aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon
Commit message (Collapse)AuthorAgeFilesLines
...
* ike: IKE_SA may fragment IKEv2 messagesTobias Brunner2014-10-101-1/+1
|
* ike: Do not cache MID of IKEv2 fragmentsTobias Brunner2014-10-101-2/+3
| | | | | This fails if there are unencrypted payloads before an encrypted fragment payload in the first fragment.
* message: Fragment and reassemble IKEv2 messagesTobias Brunner2014-10-102-133/+366
|
* message: Handle encrypted fragment payload similar to the encrypted payloadTobias Brunner2014-10-101-16/+91
|
* ikev2: Add encrypted fragment payloadTobias Brunner2014-10-105-12/+455
|
* encrypted_payload: Encrypted payload can be constructed from plaintextTobias Brunner2014-10-102-0/+38
|
* encrypted_payload: Expose generate() to generate the plaintextTobias Brunner2014-10-102-1/+17
|
* encrypted_payload: Extract some utility functionsTobias Brunner2014-10-101-74/+110
|
* message: Split generate() in multiple functionsTobias Brunner2014-10-101-67/+122
|
* ikev2: Negotiate support for IKEv2 fragmentationTobias Brunner2014-10-102-1/+24
|
* ikev2: Add notify for IKEv2 fragmentationTobias Brunner2014-10-102-7/+15
|
* ikev1: Move defragmentation to message_tTobias Brunner2014-10-103-169/+240
|
* ike: Move fragmentation to ike_sa_tTobias Brunner2014-10-103-62/+94
| | | | | | | | | The message() hook on bus_t is now called exactly once before (plain) and once after fragmenting (!plain), not twice for the complete message and again for each individual fragment, as was the case in earlier iterations. For inbound messages the hook is called once for each fragment (!plain) and twice for the reassembled message.
* message: fragment() generates message and fragments and caches themTobias Brunner2014-10-103-58/+109
|
* message: Make packet argument optional in generate()Tobias Brunner2014-10-101-1/+4
|
* ikev1: Move fragment generation to message_tTobias Brunner2014-10-104-136/+247
|
* ike: Rename encryption_payload to encrypted_payloadTobias Brunner2014-10-109-101/+97
|
* ikev1: Fix handling of UNITY_LOAD_BALANCETobias Brunner2014-10-071-3/+3
| | | | | The re-authentication is now handled within the original IKE_SA if it has not yet been established, so we don't want to destroy it.
* ikev1: Don't queue more than one mode config or XAuth taskTobias Brunner2014-10-071-7/+22
| | | | | | | | At the time we reset an IKE_SA (e.g. when re-authenticating a not yet established SA due to a roaming event) such tasks might already be queued by one of the phase 1 tasks. If the SA is initiated again another task will get queued by the phase 1 task. This results in e.g. multiple mode config requests, which most gateways will have problems with.
* ext-auth: Add an ext-auth plugin invoking an external authorization scriptMartin Willi2014-10-066-0/+492
| | | | Original patch courtesy of Vyronas Tsingaras.
* updown: Use process abstraction to invoke updown scriptMartin Willi2014-10-061-246/+215
|
* stroke: Allow specifying the ipsec.secrets location in strongswan.confShea Levy2014-10-021-2/+10
|
* ikev1: Be more verbose if a peer config would match, but is unusable for ModeMartin Willi2014-09-251-0/+12
|
* ikev2: Reorder task activation for established IKE SAsTobias Brunner2014-09-251-11/+11
| | | | We now prefer MOBIKE tasks over delete tasks then the rest.
* Revert "ikev2: Insert MOBIKE tasks at the front of the queue"Tobias Brunner2014-09-251-6/+1
| | | | | | | | This reverts commit 3293d146289d7c05e6c6089ae1f7cdbcea378e63. The position of tasks in the queue does not actually determine the order in which they are activated. Instead this is determined by the statements in task_manager_v2_t.initiate().
* plugin-loader: Support a reload() callback for static featuresMartin Willi2014-09-221-1/+1
|
* vici: Add a command to reload strongswan.confMartin Willi2014-09-221-0/+12
|
* encoding: Accept all exchange types for non IKEv1/IKEv2 major versionsMartin Willi2014-09-221-5/+11
|
* ikev2: Don't treat initial messages as MOBIKE exchangesTobias Brunner2014-09-161-6/+9
| | | | | The MOBIKE task is active during the initial exchanges but we don't want to treat them as actual MOBIKE exchanges (i.e. there is no path probing).
