aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon/plugins
Commit message (Collapse)AuthorAgeFilesLines
...
* traffic-selector: Don't end printf'ed list of traffic selectors with a spaceTobias Brunner2015-11-104-6/+6
|
* vici: Add option to query leases of poolsTobias Brunner2015-11-102-3/+36
| | | | | We could later perhaps add filter parameters similar to those of the `ipsec leases` command (pool name/virtual IP).
* vici: Return local and remote virtual IPs when listing SAsTobias Brunner2015-11-102-0/+36
|
* socket-dynamic: Refactor setting source address when sending messagesTobias Brunner2015-11-091-32/+62
| | | | Basically the same change as the one for the socket-default plugin.
* socket-default: Refactor setting source address when sending messagesTobias Brunner2015-11-091-46/+107
| | | | | | | | | | | This ensures we don't pass data (via msg_control) defined in a different scope to sendmsg(). Actually, some compilers (e.g. GCC 5.2.1) might optimize the memcpy() call away causing the packets not to get sent from the intended source address. It also makes the code clearer than with all these ifdefs. Fixes #1171.
* socket-default: Refactor retrieval of destination address of received packetsTobias Brunner2015-11-091-39/+89
| | | | This makes the code a bit clearer than with the interleaved ifdefs.
* vici: Add NAT information when listing IKE_SAsTobias Brunner2015-11-092-0/+21
| | | | | | | | | | The `nat-local` and `nat-remote` keys contain information on the NAT status of the local and remote IKE endpoints, respectively. If a responder did not detect a NAT but is configured to fake a NAT situation this is indicated by `nat-fake` (if an initiator fakes a NAT situation `nat-local` is set). If any NAT is detected or faked `nat-any` is set. Closes strongswan/strongswan#16.
* stroke: Make down-nb actually non-blockingTobias Brunner2015-11-091-31/+40
| | | | Fixes #1191.
* Explicitly mention SHA2 algorithm in BLISS OIDs and signature schemesAndreas Steffen2015-11-061-3/+3
|
* eap-radius: Fix creation of host_t objects based on Framed-IPv6-Address ↵Tobias Brunner2015-08-281-1/+1
| | | | | | | attributes Fixes ec490e68ae37 ("eap-radius: Add support for some basic IPv6-specific RADIUS attributes"). References #1001.
* eap-ttls: Limit maximum length of tunneled EAP packet to EAP-TTLS packetTobias Brunner2015-08-271-1/+8
|
* ha: Close control FIFO if it is not validTobias Brunner2015-08-271-0/+4
|
* Fix some Doxygen issuesTobias Brunner2015-08-272-2/+2
|
* ike: Only consider number of half-open SAs as responder when deciding ↵Tobias Brunner2015-08-272-2/+2
| | | | whether COOKIEs are sent
* vici: Handle closed sockets in the Ruby gemEvan Broder2015-08-241-1/+5
| | | | | | | | | | | | | | | | From recvfrom(2) (which UDPSocket#recv backs into): The return value will be 0 when the peer has performed an orderly shutdown. (i.e. it will return an empty string) Previously in this scenario, Vici::Transport#recv_all would spin forever trying to pull more data off the socket. I'm not entirely clear what happened that caused strongSwan to shutdown the socket, but it probably should not cause vici Ruby apps to spin. Closes strongswan/strongswan#13.
* vici: Optionally check limits when initiating connectionsTobias Brunner2015-08-212-1/+7
| | | | | If the init-limits parameter is set (disabled by default) init limits will be checked and might prevent new SAs from getting initiated.
* vici: Add get_bool() convenience getter for VICI messagesTobias Brunner2015-08-213-0/+94
|
* controller: Optionally adhere to init limits also when initiating IKE_SAsTobias Brunner2015-08-218-10/+10
|
* stroke: Allow %any as local addressTobias Brunner2015-08-211-3/+7
| | | | | Actually, resolving addresses in `left` might be overkill as we'll assume left=local anyway (the only difference is the log message).
* stroke: Add an option to disable side-swapping of configuration optionsTobias Brunner2015-08-211-33/+46
| | | | | In some scenarios it might be preferred to ensure left is always local and no unintended swaps occur.
* stroke: Change how CA certificates are storedTobias Brunner2015-08-205-58/+285
| | | | | | | | | | | Since 11c14bd2f5 CA certificates referenced in ca sections were enumerated by two credential sets if they were also stored in ipsec.d/cacerts. This caused duplicate certificate requests to get sent. All CA certificates, whether loaded automatically or via a ca section, are now stored in stroke_ca_t. Certificates referenced in ca sections are now also reloaded when `ipsec rereadcacerts` is used.
* stroke: Combine CA certificate load methodsTobias Brunner2015-08-201-82/+74
| | | | | Also use the right credential set for CA cert references loaded from stroke_ca_t.
