aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* Version bump to 5.3.35.3.3Andreas Steffen2015-09-062-1/+8
|
* testing: added ikev2/alg-chacha20poly1305 scenarioAndreas Steffen2015-09-019-0/+106
|
* testing: update to Linux 4.2 kernelAndreas Steffen2015-09-013-4/+4471
|
* Version bump to 5.3.3rc25.3.3rc2Andreas Steffen2015-09-011-1/+1
|
* imv-os: Add some useful usage output to the pacman utilityTobias Brunner2015-08-311-2/+8
| | | | Fixes #487.
* kernel-netlink: Properly set port mask for ICMP type/code if only set on one ↵Tobias Brunner2015-08-311-7/+8
| | | | | | | | | | | | side If only one traffic selector had a port (type/code) the other side had the port mask set to 0, which canceled out the applied type/code. It also fixes the installation of ICMP type/code on big-endian hosts. Fixes #1091. References #595.
* kernel-pfkey: Properly encode ICMP type/code if only set on one sideTobias Brunner2015-08-311-34/+20
| | | | References #595.
* testing: Updated environment variable documentation in updown scriptsTobias Brunner2015-08-3114-14/+126
|
* libimcv: Updated Android.mk fileTobias Brunner2015-08-311-2/+5
|
* NEWS: Added additional newsTobias Brunner2015-08-281-13/+33
|
* eap-radius: Fix creation of host_t objects based on Framed-IPv6-Address ↵Tobias Brunner2015-08-281-1/+1
| | | | | | | attributes Fixes ec490e68ae37 ("eap-radius: Add support for some basic IPv6-specific RADIUS attributes"). References #1001.
* conf: Add documentation for new osx-attr optionTobias Brunner2015-08-282-0/+4
|
* pki: Add new type options to --issue command usage outputTobias Brunner2015-08-271-2/+2
|
* conf: Fix declaration of default values for imc-hcd optionsTobias Brunner2015-08-271-5/+5
|
* starter: Remove documentation for starter.load optionTobias Brunner2015-08-271-3/+0
|
* eap-ttls: Limit maximum length of tunneled EAP packet to EAP-TTLS packetTobias Brunner2015-08-271-1/+8
|
* trap-manager: Cleanup local address in error casesTobias Brunner2015-08-271-0/+2
|
* imv-os: Properly free strings for invalid input in pacmanTobias Brunner2015-08-271-0/+11
|
* ha: Close control FIFO if it is not validTobias Brunner2015-08-271-0/+4
|
* swanctl: Correctly build man page in out-of-tree builds from the repositoryTobias Brunner2015-08-271-1/+1
|
* Fixed some typos, courtesy of codespellTobias Brunner2015-08-273-3/+3
|
* Fix some Doxygen issuesTobias Brunner2015-08-277-8/+11
|
* unit-tests: Additional test cases to increase coverageTobias Brunner2015-08-272-9/+611
|
* traffic-selector: Use calc_netbits() in RFC 3779 constructorTobias Brunner2015-08-271-2/+1
| | | | This properly detects prefixes encoded as ranges.
* ike: Fix half-open count for initiating SAs when initially checked inTobias Brunner2015-08-271-0/+6
|
* ike: Only consider number of half-open SAs as responder when deciding ↵Tobias Brunner2015-08-276-19/+45
| | | | whether COOKIEs are sent
* Version bump to 5.3.3rc1Andreas Steffen2015-08-251-1/+1
|
* Added some spaces in swanctl.confAndreas Steffen2015-08-252-8/+8
|
* vici: Handle closed sockets in the Ruby gemEvan Broder2015-08-241-1/+5
| | | | | | | | | | | | | | | | From recvfrom(2) (which UDPSocket#recv backs into): The return value will be 0 when the peer has performed an orderly shutdown. (i.e. it will return an empty string) Previously in this scenario, Vici::Transport#recv_all would spin forever trying to pull more data off the socket. I'm not entirely clear what happened that caused strongSwan to shutdown the socket, but it probably should not cause vici Ruby apps to spin. Closes strongswan/strongswan#13.
