aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon/plugins
Commit message (Collapse)AuthorAgeFilesLines
...
* ha: Perform child rekeying outside of CHILD_SA enumeratorThomas Egerer2015-02-191-7/+22
| | | | | | | | | | | | | | | | When rekey_child_sa is called while enumerating the children of an IKE_SA, and the child to be rekeyed is redundant a QUICK_DELETE task is queued instead of a QUICK_MODE task. This alters the IKE_SA's list of children (ike_sa_t::child_sas) invalidating the current element of the child_sa_enumerator. The enumerate function of linked_list_t will then advance to an element with unpredictable contents most likely resulting in an segmentation violation. A similar behavior should be observed when delete_child_sa is called. This patch creates a list of protocol/spi values while holding the child_sa_enumerator and performs the rekeying (deletion of redundant) chlidren after releasing the enumerator. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* vici: Fix ruby gem author emailMartin Willi2015-01-221-1/+1
|
* vici: Fix README example encoding element type values, off by oneMartin Willi2015-01-211-10/+10
| | | | | | | While we fixed the wrong values in the description with d39e04b5, the example values are still off by one. Fixes #828.
* Fixed some typos, courtesy of codespellTobias Brunner2014-12-151-1/+1
|
* vici: Use silent builder destroy function in vici_free_req()Martin Willi2014-12-121-7/+1
|
* vici: Add a destroy method to builder, allowing cancellation without errorMartin Willi2014-12-122-4/+18
| | | | | When cancelling a builder, finalize throws an error which we might prefer to avoid.
* eap-radius: Use the single-server legacy server options as fallbackMartin Willi2014-12-121-3/+10
|
* unity: Only do narrowing of responder's TS if we received 0.0.0.0/0Tobias Brunner2014-12-051-2/+84
| | | | | | | | | | | | | | | | | | | | | | | iOS and Mac OS X clients establish individual IPsec SAs for the traffic selectors received in Split-Include attributes (might have been different in earlier releases). If we return 0.0.0.0/0 as TSr that either results in a bunch of Quick Mode exchanges (for each TS), or with the latest client releases an error notify (ATTRIBUTES_NOT_SUPPORTED). We also can't install the IPsec SA with all configured subnets as that would cause conflicts if the client later negotiates SAs for other subnets, which iOS 8 does based on traffic to such subnets. For Shrew and the Cisco client, which propose 0.0.0.0/0, we still need to override the narrowed TS with 0.0.0.0/0, as they otherwise won't accept the Quick Mode response. Likewise, we also have to narrow the TS before installing the IPsec SAs and policies. So we basically have to follow the client's proposal and only modify TSr if we received 0.0.0.0/0. Since we don't get the original TS in the narrow hook we handle the inbound QM messages and make note of IKE_SAs on which we received a TSr of 0.0.0.0/0. Fixes #737.
* kernel-wfp: Install outbound ALE connect rules for IPsecMartin Willi2014-12-041-16/+43
| | | | | | Similar to the inbound rules, the ALE filter processes IP-in-IP packets for outbound tunnel mode traffic. When using an outbound default-drop policy, Windows does not allow connection initiation without these explicit rules.
* kernel-wfp: Install inbound ALE IP-in-IP filtersMartin Willi2014-12-041-41/+159
| | | | | | | | | | | When processing inbound tunnel mode packets, Windows decrypts packets and filters them as IP-in-IP packets. We therefore require an ALE filter that calls the FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_ALE_ACCEPT callout to allow them when using a default-drop policy. Without these rules, any outbound packet created an ALE state that allows inbound packets as well. Processing inbound packets without any outbound traffic fails without these rules.
* kernel-wfp: Add missing IPsec sublayer GUIDsMartin Willi2014-12-041-0/+6
|
* kernel-wfp: Define IPsec related ALE layers and callout GUIDsMartin Willi2014-12-042-0/+40
|
* kernel-wfp: Fix logging of MM/QM/EM NetEvent failuresMartin Willi2014-12-041-0/+12
|
* vici: Make sure to send/recv all requested bytes over socketMartin Willi2014-12-041-3/+22
| | | | | | As the underlying C functions, send/recv on ruby sockets are not guaranteed to send/recv all requested bytes. Use wrapper functions to make sure we get all bytes needed.
* Implemented full BLISS support for IKEv2 public key authentication and the ↵Andreas Steffen2014-11-292-5/+19
| | | | pki tool
* kernel-libipsec: Use poll(2) instead of selectMartin Willi2014-11-211-54/+56
|
* socket-default: Use round-robin selection of sockets to read fromMartin Willi2014-11-211-5/+13
| | | | | If multiple sockets are ready, we previously preferred the IPv4 non-NAT socket over others. To handle all with equal priority, use a round-robin selection.
* socket-default: Use poll(2) instead of selectMartin Willi2014-11-211-46/+20
| | | | | It is not only simpler, but also allows the use of arbitrary high fd numbers, which silently fails with select().
