aboutsummaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
...
* charon-tkm: Fix logger entity name in tests.cReto Buerki2015-02-201-2/+2
| | | | Change 'test_runner' to 'test-runner'.
* ike: Consistently log CHILD_SAs with their unique_id instead of their reqidMartin Willi2015-02-208-11/+13
|
* unity: Reference IKE_SAs by the IKEv1 COOKIEs, improving lookup performanceMartin Willi2015-02-203-14/+17
| | | | | When handling thousands of IKE_SAs, the unique ID based lookup is rather slow, as we have no indexing.
* ike-sa-manager: Remove IKE_SA checkout by CHILD_SA reqidMartin Willi2015-02-205-40/+16
|
* migrate-job: Do CHILD_SA reqid lookup locallyMartin Willi2015-02-202-26/+21
|
* kernel-interface: Raise mapping event with a proto/SPI/dst tupleMartin Willi2015-02-208-41/+75
|
* inactivity-job: Schedule job by CHILD_SA unique ID instead of reqidMartin Willi2015-02-204-23/+17
|
* charon-tkm: Fix compilation of ees_callback.cReto Buerki2015-02-201-3/+5
| | | | | | Update the call to hydra->kernel_interface->expire to make ees_callback.c compile again. The required destination host argument is set to NULL for now.
* kernel-interface: Raise expires with a proto/SPI/dst tuple instead of reqidMartin Willi2015-02-2020-118/+124
|
* controller: Use the CHILD_SA unique_id to terminate CHILD_SAsMartin Willi2015-02-206-38/+24
|
* swanctl: List CHILD_SA unique ID as the primary identifier, but print reqid, tooMartin Willi2015-02-201-2/+2
|
* stroke: List CHILD_SA unique ID as the primary identifier, but print reqid, tooMartin Willi2015-02-201-5/+6
|
* vici: Include the CHILD_SA unique ID in list-sa eventMartin Willi2015-02-202-0/+2
|
* ike: Maintain per-IKE_SA CHILD_SAs in the global CHILD_SA managerMartin Willi2015-02-203-19/+92
|
* child-sa-manager: Add a global manager storing CHILD_SA relationsMartin Willi2015-02-206-1/+432
| | | | | | To quickly check out IKE_SAs and find associated CHILD_SAs, the child_sa_manager stores relations between CHILD_SAs and IKE_SAs. It provides CHILD_SA specific IKE_SA checkout functions wrapping the ike_sa_manager.
* child-sa: Replace reqid based marks by "unique" marksMartin Willi2015-02-2013-74/+126
| | | | | | | | | | | As we now use the same reqid for multiple CHILD_SAs with the same selectors, having marks based on the reqid makes not that much sense anymore. Instead we use unique marks that use a custom identifier. This identifier is reused during rekeying, keeping the marks constant for any rule relying on it (for example installed by updown). This also simplifies handling of reqid allocation, as we do not have to query the marks that is not yet assigned for an unknown reqid.
* child-sa: Introduce a unique CHILD_SA identifierMartin Willi2015-02-202-0/+24
| | | | | As the reqid is not that unique even among multiple IKE_SAs anymore, we need an identifier to uniquely identify a specific CHILD_SA instance.
* child-sa: Delegate reqid allocation to the kernel interfaceMartin Willi2015-02-201-15/+46
|
* kernel-interface: Add reqid allocation and release functionsMartin Willi2015-02-202-1/+329
| | | | | | | | | To reassign reqids where appropriate, we explicitly allocate or confirm them centrally on the kernel-interface. Currently the state is stored in the kernel-interface wrapper for all backends, but we may add appropriate methods to each backend to implement a custom reqid allocation logic, if required.
* traffic-selector: Add a hash() methodMartin Willi2015-02-202-0/+20
|
* child-sa: Sort traffic selectors after adding CHILD_SA policiesMartin Willi2015-02-201-0/+3
| | | | Having traffic selectors sorted properly makes comparing them much simpler.
* unit-tests: Add an initial set of traffic selector unit testsMartin Willi2015-02-203-0/+281
|
* traffic-selector: Add a compare function to sort traffic selectorsMartin Willi2015-02-202-34/+86
|
* child-sa: Remove the obsolete update logicMartin Willi2015-02-201-6/+1
| | | | | | The kernel backend uses an inbound parameter these days, where it makes no sense to pass the update flag. The kernel backend decides itself how it handles SA installation based on the inbound flag.
* kernel-interface: Pass full list of traffic selectors to add_sa()Martin Willi2015-02-2011-34/+28
| | | | | | While we can handle the first selector only in BEET mode in kernel-netlink, passing the full list gives the backend more flexibility how to handle this information.
