aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
| * unit-tests: test with /dev/urandom if random plugin is in useMartin Willi2013-06-211-0/+6
| |
| * unit-tests: test supported ECDSA schemes onlyMartin Willi2013-06-211-0/+14
| |
| * Move test-runners has_feature() function to plugin loaderMartin Willi2013-06-213-32/+40
| |
| * unit-tests: enforce CET/CEST timezone to properly test non-UTC time formattingMartin Willi2013-06-211-0/+6
| |
| * unit-tests: don't use ck_assert() to test a cleared chunk, as it allocates dataMartin Willi2013-06-211-3/+10
| | | | | | | | The new allocation might be in the freed area, affecting the test result.
| * unit-tests: define 64-bit constats with ULL, fixing compiler warning on 32-bitMartin Willi2013-06-211-2/+2
| |
| * Limit cleanup of .gc{no,da} files to src and scripts subfoldersMartin Willi2013-06-211-2/+2
| | | | | | | | | | Other folders in the build tree might not be related to the strongSwan tree, or are not even accessible.
| * unit-tests: test some zeroed ECDSA signatures that never should succeedMartin Willi2013-06-211-0/+63
| |
| * unit-tests: perform signing/validation with keys ECDSA keys generated or loadedMartin Willi2013-06-211-0/+47
| |
| * unit-tests: add an ECDSA test case loading keysMartin Willi2013-06-211-0/+61
| |
| * unit-tests: perform a first ECDSA test case if ECDSA is supportedMartin Willi2013-06-214-1/+58
| |
| * unit-tests: add a helper function checking if a plugin feature is availableMartin Willi2013-06-211-0/+32
| |
| * unit-tests: add a test case checking if all test vectors have been passedMartin Willi2013-06-214-1/+44
| |
| * crypto-factory: count the number of test vector failures during registrationMartin Willi2013-06-212-30/+73
| |
| * unit-tests: load all libstrongswan plugins in test-runnerMartin Willi2013-06-212-0/+7
|/
* stroke: Add statusall-nb as alias for statusallnbTobias Brunner2013-06-212-1/+2
|
* stroke: Add non-blocking versions of up and downTobias Brunner2013-06-213-5/+23
| | | | | | stroke up-nb and stroke down-nb do not block until the command has finished. Instead, they return right after initiating the respective operation.
* starter: Make ipsec.conf path configurable via command lineTobias Brunner2013-06-211-3/+14
|
* pubkey: Improve comparison of raw public key certificate objectsTobias Brunner2013-06-211-1/+11
|
* ikev2: use protocol of selected proposal to delete a failed CHILD_SAMartin Willi2013-06-201-2/+2
| | | | Depending on the failure, the protocol might not yet be set on the CHILD_SA.
* charon-cmd: use a copy of pid in initiate callbackMartin Willi2013-06-201-6/+7
| | | | | When cancelling a connection that gets established, cmd_connection_t gets freed before terminate() is called. This results in kill()ing invalid PID.
* charon-cmd: add IKEv1 aggressive mode profilesMartin Willi2013-06-203-10/+35
|
* NEWS: Add first bunch of 5.1.0 highlightsMartin Willi2013-06-201-0/+19
|
* Merge branch 'nat-transport'Martin Willi2013-06-194-60/+306
|\ | | | | | | | | | | Enable transport mode in NAT situations when using IKEv2. Additionally brings an extended leftsubnet format, where each subnet can take a separate protocol and port.
| * man: update ipsec.conf.5, describing new proto/port definition within leftsubnetMartin Willi2013-06-191-24/+34
| |
| * stroke: support %dynamic in left/rightsubnet for dynamic selectorsMartin Willi2013-06-191-2/+10
| | | | | | | | | | | | | | This has the same meaning as omitting left/rightsubnet, i.e. replace it by the IKE address. Supporting %dynamic allows configurations with multiple dynamic selectors in a left/rightsubnet, each with potentially different proto/port selectors.
| * kernel-netlink: install selectors on SA for transport/BEET mode without ↵Martin Willi2013-06-191-0/+6
| | | | | | | | | | | | | | | | proto/port If a transport/BEET SA has different selectors for different proto/ports, installing just the proto/port of the first SA would break any additional selector.
| * stroke: support a specific proto/port for each net defined in left/rightsubnetMartin Willi2013-06-191-3/+105
| |
| * ikev2: properly fall back to tunnel mode if transport/BEET mode not configuredMartin Willi2013-06-191-2/+8
| |
| * ikev2: support transport mode over NATMartin Willi2013-06-191-36/+150
|/
* Merge branch 'consistent-reqid'Martin Willi2013-06-194-9/+62
|\ | | | | | | | | | | | | | | | | | | Checks if a trap policy exists when installing a CHILD_SA as responder, reuse that reqid and keeping the trap untouched. This makes auto=route on both sides more reliable. In addition, we no prevent to refcount an existing policy if the reqid differs; this should not happen anymore. We now can properly reject new CHILD_SAs in such conflicts, instead of silently breaking an existing policy.
