aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* pki: Declare correct section in pki --issue man pageTobias Brunner2014-01-241-1/+1
|
* NEWS: Add unit testing improvementsMartin Willi2014-01-241-0/+5
|
* ike: Restart inactivity counter after doing a CHILD_SA rekeyMartin Willi2014-01-232-3/+6
| | | | | | | | | | | | When doing a rekey for a CHILD_SA, the use counters get reset. An inactivity job is queued for a time unrelated to the rekey time, so it might happen that the inactivity job gets executed just after rekeying. If this happens, inactivity is detected even if we had traffic on the rekeyed CHILD_SA just before rekeying. This change implies that inactivity checks can't handle inactivity timeouts for rekeyed CHILD_SAs, and therefore requires that inactivity timeout is shorter than the rekey time to have any effect.
* child-sa: Add a getter for CHILD_SA install timeMartin Willi2014-01-232-0/+20
|
* Merge branch 'pam-session'Martin Willi2014-01-237-10/+276
|\ | | | | | | Add support for PAM session management in xauth-pam.
| * NEWS: Introduce PAM session managementMartin Willi2014-01-231-0/+3
| |
| * man: Document xauth-pam session optionMartin Willi2014-01-231-0/+3
| |
| * xauth-pam: Open/close a PAM session for each connected clientAndrea Bonomi2014-01-234-9/+265
| | | | | | | | Signed-off-by: Andrea Bonomi <a.bonomi@endian.com>
| * xauth-pam: Sanitize XAuth attributes before passing them to PAMMartin Willi2014-01-231-1/+5
|/
* Merge branch 'vendor-ids'Martin Willi2014-01-231-16/+63
|\ | | | | | | | | Refactors IKEv2 vendor ID handling, and introduces some IDs seen when talking to Cisco devices.
| * ikev2: Add Cisco FRAGMENTATION vendor IDMartin Willi2014-01-231-0/+2
| | | | | | | | Courtesy of C.J. Adams-Collier, ZeroLag Communications, Inc.
| * ikev2: Add Cisco Copyright vendor IDMartin Willi2014-01-231-0/+2
| | | | | | | | Courtesy of C.J. Adams-Collier, ZeroLag Communications, Inc.
| * ikev2: Add Cisco Delete Reason vendor IDMartin Willi2014-01-231-0/+2
| | | | | | | | Courtesy of C.J. Adams-Collier, ZeroLag Communications, Inc.
| * ikev2: Use a more dynamic vendor ID database, as we use with IKEv1Martin Willi2014-01-231-16/+57
|/
* Merge branch 'chunk-mmap'Martin Willi2014-01-2321-270/+475
|\ | | | | | | | | Introduces file mmap/munmap() wrappers and provides a fallback if mmap() is not supported. Replaces all mmap() uses by the new functions.
| * libpts: Use chunk_map() instead of non-portable mmap()Martin Willi2014-01-231-29/+5
| |
| * tnccs: Use chunk_map() instead of non-portable mmap()Martin Willi2014-01-232-27/+6
| |
| * pem: Use chunk_map() instead of non-portable mmap()Martin Willi2014-01-231-29/+6
| |
| * stroke: Use chunk_map() instead of non-portable mmap()Martin Willi2014-01-231-30/+6
| |
| * radattr: Use chunk_map() instead of non-portable mmap()Martin Willi2014-01-231-40/+8
| |
| * libfast: Use chunk_map() instead of non-portable mmap()Martin Willi2014-01-231-29/+10
| |
| * integrity-checker: Use chunk_map() instead of non-portable mmap()Martin Willi2014-01-231-31/+6
| |
| * chunk: Externalize error reporting in chunk_write()Martin Willi2014-01-236-30/+52
| | | | | | | | | | This avoids passing that arbitrary label just for error messages, and gives greater flexibility in handling errors.
| * chunk: Provide a fallback chunk_map() if mmap is not availableMartin Willi2014-01-232-2/+47
| |
| * chunk: Use dynamically allocated buffer in chunk_from_fd()Martin Willi2014-01-2310-25/+183
| | | | | | | | | | | | | | | | When acting on files, we can use fstat() to estimate the buffer size. On non-file FDs, we dynamically increase an allocated buffer. Additionally we slightly change the function signature to properly handle zero-length files and add appropriate unit tests.
| * chunk: Add functions to map file contents to a chunkMartin Willi2014-01-233-1/+149
|/
* Merge branch 'unity-fixes'Tobias Brunner2014-01-232-34/+54
|\ | | | | | | | | | | Improves compatibility with the Cisco and Shrew clients. Fixes #445.
