aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon
Commit message (Collapse)AuthorAgeFilesLines
...
* eap-radius: Add ability to configure RADIUS retransmission behaviorThom Troy2015-11-171-2/+58
| | | | Closes strongswan/strongswan#19.
* eap-mschapv2: Keep internal state to prevent authentication from succeeding ↵Tobias Brunner2015-11-161-24/+67
| | | | | | | | | prematurely We can't allow a client to send us MSCHAPV2_SUCCESS messages before it was authenticated successfully. Fixes CVE-2015-8023.
* vici: Attribute certificates are not trustedTobias Brunner2015-11-121-1/+3
|
* vici: Properly add CRLs to the credential setTobias Brunner2015-11-121-2/+8
| | | | add_crl() ensures that old CLRs are not stored in the credential set.
* mode-config: Reassign migrated virtual IP if client requests %anyTobias Brunner2015-11-121-1/+3
| | | | | | | | | If we mistakenly detect a new IKE_SA as a reauthentication the client won't request the previous virtual IP, but since we already migrated it we already triggered the assign_vips() hook, so we should reassign the migrated virtual IP. Fixes #1152.
* eap-radius: Compare address family when handing out virtual IPsTobias Brunner2015-11-121-6/+26
| | | | | | | This also ensures that the actually released virtual IP is removed from the list of claimed IPs. Fixes #1199.
* eap-mschapv2: Report username if different from EAP-Identity (or IKE identity)Tobias Brunner2015-11-121-1/+4
|
* eap-mschapv2: Provide EAP-MSCHAPv2 username as EAP-IdentityTobias Brunner2015-11-121-2/+17
|
* android: Fix build after updating Linux headersTobias Brunner2015-11-121-1/+0
| | | | | | | | Since we don't use the kernel-netlink plugin anymore and the headers in the NDK are reasonably recent, we don't need this anymore (at least when building the app). Fixes #1172.
* ike-sa-manager: Allow plugins to provide IKE SPIs via a callbackTobias Brunner2015-11-112-11/+54
| | | | | Plugins must depend on `libcharon-sa-managers` to ensure the manager exists.
* libcharon: Publish IKE_SA/CHILD_SA managers as custom plugin featureTobias Brunner2015-11-111-11/+29
|
* ikev1: Also use message hashes for Quick Mode for the early retransmission checkTobias Brunner2015-11-111-4/+8
| | | | | | | | | | We already did so during Phase 1 but because all three Quick Mode message have the same message ID we occasionally dropped the third message as retransmit, so we do it there too. For INFORMATIONAL and TRANSACTION exchanges we don't expect more than one inbound message with the same message ID so we still use them there. Fixes #1198.
* kernel-interface: Pass the same data to del_policy() that was passed to ↵Tobias Brunner2015-11-105-107/+119
| | | | | | | add_policy() The additional data can be helpful to identify the exact policy to delete.
* trap-manager: Also clean up remote address in error casesTobias Brunner2015-11-101-0/+2
| | | | Fixes #1201.
* traffic-selector: Don't end printf'ed list of traffic selectors with a spaceTobias Brunner2015-11-109-14/+14
|
* vici: Add option to query leases of poolsTobias Brunner2015-11-102-3/+36
| | | | | We could later perhaps add filter parameters similar to those of the `ipsec leases` command (pool name/virtual IP).
* vici: Return local and remote virtual IPs when listing SAsTobias Brunner2015-11-102-0/+36
|
* socket-dynamic: Refactor setting source address when sending messagesTobias Brunner2015-11-091-32/+62
| | | | Basically the same change as the one for the socket-default plugin.
* socket-default: Refactor setting source address when sending messagesTobias Brunner2015-11-091-46/+107
| | | | | | | | | | | This ensures we don't pass data (via msg_control) defined in a different scope to sendmsg(). Actually, some compilers (e.g. GCC 5.2.1) might optimize the memcpy() call away causing the packets not to get sent from the intended source address. It also makes the code clearer than with all these ifdefs. Fixes #1171.
* socket-default: Refactor retrieval of destination address of received packetsTobias Brunner2015-11-091-39/+89
| | | | This makes the code a bit clearer than with the interleaved ifdefs.
* file-logger: Add option to print milliseconds within the current second ↵Tobias Brunner2015-11-093-11/+34
| | | | | | | | after timestamp For this to look right time_format should end with %S or %T. Closes strongswan/strongswan#18.
* ike-natd: Create fake NAT-D payloads in a more static wayTobias Brunner2015-11-091-20/+8
| | | | | | | | | | | | | | | In some scenarios an IKE_SA might get restarted multiple times (e.g. due to retransmits and delayed INVALID_KE_PAYLOAD notifies) so that two IKE_SA_INIT messages might be sent that only differ in the previously randomly generated NAT_DETECTION_SOURCE_IP payload. This could cause an authentication failure on the responder if the two peers don't use the same IKE_SA_INIT message in their InitiatorSignedOctets. While the payload is generated in a reproducible way it will still change when the daemon is restarted, which should make detecting the payloads as fake a bit harder (compared to e.g. just using 0.0.0.0:0 as address). Fixes #1131.
* mediation: Reschedule initiate mediation job if SA is not yet foundTobias Brunner2015-11-091-0/+4
| | | | | | | | | If the job gets queued for a newly created IKE_SA it might not yet be checked in when the job is running, reschedule the job in that case. This should fix the two p2pnat test scenarios, which occasionally failed because one of the peers did not initiate the connection to the mediation server.
* ike-sa-manager: Signal entries that we don't actually check outTobias Brunner2015-11-091-1/+8
| | | | | | | | | In some cases we call wait_for_entry() but don't actually check out the entry afterwards (e.g. because it doesn't match certain criteria). So there won't be a call to checkin() for such entries causing waiting threads to get signaled. Instead, such threads would be blocked until another thread properly checks out/in the entry (or does a blocking enumeration).
