aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon
Commit message (Collapse)AuthorAgeFilesLines
...
* shunt-manager: Don't install policies in case of an address family or IP ↵Tobias Brunner2015-09-161-0/+20
| | | | | | protocol mismatch References #595.
* eap-radius: Fix creation of host_t objects based on Framed-IPv6-Address ↵Tobias Brunner2015-08-281-1/+1
| | | | | | | attributes Fixes ec490e68ae37 ("eap-radius: Add support for some basic IPv6-specific RADIUS attributes"). References #1001.
* eap-ttls: Limit maximum length of tunneled EAP packet to EAP-TTLS packetTobias Brunner2015-08-271-1/+8
|
* trap-manager: Cleanup local address in error casesTobias Brunner2015-08-271-0/+2
|
* ha: Close control FIFO if it is not validTobias Brunner2015-08-271-0/+4
|
* Fix some Doxygen issuesTobias Brunner2015-08-273-5/+5
|
* ike: Fix half-open count for initiating SAs when initially checked inTobias Brunner2015-08-271-0/+6
|
* ike: Only consider number of half-open SAs as responder when deciding ↵Tobias Brunner2015-08-276-19/+45
| | | | whether COOKIEs are sent
* vici: Handle closed sockets in the Ruby gemEvan Broder2015-08-241-1/+5
| | | | | | | | | | | | | | | | From recvfrom(2) (which UDPSocket#recv backs into): The return value will be 0 when the peer has performed an orderly shutdown. (i.e. it will return an empty string) Previously in this scenario, Vici::Transport#recv_all would spin forever trying to pull more data off the socket. I'm not entirely clear what happened that caused strongSwan to shutdown the socket, but it probably should not cause vici Ruby apps to spin. Closes strongswan/strongswan#13.
* vici: Optionally check limits when initiating connectionsTobias Brunner2015-08-212-1/+7
| | | | | If the init-limits parameter is set (disabled by default) init limits will be checked and might prevent new SAs from getting initiated.
* vici: Add get_bool() convenience getter for VICI messagesTobias Brunner2015-08-213-0/+94
|
* controller: Optionally adhere to init limits also when initiating IKE_SAsTobias Brunner2015-08-2112-17/+68
|
* ike: Also track initiating IKE_SAs as half-openTobias Brunner2015-08-211-1/+0
|
* stroke: Allow %any as local addressTobias Brunner2015-08-211-3/+7
| | | | | Actually, resolving addresses in `left` might be overkill as we'll assume left=local anyway (the only difference is the log message).
* stroke: Add an option to disable side-swapping of configuration optionsTobias Brunner2015-08-211-33/+46
| | | | | In some scenarios it might be preferred to ensure left is always local and no unintended swaps occur.
* ikev1: Assign different job priorities for inbound IKEv1 messagesTobias Brunner2015-08-211-2/+12
|
* child-rekey: Don't add a REKEY_SA notify if the child-create task is ↵Tobias Brunner2015-08-211-6/+9
| | | | deleting the SA
* child-create: Cache proposed IPsec protocolTobias Brunner2015-08-211-10/+13
| | | | | This allows us to DELETE CHILD_SAs on failures that occur before we retrieved the selected proposal.
* child-create: Don't attempt to delete the SA if we don't have all the ↵Tobias Brunner2015-08-211-8/+10
| | | | | | | information Since we only support single protocols we could probably guess it and always send a DELETE.
* child-rekey: Remove redundant migrate() call for child-create sub-taskTobias Brunner2015-08-211-2/+1
| | | | | | | When retrying due to a DH group mismatch this is already done by the child-create task itself. And in other cases where the task returns NEED_MORE we actually will need access to a possible proposal to properly delete it.
