aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* | | added some new TCG IF-M message subtypes and attributesAndreas Steffen2013-03-024-4/+36
| | |
* | | version bump to 5.0.3dr3Andreas Steffen2013-03-021-1/+1
| | |
* | | android: Mitigate race condition on reauthenticationTobias Brunner2013-03-011-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | If the TUN device gets recreated while another thread in handle_plain() has not yet called select(2) but already stored the file descriptor of the old TUN device in its FD set, select() will fail with EBADF. Fixes #301.
* | | openssl: The EVP GCM interface requires at least OpenSSL 1.0.1Tobias Brunner2013-03-012-0/+8
| | |
* | | Merge branch 'multi-eap'Martin Willi2013-03-012-28/+50
|\ \ \ | | | | | | | | | | | | | | | | | | | | Fixes the use of EAP methods in the non-first authentication round if the initiator demands mutual EAP. Also mutual EAP can now be enforced when the initiator sets rightauth=eap, not only with rightauth=any.
| * | | Apply a mutual EAP auth_cfg not before the EAP method completesMartin Willi2013-02-262-1/+18
| | | |
| * | | Be a little more verbose why a peer_cfg is inacceptableMartin Willi2013-02-261-8/+16
| | | |
| * | | Refactor auth_cfg applying to a common functionMartin Willi2013-02-261-20/+17
| |/ /
* | | Merge branch 'multi-cert'Martin Willi2013-03-014-27/+113
|\ \ \ | | | | | | | | | | | | | | | | Allows the configuration of multiple certificates in leftcert, and select the correct certificate to use based on the received certificate requests.
| * | | After merging the used trustchain with config, move used certificate to frontMartin Willi2013-01-181-0/+24
| | | |
| * | | Add ipsec.conf.5 updates regarding multiple certificates in leftcertMartin Willi2013-01-181-0/+4
| | | |
| * | | Try to build a trustchain for all configured certificates before enforcing oneMartin Willi2013-01-181-1/+29
| | | | | | | | | | | | | | | | | | | | This enables the daemon to select from multiple configured certificates by building trustchains against the received certificate requests.
| * | | Load multiple comma seperarated certificates in the leftcert optionMartin Willi2013-01-181-15/+32
| | | |
| * | | Make AUTH_RULE_SUBJECT cert multi-valuedMartin Willi2013-01-181-11/+24
| | | | | | | | | | | | | | | | | | | | Constraints having multiple subject certs defined are fulfilled if authentication used one of the listed certificates.
* | | | Merge branch 'systime'Martin Willi2013-03-019-10/+525
|\ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | Add a systime-fix plugin allowing an embedded system to validate certificates if the system time has not been synchronized after boot. Certificates of established tunnels can be re-validated after the system time gets valid.
| * | | | systime-fix disables certificate lifetime validation if system time not syncedMartin Willi2013-02-194-0/+326
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The system time can be periodically checked. If it gets valid, certificates get rechecked with the current lifetime. If certificates are invalid, associated IKE_SAs can be closed or reauthenticated.
| * | | | Add a stub for systime-fix, a plugin handling certificate lifetimes gracefullyMartin Willi2013-02-195-0/+130
| | | | |
| * | | | Add a cert_validator hook allowing plugins to provide custom lifetime checkingMartin Willi2013-02-192-10/+64
| | | | |
| * | | | Make cert_validator_t.validate optional to implementMartin Willi2013-02-192-0/+5
| | |_|/ | |/| |
* | | | Merge branch 'ikev1-rekeying'Martin Willi2013-03-012-0/+25
|\ \ \ \ | | | | | | | | | | | | | | | | | | | | Migrates Quick Modes to the new Main Mode if an IKEv1 reauthentication replaces the old Main Mode having a uniqueids=replace policy.
| * | | | After IKEv1 reauthentication, reinstall VIP routes after migrating CHILD_SAsMartin Willi2013-02-201-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | During IKEv1 reauthentication, the virtual IP gets removed, then reinstalled. The CHILD_SAs get migrated, but any associated route gets removed from the kernel. Reinstall routes after adding the virtual IP again.
| * | | | When detecting a duplicate IKEv1 SA, adopt children, as it might be a rekeyingMartin Willi2013-02-201-0/+21
| | | | |
* | | | | Merge branch 'vip-shunts'Martin Willi2013-03-012-15/+19
|\ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Installs bypass policies for the physical address if a virtual address is assigned, and installs a proper source route to actually use the physical address for bypassed destinations. Conflicts: src/libcharon/plugins/unity/unity_handler.c
| * | | | | Install a route for shunt policiesMartin Willi2013-02-201-5/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If we install a virtual IP, its source route would render the shunt policy useless, as locally generated traffic wouldn't match. Having a route for each shunt policy with higher priority chooses the correct source address for bypassed destinations.
| * | | | | Include local address for Unity Split-Exclude shunt policiesMartin Willi2013-02-201-10/+5
| |/ / / / | | | | | | | | | | | | | | | | | | | | If we use a virtual IP, having a shunt policy for just that wouldn't work, as we want a shunt bypass using the local address.
