path: root/src/libcharon
Commit message | Author | Age | Files | Lines
...
* | | | Merge branch 'systime' | Martin Willi | 2013-03-01 | 6 | -0/+452
|\ \ \ \
| | | | |     Add a systime-fix plugin allowing an embedded system to validate certificates if the system time has not been synchronized after boot. Certificates of established tunnels can be re-validated after the system time gets valid.
| * | | | systime-fix disables certificate lifetime validation if system time not synced | Martin Willi | 2013-02-19 | 4 | -0/+326
| | | | |     The system time can be periodically checked. If it gets valid, certificates get rechecked with the current lifetime. If certificates are invalid, associated IKE_SAs can be closed or reauthenticated.
| * | | | Add a stub for systime-fix, a plugin handling certificate lifetimes gracefully | Martin Willi | 2013-02-19 | 4 | -0/+126
| | |_|/
| |/| |
* | | | Merge branch 'ikev1-rekeying' | Martin Willi | 2013-03-01 | 1 | -0/+21
|\ \ \ \
| | | | |     Migrates Quick Modes to the new Main Mode if an IKEv1 reauthentication replaces the old Main Mode having a uniqueids=replace policy.
| * | | | When detecting a duplicate IKEv1 SA, adopt children, as it might be a rekeying | Martin Willi | 2013-02-20 | 1 | -0/+21
| | | | |
* | | | | Merge branch 'vip-shunts' | Martin Willi | 2013-03-01 | 1 | -11/+6
|\ \ \ \ \
| | | | | |     Installs bypass policies for the physical address if a virtual address is assigned, and installs a proper source route to actually use the physical address for bypassed destinations. Conflicts: src/libcharon/plugins/unity/unity_handler.c
| * | | | | Include local address for Unity Split-Exclude shunt policies | Martin Willi | 2013-02-20 | 1 | -10/+5
| |/ / / /
| | | | |     If we use a virtual IP, having a shunt policy for just that wouldn't work, as we want a shunt bypass using the local address.
* | | | | Merge branch 'opaque-ports' | Martin Willi | 2013-03-01 | 7 | -12/+18
|\ \ \ \ \
| | | | | |     Adds a %opaque port option and support for port ranges in left/rightprotoport. Currently not supported by any of our kernel backends.
| * | | | | Don't reject OPAQUE ports while verifying traffic selector substructure | Martin Willi | 2013-02-21 | 1 | -1/+5
| | | | | |
| * | | | | Pass complete port range over stroke interface for more flexibility | Martin Willi | 2013-02-21 | 1 | -14/+4
| | | | | |
| * | | | | Use a complete port range in traffic_selector_create_from_{subnet,cidr} | Martin Willi | 2013-02-21 | 6 | -14/+24
| | |/ / /
| |/| | |
* | | | | Without MOBIKE, update remote host only if it is behind NAT | Martin Willi | 2013-03-01 | 1 | -2/+3
| | | | |
* | | | | Merge branch 'ikev1-mm-retransmits' | Martin Willi | 2013-03-01 | 4 | -45/+55
|\ \ \ \ \
| | | | | |     Fixes retransmit of the last Main Mode or IKE_AUTH message, and correctly queues Main Mode messages when processing of the last message is still in progress.
| * | | | | For IKEv1 Main Mode, use message hash to detect early retransmissions | Martin Willi | 2013-02-25 | 1 | -10/+23
| | | | | |     As the message ID is zero in all Main Mode messages, it can't be used to detect if we are already processing a given message.
| * | | | | Move initial message dropping to task manager | Martin Willi | 2013-02-25 | 3 | -19/+27
| | | | | |     When the last request message of the initial tunnel setup is retransmitted, we must retransmit the response instead of ignoring the request. Fixes #295.
| * | | | | Use INIT macro to initialize IKE_SA manager entries | Martin Willi | 2013-02-25 | 1 | -17/+6
| | |/ / /
| |/| | |
* | | | | Merge branch 'tfc-notify' | Martin Willi | 2013-03-01 | 1 | -0/+9
|\ \ \ \ \
| | | | | |     Introduces kernel backend features, sends ESP_TFC_PADDING_NOT_SUPPORTED if kernel does not support it.
| * | | | | Send ESP_TFC_PADDING_NOT_SUPPORTED if the used kernel doesn't support it | Martin Willi | 2013-03-01 | 1 | -0/+9
| | |/ / /
| |/| | |
* | | | | Trigger an updown event when destroying an IKE_SA based on INITIAL_CONTACT | Tobias Brunner | 2013-02-28 | 1 | -0/+1
| |_|_|/
|/| | |
| | | |     In other cases (i.e. when functions return DESTROY_ME) the event should already be triggered, but not in this forced situation.
* | | | Android.mk updated to latest Makefiles | Tobias Brunner | 2013-02-26 | 1 | -1/+1
| |/ /
|/| |
| | |     Fixes #300.
