aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
| * eap-mschapv2: Provide EAP-MSCHAPv2 username as EAP-IdentityTobias Brunner2015-11-121-2/+17
| |
| * auth-cfg: Prefer merged rules over existing ones when moving themTobias Brunner2015-11-121-3/+3
|/ | | | | | This is particularly important for single valued rules (e.g. identities). When copying values this is already handled correctly by the enumerator and add().
* android: Add some (older) unit testsTobias Brunner2015-11-123-0/+381
|
* android: Properly handle shorter types in BufferedByteWriterTobias Brunner2015-11-121-0/+86
| | | | | | | | In Java all integer types are signed, when a negative integer is casted to a larger type (e.g. int to long) then due to sign extension the upper bytes are not 0. So writing that value to a byte array does not produce the expected result. By overloading the putX() methods we make sure to upcast the values correctly.
* android: Migrate to the Gradle build systemTobias Brunner2015-11-12139-71/+327
| | | | | This uses a manual way to trigger the NDK build (the default with on-the-fly Android.mk files does not work for us).
* android: Provide a fallback for sigwaitinfo()Tobias Brunner2015-11-121-1/+29
|
* android: Replace AndroidConfigLocal.h with a header in utils/compatTobias Brunner2015-11-124-5/+16
|
* android: Fix build after updating Linux headersTobias Brunner2015-11-123-3/+0
| | | | | | | | Since we don't use the kernel-netlink plugin anymore and the headers in the NDK are reasonably recent, we don't need this anymore (at least when building the app). Fixes #1172.
* Merge branch 'tkm-spi-label'Tobias Brunner2015-11-119-22/+279
|\ | | | | | | | | Adds the charon-tkm.spi_label and charon-tkm.spi_mask options to encode a specific value/label in otherwise randomly generated IKE SPIs.
| * charon-tkm: Register SPI generator callbackAdrian-Ken Rueegsegger2015-11-111-0/+4
| | | | | | | | Set get_spi callback of IKE SA manager to TKM-specific implementation.
| * charon-tkm: Implement SPI generatorAdrian-Ken Rueegsegger2015-11-112-0/+134
| | | | | | | | | | The get_spi callback returns a random SPI with a label encoded according to the spi_label and spi_mask parameters read from the strongswan.conf.
| * settings: Add settings_value_as_uint64() helper functionTobias Brunner2015-11-113-0/+58
| |
| * ike-sa-manager: Allow plugins to provide IKE SPIs via a callbackTobias Brunner2015-11-112-11/+54
| | | | | | | | | | Plugins must depend on `libcharon-sa-managers` to ensure the manager exists.
| * libcharon: Publish IKE_SA/CHILD_SA managers as custom plugin featureTobias Brunner2015-11-111-11/+29
|/
* ikev1: Also use message hashes for Quick Mode for the early retransmission checkTobias Brunner2015-11-111-4/+8
| | | | | | | | | | We already did so during Phase 1 but because all three Quick Mode message have the same message ID we occasionally dropped the third message as retransmit, so we do it there too. For INFORMATIONAL and TRANSACTION exchanges we don't expect more than one inbound message with the same message ID so we still use them there. Fixes #1198.
* testing: Check for leases in swanctl/ip-pool scenarioAndreas Steffen2015-11-111-0/+2
|
* Version bump to 5.3.4dr35.3.4dr3Andreas Steffen2015-11-101-1/+1
|
* testing: Fixed some more timing issuesAndreas Steffen2015-11-1010-8/+10
|
* kernel-netlink: Allow IPsec policies to replace shunt policiesTobias Brunner2015-11-101-3/+3
| | | | | Shunt policies don't have a reqid set, so we allow unequal reqids in this particular case (i.e. if one of the reqids is 0).
* kernel-pfkey: Make absolutely sure we always delete the right policy cache entryTobias Brunner2015-11-101-3/+8
|
* kernel-netlink: Make absolutely sure we always delete the right policy cache ↵Tobias Brunner2015-11-101-2/+9
| | | | entry
* kernel-interface: Pass the same data to del_policy() that was passed to ↵Tobias Brunner2015-11-1012-150/+162
| | | | | | | add_policy() The additional data can be helpful to identify the exact policy to delete.
* kernel-netlink: Remove the unused policy_history flagTobias Brunner2015-11-101-41/+20
| | | | This was used with pluto, which had its own policy tracking.
* kernel-interface: Return bool for kernel interface registrationThomas Egerer2015-11-104-20/+40
| | | | | | | | If the (un)registering of a kernel interface (net or ipsec) fails, the plugin loader will never know, since the appropriate functions always returns TRUE. By making the (un)register functions return a boolean value, the loader can detect a failure during initializing the kernel interface and abort charon startup if desired.
* trap-manager: Also clean up remote address in error casesTobias Brunner2015-11-101-0/+2
| | | | Fixes #1201.
