aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon
Commit message (Collapse)AuthorAgeFilesLines
...
* migrate-job: Do CHILD_SA reqid lookup locallyMartin Willi2015-02-202-26/+21
|
* kernel-interface: Raise mapping event with a proto/SPI/dst tupleMartin Willi2015-02-203-16/+37
|
* inactivity-job: Schedule job by CHILD_SA unique ID instead of reqidMartin Willi2015-02-204-23/+17
|
* kernel-interface: Raise expires with a proto/SPI/dst tuple instead of reqidMartin Willi2015-02-209-60/+51
|
* controller: Use the CHILD_SA unique_id to terminate CHILD_SAsMartin Willi2015-02-205-37/+23
|
* stroke: List CHILD_SA unique ID as the primary identifier, but print reqid, tooMartin Willi2015-02-201-5/+6
|
* vici: Include the CHILD_SA unique ID in list-sa eventMartin Willi2015-02-202-0/+2
|
* ike: Maintain per-IKE_SA CHILD_SAs in the global CHILD_SA managerMartin Willi2015-02-203-19/+92
|
* child-sa-manager: Add a global manager storing CHILD_SA relationsMartin Willi2015-02-206-1/+432
| | | | | | To quickly check out IKE_SAs and find associated CHILD_SAs, the child_sa_manager stores relations between CHILD_SAs and IKE_SAs. It provides CHILD_SA specific IKE_SA checkout functions wrapping the ike_sa_manager.
* child-sa: Replace reqid based marks by "unique" marksMartin Willi2015-02-2010-11/+110
| | | | | | | | | | | As we now use the same reqid for multiple CHILD_SAs with the same selectors, having marks based on the reqid makes not that much sense anymore. Instead we use unique marks that use a custom identifier. This identifier is reused during rekeying, keeping the marks constant for any rule relying on it (for example installed by updown). This also simplifies handling of reqid allocation, as we do not have to query the marks that is not yet assigned for an unknown reqid.
* child-sa: Introduce a unique CHILD_SA identifierMartin Willi2015-02-202-0/+24
| | | | | As the reqid is not that unique even among multiple IKE_SAs anymore, we need an identifier to uniquely identify a specific CHILD_SA instance.
* child-sa: Delegate reqid allocation to the kernel interfaceMartin Willi2015-02-201-15/+46
|
* child-sa: Sort traffic selectors after adding CHILD_SA policiesMartin Willi2015-02-201-0/+3
| | | | Having traffic selectors sorted properly makes comparing them much simpler.
* child-sa: Remove the obsolete update logicMartin Willi2015-02-201-6/+1
| | | | | | The kernel backend uses an inbound parameter these days, where it makes no sense to pass the update flag. The kernel backend decides itself how it handles SA installation based on the inbound flag.
* kernel-interface: Pass full list of traffic selectors to add_sa()Martin Willi2015-02-204-11/+9
| | | | | | While we can handle the first selector only in BEET mode in kernel-netlink, passing the full list gives the backend more flexibility how to handle this information.
* libipsec: Remove unused src/dst_ts parameters from ipsec_sa_mgr_t.add_sa()Martin Willi2015-02-201-2/+1
|
* kernel-interface: Remove reqid parameter from get_spi/get_cpi() methodsMartin Willi2015-02-204-8/+8
| | | | | | | | | | The reqid is not strictly required, as we set the reqid with the update call when installing the negotiated SA. If we don't need a reqid at this stage, we can later allocate the reqid in the kernel backend once the SA parameters have been fully negotaited. This allows us to assign the same reqid for the same selectors to avoid conflicts on backends this is necessary.
* libipsec: Remove unused reqid parameter from ipsec_sa_mgr_t.get_spi()Martin Willi2015-02-191-1/+1
|
* ha: Perform child rekeying outside of CHILD_SA enumeratorThomas Egerer2015-02-191-7/+22
| | | | | | | | | | | | | | | | When rekey_child_sa is called while enumerating the children of an IKE_SA, and the child to be rekeyed is redundant a QUICK_DELETE task is queued instead of a QUICK_MODE task. This alters the IKE_SA's list of children (ike_sa_t::child_sas) invalidating the current element of the child_sa_enumerator. The enumerate function of linked_list_t will then advance to an element with unpredictable contents most likely resulting in an segmentation violation. A similar behavior should be observed when delete_child_sa is called. This patch creates a list of protocol/spi values while holding the child_sa_enumerator and performs the rekeying (deletion of redundant) chlidren after releasing the enumerator. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* vici: Fix ruby gem author emailMartin Willi2015-01-221-1/+1
|
* vici: Fix README example encoding element type values, off by oneMartin Willi2015-01-211-10/+10
| | | | | | | While we fixed the wrong values in the description with d39e04b5, the example values are still off by one. Fixes #828.
* ikev2: Only touch the DH object if we have a matching proposalTobias Brunner2014-12-231-11/+17
|
* apple: Redefine some additional clashing Mach typesMartin Willi2014-12-161-0/+2
| | | | | | While they usually are not included in a normal strongSwan build, the XPC header indirectly defines these Mach types. To build charon-xpc, which uses both XPC and strongSwan includes, we have to redefine these types.
* Fixed some typos, courtesy of codespellTobias Brunner2014-12-151-1/+1
|
* ike: Allow creation of internally used payloadsTobias Brunner2014-12-121-1/+1
| | | | | | | Since 42e0a317c64b ("ike: Only parse payloads valid for the current IKE version") payload types are checked before creating objects. This check failed for internally used payload types (e.g. proposal substructures), which have a type >= 256, i.e. outside the IKE payload type range.
