Commit message (Collapse) | Author | Age | Files | Lines | |
---|---|---|---|---|---|
* | osx: Version bump to 5.3.2-1 | Martin Willi | 2015-06-18 | 1 | -1/+1 |
| | |||||
* | osx: Use CodeSignOnCopy for privileged helper, as suggested by XCode | Martin Willi | 2015-06-18 | 1 | -2/+2 |
| | |||||
* | charon-xpc: Use DNS non-append/replace mode in osx-attr plugin | Martin Willi | 2015-06-18 | 1 | -0/+2 |
| | |||||
* | osx: Include eap-gtc plugin in build instructions | Martin Willi | 2015-03-16 | 1 | -1/+1 |
| | |||||
* | libipsec: Pass separate inbound/update flags to the IPsec SA manager | Martin Willi | 2015-03-09 | 1 | -2/+3 |
| | | | | | Similar to other kernel interfaces, the libipsec backends uses the flag for different purposes, and therefore should get separate flags. | ||||
* | attribute-handler: Pass full IKE_SA to handler backends | Martin Willi | 2015-02-20 | 1 | -4/+3 |
| | |||||
* | attributes: Move the configuration attributes framework to libcharon | Martin Willi | 2015-02-20 | 1 | -4/+4 |
| | |||||
* | ike: Consistently log CHILD_SAs with their unique_id instead of their reqid | Martin Willi | 2015-02-20 | 1 | -1/+1 |
| | |||||
* | ike-sa-manager: Remove IKE_SA checkout by CHILD_SA reqid | Martin Willi | 2015-02-20 | 1 | -2/+1 |
| | |||||
* | kernel-interface: Raise expires with a proto/SPI/dst tuple instead of reqid | Martin Willi | 2015-02-20 | 1 | -3/+3 |
| | |||||
* | kernel-interface: Pass full list of traffic selectors to add_sa() | Martin Willi | 2015-02-20 | 1 | -1/+1 |
| | | | | | | While we can handle the first selector only in BEET mode in kernel-netlink, passing the full list gives the backend more flexibility how to handle this information. | ||||
* | libipsec: Remove unused src/dst_ts parameters from ipsec_sa_mgr_t.add_sa() | Martin Willi | 2015-02-20 | 1 | -2/+1 |
| | |||||
* | kernel-interface: Remove reqid parameter from get_spi/get_cpi() methods | Martin Willi | 2015-02-20 | 1 | -2/+2 |
| | | | | | | | | | | The reqid is not strictly required, as we set the reqid with the update call when installing the negotiated SA. If we don't need a reqid at this stage, we can later allocate the reqid in the kernel backend once the SA parameters have been fully negotaited. This allows us to assign the same reqid for the same selectors to avoid conflicts on backends this is necessary. | ||||
* | libipsec: Remove unused reqid parameter from ipsec_sa_mgr_t.get_spi() | Martin Willi | 2015-02-19 | 1 | -1/+1 |
| | |||||
* | osx: Update the README with App related bits | Martin Willi | 2014-12-17 | 1 | -9/+15 |
| | |||||
* | osx: Initial import of the Objective-C App graphical user interface | Martin Willi | 2014-12-17 | 27 | -9/+4681 |
| | |||||
* | charon-xpc: Add a work-around to trigger IP address add events after boot | Martin Willi | 2014-12-16 | 1 | -0/+24 |
| | |||||
* | android: New release based on 5.2.1 and after adding EAP-TLS | Tobias Brunner | 2014-11-06 | 1 | -3/+3 |
| | | | | | Also enables support for IKEv2 fragmentation, provides improved MOBIKE handling and optionally enables PFS for CHILD_SAs. | ||||
* | android: Build binaries for MIPS | Tobias Brunner | 2014-11-06 | 1 | -1/+1 |
| | |||||
* | android: Increase fragment size | Tobias Brunner | 2014-11-06 | 1 | -0/+3 |
| | | | | We use the same value we use as MTU on TUN devices. | ||||
* | android: Enable IKEv2 fragmentation | Tobias Brunner | 2014-11-06 | 1 | -1/+1 |
| | |||||
* | android: Use %any as AAA identity, but disable EAP-only authentication | Tobias Brunner | 2014-11-06 | 1 | -5/+3 |
| | | | | | | | Without verification of the identity we can't prevent a malicious user with a valid certificate from impersonating the AAA server and thus the VPN gateway. So unless we make the AAA identity configurable we have to prevent EAP-only authentication. | ||||
* | android: Add support for signature schemes used by EAP-TLS | Tobias Brunner | 2014-11-06 | 1 | -19/+34 |
| | |||||
* | android: Allow enumeration of untrusted certificates | Tobias Brunner | 2014-11-06 | 1 | -1/+1 |
| | |||||
* | android: Handle EAP-TLS in Android service | Tobias Brunner | 2014-11-06 | 1 | -6/+19 |
| | |||||
* | android: Enable EAP-TLS plugin in the app | Tobias Brunner | 2014-11-06 | 1 | -1/+1 |
| | |||||
* | android: Add EAP-TLS VPN type to the GUI | Tobias Brunner | 2014-11-06 | 6 | -1/+7 |
| | |||||
