aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon
Commit message (Collapse)AuthorAgeFilesLines
...
* ikev1: Defer Mode Config push after CHILD adoption and reauth detectionMartin Willi2014-08-252-10/+35
| | | | | | | | When an initiator starts reauthentication on a connection that uses push mode to assign a virtual IP, we can't execute the Mode Config before releasing the virtual IP. Otherwise we would request a new and different lease, which the client probably can't handle. Defer Mode Config execution, so the same IP gets first released then reassigned during reauthentication.
* ikev1: Extend adopt_children_job by task queuing, executed after adoptionMartin Willi2014-08-252-0/+48
|
* ikev1: Accept Quick Mode DELETES while Quick Mode rekeying is activeMartin Willi2014-08-251-2/+21
| | | | | | | | | | If a peer immediately sends DELETE messages when completing Quick Mode rekeying, the third Quick Mode message and the DELETE are sent simultaneously. This implies that DELETE messages may arrive before the completing third Quick Mode message. Handle this case by ignoring the DELETE INFORMATIONAL in Quick Mode and let the delete task handle it.
* ike-sa-manager: Use transient hasher for IKE_SA_INIT hash calculationChristophe Gouault2014-08-251-32/+11
| | | | | | | | | | | | | | | | To check if a received IKE_SA_INIT request is a new request or a retransmit, charon maintains hashes of the pending IKE_SA_INIT exchanges. However, the hash calculation is not reentrant because a single hasher is used for the whole IKE SA manager. It leads to bogus calculations under high load and hence dropped messages on responder (IkeInInvalidSpi incremented). Don't share a single hasher in the IKE SA manager, create a transient one whenever a message must be hashed. Signed-off-by: Christophe Gouault <christophe.gouault@6wind.com>
* bus: Add ike_reestablish_pre hook, called before DNS resolutionTobias Brunner2014-07-224-9/+69
| | | | | The old hook is renamed to ike_reestablish_post and is now also called when the initiation of the new IKE_SA failed.
* receiver: Send a single INVALID_MAJOR_VERSION notify for IKE version > 2Martin Willi2014-07-171-3/+1
| | | | | | | | | We sent both a notify using IKEv1 and IKEv2. This is a little more aggressive than required, RFC 5996 says we "SHOULD send an unauthenticated Notify message of type INVALID_MAJOR_VERSION containing the highest (closest) version number it supports". Fixes #657.
* xauth-pam: Add workaround for null-terminated passwordsTobias Brunner2014-07-071-1/+6
| | | | Fixes #631.
* stroke: Don't log unspecified options of conn and ca sectionsTobias Brunner2014-06-301-37/+50
|
* libvici: Add missing argument to Doxygen commentTobias Brunner2014-06-301-0/+1
|
* Fixed some typosTobias Brunner2014-06-302-2/+2
|
* updown: Force subnet address to be numericTobias Brunner2014-06-251-2/+2
|
* eap-radius: Increase buffer for accounting attributes to maximum attribute sizeMartin Willi2014-06-251-1/+1
| | | | Fixes #624.
* android: Update Android.mk files to match changes due to the Windows portTobias Brunner2014-06-241-1/+3
| | | | Makes them easier to compare to the original Makefile.am.
* vici: Install libvici in ipseclibdir like we do with other librariesTobias Brunner2014-06-191-1/+1
|
* kernel-interface: Add destination prefix to get_nexthop()Tobias Brunner2014-06-193-4/+4
| | | | | This allows to determine the next hop to reach a subnet, for instance, when installing routes for shunt policies.
* shunt-manager: Install passthrough policies with highest priorityTobias Brunner2014-06-191-9/+34
| | | | | | This avoids conflicts with regular IPsec policies. Similarly, use the lowest priority for drop policies.
* load-tester: Add a crl option to include a CRL uri in generated certificatesMartin Willi2014-06-191-1/+21
|
* bus: Properly va_copy() argument list before passing it to printf() functionsMartin Willi2014-06-191-1/+3
| | | | | | | | As we later potentially use args again, we can't consume it with printf functions without copying it first. Clone list before passing it to any consuming function. Fixes #621.
* child-sa: Set replay window on both inbound and outbound SAMartin Willi2014-06-181-6/+2
| | | | | | | | While the outbound SA actually does not need a replay window, the kernel rejects zero replay windows on SAs using ESN. The ESN flag is required to use the full sequence number in ICV calculation, hence we set the replay window. This restores the behavior we had before 30c009c2.
