aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon
Commit message (Collapse)AuthorAgeFilesLines
...
* Use exact mask when calling umask(2)Tobias Brunner2013-10-292-2/+2
| | | | | | Due to the previous negation the high bits of the mask were set, which at least some versions of the Android build system prevent with a compile-time check.
* whitelist: Read multiple commands until client closes connectionMartin Willi2013-10-291-30/+28
| | | | | This restores the same behavior we had before e11c02c8, and fixes the whitelist add/remove-from command.
* Fixed some typosTobias Brunner2013-10-293-3/+3
|
* check it specified IF-TNCCS protocol is enabledAndreas Steffen2013-10-211-0/+6
|
* updown: Pass ICMP[v6] message type and code to updown scriptTobias Brunner2013-10-171-2/+23
| | | | The type is passed in $PLUTO_MY_PORT and the code in $PLUTO_PEER_PORT.
* proposal: Add ECC Brainpool DH groups to the default proposalTobias Brunner2013-10-171-0/+4
|
* stroke: Reuse reqids of established CHILD_SAs when routing connectionsTobias Brunner2013-10-171-1/+45
|
* trap-manager: Make sure a config is not trapped twiceTobias Brunner2013-10-171-4/+16
|
* Doxygen fixesTobias Brunner2013-10-152-3/+2
|
* iv_gen: Provide external sequence number (IKE, ESP)Tobias Brunner2013-10-113-5/+7
| | | | This prevents duplicate sequential IVs in case of a HA failover.
* ikev2: Use IV generator to encrypt encrypted payloadTobias Brunner2013-10-111-1/+9
|
* iv_gen: aead_t implementations provide an IV generatorTobias Brunner2013-10-111-0/+8
|
* eap-radius: Forward RAT_FRAMED_IP_NETMASK as INTERNAL_IP4_NETMASKTobias Brunner2013-10-111-0/+5
|
* eap-radius: Forward UNITY_SPLIT_INCLUDE or UNITY_LOCAL_LAN attributesTobias Brunner2013-10-111-0/+93
| | | | | | | | | | | | | | | Depending on the value of the CVPN3000-IPSec-Split-Tunneling-Policy(55) radius attribute, the subnets in the CVPN3000-IPSec-Split-Tunnel-List(27) attribute are sent in either a UNITY_SPLIT_INCLUDE (if the value is 1) or a UNITY_LOCAL_LAN (if the value is 2). So if the following attributes would be configured for a RADIUS user CVPN3000-IPSec-Split-Tunnel-List := "10.0.1.0/255.255.255.0,10.0.2.0/255.255.255.0" CVPN3000-IPSec-Split-Tunneling-Policy := 1 A UNITY_SPLIT_INCLUDE configuration payload containing these two subnets would be sent to the client during the ModeCfg exchange.
* eap-radius: Forward UNITY_DEF_DOMAIN and UNITY_SPLITDNS_NAME attributesTobias Brunner2013-10-111-3/+25
| | | | | | The contents of the CVPN3000-IPSec-Default-Domain(28) and CVPN3000-IPSec-Split-DNS-Names(29) radius attributes are forwarded in the corresponding Unity configuration attributes.
* dnscert: Add DNS CERT support for pubkey authenticationRuslan N. Marchenko2013-10-118-0/+828
| | | | | | | | | | | Add DNSSEC protected CERT RR delivered certificate authentication. The new dnscert plugin is based on the ipseckey plugin and relies on the existing PEM decoder as well as x509 and PGP parsers. As such the plugin expects PEM encoded PKIX(x509) or PGP(GPG) certificate payloads. The plugin is targeted to improve interoperability with Racoon, which supports this type of authentication, ignoring in-stream certificates and using only DNS provided certificates for FQDN IDs.
* ipseckey: Properly handle failure to create a certificateTobias Brunner2013-10-111-33/+28
| | | | Also, try the next key (if available) if parsing an IPSECKEY failed.
* ipseckey: Refactor creation of certificate enumeratorTobias Brunner2013-10-111-86/+81
| | | | Reduces nesting and fixes a memory leak (rrsig_enum).
* ipseckey: Depend on plugin features to create public key and certificate objectsTobias Brunner2013-10-111-0/+2
|
* kernel-libipsec: Don't ignore policies of type != POLICY_IPSECTobias Brunner2013-10-111-5/+0
| | | | | | This actually broke rekeying due to the DROP policies that are temporarily added, which broke the refcount as the ignored policies were not ignored in del_policy() (the type is not known there).
* kernel-libipsec: Add an option to allow remote TS to match the IKE peerTobias Brunner2013-10-111-2/+9
| | | | | | | | Setting the fwmark options for the kernel-netlink and socket-default plugins allow this kind of setup. It is probably required to set net.ipv4.conf.all.rp_filter to 2 to make it work.
