aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* testing: Disable leak detective when generating CRLsTobias Brunner2016-04-061-0/+4
| | | | | | | | | GnuTLS, which can get loaded by the curl plugin, does not properly cleanup some allocated memory when deinitializing. This causes invalid frees if leak detective is active. Other invalid frees are related to time conversions (tzset). References #1382.
* pkcs11: Skip zero-padding of r and s when preparing EC signatureTobias Brunner2016-04-051-3/+9
| | | | | | They are zero padded to fill the buffer. Fixes #1377.
* chunk: Skip all leading zero bytes in chunk_skip_zero() not just the firstTobias Brunner2016-04-042-14/+18
|
* string: Gracefully handle NULL in str*eq() macrosTobias Brunner2016-04-042-4/+82
|
* byteorder: Explicitly check for htoXeXX macrosTobias Brunner2016-03-311-3/+18
| | | | | Some platforms have XetohXX macros instead of XeXXtoh macros, in which case we'd redefine the htoXeXX macros.
* vici: Fix documentation of some dictionary keys of two request messagesCameron McCord2016-03-311-3/+3
| | | | Closes strongswan/strongswan#40.
* proposal: Use standard integer types for static keywordsTobias Brunner2016-03-311-2/+2
|
* utils: Remove nonsensical typedefs for standard uint typesTobias Brunner2016-03-311-13/+0
|
* Use u_int32_t legacy type in blowfish header fileAndreas Steffen2016-03-241-1/+1
|
* Use standard unsigned integer typesAndreas Steffen2016-03-24584-3430/+3430
|
* updown: Get value for PLUTO_MARK_{IN,OUT} from CHILD_SAShota Fukumori2016-03-231-2/+2
| | | | | | | Or the invoked script will get a broken value when `mark=%unique` is used in a configuration. Closes strongswan/strongswan#37.
* connmark: Explicitly include xt_mark.h for older kernelsTobias Brunner2016-03-231-0/+1
| | | | Fixes #1365.
* android: Enable 64-bit ABIsTobias Brunner2016-03-231-1/+1
|
* android: Enable build against API level 21Tobias Brunner2016-03-233-2/+17
| | | | | | | While building against this level in general would break our app on older systems, the NDK will automatically use this level for 64-bit ABI builds (which are not supported in older levels). So to build against 64-bit ABIs we have to support this API level.
* libcharon: Add missing header file to Android.mkTobias Brunner2016-03-231-0/+1
| | | | Not really relevant, just to make sure both file lists are the same.
* testing: Updated updown scripts in libipsec scenarios to latest versionTobias Brunner2016-03-2311-0/+341
|
* ike-sa-manager: Avoid memory leak if IKE_SAs get checked in after flush() ↵Tobias Brunner2016-03-231-23/+38
| | | | | | | | | | | | | was called A thread might check out a new IKE_SA via checkout_new() or checkout_by_config() and start initiating it while the daemon is terminating and the IKE_SA manager is flushed by the main thread. That SA is not tracked yet so the main thread is not waiting for it and the other thread is able to check it in and creating an entry after flush() already terminated causing a memory leak. Fixes #1348.
* ha: Delete cache entry inside the locked mutexThomas Egerer2016-03-231-0/+2
| | | | Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* swanctl: Fix documented directory name for remote pubkeysTobias Brunner2016-03-221-1/+1
|
* Version bump to 5.4.05.4.0Andreas Steffen2016-03-221-1/+1
|
* kernel-netlink: Fix lookup of next hops for destinations with prefixTobias Brunner2016-03-211-1/+2
| | | | References #1347.
* imc-os: Terminate buffer after fread(3) call to make Coverity happyTobias Brunner2016-03-111-1/+1
|
* imc-os: Correctly check return value of ftell(2)Tobias Brunner2016-03-111-1/+9
|
* Fix some Doxygen issuesTobias Brunner2016-03-113-9/+9
|
* Updated NEWS5.4.0rc1Andreas Steffen2016-03-111-0/+8
|
* man: Updated default proposals in ipsec.conf(5)Tobias Brunner2016-03-111-4/+4
|
* identification: Make `written` signed to fix error checking when printing rangesTobias Brunner2016-03-111-3/+3
|
* vici: Don't hold write lock while running or undoing start actionsTobias Brunner2016-03-111-27/+63
| | | | | | | | | | | | | | Running or undoing start actions might require enumerating IKE_SAs, which in turn might have to enumerate peer configs concurrently, which requires acquiring a read lock. So if we keep holding the write lock while enumerating the SAs we provoke a deadlock. By preventing other threads from acquiring the write lock while handling actions, and thus preventing the modification of the configs, we largely maintain the current synchronous behavior. This way we also don't need to acquire additional refs for config objects as they won't get modified/removed. Fixes #1185.
