| Commit message | Author | Date | Files | Lines |
|---|---|---|---|---|
| diffie-hellman: Add a bool return value to get_my_public_value() | Martin Willi | 2015-03-23 | 2 | -4/+7 |
| diffie-hellman: Use bool instead of status_t as get_shared_secret() return value | Martin Willi | 2015-03-23 | 3 | -4/+4 |
| While such a change is not unproblematic, keeping status_t makes the API inconsistent once we introduce return values for the public value operations. | | | | |
| ha: Destroy synced IKE_SA if no configuration is found during update | Martin Willi | 2015-03-10 | 1 | -0/+3 |
| Revert "ha: Always install the CHILD_SAs with the inbound flag set to FALSE" | Martin Willi | 2015-03-09 | 1 | -2/+2 |
| While this change results in the correct add/update flag during installation, it exchanges all other values in the child_sa->install() call. We should pass the correct flag, but determine the add/update flag by other means. This reverts commit e722ee5d. | | | | |
| ha: Always install the CHILD_SAs with the inbound flag set to FALSE | Martin Willi | 2015-02-27 | 1 | -2/+2 |
| The inbound flag is used to determine if we have to install an update or a new SA in the kernel. As we do not have allocated SPIs and therefore can't update an existing SA in the HA plugin, always set the flag to FALSE. Before 698ed656 we had extra logic for that case, but handling it directly in the HA plugin is simpler. | | | | |
| attribute-provider: Pass full IKE_SA to provider backends | Martin Willi | 2015-02-20 | 1 | -2/+2 |
| attributes: Move the configuration attributes framework to libcharon | Martin Willi | 2015-02-20 | 1 | -6/+4 |
| ike: Consistently log CHILD_SAs with their unique_id instead of their reqid | Martin Willi | 2015-02-20 | 2 | -2/+2 |
| child-sa: Replace reqid based marks by "unique" marks | Martin Willi | 2015-02-20 | 1 | -1/+2 |
| As we now use the same reqid for multiple CHILD_SAs with the same selectors, having marks based on the reqid does not make much sense anymore. Instead we use unique marks that use a custom identifier. This identifier is reused during rekeying, keeping the marks constant for any rule relying on it (for example installed by updown). This also simplifies handling of reqid allocation, as we do not have to query marks that are not yet assigned for an unknown reqid. | | | | |
| ha: Perform child rekeying outside of CHILD_SA enumerator | Thomas Egerer | 2015-02-19 | 1 | -7/+22 |
| When rekey_child_sa is called while enumerating the children of an IKE_SA, and the child to be rekeyed is redundant, a QUICK_DELETE task is queued instead of a QUICK_MODE task. This alters the IKE_SA's list of children (ike_sa_t::child_sas), invalidating the current element of the child_sa_enumerator. The enumerate function of linked_list_t will then advance to an element with unpredictable contents, most likely resulting in a segmentation violation. A similar behavior should be observed when delete_child_sa is called. This patch creates a list of protocol/spi values while holding the child_sa_enumerator and performs the rekeying (deletion of redundant) children after releasing the enumerator. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com> | | | | |
| ha: Don't adopt IKEv1 children when building without IKEv1 support | Martin Willi | 2014-08-28 | 1 | -0/+2 |
| The adopt_children_job_create() function is not available when IKEv1 support is disabled. Fixes uncommon builds using --enable-ha --disable-ikev1. Fixes #690. | | | | |
| plugins: Don't link with -rdynamic on Windows | Martin Willi | 2014-06-04 | 1 | -1/+1 |
| ike: Add an additional but separate AEAD proposal to CHILD config | Martin Willi | 2014-05-16 | 1 | -0/+1 |
| This currently has no effect: We don't include AEAD algorithms in the default ESP proposal, as we don't know if it is supported by the backend. But as we hopefully get an algorithm query mechanism on kernel interfaces some day, we add the appropriate functionality nonetheless. | | | | |
| ike: Add an additional but separate AEAD proposal to IKE config, if supported | Martin Willi | 2014-05-16 | 1 | -0/+1 |
| ikev2: Add inherit_pre() to apply config and hosts before IKE_SA rekeying | Martin Willi | 2014-04-17 | 1 | -8/+2 |
| Properly hash pointers for hash tables where appropriate | Tobias Brunner | 2014-03-31 | 1 | -17/+1 |
| Simply using the pointer is not optimal for our hash table implementation, which simply masks the key to determine the bucket. | | | | |
| libcharon: Use lib->ns instead of charon->name | Tobias Brunner | 2014-02-12 | 3 | -11/+11 |
| Use exact mask when calling umask(2) | Tobias Brunner | 2013-10-29 | 1 | -1/+1 |
| Due to the previous negation the high bits of the mask were set, which at least some versions of the Android build system prevent with a compile-time check. | | | | |
| ike: support multiple addresses, ranges and subnets in IKE address config | Martin Willi | 2013-09-04 | 1 | -2/+2 |
| Replace the allowany semantic by a more powerful subnet and IP range matching. Multiple addresses, DNS names, subnets and ranges can be specified in a comma separated list. Initiators ignore the ranges/subnets, responders match configurations against all addresses, ranges and subnets. | | | | |
| peer-cfg: add a pull/push mode option to use with mode config | Martin Willi | 2013-09-04 | 1 | -2/+2 |
| capabilities: Some plugins don't actually require capabilities at runtime | Tobias Brunner | 2013-07-18 | 1 | -1/+2 |
| automake: replace INCLUDES by AM_CPPFLAGS | Martin Willi | 2013-07-18 | 1 | -5/+7 |
| INCLUDES are now deprecated and throw warnings when using automake 1.13. We now also differentiate AM_CPPFLAGS and AM_CFLAGS, where includes and defines are passed to AM_CPPFLAGS only. | | | | |
| child-sa: replace get_traffic_selectors() with create_ts_enumerator() | Martin Willi | 2013-07-17 | 1 | -5/+11 |
| Not directly returning a linked list allows us to change the internals of the CHILD_SA transparently. | | | | |
| Reuse reqid for trap policies installed for dpd\|closeaction=hold | Tobias Brunner | 2013-07-01 | 1 | -1/+1 |
| capabilities: CAP_CHOWN might be required by many plugins opening UNIX sockets | Tobias Brunner | 2013-06-25 | 1 | -0/+6 |
| But as the sockets will be created with the user/group of the running process this might not be required as no change may be needed. | | | | |
| capabilities: Move global capabilities_t instance to libstrongswan | Tobias Brunner | 2013-06-25 | 2 | -4/+4 |
| ha: Fix CHILD_SA installation in ha_dispatcher after adding initiator flag | Tobias Brunner | 2013-06-13 | 1 | -4/+8 |
| ha: Use plugin features to register listeners and attribute provider | Tobias Brunner | 2013-06-11 | 1 | -9/+37 |
| Add an option to autobalance a HA cluster automatically | Martin Willi | 2013-03-19 | 1 | -0/+59 |
| Check if for some reason we handle a HA segment on both nodes | Martin Willi | 2013-03-19 | 1 | -1/+15 |
| Acquire HA segment lock while sending heartbeat | Martin Willi | 2013-03-19 | 1 | -0/+2 |
| Fix scheduling of heartbeat sending in HA plugin | Martin Willi | 2013-03-19 | 1 | -2/+11 |
| e0efd7c1 switches to automated job rescheduling for HA heartbeat. However, send_status() is initially called directly, which will not reschedule the job as required. | | | | |
| Fix compiler warning in HA plugin | Martin Willi | 2013-03-19 | 1 | -1/+1 |
| Add a DSCP configuration value to IKE configs | Martin Willi | 2013-02-06 | 1 | -2/+1 |
| Added an option that allows forcing IKEv1 fragmentation | Tobias Brunner | 2013-01-12 | 1 | -1/+1 |
| Use a connection specific option to en-/disable IKEv1 fragmentation | Tobias Brunner | 2012-12-24 | 1 | -1/+1 |
| Moved data structures to new collections subfolder | Tobias Brunner | 2012-10-24 | 4 | -5/+5 |
| Moved host_t and host_resolver_t to a new networking subfolder | Tobias Brunner | 2012-10-24 | 2 | -2/+2 |
| Remove version argument on peer_cfg constructor, use ike_cfg version instead | Martin Willi | 2012-10-24 | 1 | -1/+1 |
| Add IKE version information to ike_cfg_t | Martin Willi | 2012-10-24 | 1 | -1/+1 |
| Added missing continue statement in ha socket error handling | Tobias Brunner | 2012-09-28 | 1 | -0/+1 |
| Pass full pool list to release_address | Martin Willi | 2012-09-11 | 1 | -3/+17 |
| Pass the full list of pools to acquire_address, enumerate in providers | Martin Willi | 2012-09-11 | 1 | -5/+13 |
| If the provider has access to the full pool list, it can enumerate them twice, for example to search for existing leases first, and only search for new leases in a second step. Fixes lease enumeration in attr-sql using multiple pools. | | | | |
| Clear virtual IPs before storing assigned ones on the IKE_SA | Tobias Brunner | 2012-09-05 | 1 | -1/+10 |
| Otherwise we'll end up with duplicate or invalid VIPs stored on the IKE_SA. | | | | |
| Check address family in HA virtual IP backend | Martin Willi | 2012-08-30 | 1 | -0/+6 |
| Support multiple address pools configured on a peer_cfg | Martin Willi | 2012-08-30 | 2 | -7/+8 |
| Support multiple virtual IPs on peer_cfg and ike_sa classes | Martin Willi | 2012-08-30 | 3 | -28/+41 |
| Replaced usages of `CHARON_*_PORT` with calls to get_port(). | Tobias Brunner | 2012-08-08 | 1 | -1/+2 |
| Make the UDP ports charon listens for packets on (and uses as source ports) configurable. | Tobias Brunner | 2012-08-08 | 1 | -1/+1 |
| Cleaned up memory management and return values for encryption payload | Martin Willi | 2012-07-16 | 1 | -1/+0 |
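The crash described in the commit "ha: Perform child rekeying outside of CHILD_SA enumerator" (deleting list entries while an enumerator over that list is still live) is a general pattern, not specific to the HA plugin. The following is an added example and not strongSwan code: it models a CHILD_SA list with a cursor-style enumerator under hypothetical names (child_list_t, enumerator_next, delete_redundant_unsafe, delete_redundant_safe, sample_children) and shows the pre-fix shape next to the two-pass fix the commit describes (collect protocol/SPI keys under the enumerator, act on the copy once it is released). The modification counter is this example's addition so that the unsafe shape fails deterministically; the commit message says the real linked_list_t enumerator has no such guard and advances into unpredictable memory. The sample list is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
/* Added example, not strongSwan code: a minimal stand-in for the IKE_SA's CHILD_SA list
 * with a cursor-style enumerator; all names are hypothetical. The modification counter is
 * this example's addition: the real list has no such check and walks into freed memory. */

/* proto/spi identify a CHILD_SA; redundant: a rekey would queue a delete instead */
typedef struct child { uint8_t proto; uint32_t spi; int redundant; struct child *next; } child_t;
typedef struct { child_t *head; unsigned mods; } child_list_t;     /* mods: structural changes */
typedef struct { child_list_t *list; child_t *cur; unsigned mods_at_start; } enumerator_t;
typedef struct { uint8_t proto; uint32_t spi; } sa_key_t;

static void list_push(child_list_t *l, uint8_t proto, uint32_t spi, int redundant)
{
    child_t *c = calloc(1, sizeof(*c)); if (!c) abort();
    c->proto = proto; c->spi = spi; c->redundant = redundant;
    c->next = l->head; l->head = c; l->mods++;
}

/* Unlink and free the entry with this protocol/SPI; returns 1 if one was found. */
static int list_remove(child_list_t *l, uint8_t proto, uint32_t spi)
{
    for (child_t **pp = &l->head; *pp; pp = &(*pp)->next) {
        if ((*pp)->proto == proto && (*pp)->spi == spi) {
            child_t *victim = *pp;
            *pp = victim->next;
            free(victim);
            l->mods++;
            return 1;
        }
    }
    return 0;
}

static size_t list_count(const child_list_t *l)
{ size_t n = 0; for (const child_t *c = l->head; c; c = c->next) n++; return n; }
static void list_clear(child_list_t *l)
{ while (l->head) list_remove(l, l->head->proto, l->head->spi); }
static enumerator_t enumerator_create(child_list_t *l)
{ enumerator_t e = { l, l->head, l->mods }; return e; }

/* 1: *out set; 0: end of list; -1: the list changed under the enumerator, so the cached
 * next pointer may already be dangling (the crash the HA commit describes). */
static int enumerator_next(enumerator_t *e, child_t **out)
{
    if (e->list->mods != e->mods_at_start) return -1;
    if (!e->cur) return 0;
    *out = e->cur;
    e->cur = e->cur->next;
    return 1;
}

/* Pre-fix shape: delete redundant children while still enumerating. */
static int delete_redundant_unsafe(child_list_t *l)
{
    enumerator_t e = enumerator_create(l);
    child_t *c = NULL; int rc;
    while ((rc = enumerator_next(&e, &c)) == 1)
        if (c->redundant) list_remove(l, c->proto, c->spi);   /* mutates under the cursor */
    return rc;                                                /* -1 after the first deletion */
}

/* Post-fix shape: collect protocol/SPI keys while holding the enumerator, then act on the
 * copy after it is released. Returns the number deleted, or -1. */
static int delete_redundant_safe(child_list_t *l)
{
    sa_key_t *keys = NULL; size_t n = 0, cap = 0;
    enumerator_t e = enumerator_create(l);
    child_t *c = NULL; int rc, deleted = 0;
    while ((rc = enumerator_next(&e, &c)) == 1) {
        if (!c->redundant) continue;
        if (n == cap) {
            cap = cap ? cap * 2 : 4;
            if (!(keys = realloc(keys, cap * sizeof(*keys)))) abort();
        }
        keys[n].proto = c->proto; keys[n].spi = c->spi; n++;
    }
    if (rc < 0) { free(keys); return -1; }
    for (size_t i = 0; i < n; i++)          /* a key that vanished meanwhile is just skipped */
        deleted += list_remove(l, keys[i].proto, keys[i].spi);
    free(keys);
    return deleted;
}

/* Constructed sample: four ESP (protocol 50) children, two of them redundant. */
static void sample_children(child_list_t *l)
{
    l->head = NULL; l->mods = 0;
    list_push(l, 50, 0xc0000001u, 1); list_push(l, 50, 0xc0000002u, 0);
    list_push(l, 50, 0xc0000003u, 1); list_push(l, 50, 0xc0000004u, 0);
}

int main(void)
{
    child_list_t l;
    sample_children(&l); int rc = delete_redundant_unsafe(&l);
    printf("unsafe: rc=%d, %zu children left\n", rc, list_count(&l)); list_clear(&l);
    sample_children(&l); int deleted = delete_redundant_safe(&l);
    printf("safe: deleted=%d, %zu children left\n", deleted, list_count(&l)); list_clear(&l);
    return 0;
}
```

On the sample list the unsafe variant removes one redundant child and is then stopped by the counter with three entries left; without the counter it would dereference the freed node's next pointer instead. The safe variant enumerates all four entries, releases the enumerator, and deletes both redundant children by key. Deleting by key rather than by node pointer is what makes the second pass tolerant of entries that disappeared in between, which matters when other threads may modify the IKE_SA's list.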