aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* testing: enforce xauth-eap in ikev1/xauth-rsa-eap-md5-radiusMartin Willi2013-07-291-1/+1
| | | | | As eap-radius now provides its own XAuth backend and eap-radius is loaded before xauth-eap, we have to enforce the exact XAuth backend to use.
* Merge branch 'xauth-radius'Martin Willi2013-07-2932-100/+740
|\ | | | | | | | | | | | | Implements verification of XAuth credentials using simple RADIUS User-Name and (encrypted) User-Password attributes. The XAuth backend is implemented in the eap-radius plugin, reusing all existing infrastructure and features found in that plugin, including RADIUS accounting.
| * testing: add a testcase for plain XAuth RADIUS authenticationMartin Willi2013-07-2916-0/+209
| |
| * charon-cmd: add --eap-identity and --xauth-username optionsMartin Willi2013-07-294-0/+37
| |
| * eap-radius: do RADIUS/IKE attribute forwarding in XAuth backendMartin Willi2013-07-292-1/+5
| |
| * eap-radius: support plain XAuth RADIUS authentication using User-PasswordMartin Willi2013-07-294-0/+253
| |
| * libradius: support encryption of User-Password attributesMartin Willi2013-07-291-0/+27
| |
| * utils: add round_up/down() helper functionsMartin Willi2013-07-292-0/+49
| |
| * libradius: refactor generic RADIUS en-/decryption function to a message methodMartin Willi2013-07-293-44/+85
| |
| * eap-radius: export function to build common attributes of Access-RequestMartin Willi2013-07-292-24/+39
| |
| * eap-radius: export function to process common attributes of Access-AcceptMartin Willi2013-07-292-31/+36
|/
* mem-pool: add option for reusing online leases, and disable it by defaultMartin Willi2013-07-291-1/+13
| | | | | | | | | | | Mainly for reauthentication with third party implementations, we allowed to reuse an online lease, but only for the same peer identity and when it explicitly requested the same address. This has always been problematic, because it changes the reqid of the CHILD_SA with the same traffic selectors, breaking the old tunnel. As we now reject such policy overwrites, this usually lets the installation of the new policies fail. We therefore disable reassignment of online leases by default.
* mem-pool: replace per-identity online/offline lists by more efficient arraysMartin Willi2013-07-291-48/+52
| | | | This saves two lists per connected peer identity, up to 0.4KB.
* mem-pool: refcount online lease when reassigning it to another tunnelMartin Willi2013-07-261-5/+28
| | | | | | | When we reassign an online lease for the same peer, we have to refcount it. Otherwise we would set it offline if one of the tunnels goes down, but it is actually still in use by a the second tunnel. This can finally lead in assigning the same virtual IP to different peers.
* ikev1: Always send ID payloads (traffic selectors) during Quick ModeTobias Brunner2013-07-251-26/+4
| | | | | | | Especially Windows 7 has problems if the peer does not send ID payloads for host-to-host connections (tunnel and transport mode). Fixes #319.
* watcher: Made notify array initialization compatible with older GCC versionsTobias Brunner2013-07-251-2/+1
|
* unit-tests: Add additional tests for host_tTobias Brunner2013-07-251-3/+551
|
* imv-attestation: Properly measure complete directoriesTobias Brunner2013-07-251-1/+1
|
* array: Number of items in get_size() is unsignedTobias Brunner2013-07-251-1/+1
| | | | | | Otherwise, array->esize is promoted to int and if array->esize * num results in a value > 0x7fffffff the return value would be incorrect due the implicit sign extension when getting cast to size_t.
* stream: Ensure UNIX socket path is null terminatedTobias Brunner2013-07-241-0/+1
|
* kernel-pfkey: Add sanity check when deleting policiesTobias Brunner2013-07-241-0/+5
|
* imv-os: check_packages() fails if product query failsTobias Brunner2013-07-241-0/+1
|
* pkcs5: Add missing break statements when checking crypto primitivesTobias Brunner2013-07-241-0/+2
|
* imv-scanner: Properly check snprintf() return valueTobias Brunner2013-07-241-5/+9
|
* socket-dynamic: Properly initialize IPv6 addressTobias Brunner2013-07-241-1/+1
|
* unit-tests: Add test for host_create_netmask()Tobias Brunner2013-07-244-1/+100
|
* host: Prevent overflow in host_create_netmask() if mask is 0 or 32/128Tobias Brunner2013-07-241-5/+7
|
* imv-attestation: Use proper cast for length when using %.*sTobias Brunner2013-07-241-2/+2
|
* tnc-ifmap: Use proper cast for length when using %.*sTobias Brunner2013-07-241-5/+6
|
* capabilities: Proper error handling when reading groupsTobias Brunner2013-07-241-1/+8
|
* strongswan.conf: Moved some stuff aroundTobias Brunner2013-07-231-23/+24
|
* ipsec: Add --piddir to retrieve the PID/socket directoryTobias Brunner2013-07-222-3/+11
|
* starter: Properly refer to the ipsec script if it was renamedTobias Brunner2013-07-223-2/+3
|
* coupling: Fix call to call_hook()Tobias Brunner2013-07-221-1/+1
|
* strongswan.conf: Add missing optionsTobias Brunner2013-07-221-10/+47
|
* charon-xpc: Use correct namespace when setting default settingsTobias Brunner2013-07-221-3/+3
|
* tnc-pdp: Fix reading port setting from strongswan.confTobias Brunner2013-07-221-1/+1
|
* fixed typo5.1.0rc1Andreas Steffen2013-07-191-1/+1
|
* updated some TNC scenariosAndreas Steffen2013-07-194-18/+59
|
* processor: force synchronous execute_job() if set_threads(0) has been calledMartin Willi2013-07-191-1/+1
| | | | | | During daemon shutdown, some idle threads might be lingering around even if set_threads(0) already has been called. To avoid any races, we enforce synchronous execution of the job.
* proposal: correctly enumerate registered AEADs to build default IKE proposalMartin Willi2013-07-191-6/+22
| | | | AEADs are not returned (anymore) with the encryption enumerator.
* Version bump to 5.1.0rc1Andreas Steffen2013-07-191-1/+1
|
* tkm: Properly refer to includes now that AM_CPPFLAGS is usedTobias Brunner2013-07-191-1/+1
|
* keychain: Use AM_CPPFLAGS instead of INCLUDESTobias Brunner2013-07-191-1/+1
|
* Fix various API doc issues and typosTobias Brunner2013-07-1826-49/+55
| | | | Partially based on an old patch by Adrian-Ken Rueegsegger.
* identification: parse identities having a "@@" prefix as ID_RFC822_ADDRMartin Willi2013-07-181-11/+10
| | | | Original patch by Gerald Richter.
* NEWS: mention watcher and stream servicesMartin Willi2013-07-181-0/+9
|
* Merge branch 'ipc-service'Martin Willi2013-07-1856-1106/+3141
|\ | | | | | | | | | | | | Adds network transparency and TCP support to the IPC interfaces of different plugins using the new stream and stream service classes. A central watcher thread can watch multiple file descriptors to handle connection requests for these and other services using only a single thread.
| * stream-service: move CAP_CHOWN check from plugins to service constructorMartin Willi2013-07-187-39/+7
| | | | | | | | | | A plugin service can be a TCP socket now, so it does not make much sense to strictly check for CAP_CHOWN.
| * processor: remove the now unused get_threads() method againMartin Willi2013-07-182-17/+0
| |
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-15 13:12:29 +0000