Commit Graph

92 Commits

Author SHA1 Message Date
Tobias Brunner bde5bd47bd ike-sa-manager: Rename checkout_new() to create_new()
We don't actually check that SA out (i.e. it's not registered with the
manager).  That was originally different but had to be changed with
86993d6b90 to avoid that SAs created for rekeying don't block other
threads on the manager.
2021-02-12 15:49:08 +01:00
Tobias Brunner 610745e724 unit-tests: Free allocated SPIs in mock IPsec backend 2020-10-27 16:42:01 +01:00
Josh Soref b3ab7a48cc Spelling fixes
* accumulating
* acquire
* alignment
* appropriate
* argument
* assign
* attribute
* authenticate
* authentication
* authenticator
* authority
* auxiliary
* brackets
* callback
* camellia
* can't
* cancelability
* certificate
* choinyambuu
* chunk
* collector
* collision
* communicating
* compares
* compatibility
* compressed
* confidentiality
* configuration
* connection
* consistency
* constraint
* construction
* constructor
* database
* decapsulated
* declaration
* decrypt
* derivative
* destination
* destroyed
* details
* devised
* dynamic
* ecapsulation
* encoded
* encoding
* encrypted
* enforcing
* enumerator
* establishment
* excluded
* exclusively
* exited
* expecting
* expire
* extension
* filter
* firewall
* foundation
* fulfillment
* gateways
* hashing
* hashtable
* heartbeats
* identifier
* identifiers
* identities
* identity
* implementers
* indicating
* initialize
* initiate
* initiation
* initiator
* inner
* instantiate
* legitimate
* libraries
* libstrongswan
* logger
* malloc
* manager
* manually
* measurement
* mechanism
* message
* network
* nonexistent
* object
* occurrence
* optional
* outgoing
* packages
* packets
* padding
* particular
* passphrase
* payload
* periodically
* policies
* possible
* previously
* priority
* proposal
* protocol
* provide
* provider
* pseudo
* pseudonym
* public
* qualifier
* quantum
* quintuplets
* reached
* reading
* recommendation to
* recommendation
* recursive
* reestablish
* referencing
* registered
* rekeying
* reliable
* replacing
* representing
* represents
* request
* request
* resolver
* result
* resulting
* resynchronization
* retriable
* revocation
* right
* rollback
* rule
* rules
* runtime
* scenario
* scheduled
* security
* segment
* service
* setting
* signature
* specific
* specified
* speed
* started
* steffen
* strongswan
* subjectaltname
* supported
* threadsafe
* traffic
* tremendously
* treshold
* unique
* uniqueness
* unknown
* until
* upper
* using
* validator
* verification
* version
* version
* warrior

Closes strongswan/strongswan#164.
2020-02-11 18:23:07 +01:00
Tobias Brunner 02b348403a Fixed some typos, courtesy of codespell 2019-04-29 15:09:20 +02:00
Tobias Brunner fbb0feeea9 unit-tests: Add unit tests for childless IKE_SA initiation 2019-04-25 15:23:19 +02:00
Tobias Brunner 1b19469c67 unit-tests: Make childless initiation configurable 2019-04-25 15:23:19 +02:00
Tobias Brunner e0678a8cc6 unit-tests: Add helper to create but not yet establish two IKE_SAs 2019-04-25 15:23:19 +02:00
Tobias Brunner 202fb101b8 unit-tests: Add macros to assert certain payloads are (not) in a message 2019-04-25 15:23:19 +02:00
Tobias Brunner 9486a2e5b0 ike-cfg: Pass arguments as struct 2019-04-25 14:31:33 +02:00
Tobias Brunner ecba84a06b child-delete: Don't send delete for expired CHILD_SAs that were already rekeyed
The peer might not have seen the CREATE_CHILD_SA response yet, receiving a
DELETE for the SA could then trigger it to abort the rekeying, causing
the deletion of the newly established SA (it can't know whether the
DELETE was sent due to an expire or because the user manually deleted
it).  We just treat this SA as if we received a DELETE for it.  This is
not an ideal situation anyway, as it causes some traffic to get dropped,
so it should usually be avoided by setting appropriate soft and hard limits.

