Commit message  [Author, Date, Files, Lines -/+]
...
| * xpc: build with support for the keychain plugin  [Martin Willi, 2013-07-18, 3 files, -2/+4]
| |
| * xpc: add support for initiating simple IKEv2 EAP connections  [Martin Willi, 2013-07-18, 1 file, -0/+126]
| |
| * xpc: move dispatching to dedicated class, using dedicated thread  [Martin Willi, 2013-07-18, 4 files, -86/+304]
| |
| * xpc: use non-inlining variant of vstr, compiler does not like it  [Martin Willi, 2013-07-18, 1 file, -0/+2]
| |
| * xpc: add Xcode project for a charon controlled through XPC  [Martin Willi, 2013-07-18, 6 files, -0/+584]
| |
| * syslog: setlogmask() to include LOG_INFO  [Martin Willi, 2013-07-18, 1 file, -0/+1]
| |   LOG_INFO seems to be excluded by default on some systems (OS X).
| * keychain: flush certificate cache after reloading System keychain  [Martin Willi, 2013-07-18, 1 file, -0/+2]
| |
| * keychain: monitor changes in the system keychain, reload when necessary  [Martin Willi, 2013-07-18, 1 file, -0/+65]
| |
| * keychain: use SearchCopyNext keychain enumeration for System certs as well  [Martin Willi, 2013-07-18, 1 file, -71/+12]
| |   SecItemCopyMatching seems to be problematic regarding memory management. And as there does not seem to be a good alternative to enumerate the System Roots keychain using the SecItemCopyMatching API, we stick to the deprecated enumeration functions for now.
| * keychain: load certificates from System Roots Keychain  [Martin Willi, 2013-07-18, 1 file, -0/+65]
| |
| * keychain: load certificates only once during startup, improving performance  [Martin Willi, 2013-07-18, 3 files, -111/+78]
| |
| * keychain: support on-the-fly enumeration of trusted/untrusted certificates  [Martin Willi, 2013-07-18, 2 files, -1/+118]
| |
| * keychain: add a stub for a credential plugin using OS X Keychain Services  [Martin Willi, 2013-07-18, 7 files, -0/+258]
| |
| * credmgr: stop querying for secrets once we get a perfect match  [Martin Willi, 2013-07-18, 1 file, -0/+4]
| |
| * credmgr: don't use pointers for id_match_t enum values  [Martin Willi, 2013-07-18, 1 file, -2/+2]
| |
| * openssl: parse X.509 extended key usage from extension parsing loop  [Martin Willi, 2013-07-18, 1 file, -33/+38]
| |   Otherwise parsing gets aborted if unknown critical extensions are handled as error.
| * openssl: show which critical X.509 extension is not supported  [Martin Willi, 2013-07-18, 1 file, -1/+6]
| |
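The two openssl commits above concern one pass over a certificate's extension list: parse the extensions the plugin understands (here extended key usage) inside that loop, and when a critical extension is not recognized, reject the certificate and say which OID caused it (RFC 5280 section 4.2 requires rejecting a certificate that carries an unrecognized critical extension). The following is an added example illustrating that logic; it is not strongSwan's openssl plugin code. It uses hand-written minimal DER helpers rather than OpenSSL, the sample extension lists are constructed in the block and are not real certificates, and the OID 1.3.6.1.4.1.99999.1 is a made-up placeholder under the private-enterprise arc.

```python
"""Single-pass X.509 extension walk: parse EKU in the loop, report unknown
critical extensions by OID.  Added example with hand-rolled DER, not strongSwan code."""

OID_EKU = "2.5.29.37"                       # extKeyUsage
OID_BASIC_CONSTRAINTS = "2.5.29.19"
KNOWN = {OID_EKU, OID_BASIC_CONSTRAINTS}    # extensions this parser understands
EKU_NAMES = {                               # key purposes from RFC 5280 / RFC 4945
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.7.3.17": "ipsecIKE",
}


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content octets to dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_extensions(ext_der):
    """Walk Extensions ::= SEQUENCE OF Extension once.  Known extensions are
    parsed here (EKU); unknown non-critical ones are ignored; unknown critical
    ones are recorded by OID so the rejection can name them."""
    tag, seq, _ = _read_tlv(ext_der, 0)
    if tag != 0x30:
        raise ValueError("Extensions is not a SEQUENCE")
    result = {"eku": [], "unknown_critical": [], "ignored": []}
    pos = 0
    while pos < len(seq):
        tag, ext, pos = _read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("Extension is not a SEQUENCE")
        tag, oid_raw, p = _read_tlv(ext, 0)
        if tag != 0x06:
            raise ValueError("extnID is not an OBJECT IDENTIFIER")
        oid = _decode_oid(oid_raw)
        critical = False
        tag, val, p = _read_tlv(ext, p)
        if tag == 0x01:                     # optional BOOLEAN critical (DEFAULT FALSE)
            critical = val != b"\x00"
            tag, val, p = _read_tlv(ext, p)
        if tag != 0x04:
            raise ValueError("extnValue is not an OCTET STRING")
        if oid == OID_EKU:                  # ExtKeyUsageSyntax ::= SEQUENCE OF OID
            _, purposes, _ = _read_tlv(val, 0)
            q = 0
            while q < len(purposes):
                _, kp_raw, q = _read_tlv(purposes, q)
                kp = _decode_oid(kp_raw)
                result["eku"].append(EKU_NAMES.get(kp, kp))
        elif oid in KNOWN:
            pass                            # handled by other parsers in a full implementation
        elif critical:
            result["unknown_critical"].append(oid)
        else:
            result["ignored"].append(oid)
    return result


def acceptable(parsed):
    """RFC 5280 s4.2: reject if any critical extension is unrecognized."""
    return not parsed["unknown_critical"]


# --- constructed sample input (not a real certificate) ---------------------
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))


def _ext(oid, value, critical=False):
    flag = _tlv(0x01, b"\xff") if critical else b""
    return _tlv(0x30, _oid(oid) + flag + _tlv(0x04, value))


UNKNOWN_OID = "1.3.6.1.4.1.99999.1"         # made-up placeholder OID
EKU_VALUE = _tlv(0x30, _oid("1.3.6.1.5.5.7.3.17") + _oid("1.3.6.1.5.5.7.3.1"))
# EKU plus an unknown extension flagged critical: rejected, but EKU is still parsed
SAMPLE_REJECT = _tlv(0x30, _ext(OID_EKU, EKU_VALUE) + _ext(UNKNOWN_OID, b"\x05\x00", critical=True))
# same unknown extension, non-critical: ignored, certificate acceptable
SAMPLE_OK = _tlv(0x30, _ext(OID_EKU, EKU_VALUE) + _ext(UNKNOWN_OID, b"\x05\x00"))

if __name__ == "__main__":
    for name, der in (("reject", SAMPLE_REJECT), ("ok", SAMPLE_OK)):
        r = parse_extensions(der)
        print(name, r, "OK" if acceptable(r) else "unsupported critical extension %s" % r["unknown_critical"])
```

The point of doing the EKU parse inside the loop is that the result is complete even when the same walk ends in a rejection: the log line can carry both the offending OID and what was understood, instead of aborting before the known extensions were looked at.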
| * hashtable: add common hashtable hash/equals functions for pointer/string keys  [Martin Willi, 2013-07-18, 2 files, -3/+68]
| |
| * thread: implicitly create thread_t if an external thread calls thread_current()  [Martin Willi, 2013-07-18, 1 file, -1/+14]
|/
* ike: Fix reestablishing SAs if no child-creating tasks are queued  [Tobias Brunner, 2013-07-18, 1 file, -2/+5]
|
* ike-sa: uninstall CHILD_SAs before removing virtual IPs  [Martin Willi, 2013-07-18, 1 file, -1/+8]
|   a3854d83 changed cleanup order. But we should remove CHILD_SAs first, as routes for CHILD_SAs might get deleted while removing virtual IPs, resulting in an error when a CHILD_SA tries to uninstall its route.
* unity: Replicate default behavior if no UNITY_SPLIT_INCLUDE attributes were received  [Tobias Brunner, 2013-07-17, 1 file, -11/+32]
|
* unity: Allow UNITY_LOCAL_LAN to be longer than 8 bytes  [Tobias Brunner, 2013-07-17, 1 file, -1/+1]
|
* unity: Fix memory leak in provider  [Tobias Brunner, 2013-07-17, 1 file, -0/+1]
|
* ipsec.conf.5: closeaction is now supported for IKEv1  [Tobias Brunner, 2013-07-17, 1 file, -2/+1]
|
* ikev1: Reestablish IKE_SA/CHILD_SAs if it gets deleted by the peer  [Tobias Brunner, 2013-07-17, 1 file, -0/+5]
|   We call ike_sa_t.reestablish() so the IKE_SA is only recreated if any CHILD_SA requires it.
* ike: Migrate queued CHILD_SA-creating tasks when reestablishing an IKE_SA  [Tobias Brunner, 2013-07-17, 4 files, -2/+115]
|
* ikev1: Support closeaction of CHILD_SA.  [Oliver Smith, 2013-07-17, 1 file, -7/+49]
|   When a CHILD_SA is closed in IKEv1, if it is not being rekeyed and closeaction has been set, we can now perform a restart or hold as is currently done for IKEv2.
* Merge branch 'kernel-pfroute-mobility'  [Tobias Brunner, 2013-07-17, 4 files, -49/+470]
|\    This improves the behavior of the kernel-pfroute plugin (and sometimes the kernel-pfkey plugin) in case of mobility, mostly when used as a client but also as gateway, if clients are mobile.
| * kernel-pfroute: Ignore IP address changes if address is %any  [Tobias Brunner, 2013-07-17, 1 file, -1/+2]
| |
| * kernel-pfroute: Properly enumerate sockaddrs in interface messages  [Tobias Brunner, 2013-07-17, 1 file, -9/+26]
| |   The ifa_msghdr and rt_msghdr structs are not compatible (at least not on FreeBSD).
| * kernel-pfroute: Provide name of interfaces on which virtual IPs are installed  [Tobias Brunner, 2013-07-17, 2 files, -1/+23]
| |
| * kernel-pfroute: Ignore virtual IPs in address map  [Tobias Brunner, 2013-07-17, 1 file, -13/+9]
| |   As the virtual flag is set after the address has been added to the map, we make sure we ignore virtual IPs when doing lookups.
| * kernel-pfroute: Make sure source addresses are not virtual and usable  [Tobias Brunner, 2013-07-17, 1 file, -4/+20]
| |   It seems we sometimes get the virtual IP as source (with rightsubnet=0.0.0.0/0) even if the exclude route is already installed. Might be a timing issue because shortly afterwards the lookup seems to succeed.
| * kernel-pfroute: Don't report an error when trying to reinstall a route  [Tobias Brunner, 2013-07-17, 1 file, -0/+4]
| |
| * kernel-pfkey: Provide interface name when installing exclude route  [Tobias Brunner, 2013-07-17, 1 file, -4/+15]
| |
| * kernel-pfroute: Reinstall routes on interface/address changes  [Tobias Brunner, 2013-07-17, 1 file, -7/+320]
| |
| * kernel-pfroute: Trigger a roam event if a new interface appears  [Tobias Brunner, 2013-07-17, 1 file, -0/+4]
| |
| * kernel-pfroute: Use ref_get() to allocate sequence numbers  [Tobias Brunner, 2013-07-17, 1 file, -3/+3]
| |
| * kernel-pfroute: Make time that is waited for VIPs to appear configurable  [Tobias Brunner, 2013-07-17, 2 files, -2/+14]
| |   One second might be too short for IPs to appear/disappear, especially on virtualized hosts.
| * kernel-pfroute: Retry route lookup without source address on failure  [Tobias Brunner, 2013-07-17, 1 file, -1/+16]
| |   The known source address might be gone resulting in an error, making learning a new source address impossible.
| * kernel-pfkey: Remove latest IPsec SA mapping when deleting a policy  [Tobias Brunner, 2013-07-17, 1 file, -5/+12]
| |   If IPsec SAs are rekeyed due to an address change (e.g. because update_sa is not supported) the exact same policy with the same reqid will be installed, but with different addresses. After the rekeying the old SA and its policies are removed, using the first matching mapping breaks the mapping between the policies and the new SA (at least on FreeBSD, the Linux kernel might only use the reqid for this). Using the oldest matching SA is still an approximation but it solves the above issue.
| * kernel-pfkey: Correctly handle IPSEC_PROTO_ANY in an acquire  [Tobias Brunner, 2013-07-17, 1 file, -2/+5]
|/
* linked-list: Remove barely used has_more() method  [Tobias Brunner, 2013-07-17, 4 files, -152/+106]
|   This required some refactoring when handling encrypted payloads. Also changed log messages so that "encrypted payload" is logged instead of "encryption payload" (even if we internally still call it that) as that's the name used in RFC 5996.
* linked-list: Don't require an argument for the item when enumerating  [Tobias Brunner, 2013-07-17, 2 files, -1/+21]
|
* linked-list: Remove unused clone_function() method  [Tobias Brunner, 2013-07-17, 3 files, -53/+7]
|
* linked-list: Remove barely used find_last() method  [Tobias Brunner, 2013-07-17, 5 files, -72/+6]
|
* linked-list: Remove unused replace() method  [Tobias Brunner, 2013-07-17, 3 files, -65/+51]
|   Its functionality can be replicated by calling insert_before() followed by remove_at(). Not the other way around, though, because remove_at() changes the enumerator position.
* Merge branch 'array'  [Martin Willi, 2013-07-17, 24 files, -683/+1527]
|\    Introduces a new lightweight array collection having minimal memory overhead. The new class replaces various linked lists that are used during the full lifetime of an SA, reducing memory requirements by about 5KB or more per tunnel.
| * child-sa: refactor proxy transport mode address lookup  [Martin Willi, 2013-07-17, 1 file, -56/+42]
| |