Martin Willi | 5ce59d4c06 | Added an aggressive mode peer_cfg option | 2012-03-20 17:31:34 +01:00 |
Martin Willi | a347c1ac43 | Fix sending of CERTREQ/CERT payloads in aggressive mode | 2012-03-20 17:31:34 +01:00 |
Martin Willi | ebc7bcb550 | Encrypt payloads of third aggressive mode message | 2012-03-20 17:31:33 +01:00 |
Martin Willi | ee325b555f | Implemented aggressive mode using Phase 1 helper class | 2012-03-20 17:31:33 +01:00 |
Martin Willi | b4bd875612 | Make use of the new Phase 1 helper class in main mode | 2012-03-20 17:31:33 +01:00 |
Martin Willi | c29a89b80d | Implemented a common Phase 1 helper class to use by main and aggressive modes | 2012-03-20 17:31:33 +01:00 |
Martin Willi | 44dcd5944a | Fix error handling if no PSK found for main mode | 2012-03-20 17:31:33 +01:00 |
Martin Willi | 90731f38c9 | Install quick mode CHILD_SAs with negotiated encapsulation mode | 2012-03-20 17:31:33 +01:00 |
Martin Willi | 927c1dd9d2 | Support IKEv1 proposal encodings having both lifebytes and a lifetime | 2012-03-20 17:31:33 +01:00 |
Martin Willi | b147679a2c | Try to detect reauthentication as responder and adopt children to new SA | 2012-03-20 17:31:33 +01:00 |
Martin Willi | 3a0b67bce5 | Destroy IKE_SA after reauthentication initiated and lifetime limit reached | 2012-03-20 17:31:33 +01:00 |
Martin Willi | cb1a145ce2 | Added an IKE_SA manager method to enumerate IKE_SA IDs filtered by identities | 2012-03-20 17:31:33 +01:00 |
Martin Willi | beab4a90ae | Query for XAuth identity in get_other_eap_id(), too | 2012-03-20 17:31:32 +01:00 |
Martin Willi | 1b79299b89 | Set ISAKMP SA state to rekeying after triggering reauthentication | 2012-03-20 17:31:32 +01:00 |
Martin Willi | c9d68d17f0 | Include peer config overtime in negotiated ISAKMP SA lifetime | 2012-03-20 17:31:32 +01:00 |
Martin Willi | 4f49b06843 | Initiate IKEv1 reauthentication, take over all children | 2012-03-20 17:31:32 +01:00 |
Martin Willi | 17c64d5ff9 | Establish IKE_SA only once as XAuth responder | 2012-03-20 17:31:32 +01:00 |
Martin Willi | 9c64f214f1 | Support initiation of childless IKEv1 ISAKMP SAs | 2012-03-20 17:31:32 +01:00 |
Martin Willi | 7e9e1f96df | Don't trigger reauthentication if initiator authenticated using XAuth | 2012-03-20 17:31:32 +01:00 |
Martin Willi | 2da3ff7a52 | Set a condition flag if peer has been authenticated using XAuth | 2012-03-20 17:31:32 +01:00 |
Martin Willi | 54773729a8 | Queue Mode Config tasks after main mode as initiator, not as responder | 2012-03-20 17:31:32 +01:00 |
Clavister OpenSource | d71092ceed | Setting Mode Cfg identifier for CFG_ACK messages. | 2012-03-20 17:31:32 +01:00 |
Clavister OpenSource | e32820f593 | Add functions to set mode cfg identifier | 2012-03-20 17:31:32 +01:00 |
Martin Willi | 462c9a4f72 | Try all matching XAuth secrets we find, not only the first one | 2012-03-20 17:31:32 +01:00 |
Martin Willi | 3d86d76b86 | Fixed create_shared_enumerator method description | 2012-03-20 17:31:31 +01:00 |
Martin Willi | f56c3c53f6 | As responder, try to reuse the reqid of the CHILD_SA the initiator is rekeying | 2012-03-20 17:31:31 +01:00 |
Martin Willi | 31bd5c8c0e | Reply quick mode with the same SA lifetime that we received | 2012-03-20 17:31:31 +01:00 |
Martin Willi | 3a925f74ab | Do not query CHILD_SA during delete if they already expired | 2012-03-20 17:31:31 +01:00 |
Martin Willi | 07202a2bf1 | Be less verbose when deleting SAs triggered by a hard expire | 2012-03-20 17:31:31 +01:00 |
Martin Willi | 23eb447c9a | Implemented CHILD_SA rekeying | 2012-03-20 17:31:31 +01:00 |
Martin Willi | 634ac410a2 | Don't return FAILED if a CHILD_SA to delete could not be found | 2012-03-20 17:31:31 +01:00 |
Martin Willi | 14dc794165 | Support installing of quick mode SAs with a specific reqid | 2012-03-20 17:31:31 +01:00 |
Martin Willi | 5f1df0a060 | Double check that we could select a TS as quick mode responder | 2012-03-20 17:31:31 +01:00 |
Martin Willi | f5a84055fe | Implemented responder retransmission, currently enabled for quick mode only | 2012-03-20 17:31:30 +01:00 |
Martin Willi | dc8e964775 | Queue IKEv1 INFORMATIONALS with higher priority to process notifies first | 2012-03-20 17:31:30 +01:00 |
Martin Willi | 96f98a8c11 | Accept IKEv1 INVALID_KE_INFORMATION notifies without data | 2012-03-20 17:31:30 +01:00 |
Martin Willi | 253d7e3eff | Don't process notifies in quick mode task when we get an INFORMATIONAL | 2012-03-20 17:31:30 +01:00 |
Martin Willi | 9276f7121c | Always queue a new passive task when receiving an IKEv1 INFORMATIONAL | 2012-03-20 17:31:30 +01:00 |
Tobias Brunner | db1dc81329 | IKEv1 ATTRIBUTES_NOT_SUPPORTED error notify added. | 2012-03-20 17:31:30 +01:00 |
Martin Willi | 8a395e889c | Fixed leak of a hash when checking out by hash | 2012-03-20 17:31:30 +01:00 |
Martin Willi | dd5c3787dc | Give a hint that decryption failed if payload length invalid | 2012-03-20 17:31:30 +01:00 |
Martin Willi | 07b8ec7c00 | Cast keymat safely, not based on external input | 2012-03-20 17:31:30 +01:00 |
Martin Willi | 3bacc1f429 | Added a keymat_t version to cast it safely | 2012-03-20 17:31:30 +01:00 |
Martin Willi | 3d54ae94d9 | Handle initiation of not supported IKE versions properly | 2012-03-20 17:31:30 +01:00 |
Martin Willi | daee47ba46 | Send a delete for every CHILD_SA before deleting IKE_SA | 2012-03-20 17:31:30 +01:00 |
Martin Willi | 6379c679ae | Set used auth_class in PSKv1 authenticator to comply to constraints | 2012-03-20 17:31:30 +01:00 |
Martin Willi | 8573b18d22 | Fixed scheduling of IKEv2 init tasks in a second keyingtry | 2012-03-20 17:31:29 +01:00 |
Martin Willi | 8ed976c061 | Don't requeue IKEv1 init tasks if they already exist in a second keyingtry | 2012-03-20 17:31:29 +01:00 |
Tobias Brunner | fd5d6bb08e | Use IPSEC DOI also for ISAKMP SA deletes. | 2012-03-20 17:31:29 +01:00 |
Martin Willi | d9c1dae293 | Implemented resetting of IKEv1 task manager, enabling additional keyingtries | 2012-03-20 17:31:29 +01:00 |