* socket-default: Allow setting firewall mark on outbound packetsTobias Brunner2013-10-111-0/+18
|
* sql: Don't use MyISAM engine and set collation/charset for all tablesTobias Brunner2013-10-111-26/+25
| | | | The MyISAM engine doesn't support transactions.
* Remove HASH_PREFERRED, usages are replaced with HASH_SHA1, which is required ↵Tobias Brunner2013-10-112-2/+2
| | | | for IKEv2 anyway
* kernel-libipsec: Support ESPv3 TFC paddingMartin Willi2013-10-111-1/+1
|
* kernel-libipsec: Support query_sa() to report usage statisticsMartin Willi2013-10-111-1/+2
|
* kernel: Use a time_t to report use time in query_policy()Martin Willi2013-10-113-4/+4
|
* kernel: Use a time_t to report use time in query_sa()Martin Willi2013-10-113-5/+5
|
* updown: Add a PLUTO_PROTO variable set to 'ah' or 'esp'Martin Willi2013-10-111-0/+2
|
* ike: Define keylength for aescmac algorithmMartin Willi2013-10-111-0/+1
|
* ikev1: Support parsing of AH+IPComp proposalsMartin Willi2013-10-111-9/+11
|
* ikev1: Accept more than two certificate payloadsMartin Willi2013-10-111-2/+2
|
* ikev1: Support en-/decoding of SA payloads with AH algorithmsMartin Willi2013-10-111-31/+99
|
* kernel-handler: Whitespace cleanupsMartin Willi2013-10-111-42/+38
|
* stroke: List proposals in statusall without leading '/' in AH SAsMartin Willi2013-10-111-1/+7
|
* ikev1: Delete quick modes with the negotiated SA protocolMartin Willi2013-10-111-1/+1
|
* trap-manager: Install trap with SA protocol of the first configured proposalMartin Willi2013-10-111-4/+12
|
* child-sa: Save protocol during SPI allocationMartin Willi2013-10-111-6/+3
| | | | | This allows us to properly delete the incomplete SA with the correct protocol should negotiation fail.
* ikev1: Negotiate SPI with the first/negotiated proposal protocolMartin Willi2013-10-111-3/+18
|
* ikev2: Allocate SPI with the protocol of the first/negotiated proposalMartin Willi2013-10-111-2/+16
|
* proposal: Strip redundant integrity algos for ESP proposals onlyMartin Willi2013-10-111-16/+19
|
* stroke: Configure proposal with AH protocol if 'ah' option setMartin Willi2013-10-112-11/+16
|
* Keep a copy of the tnccs instance for PT-TLS handoverAndreas Steffen2013-10-091-2/+16
|
* xauth-pam: Make trimming of email addresses optional5.1.1dr4Tobias Brunner2013-10-041-4/+9
| | | | Fixes #430.
* ikev1: Accept reauthentication attempts with a keep unique policy from same hostMartin Willi2013-09-301-6/+17
| | | | | | | When we have a "keep" unique policy in place, we have to be less strict in rejecting Main/Aggressive Modes to enforce it. If the host/port equals to that of an existing ISAKMP SA, we assume it is a reauthentication attempt and accept the new SA (to replace the old).
* ikev1: Don't log a reauthentication detection message if no children adoptedMartin Willi2013-09-301-2/+6
| | | | | When a replace unique policy is in place, the children get adopted during the uniqueness check. In this case the message is just misleading.
* ikev1: Delay a potential delete for a duplicate IKE_SA having a replace policyMartin Willi2013-09-301-8/+29
| | | | | | | | | Sending a DELETE for the replaced SA immediately is problematic during reauthentication, as the peer might have associated the Quick Modes to the old SA, and also delete them. With this change the delete for the old ISAKMP SA is usually omitted, as it is gets implicitly deleted by the reauth.
* eap-radius: Increase buffer for attributes sent in RADIUS accounting messagesTobias Brunner2013-09-271-1/+1
| | | | 64 bytes might be too short for user names/identities.
* load-tester: Fix crash if private key was not loaded successfullyTobias Brunner2013-09-241-1/+1
| | | | Fixes #417.
* ikev2: Force an update of the host addresses on the first responseTobias Brunner2013-09-231-11/+9
| | | | | | | | | | | This is especially useful on Android where we are able to send messages even if we don't know the correct local address (this is possible because we don't set source addresses in outbound messages). This way we may learn the correct local address if it e.g. changed right before reestablishing an SA. Updating the local address later is tricky without MOBIKE as the responder might not update the associated IPsec SAs properly.
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-03 05:33:54 +0000