aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* utils: Add wrappers for memcpy(3), memmove(3) and memset(3)Tobias Brunner2014-06-241-1/+33
| | | | | | | | These wrappers guarantee that calls to these functions are noops if the number of bytes is 0, as calling them with NULL pointers is undefined according to the C standard, even if the number of bytes is 0 (most implementations probably ignore the pointers anyway in this case, but lets make sure).
* pki: Also check for MAX_COMMANDS when building getopt_long argumentsTobias Brunner2014-06-241-1/+1
| | | | Completes 87e53819a6 and 0a8c399a21.
* Auxiliary swid_tagstats table boosts performanceAndreas Steffen2014-06-231-0/+14
|
* Merge branch 'algorithm-order'Tobias Brunner2014-06-204-5/+327
|\ | | | | | | | | | | | | | | Restores the behavior we had before 2e22333fb (except for RNGs), that is, algorithms are stored in the registration order again. Which is not optimal as we must rely on plugins to register them in a sensible order, but ordering them by identifier definitely caused weaker algorithms to be proposed first in the default proposal, which was even worse.
| * unit-tests: Add tests for DH factoryTobias Brunner2014-06-201-0/+157
| |
| * crypto-factory: Only sort RNGs by algorithm identifierTobias Brunner2014-06-201-5/+13
| | | | | | | | | | Others remain in the order in which they were added, grouped by algorithm identifier and sorted by benchmarking speed, if provided.
| * unit-tests: Add test for crypto_factory_t's rng_create methodTobias Brunner2014-06-203-0/+157
|/
* kernel-netlink: Install virtual IPv6 addresses as deprecatedTobias Brunner2014-06-201-0/+11
| | | | | | | | This should prevent the kernel's IPv6 source address selection algorithm from using this address unless it is forced to by our source route. This is helpful if split tunneling is used. Fixes #598.
* vici: Install libvici in ipseclibdir like we do with other librariesTobias Brunner2014-06-191-1/+1
|
* Merge branch 'shunt-policies-routes'Tobias Brunner2014-06-1910-34/+65
|\ | | | | | | Fixes #599.
| * kernel-netlink: Pass prefix when looking up next hop for shunt policiesTobias Brunner2014-06-191-1/+12
| |
| * kernel-netlink: Add support for destination prefix when determining next hopTobias Brunner2014-06-191-20/+35
| |
| * kernel-interface: Add destination prefix to get_nexthop()Tobias Brunner2014-06-1910-13/+18
|/ | | | | This allows to determine the next hop to reach a subnet, for instance, when installing routes for shunt policies.
* Merge branch 'passthrough-policies-priority'Tobias Brunner2014-06-1932-3298/+165
|\ | | | | | | | | | | | | Introduces a new priority class for policies, which allows us to install passthrough policies with a strictly higher priority than IPsec policies, which was not the case previously depending on the traffic selectors.
| * testing: Add ikev2/shunt-policies-nat-rw scenarioTobias Brunner2014-06-1912-0/+171
| |
| * testing: Remove ikev2/shunt-policies scenarioTobias Brunner2014-06-1910-166/+0
| | | | | | | | | | This scenario doesn't really apply anymore (especially its use of drop policies).
| * shunt-manager: Install passthrough policies with highest priorityTobias Brunner2014-06-191-9/+34
| | | | | | | | | | | | This avoids conflicts with regular IPsec policies. Similarly, use the lowest priority for drop policies.
| * libipsec: Add support for new policy priority classTobias Brunner2014-06-191-1/+4
| |
| * kernel-pfkey: Add support for new policy priority classTobias Brunner2014-06-191-2/+5
| |
| * kernel-netlink: Add support for new policy priority classTobias Brunner2014-06-191-2/+5
| |
| * ipsec: Add a fourth priority class for bypass policiesTobias Brunner2014-06-191-1/+3
| |
| * Remove kernel-klips pluginTobias Brunner2014-06-1910-3174/+0
|/
* kernel-netlink: Follow RFC 6724 when selecting IPv6 source addressesTobias Brunner2014-06-192-26/+174
| | | | | | | | Instead of using the first address we find on an interface we should consider properties like an address' scope or whether it is temporary or public. Fixes #543.