* | | treat IF-M and IF-TNCCS remediation instructions/parameters in an equal way | Andreas Steffen | 2013-02-19 | 3 | -97/+198
| | |
* | | Streamlined log messages in ipseckey plugin | Andreas Steffen | 2013-02-19 | 2 | -58/+30
| | |
* | | ipseckey: Report IPSECKEYs with invalid DNSSEC security state | Reto Guadagnini | 2013-02-19 | 1 | -2/+12
| | |
* | | ipseckey: Added "enable" option for the IPSECKEY plugin to strongswan.conf | Reto Guadagnini | 2013-02-19 | 1 | -3/+16
| | |
* | | Added ipseckey plugin, which provides support for public keys in IPSECKEY RRs | Reto Guadagnini | 2013-02-19 | 8 | -0/+859
| | |
* | | added missing return statement | Andreas Steffen | 2013-02-19 | 1 | -0/+1
| | |
* | | reject PB-Experimental messages with NOSKIP flag set | Andreas Steffen | 2013-02-19 | 1 | -0/+7
| | |
* | | Add a timeout to clean up PDP RADIUS connections | Martin Willi | 2013-02-14 | 1 | -0/+51
| | |
* | | Keep the PDP connections lock while accessing its objects | Martin Willi | 2013-02-14 | 3 | -7/+34
| | |     When we introduce connection timeouts, the state may disappear at any time. This change prevents that, but is not very clear. We probably have to refactor connection handling.
* | | Add locking to TNC-PDP connections | Martin Willi | 2013-02-14 | 1 | -7/+23
| | |
* | | Add a global return_success() method implementation | Martin Willi | 2013-02-14 | 1 | -8/+2
| | |
* | | Merge branch 'ike-dscp' | Martin Willi | 2013-02-14 | 13 | -59/+163
|\ \ \
| * | | Add a ikedscp ipsec.conf option to set DSCP value on outgoing IKE packets | Martin Willi | 2013-02-06 | 1 | -1/+1
| | | |
| * | | Set configured DSCP value while generating IKE packets | Martin Willi | 2013-02-06 | 1 | -1/+26
| | | |
| * | | Add a DSCP configuration value to IKE configs | Martin Willi | 2013-02-06 | 11 | -21/+38
| | | |
| * | | Set DSCP values when sending IP packets in socket-default | Martin Willi | 2013-02-06 | 1 | -1/+65
| | | |
| * | | Don't send a packet in default socket if family is not IPv4 nor IPv6 | Martin Willi | 2013-02-06 | 1 | -12/+18
| | | |
| * | | Avoid extensive casting of sockaddr types in socket-default by using a union | Martin Willi | 2013-02-06 | 1 | -24/+16
| |/ /
| | |     Additionally fixes a strict-aliasing rule compiler warning with older gcc.
* | | Check if recommendations is set before applying language preference | Martin Willi | 2013-02-14 | 1 | -3/+6
| | |
* | | Merge branch 'pt-tls' | Martin Willi | 2013-02-14 | 3 | -9/+0
|\ \ \
| * | | TNCCS plugins don't depend on EAP-TNC, but can be used by other transports, too | Martin Willi | 2013-01-15 | 3 | -9/+0
| | |/
| |/|
* | | Fix 'stroke loglevel any' | Tobias Brunner | 2013-02-13 | 1 | -4/+11
| | |     Before b46a5cd4 this worked if debug_t was unsigned. In that case -1, as returned by enum_from_name(), would result in a large positive number. So any unknown debug group (including 'any') had the same effect that was only intended for 'any'.
* | | treat EAP identities as user IDs | Andreas Steffen | 2013-02-12 | 1 | -3/+3
| | |
* | | make TNC client authentication type available to IMVs | Andreas Steffen | 2013-02-12 | 9 | -27/+204
| | |
* | | determine underlying IF-T transport protocol | Andreas Steffen | 2013-02-12 | 10 | -62/+184
| | |
* | | make AR identities available to IMVs via IF-IMV 1.4 draft | Andreas Steffen | 2013-02-11 | 5 | -0/+146
| | |
* | | Make IKE/EAP IDs available to TNC server/client | Andreas Steffen | 2013-02-11 | 8 | -24/+81
| | |
* | | Allow more than one CERTREQ payload for IKEv2 | Tobias Brunner | 2013-02-08 | 1 | -2/+2
| |/
|/|
| |     There is no reason not to do so (RFC 5996 explicitly mentions multiple CERTREQ payloads) and some implementations seem to use the same behavior as had to be used with IKEv1 (i.e. each CA in its own CERTREQ payload).
* | Use proper buffer sizes for parse_smartcard() | Tobias Brunner | 2013-01-24 | 1 | -7/+10
| |
* | Removed unused command name when printing usage info for lookip | Tobias Brunner | 2013-01-24 | 1 | -1/+1
| |