aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon
Commit message (Collapse)AuthorAgeFilesLines
...
* kernel-libipsec: Support ESPv3 TFC paddingMartin Willi2013-10-111-1/+1
|
* kernel-libipsec: Support query_sa() to report usage statisticsMartin Willi2013-10-111-1/+2
|
* kernel: Use a time_t to report use time in query_policy()Martin Willi2013-10-113-4/+4
|
* kernel: Use a time_t to report use time in query_sa()Martin Willi2013-10-113-5/+5
|
* updown: Add a PLUTO_PROTO variable set to 'ah' or 'esp'Martin Willi2013-10-111-0/+2
|
* ike: Define keylength for aescmac algorithmMartin Willi2013-10-111-0/+1
|
* ikev1: Support parsing of AH+IPComp proposalsMartin Willi2013-10-111-9/+11
|
* ikev1: Accept more than two certificate payloadsMartin Willi2013-10-111-2/+2
|
* ikev1: Support en-/decoding of SA payloads with AH algorithmsMartin Willi2013-10-111-31/+99
|
* kernel-handler: Whitespace cleanupsMartin Willi2013-10-111-42/+38
|
* stroke: List proposals in statusall without leading '/' in AH SAsMartin Willi2013-10-111-1/+7
|
* ikev1: Delete quick modes with the negotiated SA protocolMartin Willi2013-10-111-1/+1
|
* trap-manager: Install trap with SA protocol of the first configured proposalMartin Willi2013-10-111-4/+12
|
* child-sa: Save protocol during SPI allocationMartin Willi2013-10-111-6/+3
| | | | | This allows us to properly delete the incomplete SA with the correct protocol should negotiation fail.
* ikev1: Negotiate SPI with the first/negotiated proposal protocolMartin Willi2013-10-111-3/+18
|
* ikev2: Allocate SPI with the protocol of the first/negotiated proposalMartin Willi2013-10-111-2/+16
|
* proposal: Strip redundant integrity algos for ESP proposals onlyMartin Willi2013-10-111-16/+19
|
* stroke: Configure proposal with AH protocol if 'ah' option setMartin Willi2013-10-112-11/+16
|
* Keep a copy of the tnccs instance for PT-TLS handoverAndreas Steffen2013-10-091-2/+16
|
* xauth-pam: Make trimming of email addresses optional5.1.1dr4Tobias Brunner2013-10-041-4/+9
| | | | Fixes #430.
* ikev1: Accept reauthentication attempts with a keep unique policy from same hostMartin Willi2013-09-301-6/+17
| | | | | | | When we have a "keep" unique policy in place, we have to be less strict in rejecting Main/Aggressive Modes to enforce it. If the host/port equals to that of an existing ISAKMP SA, we assume it is a reauthentication attempt and accept the new SA (to replace the old).
* ikev1: Don't log a reauthentication detection message if no children adoptedMartin Willi2013-09-301-2/+6
| | | | | When a replace unique policy is in place, the children get adopted during the uniqueness check. In this case the message is just misleading.
* ikev1: Delay a potential delete for a duplicate IKE_SA having a replace policyMartin Willi2013-09-301-8/+29
| | | | | | | | | Sending a DELETE for the replaced SA immediately is problematic during reauthentication, as the peer might have associated the Quick Modes to the old SA, and also delete them. With this change the delete for the old ISAKMP SA is usually omitted, as it is gets implicitly deleted by the reauth.
* eap-radius: Increase buffer for attributes sent in RADIUS accounting messagesTobias Brunner2013-09-271-1/+1
| | | | 64 bytes might be too short for user names/identities.
* load-tester: Fix crash if private key was not loaded successfullyTobias Brunner2013-09-241-1/+1
| | | | Fixes #417.
* ikev2: Force an update of the host addresses on the first responseTobias Brunner2013-09-231-11/+9
| | | | | | | | | | | This is especially useful on Android where we are able to send messages even if we don't know the correct local address (this is possible because we don't set source addresses in outbound messages). This way we may learn the correct local address if it e.g. changed right before reestablishing an SA. Updating the local address later is tricky without MOBIKE as the responder might not update the associated IPsec SAs properly.
