aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon/sa
Commit message (Collapse)AuthorAgeFilesLines
...
| | * Implement second exchange in IKEv1 main modeMartin Willi2012-03-201-25/+143
| | |
| | * Extended KE payload for IKEv1 supportMartin Willi2012-03-202-2/+3
| | |
| | * Extended nonce payload for IKEv1 supportMartin Willi2012-03-202-2/+2
| | |
| | * Handle first exchange in IKEv1 main mode as responderMartin Willi2012-03-201-4/+33
| | |
| | * Added an IKEv1 main mode task stubMartin Willi2012-03-204-24/+190
| | |
| | * Added a stub for a IKEv1 task managerMartin Willi2012-03-202-0/+516
| | |
| | * Use task manager as generic interface, renamed implementation to _v2.Martin Willi2012-03-204-23/+63
| | |
| | * Fix init message arrival check.Tobias Brunner2012-03-201-21/+14
| | |
| | * Allow creation of message_t objects for IKEv1 packets.Tobias Brunner2012-03-203-4/+4
| | |
| | * Extend sa_payload for IKEv1 supportMartin Willi2012-03-202-4/+8
| | |
| | * Use vendor id payload for IKEv1 payloads, tooMartin Willi2012-03-201-1/+2
| | |
| | * Handle IKEv1 messages in managers checkout_by_messageMartin Willi2012-03-201-9/+30
| | |
* | | Removed auth_cfg_t.replace_value() and replaced usages with add().Tobias Brunner2012-04-182-12/+3
| | | | | | | | | | | | | | | replace_value() was used to replace identities. Since for these the latest is now returned by get(), adding the new identity with add() is sufficient.
* | | Added a note about DH/keymat lifecycle for custom implementationsMartin Willi2012-04-171-1/+6
| | |
* | | Reuse existing DH value when retrying IKE_SA_INIT with a COOKIEMartin Willi2012-04-171-2/+5
| | |
* | | Use IP address as ID as responder if not configured or no IDr received.Tobias Brunner2012-04-161-3/+11
| | |
* | | Fall back on IP address as IDi if none is configured at all.Tobias Brunner2012-04-161-7/+7
| | |
* | | Use auth_cfg_t.replace_value where appropriate.Tobias Brunner2012-04-162-26/+5
| | |
* | | Fixed IDi in case neither left nor leftid is configured.Tobias Brunner2012-04-161-0/+21
| | |
* | | Don't invoke child_updown hook twice as responderMartin Willi2012-04-111-3/+8
| | |
* | | Properly initialize src in ike_sa_t.is_any_path_valid().Tobias Brunner2012-04-061-1/+1
| | |
* | | added IKEv2 Generic Secure Password Authentication MethodAndreas Steffen2012-04-032-3/+10
|/ /
* | Simplified some route lookups now that we store all peer addresses in a list.Tobias Brunner2012-03-092-25/+9
| |
* | Renamed list of additional peer addresses as it now stores all known addresses.Tobias Brunner2012-03-093-34/+34
| |
* | Store the peer's current address as additional known address on the IKE_SA.Tobias Brunner2012-03-091-0/+8
| | | | | | | | | | This allows to switch back to the original address after switching to any of the additional addresses.
* | Re-resolve hosts on additional keyingtriesMartin Willi2012-03-061-0/+1
| |
* | Invoke ike_updown hook on authentication failure not before response sentMartin Willi2012-03-051-3/+2
| |
* | Be a little more verbose before starting IKE_SA reauthenticationMartin Willi2012-03-051-2/+9
| |
* | Send an AUTH_LIFETIME update after updating the lifetime, but can not reauth ↵Martin Willi2012-03-053-9/+43
| | | | | | | | actively
* | Set hard timeouts when setting a lifetimeMartin Willi2012-03-051-7/+14
| |
* | Fix IKE_SA timeout debug output on 64bit platformsMartin Willi2012-03-051-3/+4
| |
* | Added support for untruncated MD5 and SHA1 HMACs in ESP as used in RFC 4595.Tobias Brunner2012-02-271-0/+2
| | | | | | | | This requires a Linux kernel >= 2.6.33.
