b3ab7a48cc
Spelling fixes
...
* accumulating
* acquire
* alignment
* appropriate
* argument
* assign
* attribute
* authenticate
* authentication
* authenticator
* authority
* auxiliary
* brackets
* callback
* camellia
* can't
* cancelability
* certificate
* choinyambuu
* chunk
* collector
* collision
* communicating
* compares
* compatibility
* compressed
* confidentiality
* configuration
* connection
* consistency
* constraint
* construction
* constructor
* database
* decapsulated
* declaration
* decrypt
* derivative
* destination
* destroyed
* details
* devised
* dynamic
* ecapsulation
* encoded
* encoding
* encrypted
* enforcing
* enumerator
* establishment
* excluded
* exclusively
* exited
* expecting
* expire
* extension
* filter
* firewall
* foundation
* fulfillment
* gateways
* hashing
* hashtable
* heartbeats
* identifier
* identifiers
* identities
* identity
* implementers
* indicating
* initialize
* initiate
* initiation
* initiator
* inner
* instantiate
* legitimate
* libraries
* libstrongswan
* logger
* malloc
* manager
* manually
* measurement
* mechanism
* message
* network
* nonexistent
* object
* occurrence
* optional
* outgoing
* packages
* packets
* padding
* particular
* passphrase
* payload
* periodically
* policies
* possible
* previously
* priority
* proposal
* protocol
* provide
* provider
* pseudo
* pseudonym
* public
* qualifier
* quantum
* quintuplets
* reached
* reading
* recommendation to
* recommendation
* recursive
* reestablish
* referencing
* registered
* rekeying
* reliable
* replacing
* representing
* represents
* request
* request
* resolver
* result
* resulting
* resynchronization
* retriable
* revocation
* right
* rollback
* rule
* rules
* runtime
* scenario
* scheduled
* security
* segment
* service
* setting
* signature
* specific
* specified
* speed
* started
* steffen
* strongswan
* subjectaltname
* supported
* threadsafe
* traffic
* tremendously
* treshold
* unique
* uniqueness
* unknown
* until
* upper
* using
* validator
* verification
* version
* version
* warrior
Closes strongswan/strongswan#164 .
2020-02-11 18:23:07 +01:00
51ac22579d
ikev2: Send INVALID_MAJOR_VERSION notify using the same exchange type and MID
...
This is per RFC 7296, section 1.5.
2019-12-09 12:26:54 +01:00
bea10205b0
receiver: Don't use commas to separate statements
...
Maybe was in the INIT statement at some point.
2018-09-17 18:51:42 +02:00
1b67166921
Unify format of HSR copyright statements
2018-05-23 16:32:53 +02:00
3a67df3b10
receiver: Restrict init limit to half-open SAs as responder
...
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
2017-05-23 17:53:20 +02:00
b12c53ce77
Use standard unsigned integer types
2016-03-24 18:52:48 +01:00
8394ea2a42
libhydra: Move kernel interface to libcharon
...
This moves hydra->kernel_interface to charon->kernel.
2016-03-03 17:36:11 +01:00
735f929ca7
ike: Only consider number of half-open SAs as responder when deciding whether COOKIEs are sent
2015-08-27 11:18:51 +02:00
47a340e1f7
ikev2: Drop IKE_SA_INIT messages that don't have the initiator flag set
...
While this doesn't really create any problems it is not 100% correct to
accept such messages because, of course, the sender of an IKE_SA_INIT
request is always the original initiator of an IKE_SA.
We currently don't check the flag later, so we wouldn't notice if the
peer doesn't set it in later messages (ike_sa_id_t.equals doesn't
compare it anymore since we added support for IKEv1, in particular since
17ec1c74de
2015-08-20 16:05:02 +02:00
161a015782
utils: Use chunk_equals_const() for all cryptographic purposes
2015-04-14 12:02:51 +02:00
75122b90bb
receiver: Send a single INVALID_MAJOR_VERSION notify for IKE version > 2
...
We sent both a notify using IKEv1 and IKEv2. This is a little more aggressive
than required, RFC 5996 says we "SHOULD send an unauthenticated Notify
message of type INVALID_MAJOR_VERSION containing the highest (closest) version
number it supports".
Fixes #657 .
2014-07-17 09:35:49 +02:00
3ecfc83c6b
payload: Use common prefixes for all payload type identifiers
...
The old identifiers did not use a proper namespace and often clashed with
other defines.
2014-06-04 15:53:03 +02:00
d223fe807a
libcharon: Use lib->ns instead of charon->name
2014-02-12 14:34:32 +01:00
e2c9a03d15
Remove HASH_PREFERRED, usages are replaced with HASH_SHA1, which is required for IKEv2 anyway
2013-10-11 15:13:25 +02:00
a566c5f837
receiver: Avoid cloning packet data when verifying COOKIE payloads
...
Besides being more efficient this removes a memory leak that occurred
when a COOKIE payload was successfully verified.
Fixes #369 .
2013-07-29 22:04:24 +02:00
654c88bca8
Added charon.initiator_only option which causes charon to ignore IKE initiation requests by peers
2013-04-14 19:57:49 +02:00
68bfee4bc4
Avoid returning COOKIEs right after system boot
...
When the monotonic timer is initialized to 0 right after the system is
booted the daemon responded with COOKIES for COOKIE_CALMDOWN_DELAY (10s).
Since the COOKIE verification code actually produces an overflow for
COOKIE_LIFETIME (10s) it wouldn't even accept properly returned COOKIEs.