References #2815.
2018-11-22 11:31:53 +01:00
Tobias Brunner 5dff6de8eb unit-tests: Add tests for peer_cfg_t::replace_child_cfgs() 2018-09-10 17:45:23 +02:00
Tobias Brunner 35e49ffd2f unit-tests: Add mock implementation of kernel_net_t
This is required for DPDs via ike-mobike task to work (it does a source
address lookup).
2018-06-22 09:20:30 +02:00
Tobias Brunner 1b67166921 Unify format of HSR copyright statements 2018-05-23 16:32:53 +02:00
Tobias Brunner a79d510354 ike-sa: Add option to force the destruction of an IKE_SA after initiating a delete 2018-05-22 10:06:07 +02:00
Tobias Brunner 16898026a5 child-sa: Add new state to track deleted but not yet destroyed CHILD_SAs
This allows us to easily identify SAs we keep around after a rekeying to
process delayed packets.
2018-04-09 17:13:41 +02:00
Tobias Brunner 97ad041e6e unit-tests: Make sure we reuse the DH group during CHILD_SA rekeying 2018-02-09 10:20:05 +01:00
Tobias Brunner 576d9b907c ike-init: Make DH group reuse optional to test INVALID_KE_PAYLOAD handling
This is currently not an issue for CHILD_SA rekeying tests as these only
check rekeyings of the CHILD_SA created with the IKE_SA, i.e. there is
no previous DH group to reuse.
2018-02-09 10:20:05 +01:00
Tobias Brunner 2307bffe56 proposal: Move proposal_t from libcharon to libstrongswan
This allows us to use it without having to initialize libcharon, which
was required for the logging (we probably could have included debug.h
instead of daemon.h to work around that but this seems more correct).
2017-11-17 18:09:54 +01:00
Tobias Brunner 15e745cf4d child-rekey: Don't install outbound SA in case of lost collisions
This splits the SA installation also on the initiator, so we can avoid
installing the outbound SA if we lost a rekey collision, which might
have caused traffic loss depending on the timing of the DELETEs that are
sent in both directions.
2017-08-07 10:46:00 +02:00
Tobias Brunner 2c116ef589 child-sa: Use flags to track installation of outbound SA and policies separately 2017-08-07 10:44:05 +02:00
Tobias Brunner 67ad553a2c unit-tests: Stringify direction in message asserts early
x86_64-w64-mingw32-gcc on Windows requires this.
2017-07-28 11:18:59 +02:00
Tobias Brunner 525cc46cab Change interface for enumerator_create_filter() callback
This avoids the unportable 5 pointer hack, but requires enumerating in
the callback.
2017-05-26 13:56:44 +02:00
Tobias Brunner 10c7a66806 unit-tests: Check installed IPsec SAs in child-rekey tests 2017-05-23 18:46:50 +02:00
Tobias Brunner 72655fe411 unit-tests: Add assert to check for installed IPsec SAs 2017-05-23 18:46:50 +02:00
Tobias Brunner 2b581b59f0 unit-tests: Migrate cached IPsec SAs to new IKE_SAs during rekeying 2017-05-23 18:46:49 +02:00
Tobias Brunner d80055baae unit-tests: Keep track of installed IPsec SAs in mock kernel_ipsec_t implementation 2017-05-23 18:46:49 +02:00
Tobias Brunner 44107cb7b7 child-delete: Delay the removal of the inbound SA of rekeyed CHILD_SAs
After deleting a rekeyed CHILD_SA we uninstall the outbound SA but don't
destroy the CHILD_SA (and the inbound SA) immediately.  We delay it
a few seconds or until the SA expires to allow delayed packets to get
processed. The CHILD_SA remains in state CHILD_DELETING until it finally
gets destroyed.
2017-05-23 18:46:49 +02:00
Tobias Brunner 0cbf75eb94 child-sa: Remove state to track installation of half the SA again 2017-05-23 18:46:49 +02:00
Tobias Brunner d94c122439 unit-tests: Overload helper macro to check for outbound SA state 2017-05-23 18:46:49 +02:00
Tobias Brunner dc3710e987 ikev2: Delay installation of outbound SAs during rekeying on the responder
The responder has all the information needed to install both SAs before
the initiator does.  So if the responder immediately installs the outbound
SA it might send packets using the new SA which the initiator is not yet
able to process.  This can be avoided by delaying the installation of the
outbound SA until the replaced SA is deleted.
2017-05-23 18:46:06 +02:00
Tobias Brunner 2f6ec15dff unit-tests: Add test cases for MID sync exchanges 2017-02-08 15:11:00 +01:00
Tobias Brunner 22f13dcecd proposal: Copy SPI and proposal number from correct proposal in select()
If charon.prefer_configured_proposals is disabled select() is called on
the received proposal. This incorrectly set the SPI to 0 as the
configured proposal has no SPI set.

