Tobias Brunner
bde5bd47bd
ike-sa-manager: Rename checkout_new() to create_new()
...
We don't actually check that SA out (i.e. it's not registered with the
manager). That was originally different but had to be changed with
86993d6b90 to avoid that SAs created for rekeying don't block other
threads on the manager.
2021-02-12 15:49:08 +01:00
Tobias Brunner
610745e724
unit-tests: Free allocated SPIs in mock IPsec backend
2020-10-27 16:42:01 +01:00
Josh Soref
b3ab7a48cc
Spelling fixes
...
* accumulating
* acquire
* alignment
* appropriate
* argument
* assign
* attribute
* authenticate
* authentication
* authenticator
* authority
* auxiliary
* brackets
* callback
* camellia
* can't
* cancelability
* certificate
* choinyambuu
* chunk
* collector
* collision
* communicating
* compares
* compatibility
* compressed
* confidentiality
* configuration
* connection
* consistency
* constraint
* construction
* constructor
* database
* decapsulated
* declaration
* decrypt
* derivative
* destination
* destroyed
* details
* devised
* dynamic
* ecapsulation
* encoded
* encoding
* encrypted
* enforcing
* enumerator
* establishment
* excluded
* exclusively
* exited
* expecting
* expire
* extension
* filter
* firewall
* foundation
* fulfillment
* gateways
* hashing
* hashtable
* heartbeats
* identifier
* identifiers
* identities
* identity
* implementers
* indicating
* initialize
* initiate
* initiation
* initiator
* inner
* instantiate
* legitimate
* libraries
* libstrongswan
* logger
* malloc
* manager
* manually
* measurement
* mechanism
* message
* network
* nonexistent
* object
* occurrence
* optional
* outgoing
* packages
* packets
* padding
* particular
* passphrase
* payload
* periodically
* policies
* possible
* previously
* priority
* proposal
* protocol
* provide
* provider
* pseudo
* pseudonym
* public
* qualifier
* quantum
* quintuplets
* reached
* reading
* recommendation to
* recommendation
* recursive
* reestablish
* referencing
* registered
* rekeying
* reliable
* replacing
* representing
* represents
* request
* request
* resolver
* result
* resulting
* resynchronization
* retriable
* revocation
* right
* rollback
* rule
* rules
* runtime
* scenario
* scheduled
* security
* segment
* service
* setting
* signature
* specific
* specified
* speed
* started
* steffen
* strongswan
* subjectaltname
* supported
* threadsafe
* traffic
* tremendously
* treshold
* unique
* uniqueness
* unknown
* until
* upper
* using
* validator
* verification
* version
* version
* warrior
Closes strongswan/strongswan#164.
2020-02-11 18:23:07 +01:00
Tobias Brunner
02b348403a
Fixed some typos, courtesy of codespell
2019-04-29 15:09:20 +02:00
Tobias Brunner
fbb0feeea9
unit-tests: Add unit tests for childless IKE_SA initiation
2019-04-25 15:23:19 +02:00
Tobias Brunner
1b19469c67
unit-tests: Make childless initiation configurable
2019-04-25 15:23:19 +02:00
Tobias Brunner
e0678a8cc6
unit-tests: Add helper to create but not yet establish two IKE_SAs
2019-04-25 15:23:19 +02:00
Tobias Brunner
202fb101b8
unit-tests: Add macros to assert certain payloads are (not) in a message
2019-04-25 15:23:19 +02:00
Tobias Brunner
9486a2e5b0
ike-cfg: Pass arguments as struct
2019-04-25 14:31:33 +02:00
Tobias Brunner
ecba84a06b
child-delete: Don't send delete for expired CHILD_SAs that were already rekeyed
...
The peer might not have seen the CREATE_CHILD_SA response yet, receiving a
DELETE for the SA could then trigger it to abort the rekeying, causing
the deletion of the newly established SA (it can't know whether the
DELETE was sent due to an expire or because the user manually deleted
it). We just treat this SA as if we received a DELETE for it. This is
not an ideal situation anyway, as it causes some traffic to get dropped,
so it should usually be avoided by setting appropriate soft and hard limits.
