aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon
Commit message (Collapse)AuthorAgeFilesLines
...
* Use subset matching instead of is_contained_in() to select a child_cfgMartin Willi2013-06-131-4/+8
| | | | | | | If one selector has a wider IP range than the other, but the other has a wider port/protocol selector than the first one, none is completely contained in the other. The check for a match using is_contained_in() therefore would fail. Using get_subset() can handle such cases, fixing configuration selection.
* ha: Fix CHILD_SA installation in ha_dispatcher after adding initiator flagTobias Brunner2013-06-131-4/+8
|
* kernel-interface: add an exchange initiator parameter to add_sa()Martin Willi2013-06-115-22/+29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This new flag gives the kernel-interface a hint how it should priorize the use of newly installed SAs during rekeying. Consider the following rekey procedure in IKEv2: Initiator --- Responder I1 -------CREATE-------> R1 I2 <------CREATE-------- -------DELETE-------> R2 I3 <------DELETE-------- SAs are always handled as pairs, the following happens at the SA level: * Initiator starts the exchange at I1 * Responder installs new SA pair at R1 * Initiator installs new SA pair at I2 * Responder removes old SA pair at R2 * Initiator removes old SA pair at I3 This makes sure SAs get installed/removed overlapping during rekeying. However, to avoid any packet loss, it is crucial that the new outbound SA gets activated at the correct position: * as exchange initiator, in I2 * as exchange responder, in R2 This should guarantee that we don't use the new outbound SA before the peer could install its corresponding inbound SA. The new parameter allows the kernel backend to install the new SA with appropriate priorities, i.e. it should: * as exchange inititator, have the new outbound SA installed with higher priority than the old SA * as exchange responder, have the new outbound SA installed with lower priority than the old SA While we could split up the SA installation at the responder, this approach has another advantage: it allows the kernel backend to switch SAs based on other criteria, for example when receiving traffic on the new inbound SA.
* Use ref_get() to make sure IKE_SA unique IDs are uniqueMartin Willi2013-06-111-2/+2
|
* Use ref_get() to make sure CHILD_SA reqids are uniqueMartin Willi2013-06-111-2/+9
|
* ikev1: keep vendor ID task alive during full Main/Aggressive ModeMartin Willi2013-06-111-8/+75
| | | | Fixes DPD with Cisco IOS sending the DPD vendor ID not in the first message.
* ikev2: if installing a CHILD_SA as initiator fails, notify the responderMartin Willi2013-06-111-2/+36
|
* ikev2: raise LOCAL_AUTH_FAILED when receiving INFORMATIONAL with AUTH_FAILEDMartin Willi2013-06-111-0/+8
|
* ikev2: close an established IKE_SA when receiving AUTHENTICATION_FAILEDMartin Willi2013-06-111-0/+6
| | | | | | RFC 5996 compatible implementations MAY send an INFORMATIONAL message with an AUTHENTICATION_FAILED if the initiator failed to authenticate us. Handle such a message like a DELETE for an IKE_SA.
* ikev2: if responder authentication fails, send AUTHENTICATION_FAILEDMartin Willi2013-06-111-0/+29
| | | | | | | According to RFC 5996, we MAY send an INFORMATIONAL message having an AUTHENTICATION_FAILED. We don't do any retransmits, though, but just close the IKE_SA after one message has been sent, avoiding the danger that an unauthenticated IKE_SA stays alive.
* Allow IPComp on NATed connections, both for IKEv1 and IKEv2Martin Willi2013-06-112-33/+10
| | | | | | While this was problematic in earlier releases, it seems that it works just fine the way we handle compression now. So there is no need to disable it over NATed connections or when using forceencaps.
* Properly compare CHILD_SAs during rekey collisionTobias Brunner2013-06-111-5/+12
| | | | | | | The previous code did not properly check for the situation when the DELETE for a redundant CHILD_SA created by a responder during a CHILD_SA rekey collision arrives before the responder's answer to the initiator's winning CREATE_CHILD_SA request.