Fixes #2190.
2017-02-06 11:14:31 +01:00
Tobias Brunner 9665686bd8 daemon: Use separate method to set default loggers
This way it is not necessary to pass the same values to reload the
loggers.
2017-01-25 14:58:09 +01:00
Tobias Brunner 89054d9dcb unit-tests: Enable optional logging in libcharon unit tests 2016-10-05 14:27:05 +02:00
Tobias Brunner 9e5065d877 unit-tests: Add more tests for proposal creation 2016-10-05 14:27:05 +02:00
Tobias Brunner 9b191d5975 proposal: Make DH groups mandatory in IKE proposals parsed from strings
References #2051.
2016-10-05 14:26:55 +02:00
Tobias Brunner a6d7aed78a libcharon: Add exchange_tests to .gitignore 2016-07-25 14:01:26 +02:00
Tobias Brunner 5435a9a062 unit-tests: Add tests for expires after CHILD_SA rekeying 2016-06-17 18:48:08 +02:00
Tobias Brunner d707a19733 unit-tests: Add test for CHILD_SA rekey if a retry due to an INVALID_KE_PAYLOAD is delayed 2016-06-17 18:48:08 +02:00
Tobias Brunner b4f24ac0f6 unit-tests: Add test for collision between IKE_SA rekey and CHILD_SA creation 2016-06-17 18:48:08 +02:00
Tobias Brunner 46cbdcace9 unit-tests: Add tests for IKE rekeying if INVALID_KE_PAYLOAD notifies are received 2016-06-17 18:48:07 +02:00
Tobias Brunner aae9510148 proposal: Handle MODP_NONE in both directions when selecting proposals 2016-06-17 18:48:07 +02:00
Tobias Brunner 2e33d1f9ae unit-tests: Add test for rekey collision if one CREATE_CHILD_SA response is delayed 2016-06-17 18:48:06 +02:00
Tobias Brunner 566134b25a unit-tests: Add tests for IKE_SA rekeying if collision is not detected by one peer 2016-06-17 18:48:06 +02:00
Tobias Brunner 0a2cad40a6 unit-tests: Add tests for IKE/CHILD delete collisions 2016-06-17 18:48:06 +02:00
Tobias Brunner 7b3eccfff4 unit-tests: Add tests for IKE/CHILD rekey collisions 2016-06-17 18:48:05 +02:00
Tobias Brunner 7015994a94 unit-tests: Add tests for collisions between IKE_SA rekeying and deletion 2016-06-17 18:48:05 +02:00
Tobias Brunner 72c295df5b unit-tests: Add tests for IKE SA deletion 2016-06-17 18:48:05 +02:00
Tobias Brunner 40d9a4c892 unit-tests: Only deliver messages to the SA they are addressed to 2016-06-17 18:48:05 +02:00
Tobias Brunner 498a46d22f unit-tests: Add test for simple IKE rekey collision 2016-06-17 18:48:05 +02:00