aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon
Commit message (Collapse)AuthorAgeFilesLines
...
* ikev2: Reject CREATE_CHILD_SA exchange on unestablished IKE_SAsMartin Willi2014-04-141-0/+9
| | | | | | | Prevents a responder peer to trick us into established state by starting IKE_SA rekeying before the IKE_SA has been authenticated during IKE_AUTH. Fixes CVE-2014-2338.
* eap-mschapv2: Fix potential leaks in case of invalid messages from serversTobias Brunner2014-04-091-0/+4
|
* stroke: Fix memory leak when printing unknown AC group OIDsTobias Brunner2014-04-091-0/+1
|
* ike-cfg: Properly compare IKE proposals for equality5.1.3rc1Tobias Brunner2014-04-031-1/+1
|
* tls: Support a maximum TLS version to negotiate using TLS socket abstractionMartin Willi2014-04-011-1/+1
|
* tls: Support a null encryption flag on TLS socket abstractionMartin Willi2014-04-011-2/+2
|
* aead: Support custom AEAD salt sizesMartin Willi2014-03-311-2/+27
| | | | | | | | | The salt, or often called implicit nonce, varies between AEAD algorithms and their use in protocols. For IKE and ESP, GCM uses 4 bytes, while CCM uses 3 bytes. With TLS, however, AEAD mode uses 4 bytes for both GCM and CCM. Our GCM backends currently support 4 bytes and CCM 3 bytes only. This is fine until we go for CCM mode support in TLS, which requires 4 byte nonces.
* ikev2: Recreate a CHILD_SA that got a hard lifetime expire without rekeyingMartin Willi2014-03-311-0/+12
| | | | | Works around issues related to system time changes and kernel backends using that system time, such as Linux XFRM.
* Properly hash pointers for hash tables where appropriateTobias Brunner2014-03-313-54/+5
| | | | | Simply using the pointer is not optimal for our hash table implementation, which simply masks the key to determine the bucket.
* eap-radius: Add option to not close IKE_SAs on timeouts during interim ↵Tobias Brunner2014-03-311-1/+6
| | | | | | accouting updates Fixes #528.
* ikev1: Accept SPI size of any length <= 16 in ISAKMP proposalTobias Brunner2014-03-311-4/+12
| | | | Fixes #533.
* proposal: Don't fail DH proposal matching if peer includes NONETobias Brunner2014-03-311-4/+19
| | | | | | | | The DH transform is optional for ESP/AH proposals. The initiator can include NONE (0) in its proposal to indicate that while it prefers to do a DH exchange, the responder may still decide to not do so. Fixes #532.
* ikev2: Cache all received attribute certificates to auth configMartin Willi2014-03-311-1/+27
|
* ikev2: Send all known and valid attribute certificates for subject certMartin Willi2014-03-311-0/+46
|
* ikev2: Slightly refactor certificate payload construction to separate functionsMartin Willi2014-03-311-37/+56
|
* ike: Support encoding of attribute certificates in CERT payloadsMartin Willi2014-03-311-1/+6
|
* x509: Replace fixed acert group string getter by a more dynamic group enumeratorMartin Willi2014-03-311-16/+68
|
* tnc-pdp: Fix monolithic buildTobias Brunner2014-03-201-1/+2
|
* tnc-ifmap: Get a reference to the client cert as it is also used in an auth ↵Tobias Brunner2014-03-101-1/+1
| | | | config
* stroke: Use thread-safe dirname(3)Tobias Brunner2014-02-241-6/+4
|
* stroke: Use dirname(3) correctlyTobias Brunner2014-02-241-5/+5
|
* uclibc only defines strndup(3) if _GNU_SOURCE is definedTobias Brunner2014-02-192-3/+6
| | | | References #516.
* stroke: Use proper modifiers to print size_t argumentsTobias Brunner2014-02-181-1/+1
|
* lookip: Properly return from disconnect callback jobTobias Brunner2014-02-181-1/+3
| | | | References #518.
