Commit message (Collapse) | Author | Age | Files | Lines | |
---|---|---|---|---|---|
* | implemented policy rules for OS IMV | Andreas Steffen | 2013-06-21 | 20 | -101/+3220 |
| | |||||
* | check for zero-length device ID | Andreas Steffen | 2013-06-21 | 1 | -0/+6 |
| | |||||
* | ITA-HSR/Device ID attribute & IMV OS state machine | Andreas Steffen | 2013-06-21 | 10 | -169/+519 |
| | |||||
* | execute an _imv_policy script | Andreas Steffen | 2013-06-21 | 6 | -10/+127 |
| | |||||
* | implemented IMV session control | Andreas Steffen | 2013-06-21 | 21 | -429/+953 |
| | |||||
* | Manage files and directories | Andreas Steffen | 2013-06-21 | 4 | -122/+208 |
| | |||||
* | Merge branch 'kernel-libipsec' | Tobias Brunner | 2013-06-21 | 23 | -42/+2039 |
|\ | | | | | | | | | | | | | | | | | | | | | | | | | Adds a new kernel interface plugin that uses TUN devices and libipsec to provide IPsec process in userland. It works on Linux, FreeBSD and Mac OS X. In particular the latter two platforms may gain from this approach as their respective kernels don't provide support for AES-GCM. kernel-pfroute has been improved (source address lookup) and a second plugin (osx-attr) installs configuration attributes (currently DNS servers only) via SystemConfiguration on Mac OS X. | ||||
| * | osx-attr: add plugin installing config attributes using SystemConfiguration | Martin Willi | 2013-06-21 | 7 | -0/+468 |
| | | | | | | | | | | Currently installs DNS servers only, by prepending IP addresses to the DNS configuration of the primary networking service. | ||||
| * | kernel-pfroute: Simplify route lookup after fixing sockaddr parsing | Tobias Brunner | 2013-06-21 | 1 | -90/+19 |
| | | |||||
| * | kernel-pfroute: Alignment of sockaddrs is not always the same | Tobias Brunner | 2013-06-21 | 1 | -1/+8 |
| | | |||||
| * | kernel-pfroute: struct sockaddr arguments are 4 byte aligned | Tobias Brunner | 2013-06-21 | 1 | -4/+8 |
| | | | | | | | | | | | | | | | | | | This was noticed on Mac OS X where, if the default route is returned, RTA_NETMASK has sa_len set to 0, but skipping zero bytes to read the next address makes no sense, of course. Using 0 for sa_len seems a bit strange, in particular, because struct sockaddr has by definition a minimum length of 16 bytes. But it seems FreeBSD actually does the same. | ||||
| * | kernel-libipsec: Ignore failures when installing routes for multicast or ↵ | Tobias Brunner | 2013-06-21 | 1 | -1/+23 |
| | | | | | | | | broadcast policies | ||||
| * | kernel-pfroute: Improve route lookup depending on information we get back | Tobias Brunner | 2013-06-21 | 1 | -12/+96 |
| | | | | | | | | Kernels don't provide the same information for all routes. | ||||
| * | kernel-pfroute: Try to ensure we get a source address or interface name | Tobias Brunner | 2013-06-21 | 1 | -0/+6 |
| | | |||||
| * | ike: Force NAT-T/UDP encapsulation if kernel interface requires it | Tobias Brunner | 2013-06-21 | 2 | -5/+32 |
| | | |||||
| * | kernel-libipsec: Add a feature to request UDP encapsulation of ESP packets | Tobias Brunner | 2013-06-21 | 2 | -0/+9 |
| | | |||||
| * | tun-device: Packets sent over utun devices on Mac OS X have the protocol ↵ | Tobias Brunner | 2013-06-21 | 1 | -0/+11 |
| | | | | | | | | family prepended | ||||
| * | kernel-pfroute: Use DST as nexthop for host routes | Tobias Brunner | 2013-06-21 | 1 | -0/+6 |
| | | | | | | | | These are created as cache/clone on Mac OS X. | ||||
| * | kernel-pfroute: Implement get_source_addr() | Tobias Brunner | 2013-06-21 | 1 | -12/+27 |
| | | |||||
| * | kernel-pfroute: Properly install routes with interface and gateway | Tobias Brunner | 2013-06-21 | 1 | -5/+6 |
| | | |||||
| * | kernel-libipsec: Install a gateway for routes on platforms other than Linux | Tobias Brunner | 2013-06-21 | 1 | -9/+26 |
| | | | | | | | | This seems required e.g. on FreeBSD but doesn't work on Linux. | ||||
| * | kernel-pfroute: Activate TUN device before setting address | Tobias Brunner | 2013-06-21 | 1 | -1/+1 |
| | | | | | | | | | | On FreeBSD, for some reason, we don't learn the interface is up otherwise. Even though ifconfig lists it as up at the same time. | ||||
| * | tun-device: Avoid opening /dev/tunX multiple times (e.g. on FreeBSD) | Tobias Brunner | 2013-06-21 | 1 | -2/+6 |
| | | |||||
| * | kernel-libipsec: Router reads packets from multiple TUN devices | Tobias Brunner | 2013-06-21 | 4 | -16/+268 |
| | | | | | | | | These devices are collected via kernel_listener_t interface. | ||||
| * | kernel-libipsec: Use separate class to route packets between charon, ↵ | Tobias Brunner | 2013-06-21 | 4 | -74/+188 |
