aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon/plugins
Commit message (Collapse)AuthorAgeFilesLines
...
* vici: Attribute certificates are not trustedTobias Brunner2015-11-121-1/+3
|
* vici: Properly add CRLs to the credential setTobias Brunner2015-11-121-2/+8
| | | | add_crl() ensures that old CLRs are not stored in the credential set.
* eap-radius: Compare address family when handing out virtual IPsTobias Brunner2015-11-121-6/+26
| | | | | | | This also ensures that the actually released virtual IP is removed from the list of claimed IPs. Fixes #1199.
* eap-mschapv2: Report username if different from EAP-Identity (or IKE identity)Tobias Brunner2015-11-121-1/+4
|
* eap-mschapv2: Provide EAP-MSCHAPv2 username as EAP-IdentityTobias Brunner2015-11-121-2/+17
|
* kernel-interface: Pass the same data to del_policy() that was passed to ↵Tobias Brunner2015-11-103-9/+12
| | | | | | | add_policy() The additional data can be helpful to identify the exact policy to delete.
* traffic-selector: Don't end printf'ed list of traffic selectors with a spaceTobias Brunner2015-11-104-6/+6
|
* vici: Add option to query leases of poolsTobias Brunner2015-11-102-3/+36
| | | | | We could later perhaps add filter parameters similar to those of the `ipsec leases` command (pool name/virtual IP).
* vici: Return local and remote virtual IPs when listing SAsTobias Brunner2015-11-102-0/+36
|
* socket-dynamic: Refactor setting source address when sending messagesTobias Brunner2015-11-091-32/+62
| | | | Basically the same change as the one for the socket-default plugin.
* socket-default: Refactor setting source address when sending messagesTobias Brunner2015-11-091-46/+107
| | | | | | | | | | | This ensures we don't pass data (via msg_control) defined in a different scope to sendmsg(). Actually, some compilers (e.g. GCC 5.2.1) might optimize the memcpy() call away causing the packets not to get sent from the intended source address. It also makes the code clearer than with all these ifdefs. Fixes #1171.
* socket-default: Refactor retrieval of destination address of received packetsTobias Brunner2015-11-091-39/+89
| | | | This makes the code a bit clearer than with the interleaved ifdefs.
* vici: Add NAT information when listing IKE_SAsTobias Brunner2015-11-092-0/+21
| | | | | | | | | | The `nat-local` and `nat-remote` keys contain information on the NAT status of the local and remote IKE endpoints, respectively. If a responder did not detect a NAT but is configured to fake a NAT situation this is indicated by `nat-fake` (if an initiator fakes a NAT situation `nat-local` is set). If any NAT is detected or faked `nat-any` is set. Closes strongswan/strongswan#16.
* stroke: Make down-nb actually non-blockingTobias Brunner2015-11-091-31/+40
| | | | Fixes #1191.
* Explicitly mention SHA2 algorithm in BLISS OIDs and signature schemesAndreas Steffen2015-11-061-3/+3
|
* eap-radius: Fix creation of host_t objects based on Framed-IPv6-Address ↵Tobias Brunner2015-08-281-1/+1
| | | | | | | attributes Fixes ec490e68ae37 ("eap-radius: Add support for some basic IPv6-specific RADIUS attributes"). References #1001.
* eap-ttls: Limit maximum length of tunneled EAP packet to EAP-TTLS packetTobias Brunner2015-08-271-1/+8
|
* ha: Close control FIFO if it is not validTobias Brunner2015-08-271-0/+4
|
* Fix some Doxygen issuesTobias Brunner2015-08-272-2/+2
|
* ike: Only consider number of half-open SAs as responder when deciding ↵Tobias Brunner2015-08-272-2/+2
| | | | whether COOKIEs are sent
* vici: Handle closed sockets in the Ruby gemEvan Broder2015-08-241-1/+5
| | | | | | | | | | | | | | | | From recvfrom(2) (which UDPSocket#recv backs into): The return value will be 0 when the peer has performed an orderly shutdown. (i.e. it will return an empty string) Previously in this scenario, Vici::Transport#recv_all would spin forever trying to pull more data off the socket. I'm not entirely clear what happened that caused strongSwan to shutdown the socket, but it probably should not cause vici Ruby apps to spin. Closes strongswan/strongswan#13.
* vici: Optionally check limits when initiating connectionsTobias Brunner2015-08-212-1/+7
| | | | | If the init-limits parameter is set (disabled by default) init limits will be checked and might prevent new SAs from getting initiated.
* vici: Add get_bool() convenience getter for VICI messagesTobias Brunner2015-08-213-0/+94
|
* controller: Optionally adhere to init limits also when initiating IKE_SAsTobias Brunner2015-08-218-10/+10
|
* stroke: Allow %any as local addressTobias Brunner2015-08-211-3/+7
| | | | | Actually, resolving addresses in `left` might be overkill as we'll assume left=local anyway (the only difference is the log message).
* stroke: Add an option to disable side-swapping of configuration optionsTobias Brunner2015-08-211-33/+46
| | | | | In some scenarios it might be preferred to ensure left is always local and no unintended swaps occur.
* stroke: Change how CA certificates are storedTobias Brunner2015-08-205-58/+285
| | | | | | | | | | | Since 11c14bd2f5 CA certificates referenced in ca sections were enumerated by two credential sets if they were also stored in ipsec.d/cacerts. This caused duplicate certificate requests to get sent. All CA certificates, whether loaded automatically or via a ca section, are now stored in stroke_ca_t. Certificates referenced in ca sections are now also reloaded when `ipsec rereadcacerts` is used.
