path: root/src/libcharon
Commit log (columns: commit message, author, date, files changed, lines -removed/+added)
...

* vici: Add generic callback based vici message parsing
  Martin Willi, 2014-05-07, 2 files, -0/+139

* vici: Add a list-policy command to query trap and shunt policies
  Martin Willi, 2014-05-07, 1 file, -0/+147

* vici: Add install/uninstall commands to manage trap and shunt policies
  Martin Willi, 2014-05-07, 1 file, -0/+112

* vici: Extract CHILD_SA config lookup method
  Martin Willi, 2014-05-07, 1 file, -14/+26

* vici: Refactor socket to clean up locking
  Martin Willi, 2014-05-07, 1 file, -87/+233

  Uses separate locks for socket read and write operations. While holding the socket reader lock, a different thread can still claim the socket write lock. This allows event messages to be sent asynchronously while holding the read lock.

* vici: Fix dispatcher leak when handling unknown request
  Martin Willi, 2014-05-07, 1 file, -10/+11

* vici: Add a test case raising events during request, checks in-order delivery
  Martin Willi, 2014-05-07, 1 file, -0/+76

* vici: Avoid recursive control log invocations
  Martin Willi, 2014-05-07, 1 file, -18/+24

* vici: Add a callback based recursive parser function
  Martin Willi, 2014-05-07, 2 files, -0/+136

* vici: Add a version command to print daemon and OS version info
  Martin Willi, 2014-05-07, 1 file, -0/+23

* vici: Implement a terminate command to close IKE or CHILD_SAs
  Martin Willi, 2014-05-07, 1 file, -0/+118

* vici: Add a control backend, currently to initiate connections by name
  Martin Willi, 2014-05-07, 4 files, -0/+275

* vici: Support thread cancellation in command callbacks
  Martin Willi, 2014-05-07, 2 files, -19/+53

* vici: Move dumping to core message class, use it in libvici
  Martin Willi, 2014-05-07, 4 files, -56/+81

* vici: Add convenience value/string/integer getter to libvici
  Martin Willi, 2014-05-07, 2 files, -0/+76

* vici: Add some convenience getters on message
  Martin Willi, 2014-05-07, 3 files, -1/+337

* vici: Raise events with an optional identifier for specific connections
  Martin Willi, 2014-05-07, 4 files, -9/+14

* vici: Invoke dispatcher outside of connection log, allowing events from commands
  Martin Willi, 2014-05-07, 1 file, -4/+13

* vici: Add a query class, currently implementing a list-sas command
  Martin Willi, 2014-05-07, 4 files, -1/+440

* vici: Add a libvici low-level client library
  Martin Willi, 2014-05-07, 6 files, -0/+1413

* vici: Provide a command dispatcher handling request and event registration
  Martin Willi, 2014-05-07, 9 files, -128/+1105

* vici: Add a fully asynchronous IPC socket segmenting messages on/from stream
  Martin Willi, 2014-05-07, 8 files, -0/+1538

* vici: Add a test runner for plugin
  Martin Willi, 2014-05-07, 4 files, -0/+87

* vici: Add a plugin stub for the "Versatile IKE Control Interface" plugin
  Martin Willi, 2014-05-07, 4 files, -0/+152

* child-cfg: Fix removal of redundant traffic selectors
  Tobias Brunner, 2014-04-25, 1 file, -1/+1

  We have to make sure we compare every selected traffic selector with every other in the list. Fixes #577.

* libcharon: Added AEAD sources of libtls to Android.mk
  Tobias Brunner, 2014-04-25, 1 file, -0/+1

* bus: Add a fast-path if log messages don't have to be logged
  Tobias Brunner, 2014-04-24, 1 file, -7/+53

  For some rwlock_t implementations acquiring the read lock could be quite expensive even if there are no writers (e.g. because the implementation requires acquiring a mutex to check for writers), particularly if the lock is highly contended, like it is for the vlog() method.

* load-tester: Fix race condition issuing same SPI
  Christophe Gouault, 2014-04-24, 1 file, -2/+2

  Due to an unprotected incrementation, two load-tester initiators occasionally use the same SPI under high load, and hence generate 2 IPsec SAs with the same identifier. The responder IPsec stack will refuse to configure the second SA. Use an atomic incrementation to avoid this race condition.

  Signed-off-by: Christophe Gouault <christophe.gouault@6wind.com>

* load-tester: Fix race condition issuing same identity
  Christophe Gouault, 2014-04-24, 1 file, -2/+2

  Due to an unprotected incrementation, two load-tester initiators occasionally use the same identifier under high load. The responder typically drops one of the connections. Use an atomic incrementation to avoid this race condition.

  Signed-off-by: Christophe Gouault <christophe.gouault@6wind.com>

* ike-sa-manager: Improve scalability of half-open IKE_SA checking
  Tobias Brunner, 2014-04-24, 1 file, -7/+8

  This patch is based on one by Christoph Gouault. Currently, to count the total number of half_open IKE_SAs, get_half_open_count sums up the count of each segment in the SA hash table (acquiring a lock for each segment). This procedure does not scale well when the number of segments increases, as the method is called for each new negotiation. Instead, let's maintain a global atomic counter. This optimization allows the use of big values for charon.ikesa_table_size and charon.ikesa_table_segments.

* ike: Delay actively initiated reauthentication when other exchanges in progress
  Martin Willi, 2014-04-17, 1 file, -2/+47

  If any other IKE or CHILD_SA operation takes place, we should not start initiating reauthentication to avoid any potential races.