* Merge branch 'starter-kernel-flush'Tobias Brunner2015-08-216-34/+71
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Removes flushing of the IPsec state in the kernel when starter terminates. We can't easily flush only the policies created for IPsec SAs (and if installpolicies=no is used we don't want to flush policies anyway). Also, since existing policies don't cause errors anymore these aren't really an issue anymore (I think this was one of the main reasons to flush the state). This behavior is also specific to starter, so nothing is flushed when charon is used via systemd/swanctl. This will also allow us to merge libhydra with libcharon in a future release. If the previous behavior is needed it can easily be replicated with some external tools (we could also write a simple utility that does this). Additional checks in the test environment make sure that the daemon cleans up the state properly.
| * testing: Let test scenarios fail if IPsec SAs or policies are not removedTobias Brunner2015-08-211-0/+18
| | | | | | | | | | The IKE daemon should delete all installed SAs and policies when everything works properly, so we fail the test if that's not the case.
| * testing: Flush state and policies before every scenarioTobias Brunner2015-08-211-0/+8
| | | | | | | | Similar to conntrack we make sure we are working on a clean slate.
| * starter: Don't flush SAs in the kernelTobias Brunner2015-08-213-14/+0
| | | | | | | | | | If starter is not used we don't do that either. And this allows us to move the stuff in libhydra back to libcharon.
| * starter: Don't flush policies in the kernelTobias Brunner2015-08-211-1/+0
| | | | | | | | | | | | | | | | | | | | | | We can't control which policies we flush, so if policies are installed and used outside of strongSwan for other protocols we'd flush them too. And if installpolicies=no is used we probably shouldn't flush policies either. Luckily already existing policies are not treated as fatal errors anymore, so not flushing policies should not be that much of an issue (in case of a crash in dynamic setups, e.g. with virtual IPs, policies could be left behind even after restarting the connections and properly terminating the daemon).
| * kernel-pfkey: Only flush SAs of types we actually manageTobias Brunner2015-08-211-13/+26
| |
| * kernel-netlink: Only flush SAs of types we actually manageTobias Brunner2015-08-211-6/+19
|/
* Merge branch 'init-limits'Tobias Brunner2015-08-2120-21/+171
|\ | | | | | | | | | | | | IKE_SAs that are initiated are now counted towards the half-open IKE_SAs limit. Optionally it is possible to enforce limits towards the number of half-open IKE_SAs and the job load also when initiating SAs. This is currently only possible via VICI.
| * vici: Optionally check limits when initiating connectionsTobias Brunner2015-08-212-1/+7
| | | | | | | | | | If the init-limits parameter is set (disabled by default) init limits will be checked and might prevent new SAs from getting initiated.
| * vici: Add get_bool() convenience getter for VICI messagesTobias Brunner2015-08-213-0/+94
| |
| * controller: Optionally adhere to init limits also when initiating IKE_SAsTobias Brunner2015-08-2115-20/+71
| |
| * ike: Also track initiating IKE_SAs as half-openTobias Brunner2015-08-211-1/+0
|/
* stroke: Allow %any as local addressTobias Brunner2015-08-211-3/+7
| | | | | Actually, resolving addresses in `left` might be overkill as we'll assume left=local anyway (the only difference is the log message).
* stroke: Add an option to disable side-swapping of configuration optionsTobias Brunner2015-08-212-33/+51
| | | | | In some scenarios it might be preferred to ensure left is always local and no unintended swaps occur.
* ikev1: Assign different job priorities for inbound IKEv1 messagesTobias Brunner2015-08-211-2/+12
|
* testing: Fix typo in p2pnat/behind-same-nat scenarioTobias Brunner2015-08-211-2/+2
|
* child-rekey: Don't add a REKEY_SA notify if the child-create task is ↵Tobias Brunner2015-08-211-6/+9
| | | | deleting the SA
* child-create: Cache proposed IPsec protocolTobias Brunner2015-08-211-10/+13
| | | | | This allows us to DELETE CHILD_SAs on failures that occur before we retrieved the selected proposal.
* child-create: Don't attempt to delete the SA if we don't have all the ↵Tobias Brunner2015-08-211-8/+10
| | | | | | | information Since we only support single protocols we could probably guess it and always send a DELETE.
* child-rekey: Remove redundant migrate() call for child-create sub-taskTobias Brunner2015-08-211-2/+1
| | | | | | | When retrying due to a DH group mismatch this is already done by the child-create task itself. And in other cases where the task returns NEED_MORE we actually will need access to a possible proposal to properly delete it.
* child-create: Fix crash when retrying CHILD_SA rekeying due to a DH group ↵Tobias Brunner2015-08-211-0/+1
| | | | | | | | | | mismatch If the responder declines our KE payload during a CHILD_SA rekeying migrate() is called to reuse the child-create task. But the child-rekey task then calls the same method again. Fixes: 32df0d81fb46 ("child-create: Destroy nonceg in migrate()")
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-11 22:30:08 +0000