* ike-sa-manager: Signal waiting threads after check out/in for uniqueness checkTobias Brunner2015-11-091-0/+3
| | | | Fixes 758b1caa0e75 ("ikev1: Prevent deadlock when checking for duplicate IKEv1 SAs")
* ikev1: Fix calculation of DPD timeoutTobias Brunner2015-11-091-0/+2
| | | | | A DPD timeout job is queued whenever a DPD is sent, i.e. after the DPD delay already has elapsed, so we have to compensate for that.
* xauth: Call authorize() hook also when xauth-noauth is usedTobias Brunner2015-11-091-2/+8
| | | | Fixes #1138.
* vici: Add NAT information when listing IKE_SAsTobias Brunner2015-11-092-0/+21
| | | | | | | | | | The `nat-local` and `nat-remote` keys contain information on the NAT status of the local and remote IKE endpoints, respectively. If a responder did not detect a NAT but is configured to fake a NAT situation this is indicated by `nat-fake` (if an initiator fakes a NAT situation `nat-local` is set). If any NAT is detected or faked `nat-any` is set. Closes strongswan/strongswan#16.
* stroke: Make down-nb actually non-blockingTobias Brunner2015-11-091-31/+40
| | | | Fixes #1191.
* Explicitly mention SHA2 algorithm in BLISS OIDs and signature schemesAndreas Steffen2015-11-061-3/+3
|
* ikev2: Fix size of key material for CAMELLIA-CTRTobias Brunner2015-10-301-0/+1
| | | | Like AES in CTR mode it includes a 4 byte nonce.
* ike-mobike: Send retransmits to the current local and remote addressesTobias Brunner2015-10-301-1/+5
| | | | | | These might have changed by a peer-initiated MOBIKE address update. Fixes #1125.
* ikev1: Handle queued INFORMATIONAL message after receiving the last AM requestTobias Brunner2015-10-301-0/+16
|
* ikev1: Queue INFORMATIONAL request if AM is not complete yetTobias Brunner2015-10-301-6/+13
|
* ikev1: Handle queued TRANSACTION messages only after processing repliesTobias Brunner2015-10-301-1/+2
|
* ikev1: Extract queueing of TRANSACTIONAL requests when MM is not complete yetTobias Brunner2015-10-301-17/+27
|
* ikev1: Drop TRANSACTION/QUICK_MODE requests until we received the last AM ↵Tobias Brunner2015-10-301-0/+32
| | | | message
* ikev1: Make maximum number of IKEv1 phase 2 exchanges we keep state about ↵Tobias Brunner2015-10-301-9/+11
| | | | | | configurable Fixes #1128.
* ikev1: Avoid fourth QM message if third QM messages of multiple exchanges ↵Tobias Brunner2015-10-292-2/+14
| | | | | | | | | | | | are handled delayed If we haven't received the third QM message for multiple exchanges the return value of NEED_MORE for passive tasks that are not responsible for a specific exchange would trigger a fourth empty QM message. Fixes: 4de361d92c54 ("ikev1: Fix handling of overlapping Quick Mode exchanges") References #1076.
* ikev1: Prevent deadlock when checking for duplicate IKEv1 SAsTobias Brunner2015-10-291-0/+16
| | | | | | | | | | | Previously, the current segment was held while checking for duplicate SAs, which requires acquiring all segments. If multiple threads did this concurrently this resulted in a deadlock as they couldn't acquire the segments held by the other threads attempting to do the same. With the default configuration only one segment is used, which prevents the problem as only one thread can check in an IKE SA concurrently. Fixes: a064eaa8a63a ("Handling of initial contact")
* shunt-manager: Resolve %dynamic to %any4/6 before installing policiesTobias Brunner2015-09-161-7/+22
| | | | | | | | left|rightsubnet default to %dynamic, which is basically 0.0.0.0/0 until an address is assigned to it. So if only one side was undefined and the other traffic selector was IPv6 an address family mismatch would occur. References #595.
* shunt-manager: Don't install policies in case of an address family or IP ↵Tobias Brunner2015-09-161-0/+20
| | | | | | protocol mismatch References #595.
* eap-radius: Fix creation of host_t objects based on Framed-IPv6-Address ↵Tobias Brunner2015-08-281-1/+1
| | | | | | | attributes Fixes ec490e68ae37 ("eap-radius: Add support for some basic IPv6-specific RADIUS attributes"). References #1001.
* eap-ttls: Limit maximum length of tunneled EAP packet to EAP-TTLS packetTobias Brunner2015-08-271-1/+8
|
* trap-manager: Cleanup local address in error casesTobias Brunner2015-08-271-0/+2
|
* ha: Close control FIFO if it is not validTobias Brunner2015-08-271-0/+4
|
* Fix some Doxygen issuesTobias Brunner2015-08-273-5/+5
|
* ike: Fix half-open count for initiating SAs when initially checked inTobias Brunner2015-08-271-0/+6
|
* ike: Only consider number of half-open SAs as responder when deciding ↵Tobias Brunner2015-08-276-19/+45
| | | | whether COOKIEs are sent
* vici: Handle closed sockets in the Ruby gemEvan Broder2015-08-241-1/+5
| | | | | | | | | | | | | | | | From recvfrom(2) (which UDPSocket#recv backs into): The return value will be 0 when the peer has performed an orderly shutdown. (i.e. it will return an empty string) Previously in this scenario, Vici::Transport#recv_all would spin forever trying to pull more data off the socket. I'm not entirely clear what happened that caused strongSwan to shutdown the socket, but it probably should not cause vici Ruby apps to spin. Closes strongswan/strongswan#13.
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-07 22:00:13 +0000