* | Trigger DPD not before IKE_SA state gets updatedMartin Willi2012-02-021-6/+8
| |
* | Don't retransmit, rekey, reauth or DPD check SAs when in PASSIVE stateMartin Willi2012-02-021-0/+26
| |
* | Destroy active task list before queued tasksThomas Egerer2012-01-181-3/+3
| | | | | | | | | | | | | | Since active task's destruction might result in adopting tasks from a rekeyed ike sa it seems better to first destroy the active task list and then destroy all queued tasks. This way adoption is possible at all, while otherwise the queued task list would be empty.
* | Fixed additional typos in comments and log messages.Tobias Brunner2012-01-121-1/+1
| |
* | Fix deadlock in trap_manager_t during acquire.Tobias Brunner2011-12-231-28/+43
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Also fixes a TOCTOU issue regarding the use of entry_t.pending. The deadlock was caused because the rwlock was being locked while waiting for an IKE_SA. Triggering the deadlock was a bit tricky, here is the description by Thomas Egerer (the reporter of this issue): " The deadlock occurs when the following happens (in the given order): a) an IKE_SA is built and a thread is processing the IKE_AUTH request, which can take a bit longer when a smartcard is involved. This causes the ike_sa_manager to lock a particular IKE_SA exclusively. b) an acquire is triggered which causes the rwlock in the trap_manager to be read-locked, the subsequent call to ike_sa_manager->checkout_by_config has to wait until a) unlocks it's ike_sa. c) a child_cfg contained in the peer_cfg belonging to the ike_sa a) has locked is routed causes the child_configs contained in the peer config to be locked by c) while the actual routing code within trap_manager tries to writelock it's rwlock. That's about it. As soon as a) finishes authentication of the peer and tries to find a matching child sa it will try to lock the child configs of the peer config which is not possible since it has been locked by c). Thread | Resource locked | Resource desired -------+--------------------------------+-------------------------------- (a) | ike_sa in ike_sa_manager | child_cfgs of peer_cfg | | (b) | rwlock in trap-manager (read) | ike_sa in ike_sa_manager | | (c) | child_cfgs of peer_cfg | rwlock in trap-manager (write) " With this patch thread (b) now does not hold the lock while waiting for the IKE_SA. Thus (c) can get the write lock, and (a) can subsequently lock the mutex in the peer_cfg which then finally allows (b) to checkout the IKE_SA.
* | Fixed flush() method of trap_manager_t.Tobias Brunner2011-12-231-3/+9
|/ | | | | A segmentation fault could have happened during destruction of the trap manager after calling flush().
* Change order of destroy/get_ref function callsThomas Egerer2011-11-041-1/+1
| | | | | Since DESTROY_IF might destroy the peer_cfg, a get_ref on a freed object is subject to fail.
* Log if charon failed to establish a CHILD_SA but keeps the IKE_SA up.Tobias Brunner2011-10-211-0/+4
|
* Don't use union members directly in plugin_feature_t.Tobias Brunner2011-10-141-1/+1
|
* Added a generic callback to register EAP methods using plugin featuresMartin Willi2011-10-142-0/+35
|
* Fixed unintentional fall-through in task_manager.Tobias Brunner2011-10-061-0/+1
| | | | Reported by Howard Windsor.
* Fixed compilation of ike_me_t.Tobias Brunner2011-10-041-2/+2
|
* Migrated child_delete to INIT/METHOD macrosAndreas Steffen2011-10-041-49/+36
|
* Migrated child_rekey to INIT/METHOD macrosAndreas Steffen2011-10-041-50/+36
|
* Migrated ike_auth_lifetime to INIT/METHOD macrosAndreas Steffen2011-10-041-39/+30
|
* Migrated ike_cert_post to INIT/METHOD macrosAndreas Steffen2011-10-041-40/+31
|
* Migrated ike_cert_pre to INIT/METHOD macrosAndreas Steffen2011-10-041-42/+31
|
* Migrated ike_config to INIT/METHOD macrosAndreas Steffen2011-10-031-42/+32
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-07 23:23:55 +0000