode PSKMartin Willi2012-07-091-0/+4
|
* As a responder, don't start a TRANSACTION request if we expect one from the ↵Martin Willi2012-06-292-2/+4
| | | | initiator
* Defer quick mode initiation if we expect a mode config requestMartin Willi2012-06-271-1/+20
|
* Queue a mode config task as responder if we need a virtual IPMartin Willi2012-06-272-4/+16
|
* Add basic support for XAuth responder authenticationMartin Willi2012-06-272-8/+10
|
* Ignore a received %any virtual IP for installationMartin Willi2012-06-261-1/+2
|
* Centralized thread cancellation in processor_tTobias Brunner2012-06-251-8/+19
| | | | | | | | | | This ensures that no threads are active when plugins and the rest of the daemon are unloaded. callback_job_t was simplified a lot in the process as its main functionality is now contained in processor_t. The parent-child relationships were abandoned as these were only needed to simplify job cancellation.
* support Cisco Unity VIDAndreas Steffen2012-06-252-3/+11
|
* Enforce uniqueids=keep based on XAuth identityMartin Willi2012-06-251-0/+6
|
* Don't send XAUTH_OK if a hook prevents SA to establishMartin Willi2012-06-251-4/+14
|
* Enforce uniqueids=keep only for non-XAuth Main/Agressive ModesMartin Willi2012-06-252-28/+28
|
* Use XAuth/EAP remote identity for uniqueness checkMartin Willi2012-06-252-2/+4
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-10 17:23:10 +0000