aboutsummaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
...
* android: Forward initiator flag to libipsec when adding IPsec SATobias Brunner2013-06-131-2/+2
|
* libipsec: Add initiator flag to definition of ipsec_sa_mgr_t.add_sa()Tobias Brunner2013-06-131-2/+4
|
* Use subset matching instead of is_contained_in() to select a child_cfgMartin Willi2013-06-131-4/+8
| | | | | | | If one selector has a wider IP range than the other, but the other has a wider port/protocol selector than the first one, none is completely contained in the other. The check for a match using is_contained_in() therefore would fail. Using get_subset() can handle such cases, fixing configuration selection.
* ha: Fix CHILD_SA installation in ha_dispatcher after adding initiator flagTobias Brunner2013-06-131-4/+8
|
* kernel-interface: add an exchange initiator parameter to add_sa()Martin Willi2013-06-1114-35/+46
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This new flag gives the kernel-interface a hint how it should priorize the use of newly installed SAs during rekeying. Consider the following rekey procedure in IKEv2: Initiator --- Responder I1 -------CREATE-------> R1 I2 <------CREATE-------- -------DELETE-------> R2 I3 <------DELETE-------- SAs are always handled as pairs, the following happens at the SA level: * Initiator starts the exchange at I1 * Responder installs new SA pair at R1 * Initiator installs new SA pair at I2 * Responder removes old SA pair at R2 * Initiator removes old SA pair at I3 This makes sure SAs get installed/removed overlapping during rekeying. However, to avoid any packet loss, it is crucial that the new outbound SA gets activated at the correct position: * as exchange initiator, in I2 * as exchange responder, in R2 This should guarantee that we don't use the new outbound SA before the peer could install its corresponding inbound SA. The new parameter allows the kernel backend to install the new SA with appropriate priorities, i.e. it should: * as exchange inititator, have the new outbound SA installed with higher priority than the old SA * as exchange responder, have the new outbound SA installed with lower priority than the old SA While we could split up the SA installation at the responder, this approach has another advantage: it allows the kernel backend to switch SAs based on other criteria, for example when receiving traffic on the new inbound SA.
* Use ref_get() to make sure IKE_SA unique IDs are uniqueMartin Willi2013-06-111-2/+2
|
* Use ref_get() to make sure CHILD_SA reqids are uniqueMartin Willi2013-06-111-2/+9
|
* utils: ref_get() returns the new value of the reference counterMartin Willi2013-06-112-4/+9
| | | | This allows us to use ref_get() for getting unique values.
* ikev1: keep vendor ID task alive during full Main/Aggressive ModeMartin Willi2013-06-111-8/+75
| | | | Fixes DPD with Cisco IOS sending the DPD vendor ID not in the first message.
* ikev2: if installing a CHILD_SA as initiator fails, notify the responderMartin Willi2013-06-111-2/+36
|
* ikev2: raise LOCAL_AUTH_FAILED when receiving INFORMATIONAL with AUTH_FAILEDMartin Willi2013-06-111-0/+8
|
* ikev2: close an established IKE_SA when receiving AUTHENTICATION_FAILEDMartin Willi2013-06-111-0/+6
| | | | | | RFC 5996 compatible implementations MAY send an INFORMATIONAL message with an AUTHENTICATION_FAILED if the initiator failed to authenticate us. Handle such a message like a DELETE for an IKE_SA.
* ikev2: if responder authentication fails, send AUTHENTICATION_FAILEDMartin Willi2013-06-111-0/+29
| | | | | | | According to RFC 5996, we MAY send an INFORMATIONAL message having an AUTHENTICATION_FAILED. We don't do any retransmits, though, but just close the IKE_SA after one message has been sent, avoiding the danger that an unauthenticated IKE_SA stays alive.
* scepclient: support a --bind option to fetch from a specific source IPMartin Willi2013-06-113-6/+27
|
* curl: add an option to fetch bound to a local source addressMartin Willi2013-06-113-0/+23
|
* fetcher: add missing "continue" when handling FETCH_CALLBACKMartin Willi2013-06-111-1/+1
|
* Allow IPComp on NATed connections, both for IKEv1 and IKEv2Martin Willi2013-06-112-33/+10
| | | | | | While this was problematic in earlier releases, it seems that it works just fine the way we handle compression now. So there is no need to disable it over NATed connections or when using forceencaps.
