path: root/src/libcharon/sa
Commit message [Author, Date, Files changed, Lines -removed/+added]
...
* Do not log potentially hundreds of cert requests for unknown CAs at level 1 [Martin Willi, 2011-01-28, 1 file, -1/+8]
* Revert "Send INITIAL_CONTACT even if we have a unique policy" [Martin Willi, 2011-01-13, 1 file, -1/+2]
  It makes sense to omit INITIAL_CONTACT if we don't have a unique policy, as a client might want to connect from different devices to the same account. This reverts commit 719c33b41a1f9fe9b2585df3e7aa804a760c361c.
* Force port update as responder when initiator switches to 4500 in IKE_AUTH [Martin Willi, 2011-01-12, 3 files, -5/+6]
* Avoid variable name overloading [Martin Willi, 2011-01-12, 1 file, -7/+11]
* Send INITIAL_CONTACT even if we have a unique policy [Martin Willi, 2011-01-10, 1 file, -2/+1]
* Fix nonce comparison in rekey collisions, lowest nonce loses [Martin Willi, 2011-01-07, 2 files, -7/+7]
* Destroy existing IKE_SAs with same identities when receiving INITIAL_CONTACT [Martin Willi, 2011-01-05, 3 files, -4/+33]
* Send INITIAL_CONTACT for the first IKE_SA if it has a unique policy [Martin Willi, 2011-01-05, 3 files, -16/+66]
* Migrated ike_sa_manager_t to INIT/METHOD macros, some cleanups [Martin Willi, 2011-01-05, 1 file, -189/+180]
* Provide CRLs received in CERT payloads to trustchain verification [Martin Willi, 2011-01-05, 1 file, -1/+9]
* Include the used reserved bytes from ID payloads in AUTH calculation [Martin Willi, 2011-01-05, 11 files, -39/+126]
* Migrated psk/pubkey_authenticators to INIT/METHOD macros [Martin Willi, 2011-01-05, 2 files, -84/+70]
* Moved check if packet already encoded to ike_sa, avoids message() hook invocation twice [Martin Willi, 2011-01-05, 1 file, -0/+5]
* Move critical bit checking to ike_sa, notify payload includes unsupported payload type [Martin Willi, 2011-01-05, 3 files, -11/+61]
* Handle all error notifies in CREATE_CHILD_SA exchanges [Martin Willi, 2011-01-05, 1 file, -0/+14]
* Ignore messages with exchange type altered to UNDEFINED in message() hook [Martin Willi, 2011-01-05, 1 file, -0/+8]
* Moved message()-hook invocation to generate_message(), catch pre-generated IKE_SA_INITs, too [Martin Willi, 2011-01-05, 2 files, -2/+1]
* Support manually triggered DPD check, even if DPD disabled in config [Martin Willi, 2011-01-05, 1 file, -11/+10]
* eliminated whitespace [Andreas Steffen, 2010-12-21, 1 file, -1/+1]
* Migrated child_create_t to INIT/METHOD macros [Andreas Steffen, 2010-12-21, 1 file, -83/+55]
* Do not use TFC padding if peer does not support ESPv3 [Martin Willi, 2010-12-20, 3 files, -11/+31]
* Added a TFC padding option to child_cfg [Martin Willi, 2010-12-20, 1 file, -0/+2]
* Implemented Traffic Flow Confidentiality padding in kernel_interface [Martin Willi, 2010-12-20, 1 file, -1/+2]
* Install selectors on transport mode IPsec SAs. [Jiri Bohac, 2010-12-13, 1 file, -1/+1]
  This fixes several test cases in IKEv2_Self_Test (part of the IPv6 Ready Logo Program) which is required for USGv6 certification, namely:
  - IKEv2.EN.I.1.1.7.1, IKEv2.EN.I.1.1.7.1: Narrowing the range of members of the set of traffic selectors
  - IKEv2.EN.R.1.1.7.3: Narrowing multiple traffic selector
  When traffic selectors of a triggered SA are narrowed by the responder, the installed policy and the broader trap policy share the same reqid. Without selectors on the IPsec SA, packets matching the trap policy, but not the narrowed policy, would incorrectly be handled by that IPsec SA. Since only one selector can be specified per IPsec SA, there is currently no solution for tunnel mode SAs.
