Commit message | Author | Date | Files | Lines (removed/added)
...
* shunt-manager: Resolve %dynamic to %any4/6 before installing policies
  Tobias Brunner, 2015-09-16, 1 file, -7/+22
  left|rightsubnet default to %dynamic, which is basically 0.0.0.0/0 until an address is assigned to it. So if only one side was undefined and the other traffic selector was IPv6 an address family mismatch would occur. References #595.
* shunt-manager: Don't install policies in case of an address family or IP protocol mismatch
  Tobias Brunner, 2015-09-16, 1 file, -0/+20
  References #595.
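The two shunt-manager commits above describe a resolve-then-check step: a %dynamic selector is pinned to the other side's family before any policy is installed, and a pair whose families or IP protocols still disagree is not installed at all. The following is an added example in C that is not strongSwan's code; the ts_t layout, the function names, the return codes and the use of AF_INET/AF_INET6 to stand in for %any4/%any6 are assumptions made for this illustration.

```c
/* Added example (not strongSwan code): pin a %dynamic traffic selector to the
 * address family of the other side before a shunt policy is installed, and
 * refuse pairs whose families or IP protocols still disagree.  The ts_t
 * layout, the function names and the return codes are assumptions made for
 * this illustration; strongSwan's traffic_selector_t is richer than this. */
#include <stdbool.h>
#include <stdint.h>
#include <sys/socket.h>   /* AF_INET / AF_INET6 stand in for %any4 / %any6 */

typedef struct {
    int     family;    /* AF_INET or AF_INET6 */
    bool    dynamic;   /* %dynamic: no address assigned yet, i.e. "0.0.0.0/0" */
    uint8_t proto;     /* IP protocol, 0 = any */
} ts_t;

enum { TS_OK = 0, TS_ERR_FAMILY = -1, TS_ERR_PROTO = -2 };

/* %dynamic defaults to IPv4 (0.0.0.0/0); if the other side is concrete,
 * take its family instead so both selectors end up in the same family. */
static void resolve_dynamic(ts_t *ts, const ts_t *other)
{
    if (!ts->dynamic) {
        return;
    }
    ts->family  = other->dynamic ? AF_INET : other->family;
    ts->dynamic = false;
}

/* The pre-install checks: families must match, and two explicit protocols
 * must be the same (0 means "any" and is compatible with everything). */
static int check_pair(const ts_t *local, const ts_t *remote)
{
    if (local->family != remote->family) {
        return TS_ERR_FAMILY;
    }
    if (local->proto && remote->proto && local->proto != remote->proto) {
        return TS_ERR_PROTO;
    }
    return TS_OK;
}

/* Resolve first, then check; TS_OK means a policy may be installed. */
static int prepare_shunt_pair(ts_t *local, ts_t *remote)
{
    /* resolve against a snapshot so two %dynamic sides both land on IPv4 */
    ts_t remote_before = *remote;
    resolve_dynamic(local, &remote_before);
    resolve_dynamic(remote, local);
    return check_pair(local, remote);
}
```

The order matters: checking families before resolving %dynamic would reject every IPv6 shunt with an undefined local side, which is exactly the mismatch the first commit describes.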
* openssl: Explicitly include openssl/bn.h
  Tobias Brunner, 2015-09-16, 5 files, -0/+5
  If OpenSSL is compiled with OPENSSL_NO_DEPRECATED some of the headers we include don't include openssl/bn.h anymore. Therefore, we have to explicitly include it ourselves where we use BN_* functions. Fixes #1113.
* unit-tests: Add a test to verify that there is no partial matching of RDNs
  Tobias Brunner, 2015-09-09, 1 file, -0/+1
* scepclient: Remove copyright and license from man page
  Tobias Brunner, 2015-09-09, 1 file, -9/+0
* include: Add linux/socket.h
  Tobias Brunner, 2015-09-07, 2 files, -1/+22
  __kernel_sa_family_t is defined and used since Linux 3.1, so on systems with older kernels (like CentOS 6.7, which still ships a 2.6.32 kernel) the build with the current UAPI headers fails. And using the native headers on such a system does not really work either because we use structs, defines, and enum values from the newer headers in the kernel-netlink plugin. __kernel_sa_family_t is defined in linux/socket.h so we ship that too (in particular the simplified UAPI version from Linux 3.7+). Fixes #1099.
* Version bump to 5.3.3 (tag 5.3.3)
  Andreas Steffen, 2015-09-06, 2 files, -1/+8
* testing: added ikev2/alg-chacha20poly1305 scenario
  Andreas Steffen, 2015-09-01, 9 files, -0/+106
* testing: update to Linux 4.2 kernel
  Andreas Steffen, 2015-09-01, 3 files, -4/+4471
* Version bump to 5.3.3rc2 (tag 5.3.3rc2)
  Andreas Steffen, 2015-09-01, 1 file, -1/+1
* imv-os: Add some useful usage output to the pacman utility
  Tobias Brunner, 2015-08-31, 1 file, -2/+8
  Fixes #487.
* kernel-netlink: Properly set port mask for ICMP type/code if only set on one side
  Tobias Brunner, 2015-08-31, 1 file, -7/+8
  If only one traffic selector had a port (type/code) the other side had the port mask set to 0, which canceled out the applied type/code. It also fixes the installation of ICMP type/code on big-endian hosts. Fixes #1091. References #595.
* kernel-pfkey: Properly encode ICMP type/code if only set on one side
  Tobias Brunner, 2015-08-31, 1 file, -34/+20
  References #595.
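The kernel-netlink and kernel-pfkey commits above both concern the same encoding problem: an ICMP type/code configured on only one traffic selector must still produce a selector whose masks keep the type and code significant, and the values must land in the kernel in network byte order on big-endian hosts as well. The following is an added example in C, not strongSwan's code. It assumes the Linux XFRM convention of carrying the ICMP type in the source-port field and the code in the destination-port field, and assumes the traffic selector stores the pair as (type << 8) | code in its port value; the type and function names are made up for this illustration.

```c
/* Added example (not strongSwan code): derive an XFRM-style selector from
 * ICMP type/code carried in traffic-selector "ports".  Assumptions: type in
 * sport, code in dport (Linux XFRM convention); the TS stores (type << 8) |
 * code in host byte order; all names below are ours. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

typedef struct {
    bool     has_type_code;  /* false: any type/code (port range 0..65535) */
    uint16_t port;           /* (type << 8) | code when has_type_code is set */
} icmp_ts_t;

typedef struct {
    uint16_t sport, dport;            /* network byte order, as the kernel wants */
    uint16_t sport_mask, dport_mask;  /* 0 = wildcard, 0xffff = exact match */
} xfrm_sel_t;

static uint8_t icmp_type(uint16_t port) { return (uint8_t)(port >> 8); }
static uint8_t icmp_code(uint16_t port) { return (uint8_t)(port & 0xff); }

/* Build the selector.  Whichever side carries the type/code supplies it; both
 * masks are then set to exact, so a code of 0 (e.g. echo request 8/0) is
 * still enforced and a side without type/code cannot cancel the other.
 * Extracting with shifts on the host-order value and converting with htons()
 * keeps the result correct on big-endian hosts too.  Returns -1 if the two
 * sides specify different type/code values. */
static int encode_icmp_sel(icmp_ts_t src, icmp_ts_t dst, xfrm_sel_t *sel)
{
    uint16_t port;

    memset(sel, 0, sizeof(*sel));
    if (!src.has_type_code && !dst.has_type_code) {
        return 0;                      /* any ICMP: all masks stay 0 */
    }
    if (src.has_type_code && dst.has_type_code && src.port != dst.port) {
        return -1;
    }
    port = src.has_type_code ? src.port : dst.port;
    sel->sport = htons(icmp_type(port));
    sel->dport = htons(icmp_code(port));
    sel->sport_mask = 0xffff;
    sel->dport_mask = 0xffff;
    return 0;
}

/* Match the way the kernel does: compare the masked fields. */
static bool sel_matches(const xfrm_sel_t *sel, uint8_t type, uint8_t code)
{
    return ((htons(type) & sel->sport_mask) == (sel->sport & sel->sport_mask)) &&
           ((htons(code) & sel->dport_mask) == (sel->dport & sel->dport_mask));
}
```

A useful sanity check after installing such a policy on a real host is `ip xfrm policy` showing `proto icmp type 8 code 0` rather than a bare `proto icmp`, which is what a zeroed mask would produce.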
* testing: Updated environment variable documentation in updown scripts
  Tobias Brunner, 2015-08-31, 14 files, -14/+126
* libimcv: Updated Android.mk file
  Tobias Brunner, 2015-08-31, 1 file, -2/+5
* NEWS: Added additional news
  Tobias Brunner, 2015-08-28, 1 file, -13/+33
* eap-radius: Fix creation of host_t objects based on Framed-IPv6-Address attributes
  Tobias Brunner, 2015-08-28, 1 file, -1/+1
  Fixes ec490e68ae37 ("eap-radius: Add support for some basic IPv6-specific RADIUS attributes"). References #1001.
* conf: Add documentation for new osx-attr option
  Tobias Brunner, 2015-08-28, 2 files, -0/+4
* pki: Add new type options to --issue command usage output
  Tobias Brunner, 2015-08-27, 1 file, -2/+2
* conf: Fix declaration of default values for imc-hcd options
  Tobias Brunner, 2015-08-27, 1 file, -5/+5
* starter: Remove documentation for starter.load option
  Tobias Brunner, 2015-08-27, 1 file, -3/+0
* eap-ttls: Limit maximum length of tunneled EAP packet to EAP-TTLS packet
  Tobias Brunner, 2015-08-27, 1 file, -1/+8
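The eap-ttls subject above names a classic nested-length check: the EAP packet tunneled inside EAP-TTLS declares its own length, and that length must not exceed what the enclosing EAP-TTLS packet actually delivers. The following is an added example in C and not strongSwan's eap-ttls code; its framing is deliberately simplified (the inner EAP packet is assumed to follow the 6-byte EAP-TTLS header directly, with no L-flag message-length field, no TLS record and no AVP wrapping), and the sample packets are constructed for the example.

```c
/* Added example (not strongSwan code): bound a tunneled EAP packet by the
 * EAP-TTLS packet that carries it.  Framing is simplified: the inner EAP
 * packet is assumed to follow the 6-byte EAP-TTLS header directly (no L-flag
 * message-length field, no TLS record, no AVP), and the names are ours. */
#include <stddef.h>
#include <stdint.h>

#define EAP_HDR_LEN      4    /* code, identifier, 16-bit length */
#define EAP_TYPE_TTLS    21
#define EAPTTLS_HDR_LEN  6    /* EAP header + type + flags */

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Returns the declared length of the tunneled EAP packet, or -1 if either
 * header is truncated, the outer length exceeds the bytes received, or the
 * inner length is shorter than a header or longer than the outer payload. */
static int tunneled_eap_len(const uint8_t *pkt, size_t pkt_len)
{
    uint16_t outer_len, inner_len;
    const uint8_t *inner;
    size_t avail;

    if (pkt_len < EAPTTLS_HDR_LEN) {
        return -1;
    }
    outer_len = be16(pkt + 2);
    if (outer_len < EAPTTLS_HDR_LEN || outer_len > pkt_len) {
        return -1;                       /* outer EAP length vs. bytes on the wire */
    }
    if (pkt[4] != EAP_TYPE_TTLS) {
        return -1;
    }
    inner = pkt + EAPTTLS_HDR_LEN;
    avail = outer_len - EAPTTLS_HDR_LEN; /* what the EAP-TTLS packet really carries */
    if (avail < EAP_HDR_LEN) {
        return -1;
    }
    inner_len = be16(inner + 2);
    if (inner_len < EAP_HDR_LEN || inner_len > avail) {
        return -1;                       /* inner EAP length bounded by the outer packet */
    }
    return inner_len;
}

/* Constructed sample: EAP-TTLS packet (12 bytes) carrying an inner
 * EAP-Response/Identity "a" (6 bytes) */
static const uint8_t sample_ok[] = {
    0x01, 0x07, 0x00, 0x0c, 0x15, 0x00,   /* code 1, id 7, len 12, type 21, flags 0 */
    0x02, 0x07, 0x00, 0x06, 0x01, 'a'     /* inner: code 2, id 7, len 6, type 1, "a" */
};

/* Same packet, but the inner length field claims 256 bytes */
static const uint8_t sample_overlong[] = {
    0x01, 0x07, 0x00, 0x0c, 0x15, 0x00,
    0x02, 0x07, 0x01, 0x00, 0x01, 'a'
};
```

The point of checking against `avail` (derived from the outer length) rather than against `pkt_len` is that the outer length is the authoritative size of the EAP-TTLS packet; trailing bytes beyond it are not part of the packet and must not be handed to the inner EAP method either.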
* trap-manager: Cleanup local address in error cases
  Tobias Brunner, 2015-08-27, 1 file, -0/+2
* imv-os: Properly free strings for invalid input in pacman
  Tobias Brunner, 2015-08-27, 1 file, -0/+11
* ha: Close control FIFO if it is not valid
  Tobias Brunner, 2015-08-27, 1 file, -0/+4
* swanctl: Correctly build man page in out-of-tree builds from the repository
  Tobias Brunner, 2015-08-27, 1 file, -1/+1
* Fixed some typos, courtesy of codespell
  Tobias Brunner, 2015-08-27, 3 files, -3/+3
* Fix some Doxygen issues
  Tobias Brunner, 2015-08-27, 7 files, -8/+11
* unit-tests: Additional test cases to increase coverage
  Tobias Brunner, 2015-08-27, 2 files, -9/+611
* traffic-selector: Use calc_netbits() in RFC 3779 constructor
  Tobias Brunner, 2015-08-27, 1 file, -2/+1
  This properly detects prefixes encoded as ranges.
* ike: Fix half-open count for initiating SAs when initially checked in
  Tobias Brunner, 2015-08-27, 1 file, -0/+6
* ike: Only consider number of half-open SAs as responder when deciding whether COOKIEs are sent
  Tobias Brunner, 2015-08-27, 6 files, -19/+45
* Version bump to 5.3.3rc1
  Andreas Steffen, 2015-08-25, 1 file, -1/+1
* Added some spaces in swanctl.conf
  Andreas Steffen, 2015-08-25, 2 files, -8/+8
* vici: Handle closed sockets in the Ruby gem
  Evan Broder, 2015-08-24, 1 file, -1/+5
  From recvfrom(2) (which UDPSocket#recv backs into): "The return value will be 0 when the peer has performed an orderly shutdown." (i.e. it will return an empty string.) Previously in this scenario, Vici::Transport#recv_all would spin forever trying to pull more data off the socket. I'm not entirely clear what happened that caused strongSwan to shut down the socket, but it probably should not cause vici Ruby apps to spin. Closes strongswan/strongswan#13.
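The vici commit above rests on one contract from recvfrom(2): a return of 0 (an empty string in Ruby) means the peer has shut down, so a "read exactly n bytes" loop must give up instead of retrying. The following is an added example that is not strongSwan's code and, unlike the gem it illustrates, is written in C (the language used for the other examples on this page) so the contract can be exercised against a local socketpair without a running daemon; the function names and the sample payloads are ours.

```c
/* Added example (not strongSwan code; the vici gem itself is Ruby): the
 * recv contract the commit relies on, written in C.  recv() returning 0 means
 * the peer performed an orderly shutdown, so a "read exactly n bytes" loop
 * must give up rather than retry.  The two demo functions build a socketpair
 * so the behaviour can be exercised without a running daemon. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Fill buf with exactly len bytes; 0 on success, -1 on EOF or error. */
static int recv_all(int fd, void *buf, size_t len)
{
    uint8_t *p = buf;

    while (len > 0) {
        ssize_t n = recv(fd, p, len, 0);
        if (n == 0) {
            return -1;   /* orderly shutdown: the missing bytes will never arrive */
        }
        if (n < 0) {
            if (errno == EINTR) {
                continue;
            }
            return -1;
        }
        p   += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Peer writes 4 bytes and closes; we wanted 8.  Returns 1 if recv_all
 * reported EOF (instead of spinning), 0 otherwise. */
static int demo_short_write_then_close(void)
{
    int sv[2];
    uint8_t buf[8];
    int rc;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) {
        return 0;
    }
    if (write(sv[0], "vici", 4) != 4) {
        close(sv[0]);
        close(sv[1]);
        return 0;
    }
    close(sv[0]);                            /* peer shuts down after 4 bytes */
    rc = recv_all(sv[1], buf, sizeof(buf));  /* wants 8, only 4 will ever come */
    close(sv[1]);
    return rc == -1;
}

/* Peer writes the full 8 bytes; recv_all must succeed and deliver them. */
static int demo_complete_message(void)
{
    int sv[2];
    uint8_t buf[8];
    int rc;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) {
        return 0;
    }
    if (write(sv[0], "vici-msg", 8) != 8) {
        close(sv[0]);
        close(sv[1]);
        return 0;
    }
    close(sv[0]);
    rc = recv_all(sv[1], buf, sizeof(buf));
    close(sv[1]);
    return rc == 0 && memcmp(buf, "vici-msg", 8) == 0;
}
```

The same rule applies to any length-prefixed framing over a stream socket: once the peer has closed, the loop holds a partial message that can never complete, and the only correct outcomes are an error to the caller or a reconnect, never another recv().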
* Merge branch 'starter-kernel-flush'
  Tobias Brunner, 2015-08-21, 6 files, -34/+71
  Removes flushing of the IPsec state in the kernel when starter terminates. We can't easily flush only the policies created for IPsec SAs (and if installpolicies=no is used we don't want to flush policies anyway). Also, since existing policies don't cause errors anymore these aren't really an issue anymore (I think this was one of the main reasons to flush the state). This behavior is also specific to starter, so nothing is flushed when charon is used via systemd/swanctl. This will also allow us to merge libhydra with libcharon in a future release. If the previous behavior is needed it can easily be replicated with some external tools (we could also write a simple utility that does this). Additional checks in the test environment make sure that the daemon cleans up the state properly.
  * testing: Let test scenarios fail if IPsec SAs or policies are not removed
    Tobias Brunner, 2015-08-21, 1 file, -0/+18
    The IKE daemon should delete all installed SAs and policies when everything works properly, so we fail the test if that's not the case.
  * testing: Flush state and policies before every scenario
    Tobias Brunner, 2015-08-21, 1 file, -0/+8
    Similar to conntrack we make sure we are working on a clean slate.
  * starter: Don't flush SAs in the kernel
    Tobias Brunner, 2015-08-21, 3 files, -14/+0
    If starter is not used we don't do that either. And this allows us to move the stuff in libhydra back to libcharon.
  * starter: Don't flush policies in the kernel
    Tobias Brunner, 2015-08-21, 1 file, -1/+0
    We can't control which policies we flush, so if policies are installed and used outside of strongSwan for other protocols we'd flush them too. And if installpolicies=no is used we probably shouldn't flush policies either. Luckily already existing policies are not treated as fatal errors anymore, so not flushing policies should not be that much of an issue (in case of a crash in dynamic setups, e.g. with virtual IPs, policies could be left behind even after restarting the connections and properly terminating the daemon).
  * kernel-pfkey: Only flush SAs of types we actually manage
    Tobias Brunner, 2015-08-21, 1 file, -13/+26
  * kernel-netlink: Only flush SAs of types we actually manage
    Tobias Brunner, 2015-08-21, 1 file, -6/+19
* Merge branch 'init-limits'
  Tobias Brunner, 2015-08-21, 20 files, -21/+171
  IKE_SAs that are initiated are now counted towards the half-open IKE_SAs limit. Optionally it is possible to enforce limits towards the number of half-open IKE_SAs and the job load also when initiating SAs. This is currently only possible via VICI.
  * vici: Optionally check limits when initiating connections
    Tobias Brunner, 2015-08-21, 2 files, -1/+7
    If the init-limits parameter is set (disabled by default) init limits will be checked and might prevent new SAs from getting initiated.
  * vici: Add get_bool() convenience getter for VICI messages
    Tobias Brunner, 2015-08-21, 3 files, -0/+94
  * controller: Optionally adhere to init limits also when initiating IKE_SAs
    Tobias Brunner, 2015-08-21, 15 files, -20/+71
  * ike: Also track initiating IKE_SAs as half-open
    Tobias Brunner, 2015-08-21, 1 file, -1/+0
* stroke: Allow %any as local address
  Tobias Brunner, 2015-08-21, 1 file, -3/+7
  Actually, resolving addresses in `left` might be overkill as we'll assume left=local anyway (the only difference is the log message).
* stroke: Add an option to disable side-swapping of configuration options
  Tobias Brunner, 2015-08-21, 2 files, -33/+51
  In some scenarios it might be preferred to ensure left is always local and no unintended swaps occur.
* ikev1: Assign different job priorities for inbound IKEv1 messages
  Tobias Brunner, 2015-08-21, 1 file, -2/+12