Commit message (Author, Age, Files, Lines)
...
| * kernel-netlink: Add non-dumping variants of echo and stress tests (Martin Willi, 2014-11-21, 1 file, -0/+84)
| |
| * kernel-netlink: Add test cases for successful and timing out retransmissions (Martin Willi, 2014-11-21, 2 files, -0/+90)
| |
| * kernel-netlink: Add a compile-time hook to simulate request message loss (Martin Willi, 2014-11-21, 1 file, -0/+15)
| |
| * kernel-netlink: Implement configurable Netlink request retransmission (Martin Willi, 2014-11-21, 1 file, -15/+86)
| |
| * kernel-netlink: Add a stress test with several threads doing Netlink exchanges (Martin Willi, 2014-11-21, 1 file, -0/+62)
| |
| * kernel-netlink: Retry netlink query while kernel returns EBUSY (Martin Willi, 2014-11-21, 1 file, -3/+37)
| |   If the kernel can't execute a Netlink query because a different query is already active, it returns EBUSY. As this can happen now as we support parallel queries, retry on this error condition.
| * kernel-netlink: Support parallel Netlink queries (Martin Willi, 2014-11-21, 1 file, -74/+192)
| |   Instead of locking the socket exclusively to wait for replies, use watcher to wait for and read in responses asynchronously. This allows multiple parallel Netlink queries, which can significantly improve performance if the kernel Netlink layer has longer latencies and supports parallel queries.
| |   For vanilla Linux, parallel queries don't make much sense, as it usually returns EBUSY for the relevant dump requests. This requires a retry, and in the end makes queries more expensive under high load.
| |   Instead of checking the Netlink message sequence number to detect multi-part messages, this code now relies on the NLM_F_MULTI flag to detect them. This has previously been avoided (by 1d51abb7). It is unclear if the flag did not work correctly on very old Linux kernels, or if the flag was not used appropriately by strongSwan. The flag seems to work just fine back to 2.6.18, which is a kernel still in use by RedHat/CentOS 5.
| * kernel-netlink: Add a simple send message test querying available links (Martin Willi, 2014-11-21, 3 files, -0/+70)
| |
| * kernel-netlink: Add a stub for a test-runner (Martin Willi, 2014-11-21, 4 files, -0/+85)
|/
* mem-pool: Fix potential memory leak and lost leases when reassigning leases (Tobias Brunner, 2014-11-11, 1 file, -2/+6)
|   If no offline leases are available for the current client and assigning online leases is disabled, and if all IPs of the pool have already been assigned to clients we look for offline leases that previously were assigned to other clients. In case the current client has online leases the previous code would replace the existing mapping entry and besides resulting in a memory leak the online leases would be lost forever (even if the client later releases the addresses). If this happens repeatedly the number of available addresses would decrease even though the total number of online and offline leases seen in `ipsec leases` would indicate that there are free addresses available.
|   Fixes #764.
* android: New release based on 5.2.1 and after adding EAP-TLS (Tobias Brunner, 2014-11-06, 1 file, -3/+3)
|   Also enables support for IKEv2 fragmentation, provides improved MOBIKE handling and optionally enables PFS for CHILD_SAs.
* android: Build binaries for MIPS (Tobias Brunner, 2014-11-06, 1 file, -1/+1)
|
* android: Increase fragment size (Tobias Brunner, 2014-11-06, 1 file, -0/+3)
|   We use the same value we use as MTU on TUN devices.
* android: Enable IKEv2 fragmentation (Tobias Brunner, 2014-11-06, 1 file, -1/+1)
|
* Merge branch 'android-eap-tls' (Tobias Brunner, 2014-11-06, 14 files, -87/+101)
|\    This adds support for EAP-TLS authentication on Android. EAP-only authentication is currently not allowed because the AAA identity is not configurable, so to prevent anyone with a valid certificate from impersonating the AAA server and thus the gateway, we authenticate the gateway (like we do with other authentication methods). Also, it's currently not possible to select a specific CA certificate to authenticate the AAA server certificate, so it either must be issued by the same CA as that of the gateway or automatic CA certificate selection must be used.
| * android: Use %any as AAA identity, but disable EAP-only authentication (Tobias Brunner, 2014-11-06, 1 file, -5/+3)
| |   Without verification of the identity we can't prevent a malicious user with a valid certificate from impersonating the AAA server and thus the VPN gateway. So unless we make the AAA identity configurable we have to prevent EAP-only authentication.
| * android: Add support for signature schemes used by EAP-TLS (Tobias Brunner, 2014-11-06, 1 file, -19/+34)
| |
| * android: Allow enumeration of untrusted certificates (Tobias Brunner, 2014-11-06, 1 file, -1/+1)
| |
| * android: Handle EAP-TLS in Android service (Tobias Brunner, 2014-11-06, 1 file, -6/+19)
| |
| * android: Enable EAP-TLS plugin in the app (Tobias Brunner, 2014-11-06, 1 file, -1/+1)
| |
| * android: Add EAP-TLS VPN type to the GUI (Tobias Brunner, 2014-11-06, 6 files, -1/+7)
| |
| * android: Change how features of VPN types are stored and checked (Tobias Brunner, 2014-11-06, 5 files, -59/+41)
|/
* testing: Update tkm/multiple-clients/evaltest.dat (Reto Buerki, 2014-10-31, 1 file, -2/+1)
|   Since the CC context is now properly reset in the bus listener plugin, the second connection from host dave re-uses the first CC ID. Adjust the expect string on gateway sun accordingly.