* traffic-selector: Don't end printf'ed list of traffic selectors with a spaceTobias Brunner2015-11-1011-22/+21
|
* swanctl: Add option to query leases with --get-poolsTobias Brunner2015-11-101-3/+29
|
* vici: Add option to query leases of poolsTobias Brunner2015-11-102-3/+36
| | | | | We could later perhaps add filter parameters similar to those of the `ipsec leases` command (pool name/virtual IP).
* swanctl: List virtual IPs in --list-sasTobias Brunner2015-11-101-1/+11
|
* vici: Return local and remote virtual IPs when listing SAsTobias Brunner2015-11-102-0/+36
|
* socket-dynamic: Refactor setting source address when sending messagesTobias Brunner2015-11-091-32/+62
| | | | Basically the same change as the one for the socket-default plugin.
* socket-default: Refactor setting source address when sending messagesTobias Brunner2015-11-091-46/+107
| | | | | | | | | | | This ensures we don't pass data (via msg_control) defined in a different scope to sendmsg(). Actually, some compilers (e.g. GCC 5.2.1) might optimize the memcpy() call away causing the packets not to get sent from the intended source address. It also makes the code clearer than with all these ifdefs. Fixes #1171.
* socket-default: Refactor retrieval of destination address of received packetsTobias Brunner2015-11-091-39/+89
| | | | This makes the code a bit clearer than with the interleaved ifdefs.
* Merge branch 'medsrv-js-css'Tobias Brunner2015-11-098-376/+18
|\ | | | | | | | | | | | | Removes the outdated version of MooTools and actually all JavaScript code as that stuff can now be done with CSS directly. Fixes #1190.
| * medsrv: Replace remaining JavaScript code with CSSTobias Brunner2015-11-094-371/+14
| |
| * medsrv: Replace the JavaScript focus() calls with HTML5's autofocusTobias Brunner2015-11-095-5/+4
|/
* conftest: Add configuration option to report milliseconds in file loggerTobias Brunner2015-11-091-2/+4
|
* file-logger: Add option to print milliseconds within the current second ↵Tobias Brunner2015-11-095-13/+40
| | | | | | | | after timestamp For this to look right time_format should end with %S or %T. Closes strongswan/strongswan#18.
* ike-natd: Create fake NAT-D payloads in a more static wayTobias Brunner2015-11-091-20/+8
| | | | | | | | | | | | | | | In some scenarios an IKE_SA might get restarted multiple times (e.g. due to retransmits and delayed INVALID_KE_PAYLOAD notifies) so that two IKE_SA_INIT messages might be sent that only differ in the previously randomly generated NAT_DETECTION_SOURCE_IP payload. This could cause an authentication failure on the responder if the two peers don't use the same IKE_SA_INIT message in their InitiatorSignedOctets. While the payload is generated in a reproducible way it will still change when the daemon is restarted, which should make detecting the payloads as fake a bit harder (compared to e.g. just using 0.0.0.0:0 as address). Fixes #1131.
* testing: Added Debian 7.9 to IMV database5.3.4dr2Andreas Steffen2015-11-091-0/+48
|
* testing: Reduce runtime of all tests that use SQLite databases by storing ↵Tobias Brunner2015-11-09161-312/+319
| | | | them in ramfs
* testing: tnc/tnccs-20-hcd-eap scenario does not use SWID IMV/strongTNCTobias Brunner2015-11-094-114/+1
|
* testing: Add test config to create and remove a directory for DBs stored in ↵Tobias Brunner2015-11-091-1/+23
| | | | ramfs
* testing: Improve runtime of TNC tests by storing the SQLite DB in ramfsTobias Brunner2015-11-0914-9/+30
| | | | This saves about 50%-70% of the time needed for scenarios that use a DB.
* testing: Fix test constraints in ikev2/rw-ntru-bliss scenarioTobias Brunner2015-11-091-4/+4
| | | | | Changed with a88d958933ef ("Explicitly mention SHA2 algorithm in BLISS OIDs and signature schemes").
* testing: Use sha3 plugin in ikev2/rw-cert scenarioAndreas Steffen2015-11-093-3/+3
|
* mediation: Reschedule initiate mediation job if SA is not yet foundTobias Brunner2015-11-091-0/+4
| | | | | | | | | If the job gets queued for a newly created IKE_SA it might not yet be checked in when the job is running, reschedule the job in that case. This should fix the two p2pnat test scenarios, which occasionally failed because one of the peers did not initiate the connection to the mediation server.
* testing: Report the actual strongSwan and kernel versionsTobias Brunner2015-11-091-0/+6
|
* testing: Record strongSwan version when building from tarballTobias Brunner2015-11-091-0/+1
|
* testing: Record strongSwan version when building from source treeTobias Brunner2015-11-091-0/+11
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-05 09:51:27 +0000