* stroke: Atomically replace CA and AA certificates when reloading themTobias Brunner2015-08-201-34/+45
| | | | | Previously it was possible that certificates were not found between the time the credential sets were cleared and the certificates got readded.
* sql: Also do a reversed ID matchTobias Brunner2015-08-171-2/+9
| | | | | | | This is required for the case where IDr is not sent (i.e. is %any). The backend manager does the same. Fixes #1044.
* ha: Recreate the control FIFO if the file exists but is not a FIFOTobias Brunner2015-08-171-13/+68
| | | | | | This may happen if something like `echo ... > /path/to/fifo` is used before the plugin was able to create the FIFO. In that case we'd end up in a loop always reading the same values from the static file.
* vici: Add option to disable policy installation for CHILD_SAsTobias Brunner2015-08-171-1/+6
|
* eap-radius: Use Framed-IPv6-Address attributes to send IPv6 VIPs in ↵Tobias Brunner2015-08-171-4/+2
| | | | | | | | | accounting messages This attribute is more appropriate for single IPv6 virtual IPs than the Framed-IPv6-Prefix attribute. Fixes #1001.
* eap-radius: Add support for some basic IPv6-specific RADIUS attributesTobias Brunner2015-08-171-1/+10
| | | | | | These are defined in RFC 6911. Fixes #1001.
* vici: Add listen methods to receive arbitrary events in Python libraryTobias Brunner2015-08-171-0/+34
|
* vici: Move event (un-)registration to a helper method in Python libraryTobias Brunner2015-08-173-49/+60
| | | | | Also make sure events are unregistered in case of exceptions in streamed_request().
* vici: Add ike/child-rekey eventsTobias Brunner2015-08-172-0/+108
|
* vici: Document the ike/child-updown eventsTobias Brunner2015-08-171-0/+23
|
* vici: Don't include a child-sas section in ike-updown eventTobias Brunner2015-08-171-2/+0
| | | | | | This makes it clearer that only the data concerning the IKE_SA is transmitted (there could be CHILD_SAs e.g. during IKEv1 reauthentication).
* vici: Explicitly notify listeners of the type of ike/child-updown eventTobias Brunner2015-08-171-0/+11
|
* Fixed AR identities in mutual TNC measurements caseAndreas Steffen2015-08-151-0/+4
|
* load-tester: Include string.h for strcmp() on some platformsTobias Brunner2015-08-131-0/+1
|
* Initialize variables that some compilers seem to warn aboutTobias Brunner2015-08-131-1/+1
|
* Fixed some typosTobias Brunner2015-08-131-4/+4
|
* whitelist: Use hash() method so DNs with different string types matchTobias Brunner2015-08-061-1/+1
| | | | | | | | | | strongSwan uses PrintableString when encoding DNs from strings (if the character set permits it, otherwise T61String is currently used) but certificates might be encoded with UTF8String even for simple ASCII strings. By ignoring this string type when hashing RDNs we make sure the same hash results in this case as long as the actual string values are the same. Fixes #991.
* updown: Pass virtual IPs assigned to a peer to the updown scriptTobias Brunner2015-08-061-7/+11
| | | | | | Previously only received virtual IPs were available. References #1008.
* eap-radius: Don't send RADIUS Accounting Start messages twiceTobias Brunner2015-08-061-0/+5
| | | | | | | | If a client does Mode Config during reauthentication the assign_vips() event might be triggered twice, we should not send another Start message in that case. Fixes #937.
* eap-radius: Change trigger for Accounting Start messages for IKEv1Tobias Brunner2015-08-061-5/+12
| | | | | | | | | | | | | | | | | | | | | Some clients won't do Mode Config or XAuth during reauthentication. Because Start messages previously were triggered by TRANSACTION exchanges none were sent for new SAs of such clients, while Stop messages were still sent for the old SAs when they were destroyed. This resulted in an incorrect state on the RADIUS server. Since 31be582399 the assign_vips() event is also triggered during reauthentication if the client does not do a Mode Config exchange. So instead of waiting for a TRANSACTION exchange we trigger the Start message when a virtual IP is assigned to a client. With this the charon.plugins.eap-radius.accounting_requires_vip option would not have any effect for IKEv1 anymore. However, it previously also only worked if the client did an XAuth exchange, which is probably rarely used without virtual IPs, so this might not be much of a regression. Fixes #937.
* ha: Properly initialize algo variables when installing CHILD_SAsTobias Brunner2015-08-041-1/+1
| | | | | | | | | | If AEAD algorithms are used no integrity algorithm will be received from the other HA node. But since AUTH_UNDEFINED is 1024 and not 0 this value was incorrectly added to the proposal, resulting in a failure during key derivation. The variables are now explicitly initialized to 0, as already was the case for the IKE SAs. Fixes #1051.
