path: root/src/libcharon
Commit message (author, date, files changed, lines removed/added)
...
* Merge branch 'stroke-counters' (Martin Willi, 2013-03-18, 3 files, -11/+185)
    Extend stroke counters functionality by connection specific counters, and
    a resetcounters command to reset the global or connection counters.
  * Add a "resetcounters" command to ipsec, clearing global or connection counters (Martin Willi, 2013-03-15, 1 file, -1/+38)
  * Add connection name specific stroke counters (Martin Willi, 2013-03-15, 3 files, -11/+148)
* Merge branch 'stroke-timeout' (Martin Willi, 2013-03-18, 2 files, -22/+94)
    Add a strongswan.conf timeout option for stroke control commands.
  * If controller operations have a callback, don't succeed before hook gets called (Martin Willi, 2013-03-07, 1 file, -4/+12)
  * Add a stroke command timeout option, and report status of completed command (Martin Willi, 2013-03-07, 1 file, -18/+82)
* Add missing XAuthRespPSK switch case to IKEv1 key derivation (Martin Willi, 2013-03-12, 1 file, -0/+1)
* Support multiple subnets and ranges as external load-tester addresses (Martin Willi, 2013-03-11, 1 file, -15/+59)
* Clean up IKE_SA state if IKE_SA_INIT request does not have message ID 0 (Martin Willi, 2013-03-11, 1 file, -0/+4)
* Ignore fourth Quick Mode message sent by Windows servers (Martin Willi, 2013-03-11, 1 file, -0/+9)
    Initial patch by Paul Stewart, fixes #289.
* As Quick Mode initiator, select a subset of the proposed and the returned TS (Martin Willi, 2013-03-07, 1 file, -4/+11)
    Cisco 5505 firewalls don't return the port if we send a specific one,
    letting the is_contained_in() checks fail. Using get_subset() selection
    builds the Quick Mode correctly with the common subset of selectors.
    Based on an initial patch from Paul Stewart.
* instead of cloning use extract_buf() method (Andreas Steffen, 2013-03-04, 1 file, -1/+1)
* Fixed Doxygen comments after scanning complete src directory (Tobias Brunner, 2013-03-02, 4 files, -5/+5)
* Removed backend for old Android frontend patch (Tobias Brunner, 2013-03-02, 12 files, -923/+82)
    Moved the remaining DNS handler to a new plugin.
* added ERX_SUPPORTED IKEv2 Notify (Andreas Steffen, 2013-03-02, 2 files, -7/+11)
* Merge branch 'multi-eap' (Martin Willi, 2013-03-01, 2 files, -28/+50)
    Fixes the use of EAP methods in the non-first authentication round if the
    initiator demands mutual EAP. Also mutual EAP can now be enforced when the
    initiator sets rightauth=eap, not only with rightauth=any.
  * Apply a mutual EAP auth_cfg not before the EAP method completes (Martin Willi, 2013-02-26, 2 files, -1/+18)
  * Be a little more verbose why a peer_cfg is unacceptable (Martin Willi, 2013-02-26, 1 file, -8/+16)
  * Refactor auth_cfg applying to a common function (Martin Willi, 2013-02-26, 1 file, -20/+17)
* Merge branch 'multi-cert' (Martin Willi, 2013-03-01, 1 file, -15/+32)
    Allows the configuration of multiple certificates in leftcert, and select
    the correct certificate to use based on the received certificate requests.
  * Load multiple comma separated certificates in the leftcert option (Martin Willi, 2013-01-18, 1 file, -15/+32)
* Merge branch 'systime' (Martin Willi, 2013-03-01, 6 files, -0/+452)
    Add a systime-fix plugin allowing an embedded system to validate
    certificates if the system time has not been synchronized after boot.
    Certificates of established tunnels can be re-validated after the system
    time gets valid.
  * systime-fix disables certificate lifetime validation if system time not synced (Martin Willi, 2013-02-19, 4 files, -0/+326)
      The system time can be periodically checked. If it gets valid,
      certificates get rechecked with the current lifetime. If certificates
      are invalid, associated IKE_SAs can be closed or reauthenticated.
  * Add a stub for systime-fix, a plugin handling certificate lifetimes gracefully (Martin Willi, 2013-02-19, 4 files, -0/+126)
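The deferred lifetime check described for the 'systime' branch above, as an added example that is not strongSwan's systime-fix plugin: while the clock looks unsynchronized the certificate lifetime check is deferred instead of failed, and a periodic job re-validates every established SA once the clock is valid, closing those whose peer certificate turns out to be outside its validity window. The sync threshold (2013-01-01), the cert and SA types and the two-tunnel scenario are all constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <time.h>

typedef struct {
    const char *subject;
    time_t not_before;
    time_t not_after;
} cert_t;

typedef struct {
    const char *name;
    cert_t peer_cert;
    bool closed;        /* set when re-validation fails */
} ike_sa_t;

/* Assumption: a device whose RTC was never set boots with a clock near the
 * Unix epoch, so any time before a fixed threshold (e.g. the firmware build
 * date) is treated as "not synchronized". The threshold is hypothetical. */
#define CLOCK_SYNC_THRESHOLD ((time_t)1356998400)   /* 2013-01-01T00:00:00Z */

static bool clock_is_synced(time_t now)
{
    return now >= CLOCK_SYNC_THRESHOLD;
}

/* Lifetime check used during authentication. While the clock is not synced
 * the check is deferred rather than failed; the caller must re-run it later. */
static bool cert_lifetime_ok(const cert_t *c, time_t now, bool *deferred)
{
    if (!clock_is_synced(now)) {
        *deferred = true;
        return true;
    }
    *deferred = false;
    return now >= c->not_before && now <= c->not_after;
}

/* Periodic job: once the clock is valid, re-check every open SA and close
 * those whose peer certificate is outside its lifetime.
 * Returns the number of SAs closed, or -1 if the clock is still not synced. */
static int recheck_certs(ike_sa_t *sas, size_t n, time_t now)
{
    int closed = 0;
    bool deferred;

    if (!clock_is_synced(now)) {
        return -1;
    }
    for (size_t i = 0; i < n; i++) {
        if (sas[i].closed) {
            continue;
        }
        if (!cert_lifetime_ok(&sas[i].peer_cert, now, &deferred)) {
            sas[i].closed = true;
            closed++;
        }
    }
    return closed;
}

/* Constructed scenario: two tunnels come up at "boot time" (clock at 1970),
 * then NTP sets the clock to mid-2013; one peer certificate expired in 2012. */
static int run_scenario(void)
{
    ike_sa_t sas[2] = {
        { "site-a", { "CN=gw-a", 1325376000, 1388534400 }, false }, /* 2012-01-01 .. 2014-01-01 */
        { "site-b", { "CN=gw-b", 1293840000, 1356912000 }, false }, /* 2011-01-01 .. 2012-12-31 */
    };
    time_t boot = 60;               /* one minute after the epoch */
    time_t synced = 1372636800;     /* 2013-07-01T00:00:00Z */
    bool deferred;

    for (size_t i = 0; i < 2; i++) {
        /* both peers are accepted at boot, but only provisionally */
        if (!cert_lifetime_ok(&sas[i].peer_cert, boot, &deferred) || !deferred) {
            return -1;
        }
    }
    if (recheck_certs(sas, 2, boot) != -1) {
        return -1;                                  /* still unsynced: nothing to do */
    }
    return recheck_certs(sas, 2, synced);           /* 1: site-b gets closed */
}

int main(void)
{
    printf("SAs closed after clock sync: %d\n", run_scenario());
    return 0;
}
```

The caveat a practitioner should keep in mind: for as long as the check is deferred, an expired or not-yet-valid certificate is accepted, so the re-check interval bounds that exposure and the sync threshold must be a conservative lower bound on real time (a build date works; "any year after 2000" does not, since an attacker who can influence the clock can pick one).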
* Merge branch 'ikev1-rekeying' (Martin Willi, 2013-03-01, 1 file, -0/+21)
    Migrates Quick Modes to the new Main Mode if an IKEv1 reauthentication
    replaces the old Main Mode having a uniqueids=replace policy.
  * When detecting a duplicate IKEv1 SA, adopt children, as it might be a rekeying (Martin Willi, 2013-02-20, 1 file, -0/+21)
* Merge branch 'vip-shunts' (Martin Willi, 2013-03-01, 1 file, -11/+6)
    Installs bypass policies for the physical address if a virtual address is
    assigned, and installs a proper source route to actually use the physical
    address for bypassed destinations.
    Conflicts:
        src/libcharon/plugins/unity/unity_handler.c
  * Include local address for Unity Split-Exclude shunt policies (Martin Willi, 2013-02-20, 1 file, -10/+5)
      If we use a virtual IP, having a shunt policy for just that wouldn't
      work, as we want a shunt bypass using the local address.
* Merge branch 'opaque-ports' (Martin Willi, 2013-03-01, 7 files, -12/+18)
    Adds a %opaque port option and support for port ranges in
    left/rightprotoport. Currently not supported by any of our kernel backends.
  * Don't reject OPAQUE ports while verifying traffic selector substructure (Martin Willi, 2013-02-21, 1 file, -1/+5)
  * Pass complete port range over stroke interface for more flexibility (Martin Willi, 2013-02-21, 1 file, -14/+4)
  * Use a complete port range in traffic_selector_create_from_{subnet,cidr} (Martin Willi, 2013-02-21, 6 files, -14/+24)
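Traffic selector port handling as touched by the 'opaque-ports' branch above and by the earlier Quick Mode get_subset() change, as one added example that is not strongSwan code: a minimal selector carrying only a protocol and an inclusive port range, a containment check in the style of is_contained_in(), an intersection in the style of get_subset(), the OPAQUE encoding (start port 65535, end port 0, RFC 7296 section 3.13.1) that a TS substructure verifier must not reject as an inverted range, and the Cisco case where the peer answers a specific proposed port with "any". Type and function names are hypothetical, addresses are omitted, and the UDP/1701 exchange is constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* A traffic selector reduced to what matters here: one protocol and one
 * inclusive port range (addresses are left out). Hypothetical type. */
typedef struct {
    uint8_t  proto;      /* IP protocol number, 0 = any */
    uint16_t from_port;  /* first port, inclusive */
    uint16_t to_port;    /* last port, inclusive */
} ts_t;

/* RFC 7296, 3.13.1: start port 65535 with end port 0 means OPAQUE, i.e. the
 * selector matches only packets whose port field is not available. */
static bool ts_is_opaque(const ts_t *ts)
{
    return ts->from_port == 65535 && ts->to_port == 0;
}

/* A well-formed range has from <= to; OPAQUE is the one legal inversion
 * and must not be rejected when a TS substructure is verified. */
static bool ts_is_valid(const ts_t *ts)
{
    return ts->from_port <= ts->to_port || ts_is_opaque(ts);
}

static bool proto_compatible(uint8_t a, uint8_t b)
{
    return a == 0 || b == 0 || a == b;
}

static uint8_t proto_narrow(uint8_t a, uint8_t b)
{
    return a ? a : b;
}

/* Containment: every port of a is also a port of b. */
static bool ts_is_contained_in(const ts_t *a, const ts_t *b)
{
    if (!proto_compatible(a->proto, b->proto)) {
        return false;
    }
    if (ts_is_opaque(a) || ts_is_opaque(b)) {
        return ts_is_opaque(a) && ts_is_opaque(b);
    }
    return a->from_port >= b->from_port && a->to_port <= b->to_port;
}

/* Intersection: writes the common subset to out, false if the ranges are disjoint. */
static bool ts_get_subset(const ts_t *a, const ts_t *b, ts_t *out)
{
    if (!proto_compatible(a->proto, b->proto)) {
        return false;
    }
    if (ts_is_opaque(a) || ts_is_opaque(b)) {
        if (!(ts_is_opaque(a) && ts_is_opaque(b))) {
            return false;
        }
        out->proto = proto_narrow(a->proto, b->proto);
        out->from_port = 65535;
        out->to_port = 0;
        return true;
    }
    uint16_t from = a->from_port > b->from_port ? a->from_port : b->from_port;
    uint16_t to   = a->to_port   < b->to_port   ? a->to_port   : b->to_port;
    if (from > to) {
        return false;
    }
    out->proto = proto_narrow(a->proto, b->proto);
    out->from_port = from;
    out->to_port = to;
    return true;
}

/* Quick Mode initiator: narrow what we proposed with what the peer returned.
 * Using the intersection, a peer that widens the port to "any" still yields
 * our specific port, where a containment check on the reply would fail. */
static bool quick_mode_narrow(const ts_t *proposed, const ts_t *returned, ts_t *result)
{
    if (!ts_is_valid(proposed) || !ts_is_valid(returned)) {
        return false;
    }
    return ts_get_subset(proposed, returned, result);
}

int main(void)
{
    /* Constructed exchange: we proposed UDP/1701, the peer answered UDP/any. */
    ts_t proposed = { 17, 1701, 1701 };
    ts_t returned = { 17, 0, 65535 };
    ts_t narrowed;

    printf("returned contained in proposed: %s\n",
           ts_is_contained_in(&returned, &proposed) ? "yes" : "no");
    if (quick_mode_narrow(&proposed, &returned, &narrowed)) {
        printf("narrowed: proto %u, ports %u-%u\n",
               narrowed.proto, narrowed.from_port, narrowed.to_port);
    }
    return 0;
}
```

Note the asymmetry that matters for a reviewer: narrowing by intersection is safe only because the result can never be wider than what we proposed ourselves; the OPAQUE case deliberately does not intersect with a plain range, since "port field not available" and "any port" are different match conditions.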
* Without MOBIKE, update remote host only if it is behind NAT (Martin Willi, 2013-03-01, 1 file, -2/+3)
* Merge branch 'ikev1-mm-retransmits' (Martin Willi, 2013-03-01, 4 files, -45/+55)
    Fixes retransmit of the last Main Mode or IKE_AUTH message, and correctly
    queues Main Mode messages when processing of the last message is still in
    progress.
  * For IKEv1 Main Mode, use message hash to detect early retransmissions (Martin Willi, 2013-02-25, 1 file, -10/+23)
      As the message ID is zero in all Main Mode messages, it can't be used to
      detect if we are already processing a given message.
  * Move initial message dropping to task manager (Martin Willi, 2013-02-25, 3 files, -19/+27)
      When the last request message of the initial tunnel setup is
      retransmitted, we must retransmit the response instead of ignoring the
      request. Fixes #295.
  * Use INIT macro to initialize IKE_SA manager entries (Martin Willi, 2013-02-25, 1 file, -17/+6)
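The two retransmission problems described in the 'ikev1-mm-retransmits' branch above, as an added example that is not strongSwan's task manager code: because every Main Mode message carries message ID 0, a responder keeps the digest of the request it is still processing (to drop an early retransmit), the digest of the last answered request together with its response (to resend that response instead of ignoring the retransmitted request), and treats any other request arriving mid-processing as one to queue. The verdict and state types are hypothetical, 64-bit FNV-1a stands in for a real message digest, and the "messages" are constructed strings rather than IKE packets.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    MSG_PROCESS,            /* new request: start processing it */
    MSG_DROP_IN_PROGRESS,   /* early retransmit: same request still being handled */
    MSG_RESEND_RESPONSE,    /* retransmit of an answered request: resend the response */
    MSG_QUEUE               /* different request while one is in progress: queue it */
} verdict_t;

typedef struct {
    uint64_t processing;            /* digest of request in progress, 0 if none */
    uint64_t last_request;          /* digest of last answered request, 0 if none */
    unsigned char last_response[64];/* response that answered last_request */
    size_t   last_response_len;
} mm_state_t;

/* 64-bit FNV-1a as a stand-in for a real message digest; 0 is reserved as
 * the "no message" sentinel, so a zero result is mapped to 1. */
static uint64_t msg_digest(const void *buf, size_t len)
{
    const unsigned char *p = buf;
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h ? h : 1;
}

/* Entry point for an incoming Main Mode request. The message ID is 0 for all
 * of them, so the digest of the whole message is what tells a fresh request
 * from a retransmission. */
static verdict_t mm_on_request(mm_state_t *st, const void *req, size_t len)
{
    uint64_t d = msg_digest(req, len);

    if (st->processing && st->processing == d) {
        return MSG_DROP_IN_PROGRESS;
    }
    if (st->last_request && st->last_request == d) {
        return MSG_RESEND_RESPONSE;
    }
    if (st->processing) {
        return MSG_QUEUE;
    }
    st->processing = d;
    return MSG_PROCESS;
}

/* Called once the response for the request in progress is ready to send;
 * keeps a copy so a later retransmit of that request is answered again. */
static void mm_on_response(mm_state_t *st, const void *resp, size_t len)
{
    if (len > sizeof(st->last_response)) {
        len = sizeof(st->last_response);
    }
    memcpy(st->last_response, resp, len);
    st->last_response_len = len;
    st->last_request = st->processing;
    st->processing = 0;
}

/* Handles one request whose processing completes immediately and returns
 * how many responses went out (1 if processed or resent, 0 otherwise). */
static int handle(mm_state_t *st, const char *req, const char *resp)
{
    switch (mm_on_request(st, req, strlen(req))) {
    case MSG_PROCESS:
        mm_on_response(st, resp, strlen(resp));
        return 1;
    case MSG_RESEND_RESPONSE:
        return 1;
    default:
        return 0;
    }
}

/* Scenario from the log: a retransmitted MM3 must be answered with MM4 again;
 * a second copy of MM5 arriving while MM5 is still being processed is
 * dropped; a copy arriving after MM6 went out gets MM6 again. Returns the
 * total number of responses sent (4), or -1 if a verdict is unexpected. */
static int run_scenario(void)
{
    mm_state_t st;
    const char *mm5 = "MM5:ID_i,HASH_i";
    const char *mm6 = "MM6:ID_r,HASH_r";
    int sent = 0;

    memset(&st, 0, sizeof(st));
    sent += handle(&st, "MM3:KE_i,Ni", "MM4:KE_r,Nr");   /* 1: answered */
    sent += handle(&st, "MM3:KE_i,Ni", "MM4:KE_r,Nr");   /* 2: MM4 resent */
    if (mm_on_request(&st, mm5, strlen(mm5)) != MSG_PROCESS) {
        return -1;
    }
    if (mm_on_request(&st, mm5, strlen(mm5)) != MSG_DROP_IN_PROGRESS) {
        return -1;                                        /* early retransmit dropped */
    }
    mm_on_response(&st, mm6, strlen(mm6));
    sent += 1;                                            /* 3: MM6 sent */
    sent += handle(&st, mm5, mm6);                        /* 4: MM6 resent */
    return sent;
}

int main(void)
{
    printf("responses sent: %d\n", run_scenario());
    return 0;
}
```

Two things this hinges on in a real responder: the stored response must be the exact bytes already sent (re-encoding would change the hash and, for IKE_AUTH, the retransmitted IKE_SA_INIT response must not pick fresh nonces or key material), and the digest must cover the whole message, since a retransmit is byte-identical while a new request with the same message ID is not.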
* Merge branch 'tfc-notify' (Martin Willi, 2013-03-01, 1 file, -0/+9)
    Introduces kernel backend features, sends ESP_TFC_PADDING_NOT_SUPPORTED if
    kernel does not support it.
  * Send ESP_TFC_PADDING_NOT_SUPPORTED if the used kernel doesn't support it (Martin Willi, 2013-03-01, 1 file, -0/+9)
* Trigger an updown event when destroying an IKE_SA based on INITIAL_CONTACT (Tobias Brunner, 2013-02-28, 1 file, -0/+1)
    In other cases (i.e. when functions return DESTROY_ME) the event should
    already be triggered, but not in this forced situation.
* Android.mk updated to latest Makefiles (Tobias Brunner, 2013-02-26, 1 file, -1/+1)
    Fixes #300.
* treat IF-M and IF-TNCCS remediation instructions/parameters in an equal way (Andreas Steffen, 2013-02-19, 3 files, -97/+198)
* Streamlined log messages in ipseckey plugin (Andreas Steffen, 2013-02-19, 2 files, -58/+30)
* ipseckey: Report IPSECKEYs with invalid DNSSEC security state (Reto Guadagnini, 2013-02-19, 1 file, -2/+12)
* ipseckey: Added "enable" option for the IPSECKEY plugin to strongswan.conf (Reto Guadagnini, 2013-02-19, 1 file, -3/+16)
* Added ipseckey plugin, which provides support for public keys in IPSECKEY RRs (Reto Guadagnini, 2013-02-19, 8 files, -0/+859)
* added missing return statement (Andreas Steffen, 2013-02-19, 1 file, -0/+1)
* reject PB-Experimental messages with NOSKIP flag set (Andreas Steffen, 2013-02-19, 1 file, -0/+7)
* Add a timeout to clean up PDP RADIUS connections (Martin Willi, 2013-02-14, 1 file, -0/+51)
* Keep the PDP connections lock while accessing its objects (Martin Willi, 2013-02-14, 3 files, -7/+34)
    When we introduce connection timeouts, the state may disappear at any
    time. This change prevents that, but is not very clear. We probably have
    to refactor connection handling.