* child-create: Fix crash when retrying CHILD_SA rekeying due to a DH group ↵Tobias Brunner2015-08-211-0/+1
| | | | | | | | | | mismatch If the responder declines our KE payload during a CHILD_SA rekeying migrate() is called to reuse the child-create task. But the child-rekey task then calls the same method again. Fixes: 32df0d81fb46 ("child-create: Destroy nonceg in migrate()")
* stroke: Change how CA certificates are storedTobias Brunner2015-08-205-58/+285
| | | | | | | | | | | Since 11c14bd2f5 CA certificates referenced in ca sections were enumerated by two credential sets if they were also stored in ipsec.d/cacerts. This caused duplicate certificate requests to get sent. All CA certificates, whether loaded automatically or via a ca section, are now stored in stroke_ca_t. Certificates referenced in ca sections are now also reloaded when `ipsec rereadcacerts` is used.
* stroke: Combine CA certificate load methodsTobias Brunner2015-08-201-82/+74
| | | | | Also use the right credential set for CA cert references loaded from stroke_ca_t.
* stroke: Atomically replace CA and AA certificates when reloading themTobias Brunner2015-08-201-34/+45
| | | | | Previously it was possible that certificates were not found between the time the credential sets were cleared and the certificates got readded.
* ikev1: Fix handling of overlapping Quick Mode exchangesTobias Brunner2015-08-203-2/+70
| | | | | | | | | | | | | In some cases the third message of a Quick Mode exchange might arrive after the first message of a subsequent Quick Mode exchange. Previously these messages were handled incorrectly and the second Quick Mode exchange failed. Some implementations might even try to establish multiple Quick Modes simultaneously, which is explicitly allowed in RFC 2409. We don't fully support that, though, in particular in case of retransmits. Fixes #1076.
* ikev2: Compare initiator flag again, partially reverts 17ec1c74deTobias Brunner2015-08-202-1/+5
| | | | | We should ignore messages that have the flag set incorrectly. This restores RFC compliance which was broken since the mentioned commit.
* ikev2: Drop IKE_SA_INIT messages that don't have the initiator flag setTobias Brunner2015-08-201-1/+3
| | | | | | | | | | | While this doesn't really create any problems it is not 100% correct to accept such messages because, of course, the sender of an IKE_SA_INIT request is always the original initiator of an IKE_SA. We currently don't check the flag later, so we wouldn't notice if the peer doesn't set it in later messages (ike_sa_id_t.equals doesn't compare it anymore since we added support for IKEv1, in particular since 17ec1c74de).
* ikev1: Pass current auth-cfg when looking for key to determine auth methodTobias Brunner2015-08-191-1/+1
| | | | | | | | | If multiple certificates use the same subjects we might choose the wrong one otherwise. This way we use the one referenced with leftcert and stored in the auth-cfg and we actually do the same thing later in the pubkey authenticator. Fixes #1077.
* ikev2: Store outer EAP method used to authenticate remote peer in auth-cfgTobias Brunner2015-08-191-0/+9
| | | | | | | This allows symmetric configuration of EAP methods (i.e. the same value in leftauth and rightauth) when mutual EAP-only authentication is used. Previously the client had to configure rightauth=eap or rightauth=any, which prevented it from using this same config as responder.
* ike: Use the original port when remote resolves to %anyTobias Brunner2015-08-191-1/+3
| | | | | | When reestablishing the IKE_SA we should still use the original port when right resolves to %any as some implementations might not like initial IKE messages on port 4500 (especially for IKEv1).
* trap-manager: Enable auto=route with right=%any for transport mode connectionsTobias Brunner2015-08-191-27/+118
| | | | Fixes #196.
* sql: Also do a reversed ID matchTobias Brunner2015-08-171-2/+9
| | | | | | | This is required for the case where IDr is not sent (i.e. is %any). The backend manager does the same. Fixes #1044.
* ha: Recreate the control FIFO if the file exists but is not a FIFOTobias Brunner2015-08-171-13/+68
| | | | | | This may happen if something like `echo ... > /path/to/fifo` is used before the plugin was able to create the FIFO. In that case we'd end up in a loop always reading the same values from the static file.