* vici: Add support for address range definitions of poolsTobias Brunner2014-10-301-5/+35
|
* stroke: Add support for address range definitions of in-memory poolsTobias Brunner2014-10-301-7/+33
|
* updown: Explicitly pass caller PATH to updown scriptMartin Willi2014-10-221-0/+1
| | | | | | | | | When invoking /bin/sh, its default PATH is used. On some systems, that does not include the PATH where the ipsec script is installed, as charon is invoked with a custom PATH. Explicitly setting the PATH of charon should fix this case, properly invoking the (default) updown script. Fixes #745.
* vici: Return default value for get_int() if message value is empty stringMartin Willi2014-10-142-1/+5
| | | | | This is the behavior of some strtol() implementations, and it makes sense, so force it.
* vici: Add vici.gemspec.in and vici.rb to distributionTobias Brunner2014-10-141-0/+2
|
* vici: Cancel processor before calling library_deinit()Martin Willi2014-10-101-0/+1
| | | | | For non-direct libstrongswan users, the deinitialization segfaults because of the missing worker thread cancellation.
* vici: Reduce debug level during thread spawningMartin Willi2014-10-101-0/+2
| | | | We want to avoid libvici users to get a cluttered stderr for no real error.
* vici: Don't include-depend on libstrongswan for boolean typesMartin Willi2014-10-102-4/+2
| | | | | | | | As we want to avoid the libstrongswan include dependencies for libvici, avoid the use of the bool type. Unfortunately this change may break the ABI for vici_dump(). As this function is mostly for debugging purposes, we do it nonetheless; my apologies if somebody already relies on the ABI stability of that function.
* vici: Document the ruby gem and add some simple examplesMartin Willi2014-10-101-0/+58
|
* vici: Add some simple libvici examples to the READMEMartin Willi2014-10-101-2/+116
|
* vici: Document the available vici command and event messagesMartin Willi2014-10-101-1/+509
|
* vici: Use "gem"-assisted vici ruby gem building and installationMartin Willi2014-10-104-1/+29
|
* vici: Add a ruby gem providing a native vici interfaceMartin Willi2014-10-103-0/+586
|
* vici: Return a success result for the clear-creds commandMartin Willi2014-10-101-4/+1
| | | | | Even if the command actually can't fail, this looks more aligned to similar commands.
* vici: Fix message encoding type values in documentationMartin Willi2014-10-101-6/+6
|
* eap-radius: Add option to set interval for interim accounting updatesTobias Brunner2014-10-101-0/+10
| | | | | | Any interval returned by the RADIUS server in the Access-Accept message overrides the configured interval. But it might be useful if RADIUS is only used for accounting.
* packet: Define a global default maximum size for IKE packetsTobias Brunner2014-10-103-12/+3
|
* ext-auth: Add an ext-auth plugin invoking an external authorization scriptMartin Willi2014-10-065-0/+485
| | | | Original patch courtesy of Vyronas Tsingaras.
* updown: Use process abstraction to invoke updown scriptMartin Willi2014-10-061-246/+215
|
* stroke: Allow specifying the ipsec.secrets location in strongswan.confShea Levy2014-10-021-2/+10
|
* vici: Add a command to reload strongswan.confMartin Willi2014-09-221-0/+12
|
* eap-radius: Forward Cisco and Microsoft specific DNS/NBNS attributesTobias Brunner2014-09-091-0/+50
| | | | Fixes #677.
* ha: Don't adopt IKEv1 children when building without IKEv1 supportMartin Willi2014-08-281-0/+2
| | | | | | | The adopt_children_job_create() function is not available when IKEv1 support is disabled. Fixes uncommon builds using --enable-ha --disable-ikev1. Fixes #690.
* unity: Do not bump TS to 0.0.0.0/0 as initiator when no Split-Include receivedMartin Willi2014-08-251-1/+21
| | | | | | | When having the unity plugin enabled and both peers send the Unity Vendor ID, we proposed 0.0.0.0/0 as traffic selector, even if no Split-Include has been received on the SA. This can break compatibility with some responders, as they don't narrow the TS themselves, but expect the configured TS.
* unity: Handle narrowing according to roles in the IKE_SATobias Brunner2014-08-251-16/+33
| | | | | | Since the narrow hook types reflect the roles in the Quick Mode exchange the plugin behaved incorrectly if the server initiated the CHILD_SA rekeying.
* xauth-pam: Add workaround for null-terminated passwordsTobias Brunner2014-07-071-1/+6
| | | | Fixes #631.
* stroke: Don't log unspecified options of conn and ca sectionsTobias Brunner2014-06-301-37/+50
|
* libvici: Add missing argument to Doxygen commentTobias Brunner2014-06-301-0/+1
|
* Fixed some typosTobias Brunner2014-06-302-2/+2
|
* updown: Force subnet address to be numericTobias Brunner2014-06-251-2/+2
|
* eap-radius: Increase buffer for accounting attributes to maximum attribute sizeMartin Willi2014-06-251-1/+1
| | | | Fixes #624.
* vici: Install libvici in ipseclibdir like we do with other librariesTobias Brunner2014-06-191-1/+1
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-18 19:43:48 +0000