aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon
Commit message (Collapse)AuthorAgeFilesLines
...
* IMCs and IMVs might depend on X.509 certificates or trusted public keysAndreas Steffen2012-06-282-0/+4
|
* Show some uname() info in "ipsec statusall"Martin Willi2012-06-281-3/+10
|
* libcharon also requires kernel interfaces and a socket implementationTobias Brunner2012-06-271-0/+3
|
* Defer quick mode initiation if we expect a mode config requestMartin Willi2012-06-271-1/+20
|
* Queue a mode config task as responder if we need a virtual IPMartin Willi2012-06-272-4/+16
|
* Add basic support for XAuth responder authenticationMartin Willi2012-06-272-8/+10
|
* Map XAuth responder authentication methods between IKEv1 and IKEv2Martin Willi2012-06-271-1/+13
|
* Show remote EAP/XAuth identity in "statusall" on a separate lineMartin Willi2012-06-271-1/+12
|
* Use static plugin features in libcharon to define essential dependenciesTobias Brunner2012-06-271-1/+10
|
* Ignore a received %any virtual IP for installationMartin Willi2012-06-261-1/+2
|
* Also build charon's IKEv1 implementation on AndroidTobias Brunner2012-06-261-0/+23
|
* Missing source file added to libcharon's Android.mkTobias Brunner2012-06-261-0/+1
|
* Make rescheduling a job more predictableTobias Brunner2012-06-252-12/+5
| | | | | | | | | | | | | This avoids race conditions between calls to cancel() and jobs that like to be rescheduled. If jobs were able to reschedule themselves it would theoretically be possible that two worker threads have the same job assigned (the one currently executing the job and the one executing the same but rescheduled job if it already is time to execute it), this means that cancel() could be called twice for that job. Creating a new job based on the current one and reschedule that is also OK, but rescheduling itself is more efficient for jobs that need to be executed often.
* Centralized thread cancellation in processor_tTobias Brunner2012-06-2518-182/+97
| | | | | | | | | | This ensures that no threads are active when plugins and the rest of the daemon are unloaded. callback_job_t was simplified a lot in the process as its main functionality is now contained in processor_t. The parent-child relationships were abandoned as these were only needed to simplify job cancellation.
* Give processor_t more control over the lifecycle of a jobTobias Brunner2012-06-2520-64/+60
| | | | | | | | | | | Jobs are now destroyed by the processor, but they are allowed to reschedule themselves. That is, parts of the reschedule functionality already provided by callback_job_t is moved to the processor. Not yet fully supported is JOB_REQUEUE_DIRECT and canceling jobs. Note: job_t.destroy() is now called not only for queued jobs but also after execution or cancellation of jobs. job_t.status can be used to decide what to do in said method.
* support Cisco Unity VIDAndreas Steffen2012-06-252-3/+11
|
* Enforce uniqueids=keep based on XAuth identityMartin Willi2012-06-251-0/+6
|
* Don't send XAUTH_OK if a hook prevents SA to establishMartin Willi2012-06-251-4/+14
|
* Enforce uniqueids=keep only for non-XAuth Main/Agressive ModesMartin Willi2012-06-252-28/+28
|
* Show EAP/XAuth identity in "ipsec status", if availableMartin Willi2012-06-251-1/+1
|
* Use XAuth/EAP remote identity for uniqueness checkMartin Willi2012-06-253-4/+6
|
* Add missing XAuth name variable when complaining about missing XAuth backendMartin Willi2012-06-251-1/+1
|
* Fix SIGSEGV if kernel install fails during Quick Mode as responder.Tobias Brunner2012-06-221-4/+8
|
* Fixed compile error because of charon->name in certexpire plugin.Tobias Brunner2012-06-211-0/+1
|
* Select requested virtual IP family based on remote TS, if no local TS availableMartin Willi2012-06-201-1/+12
|
* Adopt children as XAuth initiator (which is IKE responder)Martin Willi2012-06-141-2/+2
|
* Show what kind of *Swan we run in "ipsec status"Martin Willi2012-06-141-3/+16
|
* Require a scary option to respond to Aggressive Mode PSK requestsMartin Willi2012-06-141-0/+17
| | | | | | | | While Aggressive Mode PSK is widely used, it is known to be subject to dictionary attacks by passive attackers. We don't complain as initiator to be compatible with existing (insecure) setups, but require a scary strongswan.conf option if someone wants to use it as responder.
