path: root/src/libcharon/plugins
Commit message | Author | Date | Files | Lines
* Fixed some typos, courtesy of codespell | Tobias Brunner | 2017-11-15 | 2 | -2/+2
* unit-tests: Rename targets for libstrongswan and kernel-netlink | Thomas Egerer | 2017-11-09 | 1 | -5/+5
  libstrongswan and kernel-netlink are the only two components which do not adhere to the naming scheme used for all other tests. If the tests are run by an external application, this imposes problems due to clashing names.
  Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* kernel-pfkey: Support anti-replay windows > 2k | Tobias Brunner | 2017-11-08 | 1 | -1/+14
  FreeBSD 11.1 supports a new extension to configure larger anti-replay windows, now configured as number of packets. Fixes #2461.
* kernel-pfkey: Don't include keys in SADB_UPDATE message to update IPs on FreeBSD | Tobias Brunner | 2017-11-08 | 1 | -0/+3
  The FreeBSD kernel explicitly rejects messages containing keys for mature SAs. Fixes #2457.
* vici: Add 'get|reset-counters' commands | Tobias Brunner | 2017-11-08 | 4 | -1/+191
* counters: Move IKE event counter collection from stroke to a separate plugin | Tobias Brunner | 2017-11-08 | 11 | -387/+849
* systime-fix: Add timeout option to stop waiting for valid system time | Tobias Brunner | 2017-11-08 | 1 | -10/+42
  A certificate check is forced once the timeout is reached even if the system time appears to be invalid.
* vici: Make setting mark on inbound SA configurable | Tobias Brunner | 2017-11-02 | 1 | -7/+19
* eap-radius: Optionally send Class attributes in RADIUS accounting messages | Tobias Brunner | 2017-11-02 | 3 | -21/+83
  If enabled, add the RADIUS Class attributes received in Access-Accept messages to RADIUS accounting messages as suggested by RFC 2865 section 5.25. Fixes #2451.
* kernel-netlink: Add strings for newer XFRM attribute types | Tobias Brunner | 2017-10-06 | 1 | -1/+6
* kernel-pfroute: Delay call to if_indextoname(3) when handling RTM_IFINFO | Tobias Brunner | 2017-09-26 | 1 | -0/+5
  It seems that there is a race, at least in 10.13, that lets if_indextoname() fail for the new TUN device. So we delay the call a bit, which seems to "fix" the issue. It's strange anyway that the previous delay was only applied when an iface entry was already found.
* dhcp: Fix warning regarding unaligned pointer value due to packed struct | Tobias Brunner | 2017-09-18 | 1 | -1/+1
  We don't need to access this as uint32_t so just cast it to a char*.
* dhcp: Don't use signed char for DHCP options | Tobias Brunner | 2017-09-18 | 1 | -1/+1
  The value of DHCP_OPTEND is 255. When it is assigned, this results in a sign change as the positive int constant is cast to a signed char and -1 results. Clang 4.0 complains about this.
* kernel-netlink: Set usable state whenever an interface appears | Tobias Brunner | 2017-08-23 | 1 | -2/+2
  If an interface is renamed we already have an entry (based on the ifindex) allocated but previously only set the usable state once based on the original name. Fixes #2403.
* Fixed some typos, courtesy of codespell | Tobias Brunner | 2017-08-07 | 2 | -2/+2
* kernel-netlink: Wipe buffer used to read Netlink messages | Tobias Brunner | 2017-08-07 | 1 | -2/+12
  When querying SAs the keys will end up in this buffer (the allocated messages that are returned are already wiped). The kernel also returns XFRM_MSG_NEWSA as response to XFRM_MSG_ALLOCSPI but we can't distinguish this here as we only see the response. References #2388.
* kernel-netlink: Set SPI on outbound policy | Tobias Brunner | 2017-08-07 | 1 | -4/+10
  This should cause the right SA to get used if there are multiple outbound SAs and the policies are installed properly.
* error-notify: Don't stop sending notifies after removing a disconnected listener | Tobias Brunner | 2017-07-27 | 1 | -2/+1
  This prevented new listeners from receiving notifies if they joined after another listener disconnected previously, and if they themselves disconnected their old connection would prevent them again from getting notifies.
* farp: Only remove one tracked entry | Tobias Brunner | 2017-07-27 | 1 | -0/+1
  Multiple CHILD_SAs sharing the same traffic selectors (e.g. during make-before-break reauthentication) also have the same reqid assigned. If all matching entries are removed we could end up without entry even though an SA exists that still uses these traffic selectors. Fixes #2373.
* kernel-pfroute: Make sure there is a netmask when enumerating subnets | Tobias Brunner | 2017-07-05 | 1 | -2/+2
* sql: Use qualified names in SQL query statements | Tobias Brunner | 2017-07-05 | 2 | -49/+54
  VIRTUAL is a new reserved keyword in MySQL 5.7.6 that caused some of these queries to fail. Fixes #2359.
* stroke: Don't load configs with invalid proposals | Tobias Brunner | 2017-07-05 | 1 | -7/+20
  References #2347.
* eap-aka-3gpp: Add plugin that implements 3GPP MILENAGE algorithm in software | Tobias Brunner | 2017-07-05 | 9 | -0/+1373
  This is similar to the eap-aka-3gpp2 plugin. K (optionally concatenated with OPc) may be configured as binary EAP secret in ipsec.secrets or swanctl.conf. Based on a patch by Thomas Strangert. Fixes #2326.
* eap-sim-file: Remove redundant enumerator allocation | Tobias Brunner | 2017-05-26 | 1 | -1/+1
* sql: Remove redundant enumerator allocation | Tobias Brunner | 2017-05-26 | 1 | -1/+1
  Interestingly, this doesn't show up in the regression tests because the compiler removes the first assignment (and thus the allocation) due to -O2 that's included in our default CFLAGS.
* Fixed some typos, courtesy of codespell | Tobias Brunner | 2017-05-26 | 4 | -5/+5
