aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon
Commit message (Collapse)AuthorAgeFilesLines
...
* bus: Add an ike_update() hook invoked when peer endpoints changeMartin Willi2015-02-204-0/+50
|
* connmark: Add a plugin stubMartin Willi2015-02-204-0/+150
|
* load-tester: Support initiating XAuth authenticationMartin Willi2015-02-201-0/+22
| | | | | | | | As with other configuration backends, XAuth is activated with a two round client authentication using pubkey and xauth. In load-tester, this is configured with initiator_auth=pubkey|xauth. Fixes #835.
* mem-pool: Pass the remote IKE address, to re-acquire() an address during reauthMartin Willi2015-02-206-51/+87
| | | | | | | | | | | With make-before-break IKEv2 re-authentication, virtual IP addresses must be assigned overlapping to the same peer. With the remote IKE address, the backend can detect re-authentication attempts by comparing the remote host address and port. This allows proper reassignment of the virtual IP if it is re-requested. This change removes the mem-pool.reassign_online option, as it is obsolete now. IPs get automatically reassigned if a peer re-requests the same address, and additionally connects from the same address and port.
* ikev2: Schedule a make-before-break completion task to delete old IKE_SAMartin Willi2015-02-208-1/+174
|
* ikev2: Allow task to skip exchange by setting undefined exchange typeMartin Willi2015-02-201-0/+5
|
* ikev2: Trigger make-before-break reauthentication instead of reauth taskMartin Willi2015-02-202-2/+79
|
* ike-sa-manager: Use IKEv1 uniqueness reauthentication detection for IKEv2, tooMartin Willi2015-02-201-12/+8
|
* attribute-handler: Pass full IKE_SA to handler backendsMartin Willi2015-02-208-72/+56
|
* attribute-provider: Pass full IKE_SA to provider backendsMartin Willi2015-02-2010-65/+55
|
* attribute-manager: Pass full IKE_SA to handler methodsMartin Willi2015-02-205-23/+28
|
* attribute-manager: Pass the full IKE_SA to provider methodsMartin Willi2015-02-205-23/+32
|
* unit-tester: Drop the old unit-tester libcharon pluginMartin Willi2015-02-2013-953/+0
| | | | | | While it has some tests that we don't directly cover with the new unit tests, most of them require special infrastructure and therefore have not been used for a long time.
* attributes: Move the configuration attributes framework to libcharonMartin Willi2015-02-2032-97/+2031
|
* libcharon: Add a test runnerMartin Willi2015-02-205-0/+96
|
* attr-sql: Move plugin to libcharonMartin Willi2015-02-206-0/+722
|
* attr: Move plugin to libcharonMartin Willi2015-02-206-0/+560
|
* resolve: Move plugin back to libcharonMartin Willi2015-02-206-0/+595
| | | | Since pluto is gone, all existing users build upon libcharon.
* ike: Consistently log CHILD_SAs with their unique_id instead of their reqidMartin Willi2015-02-207-10/+12
|
* unity: Reference IKE_SAs by the IKEv1 COOKIEs, improving lookup performanceMartin Willi2015-02-203-14/+17
| | | | | When handling thousands of IKE_SAs, the unique ID based lookup is rather slow, as we have no indexing.
* ike-sa-manager: Remove IKE_SA checkout by CHILD_SA reqidMartin Willi2015-02-204-38/+15
|
* migrate-job: Do CHILD_SA reqid lookup locallyMartin Willi2015-02-202-26/+21
|
* kernel-interface: Raise mapping event with a proto/SPI/dst tupleMartin Willi2015-02-203-16/+37
|
* inactivity-job: Schedule job by CHILD_SA unique ID instead of reqidMartin Willi2015-02-204-23/+17
|
* kernel-interface: Raise expires with a proto/SPI/dst tuple instead of reqidMartin Willi2015-02-209-60/+51
|
* controller: Use the CHILD_SA unique_id to terminate CHILD_SAsMartin Willi2015-02-205-37/+23
|
* stroke: List CHILD_SA unique ID as the primary identifier, but print reqid, tooMartin Willi2015-02-201-5/+6
|
* vici: Include the CHILD_SA unique ID in list-sa eventMartin Willi2015-02-202-0/+2
|
* ike: Maintain per-IKE_SA CHILD_SAs in the global CHILD_SA managerMartin Willi2015-02-203-19/+92
|
* child-sa-manager: Add a global manager storing CHILD_SA relationsMartin Willi2015-02-206-1/+432
| | | | | | To quickly check out IKE_SAs and find associated CHILD_SAs, the child_sa_manager stores relations between CHILD_SAs and IKE_SAs. It provides CHILD_SA specific IKE_SA checkout functions wrapping the ike_sa_manager.