References #2815.
2018-11-22 11:31:53 +01:00
Tobias Brunner
5dff6de8eb
unit-tests: Add tests for peer_cfg_t::replace_child_cfgs()
2018-09-10 17:45:23 +02:00
Tobias Brunner
35e49ffd2f
unit-tests: Add mock implementation of kernel_net_t
...
This is required for DPDs via ike-mobike task to work (it does a source
address lookup).
2018-06-22 09:20:30 +02:00
Tobias Brunner
1b67166921
Unify format of HSR copyright statements
2018-05-23 16:32:53 +02:00
Tobias Brunner
a79d510354
ike-sa: Add option to force the destruction of an IKE_SA after initiating a delete
2018-05-22 10:06:07 +02:00
Tobias Brunner
16898026a5
child-sa: Add new state to track deleted but not yet destroyed CHILD_SAs
...
This allows us to easily identify SAs we keep around after a rekeying to
process delayed packets.
2018-04-09 17:13:41 +02:00
Tobias Brunner
97ad041e6e
unit-tests: Make sure we reuse the DH group during CHILD_SA rekeying
2018-02-09 10:20:05 +01:00
Tobias Brunner
576d9b907c
ike-init: Make DH group reuse optional to test INVALID_KE_PAYLOAD handling
...
This is currently not an issue for CHILD_SA rekeying tests as these only
check rekeyings of the CHILD_SA created with the IKE_SA, i.e. there is
no previous DH group to reuse.
2018-02-09 10:20:05 +01:00
Tobias Brunner
2307bffe56
proposal: Move proposal_t from libcharon to libstrongswan
...
This allows us to use it without having to initialize libcharon, which
was required for the logging (we probably could have included debug.h
instead of daemon.h to work around that but this seems more correct).
2017-11-17 18:09:54 +01:00
Tobias Brunner
15e745cf4d
child-rekey: Don't install outbound SA in case of lost collisions
...
This splits the SA installation also on the initiator, so we can avoid
installing the outbound SA if we lost a rekey collision, which might
have caused traffic loss depending on the timing of the DELETEs that are
sent in both directions.
2017-08-07 10:46:00 +02:00
Tobias Brunner
2c116ef589
child-sa: Use flags to track installation of outbound SA and policies separately
2017-08-07 10:44:05 +02:00
Tobias Brunner
67ad553a2c
unit-tests: Stringify direction in message asserts early
...
x86_64-w64-mingw32-gcc on Windows requires this.
2017-07-28 11:18:59 +02:00
Tobias Brunner
525cc46cab
Change interface for enumerator_create_filter() callback
...
This avoids the unportable 5 pointer hack, but requires enumerating in
the callback.
2017-05-26 13:56:44 +02:00
Tobias Brunner
10c7a66806
unit-tests: Check installed IPsec SAs in child-rekey tests
2017-05-23 18:46:50 +02:00
Tobias Brunner
72655fe411
unit-tests: Add assert to check for installed IPsec SAs
2017-05-23 18:46:50 +02:00
Tobias Brunner
2b581b59f0
unit-tests: Migrate cached IPsec SAs to new IKE_SAs during rekeying
2017-05-23 18:46:49 +02:00
Tobias Brunner
d80055baae
unit-tests: Keep track of installed IPsec SAs in mock kernel_ipsec_t implementation
2017-05-23 18:46:49 +02:00
Tobias Brunner
44107cb7b7
child-delete: Delay the removal of the inbound SA of rekeyed CHILD_SAs
...
After deleting a rekeyed CHILD_SA we uninstall the outbound SA but don't
destroy the CHILD_SA (and the inbound SA) immediately. We delay it
a few seconds or until the SA expires to allow delayed packets to get
processed. The CHILD_SA remains in state CHILD_DELETING until it finally
gets destroyed.