* Use proper defines for IPV6_PKTINFO on Mac OS X Lion and newer.Tobias Brunner2012-06-131-0/+2
|
* Added signature scheme options left/rightauthMartin Willi2012-06-121-11/+99
|
* certificate_t->issued_by takes an argument to receive signature schemeMartin Willi2012-06-122-3/+3
|
* added missing parameter in get_my_addr() and get_other_addr() callsAndreas Steffen2012-06-091-2/+4
|
* implemented the right|leftallowany featureAndreas Steffen2012-06-0815-73/+131
|
* Enforce uniqueness policy in IKEv1 main and aggressive modesMartin Willi2012-06-082-0/+29
|
* Try to rekey without KE exchange if peer returns INVALID_KE_PAYLOAD(NONE)Martin Willi2012-06-081-1/+8
| | | | | | According to RFC5996, implementations should just ignore the KE payload if they select a non-PFS proposals. Some implementations don't, but return MODP_NONE in INVALID_KE_PAYLOAD, hence we accept that, too.
* While checking for redundant quick modes, compare traffic selectorsMartin Willi2012-06-081-0/+22
| | | | | If a configuration is instanced more than once using narrowing, we should keep all unique quick modes up during rekeying.
* Store shorter soft lifetime of in- and outbound SAs onlyMartin Willi2012-06-081-1/+8
|
* Initiate quick mode rekeying with narrowed traffic selectorsMartin Willi2012-06-081-1/+18
|
* Use traffic selectors passed to quick mode constructor as initiatorMartin Willi2012-06-081-2/+10
|
* Instead of rekeying, delete a quick mode if we have a fresher instanceMartin Willi2012-06-081-6/+42
| | | | | | | | If both peers initiate quick mode rekeying simultaneously, we end up with duplicate SAs for a configuration. This can't be avoided, nor do the standards provide an appropriate solution. Instead of closing one SA immediately, we keep both. But once rekeying triggers, we don't refresh the SA with the shorter soft lifetime, but delete it.
* As responder, enforce the same configuration while rekeying CHILD_SAsMartin Willi2012-06-063-1/+19
|
* Show expiration time of rekeyed CHILD_SAs in statusallMartin Willi2012-06-051-1/+6
|
* Mark CHILD_SAs used for trap policies to uninstall them properly.Tobias Brunner2012-06-041-6/+13
| | | | | | | If the installation failed the state is not CHILD_ROUTED which means the wrong priority is used to uninstall the policies. This is a problem for kernel interfaces that keep track of installed policies as now the proper policy is not found (if the priority is considered).
* Avoid queueing more than one retry initiate job.Tobias Brunner2012-05-303-4/+35
|
* Retry IKE_SA initiation if DNS resolution failed.Tobias Brunner2012-05-301-4/+39
| | | | | This is disabled by default and can be enabled with the charon.retry_initiate_interval option in strongswan.conf.
* Job added to re-initiate an IKE_SA.Tobias Brunner2012-05-303-0/+144
|
* Fix MOBIKE address update if responder address changed.Tobias Brunner2012-05-251-2/+2
| | | | | Use the source address of the current MOBIKE message as peer address instead of assuming the address cached on the IKE_SA is still valid.
* Resolve hosts before reauthenticating due to address change.Tobias Brunner2012-05-251-0/+2
|
* Don't queue delete_ike_sa job when setting IKE_DELETING.Tobias Brunner2012-05-252-9/+1
| | | | | This avoids deleting IKE_SAs during reauthentication (without trying to reestablish them).
* During reauthentication reestablish IKE_SA even if deleting the old one fails.Tobias Brunner2012-05-251-0/+6
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-04 12:09:16 +0000