aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon/sa
Commit message (Collapse)AuthorAgeFilesLines
* libcharon: Use lib->ns instead of charon->nameTobias Brunner2014-02-1211-26/+26
|
* ikev1: Fix config switching due to failed authentication during Aggressive modeTobias Brunner2014-02-121-3/+1
| | | | | | | The encoded ID payload gets destroyed by the authenticator, which caused a segmentation fault after the switch. Fixes #501.
* child-sa: Add a getter for CHILD_SA install timeMartin Willi2014-01-232-0/+20
|
* ikev2: Add Cisco FRAGMENTATION vendor IDMartin Willi2014-01-231-0/+2
| | | | Courtesy of C.J. Adams-Collier, ZeroLag Communications, Inc.
* ikev2: Add Cisco Copyright vendor IDMartin Willi2014-01-231-0/+2
| | | | Courtesy of C.J. Adams-Collier, ZeroLag Communications, Inc.
* ikev2: Add Cisco Delete Reason vendor IDMartin Willi2014-01-231-0/+2
| | | | Courtesy of C.J. Adams-Collier, ZeroLag Communications, Inc.
* ikev2: Use a more dynamic vendor ID database, as we use with IKEv1Martin Willi2014-01-231-16/+57
|
* ike: Simplify error handling if name resolution failedTobias Brunner2014-01-231-16/+3
| | | | | | | This avoids a second name resolution attempt just to determine if %any etc. was configured. Fixes #440.
* ike: Use proper hostname(s) when name resolution failedTobias Brunner2014-01-231-1/+1
| | | | | | Was wrong since 0edce687675df8f10f4026fa12a8fc3b3dd003f5. Fixes #440.
* ikev2: Wipe (optional) shared secret during CHILD_SA key derivationTobias Brunner2014-01-231-11/+14
|
* ike_sa: Defer task manager destruction after child destructionThomas Egerer2014-01-164-9/+16
| | | | | | | | | | This patch exports the task manager's flush to allow flushing of all queues with one function call from ike_sa->destroy. It allows the access of intact children during task destructoin (see git-commit e44ebdcf) and allows the access of the task manager in child_state_change hook. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* ike: Log SK_p consistently on level 4Tobias Brunner2013-11-281-1/+1
|
* trap-manager: Reset IKE_SA on bus_t if initiating failsTobias Brunner2013-11-211-0/+1
|
* trap-manager: Prevent deadlock when installing trap policiesTobias Brunner2013-11-211-40/+46
| | | | | | | | | | | Because the write lock was held while calling add_policies() on child_sa_t, which finishes with a call to child_state_change() on bus_t, a deadlock would ensue if CHILD_SAs are concurrently being established, which also causes a call to child_state_change() that will require the read lock in trap_manager_t. No locks are now being held while creating the CHILD_SA and installing the trap policies.
* ikev2: Properly free DH secret in case of errors during IKE key derivationTobias Brunner2013-11-061-0/+3
| | | | Fixes #437.
* ike: Don't immediately DPD after deferred DELETEs following IKE_SA rekeyingMartin Willi2013-11-011-0/+8
| | | | | | | Some peers seem to defer DELETEs a few seconds after rekeying the IKE_SA, which is perfectly valid. For short(er) DPD delays, this leads to the situation where we send a DPD request during set_state(), but the IKE_SA has no hosts set yet. Avoid that DPD by resetting the INBOUND timestamp during set_state().
* ikev1: Properly initialize list of fragments in case fragment ID is 0Volker Rümelin2013-10-311-1/+1
| | | | Fixes CVE-2013-6076.
* Fixed some typosTobias Brunner2013-10-292-2/+2
|
* trap-manager: Make sure a config is not trapped twiceTobias Brunner2013-10-171-4/+16
|
* iv_gen: aead_t implementations provide an IV generatorTobias Brunner2013-10-111-0/+8
|
* Remove HASH_PREFERRED, usages are replaced with HASH_SHA1, which is required ↵Tobias Brunner2013-10-111-1/+1
| | | | for IKEv2 anyway
* kernel: Use a time_t to report use time in query_policy()Martin Willi2013-10-111-2/+2
|
* kernel: Use a time_t to report use time in query_sa()Martin Willi2013-10-111-3/+3
|
* ike: Define keylength for aescmac algorithmMartin Willi2013-10-111-0/+1
|
* ikev1: Delete quick modes with the negotiated SA protocolMartin Willi2013-10-111-1/+1
|
* trap-manager: Install trap with SA protocol of the first configured proposalMartin Willi2013-10-111-4/+12
|
* child-sa: Save protocol during SPI allocationMartin Willi2013-10-111-6/+3
| | | | | This allows us to properly delete the incomplete SA with the correct protocol should negotiation fail.
