aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
| * kernel-pfroute: Return interface to reach destination from get_nexthop()Tobias Brunner2016-06-101-4/+13
| |
| * kernel-pfkey: Install routes with OUT policiesTobias Brunner2016-06-101-31/+30
| |
| * kernel-netlink: Install routes with OUT policiesTobias Brunner2016-06-101-25/+24
| | | | | | | | | | This is the direction we actually need routes in and makes the code easier to read.
| * kernel-pfkey: Don't install routes for drop policies and if protocol/ports ↵Tobias Brunner2016-06-101-3/+10
| | | | | | | | are in the selector
| * kernel-netlink: Don't install routes for drop policies and if protocol/ports ↵Tobias Brunner2016-06-101-96/+106
| | | | | | | | | | | | | | | | | | are in the selector We don't need them for drop policies and they might even mess with other routes we install. Routes for policies with protocol/ports in the selector will always be too broad and might conflict with other routes we install.
| * kernel-pfkey: Also use interface returned by get_nexthop() for IPsec policiesTobias Brunner2016-06-101-1/+3
| | | | | | | | | | An exception is if the local address is virtual, in which case we want the route to be via TUN device.
| * kernel-netlink: Also use interface returned by get_nexthop() for IPsec policiesTobias Brunner2016-06-101-1/+2
| |
| * kernel-pfkey: Use interface to next hop for shunt policiesTobias Brunner2016-06-101-2/+3
| |
| * kernel-netlink: Use interface to next hop for shunt policiesTobias Brunner2016-06-101-10/+13
| | | | | | | | | | | | Using the source address to determine the interface is not correct for net-to-net shunts between two interfaces on which the host has IP addresses for each subnet.
| * kernel-netlink: Return outbound interface in get_nexthop()Tobias Brunner2016-06-101-5/+43
| |
| * kernel-net: Let get_nexthop() return an optional interface nameTobias Brunner2016-06-1010-21/+42
|/ | | | | The returned name should be the interface over which the destination address/net is reachable.
* kernel-interface: Always set `vip` if get_address_by_ts() returns successfullyTobias Brunner2016-06-101-0/+4
|
* kernel-netlink: Let only a single thread work on a specific policyTobias Brunner2016-06-101-25/+69
| | | | | | | | | | | | | Other threads are free to add/update/delete other policies. This tries to prevent race conditions caused by releasing the mutex while sending messages to the kernel. For instance, if break-before-make reauthentication is used and one thread on the responder is delayed in deleting the policies that another thread is concurrently adding for the new SA. This could have resulted in no policies being installed eventually. Fixes #1400.
* kernel-netlink: Add priority and refcount to policy logTobias Brunner2016-06-101-9/+30
|
* kernel-netlink: Consistently print mark in log messages only if setTobias Brunner2016-06-101-108/+82
|
* kernel-netlink: Provide error information for Netlink socketsTobias Brunner2016-06-103-19/+25
| | | | #1467.
* kernel-netlink: Allow definition of a custom priority calculation functionTobias Brunner2016-06-102-3/+18
|
* Merge branch 'ipsec-sa-cfg-equals'Tobias Brunner2016-06-094-3/+29
|\ | | | | | | | | | | | | Fixes the comparison of ipsec_sa_cfg_t instances in case there is padding that's not initialized to zero. Fixes #1503.
| * kernel-pfkey: Use ipsec_sa_cfg_equals()Tobias Brunner2016-06-081-1/+1
| |
| * kernel-netlink: Use ipsec_sa_cfg_equals() and compare marks properlyTobias Brunner2016-06-081-2/+3
| |
| * ipsec: Add function to compare two ipsec_sa_cfg_t instancesTobias Brunner2016-06-082-0/+25
|/ | | | | | memeq() is currently used to compare these but if there is padding that is not initialized the same for two instances the comparison fails. Using this function ensures the objects are compared correctly.
* eap-simaka-pseudonym: Properly store mappingsTobias Brunner2016-06-061-44/+38
| | | | | | | | | | | If a pseudonym changed a new entry was added to the table storing permanent identity objects (that are used as keys in the other table). However, the old mapping was not removed while replacing the mapping in the pseudonym table caused the old pseudonym to get destroyed. This eventually caused crashes when a new pseudonym had the same hash value as such a defunct entry and keys had to be compared. Fixes strongswan/strongswan#46.
* child-sa: Use non-static variable to store generated unique markTobias Brunner2016-06-061-1/+2
| | | | | | If two CHILD_SAs with mark=%unique are created concurrently they could otherwise end up with either the same mark or different marks in both directions.
