Commit message (Collapse) | Author | Age | Files | Lines | ||
---|---|---|---|---|---|---|
... | ||||||
* | Fixed some typos | Tobias Brunner | 2013-10-29 | 2 | -2/+2 | |
| | ||||||
* | trap-manager: Make sure a config is not trapped twice | Tobias Brunner | 2013-10-17 | 1 | -4/+16 | |
| | ||||||
* | iv_gen: aead_t implementations provide an IV generator | Tobias Brunner | 2013-10-11 | 1 | -0/+8 | |
| | ||||||
* | Remove HASH_PREFERRED, usages are replaced with HASH_SHA1, which is required ↵ | Tobias Brunner | 2013-10-11 | 1 | -1/+1 | |
| | | | | for IKEv2 anyway | |||||
* | kernel: Use a time_t to report use time in query_policy() | Martin Willi | 2013-10-11 | 1 | -2/+2 | |
| | ||||||
* | kernel: Use a time_t to report use time in query_sa() | Martin Willi | 2013-10-11 | 1 | -3/+3 | |
| | ||||||
* | ike: Define keylength for aescmac algorithm | Martin Willi | 2013-10-11 | 1 | -0/+1 | |
| | ||||||
* | ikev1: Delete quick modes with the negotiated SA protocol | Martin Willi | 2013-10-11 | 1 | -1/+1 | |
| | ||||||
* | trap-manager: Install trap with SA protocol of the first configured proposal | Martin Willi | 2013-10-11 | 1 | -4/+12 | |
| | ||||||
* | child-sa: Save protocol during SPI allocation | Martin Willi | 2013-10-11 | 1 | -6/+3 | |
| | | | | | This allows us to properly delete the incomplete SA with the correct protocol should negotiation fail. | |||||
* | ikev1: Negotiate SPI with the first/negotiated proposal protocol | Martin Willi | 2013-10-11 | 1 | -3/+18 | |
| | ||||||
* | ikev2: Allocate SPI with the protocol of the first/negotiated proposal | Martin Willi | 2013-10-11 | 1 | -2/+16 | |
| | ||||||
* | ikev1: Accept reauthentication attempts with a keep unique policy from same host | Martin Willi | 2013-09-30 | 1 | -6/+17 | |
| | | | | | | | When we have a "keep" unique policy in place, we have to be less strict in rejecting Main/Aggressive Modes to enforce it. If the host/port equals to that of an existing ISAKMP SA, we assume it is a reauthentication attempt and accept the new SA (to replace the old). | |||||
* | ikev1: Delay a potential delete for a duplicate IKE_SA having a replace policy | Martin Willi | 2013-09-30 | 1 | -8/+29 | |
| | | | | | | | | | Sending a DELETE for the replaced SA immediately is problematic during reauthentication, as the peer might have associated the Quick Modes to the old SA, and also delete them. With this change the delete for the old ISAKMP SA is usually omitted, as it is gets implicitly deleted by the reauth. | |||||
* | ikev2: Force an update of the host addresses on the first response | Tobias Brunner | 2013-09-23 | 1 | -11/+9 | |
| | | | | | | | | | | | This is especially useful on Android where we are able to send messages even if we don't know the correct local address (this is possible because we don't set source addresses in outbound messages). This way we may learn the correct local address if it e.g. changed right before reestablishing an SA. Updating the local address later is tricky without MOBIKE as the responder might not update the associated IPsec SAs properly. | |||||
* | ike-sa: Resolve hosts before reestablishing an IKE_SA | Tobias Brunner | 2013-09-23 | 1 | -0/+2 | |
| | ||||||
* | ikev1: Fix double free when searching for redundant CHILD_SAs | Tobias Brunner | 2013-09-13 | 1 | -1/+1 | |
| | | | | Fixes #411. | |||||
* | ikev1: For PFS prefer DH group from IKE_SA over first configured | Thomas Egerer | 2013-09-10 | 1 | -18/+54 | |
| | | | | | | | | | | If PFS is configured for a CHILD_SA first try to create a list of proposals with using DH group negotiated during phase 1. If the resulting list is empty (i.e. the DH group(s) configured for PFS differ from the one(s) configured for the IKE_SA), fall back to the first configured DH group from the CHILD_SA. This modificiation is due to the fact that it is likely that the peer supports the same DH group for PFS it did already for the IKE_SA. | |||||
* | ike-cfg: remove the to be obsoleted allow any parameter in get_my/other_addr | Martin Willi | 2013-09-04 | 1 | -1/+1 | |
| | ||||||
* | trap-manager: use ike_cfg resolver functions | Martin Willi | 2013-09-04 | 1 | -4/+2 | |
| | ||||||
* | ike-sa: use ike_cfg resolver functions | Martin Willi | 2013-09-04 | 1 | -16/+12 | |
| | ||||||
* | ikev1: implement mode config push mode | Martin Willi | 2013-09-04 | 5 | -76/+363 | |
| | ||||||
* | xauth: add a configuration string option to be passed to XAuth instances | Martin Willi | 2013-09-03 | 4 | -4/+25 | |
| | | | | | | The configuration string is appended to the XAuth backend name, separated by a colon. The configuration string is passed untouched to the backend, where it can change the behavior of the XAuth module. | |||||
* | ikev1: Fix calculation of the number of fragments | Tobias Brunner | 2013-08-15 | 1 | -1/+1 | |
| | | | | The old code resulted in too few fragments in some cases. | |||||
