aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon
Commit message (Collapse)AuthorAgeFilesLines
* ikev1: Inverse check when applying received KE value during Quick Mode5.3.0rc1Martin Willi2015-03-241-1/+1
| | | | Fixes Quick Mode negotiation when PFS is in use.
* encoding: Remove DH public value verification from KE payloadMartin Willi2015-03-231-73/+0
| | | | | | | | This commit reverts 84738b1a and 2ed5f569. As we have no DH group available in the KE payload for IKEv1, the verification can't work in that stage. Instead, we now verify DH groups in the DH backends, which works for any IKE version or any other purpose.
* diffie-hellman: Add a bool return value to set_other_public_value()Martin Willi2015-03-235-7/+55
|
* diffie-hellman: Add a bool return value to get_my_public_value()Martin Willi2015-03-238-12/+39
|
* encoding: Allow ke_payload_create_from_diffie_hellman() to failMartin Willi2015-03-235-13/+59
|
* diffie-hellman: Use bool instead of status_t as get_shared_secret() return valueMartin Willi2015-03-236-10/+10
| | | | | While such a change is not unproblematic, keeping status_t makes the API inconsistent once we introduce return values for the public value operations.
* load-tester: Migrate NULL DH implementation to INIT/METHOD macrosMartin Willi2015-03-231-21/+26
|
* ikev1: Make sure SPIs in an IKEv1 DELETE payload match the current SATobias Brunner2015-03-231-0/+39
| | | | | | | | | | | | | | | | | | | | OpenBSD's isakmpd uses the latest ISAKMP SA to delete other expired SAs. This caused strongSwan to delete e.g. a rekeyed SA even though isakmpd meant to delete the old one. What isakmpd does might not be standard compliant. As RFC 2408 puts it: Deletion which is concerned with an ISAKMP SA will contain a Protocol-Id of ISAKMP and the SPIs are the initiator and responder cookies from the ISAKMP Header. This could either be interpreted as "copy the SPIs from the ISAKMP header of the current message to the DELETE payload" (which is what strongSwan assumed, and the direction IKEv2 took it, by not sending SPIs for IKE), or as clarification that ISAKMP "cookies" are actually the SPIs meant to be put in the payload (but that any ISAKMP SA may be deleted).
* encoding: Add getter for IKE SPIs in IKEv1 DELETE payloadsTobias Brunner2015-03-232-0/+25
|
* trap-manager: Add option to ignore traffic selectors from acquire eventsTobias Brunner2015-03-231-1/+8
| | | | | | | | The specific traffic selectors from the acquire events, which are derived from the triggering packet, are usually prepended to those from the config. Some implementations might not be able to handle these properly. References #860.
* encoding: Don't verify length of IKEv1 KE payloadsTobias Brunner2015-03-201-0/+6
| | | | | | The verification introduced with 84738b1aed95 ("encoding: Verify the length of KE payload data for known groups") can't be done for IKEv1 as the KE payload does not contain the DH group.
* attr-sql: Rename sql_attribute_t to attr_sql_provider_tMartin Willi2015-03-195-32/+32
| | | | | | As the plugin has its origins in the sql plugin, it still uses the naming scheme for the attribute provider implementation. Rename the class to better match the naming scheme we use in any other plugin
* ikev1: Adopt virtual IPs on new IKE_SA during re-authenticationTobias Brunner2015-03-193-45/+156
| | | | | | | | | | | Some clients like iOS/Mac OS X don't do a mode config exchange on the new SA during re-authentication. If we don't adopt the previous virtual IP Quick Mode rekeying will later fail. If a client does do Mode Config we directly reassign the VIPs we migrated from the old SA, without querying the attributes framework. Fixes #807, #810.
* ikev1: Mark rekeyed CHILD_SAs as INSTALLEDTobias Brunner2015-03-191-0/+2
| | | | | Since we keep them around until they finally expire they otherwise would block IKE_SA rekeying/reauthentication.
* mem-pool: Remove entries without online or offline leasesTobias Brunner2015-03-191-6/+22
| | | | | | This avoids filling up the hash table with unused/old identities. References #841.
* kernel-handler: Log new endpoint if NAT mapping changedTobias Brunner2015-03-191-2/+3
|
* child-sa: Remove policies before states to avoid acquire events for ↵Tobias Brunner2015-03-191-16/+16
| | | | untrapped policies
* vici: Add support for python 3Björn Schuberg2015-03-185-8/+29
|
* vici: Execute python tests during "check" if py.test is availableMartin Willi2015-03-181-0/+4
|
* vici: Add test of Packet layer in python libraryBjörn Schuberg2015-03-181-1/+47
|
* vici: Add test of Message (de)serialization in python libraryBjörn Schuberg2015-03-183-0/+100
|
* vici: Evaluate Python streamed command results, and raise CommandExceptionMartin Willi2015-03-181-1/+10
|
* vici: Catch Python GeneratorExit to properly cancel streamed event iterationMartin Willi2015-03-182-1/+12
|
* vici: Fall back to heap buffer when vararg printing on stack failsMartin Willi2015-03-181-21/+44
| | | | This avoids failures when building log event messages including larger hexdumps.
