aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
| * vici: Use default Unix vici socket if none passed to ruby constructorMartin Willi2015-03-182-4/+7
| | | | | | | | | | While we currently have a static path instead of one generated with Autotools, this at least is congruent to what we have in the Python library.
| * vici: Support non-Unix sockets for vici connections using PythonMartin Willi2015-03-182-7/+9
| |
| * vici: Add python egg setuptools building and installation using easy_installMartin Willi2015-03-181-0/+15
| | | | | | | | | | | | An uninstall target is currently not supported, as there is no trivial way with either plain setuptools or with easy_install. pip would probably be the best choice, but we currently don't depend on it.
| * vici: Generate a version specific setup.py for setuptools installationMartin Willi2015-03-183-0/+41
| |
| * vici: Include python package in distributionMartin Willi2015-03-183-0/+10
| |
| * configure: Add --enable-python-eggs and --with-pythoneggdir optionsMartin Willi2015-03-181-0/+15
| | | | | | | | | | Detect easy_install for Python egg installation to install any egg we provide in strongSwan.
| * vici: Add python package MIT licenseBjörn Schuberg2015-03-182-0/+20
| |
| * vici: Expose Session as a top-level symbol in python packageBjörn Schuberg2015-03-181-0/+1
| |
| * vici: Introduce main API Session class in python packageBjörn Schuberg2015-03-181-1/+244
| |
| * vici: Add a python vici command execution handlerBjörn Schuberg2015-03-182-1/+134
| |
| * vici: Add vici python protocol handlerBjörn Schuberg2015-03-184-0/+199
|/
* Merge branch 'swanctl-pkcs12'Martin Willi2015-03-184-59/+246
|\ | | | | | | | | | | Add support for loading PKCS#12 containers from a swanctl/pkcs12 directory. Fixes #815.
| * swanctl: Cache entered PKCS#12 decryption secretMartin Willi2015-03-181-6/+23
| | | | | | | | | | It is usually used more than once, but most likely the same for decryption and MAC verification.
| * swanctl: Support loading PKCS#12 containers from a pkcs12 swanctl directoryMartin Willi2015-03-184-0/+128
| |
| * swanctl: Generalize private key decryption to support other credential typesMartin Willi2015-03-181-55/+97
|/
* encoding: Verify the length of KE payload data for known groupsMartin Willi2015-03-181-0/+67
| | | | | | | IKE is very strict in the length of KE payloads, and it should be safe to strictly verify their length. Not doing so is no direct threat, but allows DDoS amplification by sending short KE payloads for large groups using the target as the source address.
* ikev2: Migrate MOBIKE additional peer addresses to new SA after IKE_SA rekeyingMartin Willi2015-03-181-0/+6
|
* ikev2: Immediately initiate queued tasks after establishing rekeyed IKE_SAMartin Willi2015-03-185-0/+176
| | | | | | If additional tasks get queued before/while rekeying an IKE_SA, these get migrated to the new IKE_SA. We previously did not trigger initiation of these tasks, though, leaving the task unexecuted until a new task gets queued.
* Version bump to 5.3.0dr2Andreas Steffen2015-03-161-1/+1
|
* Replace kid by aik_id in ITA TBOOT functional componentAndreas Steffen2015-03-161-7/+2
|
* Fixed two BLISS key type identifier stringsAndreas Steffen2015-03-161-2/+2
|
* charon-systemd: Add missing semicolonMartin Willi2015-03-161-1/+1
| | | | References #887, fixes f3c83322.
* osx: Include eap-gtc plugin in build instructionsMartin Willi2015-03-161-1/+1
|
* Added availability of TNC AR IP address to IMVs to NEWS5.3.0dr1Andreas Steffen2015-03-151-0/+4
|
* Create TPM TBOOT Measurement groupAndreas Steffen2015-03-151-0/+18
|
* vici: Use %u to print stats returned by mallinfo(3)Tobias Brunner2015-03-131-4/+4
| | | | Fixes #886.
* stroke: Use %u to print stats returned by mallinfo(3)Tobias Brunner2015-03-131-1/+1
| | | | References #886.
* charon-systemd: Add support to configure user and group via strongswan.confTobias Brunner2015-03-131-6/+19
| | | | Fixes #887.
* eap-radius: Increase Acct-Session-ID string bufferMartin Willi2015-03-131-1/+1
| | | | | | | | As the startup timestamp needs 10 characters, we only have left 4 characters for the IKE_SA unique identifier. This is insufficient when having 10000 IKE_SAs or more established, resulting in non-unique session identifiers. Fixes #889.