* ikev1: Allow late connection switching based on XAuth usernameTobias Brunner2014-06-181-6/+0
|
* vici: Support memory stats without leak-detective on WindowsMartin Willi2014-06-171-0/+53
|
* vici: Add a stats command returning various daemon infos and statisticsMartin Willi2014-06-171-0/+104
|
* vici: Support a replay_window CHILD_SA optionMartin Willi2014-06-171-0/+16
|
* starter: Add a replay_window connection optionMartin Willi2014-06-171-0/+4
|
* kernel-interface: Add a replay_window parameter to add_sa()Martin Willi2014-06-174-8/+15
|
* child-cfg: Store connection specific replay window on CHILD_SA configMartin Willi2014-06-172-0/+38
|
* socket-win: Use non-overlapped I/O and socket event selectionMartin Willi2014-06-171-31/+13
| | | | | | | | The use of overlapped I/O was incorrect, as we passed stack based buffers, but did not cancel/wait for pending completion on all sockets. Our receive-from-all socket interface is actually tricky to implement using overlapped I/O. Switch to WSAEventSelect() event management, which can be canceled properly while working in a select()-like way.
* bus: Add a handle_vips() hook invoked after handling configuration attributesMartin Willi2014-06-176-0/+53
| | | | | | | | | Similar to assign_vips() used by a peer assigning virtual IPs to the other peer, the handle_vips() hook gets invoked on a peers after receiving attributes. On release of the same attributes the hook gets invoked again. This is useful to inspect handled attributes, as the ike_updown() hook is invoked after authentication, when attributes have not been handled yet.
* ikev1: Invoke the assign_vips() bus hook for IKEv1 as wellMartin Willi2014-06-162-3/+7
|
* ike: Create an enumerator for (un-)handled configuration attributes on IKE_SAMartin Willi2014-06-162-0/+32
|
* ike: Store unhandled attributes on IKE_SA as wellMartin Willi2014-06-164-12/+12
|
* Split swanctl --raw mode into single-line and --pretty modeAndreas Steffen2014-06-144-31/+70
|
* windows: Use WINAPI call convention for Windows API callbacksMartin Willi2014-06-063-10/+13
| | | | | For x86_64 it does not actually matter, but for i686 builds the call convention is different with WINAPI.
* kernel-wfp: Include Windows header patch for MinGW 4.8.1Martin Willi2014-06-042-0/+29
|
* kernel-wfp: Clone acquire traffic selectors only if they existMartin Willi2014-06-041-1/+3
|
* kernel-wfp: Install routes for trap policiesMartin Willi2014-06-041-3/+21
|
* kernel-wfp: Refactor route management to separate functionMartin Willi2014-06-041-39/+47
|
* kernel-wfp: Install tunnel mode policies to appropriate sub-layersMartin Willi2014-06-042-6/+22
| | | | | While it is unclear if this has any effect at all, we prefer specific sublayers to install policies as suggested.
* kernel-wfp: Declare GUIDs and auth/cipher configs missing in some MinGW buildsMartin Willi2014-06-041-0/+89
|
* kernel-wfp: Support multiple traffic selectors on tunnel mode SAsMartin Willi2014-06-041-36/+80
|
* child-sa: Pass the number of total policies tied to an SA to the kernelMartin Willi2014-06-041-0/+8
| | | | | This will be useful if the kernel backend has to know how many policies follow an SA install, for example if it must install all policies concurrently.
* kernel-iph: Implicitly enable IP forwarding when installing routesMartin Willi2014-06-041-0/+26
|
* kernel-wfp: Show a warning for packets the kernel drops in its IPsec layersMartin Willi2014-06-041-0/+6
|
* kernel-wfp: Set flag to get UDP encapsulation with tunnel mode workingMartin Willi2014-06-042-0/+22
| | | | | | Having this flag set fixes connections initiated by the Windows host, but unfortunately does not yet fix incoming connections. Connection state issue? We still see 0xc00000e2 error events, translating to INTERNAL_ERROR.
* kernel-wfp: Install tunnel and trap forward policiesMartin Willi2014-06-043-136/+275
|
* kernel-wfp: Manually create a ProviderContext to attach individual filtersMartin Willi2014-06-044-79/+73
| | | | | | This gives us more flexibility than using the intransparent FwpmIPsecTunnelAdd, and fixes the issues we have seen with trap policies. Forward filters are still missing, but required for site-to-site tunnels.
* kernel-wfp: Print filter weight in "ipsecdump filters"Martin Willi2014-06-041-0/+4
|
* kernel-wfp: Add support for trap policies and acquiresMartin Willi2014-06-042-1/+304
|
* socket-win: Install IKE bypass policies using bypass_socket()Martin Willi2014-06-042-0/+12
|
* kernel-wfp: Implement bypass_socket() using dedicated filter rulesMartin Willi2014-06-041-2/+117
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-04 14:28:42 +0000