Commit message (Author, Age, Files, Lines)
...
* child-sa: Allow requesting different unique marks for in/out (Eyal Birger, 2017-08-07, 5 files, -11/+50)
  When requiring unique flags for CHILD_SAs, allow the configuration to request different marks for each direction by using the %unique-dir keyword. This is useful when different marks are desired for each direction but the number of peers is not predefined.
  An example use case is when implementing a site-to-site route-based VPN without VTI devices. A use of 0.0.0.0/0 - 0.0.0.0/0 traffic selectors with identical in/out marks results in outbound traffic being wrongfully matched against the 'fwd' policy - for which the underlay 'template' does not match - and dropped. Using different marks for each direction avoids this issue, as the 'fwd' policy, which uses the 'in' mark, will not match outbound traffic.
  Closes strongswan/strongswan#78.
* conf: Match more characters in _ and ** (Tobias Brunner, 2017-08-07, 1 file, -1/+1)
  \w does not match e.g. / but \S does.
* trap-manager: Don't require that remote is resolvable during installation (Tobias Brunner, 2017-08-07, 1 file, -10/+49)
  Initiation might later fail, of course, but we don't really require an IP address when installing, that is, unless the remote traffic selector is dynamic, as that would result in installing a 0.0.0.0/0 remote TS, which is not ideal when a single IP is expected as remote.
* child-create: Don't log CHILD_SA initiation until we know the unique ID (Tobias Brunner, 2017-08-07, 1 file, -11/+13)
* child-rekey: Add CHILD_SA name and unique ID to collision log messages (Tobias Brunner, 2017-08-07, 1 file, -8/+13)
* child-sa: Suppress CHILD_SA state changes if there is no change (Tobias Brunner, 2017-08-07, 1 file, -6/+9)
* Merge commit 'child-sa-rekey-tkm' (Tobias Brunner, 2017-08-07, 47 files, -250/+708)
  This fixes CHILD_SA rekeying with TKM and changes how we switch to the outbound IPsec SA with Netlink/XFRM (using SPIs on the outbound policy instead of installing the outbound SA delayed). For charon-tkm it changes when esa_select() and esa_reset() are called, now with the outbound policy and the inbound SA, respectively, instead of the outbound SA in both cases. Also fixed is a potential traffic loss when a rekey collision is lost.
  * charon-tkm: Call esa_reset() when the inbound SA is deleted (Tobias Brunner, 2017-08-07, 10 files, -23/+59)
    After a rekeying the outbound SA and policy are deleted immediately; however, the inbound SA is not removed until a few seconds later, so delayed packets can still be processed. This adds a flag to get_esa_id() that specifies the location of the given SPI.
  * charon-tkm: Remove unused get_other_esa_id() method (Tobias Brunner, 2017-08-07, 3 files, -101/+0)
  * child-rekey: Don't install outbound SA in case of lost collisions (Tobias Brunner, 2017-08-07, 4 files, -46/+123)
    This splits the SA installation also on the initiator, so we can avoid installing the outbound SA if we lost a rekey collision, which might have caused traffic loss depending on the timing of the DELETEs that are sent in both directions.
  * testing: Also capture stderr during test cases (Tobias Brunner, 2017-08-07, 1 file, -1/+3)
    The output was not correct otherwise due to the reordering of commands.
  * testing: Clearly mark the tests that failed (Tobias Brunner, 2017-08-07, 1 file, -5/+15)
  * testing: Add tkm/xfrmproxy-rekey scenario (Tobias Brunner, 2017-08-07, 11 files, -0/+119)
    Similar to the xfrmproxy-expire scenario but here the TKM host is the responder to a rekeying.
  * testing: Add pfkey/net2net-rekey scenario (Tobias Brunner, 2017-08-07, 9 files, -0/+117)
  * testing: Add ikev2/net2net-rekey scenario (Tobias Brunner, 2017-08-07, 9 files, -0/+115)
  * testing: Add support for counting matching lines in tests (Tobias Brunner, 2017-08-07, 1 file, -14/+23)
    Specifying an integer instead of YES in evaltest.dat causes the number to get compared against the actual number of lines matching the pattern. This may be used to count matching packets or log lines.
  * bus: Don't trigger child_updown() for rekeyed CHILD_SAs (Tobias Brunner, 2017-08-07, 1 file, -1/+4)
    We don't trigger it either when they are deleted individually.
  * charon-tkm: Don't select new outbound SA until the policy is installed (Tobias Brunner, 2017-08-07, 1 file, -22/+40)
    This tries to avoid packet loss during rekeying by delaying the usage of the new outbound IKE_SA until the old one is deleted. Note that esa_select() is a no-op in the current TKM implementation. And the implementation also doesn't benefit from the delayed deletion of the inbound SA as it calls esa_reset() when the outbound SA is deleted.
  * charon-tkm: Claim to support SPIs on policies (Tobias Brunner, 2017-08-07, 1 file, -0/+7)
    This fixes rekeying as the delayed installation of the outbound SA caused the nonce context to be expired already.
  * child-sa: Install outbound SA immediately if kernel supports SPIs on policies (Tobias Brunner, 2017-08-07, 3 files, -26/+47)
  * child-sa: Use flags to track installation of outbound SA and policies separately (Tobias Brunner, 2017-08-07, 3 files, -29/+46)
  * kernel-netlink: Set SPI on outbound policy (Tobias Brunner, 2017-08-07, 1 file, -4/+10)
    This should cause the right SA to get used if there are multiple outbound SAs and the policies are installed properly.