* linked-list: Change return value of find_first() and signature of its callback | Tobias Brunner | 2017-05-26 | 10 | -96/+91
  This avoids the unportable five pointer hack.
* linked-list: Change interface of callback for invoke_function() | Tobias Brunner | 2017-05-26 | 3 | -18/+48
  This avoids the unportable five pointer hack.
* Change interface for enumerator_create_filter() callback | Tobias Brunner | 2017-05-26 | 14 | -257/+343
  This avoids the unportable 5 pointer hack, but requires enumerating in the callback.
* Migrate all enumerators to venumerate() interface change | Tobias Brunner | 2017-05-26 | 25 | -132/+256
* vici: Make 96-bit truncation for SHA-256 configurable | Tobias Brunner | 2017-05-26 | 1 | -0/+11
* stroke: Make 96-bit truncation for SHA-256 configurable | Tobias Brunner | 2017-05-26 | 2 | -1/+3
* android-log: Link against liblog | Tobias Brunner | 2017-05-26 | 1 | -0/+1
* child-sa: Change API used to set/install policies | Tobias Brunner | 2017-05-23 | 1 | -9/+7
  This way we only have to pass the traffic selectors once.
* tnc-ifmap: Null-terminate buffer to make sscanf()-calls safe | Tobias Brunner | 2017-05-23 | 1 | -4/+5
* kernel-netlink: Use total retransmit timeout as acquire timeout | Tobias Brunner | 2017-05-23 | 2 | -13/+23
  By using the total retransmit timeout, modifications of timeout settings automatically reflect on the value of xfrm_acq_expires. If set, the value of xfrm_acq_expires configured by the user takes precedence over the calculated value.
* kernel-netlink: Try to add new inbound SA if update fails | Thomas Egerer | 2017-05-23 | 1 | -3/+12
  When establishing a traffic-triggered CHILD_SA involves the setup of an IKE_SA, more than one exchange is required. As a result the temporary acquire state may have expired -- even if the acquire expiration (xfrm_acq_expires) time is set properly (165 by default). The expire message sent by the kernel is not processed in charon since no trap can be found by the trap manager. A possible solution could be to track allocated SPIs. But since this is a corner case and the tracking introduces quite a bit of overhead, it seems much more sensible to add a new state if the update of a state fails with NOT_FOUND.
  Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* kernel-pfkey: Update SA addresses if supported by the kernel | Tobias Brunner | 2017-05-23 | 1 | -21/+16
  Upcoming FreeBSD kernels will support updating the addresses of existing SAs with new SADB_X_EXT_NEW_ADDRESS_SRC|DST extensions for the SADB_UPDATE message.
* kernel-pfkey: Use new encap flag on Mac OS X when updating SAs | Tobias Brunner | 2017-05-23 | 1 | -1/+1
* kernel-netlink: Update hardware offload attribute when SAs are updated | Tobias Brunner | 2017-05-23 | 1 | -11/+37
* kernel-netlink: Base SA update on correct message in multi-message response | Tobias Brunner | 2017-05-23 | 1 | -7/+7
* vici: Make hardware offload configurable | Tobias Brunner | 2017-05-23 | 1 | -0/+11
* child-cfg: Use flags for boolean options | Tobias Brunner | 2017-05-23 | 6 | -20/+67
  Makes it potentially easier to add new flags.
* kernel-netlink: Enable hardware offloading if configured for an SA | Tobias Brunner | 2017-05-23 | 1 | -0/+25
* kernel-netlink: Directly handle Netlink messages if thread pool is empty | Tobias Brunner | 2017-05-23 | 1 | -1/+2
  During initialization of the plugins the thread pool is not yet initialized so there is no watcher thread that could handle the queued Netlink message and the main thread will wait indefinitely for a response. Fixes #2199.
* socket-default: Add an option to force the sending interface via IP_PKTINFO | Martin Willi | 2017-05-23 | 1 | -7/+48
  On Linux, setting the source address is insufficient to force a packet to be sent over a certain path. The kernel uses the best route to select the outgoing interface, even if we set a source address of a lower priority interface. This is not only true for interfaces attaching to the same subnet, but also for unrelated interfaces; the kernel (at least on 4.7) sends out the packet on whatever interface it sees fit, even if that network does not expect packets from the source address we force to.

  When a better interface becomes available, strongSwan sends its MOBIKE address list update using the old source address. But the kernel sends that packet over the new best interface. If that network drops packets having the unexpected source address from the old path, the MOBIKE update fails and the SA finally times out.

  To enforce a specific interface for our packet, we explicitly set the interface index from the interface where the source address is installed. According to ip(7), this overrules the specified source address to the primary interface address. As this could have side effects to installations using multiple addresses on a single interface, we disable the option by default for now.

  This also allows using IPv6 link-local addresses, which won't work if the outbound interface is not set explicitly.
* Add an option to announce support for IKE fragmentation but not sending fragments | Tobias Brunner | 2017-05-23 | 1 | -0/+1
* vici: Return key ID from load-key command | Tobias Brunner | 2017-05-23 | 2 | -4/+13
  We already do this for load-token and this should simplify client implementations.
* attr-sql: Make release of online leases during startup optional | Tobias Brunner | 2017-05-19 | 1 | -8/+12
  This cleanup prevents sharing the same DB between multiple VPN gateways.
* eap-simaka-sql: Fixed database column from use to used | Andreas Steffen | 2017-04-26 | 1 | -4/+7