| | | | | | | | | libipsec and TUN device | ||||
| * | kernel-pfroute: Raise tun event when creating/destroying TUN devices for ↵ | Tobias Brunner | 2013-06-21 | 1 | -1/+6 |
| | | | | | | | | virtual IPs | ||||
| * | kernel: Add an event kernel interfaces can raise if they create/destroy a ↵ | Tobias Brunner | 2013-06-21 | 3 | -5/+43 |
| | | | | | | | | TUN device | ||||
| * | printf-hook: Avoid double-free when freeing Vstr config | Tobias Brunner | 2013-06-21 | 1 | -1/+0 |
| | | | | | | | | | | | | | | Thread-specific objects get freed when the thread value object is destroyed (wasn't the case earlier, i.e. before 2b19dd35), which may cause the second call to vstr_free_conf() to fail in an assert in Vstr (depending on how it was built). | ||||
| * | kernel-libipsec: Track policies and automatically install routes | Tobias Brunner | 2013-06-21 | 1 | -5/+455 |
| | | | | | | | | | | | | | | | | The routes direct traffic matching the remote traffic selector to the TUN device. If the remote traffic selector includes the IKE peer a very specific route is installed to allow IKE traffic. | ||||
| * | kernel-libipsec: Handle packets between charon socket, libipsec and TUN device | Tobias Brunner | 2013-06-21 | 1 | -0/+85 |
| | | |||||
| * | kernel-libipsec: Create a TUN device and use it to install virtual IPs | Tobias Brunner | 2013-06-21 | 2 | -0/+40 |
| | | |||||
| * | kernel-libipsec: Add plugin that implements kernel_ipsec_t using libipsec | Tobias Brunner | 2013-06-21 | 7 | -0/+400 |
| | | |||||
| * | kernel-netlink: Routes don't require a gateway/nexthop | Tobias Brunner | 2013-06-21 | 1 | -5/+9 |
|/ | |||||
* | charon-cmd: Document auxiliary options | Tobias Brunner | 2013-06-21 | 1 | -0/+15 |
| | |||||
* | charon-cmd: Link strongswan.conf(5) and charon-cmd(8) man pages | Tobias Brunner | 2013-06-21 | 2 | -4/+33 |
| | |||||
* | charon-cmd: Use fixed number of character to align command descriptions | Tobias Brunner | 2013-06-21 | 1 | -16/+15 |
| | | | | | If the command and argument is longer than that write the first line of description to the following line. | ||||
* | charon-cmd: Shortened and fixed command descriptions | Tobias Brunner | 2013-06-21 | 1 | -2/+2 |
| | |||||
* | charon-cmd: Simplify usage output for authentication profiles | Tobias Brunner | 2013-06-21 | 1 | -11/+3 |
| | | | | The man page describes the min full. | ||||
* | charon-cmd: Add Aggressive Mode profiles to man page | Tobias Brunner | 2013-06-21 | 1 | -6/+10 |
| | |||||
* | charon-cmd: Add man page for charon-cmd(8) | Tobias Brunner | 2013-06-21 | 2 | -0/+123 |
| | |||||
* | charon-cmd: Add --debug argument to set the default log level | Tobias Brunner | 2013-06-21 | 3 | -2/+13 |
| | |||||
* | charon-cmd: Handle simple command line arguments like --help before the others | Tobias Brunner | 2013-06-21 | 1 | -3/+14 |
| | |||||
* | plugin-loader: Move logging of failed features to status() | Tobias Brunner | 2013-06-21 | 1 | -7/+11 |
| | | | | | | | | | Still log an error message if critical features fail, as loaded plugins/features are not logged in that case. This way loaded plugins are printed before failed features and the relation is easier to make for users. It also allows programs to log this message on a different level. | ||||
* | plugin-loader: Add method to print loaded plugins on a given log level | Tobias Brunner | 2013-06-21 | 10 | -4/+26 |
| | |||||
* | plugin-loader: Collect statistics while loading features, print them in case ↵ | Tobias Brunner | 2013-06-21 | 1 | -69/+40 |
| | | | | | | | features failed to load There is no need to explicitly search for failed features in critical plugins as this is now detected while loading the features. | ||||
* | plugin-loader: Use different log level if failed feature is in critical plugin | Tobias Brunner | 2013-06-21 | 1 | -2/+16 |
| | |||||
* | plugin-loader: Log message when failing to load plugin | Tobias Brunner | 2013-06-21 | 1 | -0/+8 |
| | |||||
* | plugin-loader: Reduce verbosity while loading plugins | Tobias Brunner | 2013-06-21 | 1 | -4/+4 |
| | |||||
* | Fix crash if the initiator has no suitable proposal available | Tobias Brunner | 2013-06-21 | 1 | -0/+5 |
| | | | | Could be triggered with a typo in the ike or esp options when ! is used. | ||||
* | Merge branch 'unit-tests-ecdsa' | Martin Willi | 2013-06-21 | 17 | -160/+866 |
|\ | | | | | | | | | | | Adds support for testing plugin functionality to test-runner. Introduces some good/bad tests for ECDSA/RSA which would have caught those RSA/ECDSA signature vulnerabilities. |