path: root/src/libcharon/tests/suites
Commit message | Author | Age | Files | Lines
* child-rekey: Don't install outbound SA in case of lost collisions | Tobias Brunner | 2017-08-07 | 1 | -25/+57
  This splits the SA installation also on the initiator, so we can avoid installing the outbound SA if we lost a rekey collision, which might have caused traffic loss depending on the timing of the DELETEs that are sent in both directions.
* unit-tests: Check installed IPsec SAs in child-rekey tests | Tobias Brunner | 2017-05-23 | 1 | -3/+94
* child-delete: Delay the removal of the inbound SA of rekeyed CHILD_SAs | Tobias Brunner | 2017-05-23 | 1 | -122/+362
  After deleting a rekeyed CHILD_SA we uninstall the outbound SA but don't destroy the CHILD_SA (and the inbound SA) immediately. We delay it a few seconds or until the SA expires to allow delayed packets to get processed. The CHILD_SA remains in state CHILD_DELETING until it finally gets destroyed.
* child-sa: Remove state to track installation of half the SA again | Tobias Brunner | 2017-05-23 | 1 | -45/+45
* ikev2: Delay installation of outbound SAs during rekeying on the responder | Tobias Brunner | 2017-05-23 | 1 | -20/+32
  The responder has all the information needed to install both SAs before the initiator does. So if the responder immediately installs the outbound SA it might send packets using the new SA which the initiator is not yet able to process. This can be avoided by delaying the installation of the outbound SA until the replaced SA is deleted.
* unit-tests: Add test cases for MID sync exchanges | Tobias Brunner | 2017-02-08 | 1 | -0/+535
* proposal: Copy SPI and proposal number from correct proposal in select() | Tobias Brunner | 2017-02-06 | 1 | -1/+25
  If charon.prefer_configured_proposals is disabled select() is called on the received proposal. This incorrectly set the SPI to 0 as the configured proposal has no SPI set. Fixes #2190.
* unit-tests: Add more tests for proposal creation | Tobias Brunner | 2016-10-05 | 1 | -8/+62
* proposal: Make DH groups mandatory in IKE proposals parsed from strings | Tobias Brunner | 2016-10-05 | 1 | -17/+29
  References #2051.
* unit-tests: Add tests for expires after CHILD_SA rekeying | Tobias Brunner | 2016-06-17 | 1 | -0/+129
* unit-tests: Add test for CHILD_SA rekey if a retry due to an INVALID_KE_PAYLOAD is delayed | Tobias Brunner | 2016-06-17 | 1 | -0/+143
* unit-tests: Add test for collision between IKE_SA rekey and CHILD_SA creation | Tobias Brunner | 2016-06-17 | 1 | -0/+106
* unit-tests: Add tests for IKE rekeying if INVALID_KE_PAYLOAD notifies are received | Tobias Brunner | 2016-06-17 | 1 | -0/+470
* proposal: Handle MODP_NONE in both directions when selecting proposals | Tobias Brunner | 2016-06-17 | 1 | -0/+81
* unit-tests: Add test for rekey collision if one CREATE_CHILD_SA response is delayed | Tobias Brunner | 2016-06-17 | 1 | -0/+221
* unit-tests: Add tests for IKE_SA rekeying if collision is not detected by one peer | Tobias Brunner | 2016-06-17 | 1 | -0/+340
* unit-tests: Add tests for IKE/CHILD delete collisions | Tobias Brunner | 2016-06-17 | 1 | -0/+165
* unit-tests: Add tests for IKE/CHILD rekey collisions | Tobias Brunner | 2016-06-17 | 1 | -0/+170
* unit-tests: Add tests for collisions between IKE_SA rekeying and deletion | Tobias Brunner | 2016-06-17 | 1 | -0/+174
* unit-tests: Add tests for IKE SA deletion | Tobias Brunner | 2016-06-17 | 1 | -0/+137
* unit-tests: Add test for simple IKE rekey collision | Tobias Brunner | 2016-06-17 | 1 | -5/+171
* ikev2: Add a new state to track rekeyed IKE_SAs | Tobias Brunner | 2016-06-17 | 1 | -1/+1
  This makes handling such IKE_SAs more specifically compared to keeping them in state IKE_CONNECTING or IKE_ESTABLISHED (which we did when we lost a collision - even triggering the ike_updown event), or using IKE_REKEYING for them, which would also be ambiguous. For instance, we can now reject anything but DELETES for such SAs.
* unit-tests: Add tests for IKE_SA rekeying | Tobias Brunner | 2016-06-17 | 1 | -0/+109
* unit-tests: Add tests where a peer is not aware of a CHILD_SA rekey collision | Tobias Brunner | 2016-06-17 | 1 | -1/+354
* unit-tests: Test for rekeying if INVALID_KE_PAYLOAD notifies are received | Tobias Brunner | 2016-06-17 | 1 | -0/+253
* unit-tests: Make IKE and ESP proposals configurable | Tobias Brunner | 2016-06-17 | 2 | -13/+13
* unit-tests: Add tests for CHILD_SA rekeying/deletion collisions | Tobias Brunner | 2016-06-17 | 1 | -1/+288
* ikev2: Use CHILD_REKEYED for replaced CHILD_SAs after rekeying | Tobias Brunner | 2016-06-17 | 1 | -6/+5
  This allows handling collisions better, in particular with deletions.
* unit-tests: Add unit tests for basic CHILD_SA rekeying | Tobias Brunner | 2016-06-17 | 1 | -0/+235
* unit-tests: Add another CHILD_SA delete collision | Tobias Brunner | 2016-06-17 | 1 | -1/+56
* unit-tests: Call methods on IKE_SAs in their context | Tobias Brunner | 2016-06-17 | 1 | -7/+7
* unit-tests: Add a unit test for CHILD_SA DELETE collisions | Tobias Brunner | 2016-06-17 | 1 | -0/+146
* Use standard unsigned integer types | Andreas Steffen | 2016-03-24 | 1 | -4/+4
* ike-cfg: Add unit tests for ike_cfg_get_family() helper | Tobias Brunner | 2015-07-27 | 1 | -0/+118
* unit-tests: Add a IKEv2 message encryption test case | Martin Willi | 2015-07-12 | 1 | -0/+138
  It uses the ChaCha20Poly1305 test vectors from draft-ietf-ipsecme-chacha20-poly1305-06.
* mem-pool: Pass the remote IKE address, to re-acquire() an address during reauth | Martin Willi | 2015-02-20 | 1 | -1/+1
  With make-before-break IKEv2 re-authentication, virtual IP addresses must be assigned overlapping to the same peer. With the remote IKE address, the backend can detect re-authentication attempts by comparing the remote host address and port. This allows proper reassignment of the virtual IP if it is re-requested. This change removes the mem-pool.reassign_online option, as it is obsolete now. IPs get automatically reassigned if a peer re-requests the same address, and additionally connects from the same address and port.
* attributes: Move the configuration attributes framework to libcharon | Martin Willi | 2015-02-20 | 1 | -0/+230