aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon
Commit message (Collapse)AuthorAgeFilesLines
...
* id-payload: Enable multiple calls to get_ts() for subnet traffic selectorsTobias Brunner2014-12-051-2/+5
| | | | The second call resulted in a /32 subnet previously.
* ikev2: Fix handling of more than one hash-and-URL certificate payloadsTobias Brunner2014-12-041-2/+2
|
* kernel-wfp: Install outbound ALE connect rules for IPsecMartin Willi2014-12-041-16/+43
| | | | | | Similar to the inbound rules, the ALE filter processes IP-in-IP packets for outbound tunnel mode traffic. When using an outbound default-drop policy, Windows does not allow connection initiation without these explicit rules.
* kernel-wfp: Install inbound ALE IP-in-IP filtersMartin Willi2014-12-041-41/+159
| | | | | | | | | | | When processing inbound tunnel mode packets, Windows decrypts packets and filters them as IP-in-IP packets. We therefore require an ALE filter that calls the FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_ALE_ACCEPT callout to allow them when using a default-drop policy. Without these rules, any outbound packet created an ALE state that allows inbound packets as well. Processing inbound packets without any outbound traffic fails without these rules.
* kernel-wfp: Add missing IPsec sublayer GUIDsMartin Willi2014-12-041-0/+6
|
* kernel-wfp: Define IPsec related ALE layers and callout GUIDsMartin Willi2014-12-042-0/+40
|
* kernel-wfp: Fix logging of MM/QM/EM NetEvent failuresMartin Willi2014-12-041-0/+12
|
* vici: Make sure to send/recv all requested bytes over socketMartin Willi2014-12-041-3/+22
| | | | | | As the underlying C functions, send/recv on ruby sockets are not guaranteed to send/recv all requested bytes. Use wrapper functions to make sure we get all bytes needed.
* Implemented full BLISS support for IKEv2 public key authentication and the ↵Andreas Steffen2014-11-295-8/+45
| | | | pki tool
* ikev2: Fix ike_rekey switch statement broken with last commitMartin Willi2014-11-241-1/+1
|
* ikev2: Prevent IKE_SA rekeying if we are currently retrying a CHILD_SA rekeyMartin Willi2014-11-211-0/+1
|
* controller: Keep following initiate() if the first DH guess was wrongMartin Willi2014-11-211-0/+12
|
* child-sa: Introduce a CHILD_RETRYING state to detect DH group retriesMartin Willi2014-11-213-0/+7
|
* kernel-libipsec: Use poll(2) instead of selectMartin Willi2014-11-211-54/+56
|
* socket-default: Use round-robin selection of sockets to read fromMartin Willi2014-11-211-5/+13
| | | | | If multiple sockets are ready, we previously preferred the IPv4 non-NAT socket over others. To handle all with equal priority, use a round-robin selection.
* socket-default: Use poll(2) instead of selectMartin Willi2014-11-211-46/+20
| | | | | It is not only simpler, but also allows the use of arbitrary high fd numbers, which silently fails with select().
* proposal: Add default PRF for HMAC-MD5-128 and HMAC-SHA1-160 integrity ↵Tobias Brunner2014-10-311-0/+2
| | | | algorithms
* ike-cfg: Use host_create_from_range() helperTobias Brunner2014-10-301-16/+1
|
* vici: Add support for address range definitions of poolsTobias Brunner2014-10-301-5/+35
|
* stroke: Add support for address range definitions of in-memory poolsTobias Brunner2014-10-301-7/+33
|
* ikev1: Don't inherit children if INITITAL_CONTACT was seenThomas Egerer2014-10-301-1/+4
| | | | Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* ikev1: Send INITIAL_CONTACT notify in Main ModeThomas Egerer2014-10-301-0/+28
| | | | | | | | | We currently send the notify in Main Mode only, as it is explicitly not allowed by RFC 2407 to send (unprotected) notifications in Aggressive Mode. To make that work, we'd need to handle that notify in Aggressive Mode, which could allow a MitM to inject such notifies and do some harm. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* message: Include encrypted fragment payload in payload (order) rulesTobias Brunner2014-10-291-0/+12
| | | | | | | | | Otherwise fragmented CREATE_CHILD_SA exchanges won't get accepted because they don't contain an SA payload. It also prevents a warning when ordering payloads. Fixes #752.
* updown: Explicitly pass caller PATH to updown scriptMartin Willi2014-10-221-0/+1
| | | | | | | | | When invoking /bin/sh, its default PATH is used. On some systems, that does not include the PATH where the ipsec script is installed, as charon is invoked with a custom PATH. Explicitly setting the PATH of charon should fix this case, properly invoking the (default) updown script. Fixes #745.
