| Commit message | Description | Author | Date | Files | Lines |
|---|---|---|---|---|---|
| NEWS: Added some news | | Tobias Brunner | 2017-08-08 | 1 | -1/+13 |
| conf: Descriptions of several settings updated | | Tobias Brunner | 2017-08-08 | 3 | -12/+25 |
| libimcv: Cast chunk length to int when printing as string | | Tobias Brunner | 2017-08-08 | 2 | -2/+4 |
| sw-collector: Cast chunk length to int when printing as string | | Tobias Brunner | 2017-08-08 | 1 | -7/+7 |
| sw-collector: Fix memory leak after failing to open DB | | Tobias Brunner | 2017-08-08 | 1 | -0/+1 |
| sw-collector: Use correct variable to report failure to open history file | | Tobias Brunner | 2017-08-08 | 1 | -4/+5 |
| Revert "apidoc: Update Doxyfile" | This reverts commit 8ec979fd64bca07e73f6f255a7cf26e587bb55d8. Mainly because Travis is still on Trusty and this generates lots of warnings. | Tobias Brunner | 2017-08-07 | 1 | -276/+149 |
| Version bump to 5.6.0rc1 | | Andreas Steffen | 2017-08-07 | 2 | -2/+2 |
| imv-database: Improve performance by creating file_hashes index | | Andreas Steffen | 2017-08-07 | 1 | -0/+2 |
| sw-collector: Add missing Doxygen group | Fix location of two classes. | Tobias Brunner | 2017-08-07 | 3 | -3/+5 |
| libimcv: Add missing Doxygen group for SWIMA-related classes | Fix location of swima_error_t. | Tobias Brunner | 2017-08-07 | 2 | -1/+4 |
| apidoc: Update Doxyfile | | Tobias Brunner | 2017-08-07 | 1 | -149/+276 |
| Fixed some typos, courtesy of codespell | | Tobias Brunner | 2017-08-07 | 13 | -17/+17 |
| testing: Add -v option to do-tests to prefix commands with timestamps | | Tobias Brunner | 2017-08-07 | 1 | -6/+25 |
| testing: Move collector.db in tnc/tnccs-20-ev-pt-tls scenario to /etc/db.d | Also move initialization to the pretest script (it's way faster in the in-memory database). | Tobias Brunner | 2017-08-07 | 14 | -47/+5 |
| kernel-netlink: Wipe buffer used to read Netlink messages | When querying SAs the keys will end up in this buffer (the allocated messages that are returned are already wiped). The kernel also returns XFRM_MSG_NEWSA as response to XFRM_MSG_ALLOCSPI but we can't distinguish this here as we only see the response. References #2388. | Tobias Brunner | 2017-08-07 | 1 | -2/+12 |
| sha2: Write final hash directly to output buffer | This avoids having the last output in internal memory that's not wiped. References #2388. | Tobias Brunner | 2017-08-07 | 1 | -56/+26 |
| prf-plus: Wipe seed and internal buffer | The buffer contains key material we handed out last and the seed can contain the DH secret. References #2388. | Tobias Brunner | 2017-08-07 | 1 | -2/+2 |
| child-sa: Allow requesting different unique marks for in/out | When requiring unique flags for CHILD_SAs, allow the configuration to request different marks for each direction by using the %unique-dir keyword. This is useful when different marks are desired for each direction but the number of peers is not predefined. An example use case is when implementing a site-to-site route-based VPN without VTI devices. A use of 0.0.0.0/0 - 0.0.0.0/0 traffic selectors with identical in/out marks results in outbound traffic being wrongfully matched against the 'fwd' policy, for which the underlay 'template' does not match, and dropped. Using different marks for each direction avoids this issue, as the 'fwd' policy, which uses the 'in' mark, will not match outbound traffic. Closes strongswan/strongswan#78. | Eyal Birger | 2017-08-07 | 5 | -11/+50 |
| conf: Match more characters in _ and ** | \w does not match e.g. / but \S does. | Tobias Brunner | 2017-08-07 | 1 | -1/+1 |
| trap-manager: Don't require that remote is resolvable during installation | Initiation might later fail, of course, but we don't really require an IP address when installing, that is, unless the remote traffic selector is dynamic, as that would result in installing a 0.0.0.0/0 remote TS, which is not ideal when a single IP is expected as remote. | Tobias Brunner | 2017-08-07 | 1 | -10/+49 |
| child-create: Don't log CHILD_SA initiation until we know the unique ID | | Tobias Brunner | 2017-08-07 | 1 | -11/+13 |
| child-rekey: Add CHILD_SA name and unique ID to collision log messages | | Tobias Brunner | 2017-08-07 | 1 | -8/+13 |
| child-sa: Suppress CHILD_SA state changes if there is no change | | Tobias Brunner | 2017-08-07 | 1 | -6/+9 |
