aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon/sa
Commit message (Collapse)AuthorAgeFilesLines
...
* bus: Add an ike_update() hook invoked when peer endpoints changeMartin Willi2015-02-201-0/+2
|
* ikev2: Schedule a make-before-break completion task to delete old IKE_SAMartin Willi2015-02-206-1/+172
|
* ikev2: Allow task to skip exchange by setting undefined exchange typeMartin Willi2015-02-201-0/+5
|
* ikev2: Trigger make-before-break reauthentication instead of reauth taskMartin Willi2015-02-202-2/+79
|
* ike-sa-manager: Use IKEv1 uniqueness reauthentication detection for IKEv2, tooMartin Willi2015-02-201-12/+8
|
* attribute-manager: Pass full IKE_SA to handler methodsMartin Willi2015-02-203-9/+5
|
* attribute-manager: Pass the full IKE_SA to provider methodsMartin Willi2015-02-203-10/+8
|
* attributes: Move the configuration attributes framework to libcharonMartin Willi2015-02-203-25/+24
|
* ike: Consistently log CHILD_SAs with their unique_id instead of their reqidMartin Willi2015-02-205-8/+10
|
* ike-sa-manager: Remove IKE_SA checkout by CHILD_SA reqidMartin Willi2015-02-202-36/+13
|
* inactivity-job: Schedule job by CHILD_SA unique ID instead of reqidMartin Willi2015-02-202-13/+7
|
* kernel-interface: Raise expires with a proto/SPI/dst tuple instead of reqidMartin Willi2015-02-201-2/+2
|
* ike: Maintain per-IKE_SA CHILD_SAs in the global CHILD_SA managerMartin Willi2015-02-202-15/+77
|
* child-sa-manager: Add a global manager storing CHILD_SA relationsMartin Willi2015-02-202-0/+422
| | | | | | To quickly check out IKE_SAs and find associated CHILD_SAs, the child_sa_manager stores relations between CHILD_SAs and IKE_SAs. It provides CHILD_SA specific IKE_SA checkout functions wrapping the ike_sa_manager.
* child-sa: Replace reqid based marks by "unique" marksMartin Willi2015-02-209-10/+108
| | | | | | | | | | | As we now use the same reqid for multiple CHILD_SAs with the same selectors, having marks based on the reqid makes not that much sense anymore. Instead we use unique marks that use a custom identifier. This identifier is reused during rekeying, keeping the marks constant for any rule relying on it (for example installed by updown). This also simplifies handling of reqid allocation, as we do not have to query the marks that is not yet assigned for an unknown reqid.
* child-sa: Introduce a unique CHILD_SA identifierMartin Willi2015-02-202-0/+24
| | | | | As the reqid is not that unique even among multiple IKE_SAs anymore, we need an identifier to uniquely identify a specific CHILD_SA instance.
* child-sa: Delegate reqid allocation to the kernel interfaceMartin Willi2015-02-201-15/+46
|
* child-sa: Sort traffic selectors after adding CHILD_SA policiesMartin Willi2015-02-201-0/+3
| | | | Having traffic selectors sorted properly makes comparing them much simpler.
* child-sa: Remove the obsolete update logicMartin Willi2015-02-201-6/+1
| | | | | | The kernel backend uses an inbound parameter these days, where it makes no sense to pass the update flag. The kernel backend decides itself how it handles SA installation based on the inbound flag.
* kernel-interface: Pass full list of traffic selectors to add_sa()Martin Willi2015-02-201-8/+6
| | | | | | While we can handle the first selector only in BEET mode in kernel-netlink, passing the full list gives the backend more flexibility how to handle this information.
* kernel-interface: Remove reqid parameter from get_spi/get_cpi() methodsMartin Willi2015-02-201-2/+2
| | | | | | | | | | The reqid is not strictly required, as we set the reqid with the update call when installing the negotiated SA. If we don't need a reqid at this stage, we can later allocate the reqid in the kernel backend once the SA parameters have been fully negotaited. This allows us to assign the same reqid for the same selectors to avoid conflicts on backends this is necessary.
* ikev2: Only touch the DH object if we have a matching proposalTobias Brunner2014-12-231-11/+17
|
* apple: Redefine some additional clashing Mach typesMartin Willi2014-12-161-0/+2
| | | | | | While they usually are not included in a normal strongSwan build, the XPC header indirectly defines these Mach types. To build charon-xpc, which uses both XPC and strongSwan includes, we have to redefine these types.