* stroke: Combine CA certificate load methodsTobias Brunner2015-08-201-82/+74
| | | | | Also use the right credential set for CA cert references loaded from stroke_ca_t.
* stroke: Atomically replace CA and AA certificates when reloading themTobias Brunner2015-08-201-34/+45
| | | | | Previously it was possible that certificates were not found between the time the credential sets were cleared and the certificates got readded.
* sql: Also do a reversed ID matchTobias Brunner2015-08-171-2/+9
| | | | | | | This is required for the case where IDr is not sent (i.e. is %any). The backend manager does the same. Fixes #1044.
* ha: Recreate the control FIFO if the file exists but is not a FIFOTobias Brunner2015-08-171-13/+68
| | | | | | This may happen if something like `echo ... > /path/to/fifo` is used before the plugin was able to create the FIFO. In that case we'd end up in a loop always reading the same values from the static file.
* vici: Add option to disable policy installation for CHILD_SAsTobias Brunner2015-08-171-1/+6
|
* eap-radius: Use Framed-IPv6-Address attributes to send IPv6 VIPs in ↵Tobias Brunner2015-08-171-4/+2
| | | | | | | | | accounting messages This attribute is more appropriate for single IPv6 virtual IPs than the Framed-IPv6-Prefix attribute. Fixes #1001.
* eap-radius: Add support for some basic IPv6-specific RADIUS attributesTobias Brunner2015-08-171-1/+10
| | | | | | These are defined in RFC 6911. Fixes #1001.
* vici: Add listen methods to receive arbitrary events in Python libraryTobias Brunner2015-08-171-0/+34
|
* vici: Move event (un-)registration to a helper method in Python libraryTobias Brunner2015-08-173-49/+60
| | | | | Also make sure events are unregistered in case of exceptions in streamed_request().
* vici: Add ike/child-rekey eventsTobias Brunner2015-08-172-0/+108
|
* vici: Document the ike/child-updown eventsTobias Brunner2015-08-171-0/+23
|
* vici: Don't include a child-sas section in ike-updown eventTobias Brunner2015-08-171-2/+0
| | | | | | This makes it clearer that only the data concerning the IKE_SA is transmitted (there could be CHILD_SAs e.g. during IKEv1 reauthentication).
* vici: Explicitly notify listeners of the type of ike/child-updown eventTobias Brunner2015-08-171-0/+11
|
* Fixed AR identities in mutual TNC measurements caseAndreas Steffen2015-08-151-0/+4
|
* load-tester: Include string.h for strcmp() on some platformsTobias Brunner2015-08-131-0/+1
|
* Initialize variables that some compilers seem to warn aboutTobias Brunner2015-08-131-1/+1
|
* Fixed some typosTobias Brunner2015-08-131-4/+4
|
* whitelist: Use hash() method so DNs with different string types matchTobias Brunner2015-08-061-1/+1
| | | | | | | | | | strongSwan uses PrintableString when encoding DNs from strings (if the character set permits it, otherwise T61String is currently used) but certificates might be encoded with UTF8String even for simple ASCII strings. By ignoring this string type when hashing RDNs we make sure the same hash results in this case as long as the actual string values are the same. Fixes #991.
* updown: Pass virtual IPs assigned to a peer to the updown scriptTobias Brunner2015-08-061-7/+11
| | | | | | Previously only received virtual IPs were available. References #1008.
* eap-radius: Don't send RADIUS Accounting Start messages twiceTobias Brunner2015-08-061-0/+5
| | | | | | | | If a client does Mode Config during reauthentication the assign_vips() event might be triggered twice, we should not send another Start message in that case. Fixes #937.
* eap-radius: Change trigger for Accounting Start messages for IKEv1Tobias Brunner2015-08-061-5/+12
| | | | | | | | | | | | | | | | | | | | | Some clients won't do Mode Config or XAuth during reauthentication. Because Start messages previously were triggered by TRANSACTION exchanges none were sent for new SAs of such clients, while Stop messages were still sent for the old SAs when they were destroyed. This resulted in an incorrect state on the RADIUS server. Since 31be582399 the assign_vips() event is also triggered during reauthentication if the client does not do a Mode Config exchange. So instead of waiting for a TRANSACTION exchange we trigger the Start message when a virtual IP is assigned to a client. With this the charon.plugins.eap-radius.accounting_requires_vip option would not have any effect for IKEv1 anymore. However, it previously also only worked if the client did an XAuth exchange, which is probably rarely used without virtual IPs, so this might not be much of a regression. Fixes #937.
* ha: Properly initialize algo variables when installing CHILD_SAsTobias Brunner2015-08-041-1/+1
| | | | | | | | | | If AEAD algorithms are used no integrity algorithm will be received from the other HA node. But since AUTH_UNDEFINED is 1024 and not 0 this value was incorrectly added to the proposal, resulting in a failure during key derivation. The variables are now explicitly initialized to 0, as already was the case for the IKE SAs. Fixes #1051.
* ha: Sync remote address in HA_IKE_ADD, tooThomas Egerer2015-08-042-0/+11
| | | | | | | | | | | | When the IKE_SA is synced without the remote address, after a reauthentication charon is not able to find it in its connected_peers table since the destination host will be %any (it's missing in the message, hence the default from the newly created ike_sa_t -- %any -- will be used). By adding the value to the HA_IKE_ADD message, we should be able to solve this problem. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-18 03:32:15 +0000