* | ikev1: When sending fragments, use ports to decide if a non-ESP marker is added | Tobias Brunner | 2013-08-15 | 1 | -6/+8 | |
| | | | | | This is same same logic used by sender and might apply in some cases (e.g. when initiating to port 4500). | |||||
* | ikev2: Fix segfault when reestablishing CHILD_SAs due to ↵ | Tobias Brunner | 2013-08-13 | 1 | -3/+4 | |
| | | | | | | closeaction=restart|hold This regression was introduced with c949a4d5. | |||||
* | ikev2: Only schedule half-open-timeout delete job after successfully ↵ | Tobias Brunner | 2013-07-29 | 1 | -8/+16 | |
| | | | | | | | handling IKE_SA_INIT We want to avoid this allocation if the initial message is invalid (e.g. if the message ID is != 0). | |||||
* | ikev1: Always send ID payloads (traffic selectors) during Quick Mode | Tobias Brunner | 2013-07-25 | 1 | -26/+4 | |
| | | | | | | | Especially Windows 7 has problems if the peer does not send ID payloads for host-to-host connections (tunnel and transport mode). Fixes #319. | |||||
* | Fix various API doc issues and typos | Tobias Brunner | 2013-07-18 | 6 | -13/+11 | |
| | | | | Partially based on an old patch by Adrian-Ken Rueegsegger. | |||||
* | ike: Fix reestablishing SAs if no child-creating tasks are queued | Tobias Brunner | 2013-07-18 | 1 | -2/+5 | |
| | ||||||
* | ike-sa: uninstall CHILD_SAs before removing virtual IPs | Martin Willi | 2013-07-18 | 1 | -1/+8 | |
| | | | | | | a3854d83 changed cleanup order. But we should remove CHILD_SAs first, as routes for CHILD_SAs might get deleted while removing virtual IPs, resulting in an error when a CHILD_SA tries to uninstall its route. | |||||
* | ikev1: Reestablish IKE_SA/CHILD_SAs if it gets deleted by the peer | Tobias Brunner | 2013-07-17 | 1 | -0/+5 | |
| | | | | | We call ike_sa_t.reestablish() so the IKE_SA is only recreated if any CHILD_SA requires it. | |||||
* | ike: Migrate queued CHILD_SA-creating tasks when reestablishing an IKE_SA | Tobias Brunner | 2013-07-17 | 4 | -2/+115 | |
| | ||||||
* | ikev1: Support closeaction of CHILD_SA. | Oliver Smith | 2013-07-17 | 1 | -7/+49 | |
| | | | | | | When a CHILD_SA is closed in IKEv1, if it is not being rekeyed and closeaction has been set, we can now perform a restart or hold as is currently done for IKEv2. | |||||
* | child-sa: refactor proxy transport mode address lookup | Martin Willi | 2013-07-17 | 1 | -56/+42 | |
| | ||||||
* | child-sa: replace traffic selector lists by arrays | Martin Willi | 2013-07-17 | 1 | -18/+19 | |
| | | | | Saves up to another 0.5KB of memory per CHILD_SA. | |||||
* | child-sa: replace get_traffic_selectors() with create_ts_enumerator() | Martin Willi | 2013-07-17 | 7 | -59/+78 | |
| | | | | | Not directly returning a linked list allows us to change the internals of the CHILD_SA transparently. | |||||
* | ikev2: replace linked lists by arrays in task manager | Martin Willi | 2013-07-17 | 1 | -70/+76 | |
| | | | | Eliminates another three lists, 0.5KB per IKE_SA. | |||||
* | ike-sa: use arrays instead of linked lists in long lived collections | Martin Willi | 2013-07-17 | 1 | -116/+98 | |
| | | | | This saves about 1.5KB of memory per IKE_SA. | |||||
* | ike: Resolve hosts only for address families currently supported | Tobias Brunner | 2013-07-05 | 1 | -3/+16 | |
| | ||||||
* | Reuse reqid when restarting CHILD_SAs for dpd|closeaction=restart | Tobias Brunner | 2013-07-01 | 2 | -3/+4 | |
| | ||||||
* | Reuse reqid for trap policies installed for dpd|closeaction=hold | Tobias Brunner | 2013-07-01 | 4 | -5/+8 | |
| | ||||||
* | ikev2: keep the CHILD_SA we delete as initiator in the list to destroy | Martin Willi | 2013-06-25 | 1 | -6/+5 | |
| | | | | | If the responder not correctly send the correct protocol or SPI in the delete response, we should remove the CHILD_SA regardless. | |||||
* | ike: Force NAT-T/UDP encapsulation if kernel interface requires it | Tobias Brunner | 2013-06-21 | 2 | -5/+32 | |
| | ||||||
* | ikev2: use protocol of selected proposal to delete a failed CHILD_SA | Martin Willi | 2013-06-20 | 1 | -2/+2 | |
| | | | | Depending on the failure, the protocol might not yet be set on the CHILD_SA. | |||||
* | ikev2: properly fall back to tunnel mode if transport/BEET mode not configured | Martin Willi | 2013-06-19 | 1 | -2/+8 | |
| | ||||||
* | ikev2: support transport mode over NAT | Martin Willi | 2013-06-19 | 1 | -36/+150 | |
| | ||||||
* | ike: reuse the reqid of an installed trap having the same config | Martin Willi | 2013-06-19 | 1 | -1/+5 | |
| | | | | | | | When we have a trap installed, but a CHILD_SA gets established for the same config from the peer, we should reuse the same reqid. Otherwise we would have two identical policies using different reqids, what we can't handle in our kernel backend. | |||||
* | trap-manager: add a method to find reqid for installed traps by config | Martin Willi | 2013-06-19 | 2 | -2/+38 | |
| | ||||||
* | trap-manager: don't check-in nonexisting IKE_SA if acquire fails | Martin Willi | 2013-06-19 | 1 | -2/+1 | |
| |