* testing: Remove obsolete leftnexthop option from configsTobias Brunner2015-03-126-6/+0
|
* ikev2: Don't set old IKE_SA to REKEYING state during make-before-break reauthMartin Willi2015-03-111-1/+0
| | | | | | | | | We are actually not in rekeying state, but just trigger a separate, new IKE_SA as a replacement for the current IKE_SA. Switching to the REKEYING state disables the invocation of both IKE and CHILD_SA updown hooks as initiator, preventing the removal of any firewall rules. Fixes #885.
* ha: Destroy synced IKE_SA if no configuration is found during updateMartin Willi2015-03-101-0/+3
|
* ikev1: Don't handle DPD timeout job if IKE_SA got passiveMartin Willi2015-03-101-0/+6
| | | | | | While a passively installed IKE_SA does not queue a DPD timeout job, one that switches from active to passive might execute it. Ignore such a queued job if the IKE_SA is in passive state.
* testing: Don't check for exact IKEv1 fragment sizeMartin Willi2015-03-101-2/+2
| | | | | Similar to 7a9c0d51, the exact packet size depends on many factors we don't want to consider in this test case.
* testing: Fix active/passive role description in ha/both-active test caseMartin Willi2015-03-101-2/+2
|
* libipsec: Pass separate inbound/update flags to the IPsec SA managerMartin Willi2015-03-094-6/+10
| | | | | Similar to other kernel interfaces, the libipsec backends uses the flag for different purposes, and therefore should get separate flags.
* kernel-interface: Add a separate "update" flag to add_sa()Martin Willi2015-03-0910-17/+19
| | | | | | | | | | | The current "inbound" flag is used for two purposes: To define the actual direction of the SA, but also to determine the operation used for SA installation. If an SPI has been allocated, an update operation is required instead of an add. While the inbound flag normally defines the kind of operation required, this is not necessarily true in all cases. On the HA passive node, we install inbound SAs without prior SPI allocation.
* tkm: Use the inbound flag do determine peer role in CHILD_SA exchangeMartin Willi2015-03-091-5/+1
| | | | | This was not available during initial implementation, but fits just fine to avoid reconstructing the peer role.
* Revert "child-sa: Remove the obsolete update logic"Martin Willi2015-03-091-1/+6
| | | | | | | | | While the the meaning of the "inbound" flag on the kernel_interface->add_sa() call is not very clear, we still need that update logic to allow installation of inbound SAs without SPI allocation. This is used in the HA plugin as a passive node. This reverts commit 698ed656.
* Revert "ha: Always install the CHILD_SAs with the inbound flag set to FALSE"Martin Willi2015-03-091-2/+2
| | | | | | | | While this change results in the correct add/update flag during installation, it exchanges all other values in the child_sa->install() call. We should pass the correct flag, but determine the add/update flag by other means. This reverts commit e722ee5d.
* tkm: Disable RFC 7427 signature authenticationTobias Brunner2015-03-091-0/+4
| | | | | | TKM can't verify such signatures so we'd fail in the authorize hook. Skipping the algorithm identifier doesn't help if the peer uses anything other than SHA-1, so config changes would be required.
* ikev2: Move code in pubkey authenticator's build() method into separate ↵Tobias Brunner2015-03-091-85/+123
| | | | functions
* ikev2: Try all eligible signature schemesTobias Brunner2015-03-091-34/+71
| | | | | | Previously, we failed without recovery if a private key did not support a selected signature scheme (based on key strength and the other peer's supported hash algorithms).
* files: Add simple plugin to load files from file:// URIsTobias Brunner2015-03-097-1/+305
|
* daemon: Remove scheduled jobs before unloading pluginsTobias Brunner2015-03-091-1/+2
| | | | | | | Especially callback jobs might refer to memory that gets invalid after the plugins got unlaoded, so make sure we destroy these jobs before. References #840.
* scheduler: Add method to remove all scheduled jobsTobias Brunner2015-03-092-5/+21
| | | | References #840.
* plugin-loader: Increase log level for warning about plugin features that ↵Tobias Brunner2015-03-091-3/+3
| | | | | | | | | failed to load Since we can't get rid of all unmet dependencies (at least not in every possible plugin configuration) the message is more confusing than helpful. In particular because a detailed warning about plugin features that failed to load due to unmet dependencies is only logged on level 2.
* tls-peer: Make sure to use the right trusted public key for peerTobias Brunner2015-03-091-4/+8
| | | | | | | | | In case a CA certificate uses the same subject DN as the server the previous code could end up trying to verify the server's signature with the CA certificate's public key. By comparing the certificate with the one sent by the peer we make sure to use the right one. Fixes #849.
* pkcs11: Convert RFC 3279 ECDSA signatures when verifyingTobias Brunner2015-03-091-4/+33
| | | | References #873.
* pkcs11: Properly encode RFC 3279 ECDSA signaturesTobias Brunner2015-03-091-2/+19
| | | | Fixes #873.
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-04 19:24:56 +0000