aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon/sa
Commit message (Collapse)AuthorAgeFilesLines
...
* iv_gen: aead_t implementations provide an IV generatorTobias Brunner2013-10-111-0/+8
|
* Remove HASH_PREFERRED, usages are replaced with HASH_SHA1, which is required ↵Tobias Brunner2013-10-111-1/+1
| | | | for IKEv2 anyway
* kernel: Use a time_t to report use time in query_policy()Martin Willi2013-10-111-2/+2
|
* kernel: Use a time_t to report use time in query_sa()Martin Willi2013-10-111-3/+3
|
* ike: Define keylength for aescmac algorithmMartin Willi2013-10-111-0/+1
|
* ikev1: Delete quick modes with the negotiated SA protocolMartin Willi2013-10-111-1/+1
|
* trap-manager: Install trap with SA protocol of the first configured proposalMartin Willi2013-10-111-4/+12
|
* child-sa: Save protocol during SPI allocationMartin Willi2013-10-111-6/+3
| | | | | This allows us to properly delete the incomplete SA with the correct protocol should negotiation fail.
* ikev1: Negotiate SPI with the first/negotiated proposal protocolMartin Willi2013-10-111-3/+18
|
* ikev2: Allocate SPI with the protocol of the first/negotiated proposalMartin Willi2013-10-111-2/+16
|
* ikev1: Accept reauthentication attempts with a keep unique policy from same hostMartin Willi2013-09-301-6/+17
| | | | | | | When we have a "keep" unique policy in place, we have to be less strict in rejecting Main/Aggressive Modes to enforce it. If the host/port equals to that of an existing ISAKMP SA, we assume it is a reauthentication attempt and accept the new SA (to replace the old).
* ikev1: Delay a potential delete for a duplicate IKE_SA having a replace policyMartin Willi2013-09-301-8/+29
| | | | | | | | | Sending a DELETE for the replaced SA immediately is problematic during reauthentication, as the peer might have associated the Quick Modes to the old SA, and also delete them. With this change the delete for the old ISAKMP SA is usually omitted, as it is gets implicitly deleted by the reauth.
* ikev2: Force an update of the host addresses on the first responseTobias Brunner2013-09-231-11/+9
| | | | | | | | | | | This is especially useful on Android where we are able to send messages even if we don't know the correct local address (this is possible because we don't set source addresses in outbound messages). This way we may learn the correct local address if it e.g. changed right before reestablishing an SA. Updating the local address later is tricky without MOBIKE as the responder might not update the associated IPsec SAs properly.
* ike-sa: Resolve hosts before reestablishing an IKE_SATobias Brunner2013-09-231-0/+2
|
* ikev1: Fix double free when searching for redundant CHILD_SAsTobias Brunner2013-09-131-1/+1
| | | | Fixes #411.
* ikev1: For PFS prefer DH group from IKE_SA over first configuredThomas Egerer2013-09-101-18/+54
| | | | | | | | | | If PFS is configured for a CHILD_SA first try to create a list of proposals with using DH group negotiated during phase 1. If the resulting list is empty (i.e. the DH group(s) configured for PFS differ from the one(s) configured for the IKE_SA), fall back to the first configured DH group from the CHILD_SA. This modificiation is due to the fact that it is likely that the peer supports the same DH group for PFS it did already for the IKE_SA.
* ike-cfg: remove the to be obsoleted allow any parameter in get_my/other_addrMartin Willi2013-09-041-1/+1
|
* trap-manager: use ike_cfg resolver functionsMartin Willi2013-09-041-4/+2
|
* ike-sa: use ike_cfg resolver functionsMartin Willi2013-09-041-16/+12
|
* ikev1: implement mode config push modeMartin Willi2013-09-045-76/+363
|
* xauth: add a configuration string option to be passed to XAuth instancesMartin Willi2013-09-034-4/+25
| | | | | | The configuration string is appended to the XAuth backend name, separated by a colon. The configuration string is passed untouched to the backend, where it can change the behavior of the XAuth module.
* ikev1: Fix calculation of the number of fragmentsTobias Brunner2013-08-151-1/+1
| | | | The old code resulted in too few fragments in some cases.
* ikev1: When sending fragments, use ports to decide if a non-ESP marker is addedTobias Brunner2013-08-151-6/+8
| | | | | This is same same logic used by sender and might apply in some cases (e.g. when initiating to port 4500).
* ikev2: Fix segfault when reestablishing CHILD_SAs due to ↵Tobias Brunner2013-08-131-3/+4
| | | | | | closeaction=restart|hold This regression was introduced with c949a4d5.
* ikev2: Only schedule half-open-timeout delete job after successfully ↵Tobias Brunner2013-07-291-8/+16
| | | | | | | handling IKE_SA_INIT We want to avoid this allocation if the initial message is invalid (e.g. if the message ID is != 0).
* ikev1: Always send ID payloads (traffic selectors) during Quick ModeTobias Brunner2013-07-251-26/+4
| | | | | | | Especially Windows 7 has problems if the peer does not send ID payloads for host-to-host connections (tunnel and transport mode). Fixes #319.
* Fix various API doc issues and typosTobias Brunner2013-07-186-13/+11
| | | | Partially based on an old patch by Adrian-Ken Rueegsegger.