* Merge branch 'ipsec.conf-parser'Tobias Brunner2014-06-1928-1591/+2505
|\ | | | | | | | | | | | | | | | | | | | | | | | | Replaces the ipsec.conf parser in starter. The new parser is also based on flex/bison but it simply returns key/value collections of all sections. It already resolves also= and allows overriding options in all included sections (not only %default), options set in included section can also be cleared again (key=). It provides other improvements too, like quoted strings (with escape sequences), unlimited includes and better whitespace/comment handling. Fixes #423. Fixes #560.
| * starter: Don't directly refer to source files in Makefile for unit testsTobias Brunner2014-06-192-5/+8
| | | | | | | | | | Older versions of automake have trouble recursively cleaning such constructs properly.
| * starter: Explicitly allow @# at the beginning of stringsTobias Brunner2014-06-192-1/+4
| | | | | | | | | | Since we treat everything after # as comment identities of type ID_KEY_ID couldn't be parsed otherwise, unless quoted.
| * starter: Add --conftest option to test ipsec.conf syntaxTobias Brunner2014-06-191-0/+27
| |
| * starter: Remove old parserTobias Brunner2014-06-196-545/+4
| |
| * starter: Use new parser to read config fileTobias Brunner2014-06-194-769/+493
| |
| * starter: Move kw_entry_t definitionTobias Brunner2014-06-192-9/+10
| |
| * starter: Remove unused ARG_LST argument typeTobias Brunner2014-06-192-147/+5
| |
| * starter: Add tests for ipsec.conf parserTobias Brunner2014-06-197-0/+608
| |
| * unit-tests: Make fixture functions optionalTobias Brunner2014-06-191-2/+8
| |
| * starter: Add new bison/flex based parser for ipsec.confTobias Brunner2014-06-197-12/+1257
| | | | | | | | | | | | | | | | | | The parser simply returns key/value pairs of all sections, it already resolves also= and allows overriding options in all included sections (not only %default), options set in included section can also be cleared again (key=). It provides other improvements too, like quoted strings (with escape sequences), unlimited includes and better whitespace/comment handling.
| * starter: Remove out of date READMETobias Brunner2014-06-191-101/+0
| |
| * collections: Add interface for read-only dictionariesTobias Brunner2014-06-192-1/+56
| |
| * hashtable: Add destroy_function methodTobias Brunner2014-06-192-11/+37
|/
* stroke: Add --daemon optionTobias Brunner2014-06-191-124/+154
|
* starter: Use stream abstraction to communicate with stroke pluginTobias Brunner2014-06-191-33/+16
|
* stroke: Use stream abstraction to communicate with stroke pluginTobias Brunner2014-06-191-43/+23
| | | | | Without this changing charon.plugins.stroke.socket would not really work.
* winhttp: Fix a typo to properly release connection handleMartin Willi2014-06-191-1/+1
| | | | Fixes a rather large memory leak in HTTP fetches.
* load-tester: Add a crl option to include a CRL uri in generated certificatesMartin Willi2014-06-191-1/+21
|
* bus: Properly va_copy() argument list before passing it to printf() functionsMartin Willi2014-06-191-1/+3
| | | | | | | | As we later potentially use args again, we can't consume it with printf functions without copying it first. Clone list before passing it to any consuming function. Fixes #621.
* child-sa: Set replay window on both inbound and outbound SAMartin Willi2014-06-181-6/+2
| | | | | | | | While the outbound SA actually does not need a replay window, the kernel rejects zero replay windows on SAs using ESN. The ESN flag is required to use the full sequence number in ICV calculation, hence we set the replay window. This restores the behavior we had before 30c009c2.
* kernel-netlink: Never use XFRMA_REPLAY_ESN_VAL to configure zero replay windowsMartin Willi2014-06-181-1/+1
| | | | | | Trying to disable replay windows using the ESN attribute fails with EINVAL. Use non-ESN legacy format to disable replay windows, even if ESN has been negotiated over IKE.
* Added swanctl/net2net-route scenarioAndreas Steffen2014-06-189-0/+145
|
* Added swanctl/net2net-start scenarioAndreas Steffen2014-06-189-0/+140
|
* Minor changes in swanctl scenariosAndreas Steffen2014-06-187-5/+8
|
* The policy_started check is not needed any moreAndreas Steffen2014-06-181-4/+0
|
* Added swanctl --list-pols and swanctl --stats do scenario logAndreas Steffen2014-06-181-3/+12
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-04 03:50:33 +0000