Commit message  [Author, Date, Files changed, Lines removed/added]
...
| * left|rightrsasigkey accepts SSH keys but the key format has to be specified explicitly  [Tobias Brunner, 2013-05-07, 6 files, -21/+37]
|     The default is now PKCS#1. With the dns: and ssh: prefixes other formats can be selected.
| * sshkey: Added builder for SSHKEY RSA keys  [Tobias Brunner, 2013-05-07, 6 files, -1/+142]
| * Add sshkey plugin stub that will parse RFC 4253 public keys  [Tobias Brunner, 2013-05-07, 5 files, -0/+140]
| * Try to load raw keys from ipsec.conf as PKCS#1 blob first  [Tobias Brunner, 2013-05-07, 1 file, -5/+12]
|     The DNSKEY builder is quite eager and parses pretty much anything as RSA key, so this has to be done before.
| * charon-cmd: Add --agent option to authenticate using ssh-agent(1)  [Tobias Brunner, 2013-05-07, 4 files, -0/+72]
|     The socket path is read from the SSH_AUTH_SOCK environment variable. So using this with sudo might require the -E command line (or an appropriate sudoers config) to preserve the environment.
| * charon-cmd: Use loose matching of gateway identity  [Tobias Brunner, 2013-05-07, 1 file, -0/+1]
| * charon-cmd: Load pubkey plugin to load raw keys  [Tobias Brunner, 2013-05-07, 1 file, -1/+1]
|/
* testing: Don't run tests when building tkm  [Tobias Brunner, 2013-05-07, 1 file, -1/+1]
    The problem with XML/Ada described in 9c2aba27 actually occurs when running the tests here. Really fixes #336.
* testing: Don't run tests when building tkm-rpc  [Tobias Brunner, 2013-05-06, 1 file, -1/+1]
    There are issues with some versions of the XML/Ada library on i386, blocking the build of the testing environment when these tests are run. TKM tests won't work in such a case but at least make-testing does not block with this patch. Fixes #336.
* Merge branch 'tun-vip'  [Martin Willi, 2013-05-06, 20 files, -385/+1162]
|\
|     Beside some OS X love, this merge introduces virtual IP and route installation support on the pfkey/pfroute kernel interfaces. Each virtual IP gets installed on a dedicated TUN device. As Linux-like source routes are not supported, routes for the negotiated traffic selectors get installed using the TUN device. To prevent IKE packets from using those routes, special exclude routes get installed to the IKE gateway. This works for most road-warrior deployments, but certainly does not for some more exotic configurations, such as those using virtual-IP-to-host. Mobility is not yet supported, either.
| * kernel-pfroute: allow only one thread to do a route look up simultaneously  [Martin Willi, 2013-05-06, 1 file, -1/+8]
|     Otherwise we mess up the sequence number another thread is waiting for.
| * kernel-interface: query SAD for last use time if SPD query didn't yield one  [Martin Willi, 2013-05-06, 10 files, -16/+50]
| * child-sa: query SAD/SPD just for what we actually need to update statistics  [Martin Willi, 2013-05-06, 1 file, -2/+5]
| * kernel-pfkey: be less verbose about unexpected sequence numbers  [Martin Willi, 2013-05-06, 1 file, -1/+1]
| * kernel-pfkey: install exclude routes if kernel-net requires them  [Martin Willi, 2013-05-06, 1 file, -0/+152]
| * kernel-pfroute: add a feature flag requesting "exclude" routes  [Martin Willi, 2013-05-06, 2 files, -0/+9]
|     If routes installed along with policies covering the peer address affect local IKE/ESP packets, they won't get routed correctly. To work around this issue, the kernel interface can install "exclude" routes for the IKE peer. Not all networking backends require this workaround, hence we export a flag for it if it is required.
| * kernel-pfroute: remove unused interface address refcounting  [Martin Willi, 2013-05-06, 1 file, -11/+0]
| * kernel-pfroute: mark IPs installed on tun device as virtual  [Martin Willi, 2013-05-06, 1 file, -1/+24]
| * kernel-pfroute: install virtual IPs using dedicated tun devices  [Martin Willi, 2013-05-06, 1 file, -5/+91]
| * kernel-pfkey: when installing a route for a virtual IP, use its interface  [Martin Willi, 2013-05-06, 1 file, -1/+10]
|     When installing a route over a tun device for a virtual IP, the route must be set over the tun, not the IKE interface.