* ike: Don't trigger message hook when fragmenting pre-generated messagesTobias Brunner2016-06-061-2/+10
| | | | | | | | | This is the case for the IKE_SA_INIT and the initial IKEv1 messages, which are pre-generated in tasks as at least parts of it are used to generate the AUTH payload. The IKE_SA_INIT message will never be fragmented, but the IKEv1 messages might be, so we can't just call generate_message(). Fixes #1478.
* error-notify: Notify listeners upon IKE retransmitThomas Egerer2016-06-062-0/+6
| | | | Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* task-manager: Add retransmit cleared alertTobias Brunner2016-06-063-0/+16
|
* task-manager: Add retransmit count to retransmit send alertThomas Egerer2016-06-063-4/+7
| | | | Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* stroke: Permanently store PINs in credential setTobias Brunner2016-06-061-12/+35
| | | | | | | This fixes authentication with tokens that require the PIN for every signature. Fixes #1369.
* controller: Use separate callbacks to track termination and initiation of SAsTobias Brunner2016-06-061-8/+58
| | | | | | | If a local authentication failure occurs in IKEv1 we delete the IKE_SA, which we don't want the controller to detect as success. Fixes #1449.
* ikev1: Queue INFORMATIONAL messages during XAuthTobias Brunner2016-06-061-5/+12
| | | | | | | | | | Some peers send an INITIAL_CONTACT notify after they received our XAuth username. The XAuth task waiting for the third XAuth message handles this incorrectly and closes the IKE_SA as no configuration payloads are contained in the message. We queue the INFORMATIONAL until the XAuth exchange is complete to avoid this issue. Fixes #1434.
* identification: Compare identity types when comparing ID_FQDN/ID_RFC822_ADDR ↵Tobias Brunner2016-06-061-3/+4
| | | | | | identities References #1380.
* ikev2: Handle INITIAL_CONTACT notifies also when peer is authenticated with EAPTobias Brunner2016-06-061-16/+5
| | | | Fixes #1380.
* x509: Properly wrap keyid in authorityKeyIdentifier in attribute certificatesTobias Brunner2016-06-061-1/+2
| | | | | | | The correct encoding got lost in bdec2e4f5291 ("refactored openac and its attribute certificate factory"). Fixes #1370.
* p-cscf: Remove libhydra reference in MakefileTobias Brunner2016-05-271-1/+0
|
* af-alg: Silently skip probing algorithms if AF_ALG is not supportedMartin Willi2016-05-191-0/+19
| | | | | | If the af-alg plugin is enabled, but kernel support is missing, we get an error line during startup for each probed algorithm. This is way too verbose, so just skip probing if AF_ALG is unsupported.
* configure: Check for a potential -lpthread by using -ldlMartin Willi2016-05-181-1/+1
| | | | | Some pthread library variants depend on libdl, hence we must pass such a library to successfully build against libpthread.
* Merge branch 'test-timing'Andreas Steffen2016-05-15116-211/+322
|\
| * testing: Changed gcrypt-ikev1 scenarios to swanctlAndreas Steffen2016-05-1520-126/+148
| |
| * testing: wait until connections are loadedAndreas Steffen2016-05-1598-89/+178
|/
* Version bump to 5.4.1dr45.4.1dr4Andreas Steffen2016-05-131-1/+1
|
* vici: Put source distribution in the dist dir in the build directoryTobias Brunner2016-05-111-1/+3
| | | | This fixes the out-of-tree build.
* mem-cred: Fix memory leak when replacing existing CRLsTobias Brunner2016-05-111-0/+1
| | | | Fixes #1442.
* vici: Add target to build a source package and universal wheel of the Python ↵Tobias Brunner2016-05-111-0/+6
| | | | package
* vici: Add README.rst to be used as description on PyPITobias Brunner2016-05-114-8/+28
|
* vici: Replace dr with dev in version numbers for the Python eggTobias Brunner2016-05-102-5/+7
| | | | | | The versioning scheme used by Python (PEP 440) supports the rcN suffix but development releases have to be named devN, not drN, which are not supported and considered legacy versions.
* vici: Update setup.pyTobias Brunner2016-05-101-4/+5
|
* vici: Ensure we read exactly the specified amount of bytes from the socket ↵Tobias Brunner2016-05-101-2/+9
| | | | | | | in Python recv() will return less bytes than specified (as that's the buffer size) if not as many are ready to be read from the socket.
* Version bump to 5.4.1dr35.4.1dr3Andreas Steffen2016-05-081-1/+1
|
* swanctl: indicate initiator and responder in --list-sasAndreas Steffen2016-05-071-2/+5
|
* Version bump to 5.4.1dr25.4.1dr2Andreas Steffen2016-05-061-1/+1
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-05 12:24:01 +0000