aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon
Commit message (Collapse)AuthorAgeFilesLines
...
* kernel-netlink: Associate routes with IN policies instead of FWD policiesTobias Brunner2016-04-091-21/+21
| | | | | | This allows us to install more than one FWD policy. We already do this in the kernel-pfkey plugin (there the original reason was that not all kernels support FWD policies).
* kernel: Use structs to pass information to the kernel-ipsec interfaceTobias Brunner2016-04-0910-894/+1066
|
* vici: Fix documentation of some dictionary keys of two request messagesCameron McCord2016-03-311-3/+3
| | | | Closes strongswan/strongswan#40.
* Use standard unsigned integer typesAndreas Steffen2016-03-24233-1711/+1711
|
* updown: Get value for PLUTO_MARK_{IN,OUT} from CHILD_SAShota Fukumori2016-03-231-2/+2
| | | | | | | Or the invoked script will get a broken value when `mark=%unique` is used in a configuration. Closes strongswan/strongswan#37.
* connmark: Explicitly include xt_mark.h for older kernelsTobias Brunner2016-03-231-0/+1
| | | | Fixes #1365.
* libcharon: Add missing header file to Android.mkTobias Brunner2016-03-231-0/+1
| | | | Not really relevant, just to make sure both file lists are the same.
* ike-sa-manager: Avoid memory leak if IKE_SAs get checked in after flush() ↵Tobias Brunner2016-03-231-23/+38
| | | | | | | | | | | | | was called A thread might check out a new IKE_SA via checkout_new() or checkout_by_config() and start initiating it while the daemon is terminating and the IKE_SA manager is flushed by the main thread. That SA is not tracked yet so the main thread is not waiting for it and the other thread is able to check it in and creating an entry after flush() already terminated causing a memory leak. Fixes #1348.
* ha: Delete cache entry inside the locked mutexThomas Egerer2016-03-231-0/+2
| | | | Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* kernel-netlink: Fix lookup of next hops for destinations with prefixTobias Brunner2016-03-211-1/+2
| | | | References #1347.
* Fix some Doxygen issuesTobias Brunner2016-03-111-1/+1
|
* vici: Don't hold write lock while running or undoing start actionsTobias Brunner2016-03-111-27/+63
| | | | | | | | | | | | | | Running or undoing start actions might require enumerating IKE_SAs, which in turn might have to enumerate peer configs concurrently, which requires acquiring a read lock. So if we keep holding the write lock while enumerating the SAs we provoke a deadlock. By preventing other threads from acquiring the write lock while handling actions, and thus preventing the modification of the configs, we largely maintain the current synchronous behavior. This way we also don't need to acquire additional refs for config objects as they won't get modified/removed. Fixes #1185.
* Initialize ts variableAndreas Steffen2016-03-111-1/+1
|
* forecast: Compare the complete rules when deleting themTobias Brunner2016-03-101-1/+4
| | | | | | Same as the change in the connmark plugin. References #1229.
* connmark: Don't restore CONNMARK for packets that already have a mark setTobias Brunner2016-03-101-2/+17
| | | | | | | | | This allows e.g. modified versions of xl2tpd to set the mark in situations where two clients are using the same source port behind the same NAT, which CONNMARK can't restore properly as only one conntrack entry will exist with the mark set to that of the client that sent the last packet. Fixes #1230.
* connmark: Compare the complete rules when deleting themTobias Brunner2016-03-101-1/+4
| | | | | | | | | | | | By settings a matchmask that covers the complete rule we ensure that the correct rule is deleted (i.e. matches and targets with potentially different marks are also compared). Since data after the passed pointer is actually dereferenced when comparing we definitely have to pass an array that is at least as long as the ipt_entry. Fixes #1229.
* Support of IP address ranges in traffic selectorsAndreas Steffen2016-03-102-7/+27
|
* attr: Only enumerate attributes matching the IKE version of the current IKE_SATobias Brunner2016-03-101-19/+49
| | | | Numerically configured attributes are currently sent for both versions.
