path: root/src/libcharon/plugins/unity
Commit log (each entry: subject, then author, date, files changed, lines removed/added)
* Change interface for enumerator_create_filter() callback (Tobias Brunner, 2017-05-26, 1 file, -13/+16)
  This avoids the unportable 5 pointer hack, but requires enumerating in the callback.

* Migrate all enumerators to venumerate() interface change (Tobias Brunner, 2017-05-26, 2 files, -6/+14)

* shunt-manager: Add an optional namespace for each shunt (Tobias Brunner, 2017-02-16, 1 file, -2/+3)
  This will allow us to reuse the names of child configs e.g. when they are defined in different connections.

* child-cfg: Use struct to pass data to constructor (Tobias Brunner, 2016-04-09, 1 file, -4/+4)

* Use standard unsigned integer types (Andreas Steffen, 2016-03-24, 1 file, -2/+2)

* libhydra: Remove empty unused library (Tobias Brunner, 2016-03-03, 1 file, -1/+0)

* attribute-handler: Pass full IKE_SA to handler backends (Martin Willi, 2015-02-20, 1 file, -4/+3)

* attribute-provider: Pass full IKE_SA to provider backends (Martin Willi, 2015-02-20, 1 file, -4/+2)

* attributes: Move the configuration attributes framework to libcharon (Martin Willi, 2015-02-20, 1 file, -9/+8)

* unity: Reference IKE_SAs by the IKEv1 COOKIEs, improving lookup performance (Martin Willi, 2015-02-20, 3 files, -14/+17)
  When handling thousands of IKE_SAs, the unique ID based lookup is rather slow, as we have no indexing.

* ike-sa-manager: Remove IKE_SA checkout by CHILD_SA reqid (Martin Willi, 2015-02-20, 1 file, -1/+1)
* unity: Only do narrowing of responder's TS if we received 0.0.0.0/0 (Tobias Brunner, 2014-12-05, 1 file, -2/+84)
  iOS and Mac OS X clients establish individual IPsec SAs for the traffic selectors received in Split-Include attributes (might have been different in earlier releases). If we return 0.0.0.0/0 as TSr that either results in a bunch of Quick Mode exchanges (for each TS), or with the latest client releases an error notify (ATTRIBUTES_NOT_SUPPORTED).

  We also can't install the IPsec SA with all configured subnets as that would cause conflicts if the client later negotiates SAs for other subnets, which iOS 8 does based on traffic to such subnets.

  For Shrew and the Cisco client, which propose 0.0.0.0/0, we still need to override the narrowed TS with 0.0.0.0/0, as they otherwise won't accept the Quick Mode response. Likewise, we also have to narrow the TS before installing the IPsec SAs and policies. So we basically have to follow the client's proposal and only modify TSr if we received 0.0.0.0/0.

  Since we don't get the original TS in the narrow hook, we handle the inbound QM messages and make note of IKE_SAs on which we received a TSr of 0.0.0.0/0.

  Fixes #737.

* unity: Do not bump TS to 0.0.0.0/0 as initiator when no Split-Include received (Martin Willi, 2014-08-25, 1 file, -1/+21)
  When the unity plugin is enabled and both peers send the Unity Vendor ID, we proposed 0.0.0.0/0 as traffic selector, even if no Split-Include has been received on the SA. This can break compatibility with some responders, as they don't narrow the TS themselves, but expect the configured TS.

* unity: Handle narrowing according to roles in the IKE_SA (Tobias Brunner, 2014-08-25, 1 file, -16/+33)
  Since the narrow hook types reflect the roles in the Quick Mode exchange, the plugin behaved incorrectly if the server initiated the CHILD_SA rekeying.
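The responder and initiator rules spelled out in the three commits above (2014-12-05: follow the client's TSr and only override it when 0.0.0.0/0 was received; 2014-08-25: propose 0.0.0.0/0 as initiator only when a Split-Include was received, narrowing afterwards) as a small Python model. This is an added illustration, not strongSwan's C code or its traffic_selector_t API; the function names, the (send, install) tuple they return and the use of Python's ipaddress module for the subset calculation are assumptions made for the example.

```python
import ipaddress

# 0.0.0.0/0, the "everything" TS that Shrew and the Cisco client propose.
ANY = ipaddress.IPv4Network("0.0.0.0/0")


def nets(*cidrs):
    """Helper: turn CIDR strings into IPv4Network objects (constructed input)."""
    return [ipaddress.IPv4Network(c) for c in cidrs]


def narrow(proposed, configured):
    """Intersect two TS lists, as the narrow hook does.

    CIDR blocks either nest or are disjoint, so the intersection of two
    overlapping blocks is the more specific one.  Order is kept and
    duplicates are dropped.
    """
    result = []
    for p in proposed:
        for c in configured:
            if p.subnet_of(c):
                hit = p
            elif c.subnet_of(p):
                hit = c
            else:
                continue
            if hit not in result:
                result.append(hit)
    return result


def responder_tsr(received_tsr, configured):
    """Responder side (2014-12-05 commit).  Returns (tsr_to_send, tsr_to_install).

    A proposal of exactly 0.0.0.0/0 (Shrew, Cisco client) must be answered
    with 0.0.0.0/0 or Quick Mode fails, but the IPsec SA and policies are
    still installed for the narrowed subnets.  Any other proposal (iOS and
    OS X negotiate one SA per Split-Include subnet) is followed as is.
    """
    narrowed = narrow(received_tsr, configured)
    if not narrowed:
        # the subset calculation yielded no TS at all: nothing to install
        # (the 2012-09-18 "Check if subset calculation actually yields a TS")
        raise ValueError("proposed TS does not overlap the configured subnets")
    if received_tsr == [ANY]:
        return [ANY], narrowed
    return narrowed, narrowed


def initiator_tsr(split_includes, configured):
    """Initiator side (2014-08-25 commit).  Returns (tsr_to_propose, tsr_to_install).

    Only when Split-Include attributes were received on the IKE_SA is
    0.0.0.0/0 proposed and the received subnets narrowed to the configured
    TS afterwards; otherwise the configured TS is proposed unchanged, so a
    responder that does not narrow still gets what it expects.
    """
    if split_includes:
        return [ANY], narrow(split_includes, configured)
    return list(configured), list(configured)
```

Calling responder_tsr([ANY], nets("10.0.0.0/8", "192.168.0.0/16")) gives 0.0.0.0/0 to send back and the two configured subnets to install, while an iOS-style proposal of 10.1.0.0/16 is simply echoed and installed as 10.1.0.0/16.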
* plugins: Don't link with -rdynamic on Windows (Martin Willi, 2014-06-04, 1 file, -1/+1)

* unity: Send all traffic selectors in a single UNITY_SPLIT_INCLUDE attribute (Tobias Brunner, 2014-01-23, 1 file, -35/+47)
  Cisco clients only handle the first such attribute.

* unity: Change local TS to 0.0.0.0/0 as responder (Tobias Brunner, 2014-01-23, 1 file, -4/+7)
  Cisco clients and Shrew expect a remote TS of 0.0.0.0/0 if Unity is used, otherwise Quick Mode fails.

* unity: Send UNITY_SPLIT_INCLUDE attributes with proper padding (Tobias Brunner, 2014-01-23, 1 file, -11/+16)
  The additional 6 bytes are not actually padding but are parsed by the Cisco client as protocol and src and dst ports (each two bytes but strangely only the first two in network order).

* unity: Handle multi-valued UNITY_SPLIT_INCLUDE/UNITY_LOCAL_LAN attributes (Tobias Brunner, 2013-07-29, 1 file, -50/+97)
  Cisco devices seem to add 6 bytes of padding between each address/mask pair. Fixes #366.
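The attribute layout described in the three commits above (2014-01-23: every subnet in one UNITY_SPLIT_INCLUDE attribute; 2014-01-23: 14 bytes per entry, the 6 trailing bytes being read by the Cisco client as protocol and ports; 2013-07-29: multi-valued attributes) and the 2012-11-22 commit further down (never send 0.0.0.0/0 as a Split-Include) as an added Python encoder and decoder for the attribute value. It is not strongSwan's unity_provider/unity_handler code; the function names are invented for the example, the trailing protocol/port fields are sent as zero (meaning "any"), and unpacking them as big-endian on receive is an assumption, since the commit only says the first of the three fields is in network order. The decoder additionally accepts bare 8-byte address/mask pairs, assumed to be what older peers send. It deals only with the attribute value; the surrounding ISAKMP attribute type/length header is left out.

```python
import ipaddress
import struct

# One entry as the Cisco client reads it: IPv4 address (4), netmask (4),
# protocol (2), source port (2), destination port (2).
ENTRY_LEN = 14
# Bare address/mask pair without the trailing 6 bytes (assumed older form).
LEGACY_ENTRY_LEN = 8

ANY = ipaddress.IPv4Network("0.0.0.0/0")


def encode_split_include(subnets):
    """Pack all subnets into a single attribute value.

    Everything goes into one attribute because Cisco clients only look at
    the first UNITY_SPLIT_INCLUDE.  0.0.0.0/0 is dropped because iOS rejects
    it.  Protocol and ports are sent as zero, i.e. "any" (assumption).
    """
    out = bytearray()
    for net in subnets:
        if not isinstance(net, ipaddress.IPv4Network):
            net = ipaddress.IPv4Network(net)
        if net == ANY:
            continue
        out += net.network_address.packed
        out += net.netmask.packed
        out += struct.pack("!HHH", 0, 0, 0)
    return bytes(out)


def decode_split_include(value):
    """Parse an attribute value into a list of (network, proto, sport, dport).

    Accepts the 14-byte layout and the bare 8-byte address/mask layout.
    A length that fits neither is rejected instead of guessed at, so a
    truncated or malformed attribute cannot silently yield wrong subnets.
    """
    if len(value) % ENTRY_LEN == 0:
        size = ENTRY_LEN
    elif len(value) % LEGACY_ENTRY_LEN == 0:
        size = LEGACY_ENTRY_LEN
    else:
        raise ValueError("attribute length %d is not a multiple of 14 or 8"
                         % len(value))
    entries = []
    for off in range(0, len(value), size):
        addr = ipaddress.IPv4Address(value[off:off + 4])
        mask = ipaddress.IPv4Address(value[off + 4:off + 8])
        # strict=False tolerates host bits set in the address field
        net = ipaddress.IPv4Network("%s/%s" % (addr, mask), strict=False)
        proto = sport = dport = 0
        if size == ENTRY_LEN:
            proto, sport, dport = struct.unpack("!HHH", value[off + 8:off + 14])
        entries.append((net, proto, sport, dport))
    return entries
```

Encoding ["10.1.0.0/16", "0.0.0.0/0", "192.168.1.0/24"] yields 28 bytes (the default route is skipped), and decoding those bytes returns the two remaining subnets with protocol and ports all zero.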
* automake: replace INCLUDES by AM_CPPFLAGS (Martin Willi, 2013-07-18, 1 file, -3/+5)
  INCLUDES are now deprecated and throw warnings when using automake 1.13. We now also differentiate AM_CPPFLAGS and AM_CFLAGS, where includes and defines are passed to AM_CPPFLAGS only.

* unity: Replicate default behavior if no UNITY_SPLIT_INCLUDE attributes were received (Tobias Brunner, 2013-07-17, 1 file, -11/+32)

* unity: Allow UNITY_LOCAL_LAN to be longer than 8 bytes (Tobias Brunner, 2013-07-17, 1 file, -1/+1)

* unity: Fix memory leak in provider (Tobias Brunner, 2013-07-17, 1 file, -0/+1)

* unity: Use plugin features to register listener and attribute handler/provider (Tobias Brunner, 2013-06-11, 1 file, -10/+39)

* unity: Check IKE_SA in only after enumerating virtual IPs (Tobias Brunner, 2013-04-05, 1 file, -2/+1)
* Merge branch 'vip-shunts' (Martin Willi, 2013-03-01, 1 file, -11/+6)
|\  Installs bypass policies for the physical address if a virtual address is assigned, and installs a proper source route to actually use the physical address for bypassed destinations.
| |
| | Conflicts:
| |   src/libcharon/plugins/unity/unity_handler.c
| |
| * Include local address for Unity Split-Exclude shunt policies (Martin Willi, 2013-02-20, 1 file, -10/+5)
| |   If we use a virtual IP, having a shunt policy for just that wouldn't work, as we want a shunt bypass using the local address.
* | Use a complete port range in traffic_selector_create_from_{subnet,cidr} (Martin Willi, 2013-02-21, 1 file, -2/+4)
|/
* Filter TS list for Split-Includes before printing them to debug log (Martin Willi, 2013-01-21, 1 file, -10/+34)

* Fixed some typos, courtesy of codespell (Tobias Brunner, 2012-12-20, 1 file, -1/+1)

* Do not send 0.0.0.0/0 traffic selectors as Split-Include Unity attributes (Martin Willi, 2012-11-22, 1 file, -2/+6)
  It seems that iOS devices don't like them.

* Compiler warning fixed (Tobias Brunner, 2012-11-02, 1 file, -1/+1)

* Exclude dynamic TS from Unity Split-Include attributes (Martin Willi, 2012-10-30, 1 file, -0/+1)

* Moved data structures to new collections subfolder (Tobias Brunner, 2012-10-24, 1 file, -1/+1)

* As Unity responder, don't change the proposed TS at all, racoon doesn't like that (Martin Willi, 2012-09-18, 2 files, -7/+8)

* As initiator, narrow received Unity attributes to configured TS (Martin Willi, 2012-09-18, 1 file, -4/+11)

* When using Unity, bump up remote TS as initiator to 0.0.0.0/0, too (Martin Willi, 2012-09-18, 1 file, -5/+8)

* Enable Cisco Unity only if Unity vendor id received (Martin Willi, 2012-09-18, 3 files, -2/+5)

* Exchange 0.0.0.0/0 traffic selectors with Unity, narrowing after exchange (Martin Willi, 2012-09-18, 1 file, -22/+87)

* Add a Unity attribute provider that adds Split-Includes for TS (Martin Willi, 2012-09-18, 4 files, -1/+232)

* Check if subset calculation actually yields a TS in Unity narrowing (Martin Willi, 2012-09-18, 1 file, -1/+5)

* Request Unity configuration attributes for IKEv1 only (Martin Willi, 2012-09-18, 1 file, -0/+6)

* Add Cisco Unity client support for Split-Include and Local-LAN (Martin Willi, 2012-09-18, 7 files, -0/+774)