| Merge commit 'child-sa-rekey-tkm' | This fixes CHILD_SA rekeying with TKM and changes how we switch to the outbound IPsec SA with Netlink/XFRM (using SPIs on the outbound policy instead of installing the outbound SA delayed). For charon-tkm it changes when esa_select() and esa_reset() are called, now with the outbound policy and the inbound SA, respectively, instead of the outbound SA in both cases. Also fixed is a potential traffic loss when a rekey collision is lost. | Tobias Brunner | 2017-08-07 | 47 | -250/+708 |
| charon-tkm: Call esa_reset() when the inbound SA is deleted | After a rekeying the outbound SA and policy is deleted immediately, however, the inbound SA is not removed until a few seconds later, so delayed packets can still be processed. This adds a flag to get_esa_id() that specifies the location of the given SPI. | Tobias Brunner | 2017-08-07 | 10 | -23/+59 |
| charon-tkm: Remove unused get_other_esa_id() method | | Tobias Brunner | 2017-08-07 | 3 | -101/+0 |
| child-rekey: Don't install outbound SA in case of lost collisions | This splits the SA installation also on the initiator, so we can avoid installing the outbound SA if we lost a rekey collision, which might have caused traffic loss depending on the timing of the DELETEs that are sent in both directions. | Tobias Brunner | 2017-08-07 | 4 | -46/+123 |
| testing: Also capture stderr during test cases | The output was not correct otherwise due to the reordering of commands. | Tobias Brunner | 2017-08-07 | 1 | -1/+3 |
| testing: Clearly mark the tests that failed | | Tobias Brunner | 2017-08-07 | 1 | -5/+15 |
| testing: Add tkm/xfrmproxy-rekey scenario | Similar to the xfrmproxy-expire scenario but here the TKM host is the responder to a rekeying. | Tobias Brunner | 2017-08-07 | 11 | -0/+119 |
| testing: Add pfkey/net2net-rekey scenario | | Tobias Brunner | 2017-08-07 | 9 | -0/+117 |
| testing: Add ikev2/net2net-rekey scenario | | Tobias Brunner | 2017-08-07 | 9 | -0/+115 |
| testing: Add support for counting matching lines in tests | Specifying an integer instead of YES in evaltest.dat causes the number to get compared against the actual number of lines matching the pattern. This may be used to count matching packets or log lines. | Tobias Brunner | 2017-08-07 | 1 | -14/+23 |
| bus: Don't trigger child_updown() for rekeyed CHILD_SAs | We don't trigger it either when they are deleted individually. | Tobias Brunner | 2017-08-07 | 1 | -1/+4 |
| charon-tkm: Don't select new outbound SA until the policy is installed | This tries to avoid packet loss during rekeying by delaying the usage of the new outbound IKE_SA until the old one is deleted. Note that esa_select() is a no-op in the current TKM implementation. And the implementation also doesn't benefit from the delayed deletion of the inbound SA as it calls esa_reset() when the outbound SA is deleted. | Tobias Brunner | 2017-08-07 | 1 | -22/+40 |
| charon-tkm: Claim to support SPIs on policies | This fixes rekeying as the delayed installation of the outbound SA caused the nonce context to be expired already. | Tobias Brunner | 2017-08-07 | 1 | -0/+7 |
| child-sa: Install outbound SA immediately if kernel supports SPIs on policies | | Tobias Brunner | 2017-08-07 | 3 | -26/+47 |
| child-sa: Use flags to track installation of outbound SA and policies separately | | Tobias Brunner | 2017-08-07 | 3 | -29/+46 |
| kernel-netlink: Set SPI on outbound policy | This should cause the right SA to get used if there are multiple outbound SAs and the policies are installed properly. | Tobias Brunner | 2017-08-07 | 1 | -4/+10 |
| kernel-interface: Not all kernel interfaces support SPIs on policies | | Tobias Brunner | 2017-08-07 | 1 | -0/+2 |
| Version bump to 5.6.0dr4 | | Andreas Steffen | 2017-08-04 | 3 | -3/+5 |
| testing: Added tnc/tnccs-20-ev-pt-tls scenario | | Andreas Steffen | 2017-08-04 | 41 | -22/+526 |
| swid-gen: Share SWID generator between sw-collector, imc-swima and imc-swid | | Andreas Steffen | 2017-08-04 | 15 | -445/+561 |
| sw-collector: Added --full option | | Andreas Steffen | 2017-08-03 | 3 | -28/+110 |
| sw-collector: Added --installed/removed options | | Andreas Steffen | 2017-08-03 | 5 | -43/+109 |
| Merge branch 'appveyor' | Build and run unit tests on AppVeyor Windows containers. | Tobias Brunner | 2017-08-02 | 5 | -12/+48 |
| appveyor: Build against OpenSSL | This is mainly for the RNG needed for the exchange tests. | Tobias Brunner | 2017-07-28 | 1 | -0/+5 |
| unit-tests: Double escape backslashes in Windows paths in settings test | That's required when these are used as include paths in settings file strings. | Tobias Brunner | 2017-07-28 | 1 | -2/+6 |
| unit-tests: Stringify direction in message asserts early | x86_64-w64-mingw32-gcc on Windows requires this. | Tobias Brunner | 2017-07-28 | 1 | -6/+6 |