* vici: Use silent builder destroy function in vici_free_req()Martin Willi2014-12-121-7/+1
|
* vici: Add a destroy method to builder, allowing cancellation without errorMartin Willi2014-12-122-4/+18
| | | | | When cancelling a builder, finalize throws an error which we might prefer to avoid.
* eap-radius: Use the single-server legacy server options as fallbackMartin Willi2014-12-121-3/+10
|
* ikev1: Use same map for AH and ESP authentication algorithmsTobias Brunner2014-12-091-152/+120
| | | | | | The transform identifier used in AH transforms is not the same as the authentication algorithm identifier used in the transform attributes in AH (and ESP) transforms.
* ikev1: Accept IPComp proposals with 4 octet long CPI valuesTobias Brunner2014-12-051-2/+2
| | | | | While they SHOULD be sent as 16-bit values according to RFC 3173 a responder MUST be able to accept CPI values encoded in four bytes.
* ike: Only parse payloads valid for the current IKE versionTobias Brunner2014-12-054-3/+33
|
* ike: Make check for known payloads depend on IKE versionTobias Brunner2014-12-054-26/+41
|
* unity: Only do narrowing of responder's TS if we received 0.0.0.0/0Tobias Brunner2014-12-051-2/+84
| | | | | | | | | | | | | | | | | | | | | | | iOS and Mac OS X clients establish individual IPsec SAs for the traffic selectors received in Split-Include attributes (might have been different in earlier releases). If we return 0.0.0.0/0 as TSr that either results in a bunch of Quick Mode exchanges (for each TS), or with the latest client releases an error notify (ATTRIBUTES_NOT_SUPPORTED). We also can't install the IPsec SA with all configured subnets as that would cause conflicts if the client later negotiates SAs for other subnets, which iOS 8 does based on traffic to such subnets. For Shrew and the Cisco client, which propose 0.0.0.0/0, we still need to override the narrowed TS with 0.0.0.0/0, as they otherwise won't accept the Quick Mode response. Likewise, we also have to narrow the TS before installing the IPsec SAs and policies. So we basically have to follow the client's proposal and only modify TSr if we received 0.0.0.0/0. Since we don't get the original TS in the narrow hook we handle the inbound QM messages and make note of IKE_SAs on which we received a TSr of 0.0.0.0/0. Fixes #737.
* id-payload: Enable multiple calls to get_ts() for subnet traffic selectorsTobias Brunner2014-12-051-2/+5
| | | | The second call resulted in a /32 subnet previously.
* ikev2: Fix handling of more than one hash-and-URL certificate payloadsTobias Brunner2014-12-041-2/+2
|
* kernel-wfp: Install outbound ALE connect rules for IPsecMartin Willi2014-12-041-16/+43
| | | | | | Similar to the inbound rules, the ALE filter processes IP-in-IP packets for outbound tunnel mode traffic. When using an outbound default-drop policy, Windows does not allow connection initiation without these explicit rules.
* kernel-wfp: Install inbound ALE IP-in-IP filtersMartin Willi2014-12-041-41/+159
| | | | | | | | | | | When processing inbound tunnel mode packets, Windows decrypts packets and filters them as IP-in-IP packets. We therefore require an ALE filter that calls the FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_ALE_ACCEPT callout to allow them when using a default-drop policy. Without these rules, any outbound packet created an ALE state that allows inbound packets as well. Processing inbound packets without any outbound traffic fails without these rules.
* kernel-wfp: Add missing IPsec sublayer GUIDsMartin Willi2014-12-041-0/+6
|
* kernel-wfp: Define IPsec related ALE layers and callout GUIDsMartin Willi2014-12-042-0/+40
|
* kernel-wfp: Fix logging of MM/QM/EM NetEvent failuresMartin Willi2014-12-041-0/+12
|
* vici: Make sure to send/recv all requested bytes over socketMartin Willi2014-12-041-3/+22
| | | | | | As the underlying C functions, send/recv on ruby sockets are not guaranteed to send/recv all requested bytes. Use wrapper functions to make sure we get all bytes needed.
* Implemented full BLISS support for IKEv2 public key authentication and the ↵Andreas Steffen2014-11-295-8/+45
| | | | pki tool
* ikev2: Fix ike_rekey switch statement broken with last commitMartin Willi2014-11-241-1/+1
|
* ikev2: Prevent IKE_SA rekeying if we are currently retrying a CHILD_SA rekeyMartin Willi2014-11-211-0/+1
|
* controller: Keep following initiate() if the first DH guess was wrongMartin Willi2014-11-211-0/+12
|
* child-sa: Introduce a CHILD_RETRYING state to detect DH group retriesMartin Willi2014-11-213-0/+7
|
* kernel-libipsec: Use poll(2) instead of selectMartin Willi2014-11-211-54/+56
|
* socket-default: Use round-robin selection of sockets to read fromMartin Willi2014-11-211-5/+13
| | | | | If multiple sockets are ready, we previously preferred the IPv4 non-NAT socket over others. To handle all with equal priority, use a round-robin selection.
* socket-default: Use poll(2) instead of selectMartin Willi2014-11-211-46/+20
| | | | | It is not only simpler, but also allows the use of arbitrary high fd numbers, which silently fails with select().
* proposal: Add default PRF for HMAC-MD5-128 and HMAC-SHA1-160 integrity ↵Tobias Brunner2014-10-311-0/+2
| | | | algorithms
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-09 20:06:32 +0000