Commit message (Collapse) | Author | Age | Files | Lines | |
---|---|---|---|---|---|
* | openssl: Use proper EVP macro to determine size of a hash | Tobias Brunner | 2016-04-15 | 2 | -2/+2 |
| | |||||
* | android: Remove OPENSSL_NO_EC* defines | Tobias Brunner | 2016-04-15 | 1 | -3/+0 |
| | | | | Current versions of OpenSSL/BoringSSL shipped with Android support ECC. | ||||
* | android: OPENSSL_NO_ENGINE is now properly defined in the headers | Tobias Brunner | 2016-04-15 | 1 | -1/+0 |
| | |||||
* | curl: Handle LibreSSL like OpenSSL in regards to multi-threading | Tobias Brunner | 2016-04-15 | 1 | -1/+1 |
| | | | | | LibreSSL is API compatible so our openssl plugin does not need any changes and it works fine with the curl plugin. | ||||
* | configure: Replace two remaining usages of AC_HAVE_LIBRARY with AC_CHECK_LIB | Tobias Brunner | 2016-04-15 | 1 | -2/+2 |
| | |||||
* | thread: Don't hold mutex when calling cleanup handlers while terminating | Tobias Brunner | 2016-04-13 | 1 | -12/+14 |
| | | | | | | | | | | This could interfere with cleanup handlers that try to acquire mutexes while other threads holding these try to e.g. cancel the threads. As cleanup handlers are only queued by the threads themselves we don't need any synchronization to access the list. Fixes #1401. | ||||
* | testing: Added swanctl/rw-multi-ciphers-ikev1 scenario | Andreas Steffen | 2016-04-12 | 11 | -0/+238 |
| | |||||
* | Ignore Qt Creator project files | Tobias Brunner | 2016-04-11 | 1 | -0/+5 |
| | | | | Closes strongswan/strongswan#32. | ||||
* | Version bump to 5.4.1dr15.4.1dr1 | Andreas Steffen | 2016-04-11 | 1 | -1/+1 |
| | |||||
* | Merge branch 'kernel-policies' | Andreas Steffen | 2016-04-11 | 56 | -1653/+2565 |
|\ | |||||
| * | Extended IPsec kernel policy scheme | Andreas Steffen | 2016-04-09 | 1 | -18/+53 |
| | | | | | | | | | | | | | | | | The kernel policy now considers src and dst port masks as well as restictions to a given network interface. The base priority is 100'000 for passthrough shunts, 200'000 for IPsec policies, 300'000 for IPsec policy traps and 400'000 for fallback drop shunts. The values 1..30'000 can be used for manually set priorities. | ||||
| * | testing: Added swanctl/manual_prio scenario | Andreas Steffen | 2016-04-09 | 11 | -0/+277 |
| | | |||||
| * | Include manual policy priorities and restriction to interfaces in vici ↵ | Andreas Steffen | 2016-04-09 | 2 | -1/+27 |
| | | | | | | | | list-conn command | ||||
| * | Implemented IPsec policies restricted to given network interface | Andreas Steffen | 2016-04-09 | 8 | -14/+66 |
| | | |||||
| * | Support manually-set IPsec policy priorities | Andreas Steffen | 2016-04-09 | 8 | -22/+84 |
| | | |||||
| * | peer-cfg: Use struct to pass data to constructor | Tobias Brunner | 2016-04-09 | 16 | -200/+266 |
| | | |||||
| * | child-cfg: Use struct to pass data to constructor | Tobias Brunner | 2016-04-09 | 16 | -366/+362 |
| | | |||||
| * | kernel-pfkey: Prefer policies with reqid over those without | Tobias Brunner | 2016-04-09 | 1 | -1/+7 |
| | | |||||
| * | kernel-pfkey: Only install templates for regular IPsec policies with reqid | Tobias Brunner | 2016-04-09 | 1 | -32/+35 |
| | | |||||
| * | testing: Add swanctl/net2net-gw scenario | Tobias Brunner | 2016-04-09 | 11 | -0/+204 |
| | | |||||
| * | shunt-manager: Install "outbound" FWD policy | Tobias Brunner | 2016-04-09 | 1 | -2/+8 |
| | | | | | | | | | | | | If there is a default drop policy forwarded traffic might otherwise not be allowed by a specific passthrough policy (while local traffic is allowed). | ||||
| * | kernel-netlink: Prefer policies with reqid over those without | Tobias Brunner | 2016-04-09 | 1 | -1/+7 |
| | | | | | | | | | | | | | | This allows two CHILD_SAs with reversed subnets to install two FWD policies each. Since the outbound policy won't have a reqid set we will end up with the two inbound FWD policies installed in the kernel, with the correct templates to allow decrypted traffic. | ||||
| * | kernel-netlink: Only associate templates with inbound FWD policies | Tobias Brunner | 2016-04-09 | 1 | -1/+1 |
| | | | | | | | | | | | | We can't set a template on the outbound FWD policy (or we'd have to make it optional). Because if the traffic does not come from another (matching) IPsec tunnel it would get dropped due to the template mismatch. | ||||
| * | child-sa: Install "outbound" FWD policy | Tobias Brunner | 2016-04-09 | 1 | -0/+16 |
| | | | | | | | | | | | | | | If there is a DROP shunt that matches outbound forwarded traffic it would get dropped as the FWD policy we install only matches decrypted inbound traffic. That's because the Linux kernel first checks the FWD policies before looking up the OUT policy and SA to encrypt the packets. | ||||