* libipsec: Remove unused src/dst_ts parameters from ipsec_sa_mgr_t.add_sa()Martin Willi2015-02-206-18/+7
|
* kernel-pfkey: Don't update during add_sa(), but delete SPI allocation stateMartin Willi2015-02-201-7/+18
|
* kernel-interface: Remove reqid parameter from get_spi/get_cpi() methodsMartin Willi2015-02-2011-56/+43
| | | | | | | | | | The reqid is not strictly required, as we set the reqid with the update call when installing the negotiated SA. If we don't need a reqid at this stage, we can later allocate the reqid in the kernel backend once the SA parameters have been fully negotaited. This allows us to assign the same reqid for the same selectors to avoid conflicts on backends this is necessary.
* libipsec: Remove unused reqid parameter from ipsec_sa_mgr_t.get_spi()Martin Willi2015-02-194-9/+6
|
* libtls: Don't send TLS close notifies in EAP after application succeedsMartin Willi2015-02-193-3/+38
| | | | | | | | | | | | | With the introduction of PT-TLS, we started sending TLS close notifies after the application layer completes (7bbf7aa9). While this makes sense for TCP based transports, it is not required in EAP methods. In EAP, handshake completion can be directly signaled using the outer EAP-SUCCESS message. This also saves one round-trip in the EAP exchange. Windows 7/8 does not seem to like TLS close notifies at all in EAP, and either stalls (EAP-TTLS) or disconnects (PEAP). Fixes #556.
* ha: Perform child rekeying outside of CHILD_SA enumeratorThomas Egerer2015-02-191-7/+22
| | | | | | | | | | | | | | | | When rekey_child_sa is called while enumerating the children of an IKE_SA, and the child to be rekeyed is redundant a QUICK_DELETE task is queued instead of a QUICK_MODE task. This alters the IKE_SA's list of children (ike_sa_t::child_sas) invalidating the current element of the child_sa_enumerator. The enumerate function of linked_list_t will then advance to an element with unpredictable contents most likely resulting in an segmentation violation. A similar behavior should be observed when delete_child_sa is called. This patch creates a list of protocol/spi values while holding the child_sa_enumerator and performs the rekeying (deletion of redundant) chlidren after releasing the enumerator. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* stroke: Double the stroke message string buffer sizeMartin Willi2015-02-061-1/+1
|
* starter: Fail sending stroke message if a string exceeds the buffer sizeMartin Willi2015-02-061-1/+13
| | | | | | | Instead of silently setting the string value to NULL, we fail completely in sending the message to notify the user. Fixes #844.
* x509: Fix public key reference leak if authority key identifier does not matchMartin Willi2015-02-061-10/+12
|
* vici: Fix ruby gem author emailMartin Willi2015-01-221-1/+1
|
* trusted_enumerate requires an additional argumentAndreas Steffen2015-01-211-1/+1
|
* vici: Fix README example encoding element type values, off by oneMartin Willi2015-01-211-10/+10
| | | | | | | While we fixed the wrong values in the description with d39e04b5, the example values are still off by one. Fixes #828.
* libtls: Check for CHANGE_CIPHER_SPEC type only if upper layer returns NEED_MOREMartin Willi2015-01-121-6/+5
| | | | | | | A type is returned only if upper layers successfully created a record, that is returns NEED_MORE. If we do not check for the return value, we might check a previous record or the uninitialized type variable and falsely reset the sequence number.
* starter: Fix mark_out.mask in starter_cmp_conn()Maks Naumov2015-01-121-1/+1
|
* _updown: Remove obsolete man pagesTobias Brunner2015-01-054-33/+0
|
* unit-tests: Adapted to coverity fixesAndreas Steffen2014-12-232-12/+27
|
* Fixed bad bit shift and sign extension errorsAndreas Steffen2014-12-234-10/+34
|
* bliss: Remove unnecessary cast to doubleTobias Brunner2014-12-231-1/+1
| | | | | | Coverity is still not happy when the result of an integer division is assigned to a double (without e.g. casting the result to an int first to indicate the intent). The shift should avoid this issue.
* bliss: Log type if unsupportedTobias Brunner2014-12-231-1/+1
|
* bliss: Make sure sampler exists after checking for it earlierTobias Brunner2014-12-231-2/+2
|
* pts: Do not override status with SUCCESS if length is invalidTobias Brunner2014-12-231-1/+2
|
* ikev2: Only touch the DH object if we have a matching proposalTobias Brunner2014-12-231-11/+17
|
* crypto: Define MODP_CUSTOM outside of IKE DH rangeTobias Brunner2014-12-239-14/+17
| | | | | | | | | Before this fix it was possible to crash charon with an IKE_SA_INIT message containing a KE payload with DH group MODP_CUSTOM(1025). Defining MODP_CUSTOM outside of the two byte IKE DH identifier range prevents it from getting negotiated. Fixes CVE-2014-9221.
* pki: Document correct output formats for --pkcs12 --exportTobias Brunner2014-12-191-2/+2
|
* pki: Properly clean up if output format for --pkcs12 is wrongTobias Brunner2014-12-191-0/+2
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-09 06:38:53 +0000