* leak-detective: Resolve hooked functions during initializationTobias Brunner2013-06-111-1/+4
| | | | | | | | | If uses of dlopen(), e.g. when loading plugins, produce errors an error string could get allocated dynamically. At this point realloc() might not yet be resolved and when dlsym() is later called by leak detective to do so the error string might get freed while leak detective is disabled and real_free() will be called with a pointer into one of leak detective's memory blocks instead of a pointer to the block itself, causing a SIGSEGV.
* Properly compare CHILD_SAs during rekey collisionTobias Brunner2013-06-111-5/+12
| | | | | | | The previous code did not properly check for the situation when the DELETE for a redundant CHILD_SA created by a responder during a CHILD_SA rekey collision arrives before the responder's answer to the initiator's winning CREATE_CHILD_SA request.
* Removed stray *_plugin_create() declarations from header filesTobias Brunner2013-06-113-15/+0
|
* eap-radius: Do initialization in a plugin feature callbackTobias Brunner2013-06-111-28/+47
|
* Refactored plugin-loader with improved dependency resolutionTobias Brunner2013-06-113-238/+480
| | | | | | With the new implementation the plugins don't have to be listed in any special order, dependencies are properly resolved. The order only matters if two plugins provide the same feature.
* android-log: Use plugin featuresTobias Brunner2013-06-111-2/+12
|
* android-dns: Use plugin features to register attribute handlerTobias Brunner2013-06-111-5/+31
|
* maemo: Use plugin featuresTobias Brunner2013-06-111-2/+12
|
* medsrv: Use plugin features with dependency on database implementationTobias Brunner2013-06-111-31/+56
|
* medcli: Use plugin features with dependency on database implementationTobias Brunner2013-06-111-35/+60
|
* whitelist: Use plugin features to register listenerTobias Brunner2013-06-111-4/+29
|
* updown: Use plugin features to register listener and attribute handlerTobias Brunner2013-06-111-20/+44
|
* unity: Use plugin features to register listener and attribute handler/providerTobias Brunner2013-06-111-10/+39
|
* unit-tester: Use plugin featuresTobias Brunner2013-06-111-4/+28
|
* uci: Use plugin features to register backend and credential setTobias Brunner2013-06-111-7/+32
|
* systime-fix: Use plugin features to register validatorTobias Brunner2013-06-111-24/+51
|
* smp: Use plugin featuresTobias Brunner2013-06-111-2/+12
|
* radattr: Use plugin features to register listenerTobias Brunner2013-06-111-4/+29
|
* lookip: Use plugin features to register listenerTobias Brunner2013-06-111-4/+29
|
* led: Use plugin features to register listenerTobias Brunner2013-06-111-4/+29
|
* test-vectors: Use plugin featuresTobias Brunner2013-06-111-1/+12
|
* revocation: Use plugin features with soft dependencies on fetcher and ↵Tobias Brunner2013-06-111-3/+35
| | | | en-/decoding
* padlock: Use plugin features to properly register algorithmsTobias Brunner2013-06-111-39/+43
|
* pkcs11: Use plugin_features_add() in get_features()Tobias Brunner2013-06-111-21/+8
|
* plugin-feature: Added helper function to extend arrays of plugin featuresTobias Brunner2013-06-111-0/+21
|
* constraints: Use plugin features with soft dependency on X.509 decodingTobias Brunner2013-06-111-3/+31
|
* blowfish: Use plugin features to properly register crypterTobias Brunner2013-06-111-8/+13
|
* resolve: Use plugin features to register attribute handlerTobias Brunner2013-06-112-4/+31
|
* attr: Use plugin features to register attribute providerTobias Brunner2013-06-111-2/+31
|
* ipseckey: Allow en-/disabling at runtime using plugin reload featureTobias Brunner2013-06-111-12/+26
|
* ipseckey: Use plugin features and depend on RESOLVERTobias Brunner2013-06-112-28/+53
| | | | Also fixed a double-free of the resolver instance.
* unbound: Use plugin features and provide RESOLVERTobias Brunner2013-06-111-3/+12
|
* plugin-feature: Add feature for DNSSEC-enabled resolversTobias Brunner2013-06-112-0/+15
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-09 04:37:45 +0000