* ikev1: Assume a default key length of 128-bit for AES-CBCTobias Brunner2015-08-171-0/+11
| | | | | | | | | | Some implementations don't send a Key Length attribute for AES-128. This was allowed for IKE in early drafts of RFC 3602, however, some implementations also seem to do it for ESP, where it never was allowed. And the final version of RFC 3602 demands a Key Length attribute for both phases so they shouldn't do it anymore anyway. Fixes #1064.
* vici: Add option to disable policy installation for CHILD_SAsTobias Brunner2015-08-171-1/+6
|
* child-sa: Fix refcounting of allocated reqidsTobias Brunner2015-08-171-3/+12
| | | | | | | | | | | During a rekeying we want to reuse the current reqid, but if the new SA does not allocate it via kernel-interface the state there will disappear when the old SA is destroyed after the rekeying. When the IKE_SA is later reauthenticated with make-before-break reauthentication the new CHILD_SAs there will get new reqids as no existing state is found in the kernel-interface, breaking policy installation in the kernel. Fixes: a49393954f31 ("child-sa: Use any fixed reqid configured on the CHILD_SA config")
* plugin-feature: Add vendor specific EAP method registration macrosTobias Brunner2015-08-171-1/+2
| | | | | | | | | | | Vendor specific EAP methods may be registered with: PLUGIN_CALLBACK(eap_method_register, <constructor>), PLUGIN_PROVIDE(EAP_SERVER_VENDOR, <type>, <vendor>), Same for client implementations via EAP_PEER_VENDOR. References #969.
* eap-radius: Use Framed-IPv6-Address attributes to send IPv6 VIPs in ↵Tobias Brunner2015-08-171-4/+2
| | | | | | | | | accounting messages This attribute is more appropriate for single IPv6 virtual IPs than the Framed-IPv6-Prefix attribute. Fixes #1001.
* eap-radius: Add support for some basic IPv6-specific RADIUS attributesTobias Brunner2015-08-171-1/+10
| | | | | | These are defined in RFC 6911. Fixes #1001.
* vici: Add listen methods to receive arbitrary events in Python libraryTobias Brunner2015-08-171-0/+34
|
* vici: Move event (un-)registration to a helper method in Python libraryTobias Brunner2015-08-173-49/+60
| | | | | Also make sure events are unregistered in case of exceptions in streamed_request().
* vici: Add ike/child-rekey eventsTobias Brunner2015-08-172-0/+108
|
* vici: Document the ike/child-updown eventsTobias Brunner2015-08-171-0/+23
|
* vici: Don't include a child-sas section in ike-updown eventTobias Brunner2015-08-171-2/+0
| | | | | | This makes it clearer that only the data concerning the IKE_SA is transmitted (there could be CHILD_SAs e.g. during IKEv1 reauthentication).
* vici: Explicitly notify listeners of the type of ike/child-updown eventTobias Brunner2015-08-171-0/+11
|
* Fixed AR identities in mutual TNC measurements caseAndreas Steffen2015-08-151-0/+4
|
* load-tester: Include string.h for strcmp() on some platformsTobias Brunner2015-08-131-0/+1
|
* Initialize variables that some compilers seem to warn aboutTobias Brunner2015-08-132-2/+2
|
* Fixed some typosTobias Brunner2015-08-132-5/+5
|
* whitelist: Use hash() method so DNs with different string types matchTobias Brunner2015-08-061-1/+1
| | | | | | | | | | strongSwan uses PrintableString when encoding DNs from strings (if the character set permits it, otherwise T61String is currently used) but certificates might be encoded with UTF8String even for simple ASCII strings. By ignoring this string type when hashing RDNs we make sure the same hash results in this case as long as the actual string values are the same. Fixes #991.
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-17 22:32:55 +0000