aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon/sa
Commit message (Collapse)AuthorAgeFilesLines
...
* Clearly mark switch cases that fall through.Tobias Brunner2011-04-191-0/+1
|
* Neither rekey nor del can be NULL.Tobias Brunner2011-04-141-2/+2
|
* display EAP identifiers in HEX formatAndreas Steffen2011-04-061-4/+4
|
* log the EAP identifier also for vendor specific EAP methodsAndreas Steffen2011-04-051-2/+2
|
* log the initial value of the EAP identifierAndreas Steffen2011-04-051-5/+6
|
* added get_identifier() and set_identifier() methodsAndreas Steffen2011-04-051-3/+18
|
* Move establish/inherit of rekeyed IKE_SAs to delete messagesMartin Willi2011-03-155-58/+54
| | | | | | | | Having the inherit() function delayed to the IKE_SA establish procedure was problematic. The task destroy function was never a good place and results in locking/cleanup problems. After establishing the SA, it should be really checked in ASAP to avoid any triggered DPD checks to get lost.
* Wrap IKE delete after rekey into rekey task for responder, tooMartin Willi2011-03-151-1/+18
|
* Migrated ike_rekey task to INIT/METHOD macrosMartin Willi2011-03-151-59/+40
|
* Migrated sim_manager to INIT/METHOD macrosMartin Willi2011-03-081-150/+92
|
* Protect sim card/provider/hook (un-)registration with a rwlockMartin Willi2011-03-081-0/+58
|
* Splitted sim_manager.h header to sim_{card,provider,hooks}.hMartin Willi2011-03-084-226/+305
|
* Slightly change IKE_SA destruction order to inherit properly during ↵Martin Willi2011-02-282-3/+3
| | | | ike_rekey task destruction
* Report correct key size if a cipher is not supportedMartin Willi2011-02-071-1/+1
|
* Some typos fixed.Tobias Brunner2011-02-071-1/+1
|
* Invoke the per-round authorize() hook before purging current auth info on IKE_SAMartin Willi2011-02-031-10/+10
|
* Migrated ike_auth to INIT/METHOD macros, fixes missing initial_contact ↵Martin Willi2011-02-021-56/+34
| | | | initialization
* Do not use destroyed rng/hasher if IKE_SA has been flush()edMartin Willi2011-02-011-3/+9
|
* Do not log potentially hundreds of cert requests for unknown CAs at level 1Martin Willi2011-01-281-1/+8
|
* Revert "Send INITIAL_CONTACT even if we have a unique policy"Martin Willi2011-01-131-1/+2
| | | | | | | | It makes sense to omit INITIAL_CONTACT if don't have a unique policy, as a client might want to connect from different devices to the same account. This reverts commit 719c33b41a1f9fe9b2585df3e7aa804a760c361c.
* Force port update as responder when initiator switches to 4500 in IKE_AUTHMartin Willi2011-01-123-5/+6
|
* Avoid variable name overloadingMartin Willi2011-01-121-7/+11
|
* Send INITIAL_CONTACT even if we have a unique policyMartin Willi2011-01-101-2/+1
|
* Fix nonce comparison in rekey collisions, lowest nonce losesMartin Willi2011-01-072-7/+7
|
* Destroy existing IKE_SAs with same identities when receiving INITIAL_CONTACTMartin Willi2011-01-053-4/+33
|
* Send INITIAL_CONTACT for the first IKE_SA if it has a unique policyMartin Willi2011-01-053-16/+66
|
* Migrated ike_sa_manager_t to INIT/METHOD macros, some cleanupsMartin Willi2011-01-051-189/+180
|
* Provide CRLs received in CERT payloads to trustchain verificationMartin Willi2011-01-051-1/+9
|
* Include the used reserved bytes from ID payloads in AUTH calculationMartin Willi2011-01-0511-39/+126
|
* Migrated psk/pubkey_authenticators to INIT/METHOD macrosMartin Willi2011-01-052-84/+70
|
* Moved check if packet already encoded to ike_sa, avoids message() hook ↵Martin Willi2011-01-051-0/+5
| | | | invocation twice
* Move critical bit checking to ike_sa, notify payload includes unsupported ↵Martin Willi2011-01-053-11/+61
| | | | payload type
* Handle all error notifies in CREATE_CHILD_SA exchangesMartin Willi2011-01-051-0/+14
|
* Ingore messages with exchange type altered to UNDEFINED in message() hookMartin Willi2011-01-051-0/+8
|
* Moved message()-hook invocation to generate_message(), catch pre-generated ↵Martin Willi2011-01-052-2/+1
| | | | IKE_SA_INITs, too
* Support manually triggerd DPD check, even if DPD disabled in configMartin Willi2011-01-051-11/+10
|
* eliminated whitespaceAndreas Steffen2010-12-211-1/+1
|
* Migrated child_create_t to INIT/METHOD macrosAndreas Steffen2010-12-211-83/+55
|
* Do not use TFC padding if peer does not support ESPv3Martin Willi2010-12-203-11/+31
|
* Added a TFC padding option to child_cfgMartin Willi2010-12-201-0/+2
|
* Implemented Traffic Flow Confidentiality padding in kernel_interfaceMartin Willi2010-12-201-1/+2
|
* Install selectors on transport mode IPsec SAs.Jiri Bohac2010-12-131-1/+1
| | | | | | | | | | | | | | | | This fixes several test cases in IKEv2_Self_Test (part of the IPv6 Ready Logo Program) which is required for USGv6 certification, namely: - IKEv2.EN.I.1.1.7.1, IKEv2.EN.I.1.1.7.1: Narrowing the range of members of the set of traffic selectors - IKEv2.EN.R.1.1.7.3: Narrowing multiple traffic selector When traffic selectors of a triggered SA are narrowed by the responder, the installed policy and the broader trap policy share the same reqid. Without selectors on the IPsec SA packets matching the trap policy, but not the narrowed policy, would incorrectly be handled by that IPsec SA. Since only one selector can be specified per IPsec SA, there is currently no solution for tunnel mode SAs.
* Never register IKE_SA during checkout_new, as rekeying keeps it checked outMartin Willi2010-12-072-18/+2
|
* Guarantee entry->other is set when calling put_connected_peersThomas Egerer2010-12-061-1/+7
| | | | | | | | | | | Given the original intent of entry->host, the check for DoS attacks, it can happen that this value remains NULL when an entry is created. This is particularly awkward if put_connected_peers is called to check if a connection to a given peer already exists, since it takes the address family into consideration (git commit b74219d0) which is gleaned from entry->host. This patch guarantees that entry->other is a clone of host before put_connected_peers is called.
* Do not checkin a previously destroyed SAThomas Egerer2010-11-161-1/+4
|
* Extend connected peers by peer familyThomas Egerer2010-11-121-5/+16
| | | | | This allows for simultanious IPv4 and IPv6 tunnel for same peers with matching identities.
* Do not add additional addresses to MOBIKE path probing messages.Tobias Brunner2010-10-121-10/+12
|
* Change behavior of responder during roaming.Tobias Brunner2010-10-121-16/+17
| | | | | | If the current source address is not available anymore, the responder uses ike_mobike_t.roam, thus, uses multiple address combinations when trying to notify the initiator.
* Allow responder to use ike_mobike_t.roam.Tobias Brunner2010-10-121-1/+7
| | | | After getting a response the responder updates the IPsec SAs.
* Send list of additional addresses even if current path is still valid.Tobias Brunner2010-10-121-0/+11
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-08 08:49:08 +0000