Checking for last_cookie makes sense anyway as that condition must only
apply if we actually sent a COOKIE before.
2013-03-19 16:19:11 +01:00
fdee6b5f5a
Moved packet_t and tun_device_t to networking folder
2012-10-24 15:06:18 +02:00
2b95ab7620
Raise a bus alert when IKE message header parsing fails
2012-10-24 11:34:30 +02:00
2e2feffb67
Don't check interface of inbound message if interfaces are not filtered
...
We don't have a proper kernel-net interface on Android yet, so the check
for a usable interface does not work there.
2012-09-24 17:12:18 +02:00
090c556ce8
Drop packets received on ignored interfaces
2012-09-21 18:16:26 +02:00
5764a9b355
Moved packet_t to libstrongswan
2012-08-08 15:41:02 +02:00
fe4a152b85
Avoid unnecessary copy of packet data when removing Non-ESP marker.
2012-08-08 15:12:25 +02:00
896941d365
Improved how NAT-T keepalives are handled in sockets/receiver.
2012-08-08 15:12:24 +02:00
08b2ce7aa7
Callback for ESP packets added to receiver.
2012-08-08 15:12:24 +02:00
65da43e2fc
Handle Non-ESP marker in receiver and not individual socket plugins.
2012-08-08 15:12:24 +02:00
8bd6a30af1
Add a return value to hasher_t.get_hash()
2012-07-16 14:55:06 +02:00
0c096e9bb5
Check rng return value when generating COOKIE secret in receiver
2012-07-16 14:53:35 +02:00
26d77eb3e6
Centralized thread cancellation in processor_t
...
This ensures that no threads are active when plugins and the rest of the
daemon are unloaded.
callback_job_t was simplified a lot in the process as its main
functionality is now contained in processor_t. The parent-child
relationships were abandoned as these were only needed to simplify job
cancellation.
2012-06-25 17:38:59 +02:00
983c667481
Use proper getter for settings in sender and receiver.
2012-05-03 13:57:04 +02:00
42500c274a
Use name from initialization to access settings in libcharon.
...
Also fixes several whitespace errors.
2012-05-03 13:57:04 +02:00
b24be29646
Merge branch 'ikev1'
...
Conflicts:
configure.in
man/ipsec.conf.5.in
src/libcharon/encoding/generator.c
src/libcharon/encoding/payloads/notify_payload.c
src/libcharon/encoding/payloads/notify_payload.h
src/libcharon/encoding/payloads/payload.c
src/libcharon/network/receiver.c
src/libcharon/sa/authenticator.c
src/libcharon/sa/authenticator.h
src/libcharon/sa/ikev2/tasks/ike_init.c
src/libcharon/sa/task_manager.c
src/libstrongswan/credentials/auth_cfg.c
2012-05-02 11:12:31 +02:00
1b7debcc04
Keep COOKIEs enabled once threshold is hit, until we see no COOKIEs for a few secs
...
Toggling COOKIEs on/off is problematic: After doing a COOKIE exchange as
initiator, we can't know if the completing IKE_SA_INIT message is to our first
request or the one with the COOKIE. If the responder just enabled/disabled
COOKIEs and packets get retransmitted, both might be true. Avoiding COOKIE
behavior toggling improves the situation, but does not solve the problem during
the initial COOKIE activation.
2012-04-17 10:02:21 +02:00
53300baded
Send correct INVALID_MAJOR_VERSION when receiving packet with unsupported protocol
2012-03-20 17:31:28 +01:00
be83ea7ebf
Drop IKEv1 main/aggressive modes if peer to aggressive
2012-03-20 17:31:28 +01:00
38bb727c06
Don't accept IKEv2 packets if IKEv2 disabled
2012-03-20 17:31:28 +01:00
38fb67fbf1
Add a payload.get_header_length() method, remove header length definitions
2012-03-20 17:30:42 +01:00
4ed52db2bb
Allow creation of message_t objects for IKEv1 packets.
2012-03-20 17:30:40 +01:00
867701bc6d
Accept and process IKEv1 messages in receiver
2012-03-20 17:30:39 +01:00
526b5afb45
Extended IKE header for IKEv1 support
2012-03-20 17:30:39 +01:00
14bf2f689d
Use CRITICAL job priority class for long running dispatcher jobs
2011-05-16 15:24:15 +02:00
a2302d2322
Added init_limit_half_open and a init_limit_job_load (replacing job_threshold) options, some refactorings
2011-05-16 15:24:14 +02:00
3f06403705
Added a job_threshold option to drop IKE_SA_INITs if a certain job load reached
2011-05-16 15:24:13 +02:00
c2fad1916a
Avoid recursive loop if no socket implementations are loaded.
2010-10-14 17:36:20 +02:00
bb381e26c6
Refer to scheduler and processor via lib and not hydra.
2010-09-02 19:04:18 +02:00
61e8e73206
Refer to scheduler via hydra and not charon.
2010-09-02 19:01:24 +02:00
c5f7146b17
Refer to processor via hydra and not charon.
2010-09-02 19:01:22 +02:00
b519071299
Use AEAD wrapper for encryption payload encryption/decryption
2010-08-19 19:02:33 +02:00
ba31fe1fd6
Use a seperate section for each nested struct member in INIT macro
2010-08-18 12:15:03 +02:00
8f7e8e075a
Fixed typo.
2010-07-05 14:53:56 +02:00
Josh Soref