  * kernel-interface: Not all kernel interfaces support SPIs on policies (Tobias Brunner, 2017-08-07, 1 file, -0/+2)
* Version bump to 5.6.0dr4 (tag 5.6.0dr4) (Andreas Steffen, 2017-08-04, 3 files, -3/+5)
* testing: Added tnc/tnccs-20-ev-pt-tls scenario (Andreas Steffen, 2017-08-04, 41 files, -22/+526)
* swid-gen: Share SWID generator between sw-collector, imc-swima and imc-swid (Andreas Steffen, 2017-08-04, 15 files, -445/+561)
* sw-collector: Added --full option (Andreas Steffen, 2017-08-03, 3 files, -28/+110)
* sw-collector: Added --installed/removed options (Andreas Steffen, 2017-08-03, 5 files, -43/+109)
* Merge branch 'appveyor' (Tobias Brunner, 2017-08-02, 5 files, -12/+48)
  Build and run unit tests on AppVeyor Windows containers.
  * appveyor: Build against OpenSSL (Tobias Brunner, 2017-07-28, 1 file, -0/+5)
    This is mainly for the RNG needed for the exchange tests.
  * unit-tests: Double escape backslashes in Windows paths in settings test (Tobias Brunner, 2017-07-28, 1 file, -2/+6)
    That's required when these are used as include paths in settings file strings.
  * unit-tests: Stringify direction in message asserts early (Tobias Brunner, 2017-07-28, 1 file, -6/+6)
    x86_64-w64-mingw32-gcc on Windows requires this.
  * unit-tests: iv_gen_seq has a dependency on RNG_STRONG (Tobias Brunner, 2017-07-28, 1 file, -1/+1)
    We currently don't have an RNG in Windows builds.
  * appveyor: Run tests on AppVeyor Windows containers (Tobias Brunner, 2017-07-28, 2 files, -3/+30)
    We can't enable leak detective as it is so slow then that we run into a timeout (60 minutes).
* peer-cfg: Use an rwlock instead of a mutex to safely access child-cfgs (Tobias Brunner, 2017-07-27, 1 file, -15/+15)
  If multiple threads want to enumerate child-cfgs and potentially lock other locks (e.g. check out IKE_SAs) while doing so, a deadlock could be caused (as was the case with VICI configs with start_action=start). It should also improve performance for roadwarrior connections and lots of clients connecting concurrently.
  Fixes #2374.
* credential-manager: Log issuer identity if not found (Tobias Brunner, 2017-07-27, 1 file, -0/+2)
* auth-cfg: Don't limit subjectAltName check to received certificates (Tobias Brunner, 2017-07-27, 1 file, -1/+1)
  Otherwise this won't work if the certificate is only locally available.
* swanctl: Read default socket from swanctl.socket option (Tobias Brunner, 2017-07-27, 2 files, -1/+8)
  Also read from swanctl.plugins.vici.socket so we get libstrongswan.plugins.vici.socket if it is defined.
  Fixes #2372.
* swanctl: Include config snippets from conf.d subdirectory (Tobias Brunner, 2017-07-27, 2 files, -0/+3)
  Fixes #2371.
* conf: Add support to generate include statements in .conf files (Tobias Brunner, 2017-07-27, 1 file, -7/+33)
* curl: Enable following redirects (Tobias Brunner, 2017-07-27, 3 files, -0/+13)
  The maximum number of redirects can be limited. The functionality can also be disabled.
  Fixes #2366.
* ikev2: AES-CMAC-PRF-128 only uses the first 64 bits of each nonce (Tobias Brunner, 2017-07-27, 1 file, -2/+5)
  References #2377.
* error-notify: Don't stop sending notifies after removing a disconnected listener (Tobias Brunner, 2017-07-27, 1 file, -2/+1)
  This prevented new listeners from receiving notifies if they joined after another listener disconnected previously, and if they themselves disconnected, their old connection would prevent them again from getting notifies.
* farp: Only remove one tracked entry (Tobias Brunner, 2017-07-27, 1 file, -0/+1)
  Multiple CHILD_SAs sharing the same traffic selectors (e.g. during make-before-break reauthentication) also have the same reqid assigned. If all matching entries are removed we could end up without an entry even though an SA exists that still uses these traffic selectors.
  Fixes #2373.
* ike: Trigger CHILD_INSTALLED state change after corresponding log message (Tobias Brunner, 2017-07-27, 2 files, -10/+9)
  This way we get the log message in stroke and swanctl as last message when establishing a connection. It's already like this for the IKE_SA where IKE_ESTABLISHED is set after the corresponding log message.
  Fixes #2364.
* sw-collector: sw-collector.first_file setting retrieves creation date from file stats (Andreas Steffen, 2017-07-26, 2 files, -2/+52)
* swima-collector: Fix compile error if SWID_DIRECTORY is not defined (Tobias Brunner, 2017-07-24, 1 file, -1/+10)
* libimcv: Add missing files to Android.mk (Tobias Brunner, 2017-07-24, 1 file, -0/+11)
* Version bump to 5.6.0dr3 (tag 5.6.0dr3) (Andreas Steffen, 2017-07-18, 2 files, -2/+2)
* testing: Fixed the path of pt-tls-client (Andreas Steffen, 2017-07-18, 3 files, -5/+5)