aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
| * kernel-netlink: Use recv() instead of recvfrom()Martin Willi2014-09-241-11/+3
| | | | | | | | | | As we are not interested in the returned address, there is really no need in passing that argument.
| * kernel-netlink: Avoid casting the NLMSG_DATA() return valueMartin Willi2014-09-243-26/+26
| | | | | | | | There is really no need for doing so, and it makes the code just unreadable.
| * kernel-netlink: Define netlink buffer as an union having a netlink headerMartin Willi2014-09-244-21/+24
|/ | | | | This allows us to streamline the netlink buffers, and avoid extensive casting.
* Merge branch 'systemd'Martin Willi2014-09-2437-119/+981
|\ | | | | | | | | | | Introduces a systemd specific charon-systemd IKE daemon based on libcharon. Uses systemd APIs for startup control and journal logging and a new systemd service unit using swanctl as configuration backend.
| * travis: Disable build of native systemd IKE daemonMartin Willi2014-09-221-0/+1
| | | | | | | | | | Travis still uses Ubuntu 12.04, where no systemd libraries are available. Skip systemd support on Travis until we have a more recent Ubuntu distribution.
| * man: Skip installation of ipsec.conf/secrets manpages when not building starterMartin Willi2014-09-221-1/+5
| |
| * init: Update starter systemd service to distinguish it from strongswan-swanctlMartin Willi2014-09-222-1/+2
| |
| * init: Provide a service file for charon-systemd using swanctlMartin Willi2014-09-225-0/+28
| |
| * systemd: Check if ./configure detected a systemd system unit directoryMartin Willi2014-09-221-0/+7
| |
| * systemd: Discover and check systemd libraries with pkg-config during configureMartin Willi2014-09-222-1/+12
| |
| * systemd: Add a native systemd journal loggerMartin Willi2014-09-224-2/+200
| |
| * plugin-loader: Support a reload() callback for static featuresMartin Willi2014-09-229-12/+44
| |
| * systemd: Provide a charon-systemd daemon targeting full systemd integrationMartin Willi2014-09-226-5/+250
| |
| * swanctl: Complete --load-creds command summaryMartin Willi2014-09-221-1/+1
| |
| * swanctl: Fix description of load-pools command summaryMartin Willi2014-09-221-1/+1
| |
| * swanctl: Add a --load-all command, performing --load-{creds,pools,conns}Martin Willi2014-09-2210-97/+329
| |
| * swanctl: Add a --reload-settings commandMartin Willi2014-09-225-2/+93
| |
| * vici: Add a command to reload strongswan.confMartin Willi2014-09-221-0/+12
|/
* encoding: Accept all exchange types for non IKEv1/IKEv2 major versionsMartin Willi2014-09-221-5/+11
|
* settings: Make loading a NULL or empty pattern a (nop-)successMartin Willi2014-09-221-1/+1
|
* settings: Use strongswan.conf used during library initialization for reloadMartin Willi2014-09-224-14/+4
| | | | | | | | Since 4b670a20 we require an explicit strongswan.conf to re-load configurations. However, the define was missing in the build, breaking SIGHUP based config reloading. Fixes #651.
* library: Store the used root strongswan.conf configurationMartin Willi2014-09-222-7/+12
|
* testing: Use multiple jobs to install strongSwanTobias Brunner2014-09-191-1/+1
|
* testing: Add a script to build the current (or an arbitrary) source treeTobias Brunner2014-09-191-0/+65
| | | | | | | | | | | | | | This allows to (relatively) quickly (re-)build and install the current or an arbitrary strongSwan source tree within the root image. bindfs is used to bind mount the source directory using the regular user and group (only works if sudo is used to run the script) so that newly created files are not owned by root. As with building the root image in general the guests must not be running while executing this script. The guest images are automatically rebuilt after the root image has been updated so configuration files and other modifications in guests will be lost.
* testing: Add packages to rebuild strongSwan from the repositoryTobias Brunner2014-09-191-1/+2
|
* testing: Make strongSwan build recipe more configurableTobias Brunner2014-09-191-4/+13
|
* swanctl: Document --stats commandTobias Brunner2014-09-191-0/+3
|
* testing: Update certs and keys in tkm testsReto Buerki2014-09-176-0/+0
| | | | References #705.
* testing: Update x509-ada version to 0.1.1Reto Buerki2014-09-171-1/+1
| | | | Fixes #705.