* | | | | Merge branch 'opaque-ports'Martin Willi2013-03-0119-118/+199
|\ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | Adds a %opaque port option and support for port ranges in left/rightprotoport. Currently not supported by any of our kernel backends.
| * | | | | Don't reject OPAQUE ports while verifying traffic selector substructureMartin Willi2013-02-211-1/+5
| | | | | |
| * | | | | Document ipsec.conf leftprotoport extensions in manpageMartin Willi2013-02-211-0/+8
| | | | | |
| * | | | | Optionally support port ranges in leftprotoportMartin Willi2013-02-211-4/+20
| | | | | |
| * | | | | Support %opaque keyword in leftprotoport for "opaque" portsMartin Willi2013-02-211-0/+5
| | | | | |
| * | | | | Pass complete port range over stroke interface for more flexibilityMartin Willi2013-02-217-24/+21
| | | | | |
| * | | | | Use a complete port range in traffic_selector_create_from_{subnet,cidr}Martin Willi2013-02-2111-36/+46
| | | | | |
| * | | | | Print OPAQUE traffic selectors as what they are, not as port rangeMartin Willi2013-02-211-0/+4
| | | | | |
| * | | | | Support "opaque" ports in traffic selector subset calculationMartin Willi2013-02-211-6/+32
| | | | | |
| * | | | | Slightly refactor traffic_selector_t.get_subset()Martin Willi2013-02-211-61/+68
| | | | | |
| * | | | | Migrate remaining traffic selector methods to METHOD macroMartin Willi2013-02-211-19/+18
| | |/ / / | |/| | |
* | | | | When running with an unprivileged user, initialize supplementary groupsMartin Willi2013-03-012-2/+38
| | | | |
* | | | | Without MOBIKE, update remote host only if it is behind NATMartin Willi2013-03-011-2/+3
| | | | |
* | | | | Merge branch 'ikev1-mm-retransmits'Martin Willi2013-03-014-45/+55
|\ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fixes retransmit of the last Main Mode or IKE_AUTH message, and correctly queues Main Mode messages when processing of the last message is still in progress.
| * | | | | For IKEv1 Main Mode, use message hash to detect early retransmissionsMartin Willi2013-02-251-10/+23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | As the message ID is zero in all Main Mode messages, it can't be used to detect if we are already processing a given message.
| * | | | | Move initial message dropping to task managerMartin Willi2013-02-253-19/+27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When the last request message of the initial tunnel setup is retransmitted, we must retransmit the response instead of ignoring the request. Fixes #295.
| * | | | | Use INIT macro to initialize IKE_SA manager entriesMartin Willi2013-02-251-17/+6
| | | | | |
* | | | | | Merge branch 'tfc-notify'Martin Willi2013-03-016-2/+68
|\ \ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | Introduces kernel backend features, sends ESP_TFC_PADDING_NOT_SUPPORTED if kernel does not support it.
| * | | | | | Send ESP_TFC_PADDING_NOT_SUPPORTED if the used kernel doesn't support itMartin Willi2013-03-011-0/+9
| | | | | | |
| * | | | | | Indicate support for processing ESPv3 TFC padding in Netlink IPsec backendMartin Willi2013-03-011-1/+7
| | | | | | |
| * | | | | | Introduce "features" for the kernel backends returning kernel capabilitiesMartin Willi2013-03-014-1/+52
| | |/ / / / | |/| | | |
* | | | | | testing: Add a script to easily connect to a host via SSHTobias Brunner2013-02-281-0/+20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This doesn't require any entries in /etc/hosts and the correct SSH config is used to allow password-less access.
* | | | | | openssl: Provide AES-GCM implementationTobias Brunner2013-02-284-1/+312
| | | | | |
* | | | | | Fix cleanup in crypto_tester if AEAD implementation failsTobias Brunner2013-02-281-1/+4
| | | | | |
* | | | | | Order of arguments in Doxygen comment fixedTobias Brunner2013-02-282-2/+2
| | | | | |
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-04 19:18:58 +0000