* ike: Make check for known payloads depend on IKE versionTobias Brunner2014-12-051-1/+1
|
* ikev2: Fix handling of more than one hash-and-URL certificate payloadsTobias Brunner2014-12-041-2/+2
|
* Implemented full BLISS support for IKEv2 public key authentication and the ↵Andreas Steffen2014-11-293-3/+26
| | | | pki tool
* ikev2: Fix ike_rekey switch statement broken with last commitMartin Willi2014-11-241-1/+1
|
* ikev2: Prevent IKE_SA rekeying if we are currently retrying a CHILD_SA rekeyMartin Willi2014-11-211-0/+1
|
* child-sa: Introduce a CHILD_RETRYING state to detect DH group retriesMartin Willi2014-11-213-0/+7
|
* ikev1: Don't inherit children if INITITAL_CONTACT was seenThomas Egerer2014-10-301-1/+4
| | | | Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* ikev1: Send INITIAL_CONTACT notify in Main ModeThomas Egerer2014-10-301-0/+28
| | | | | | | | | We currently send the notify in Main Mode only, as it is explicitly not allowed by RFC 2407 to send (unprotected) notifications in Aggressive Mode. To make that work, we'd need to handle that notify in Aggressive Mode, which could allow a MitM to inject such notifies and do some harm. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* ike: Do remote address updates also when behind static NATsTobias Brunner2014-10-131-4/+7
| | | | | | | | We assume that a responder is behind a static NAT (e.g. port forwarding) and allow remote address updates in such situations. The problem described in RFC 5996 is only an issue if the NAT mapping can expire.
* ikev1: Add fragmentation support for Windows peersVolker Rümelin2014-10-103-13/+58
| | | | | | | | I still think ipsec/l2tp with fragmentation support is a useful fallback option in case the Windows IKEv2 connection fails because of fragmentation problems. Tested with Windows XP, 7 and 8.1.
* ikev2: Send retransmits using the latest known addressesTobias Brunner2014-10-101-1/+3
| | | | | | | For instance, if a DPD exchange is initiated by the gateway when a mobile client is roaming and it then gets a new IP address and sends an address update via MOBIKE, the DPD retransmits would still be sent to the old address and the SA would eventually get closed.
* ikev2: Send and receive fragmented IKE messagesTobias Brunner2014-10-101-44/+169
| | | | | If a fragmented message is retransmitted only the first packet is passed to the alert() hook.
* ike: IKE_SA may fragment IKEv2 messagesTobias Brunner2014-10-101-1/+1
|
* ike: Do not cache MID of IKEv2 fragmentsTobias Brunner2014-10-101-2/+3
| | | | | This fails if there are unencrypted payloads before an encrypted fragment payload in the first fragment.
* ikev2: Negotiate support for IKEv2 fragmentationTobias Brunner2014-10-102-1/+24
|
* ikev1: Move defragmentation to message_tTobias Brunner2014-10-101-167/+16
|
* ike: Move fragmentation to ike_sa_tTobias Brunner2014-10-103-62/+94
| | | | | | | | | The message() hook on bus_t is now called exactly once before (plain) and once after fragmenting (!plain), not twice for the complete message and again for each individual fragment, as was the case in earlier iterations. For inbound messages the hook is called once for each fragment (!plain) and twice for the reassembled message.
* message: fragment() generates message and fragments and caches themTobias Brunner2014-10-101-31/+11
|
* ikev1: Move fragment generation to message_tTobias Brunner2014-10-101-132/+118
|
* ikev1: Fix handling of UNITY_LOAD_BALANCETobias Brunner2014-10-071-3/+3
| | | | | The re-authentication is now handled within the original IKE_SA if it has not yet been established, so we don't want to destroy it.
* ikev1: Don't queue more than one mode config or XAuth taskTobias Brunner2014-10-071-7/+22
| | | | | | | | At the time we reset an IKE_SA (e.g. when re-authenticating a not yet established SA due to a roaming event) such tasks might already be queued by one of the phase 1 tasks. If the SA is initiated again another task will get queued by the phase 1 task. This results in e.g. multiple mode config requests, which most gateways will have problems with.
* ikev1: Be more verbose if a peer config would match, but is unusable for ModeMartin Willi2014-09-251-0/+12
|
* ikev2: Reorder task activation for established IKE SAsTobias Brunner2014-09-251-11/+11
| | | | We now prefer MOBIKE tasks over delete tasks then the rest.
* Revert "ikev2: Insert MOBIKE tasks at the front of the queue"Tobias Brunner2014-09-251-6/+1
| | | | | | | | This reverts commit 3293d146289d7c05e6c6089ae1f7cdbcea378e63. The position of tasks in the queue does not actually determine the order in which they are activated. Instead this is determined by the statements in task_manager_v2_t.initiate().
* ikev2: Don't treat initial messages as MOBIKE exchangesTobias Brunner2014-09-161-6/+9
| | | | | The MOBIKE task is active during the initial exchanges but we don't want to treat them as actual MOBIKE exchanges (i.e. there is no path probing).
* ikev2: Reduce timeout if path probing was enabledTobias Brunner2014-09-121-6/+13
|
* ikev2: Defer MOBIKE updates if no path is availableTobias Brunner2014-09-121-7/+14
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-22 07:18:47 +0000