* Removed stray *_plugin_create() declarations from header filesTobias Brunner2013-06-113-15/+0
|
* eap-radius: Do initialization in a plugin feature callbackTobias Brunner2013-06-111-28/+47
|
* Refactored plugin-loader with improved dependency resolutionTobias Brunner2013-06-111-0/+1
| | | | | | With the new implementation the plugins don't have to be listed in any special order, dependencies are properly resolved. The order only matters if two plugins provide the same feature.
* android-log: Use plugin featuresTobias Brunner2013-06-111-2/+12
|
* android-dns: Use plugin features to register attribute handlerTobias Brunner2013-06-111-5/+31
|
* maemo: Use plugin featuresTobias Brunner2013-06-111-2/+12
|
* medsrv: Use plugin features with dependency on database implementationTobias Brunner2013-06-111-31/+56
|
* medcli: Use plugin features with dependency on database implementationTobias Brunner2013-06-111-35/+60
|
* whitelist: Use plugin features to register listenerTobias Brunner2013-06-111-4/+29
|
* updown: Use plugin features to register listener and attribute handlerTobias Brunner2013-06-111-20/+44
|
* unity: Use plugin features to register listener and attribute handler/providerTobias Brunner2013-06-111-10/+39
|
* unit-tester: Use plugin featuresTobias Brunner2013-06-111-4/+28
|
* uci: Use plugin features to register backend and credential setTobias Brunner2013-06-111-7/+32
|
* systime-fix: Use plugin features to register validatorTobias Brunner2013-06-111-24/+51
|
* smp: Use plugin featuresTobias Brunner2013-06-111-2/+12
|
* radattr: Use plugin features to register listenerTobias Brunner2013-06-111-4/+29
|
* lookip: Use plugin features to register listenerTobias Brunner2013-06-111-4/+29
|
* led: Use plugin features to register listenerTobias Brunner2013-06-111-4/+29
|
* ipseckey: Allow en-/disabling at runtime using plugin reload featureTobias Brunner2013-06-111-12/+26
|
* ipseckey: Use plugin features and depend on RESOLVERTobias Brunner2013-06-112-28/+53
| | | | Also fixed a double-free of the resolver instance.
* ha: Use plugin features to register listeners and attribute providerTobias Brunner2013-06-111-9/+37
|
* farp: Use plugin features to register listenerTobias Brunner2013-06-111-5/+29
|
* error-notify: Use plugin features to register listenerTobias Brunner2013-06-111-3/+29
|
* duplicheck: Use plugin features to register listenerTobias Brunner2013-06-111-3/+29
|
* coupling: Use plugin features and soft depend on SHA1Tobias Brunner2013-06-111-12/+40
|
* certexpire: Use plugin features to register listenerTobias Brunner2013-06-111-4/+30
|
* addrblock: Use plugin features with soft dependency on X.509 decodingTobias Brunner2013-06-111-5/+34
|
* dhcp: Use plugin features with dependency to RNG implementationTobias Brunner2013-06-111-17/+45
|
* sql: Use plugin features with dependency to database backendTobias Brunner2013-06-111-33/+62
|
* Socket plugins soft depend on the kernel-ipsec plugin featureTobias Brunner2013-06-112-0/+2
| | | | | On most platforms calls to methods to bypass the IKE sockets and enabling UDP decapsulation are required.
* Converted test for recursive mutex_tTobias Brunner2013-06-113-102/+0
|
* Converted tests for chunk_tTobias Brunner2013-06-113-84/+0
|
* Converted and added tests for hashtable_tTobias Brunner2013-06-113-114/+1
|
* Converted tests for identification_tTobias Brunner2013-06-113-254/+0
|
* Remove obsolete enumerator/linked_list tests in unit_tester pluginTobias Brunner2013-06-113-312/+0
|
* updown: pass IKE_SA unique ID in PLUTO_UNIQUEIDEmanuil Hristov2013-05-161-1/+2
|
* Raise LOCAL_AUTH_FAILED alert after receiving AUTHENTICATION_FAILUREMartin Willi2013-05-152-1/+2
|
* stroke: Add second password if providedTobias Brunner2013-05-081-0/+13
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-03 22:36:45 +0000