* child-sa: Replace reqid based marks by "unique" marksMartin Willi2015-02-2010-11/+110
| | | | | | | | | | | As we now use the same reqid for multiple CHILD_SAs with the same selectors, having marks based on the reqid makes not that much sense anymore. Instead we use unique marks that use a custom identifier. This identifier is reused during rekeying, keeping the marks constant for any rule relying on it (for example installed by updown). This also simplifies handling of reqid allocation, as we do not have to query the marks that is not yet assigned for an unknown reqid.
* child-sa: Introduce a unique CHILD_SA identifierMartin Willi2015-02-202-0/+24
| | | | | As the reqid is not that unique even among multiple IKE_SAs anymore, we need an identifier to uniquely identify a specific CHILD_SA instance.
* child-sa: Delegate reqid allocation to the kernel interfaceMartin Willi2015-02-201-15/+46
|
* child-sa: Sort traffic selectors after adding CHILD_SA policiesMartin Willi2015-02-201-0/+3
| | | | Having traffic selectors sorted properly makes comparing them much simpler.
* child-sa: Remove the obsolete update logicMartin Willi2015-02-201-6/+1
| | | | | | The kernel backend uses an inbound parameter these days, where it makes no sense to pass the update flag. The kernel backend decides itself how it handles SA installation based on the inbound flag.
* kernel-interface: Pass full list of traffic selectors to add_sa()Martin Willi2015-02-204-11/+9
| | | | | | While we can handle the first selector only in BEET mode in kernel-netlink, passing the full list gives the backend more flexibility how to handle this information.
* libipsec: Remove unused src/dst_ts parameters from ipsec_sa_mgr_t.add_sa()Martin Willi2015-02-201-2/+1
|
* kernel-interface: Remove reqid parameter from get_spi/get_cpi() methodsMartin Willi2015-02-204-8/+8
| | | | | | | | | | The reqid is not strictly required, as we set the reqid with the update call when installing the negotiated SA. If we don't need a reqid at this stage, we can later allocate the reqid in the kernel backend once the SA parameters have been fully negotaited. This allows us to assign the same reqid for the same selectors to avoid conflicts on backends this is necessary.
* libipsec: Remove unused reqid parameter from ipsec_sa_mgr_t.get_spi()Martin Willi2015-02-191-1/+1
|
* ha: Perform child rekeying outside of CHILD_SA enumeratorThomas Egerer2015-02-191-7/+22
| | | | | | | | | | | | | | | | When rekey_child_sa is called while enumerating the children of an IKE_SA, and the child to be rekeyed is redundant a QUICK_DELETE task is queued instead of a QUICK_MODE task. This alters the IKE_SA's list of children (ike_sa_t::child_sas) invalidating the current element of the child_sa_enumerator. The enumerate function of linked_list_t will then advance to an element with unpredictable contents most likely resulting in an segmentation violation. A similar behavior should be observed when delete_child_sa is called. This patch creates a list of protocol/spi values while holding the child_sa_enumerator and performs the rekeying (deletion of redundant) chlidren after releasing the enumerator. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* vici: Fix ruby gem author emailMartin Willi2015-01-221-1/+1
|
* vici: Fix README example encoding element type values, off by oneMartin Willi2015-01-211-10/+10
| | | | | | | While we fixed the wrong values in the description with d39e04b5, the example values are still off by one. Fixes #828.
* ikev2: Only touch the DH object if we have a matching proposalTobias Brunner2014-12-231-11/+17
|
* apple: Redefine some additional clashing Mach typesMartin Willi2014-12-161-0/+2
| | | | | | While they usually are not included in a normal strongSwan build, the XPC header indirectly defines these Mach types. To build charon-xpc, which uses both XPC and strongSwan includes, we have to redefine these types.
* Fixed some typos, courtesy of codespellTobias Brunner2014-12-151-1/+1
|
* ike: Allow creation of internally used payloadsTobias Brunner2014-12-121-1/+1
| | | | | | | Since 42e0a317c64b ("ike: Only parse payloads valid for the current IKE version") payload types are checked before creating objects. This check failed for internally used payload types (e.g. proposal substructures), which have a type >= 256, i.e. outside the IKE payload type range.
* vici: Use silent builder destroy function in vici_free_req()Martin Willi2014-12-121-7/+1
|
* vici: Add a destroy method to builder, allowing cancellation without errorMartin Willi2014-12-122-4/+18
| | | | | When cancelling a builder, finalize throws an error which we might prefer to avoid.
* eap-radius: Use the single-server legacy server options as fallbackMartin Willi2014-12-121-3/+10
|
* ikev1: Use same map for AH and ESP authentication algorithmsTobias Brunner2014-12-091-152/+120
| | | | | | The transform identifier used in AH transforms is not the same as the authentication algorithm identifier used in the transform attributes in AH (and ESP) transforms.
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-03 19:28:09 +0000