* Never register IKE_SA during checkout_new, as rekeying keeps it checked out [Martin Willi, 2010-12-07, 2 files, -18/+2]
* Guarantee entry->other is set when calling put_connected_peers [Thomas Egerer, 2010-12-06, 1 file, -1/+7]
  Given the original intent of entry->host, the check for DoS attacks, it can happen that this value remains NULL when an entry is created. This is particularly awkward if put_connected_peers is called to check if a connection to a given peer already exists, since it takes the address family into consideration (git commit b74219d0) which is gleaned from entry->host. This patch guarantees that entry->other is a clone of host before put_connected_peers is called.
* Do not checkin a previously destroyed SA [Thomas Egerer, 2010-11-16, 1 file, -1/+4]
* Extend connected peers by peer family [Thomas Egerer, 2010-11-12, 1 file, -5/+16]
  This allows for simultaneous IPv4 and IPv6 tunnels for the same peers with matching identities.
* Do not add additional addresses to MOBIKE path probing messages. [Tobias Brunner, 2010-10-12, 1 file, -10/+12]
* Change behavior of responder during roaming. [Tobias Brunner, 2010-10-12, 1 file, -16/+17]
  If the current source address is not available anymore, the responder uses ike_mobike_t.roam, thus uses multiple address combinations when trying to notify the initiator.
* Allow responder to use ike_mobike_t.roam. [Tobias Brunner, 2010-10-12, 1 file, -1/+7]
  After getting a response the responder updates the IPsec SAs.
* Send list of additional addresses even if current path is still valid. [Tobias Brunner, 2010-10-12, 1 file, -0/+11]
* Extracted path checking in ike_sa_t.roam into separate functions. [Tobias Brunner, 2010-10-12, 1 file, -46/+68]
* Added support for responders to change their address via MOBIKE. [Tobias Brunner, 2010-10-12, 1 file, -0/+20]
  If the original responder updates its list of additional addresses we check if the remote endpoint changed and update the IPsec SAs if it did, as we assume the original address became unavailable and the responder already updated the SAs on its side.
* Explicitly configure MOBIKE tasks to update the list of additional addresses. [Tobias Brunner, 2010-10-12, 3 files, -2/+15]
* Improved check for first IKE_AUTH message in ike_mobike task. [Tobias Brunner, 2010-10-12, 1 file, -3/+6]
  If the original responder initiated a MOBIKE exchange, the previous check was not always correct.
* Migrated ike_mobike task to INIT/METHOD macros. [Tobias Brunner, 2010-10-12, 1 file, -67/+46]
* Simplified apply_port function in mobike task. [Tobias Brunner, 2010-10-12, 1 file, -16/+9]
* Do not update hosts based on retransmitted messages. [Tobias Brunner, 2010-10-12, 2 files, -15/+23]
* Do not update remote host if we are behind a NAT. [Tobias Brunner, 2010-10-12, 1 file, -4/+2]
* NOTIFY error message types include 16383 [Andreas Steffen, 2010-09-29, 1 file, -1/+1]
* Adapted child_sa_t to changed kernel interface. [Tobias Brunner, 2010-09-02, 1 file, -25/+49]
* Added an option to specify the type of a policy to kernel_ipsec.add_policy. [Tobias Brunner, 2010-09-02, 1 file, -18/+18]
  This will later allow us to support pluto's passthrough and drop policies in charon.
* Replaced the protocol argument in add_policy with an optional SPI for an AH SA. [Tobias Brunner, 2010-09-02, 1 file, -18/+37]
* Refer to scheduler and processor via lib and not hydra. [Tobias Brunner, 2010-09-02, 8 files, -36/+30]
* Refer to kernel interface via hydra and not charon. [Tobias Brunner, 2010-09-02, 6 files, -58/+62]
* Removed references to protocol_id_t from kernel interface. [Tobias Brunner, 2010-09-02, 1 file, -37/+65]
  Instead we use the actual IP protocol identifier (the conversion now happens in child_sa_t and kernel_handler_t).
* Migrated child_sa_t to INIT/METHOD macros. [Tobias Brunner, 2010-09-02, 1 file, -202/+132]
* Refer to scheduler via hydra and not charon. [Tobias Brunner, 2010-09-02, 6 files, -21/+23]
* Refer to processor via hydra and not charon. [Tobias Brunner, 2010-09-02, 6 files, -9/+14]