2017-05-23 18:46:49 +02:00
Tobias Brunner
0cbf75eb94
child-sa: Remove state to track installation of half the SA again
2017-05-23 18:46:49 +02:00
Tobias Brunner
d94c122439
unit-tests: Overload helper macro to check for outbound SA state
2017-05-23 18:46:49 +02:00
Tobias Brunner
dc3710e987
ikev2: Delay installation of outbound SAs during rekeying on the responder
...
The responder has all the information needed to install both SAs before
the initiator does. So if the responder immediately installs the outbound
SA it might send packets using the new SA which the initiator is not yet
able to process. This can be avoided by delaying the installation of the
outbound SA until the replaced SA is deleted.
2017-05-23 18:46:06 +02:00
Tobias Brunner
2f6ec15dff
unit-tests: Add test cases for MID sync exchanges
2017-02-08 15:11:00 +01:00
Tobias Brunner
22f13dcecd
proposal: Copy SPI and proposal number from correct proposal in select()
...
If charon.prefer_configured_proposals is disabled select() is called on
the received proposal. This incorrectly set the SPI to 0 as the
configured proposal has no SPI set.
Fixes #2190.
2017-02-06 11:14:31 +01:00
Tobias Brunner
9665686bd8
daemon: Use separate method to set default loggers
...
This way it is not necessary to pass the same values to reload the
loggers.
2017-01-25 14:58:09 +01:00
Tobias Brunner
89054d9dcb
unit-tests: Enable optional logging in libcharon unit tests
2016-10-05 14:27:05 +02:00
Tobias Brunner
9e5065d877
unit-tests: Add more tests for proposal creation
2016-10-05 14:27:05 +02:00
Tobias Brunner
9b191d5975
proposal: Make DH groups mandatory in IKE proposals parsed from strings
...
References #2051.
2016-10-05 14:26:55 +02:00
Tobias Brunner
a6d7aed78a
libcharon: Add exchange_tests to .gitignore
2016-07-25 14:01:26 +02:00
Tobias Brunner
5435a9a062
unit-tests: Add tests for expires after CHILD_SA rekeying
2016-06-17 18:48:08 +02:00
Tobias Brunner
d707a19733
unit-tests: Add test for CHILD_SA rekey if a retry due to an INVALID_KE_PAYLOAD is delayed
2016-06-17 18:48:08 +02:00
Tobias Brunner
b4f24ac0f6
unit-tests: Add test for collision between IKE_SA rekey and CHILD_SA creation
2016-06-17 18:48:08 +02:00
Tobias Brunner
46cbdcace9
unit-tests: Add tests for IKE rekeying if INVALID_KE_PAYLOAD notifies are received
2016-06-17 18:48:07 +02:00
Tobias Brunner
aae9510148
proposal: Handle MODP_NONE in both directions when selecting proposals
2016-06-17 18:48:07 +02:00
Tobias Brunner
2e33d1f9ae
unit-tests: Add test for rekey collision if one CREATE_CHILD_SA response is delayed
2016-06-17 18:48:06 +02:00
Tobias Brunner
566134b25a
unit-tests: Add tests for IKE_SA rekeying if collision is not detected by one peer
2016-06-17 18:48:06 +02:00
Tobias Brunner
0a2cad40a6
unit-tests: Add tests for IKE/CHILD delete collisions
2016-06-17 18:48:06 +02:00
Tobias Brunner
7b3eccfff4
unit-tests: Add tests for IKE/CHILD rekey collisions
2016-06-17 18:48:05 +02:00
Tobias Brunner
7015994a94
unit-tests: Add tests for collisions between IKE_SA rekeying and deletion
2016-06-17 18:48:05 +02:00
Tobias Brunner
72c295df5b
unit-tests: Add tests for IKE SA deletion
2016-06-17 18:48:05 +02:00
Tobias Brunner
40d9a4c892
unit-tests: Only deliver messages to the SA they are addressed to
2016-06-17 18:48:05 +02:00
Tobias Brunner
498a46d22f
unit-tests: Add test for simple IKE rekey collision
2016-06-17 18:48:05 +02:00