* ikev1: Negotiate SPI with the first/negotiated proposal protocolMartin Willi2013-10-111-3/+18
|
* ikev2: Allocate SPI with the protocol of the first/negotiated proposalMartin Willi2013-10-111-2/+16
|
* ikev1: Accept reauthentication attempts with a keep unique policy from same hostMartin Willi2013-09-301-6/+17
| | | | | | | When we have a "keep" unique policy in place, we have to be less strict in rejecting Main/Aggressive Modes to enforce it. If the host/port equals to that of an existing ISAKMP SA, we assume it is a reauthentication attempt and accept the new SA (to replace the old).
* ikev1: Delay a potential delete for a duplicate IKE_SA having a replace policyMartin Willi2013-09-301-8/+29
| | | | | | | | | Sending a DELETE for the replaced SA immediately is problematic during reauthentication, as the peer might have associated the Quick Modes to the old SA, and also delete them. With this change the delete for the old ISAKMP SA is usually omitted, as it is gets implicitly deleted by the reauth.
* ikev2: Force an update of the host addresses on the first responseTobias Brunner2013-09-231-11/+9
| | | | | | | | | | | This is especially useful on Android where we are able to send messages even if we don't know the correct local address (this is possible because we don't set source addresses in outbound messages). This way we may learn the correct local address if it e.g. changed right before reestablishing an SA. Updating the local address later is tricky without MOBIKE as the responder might not update the associated IPsec SAs properly.
* ike-sa: Resolve hosts before reestablishing an IKE_SATobias Brunner2013-09-231-0/+2
|
* ikev1: Fix double free when searching for redundant CHILD_SAsTobias Brunner2013-09-131-1/+1
| | | | Fixes #411.
* ikev1: For PFS prefer DH group from IKE_SA over first configuredThomas Egerer2013-09-101-18/+54
| | | | | | | | | | If PFS is configured for a CHILD_SA first try to create a list of proposals with using DH group negotiated during phase 1. If the resulting list is empty (i.e. the DH group(s) configured for PFS differ from the one(s) configured for the IKE_SA), fall back to the first configured DH group from the CHILD_SA. This modificiation is due to the fact that it is likely that the peer supports the same DH group for PFS it did already for the IKE_SA.
* ike-cfg: remove the to be obsoleted allow any parameter in get_my/other_addrMartin Willi2013-09-041-1/+1
|
* trap-manager: use ike_cfg resolver functionsMartin Willi2013-09-041-4/+2
|
* ike-sa: use ike_cfg resolver functionsMartin Willi2013-09-041-16/+12
|
* ikev1: implement mode config push modeMartin Willi2013-09-045-76/+363
|
* xauth: add a configuration string option to be passed to XAuth instancesMartin Willi2013-09-034-4/+25
| | | | | | The configuration string is appended to the XAuth backend name, separated by a colon. The configuration string is passed untouched to the backend, where it can change the behavior of the XAuth module.
* ikev1: Fix calculation of the number of fragmentsTobias Brunner2013-08-151-1/+1
| | | | The old code resulted in too few fragments in some cases.
* ikev1: When sending fragments, use ports to decide if a non-ESP marker is addedTobias Brunner2013-08-151-6/+8
| | | | | This is same same logic used by sender and might apply in some cases (e.g. when initiating to port 4500).
* ikev2: Fix segfault when reestablishing CHILD_SAs due to ↵Tobias Brunner2013-08-131-3/+4
| | | | | | closeaction=restart|hold This regression was introduced with c949a4d5.
* ikev2: Only schedule half-open-timeout delete job after successfully ↵Tobias Brunner2013-07-291-8/+16
| | | | | | | handling IKE_SA_INIT We want to avoid this allocation if the initial message is invalid (e.g. if the message ID is != 0).
* ikev1: Always send ID payloads (traffic selectors) during Quick ModeTobias Brunner2013-07-251-26/+4
| | | | | | | Especially Windows 7 has problems if the peer does not send ID payloads for host-to-host connections (tunnel and transport mode). Fixes #319.
* Fix various API doc issues and typosTobias Brunner2013-07-186-13/+11
| | | | Partially based on an old patch by Adrian-Ken Rueegsegger.
* ike: Fix reestablishing SAs if no child-creating tasks are queuedTobias Brunner2013-07-181-2/+5
|
* ike-sa: uninstall CHILD_SAs before removing virtual IPsMartin Willi2013-07-181-1/+8
| | | | | | a3854d83 changed cleanup order. But we should remove CHILD_SAs first, as routes for CHILD_SAs might get deleted while removing virtual IPs, resulting in an error when a CHILD_SA tries to uninstall its route.
* ikev1: Reestablish IKE_SA/CHILD_SAs if it gets deleted by the peerTobias Brunner2013-07-171-0/+5
| | | | | We call ike_sa_t.reestablish() so the IKE_SA is only recreated if any CHILD_SA requires it.
* ike: Migrate queued CHILD_SA-creating tasks when reestablishing an IKE_SATobias Brunner2013-07-174-2/+115
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-04 17:31:09 +0000