* ike-sa: Resolve hosts before reestablishing an IKE_SATobias Brunner2013-09-231-0/+2
|
* android: Several plugins were moved from libcharon to libtnccsTobias Brunner2013-09-231-29/+5
| | | | These were moved in commits e8f65c5cde and 12b3db5006.
* Implemented TCG/PB-PDP_Referral messageAndreas Steffen2013-09-171-0/+12
|
* stroke: don't remove a matching peer config if used by other child configsMartin Willi2013-09-131-4/+3
| | | | | When configurations get merged during add, we should not remove peer configs if other connection entries use the same peer config.
* ikev1: Fix double free when searching for redundant CHILD_SAsTobias Brunner2013-09-131-1/+1
| | | | Fixes #411.
* Build all shared libraries with -no-undefined and link them properlyTobias Brunner2013-09-121-1/+7
| | | | | | | | | | The flag is required to convince libtool on Cygwin to build DLLs. But on Windows these shared libraries can not have undefined symbols, so we have to link them explicitly to the libraries they reference. For plugins this is currently not done, so only the monolithic build is supported. The plugin loader wouldn't be able to load DLLs anyway, as it tries to load files that don't exist on Cygwin.
* sockets: Initialize the whole ancillary data buffer not only the actual structTobias Brunner2013-09-102-4/+4
| | | | | | This avoids uninitialized bytes that Valgrind seems to notice otherwise. Fixes #395.
* ikev1: For PFS prefer DH group from IKE_SA over first configuredThomas Egerer2013-09-101-18/+54
| | | | | | | | | | If PFS is configured for a CHILD_SA first try to create a list of proposals with using DH group negotiated during phase 1. If the resulting list is empty (i.e. the DH group(s) configured for PFS differ from the one(s) configured for the IKE_SA), fall back to the first configured DH group from the CHILD_SA. This modificiation is due to the fact that it is likely that the peer supports the same DH group for PFS it did already for the IKE_SA.
* Fixed double free causing swapped ends to crash5.1.1dr3Andreas Steffen2013-09-071-1/+0
|
* load-tester: support extended traffic selector syntax, as in leftsubnetMartin Willi2013-09-041-13/+168
| | | | | In addition the initiator may use %unique as port, using a distinct port for each connection, starting from 1025.
* load-tester: add an option to test transport/beet connectionsMartin Willi2013-09-041-1/+21
|
* ike: support multiple addresses, ranges and subnets in IKE address configMartin Willi2013-09-0411-100/+296
| | | | | | | Replace the allowany semantic by a more powerful subnet and IP range matching. Multiple addresses, DNS names, subnets and ranges can be specified in a comma separated list. Initiators ignore the ranges/subnets, responders match configurations against all addresses, ranges and subnets.
* ike-cfg: remove the to be obsoleted allow any parameter in get_my/other_addrMartin Willi2013-09-047-33/+18
|
* backends: use ike_cfg host matching functionsMartin Willi2013-09-041-38/+7
|
* ike-cfg: add methods to match a host against configured local/remote addressesMartin Willi2013-09-042-0/+62
|
* trap-manager: use ike_cfg resolver functionsMartin Willi2013-09-041-4/+2
|
* ike-sa: use ike_cfg resolver functionsMartin Willi2013-09-041-16/+12
|
* ike-cfg: add a method to resolve local/remote hosts with portMartin Willi2013-09-042-0/+30
|
* stroke: ignore a leftsourceip if a rightsourceip is given as wellMartin Willi2013-09-041-1/+7
| | | | | | As we always negotiate virtual IPs in charon, having both left- and rightsourceip is not allowed. Both in IKEv1 and IKEv2 we support a single configuration payload exchange only.
* ikev1: implement mode config push modeMartin Willi2013-09-045-76/+363
|
* stroke: re-enable modeconfig keywordMartin Willi2013-09-041-1/+1
|
* peer-cfg: add a pull/push mode option to use with mode configMartin Willi2013-09-0410-14/+37
|
* xauth-generic: honor requested XAuth credential types as a clientMartin Willi2013-09-031-16/+51
| | | | Support requesting of XAuth PINs and print XAuth messages.
* message: print type of configuration payloadMartin Willi2013-09-031-1/+21
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-06 04:35:05 +0000