* ikev1: Don't cache last block of INFORMATIONAL messages as IVTobias Brunner2014-09-121-2/+2
| | | | | | | | | We don't expect a response with the same MID, but apparently some devices (e.g. FRITZ!Box) do that for DPDs, while still treating the response as a new exchange. By storing the last message block as IV we can't decrypt the first block of such a response. Fixes #661.
* ikev1: Log IV when encrypting messagesTobias Brunner2014-09-121-0/+1
|
* ikev1: Skip unusable IPComp proposalsTobias Brunner2014-09-121-1/+1
| | | | Fixes #661.
* ikev1: Properly handle different proposal numbering schemesTobias Brunner2014-09-121-5/+10
| | | | | | | | | | | | | | | | | | While the examples in RFC 2408 show proposal numbers starting at 1 and increasing by one for each subsequent proposal this is not mandatory. Actually, IKEv1 proposals may start at any number, the only requirement is that the proposal numbers increase monotonically they don't have to do so consecutively. Most implementations follow the examples and start numbering at 1 (charon, racoon, Shrew, Cisco, Windows XP, FRITZ!Box) but pluto was one of the implementations that started with 0 and there might be others out there. The previous assumption that implementations always start numbering proposals at 0 caused problems with clients that start numbering with 1 and whose first proposal consists of multiple protocols (e.g. ESP+IPComp). Fixes #661.
* ikev2: Reduce timeout if path probing was enabledTobias Brunner2014-09-121-6/+13
|
* ikev2: Defer MOBIKE updates if no path is availableTobias Brunner2014-09-121-7/+14
|
* ike-mobike: Allow calling transmit() even when not currently path probingTobias Brunner2014-09-121-5/+17
| | | | Path probing is enabled if the current path is not available anymore.
* ikev2: Defer path probing if no path is currently availableTobias Brunner2014-09-121-1/+20
| | | | | We do the same before initiating the task, so we should probably do it too when we already initiated it, not just time out and destroy the SA.
* ike-mobike: Return FALSE in transmit() if no path was availableTobias Brunner2014-09-122-3/+7
|
* ikev2: Enable path probing for currently active MOBIKE taskTobias Brunner2014-09-121-0/+18
| | | | | | | This might not be the case if e.g. an address appeared but the old one is still available but not actually usable. Without this the MOBIKE task would eventually time out even though we might be able to switch to a working address.
* ike-mobike: Add method to enable path probingTobias Brunner2014-09-122-0/+12
|
* ike-mobike: Skip peer addresses we can't send packets to when checking pathsTobias Brunner2014-09-121-5/+18
|
* ikev2: Skip peer addresses we can't send packets to when looking for valid pathsTobias Brunner2014-09-121-0/+18
|
* ikev2: Insert MOBIKE tasks at the front of the queueTobias Brunner2014-09-121-1/+6
| | | | | In case we have no usable path to the other peer there is no point in initiating any other tasks (like rekeying).
* ikev2: Migrate number of pending MOBIKE updatesTobias Brunner2014-09-121-0/+5
| | | | | This will probably never be more than 1 since we only have one task queued at a time and we don't migrate running tasks.
* ikev2: Properly keep track of pending MOBIKE updatesTobias Brunner2014-09-121-8/+27
| | | | | | | | Because we only queue one MOBIKE task at a time, but destroy superfluous ones only after we already increased the counter for pending MOBIKE updates, we have to reduce the counter when such tasks are destroyed. Otherwise, the queued task would assume another task is queued when it is running and ignore any successful response.
* child-cfg: Ignore duplicate proposalsTobias Brunner2014-09-121-0/+11
| | | | | If ESP proposals are added once with and once without DH groups duplicates result during IKE_AUTH when DH groups are stripped.
* proposal: Fix equals()Tobias Brunner2014-09-121-5/+5
|
* eap-radius: Forward Cisco and Microsoft specific DNS/NBNS attributesTobias Brunner2014-09-091-0/+50
| | | | Fixes #677.
* ikev1: Make sure proposed IPsec mode matches our ownTobias Brunner2014-09-091-1/+2
| | | | References #557.
* ike: Reset IKE_SA in state CONNECTING instead of reauthenticatingTobias Brunner2014-09-091-0/+8
| | | | | | | | Due to how reauthentication works for IKEv1 we could get a second IKE_SA, which might cause problems, when connectivity problems arise when the connection is initially established. Fixes #670.
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-04 16:19:15 +0000