* ikev2: Reject CHILD_SA creation/rekeying while deleting an IKE_SA
  Martin Willi, 2014-04-17, 1 file, -0/+6

  If one peer starts reauthentication by deleting the IKE_SA, while the other starts CHILD_SA rekeying, we run into a race condition. To avoid it, temporarily reject the rekey attempt while we are in the IKE_SA deleting state. RFC 4306/5996 is not exactly clear about this collision, but it should be safe to reject CHILD_SA rekeying during this stage, as the reauth will re-trigger the CHILD_SA. For non-rekeying CHILD_SA creations, it's up to the peer to retry establishing the CHILD_SA on the reauthenticated IKE_SA.

* ikev2: Apply extensions and conditions before starting rekeying
  Martin Willi, 2014-04-17, 1 file, -0/+6

  The extensions and conditions apply to the rekeyed IKE_SA as well, so we should migrate them. Especially when using algorithms from private space, we need EXT_STRONGSWAN to properly select these algorithms during IKE rekeying.

* ikev2: Add inherit_pre() to apply config and hosts before IKE_SA rekeying
  Martin Willi, 2014-04-17, 4 files, -22/+30

* ikev1: Add an option to accept unencrypted ID/HASH payloads
  Martin Willi, 2014-04-17, 1 file, -1/+20

  Even in Main Mode, some Sonicwall boxes seem to send ID/HASH payloads in unencrypted form, probably to allow PSK lookup based on the ID payloads. We by default reject that, but accept it if the charon.accept_unencrypted_mainmode_messages option is set in strongswan.conf. Initial patch courtesy of Paul Stewart.

* ikev2: Fix reauthentication if peer assigns a different virtual IP
  Tobias Brunner, 2014-04-15, 1 file, -1/+1

  Before this change a reqid set on the create_child_t task was used as indicator of the CHILD_SA being rekeyed. Only if that was not the case would the local traffic selector be changed to 0.0.0.0/0|::/0 (as we don't know which virtual IP the gateway will eventually assign). On the other hand, in case of a rekeying the VIP is expected to remain the same, so the local TS would simply equal the VIP. Since c949a4d5016e33c5 reauthenticated CHILD_SAs also have the reqid set, which meant that the local TS would contain the previously assigned VIP, basically rendering the gateway unable to assign a different VIP to the client as the resulting TS would not match the client's proposal anymore. Fixes #553.

* ikev2: Reject CREATE_CHILD_SA exchange on unestablished IKE_SAs
  Martin Willi, 2014-04-14, 1 file, -0/+9

  Prevents a responder peer from tricking us into established state by starting IKE_SA rekeying before the IKE_SA has been authenticated during IKE_AUTH. Fixes CVE-2014-2338.

* eap-mschapv2: Fix potential leaks in case of invalid messages from servers
  Tobias Brunner, 2014-04-09, 1 file, -0/+4

* stroke: Fix memory leak when printing unknown AC group OIDs
  Tobias Brunner, 2014-04-09, 1 file, -0/+1

* ike-cfg: Properly compare IKE proposals for equality (tag: 5.1.3rc1)
  Tobias Brunner, 2014-04-03, 1 file, -1/+1

* tls: Support a maximum TLS version to negotiate using TLS socket abstraction
  Martin Willi, 2014-04-01, 1 file, -1/+1

* tls: Support a null encryption flag on TLS socket abstraction
  Martin Willi, 2014-04-01, 1 file, -2/+2

* aead: Support custom AEAD salt sizes
  Martin Willi, 2014-03-31, 1 file, -2/+27

  The salt, often called implicit nonce, varies between AEAD algorithms and their use in protocols. For IKE and ESP, GCM uses 4 bytes, while CCM uses 3 bytes. With TLS, however, AEAD mode uses 4 bytes for both GCM and CCM. Our GCM backends currently support 4 bytes and CCM 3 bytes only. This is fine until we go for CCM mode support in TLS, which requires 4 byte nonces.

* ikev2: Recreate a CHILD_SA that got a hard lifetime expire without rekeying
  Martin Willi, 2014-03-31, 1 file, -0/+12

  Works around issues related to system time changes and kernel backends using that system time, such as Linux XFRM.

* Properly hash pointers for hash tables where appropriate
  Tobias Brunner, 2014-03-31, 3 files, -54/+5

  Simply using the pointer is not optimal for our hash table implementation, which simply masks the key to determine the bucket.
* eap-radius: Add option to not close IKE_SAs on timeouts during interim accounting updates
  Tobias Brunner, 2014-03-31, 1 file, -1/+6

  Fixes #528.
* ikev1: Accept SPI size of any length <= 16 in ISAKMP proposal
  Tobias Brunner, 2014-03-31, 1 file, -4/+12

  Fixes #533.

* proposal: Don't fail DH proposal matching if peer includes NONE
  Tobias Brunner, 2014-03-31, 1 file, -4/+19

  The DH transform is optional for ESP/AH proposals. The initiator can include NONE (0) in its proposal to indicate that while it prefers to do a DH exchange, the responder may still decide to not do so. Fixes #532.

* ikev2: Cache all received attribute certificates to auth config
  Martin Willi, 2014-03-31, 1 file, -1/+27

* ikev2: Send all known and valid attribute certificates for subject cert
  Martin Willi, 2014-03-31, 1 file, -0/+46