* charon-tkm: Properly reset CC context in listener (Reto Buerki, 2014-10-31, 1 file, -7/+13)
|   Make sure that the acquired CC context is correctly reset and the associated ID released in the authorize() function of the TKM bus listener.
* charon-tkm: Add missing comma to enum (Reto Buerki, 2014-10-31, 1 file, -1/+1)
|   Add missing comma to tkm_context_kind_names enum definition.
* proposal: Add default PRF for HMAC-MD5-128 and HMAC-SHA1-160 integrity algorithms (Tobias Brunner, 2014-10-31, 1 file, -0/+2)
|
* Merge branch 'mem-pool-range' (Tobias Brunner, 2014-10-30, 16 files, -42/+590)
|\    Adds support to configure address pools as ranges (from-to) in ipsec.conf and swanctl.conf. The first and last addresses in subnet based pools are now skipped properly and the pools' sizes are adjusted accordingly. Which is also the case if pools are configured with an offset, e.g. 192.168.0.100/24, which reduces the number of available addresses from 254 to 155, and assignment now starts at .100 not .101, i.e. .100-.254 are assignable to clients.
| |   References #744.
| * host: Ignore spaces around - when parsing ranges (Tobias Brunner, 2014-10-30, 3 files, -9/+23)
| |
| * ike-cfg: Use host_create_from_range() helper (Tobias Brunner, 2014-10-30, 1 file, -16/+1)
| |
| * vici: Add support for address range definitions of pools (Tobias Brunner, 2014-10-30, 2 files, -9/+39)
| |
| * stroke: Add support for address range definitions of in-memory pools (Tobias Brunner, 2014-10-30, 2 files, -8/+36)
| |
| * host: Add function to create two hosts from a range definition (Tobias Brunner, 2014-10-30, 3 files, -0/+124)
| |
| * mem-pool: Add basic unit tests (Tobias Brunner, 2014-10-30, 3 files, -0/+233)
| |
| * libhydra: Add test runner (Tobias Brunner, 2014-10-30, 6 files, -0/+92)
| |
| * mem-pool: Correctly ignore first and last addresses of subnets and adjust size (Tobias Brunner, 2014-10-30, 1 file, -7/+49)
|/    Previously one more than the first and last address was ignored. And if the base address is not the network ID of the subnet we should not skip it. But we should adjust the size as it does not represent the actual number of IP addresses assignable.
* ikev1: Don't inherit children if INITIAL_CONTACT was seen (Thomas Egerer, 2014-10-30, 1 file, -1/+4)
|   Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* ikev1: Send INITIAL_CONTACT notify in Main Mode (Thomas Egerer, 2014-10-30, 1 file, -0/+28)
|   We currently send the notify in Main Mode only, as it is explicitly not allowed by RFC 2407 to send (unprotected) notifications in Aggressive Mode. To make that work, we'd need to handle that notify in Aggressive Mode, which could allow a MitM to inject such notifies and do some harm.
|   Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* Merge branch 'policy-constraints' (Martin Willi, 2014-10-30, 8 files, -53/+1255)
|\    Fixes handling of invalid policies in end entity certificates by not rejecting the full certificate, but just invalidating the affected policy. Additionally adds a bunch of unit tests for the constraints plugin, and some minor fixes to the nameConstraints handling. Currently we still reject CAs that use invalid policy mapping; we should accept such certificates and just invalidate affected policies in a next iteration.
| |   Fixes #453.
| * pki: Print and document the name constraint type for DNS or email constraints (Martin Willi, 2014-10-30, 3 files, -6/+46)
| |   As email constraints may be for a specific host, it is not clear from the name itself if it is a DNS or email constraint.
| * constraints: Add permitted/excludedNameConstraints check (Martin Willi, 2014-10-30, 3 files, -0/+400)
| |
| * constraints: Use a more specific FQDN/email name constraint matching (Martin Willi, 2014-10-30, 1 file, -22/+73)
| |   While RFC 5280 is not very specific about the matching rules of subjectAltNames, it has some examples how to match email and FQDN constraints. We try to follow these examples, and restrict DNS names to subdomain matching and email to full email, host or domain matching.
| * constraints: Add requireExplicitPolicy tests (Martin Willi, 2014-10-30, 1 file, -0/+44)
| |
| * constraints: Add inhibitAnyPolicy tests (Martin Willi, 2014-10-30, 1 file, -0/+44)
| |
| * constraints: Add inhibitPolicyMapping tests (Martin Willi, 2014-10-30, 1 file, -4/+83)
| |
| * constraints: Don't reject certificates with invalid certificate policies (Martin Willi, 2014-10-30, 1 file, -25/+97)
| |   Instead of rejecting the certificate completely if a certificate has a policy OID that is actually not allowed by the issuer CA, we accept it. However, the certificate policy itself is still considered invalid, and is not returned in the auth config resulting from trust chain operations.
| |   A user must make sure to rely on the returned auth config certificate policies instead of the policies contained in the certificate; even if the certificate is valid, the policy OID itself in the certificate is not to be trusted anymore.
| * constraints: Add certificate policy and policy mapping unit tests (Martin Willi, 2014-10-30, 3 files, -0/+472)
|/
* Merge branch 'id-type-prefix' (Martin Willi, 2014-10-30, 6 files, -57/+212)
|\    Introduce generic identity prefixes to enforce a specific type.
| * NEWS: Mention identity prefixes (Martin Willi, 2014-10-30, 1 file, -0/+9)
| |
| * swanctl: Document identity type prefixes (Martin Willi, 2014-10-30, 1 file, -3/+18)
| |
| * man: Document identification type prefixes in ipsec.conf(5) (Martin Willi, 2014-10-30, 1 file, -2/+27)
| |