* ikev2: Don't treat initial messages as MOBIKE exchangesTobias Brunner2014-09-161-6/+9
| | | | | The MOBIKE task is active during the initial exchanges but we don't want to treat them as actual MOBIKE exchanges (i.e. there is no path probing).
* ikev1: Don't cache last block of INFORMATIONAL messages as IVTobias Brunner2014-09-121-2/+2
| | | | | | | | | We don't expect a response with the same MID, but apparently some devices (e.g. FRITZ!Box) do that for DPDs, while still treating the response as a new exchange. By storing the last message block as IV we can't decrypt the first block of such a response. Fixes #661.
* ikev1: Log IV when encrypting messagesTobias Brunner2014-09-121-0/+1
|
* ikev1: Skip unusable IPComp proposalsTobias Brunner2014-09-121-1/+1
| | | | Fixes #661.
* ikev1: Properly handle different proposal numbering schemesTobias Brunner2014-09-121-5/+10
| | | | | | | | | | | | | | | | | | While the examples in RFC 2408 show proposal numbers starting at 1 and increasing by one for each subsequent proposal this is not mandatory. Actually, IKEv1 proposals may start at any number, the only requirement is that the proposal numbers increase monotonically they don't have to do so consecutively. Most implementations follow the examples and start numbering at 1 (charon, racoon, Shrew, Cisco, Windows XP, FRITZ!Box) but pluto was one of the implementations that started with 0 and there might be others out there. The previous assumption that implementations always start numbering proposals at 0 caused problems with clients that start numbering with 1 and whose first proposal consists of multiple protocols (e.g. ESP+IPComp). Fixes #661.
* kernel-netlink: Optionally install protocol and ports on transport mode SAsTobias Brunner2014-09-122-6/+27
|
* Merge branch 'mobike-fixes'Tobias Brunner2014-09-124-28/+167
|\ | | | | | | | | | | | | These changes improve the handling of MOBIKE tasks, for instance, when retransmitting and no path is available. Fixes #632.
| * ikev2: Reduce timeout if path probing was enabledTobias Brunner2014-09-121-6/+13
| |
| * ikev2: Defer MOBIKE updates if no path is availableTobias Brunner2014-09-121-7/+14
| |
| * ike-mobike: Allow calling transmit() even when not currently path probingTobias Brunner2014-09-121-5/+17
| | | | | | | | Path probing is enabled if the current path is not available anymore.
| * ikev2: Defer path probing if no path is currently availableTobias Brunner2014-09-121-1/+20
| | | | | | | | | | We do the same before initiating the task, so we should probably do it too when we already initiated it, not just time out and destroy the SA.
| * ike-mobike: Return FALSE in transmit() if no path was availableTobias Brunner2014-09-122-3/+7
| |
| * ikev2: Enable path probing for currently active MOBIKE taskTobias Brunner2014-09-121-0/+18
| | | | | | | | | | | | | | This might not be the case if e.g. an address appeared but the old one is still available but not actually usable. Without this the MOBIKE task would eventually time out even though we might be able to switch to a working address.
| * ike-mobike: Add method to enable path probingTobias Brunner2014-09-122-0/+12
| |
| * ike-mobike: Skip peer addresses we can't send packets to when checking pathsTobias Brunner2014-09-121-5/+18
| |
| * ikev2: Skip peer addresses we can't send packets to when looking for valid pathsTobias Brunner2014-09-121-0/+18
| |
| * ikev2: Insert MOBIKE tasks at the front of the queueTobias Brunner2014-09-121-1/+6
| | | | | | | | | | In case we have no usable path to the other peer there is no point in initiating any other tasks (like rekeying).
| * ikev2: Migrate number of pending MOBIKE updatesTobias Brunner2014-09-121-0/+5
| | | | | | | | | | This will probably never be more than 1 since we only have one task queued at a time and we don't migrate running tasks.
| * ikev2: Properly keep track of pending MOBIKE updatesTobias Brunner2014-09-121-8/+27
|/ | | | | | | | Because we only queue one MOBIKE task at a time, but destroy superfluous ones only after we already increased the counter for pending MOBIKE updates, we have to reduce the counter when such tasks are destroyed. Otherwise, the queued task would assume another task is queued when it is running and ignore any successful response.
* Merge branch 'android-pfs'Tobias Brunner2014-09-123-9/+69
|\ | | | | | | | | Changes how CHILD_SA rekeying errors are handled in the Android app and adds CHILD_SA proposals with DH groups.
| * android: Reduce CHILD_SA lifetimeTobias Brunner2014-09-121-2/+2
| |
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-05 15:39:24 +0000