* vici: Return default value for get_int() if message value is empty stringMartin Willi2014-10-142-1/+5
| | | | | This is the behavior of some strtol() implementations, and it makes sense, so force it.
* vici: Add vici.gemspec.in and vici.rb to distributionTobias Brunner2014-10-141-0/+2
|
* libimcv: Updated Android.mk to latest Makefile.amTobias Brunner2014-10-131-0/+1
|
* ike: Do remote address updates also when behind static NATsTobias Brunner2014-10-131-4/+7
| | | | | | | | We assume that a responder is behind a static NAT (e.g. port forwarding) and allow remote address updates in such situations. The problem described in RFC 5996 is only an issue if the NAT mapping can expire.
* ike: Remove redundant check for local NAT when handling changed NAT mappingsTobias Brunner2014-10-131-6/+1
|
* vici: Cancel processor before calling library_deinit()Martin Willi2014-10-101-0/+1
| | | | | For non-direct libstrongswan users, the deinitialization segfaults because of the missing worker thread cancellation.
* vici: Reduce debug level during thread spawningMartin Willi2014-10-101-0/+2
| | | | We want to avoid libvici users to get a cluttered stderr for no real error.
* vici: Don't include-depend on libstrongswan for boolean typesMartin Willi2014-10-102-4/+2
| | | | | | | | As we want to avoid the libstrongswan include dependencies for libvici, avoid the use of the bool type. Unfortunately this change may break the ABI for vici_dump(). As this function is mostly for debugging purposes, we do it nonetheless; my apologies if somebody already relies on the ABI stability of that function.
* vici: Document the ruby gem and add some simple examplesMartin Willi2014-10-101-0/+58
|
* vici: Add some simple libvici examples to the READMEMartin Willi2014-10-101-2/+116
|
* vici: Document the available vici command and event messagesMartin Willi2014-10-101-1/+509
|
* vici: Use "gem"-assisted vici ruby gem building and installationMartin Willi2014-10-104-1/+29
|
* vici: Add a ruby gem providing a native vici interfaceMartin Willi2014-10-103-0/+586
|
* vici: Return a success result for the clear-creds commandMartin Willi2014-10-101-4/+1
| | | | | Even if the command actually can't fail, this looks more aligned to similar commands.
* vici: Fix message encoding type values in documentationMartin Willi2014-10-101-6/+6
|
* ikev1: Add fragmentation support for Windows peersVolker Rümelin2014-10-103-13/+58
| | | | | | | | I still think ipsec/l2tp with fragmentation support is a useful fallback option in case the Windows IKEv2 connection fails because of fragmentation problems. Tested with Windows XP, 7 and 8.1.
* eap-radius: Add option to set interval for interim accounting updatesTobias Brunner2014-10-101-0/+10
| | | | | | Any interval returned by the RADIUS server in the Access-Accept message overrides the configured interval. But it might be useful if RADIUS is only used for accounting.
* message: Limit maximum number of IKEv2 fragmentsTobias Brunner2014-10-101-1/+11
| | | | | | | | The maximum for IKEv1 is already 255 due to the 8-bit fragment number. With an overhead of 17 bytes (x64) per fragment and a default maximum of 10000 bytes per packet the maximum memory required is 14 kB for a fragmented message.
* packet: Define a global default maximum size for IKE packetsTobias Brunner2014-10-104-18/+4
|
* message: Ensure a minimum fragment lengthTobias Brunner2014-10-101-8/+18
|
* ikev2: Send retransmits using the latest known addressesTobias Brunner2014-10-101-1/+3
| | | | | | | For instance, if a DPD exchange is initiated by the gateway when a mobile client is roaming and it then gets a new IP address and sends an address update via MOBIKE, the DPD retransmits would still be sent to the old address and the SA would eventually get closed.
* ikev2: Send and receive fragmented IKE messagesTobias Brunner2014-10-101-44/+169
| | | | | If a fragmented message is retransmitted only the first packet is passed to the alert() hook.
* ike: IKE_SA may fragment IKEv2 messagesTobias Brunner2014-10-101-1/+1
|
* ike: Do not cache MID of IKEv2 fragmentsTobias Brunner2014-10-101-2/+3
| | | | | This fails if there are unencrypted payloads before an encrypted fragment payload in the first fragment.
* message: Fragment and reassemble IKEv2 messagesTobias Brunner2014-10-102-133/+366
|
* message: Handle encrypted fragment payload similar to the encrypted payloadTobias Brunner2014-10-101-16/+91
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-04 09:08:57 +0000