* | android: Change how features of VPN types are stored and checked | Tobias Brunner | 2014-11-06 | 5 | -59/+41 |
| | |||||
* | android: Fix PA-TNC construction based on data passed via JNI | Tobias Brunner | 2014-10-15 | 1 | -3/+2 |
| | |||||
* | android: Implement get_contracts() method in IMC state object | Tobias Brunner | 2014-10-14 | 1 | -0/+14 |
| | |||||
* | android: libpts does not exist anymore, don't attempt to load it | Tobias Brunner | 2014-10-14 | 1 | -1/+0 |
| | |||||
* | android: Update receive_message() to new imc_msg_t.receive() signature | Tobias Brunner | 2014-10-13 | 1 | -2/+4 |
| | |||||
* | android: Remove references to libpts | Tobias Brunner | 2014-10-13 | 3 | -8/+2 |
| | |||||
* | plugin-loader: Support a reload() callback for static features | Martin Willi | 2014-09-22 | 1 | -2/+2 |
| | |||||
* | android: Reduce CHILD_SA lifetime | Tobias Brunner | 2014-09-12 | 1 | -2/+2 |
| | |||||
* | android: Add DH groups to ESP proposals | Tobias Brunner | 2014-09-12 | 1 | -2/+12 |
| | |||||
* | android: Reestablish IKE_SA if CHILD_SA rekeying failed | Tobias Brunner | 2014-09-12 | 1 | -3/+36 |
| | |||||
* | android: Report error if CHILD_SA rekeying fails | Tobias Brunner | 2014-09-12 | 1 | -0/+6 |
| | |||||
* | android: Add support for querying use stats of a CHILD_SA | Tobias Brunner | 2014-09-09 | 1 | -1/+2 |
| | |||||
* | dns-proxy: Don't use proxy socket if we fail to bypass it | Tobias Brunner | 2014-07-30 | 1 | -0/+2 |
| | | | | | | | | | This will result in an infinite loop as packets sent over that socket will again pass through the TUN device and the DNS proxy. Apparently, bypassing fails when airplane mode is enabled. Fixes #662. | ||||
* | android: New release after adding certificate import, DNS proxy and GUI changes | Tobias Brunner | 2014-07-22 | 1 | -2/+2 |
| | |||||
* | android: For keyingtries > 0 notify the GUI if the limit is reached when ↵ | Tobias Brunner | 2014-07-22 | 1 | -0/+17 |
| | | | | | | | | | | reestablishing The IKE_SA is destroyed anyway, so letting the GUI remain in "connecting" state would be incorrect. We still use keyingtries=0 for now, though. And we still abort after the first failed attempt initially, in case there is a configuration error. | ||||
* | android: Terminate IKE_SA if initial IKE_SA_INIT fails | Tobias Brunner | 2014-07-22 | 1 | -1/+23 |
| | | | | | | | | | | Since VpnStateService.disconnect() is now not called until the error dialog is dismissed the daemon would continue to try connecting. So while the error dialog is shown the connection might actually be successfully established in the background, which is not intended. This way the IKE_SA is destroyed right after sending the IKE_SA_INIT of the second connection attempt (due to keyingtries=0). | ||||
* | android: Only allow DNS queries for the configured hostname | Tobias Brunner | 2014-07-22 | 1 | -0/+2 |
| | |||||
* | android: Add optional filter functionality to DNS proxy | Tobias Brunner | 2014-07-22 | 2 | -3/+119 |
| | | | | | If specified only queries for a list of allowed host names will be proxied. | ||||
* | android: Recreate the TUN device without DNS when reestablishing IKE_SAs | Tobias Brunner | 2014-07-22 | 1 | -0/+38 |
| | | | | | This enables DNS resolution while reestablishing if the VPN gateway pushed DNS servers to the client that are only reachable via VPN. | ||||
* | android: Add method to BuilderAdapter to re-establish without DNS-related data | Tobias Brunner | 2014-07-22 | 3 | -5/+113 |
| | | | | | | Non-DNS data is cached in the BuilderAdapter so the TUN device can be recreated easily (since the CHILD_SA is gone we couldn't actually gather that information). | ||||
* | android: Use DNS proxy when reestablishing IKE_SAs | Tobias Brunner | 2014-07-22 | 1 | -4/+44 |
| | |||||
* | bus: Add ike_reestablish_pre hook, called before DNS resolution | Tobias Brunner | 2014-07-22 | 1 | -4/+5 |
| | | | | | The old hook is renamed to ike_reestablish_post and is now also called when the initiation of the new IKE_SA failed. | ||||
* | android: Add DNS proxy implementation | Tobias Brunner | 2014-07-22 | 3 | -0/+388 |
| | | | | | | | This class proxies DNS requests over VPN-protected UDP sockets. It is not really Android specific and might be useful for kernel-libipsec or libipsec in general too, so we could maybe move it later to libipsec (might need some portability work). |