aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
| * android: Add field for MTU to data modelTobias Brunner2015-07-282-4/+30
| |
| * android: Set preferred language for remediation instructionsTobias Brunner2015-07-282-0/+6
| |
| * android: Encode connection settings as single Java string argumentTobias Brunner2015-07-284-78/+54
| | | | | | | | This makes adding new configuration settings easier.
| * android: Add simple utility class to generate settings_t compatible config ↵Tobias Brunner2015-07-281-0/+160
| | | | | | | | snippets
| * unit-tests: Add unit tests for settings_t.load_string[_section]Tobias Brunner2015-07-281-8/+113
| |
| * settings: Add methods and a constructor to parse settings from stringsTobias Brunner2015-07-282-11/+112
| |
| * settings: Extend parser so we can parse settings from a stringTobias Brunner2015-07-282-0/+45
| |
| * starter: Add support for multi-line strings in ipsec.confTobias Brunner2015-07-283-8/+6
| |
| * settings: Add support for multi-line stringsTobias Brunner2015-07-283-16/+20
| | | | | | | | Unterminated strings are now an error.
| * starter: Don't replace rarely used special characters in strings in ipsec.confTobias Brunner2015-07-281-2/+0
| |
| * settings: Don't replace rarely used special charactersTobias Brunner2015-07-281-2/+0
| |
| * android: Don't pass null as root view to inflate()Tobias Brunner2015-07-281-1/+1
| |
| * android: Fix a potential NullPointerException in the IMC state fragmentTobias Brunner2015-07-281-1/+7
| |
| * android: EAP-TNC does not require a client certificateTobias Brunner2015-07-281-1/+1
| | | | | | | | | | Was incorrectly changed with the refactoring in a64089738d3e ("android: Change how features of VPN types are stored and checked").
| * android: Enable charon.initiator_only optionTobias Brunner2015-07-281-0/+2
| |
| * android: Increase the minSdkVersion to 15 and targetSdkVersion to 22Tobias Brunner2015-07-281-2/+2
|/ | | | | There are no devices anymore that use API level 14 (4.0-4.0.2) and 22 is the most recent level.
* testing: Regenerated BLISS certificates due to oracle changesAndreas Steffen2015-07-277-0/+0
|
* Use MGF1 with SHA-512 as BLISS random oracleAndreas Steffen2015-07-275-72/+63
|
* Generalize c_indices generation using SHA-512 random oracle.Markku-Juhani Olavi Saarinen2015-07-271-18/+24
| | | | | | This generalization allows the ring dimension n to be different from the current n = 512 and allows kappa to be > 56. Also the hash octets are consumed in a more consistent manner.
* Fixed several bugs in the BLISS signature generation/verification step.Markku-Juhani Olavi Saarinen2015-07-271-4/+8
| | | | | | | | | | | | | | | | The c_indices derived from the SHA-512 random oracle consist of nine bits (0..511). The leftmost 8 bits of each index are taken on an octet-by-octet basis from the 56 leftmost octets of the SHA-512 hash. The 9th bit needed for the LSB is taken from the extra_bits 64 bit unsigned integer which consists of the 8 rightmost octets of the SHA-512 hash (in network order). If more than 56 indices must be derived then additional rounds of the random oracle are executed until all kappa c_indices have been determined. The bug fix shifts the extra_bits value by one bit in each loop iteration so that the LSB of each index is random. Also iterate through the hash array using the loop variable j not the c_indices variable i.
* ike: Fix memory leak if remote address is keptTobias Brunner2015-07-271-0/+4
|
* ike-rekey: Fix cleanup() callTobias Brunner2015-07-271-2/+2
|
* ike-rekey: Reset IKE_SA on bus before sending CREATE_CHILD_SA responseTobias Brunner2015-07-271-1/+2
| | | | | Even when there is no error the CREATE_CHILD_SA response should be sent in the context of the existing IKE_SA.
* ike-rekey: Reset IKE_SA on the bus after destroying new IKE_SATobias Brunner2015-07-271-16/+15
| | | | | | | | | | | | | | | The destroy() method sets the IKE_SA on the bus to NULL, we reset it to the current IKE_SA so any events and log messages that follow happen in the correct context. A practical example where this is problematic is a DH group mismatch, which causes the first CREATE_CHILD_SA exchange to fail. Because the SA was not reset previously, the message() hook for the CREATE_CHILD_SA response, for instance, was triggered outside the context of an IKE_SA, that is, the ike_sa parameter was NULL, which is definitely not expected by several plugins. Fixes #862.