| * kernel-interface: get_address_by_ts() can tell if a returned IP is virtual  [Martin Willi, 2013-05-06, 5 files, -6/+31]
| * kernel-interface: support enumeration of virtual-only IPs  [Martin Willi, 2013-05-06, 3 files, -9/+20]
| * kernel-pfkey: refactor route installation to a dedicated function  [Martin Willi, 2013-05-06, 1 file, -74/+81]
| * kernel-pfroute: split /0 routes to avoid conflict with default route  [Martin Willi, 2013-05-06, 1 file, -0/+15]
| * kernel-pfkey: check if we have a gateway before comparing them  [Martin Willi, 2013-05-06, 1 file, -0/+1]
| * kernel-pfkey: install route along with input, not forward policies  [Martin Willi, 2013-05-06, 1 file, -20/+20]
|     As forwarding policies are not available on all systems (OS X), using the forward policy to attach the route is a bad pick. Using input policies allows OS X to install routes.
| * kernel-pfroute: rescan address list for an interface if its state changes  [Martin Willi, 2013-05-06, 1 file, -0/+43]
|     It seems that we don't get address notifications if the interface is down on OS X.
| * kernel-pfroute: add newly appearing interfaces to the interface cache  [Martin Willi, 2013-05-06, 1 file, -1/+22]
| * kernel-pfroute: implement get_nexthop()  [Martin Willi, 2013-05-06, 1 file, -6/+73]
| * kernel-pfroute: install and uninstall routes  [Martin Willi, 2013-05-06, 1 file, -2/+129]
| * kernel-pfroute: collect replies received for our own queries  [Martin Willi, 2013-05-06, 1 file, -4/+40]
| * kernel-pfroute: refactor PF_ROUTE message processing, use an enumerator  [Martin Willi, 2013-05-06, 1 file, -35/+117]
| * kernel-pfkey: use an int to set esp_port with a sysctl on OS X  [Martin Willi, 2013-05-06, 1 file, -2/+4]
| * kernel-pfroute: use INIT() macro for allocations  [Martin Willi, 2013-05-06, 1 file, -17/+21]
| * kernel-pfroute: use only a single PF_ROUTE socket for both events and queries  [Martin Willi, 2013-05-06, 1 file, -27/+11]
| * kernel-pfroute: fix length check when receiving PF_ROUTE messages  [Martin Willi, 2013-05-06, 1 file, -1/+1]
| * kernel-pfkey: remove obsolete pluto specific behavior  [Martin Willi, 2013-05-06, 1 file, -5/+1]
| * kernel-netlink: remove obsolete pluto specific behavior  [Martin Willi, 2013-05-06, 1 file, -7/+1]
| * tun_device: add a getter for the address previously passed to set_address()  [Martin Willi, 2013-05-06, 2 files, -0/+32]
| * tun_device: add a getter for the underlying file descriptor  [Martin Willi, 2013-05-06, 2 files, -0/+14]
| * tun-device: use host_create_netmask() to calculate interface netmask  [Martin Willi, 2013-05-06, 1 file, -49/+12]
| * host: add a netmask constructor taking the number of network bits  [Martin Willi, 2013-05-06, 2 files, -0/+57]
| * host: remove unused host_t.get_differences() method  [Martin Willi, 2013-05-06, 2 files, -39/+0]
| * host: print %#H format specifiers not as %any, but with the port  [Martin Willi, 2013-05-06, 1 file, -1/+1]
| * host: initialize sockaddr->sa_len if it is available  [Martin Willi, 2013-05-06, 1 file, -0/+14]
| * child-sa: pass traffic selector to add_sa() regardless of IPsec mode  [Martin Willi, 2013-05-06, 1 file, -14/+11]
|     This lets the kernel backend decide what to do with it, and in fact all kernel interfaces already handle this correctly.
| * socket-default: to bind to one dynamic port on OS X, create v4 socket before v6  [Martin Willi, 2013-05-06, 1 file, -1/+7]
|     It seems that the order of binding sockets of different address families to the same dynamic port must be v6-before-v4 on Linux, but v4-before-v6 on OS X.
| * socket-default: refactor socket pair opening to a function  [Martin Willi, 2013-05-06, 1 file, -27/+23]
| * socket-default: Don't try to send packet if we haven't a socket for given family  [Martin Willi, 2013-05-06, 1 file, -3/+4]
| * socket-default: Use -1 if socket is not available, as 0 is actually a valid fd  [Martin Willi, 2013-05-06, 1 file, -20/+23]