| * ike: reuse the reqid of an installed trap having the same configMartin Willi2013-06-191-1/+5
| | | | | | | | | | | | | | When we have a trap installed, but a CHILD_SA gets established for the same config from the peer, we should reuse the same reqid. Otherwise we would have two identical policies using different reqids, what we can't handle in our kernel backend.
| * trap-manager: add a method to find reqid for installed traps by configMartin Willi2013-06-192-2/+38
| |
| * trap-manager: don't check-in nonexisting IKE_SA if acquire failsMartin Willi2013-06-191-2/+1
| |
| * trap-manager: fix a memleak when installing a trap to %anyMartin Willi2013-06-191-0/+1
| |
| * kernel-netlink: reject policy refcount if the reqid differsMartin Willi2013-06-191-4/+17
|/ | | | | | | | | | | | | Previously we silently replaced an existing policy with a new one if the reqid changed for the same selectors. This will break an old policy in the favour of the new one (for example if two clients behind the same NAT use transport mode). With this change any new policy gets rejected if the reqid differs. This will make sure we break no existing policy. For rekeying and acquires we still can have overlapping policies (as we use the same reqid), but for unrelated connections this is not true anymore (it wasn't actually before, we just silently broke the existing policy).
* stroke: add exportconn{cert,chain} commands in addition to exportx509Martin Willi2013-06-195-7/+80
| | | | | The new commands either export a single end entity certificate or the full trust chain for a specific connection name.
* Raise an alert if the responding peer narrowed traffic selectorsMartin Willi2013-06-192-7/+28
|
* backtrace: use backtrace_symbols() only if we have backtrace() and dladdr() ↵Martin Willi2013-06-191-5/+16
| | | | fails
* utils: Remove volatile qualifier from refcount_t typedefTobias Brunner2013-06-191-2/+1
| | | | | It's not really required anymore (if it ever was) and may cause compiler warnings when using the non atomic versions of ref_get/ref_put.
* dhcp: search for transactions only for connections having a poolname "dhcp"Martin Willi2013-06-181-1/+6
| | | | | | When a connection has a single pool that queries recursively the DHCP backend, we shouldn't return any attributes directly from DHCP when queried for that pool.
* starter: ignore return value of sete[gu]id(), now having warn_unused_resultMartin Willi2013-06-181-5/+4
|
* socket-default: Make sure sockets are open when checking with FD_ISSETTobias Brunner2013-06-141-4/+4
|
* socket-default: Properly initialize NAT-T port if opening regular socket failedTobias Brunner2013-06-141-1/+2
|
* android: Forward initiator flag to libipsec when adding IPsec SATobias Brunner2013-06-131-2/+2
|
* libipsec: Add initiator flag to definition of ipsec_sa_mgr_t.add_sa()Tobias Brunner2013-06-131-2/+4
|
* Use subset matching instead of is_contained_in() to select a child_cfgMartin Willi2013-06-131-4/+8
| | | | | | | If one selector has a wider IP range than the other, but the other has a wider port/protocol selector than the first one, none is completely contained in the other. The check for a match using is_contained_in() therefore would fail. Using get_subset() can handle such cases, fixing configuration selection.
* ha: Fix CHILD_SA installation in ha_dispatcher after adding initiator flagTobias Brunner2013-06-131-4/+8
|
* kernel-interface: add an exchange initiator parameter to add_sa()Martin Willi2013-06-1114-35/+46
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This new flag gives the kernel-interface a hint how it should priorize the use of newly installed SAs during rekeying. Consider the following rekey procedure in IKEv2: Initiator --- Responder I1 -------CREATE-------> R1 I2 <------CREATE-------- -------DELETE-------> R2 I3 <------DELETE-------- SAs are always handled as pairs, the following happens at the SA level: * Initiator starts the exchange at I1 * Responder installs new SA pair at R1 * Initiator installs new SA pair at I2 * Responder removes old SA pair at R2 * Initiator removes old SA pair at I3 This makes sure SAs get installed/removed overlapping during rekeying. However, to avoid any packet loss, it is crucial that the new outbound SA gets activated at the correct position: * as exchange initiator, in I2 * as exchange responder, in R2 This should guarantee that we don't use the new outbound SA before the peer could install its corresponding inbound SA. The new parameter allows the kernel backend to install the new SA with appropriate priorities, i.e. it should: * as exchange inititator, have the new outbound SA installed with higher priority than the old SA * as exchange responder, have the new outbound SA installed with lower priority than the old SA While we could split up the SA installation at the responder, this approach has another advantage: it allows the kernel backend to switch SAs based on other criteria, for example when receiving traffic on the new inbound SA.
* Merge branch 'unique-sas'Martin Willi2013-06-114-8/+20
|\ | | | | | | Makes IKE_SA unique ID and CHILD_SA reqid counters atomic.
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-05 15:20:47 +0000