* ike: Fix reestablishing SAs if no child-creating tasks are queuedTobias Brunner2013-07-181-2/+5
|
* ike-sa: uninstall CHILD_SAs before removing virtual IPsMartin Willi2013-07-181-1/+8
| | | | | | a3854d83 changed cleanup order. But we should remove CHILD_SAs first, as routes for CHILD_SAs might get deleted while removing virtual IPs, resulting in an error when a CHILD_SA tries to uninstall its route.
* ikev1: Reestablish IKE_SA/CHILD_SAs if it gets deleted by the peerTobias Brunner2013-07-171-0/+5
| | | | | We call ike_sa_t.reestablish() so the IKE_SA is only recreated if any CHILD_SA requires it.
* ike: Migrate queued CHILD_SA-creating tasks when reestablishing an IKE_SATobias Brunner2013-07-174-2/+115
|
* ikev1: Support closeaction of CHILD_SA.Oliver Smith2013-07-171-7/+49
| | | | | | When a CHILD_SA is closed in IKEv1, if it is not being rekeyed and closeaction has been set, we can now perform a restart or hold as is currently done for IKEv2.
* child-sa: refactor proxy transport mode address lookupMartin Willi2013-07-171-56/+42
|
* child-sa: replace traffic selector lists by arraysMartin Willi2013-07-171-18/+19
| | | | Saves up to another 0.5KB of memory per CHILD_SA.
* child-sa: replace get_traffic_selectors() with create_ts_enumerator()Martin Willi2013-07-177-59/+78
| | | | | Not directly returning a linked list allows us to change the internals of the CHILD_SA transparently.
* ikev2: replace linked lists by arrays in task managerMartin Willi2013-07-171-70/+76
| | | | Eliminates another three lists, 0.5KB per IKE_SA.
* ike-sa: use arrays instead of linked lists in long lived collectionsMartin Willi2013-07-171-116/+98
| | | | This saves about 1.5KB of memory per IKE_SA.
* ike: Resolve hosts only for address families currently supportedTobias Brunner2013-07-051-3/+16
|
* Reuse reqid when restarting CHILD_SAs for dpd|closeaction=restartTobias Brunner2013-07-012-3/+4
|
* Reuse reqid for trap policies installed for dpd|closeaction=holdTobias Brunner2013-07-014-5/+8
|
* ikev2: keep the CHILD_SA we delete as initiator in the list to destroyMartin Willi2013-06-251-6/+5
| | | | | If the responder not correctly send the correct protocol or SPI in the delete response, we should remove the CHILD_SA regardless.
* ike: Force NAT-T/UDP encapsulation if kernel interface requires itTobias Brunner2013-06-212-5/+32
|
* ikev2: use protocol of selected proposal to delete a failed CHILD_SAMartin Willi2013-06-201-2/+2
| | | | Depending on the failure, the protocol might not yet be set on the CHILD_SA.
* ikev2: properly fall back to tunnel mode if transport/BEET mode not configuredMartin Willi2013-06-191-2/+8
|
* ikev2: support transport mode over NATMartin Willi2013-06-191-36/+150
|
* ike: reuse the reqid of an installed trap having the same configMartin Willi2013-06-191-1/+5
| | | | | | | When we have a trap installed, but a CHILD_SA gets established for the same config from the peer, we should reuse the same reqid. Otherwise we would have two identical policies using different reqids, what we can't handle in our kernel backend.
* trap-manager: add a method to find reqid for installed traps by configMartin Willi2013-06-192-2/+38
|
* trap-manager: don't check-in nonexisting IKE_SA if acquire failsMartin Willi2013-06-191-2/+1
|
* trap-manager: fix a memleak when installing a trap to %anyMartin Willi2013-06-191-0/+1
|
* kernel-interface: add an exchange initiator parameter to add_sa()Martin Willi2013-06-114-21/+28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This new flag gives the kernel-interface a hint how it should priorize the use of newly installed SAs during rekeying. Consider the following rekey procedure in IKEv2: Initiator --- Responder I1 -------CREATE-------> R1 I2 <------CREATE-------- -------DELETE-------> R2 I3 <------DELETE-------- SAs are always handled as pairs, the following happens at the SA level: * Initiator starts the exchange at I1 * Responder installs new SA pair at R1 * Initiator installs new SA pair at I2 * Responder removes old SA pair at R2 * Initiator removes old SA pair at I3 This makes sure SAs get installed/removed overlapping during rekeying. However, to avoid any packet loss, it is crucial that the new outbound SA gets activated at the correct position: * as exchange initiator, in I2 * as exchange responder, in R2 This should guarantee that we don't use the new outbound SA before the peer could install its corresponding inbound SA. The new parameter allows the kernel backend to install the new SA with appropriate priorities, i.e. it should: * as exchange inititator, have the new outbound SA installed with higher priority than the old SA * as exchange responder, have the new outbound SA installed with lower priority than the old SA While we could split up the SA installation at the responder, this approach has another advantage: it allows the kernel backend to switch SAs based on other criteria, for example when receiving traffic on the new inbound SA.
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-04 12:53:12 +0000