* Initialize ts variableAndreas Steffen2016-03-111-1/+1
|
* forecast: Compare the complete rules when deleting themTobias Brunner2016-03-101-1/+4
| | | | | | Same as the change in the connmark plugin. References #1229.
* connmark: Don't restore CONNMARK for packets that already have a mark setTobias Brunner2016-03-101-2/+17
| | | | | | | | | This allows e.g. modified versions of xl2tpd to set the mark in situations where two clients are using the same source port behind the same NAT, which CONNMARK can't restore properly as only one conntrack entry will exist with the mark set to that of the client that sent the last packet. Fixes #1230.
* connmark: Compare the complete rules when deleting themTobias Brunner2016-03-101-1/+4
| | | | | | | | | | | | By settings a matchmask that covers the complete rule we ensure that the correct rule is deleted (i.e. matches and targets with potentially different marks are also compared). Since data after the passed pointer is actually dereferenced when comparing we definitely have to pass an array that is at least as long as the ipt_entry. Fixes #1229.
* Merge branch 'subnet-identities'Andreas Steffen2016-03-109-114/+626
|\ | | | | | | | | | | | | | | Implemented IKEv1 IPv4/IPv6 address subnet and range identities to be used as owners for shared secrets. swanctl supports configuration of traffic selectors with IPv4/IPv6 address ranges.
| * Support of IP address ranges in traffic selectorsAndreas Steffen2016-03-102-7/+27
| |
| * Updated swanctl/rw-psk-ikev1 scenarioAndreas Steffen2016-03-105-28/+36
| |
| * Implemented IPv4/IPv6 subnet and range identitiesAndreas Steffen2016-03-102-79/+563
|/ | | | | | The IKEv1 IPV4_ADDR_SUBNET, IPV6_ADDR_SUBNET, IPV4_ADDR_RANGE and IPV6_ADDR_RANGE identities have been fully implemented and can be used as owners of shared secrets (PSKs).
* Merge branch 'p-cscf'Tobias Brunner2016-03-1014-24/+474
|\ | | | | | | | | | | | | This adds the p-cscf plugin that can request P-CSCF server addresses from an ePDG via IKEv2 (RFC 7651). Addresses of the same families as requested virtual IPs are requested if enabled in strongswan.conf for a particular connection. The plugin currently writes received addresses to the log.
| * attr: Only enumerate attributes matching the IKE version of the current IKE_SATobias Brunner2016-03-101-19/+49
| | | | | | | | Numerically configured attributes are currently sent for both versions.
| * attr: Add p-cscf keyword for P-CSCF server addressesTobias Brunner2016-03-101-0/+1
| |
| * p-cscf: Make sending requests configurable and disable it by defaultTobias Brunner2016-03-103-2/+18
| |
| * p-cscf: Only send requests if virtual IPs of the same family are requestedTobias Brunner2016-03-101-2/+18
| |
| * p-cscf: Add attribute handler for P-CSCF server addressesTobias Brunner2016-03-104-1/+243
| |
| * p-cscf: Add plugin stubTobias Brunner2016-03-106-0/+136
| |
| * payloads: Verify P-CSCF configuration attributes like others carrying IP ↵Tobias Brunner2016-03-101-0/+2
| | | | | | | | addresses
| * attributes: Define P-CSCF address attributes described in RFC 7651Tobias Brunner2016-03-102-6/+13
|/
* Merge branch 'mbb-reauth-online-revocation'Tobias Brunner2016-03-1028-14/+477
|\ | | | | | | | | | | | | With these changes initiators of make-before-break reauthentications suspend online revocation checks until after the new IKE_SA and all CHILD_SAs are established. See f1cbacc5d1be for details why that's necessary.
| * NEWS: Added note on online revocation checks during make-before-break ↵Tobias Brunner2016-03-101-0/+9
| | | | | | | | reauthentication
| * testing: Add ikev2/reauth-mbb-revoked scenarioTobias Brunner2016-03-109-0/+105
| |
| * testing: Generate a CRL that has moon's actual certificate revokedTobias Brunner2016-03-101-0/+3
| |
| * ike-sa: Improve interaction between flush_auth_cfg and delayed revocation checksTobias Brunner2016-03-101-26/+37
| |
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-04 12:06:37 +0000