* Merge branch 'trap-shunt-updates'Tobias Brunner2015-07-274-43/+193
|\ | | | | | | | | | | | | | | | | | | Changes how acquires are tracked in the trap manager, which fixes several race conditions. Also fixes races between threads installing trap policies and the main thread trying to flush the trap policies. Similar changes were added to the shunt manager which previously used no locking at all. Fixes #1014.
| * daemon: Flush shunts before unloading pluginsTobias Brunner2015-07-271-0/+4
| |
| * shunt-manager: Add flush() method to properly uninstall shuntsTobias Brunner2015-07-272-4/+46
| | | | | | | | | | This will allow us to uninstall shunts before unloading the kernel-interface plugins.
| * shunt-manager: Remove stored entries if installation failsTobias Brunner2015-07-271-2/+11
| |
| * shunt-manager: Add a lock to safely access the list of shunt policiesTobias Brunner2015-07-271-3/+17
| |
| * trap-manager: Resolve race conditions between flush() and install()Tobias Brunner2015-07-271-0/+31
| | | | | | | | | | | | | | | | | | | | | | | | | | When flush() is called there might be threads in install() waiting for trap policies to get installed (without holding the lock). We have to wait until they updated the entries with the respective CHILD_SAs before destroying the list. We also have to prevent further trap policy installations (and wait until threads in install() are really finished), otherwise we might end up destroying CHILD_SA objects after the kernel interface implementations have already been unloaded (avoiding this is the whole point of calling flush() before unloading the plugins).
| * trap-manager: Changed how acquires we acted on are trackedTobias Brunner2015-07-271-36/+86
| | | | | | | | | | | | | | | | | | This fixes potential race conditions in case complete() or flush() is executed before or concurrently with a thread that handles an acquire. It will also simplify tracking multiple acquires created for the same trap policy in the future. Also fixes the behavior in some error situations.
| * trap-manager: Properly check-in IKE_SA if initiating failsTobias Brunner2015-07-271-2/+2
|/ | | | | | | | | This basically reverts f4e822c1b422 ("trap-manager: don't check-in nonexisting IKE_SA if acquire fails"). As checkout_by_config() could return an already existing and established IKE_SA we have to properly destroy it, for instance, in case other threads are waiting to check it out. checkin_and_destroy() should handle the case of a new SA properly (it produces a log message on level 1, though).
* ike: Fall back to the current remote IP if it resolves to %anyTobias Brunner2015-07-271-1/+6
| | | | | | | | | In some situations it might be valid for a host that configures right=%any to reestablish or reauthenticate an IKE_SA. Using %any would immediately abort the initiation causing the new SA to fail (which might already have the existing CHILD_SAs assigned). Fixes #1027.
* Merge branch 'remote-host-family'Tobias Brunner2015-07-278-2/+203
|\ | | | | | | | | | | | | Considers the address family of locally defined addresses when resolving the remote host. Fixes #993.
| * ike: Use address family of local address when resolving remote hostTobias Brunner2015-07-271-1/+14
| | | | | | | | | | | | | | If static local addresses are configured we should use their address family as a hint when resolving the remote address. We don't do this if %any is configured as this might break existing configurations (%any4 and %any6 are however used as hint).
| * ike-cfg: Add unit tests for ike_cfg_get_family() helperTobias Brunner2015-07-273-0/+120
| |
| * ike-cfg: Add helper function to determine address family of IP addressesTobias Brunner2015-07-272-1/+59
| | | | | | | | | | All configured static addresses (hostnames, ranges or subnets are not considered) must be of the same family, otherwise AF_UNSPEC is returned.
| * host: Properly handle NULL in host_create_from_string[_and_family]Tobias Brunner2015-07-272-0/+10
|/
* Improved legibility of swanctl CRL listings5.3.3dr1Andreas Steffen2015-07-221-1/+4
|
* testing: Updated loop ca certificatesAndreas Steffen2015-07-2212-25/+77
|
* testing: Added swanctl --list-authorities output to do-testsAndreas Steffen2015-07-221-1/+5
|
* testing: Updated all swanctl scenarios and added some new onesAndreas Steffen2015-07-22102-104/+1744
|
* tests: Introduced IPV6 flag in tests.confAndreas Steffen2015-07-2120-1/+77
|
* tests: Introduced SWANCTL flag in test.confAndreas Steffen2015-07-219-23/+57
|
* tests: fixed evaltest of swanctl/rw-cert scenarioAndreas Steffen2015-07-211-2/+2
|
* tests: fixed description of swanctl ip-pool scenariosAndreas Steffen2015-07-212-9/+8
|
* Version bump to 5.3.3dr1Andreas Steffen2015-07-211-1/+1
|
* vici: Certification Authority support added.Andreas Steffen2015-07-2119-15/+1553
| | | | | | CDP and OCSP URIs for a one or multiple certification authorities can be added via the VICI interface. swanctl allows to read definitions from a new authorities section.
* vici: Compute rekey_bytes and rekey_packets if life_bytes and life_packets ↵Andreas Steffen2015-07-201-6/+20
| | | | are defined
* testing: Do not attempt to start the test environment if hosts are still runningTobias Brunner2015-07-151-0/+1
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-09 07:02:04 +0000