aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon/plugins
Commit message (Collapse)AuthorAgeFilesLines
...
* Built the CPAN file structure for the Vici::Session perl moduleAndreas Steffen2015-12-0115-72/+1038
|
* Implement vici Perl bindingAndreas Steffen2015-12-018-0/+559
|
* vici: Add get-algorithms command to query loaded algorithms and implementationsTobias Brunner2015-11-302-0/+116
|
* eap-radius: Add ability to configure RADIUS retransmission behaviorThom Troy2015-11-171-2/+58
| | | | Closes strongswan/strongswan#19.
* eap-mschapv2: Keep internal state to prevent authentication from succeeding ↵Tobias Brunner2015-11-161-24/+67
| | | | | | | | | prematurely We can't allow a client to send us MSCHAPV2_SUCCESS messages before it was authenticated successfully. Fixes CVE-2015-8023.
* vici: Attribute certificates are not trustedTobias Brunner2015-11-121-1/+3
|
* vici: Properly add CRLs to the credential setTobias Brunner2015-11-121-2/+8
| | | | add_crl() ensures that old CLRs are not stored in the credential set.
* eap-radius: Compare address family when handing out virtual IPsTobias Brunner2015-11-121-6/+26
| | | | | | | This also ensures that the actually released virtual IP is removed from the list of claimed IPs. Fixes #1199.
* eap-mschapv2: Report username if different from EAP-Identity (or IKE identity)Tobias Brunner2015-11-121-1/+4
|
* eap-mschapv2: Provide EAP-MSCHAPv2 username as EAP-IdentityTobias Brunner2015-11-121-2/+17
|
* kernel-interface: Pass the same data to del_policy() that was passed to ↵Tobias Brunner2015-11-103-9/+12
| | | | | | | add_policy() The additional data can be helpful to identify the exact policy to delete.
* traffic-selector: Don't end printf'ed list of traffic selectors with a spaceTobias Brunner2015-11-104-6/+6
|
* vici: Add option to query leases of poolsTobias Brunner2015-11-102-3/+36
| | | | | We could later perhaps add filter parameters similar to those of the `ipsec leases` command (pool name/virtual IP).
* vici: Return local and remote virtual IPs when listing SAsTobias Brunner2015-11-102-0/+36
|
* socket-dynamic: Refactor setting source address when sending messagesTobias Brunner2015-11-091-32/+62
| | | | Basically the same change as the one for the socket-default plugin.
* socket-default: Refactor setting source address when sending messagesTobias Brunner2015-11-091-46/+107
| | | | | | | | | | | This ensures we don't pass data (via msg_control) defined in a different scope to sendmsg(). Actually, some compilers (e.g. GCC 5.2.1) might optimize the memcpy() call away causing the packets not to get sent from the intended source address. It also makes the code clearer than with all these ifdefs. Fixes #1171.
* socket-default: Refactor retrieval of destination address of received packetsTobias Brunner2015-11-091-39/+89
| | | | This makes the code a bit clearer than with the interleaved ifdefs.
* vici: Add NAT information when listing IKE_SAsTobias Brunner2015-11-092-0/+21
| | | | | | | | | | The `nat-local` and `nat-remote` keys contain information on the NAT status of the local and remote IKE endpoints, respectively. If a responder did not detect a NAT but is configured to fake a NAT situation this is indicated by `nat-fake` (if an initiator fakes a NAT situation `nat-local` is set). If any NAT is detected or faked `nat-any` is set. Closes strongswan/strongswan#16.
* stroke: Make down-nb actually non-blockingTobias Brunner2015-11-091-31/+40
| | | | Fixes #1191.
* Explicitly mention SHA2 algorithm in BLISS OIDs and signature schemesAndreas Steffen2015-11-061-3/+3
|
* eap-radius: Fix creation of host_t objects based on Framed-IPv6-Address ↵Tobias Brunner2015-08-281-1/+1
| | | | | | | attributes Fixes ec490e68ae37 ("eap-radius: Add support for some basic IPv6-specific RADIUS attributes"). References #1001.
* eap-ttls: Limit maximum length of tunneled EAP packet to EAP-TTLS packetTobias Brunner2015-08-271-1/+8
|
* ha: Close control FIFO if it is not validTobias Brunner2015-08-271-0/+4
|
* Fix some Doxygen issuesTobias Brunner2015-08-272-2/+2
|
* ike: Only consider number of half-open SAs as responder when deciding ↵Tobias Brunner2015-08-272-2/+2
| | | | whether COOKIEs are sent
* vici: Handle closed sockets in the Ruby gemEvan Broder2015-08-241-1/+5
| | | | | | | | | | | | | | | | From recvfrom(2) (which UDPSocket#recv backs into): The return value will be 0 when the peer has performed an orderly shutdown. (i.e. it will return an empty string) Previously in this scenario, Vici::Transport#recv_all would spin forever trying to pull more data off the socket. I'm not entirely clear what happened that caused strongSwan to shutdown the socket, but it probably should not cause vici Ruby apps to spin. Closes strongswan/strongswan#13.