| * | kernel-netlink: Associate routes with IN policies instead of FWD policies | Tobias Brunner | 2016-04-09 | 1 | -21/+21 |
| | | | | | | | | | | | | This allows us to install more than one FWD policy. We already do this in the kernel-pfkey plugin (there the original reason was that not all kernels support FWD policies). | ||||
| * | kernel: Use structs to pass information to the kernel-ipsec interface | Tobias Brunner | 2016-04-09 | 12 | -983/+1140 |
|/ | |||||
* | testing: List conntrack table on sun in ikev2/host2host-transport-connmark ↵ | Tobias Brunner | 2016-04-06 | 1 | -0/+1 |
| | | | | scenario | ||||
* | testing: Version bump to 5.4.0 | Tobias Brunner | 2016-04-06 | 1 | -1/+1 |
| | | | | References #1382. | ||||
* | testing: Disable leak detective when generating CRLs | Tobias Brunner | 2016-04-06 | 1 | -0/+4 |
| | | | | | | | | | GnuTLS, which can get loaded by the curl plugin, does not properly cleanup some allocated memory when deinitializing. This causes invalid frees if leak detective is active. Other invalid frees are related to time conversions (tzset). References #1382. | ||||
* | pkcs11: Skip zero-padding of r and s when preparing EC signature | Tobias Brunner | 2016-04-05 | 1 | -3/+9 |
| | | | | | | They are zero padded to fill the buffer. Fixes #1377. | ||||
* | chunk: Skip all leading zero bytes in chunk_skip_zero() not just the first | Tobias Brunner | 2016-04-04 | 2 | -14/+18 |
| | |||||
* | string: Gracefully handle NULL in str*eq() macros | Tobias Brunner | 2016-04-04 | 2 | -4/+82 |
| | |||||
* | byteorder: Explicitly check for htoXeXX macros | Tobias Brunner | 2016-03-31 | 1 | -3/+18 |
| | | | | | Some platforms have XetohXX macros instead of XeXXtoh macros, in which case we'd redefine the htoXeXX macros. | ||||
* | vici: Fix documentation of some dictionary keys of two request messages | Cameron McCord | 2016-03-31 | 1 | -3/+3 |
| | | | | Closes strongswan/strongswan#40. | ||||
* | proposal: Use standard integer types for static keywords | Tobias Brunner | 2016-03-31 | 1 | -2/+2 |
| | |||||
* | utils: Remove nonsensical typedefs for standard uint types | Tobias Brunner | 2016-03-31 | 1 | -13/+0 |
| | |||||
* | Use u_int32_t legacy type in blowfish header file | Andreas Steffen | 2016-03-24 | 1 | -1/+1 |
| | |||||
* | Use standard unsigned integer types | Andreas Steffen | 2016-03-24 | 584 | -3430/+3430 |
| | |||||
* | updown: Get value for PLUTO_MARK_{IN,OUT} from CHILD_SA | Shota Fukumori | 2016-03-23 | 1 | -2/+2 |
| | | | | | | | Or the invoked script will get a broken value when `mark=%unique` is used in a configuration. Closes strongswan/strongswan#37. | ||||
* | connmark: Explicitly include xt_mark.h for older kernels | Tobias Brunner | 2016-03-23 | 1 | -0/+1 |
| | | | | Fixes #1365. | ||||
* | android: Enable 64-bit ABIs | Tobias Brunner | 2016-03-23 | 1 | -1/+1 |
| | |||||
* | android: Enable build against API level 21 | Tobias Brunner | 2016-03-23 | 3 | -2/+17 |
| | | | | | | | While building against this level in general would break our app on older systems, the NDK will automatically use this level for 64-bit ABI builds (which are not supported in older levels). So to build against 64-bit ABIs we have to support this API level. | ||||
* | libcharon: Add missing header file to Android.mk | Tobias Brunner | 2016-03-23 | 1 | -0/+1 |
| | | | | Not really relevant, just to make sure both file lists are the same. | ||||
* | testing: Updated updown scripts in libipsec scenarios to latest version | Tobias Brunner | 2016-03-23 | 11 | -0/+341 |
| | |||||
* | ike-sa-manager: Avoid memory leak if IKE_SAs get checked in after flush() ↵ | Tobias Brunner | 2016-03-23 | 1 | -23/+38 |
| | | | | | | | | | | | | | was called A thread might check out a new IKE_SA via checkout_new() or checkout_by_config() and start initiating it while the daemon is terminating and the IKE_SA manager is flushed by the main thread. That SA is not tracked yet so the main thread is not waiting for it and the other thread is able to check it in and creating an entry after flush() already terminated causing a memory leak. Fixes #1348. | ||||
* | ha: Delete cache entry inside the locked mutex | Thomas Egerer | 2016-03-23 | 1 | -0/+2 |
| | | | | Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com> | ||||
* | swanctl: Fix documented directory name for remote pubkeys | Tobias Brunner | 2016-03-22 | 1 | -1/+1 |
| | |||||
* | Version bump to 5.4.05.4.0 | Andreas Steffen | 2016-03-22 | 1 | -1/+1 |
| | |||||
* | kernel-netlink: Fix lookup of next hops for destinations with prefix | Tobias Brunner | 2016-03-21 | 1 | -1/+2 |
| | | | | References #1347. | ||||
* | imc-os: Terminate buffer after fread(3) call to make Coverity happy | Tobias Brunner | 2016-03-11 | 1 | -1/+1 |
| |