* vici: Return a Python generator instead of a list for streamed responsesMartin Willi2015-03-182-47/+25
| | | | | | | In addition that it may reduce memory usage and improve performance for large responses, it returns immediate results. This is important for longer lasting commands, such as initiate/terminate, where immediate log feedback is preferable when interactively calling such commands.
* vici: Raise a Python CommandException instead of returning a CommandResultMartin Willi2015-03-182-82/+42
|
* vici: Add initial Python egg documentation to READMEMartin Willi2015-03-181-0/+65
|
* vici: Use OrderedDict to handle vici responses in Python libraryMartin Willi2015-03-181-2/+3
| | | | | The default Python dictionaries are unordered, but order is important for some vici trees (for example the order of authentication rounds).
* vici: Return authentication rounds with unique namesMartin Willi2015-03-181-1/+4
| | | | | | To simplify handling of authentication rounds in dictionaries/hashtables on the client side, we assign unique names to each authentication round when listing connection.
* vici: Rebuild ruby gem on source file changesMartin Willi2015-03-181-1/+1
|
* vici: Use default Unix vici socket if none passed to ruby constructorMartin Willi2015-03-182-4/+7
| | | | | While we currently have a static path instead of one generated with Autotools, this at least is congruent to what we have in the Python library.
* vici: Support non-Unix sockets for vici connections using PythonMartin Willi2015-03-182-7/+9
|
* vici: Add python egg setuptools building and installation using easy_installMartin Willi2015-03-181-0/+15
| | | | | | An uninstall target is currently not supported, as there is no trivial way with either plain setuptools or with easy_install. pip would probably be the best choice, but we currently don't depend on it.
* vici: Generate a version specific setup.py for setuptools installationMartin Willi2015-03-183-0/+41
|
* vici: Include python package in distributionMartin Willi2015-03-182-0/+9
|
* vici: Add python package MIT licenseBjörn Schuberg2015-03-182-0/+20
|
* vici: Expose Session as a top-level symbol in python packageBjörn Schuberg2015-03-181-0/+1
|
* vici: Introduce main API Session class in python packageBjörn Schuberg2015-03-181-1/+244
|
* vici: Add a python vici command execution handlerBjörn Schuberg2015-03-182-1/+134
|
* vici: Add vici python protocol handlerBjörn Schuberg2015-03-184-0/+199
|
* encoding: Verify the length of KE payload data for known groupsMartin Willi2015-03-181-0/+67
| | | | | | | IKE is very strict in the length of KE payloads, and it should be safe to strictly verify their length. Not doing so is no direct threat, but allows DDoS amplification by sending short KE payloads for large groups using the target as the source address.
* ikev2: Migrate MOBIKE additional peer addresses to new SA after IKE_SA rekeyingMartin Willi2015-03-181-0/+6
|
* ikev2: Immediately initiate queued tasks after establishing rekeyed IKE_SAMartin Willi2015-03-185-0/+176
| | | | | | If additional tasks get queued before/while rekeying an IKE_SA, these get migrated to the new IKE_SA. We previously did not trigger initiation of these tasks, though, leaving the task unexecuted until a new task gets queued.
* vici: Use %u to print stats returned by mallinfo(3)Tobias Brunner2015-03-131-4/+4
| | | | Fixes #886.
* stroke: Use %u to print stats returned by mallinfo(3)Tobias Brunner2015-03-131-1/+1
| | | | References #886.
* eap-radius: Increase Acct-Session-ID string bufferMartin Willi2015-03-131-1/+1
| | | | | | | | As the startup timestamp needs 10 characters, we only have left 4 characters for the IKE_SA unique identifier. This is insufficient when having 10000 IKE_SAs or more established, resulting in non-unique session identifiers. Fixes #889.
* ikev2: Don't set old IKE_SA to REKEYING state during make-before-break reauthMartin Willi2015-03-111-1/+0
| | | | | | | | | We are actually not in rekeying state, but just trigger a separate, new IKE_SA as a replacement for the current IKE_SA. Switching to the REKEYING state disables the invocation of both IKE and CHILD_SA updown hooks as initiator, preventing the removal of any firewall rules. Fixes #885.
* ha: Destroy synced IKE_SA if no configuration is found during updateMartin Willi2015-03-101-0/+3
|
* ikev1: Don't handle DPD timeout job if IKE_SA got passiveMartin Willi2015-03-101-0/+6
| | | | | | While a passively installed IKE_SA does not queue a DPD timeout job, one that switches from active to passive might execute it. Ignore such a queued job if the IKE_SA is in passive state.
* libipsec: Pass separate inbound/update flags to the IPsec SA managerMartin Willi2015-03-091-1/+2
| | | | | Similar to other kernel interfaces, the libipsec backends uses the flag for different purposes, and therefore should get separate flags.
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-04 00:42:06 +0000