* vici: Optionally check limits when initiating connectionsTobias Brunner2015-08-212-1/+7
| | | | | If the init-limits parameter is set (disabled by default) init limits will be checked and might prevent new SAs from getting initiated.
* vici: Add get_bool() convenience getter for VICI messagesTobias Brunner2015-08-213-0/+94
|
* controller: Optionally adhere to init limits also when initiating IKE_SAsTobias Brunner2015-08-218-10/+10
|
* stroke: Allow %any as local addressTobias Brunner2015-08-211-3/+7
| | | | | Actually, resolving addresses in `left` might be overkill as we'll assume left=local anyway (the only difference is the log message).
* stroke: Add an option to disable side-swapping of configuration optionsTobias Brunner2015-08-211-33/+46
| | | | | In some scenarios it might be preferred to ensure left is always local and no unintended swaps occur.
* stroke: Change how CA certificates are storedTobias Brunner2015-08-205-58/+285
| | | | | | | | | | | Since 11c14bd2f5 CA certificates referenced in ca sections were enumerated by two credential sets if they were also stored in ipsec.d/cacerts. This caused duplicate certificate requests to get sent. All CA certificates, whether loaded automatically or via a ca section, are now stored in stroke_ca_t. Certificates referenced in ca sections are now also reloaded when `ipsec rereadcacerts` is used.
* stroke: Combine CA certificate load methodsTobias Brunner2015-08-201-82/+74
| | | | | Also use the right credential set for CA cert references loaded from stroke_ca_t.
* stroke: Atomically replace CA and AA certificates when reloading themTobias Brunner2015-08-201-34/+45
| | | | | Previously it was possible that certificates were not found between the time the credential sets were cleared and the certificates got readded.
* sql: Also do a reversed ID matchTobias Brunner2015-08-171-2/+9
| | | | | | | This is required for the case where IDr is not sent (i.e. is %any). The backend manager does the same. Fixes #1044.
* ha: Recreate the control FIFO if the file exists but is not a FIFOTobias Brunner2015-08-171-13/+68
| | | | | | This may happen if something like `echo ... > /path/to/fifo` is used before the plugin was able to create the FIFO. In that case we'd end up in a loop always reading the same values from the static file.
* vici: Add option to disable policy installation for CHILD_SAsTobias Brunner2015-08-171-1/+6
|
* eap-radius: Use Framed-IPv6-Address attributes to send IPv6 VIPs in ↵Tobias Brunner2015-08-171-4/+2
| | | | | | | | | accounting messages This attribute is more appropriate for single IPv6 virtual IPs than the Framed-IPv6-Prefix attribute. Fixes #1001.
* eap-radius: Add support for some basic IPv6-specific RADIUS attributesTobias Brunner2015-08-171-1/+10
| | | | | | These are defined in RFC 6911. Fixes #1001.
* vici: Add listen methods to receive arbitrary events in Python libraryTobias Brunner2015-08-171-0/+34
|
* vici: Move event (un-)registration to a helper method in Python libraryTobias Brunner2015-08-173-49/+60
| | | | | Also make sure events are unregistered in case of exceptions in streamed_request().
* vici: Add ike/child-rekey eventsTobias Brunner2015-08-172-0/+108
|
* vici: Document the ike/child-updown eventsTobias Brunner2015-08-171-0/+23
|
* vici: Don't include a child-sas section in ike-updown eventTobias Brunner2015-08-171-2/+0
| | | | | | This makes it clearer that only the data concerning the IKE_SA is transmitted (there could be CHILD_SAs e.g. during IKEv1 reauthentication).
* vici: Explicitly notify listeners of the type of ike/child-updown eventTobias Brunner2015-08-171-0/+11
|
* Fixed AR identities in mutual TNC measurements caseAndreas Steffen2015-08-151-0/+4
|
* load-tester: Include string.h for strcmp() on some platformsTobias Brunner2015-08-131-0/+1
|
* Initialize variables that some compilers seem to warn aboutTobias Brunner2015-08-131-1/+1
|
* Fixed some typosTobias Brunner2015-08-131-4/+4
|
* whitelist: Use hash() method so DNs with different string types matchTobias Brunner2015-08-061-1/+1
| | | | | | | | | | strongSwan uses PrintableString when encoding DNs from strings (if the character set permits it, otherwise T61String is currently used) but certificates might be encoded with UTF8String even for simple ASCII strings. By ignoring this string type when hashing RDNs we make sure the same hash results in this case as long as the actual string values are the same. Fixes #991.
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-15 10:54:00 +0000