* attr: Add p-cscf keyword for P-CSCF server addressesTobias Brunner2016-03-101-0/+1
|
* p-cscf: Make sending requests configurable and disable it by defaultTobias Brunner2016-03-101-2/+6
|
* p-cscf: Only send requests if virtual IPs of the same family are requestedTobias Brunner2016-03-101-2/+18
|
* p-cscf: Add attribute handler for P-CSCF server addressesTobias Brunner2016-03-104-1/+243
|
* p-cscf: Add plugin stubTobias Brunner2016-03-105-0/+132
|
* payloads: Verify P-CSCF configuration attributes like others carrying IP ↵Tobias Brunner2016-03-101-0/+2
| | | | addresses
* attributes: Define P-CSCF address attributes described in RFC 7651Tobias Brunner2016-03-102-6/+13
|
* ike-sa: Improve interaction between flush_auth_cfg and delayed revocation checksTobias Brunner2016-03-101-26/+37
|
* ikev2: Delay online revocation checks during make-before-break reauthenticationTobias Brunner2016-03-101-0/+5
| | | | | | | | | | | | | | | | | | | | | We do these checks after the SA is fully established. When establishing an SA the responder is always able to install the CHILD_SA created with the IKE_SA before the initiator can do so. During make-before-break reauthentication this could cause traffic sent by the responder to get dropped if the installation of the SA on the initiator is delayed e.g. by OCSP/CRL checks. In particular, if the OCSP/CRL URIs are reachable via IPsec tunnel (e.g. with rightsubnet=0.0.0.0/0) the initiator is unable to reach them during make-before-break reauthentication as it wouldn't be able to decrypt the response that the responder sends using the new CHILD_SA. By delaying the revocation checks until the make-before-break reauthentication is completed we avoid the problems described above. Since this only affects reauthentication, not the original IKE_SA, and the delay until the checks are performed is usually not that long this doesn't impose much of a reduction in the overall security.
* ikev2: Add task that verifies a peer's certificateTobias Brunner2016-03-107-2/+183
| | | | | | On failure the SA is deleted and reestablished as configured. The task is activated after the REAUTH_COMPLETE task so a make-before-break reauth is completed before the new SA might get torn down.
* ikev2: Initiate other tasks after a no-op taskTobias Brunner2016-03-101-1/+1
|
* ikev2: Don't do online revocation checks in pubkey authenticator if requestedTobias Brunner2016-03-101-1/+8
| | | | We also update the auth config so the constraints are not enforced.
* ike-sa: Add condition to suspend online certificate revocation checks for an ↵Tobias Brunner2016-03-101-0/+5
| | | | IKE_SA
* ike-sa: Add method to verify certificates in completed authentication roundsTobias Brunner2016-03-102-0/+111
|
* credential-manager: Make online revocation checks optional for public key ↵Tobias Brunner2016-03-102-2/+2
| | | | enumerator
* vici: Replace child configs atomicallyTobias Brunner2016-03-081-14/+11
| | | | This also leaves unmodified configs as they are.
* peer-cfg: Add method to atomically replace child configsTobias Brunner2016-03-082-2/+128
|
* ike-cfg: Use new method to compare proposal lists in equals()Tobias Brunner2016-03-081-20/+4
|
* peer-cfg: Use new method to compare linked lists in equals()Tobias Brunner2016-03-081-36/+3
| | | | This also compares the complete lists not only the first two items.
* child-cfg: Add equals() methodTobias Brunner2016-03-082-2/+62
|
* vici: Order auth rounds by optional `round` parameter instead of by position ↵Tobias Brunner2016-03-081-40/+64
| | | | in the request
* ikev1: Send NAT-D payloads after vendor ID payloads in Aggressive Mode messagesTobias Brunner2016-03-071-6/+6
| | | | | | | Some implementations might otherwise not recognize the NAT-D payload type. Also moves SIG and HASH payloads last in these messages. Fixes #1239.
* ike-sa-manager: Log a checkin/failure message for every checkoutThomas Egerer2016-03-071-8/+32
| | | | Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* ike-sa-manager: Log some additional details like SPIs when checking out SAsTobias Brunner2016-03-041-7/+16
|
* smp: Correctly return IKE SPIs stored in network orderTobias Brunner2016-03-041-4/+4
|
* vici: Correctly return IKE SPIs stored in network orderTobias Brunner2016-03-041-2/+4
|
* stroke: Correctly print IKE SPIs stored in network orderTobias Brunner2016-03-041-2/+4
|
* vici: Add support for pubkey constraints with EAP-TLSTobias Brunner2016-03-041-0/+8
| | | | This is a feature currently supported by stroke.
* auth-cfg: Make IKE signature schemes configurableTobias Brunner2016-03-042-5/+7
| | | | | | This also restores the charon.signature_authentication_constraints functionality, that is, if no explicit IKE signature schemes are configured we apply all regular signature constraints as IKE constraints.
* ikev2: Always store signature scheme in auth-cfgTobias Brunner2016-03-041-12/+1
| | | | As we use a different rule we can always store the scheme.
* ikev2: Diversify signature scheme ruleThomas Egerer2016-03-042-3/+4
| | | | | | | This allows for different signature schemes for IKE authentication and trustchain verification. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* ike-init: Verify REDIRECT notify before processing IKE_SA_INIT messageTobias Brunner2016-03-041-7/+51
| | | | | | An attacker could blindly send a message with invalid nonce data (or none at all) to DoS an initiator if we just destroy the SA. To prevent this we ignore the message and wait for the one by the correct responder.
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-05 21:36:51 +0000