| * unity: Send all traffic selectors in a single UNITY_SPLIT_INCLUDE attributeTobias Brunner2014-01-231-35/+47
| | | | | | | | Cisco clients only handle the first such attribute.
| * unity: Change local TS to 0.0.0.0/0 as responderTobias Brunner2014-01-231-4/+7
| | | | | | | | | | Cisco clients and Shrew expect a remote TS of 0.0.0.0/0 if Unity is used, otherwise Quick Mode fails.
| * unity: Send UNITY_SPLIT_INCLUDE attributes with proper paddingTobias Brunner2014-01-231-11/+16
|/ | | | | | The additional 6 bytes are not actually padding but are parsed by the Cisco client as protocol and src and dst ports (each two bytes but strangely only the first two in network order).
* Merge branch 'ipcomp'Tobias Brunner2014-01-2341-11/+522
|\ | | | | | | | | | | | | | | Fixes compatibility issues between firewall rules (leftfirewall=yes) and IPComp (compress=yes), plus issues with IPComp when used with multiple subnets in left|rightsubnet. Fixes #436.
| * testing: Add ikev2/host2host-transport-nat scenarioTobias Brunner2014-01-239-0/+146
| |
| * testing: Add ipv6/rw-compress-ikev2 scenarioTobias Brunner2014-01-239-0/+125
| |
| * testing: Add ikev2/compress-nat scenarioTobias Brunner2014-01-2312-0/+187
| |
| * testing: Enable firewall for ikev2/compress scenarioTobias Brunner2014-01-238-7/+14
| | | | | | | | | | Additionally, send a regular (small) ping as the kernel does not compress small packets and handles those differently inbound.
| * kernel-netlink: Set selector on transport mode IPComp SAsTobias Brunner2014-01-231-1/+1
| |
| * kernel-netlink: Selectively add selector on SAs that use IPCompTobias Brunner2014-01-231-1/+7
| | | | | | | | | | | | Don't add a selector to tunnel mode SAs, these might serve multiple traffic selectors but with only one selector on the SA only the traffic matching the first one would actually get tunneled.
| * updown: Increase buffer size for script and environment variablesTobias Brunner2014-01-231-1/+1
| |
| * updown: Allow IPIP traffic if IPComp was negotiatedTobias Brunner2014-01-231-0/+31
| | | | | | | | | | | | | | | | | | | | | | The kernel implicitly creates an IPIP SA if an IPComp SA is installed. This SA is used inbound for small packets that are not compressed. Since the addresses are different (they are the tunnel addresses not those of the tunneled traffic) additional rules are required if the traffic selector does not cover the tunnel addresses (e.g. due to a NAT). For SAs with multiple traffic selectors duplicate rules will get installed.
| * updown: Add PLUTO_IPCOMP to indicate if IPComp was negotiatedTobias Brunner2014-01-232-1/+10
|/
* curl: Replace spaces in URIs with %20Tobias Brunner2014-01-231-3/+14
| | | | | | | cURL requires the URIs to be URL-encoded. Apparently, some CAs encode CRL URIs with spaces in them. Fixes #454.
* utils: Add strreplace functionTobias Brunner2014-01-233-2/+155
|
* stroke: Ensure the buffer of strings in a stroke_msg_t is null-terminatedTobias Brunner2014-01-231-2/+5
| | | | | Otherwise a malicious user could send an unterminated string to cause unterminated reads.
* stroke: Add an option to prevent log level changes via stroke socketTobias Brunner2014-01-232-2/+18
|
* pki: Make sure no command registers too many optionsTobias Brunner2014-01-232-4/+11
|
* pki: Increase MAX_COMMANDS to cover all currently available commandsTobias Brunner2014-01-231-2/+2
| | | | Fixes #452.
* pki: Print a warning if MAX_COMMANDS is too lowTobias Brunner2014-01-231-0/+7
|
* pki: Properly use ?: when defining option arraysTobias Brunner2014-01-231-2/+2
|
* configure: Add -Wno-format-security to default CFLAGSTobias Brunner2014-01-231-1/+1
| | | | | | Either due to a change in Ubuntu 13.10 or GCC 4.8 -Wno-format has no effect if -Wformat-security is enabled (which it is on Ubuntu) so we also disable the latter by default.
* agent: Keep CAP_DAC_OVERRIDE to connect to ssh-agent socketTobias Brunner2014-01-234-14/+10
| | | | This is also required if charon-cmd is used with capability dropping.
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-03 00:12:07 +0000