* ha: Sync remote address in HA_IKE_ADD, tooThomas Egerer2015-08-042-0/+11
| | | | | | | | | | | | When the IKE_SA is synced without the remote address, after a reauthentication charon is not able to find it in its connected_peers table since the destination host will be %any (it's missing in the message, hence the default from the newly created ike_sa_t -- %any -- will be used). By adding the value to the HA_IKE_ADD message, we should be able to solve this problem. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* ha: Use the same init values for jhash() as Linux 4.1Tobias Brunner2015-07-311-2/+19
|
* sql: Fix memory leak in SQL loggerTobias Brunner2015-07-281-0/+1
|
* vici: Certification Authority support added.Andreas Steffen2015-07-219-11/+937
| | | | | | CDP and OCSP URIs for a one or multiple certification authorities can be added via the VICI interface. swanctl allows to read definitions from a new authorities section.
* vici: Compute rekey_bytes and rekey_packets if life_bytes and life_packets ↵Andreas Steffen2015-07-201-6/+20
| | | | are defined
* vici: Asynchronize debug loggingMartin Willi2015-07-121-1/+47
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The vici logger uses the listener_t.log() callback to raise vici events. When doing so, it holds the bus lock as reader while acquiring the vici socket mutex (1). If at the same time the vici socket enables a writer, that thread tries to lock the watcher mutex (2). The watcher thread uses debugging while holding the lock, i.e. acquires the bus read lock (3). (1) bus.rlock -> vici.lock! (2) vici.lock -> watcher.lock! (3) watcher.lock -> bus.rlock! This all actually would resolve just fine, as we have a shared read lock on the bus. However, under Windows we seem to have a strict writer preference when acquiring the rwlock (4). This results in blocking read locks until any pending write lock can be fulfilled, and makes the constellation deadlock. The relevant threads are: Thread (1) 6 0x71313d25 in wait_ at threading/windows/mutex.c:137 7 0x7054c8a2 in find_entry at vici_socket.c:201 8 0x7054d690 in send_ at vici_socket.c:624 9 0x7054f6c1 in send_op at vici_dispatcher.c:119 10 0x705502c1 in raise_event at vici_dispatcher.c:469 12 0x704c3878 in log_cb at bus/bus.c:332 13 0x712c7c3a in invoke_function at collections/linked_list.c:414 14 0x704c3a63 in vlog at bus/bus.c:400 15 0x704c3b36 in log_ at bus/bus.c:430 18 0x70508f1f in process_response at sa/ikev2/task_manager_v2.c:664 20 0x704f5430 in process_message at sa/ike_sa.c:1369 21 0x704e3823 in execute at processing/jobs/process_message_job.c:74 22 0x712e629f in process_job at processing/processor.c:235 Thread (2) 4 0x71313b61 in lock at threading/windows/mutex.c:66 5 0x712e81fd in add at processing/watcher.c:441 6 0x712e1ab9 in add_watcher at networking/streams/stream.c:213 7 0x712e1b4d in on_write at networking/streams/stream.c:237 8 0x7054d606 in _cb_enable_writer at vici_socket.c:609 9 0x712e5e34 in execute at processing/jobs/callback_job.c:77 10 0x712e629f in process_job at processing/processor.c:235 Thread (3) 3 0x71313f38 in read_lock at threading/windows/rwlock.c:74 4 0x704c3971 in vlog at bus/bus.c:373 5 0x704cc156 in dbg_bus at daemon.c:126 6 0x712e7bf9 in watch at processing/watcher.c:316 7 0x712e5e34 in execute at processing/jobs/callback_job.c:77 8 0x712e629f in process_job at processing/processor.c:235 Thread (4) 3 0x71313f70 in write_lock at threading/windows/rwlock.c:82 4 0x704c378b in remove_logger at bus/bus.c:290 5 0x704cb284 in listener_unregister at control/controller.c:166 6 0x713136cd in thread_cleanup_pop at threading/windows/thread.c:558 8 0x704cb94e in initiate at control/controller.c:435 9 0x70553996 in _cb_initiate at vici_control.c:187 12 0x7054d200 in _cb_process_queue at vici_socket.c:508 13 0x712e5e34 in execute at processing/jobs/callback_job.c:77 14 0x712e629f in process_job at processing/processor.c:235 To avoid such a situation, we dissolve the (1) lock sequence. It's actually never good practice to acquire shared locks during bus hooks, as it is problematic if we raise bus events while holding the lock. We do so by raising vici events for log message asynchronously, but of curse must keep log order as is using a synchronized queue.
* osx-attr: Optionally replace existing DNS server instead of appending themMartin Willi2015-06-181-3/+27
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-10 13:31:45 +0000