* lookip: Disconnect asynchronously to avoid dead-locking watcher unregistrationMartin Willi2014-02-171-3/+30
| | | | | | | | | While it really would be desirable to allow stream destruction during on_read() callbacks, this does not work anymore since e49b2998. Until we have a proper solution for this issue, use asynchronous disconnects for the only user doing so. Fixes #518.
* libcharon: Remove unused charon->nameTobias Brunner2014-02-122-13/+5
|
* libcharon: Use lib->ns instead of charon->nameTobias Brunner2014-02-1272-259/+255
|
* libhydra: Use lib->ns instead of hydra->daemonTobias Brunner2014-02-121-1/+1
|
* pool: Install SQL schemas from src/poolTobias Brunner2014-02-123-567/+0
| | | | | This allows us to install the schemas if either the attr-sql or sql plugin is enabled, since both use the same schema (at least in parts).
* sql: Set default values for some fields in addresses tableTobias Brunner2014-02-122-6/+6
|
* sql: Install SQL schemas in /usr/share/strongswan/templates/databaseTobias Brunner2014-02-121-0/+3
|
* sql: Remove unused cred.sql snippetTobias Brunner2014-02-121-24/+0
|
* ikev1: Fix config switching due to failed authentication during Aggressive modeTobias Brunner2014-02-121-3/+1
| | | | | | | The encoded ID payload gets destroyed by the authenticator, which caused a segmentation fault after the switch. Fixes #501.
* updown: Return an empty DNS server enumerator if no IKE_SA availableMartin Willi2014-02-061-1/+1
| | | | | The one existing caller does not handle a NULL return and always expects an enumerator; and returning FALSE does not make sense anyway.
* ike: Restart inactivity counter after doing a CHILD_SA rekeyMartin Willi2014-01-231-2/+3
| | | | | | | | | | | | When doing a rekey for a CHILD_SA, the use counters get reset. An inactivity job is queued for a time unrelated to the rekey time, so it might happen that the inactivity job gets executed just after rekeying. If this happens, inactivity is detected even if we had traffic on the rekeyed CHILD_SA just before rekeying. This change implies that inactivity checks can't handle inactivity timeouts for rekeyed CHILD_SAs, and therefore requires that inactivity timeout is shorter than the rekey time to have any effect.
* child-sa: Add a getter for CHILD_SA install timeMartin Willi2014-01-232-0/+20
|
* xauth-pam: Open/close a PAM session for each connected clientAndrea Bonomi2014-01-234-9/+265
| | | | Signed-off-by: Andrea Bonomi <a.bonomi@endian.com>
* xauth-pam: Sanitize XAuth attributes before passing them to PAMMartin Willi2014-01-231-1/+5
|
* ikev2: Add Cisco FRAGMENTATION vendor IDMartin Willi2014-01-231-0/+2
| | | | Courtesy of C.J. Adams-Collier, ZeroLag Communications, Inc.
* ikev2: Add Cisco Copyright vendor IDMartin Willi2014-01-231-0/+2
| | | | Courtesy of C.J. Adams-Collier, ZeroLag Communications, Inc.
* ikev2: Add Cisco Delete Reason vendor IDMartin Willi2014-01-231-0/+2
| | | | Courtesy of C.J. Adams-Collier, ZeroLag Communications, Inc.
* ikev2: Use a more dynamic vendor ID database, as we use with IKEv1Martin Willi2014-01-231-16/+57
|
* stroke: Use chunk_map() instead of non-portable mmap()Martin Willi2014-01-231-30/+6
|
* radattr: Use chunk_map() instead of non-portable mmap()Martin Willi2014-01-231-40/+8
|
* chunk: Externalize error reporting in chunk_write()Martin Willi2014-01-231-1/+10
| | | | | This avoids passing that arbitrary label just for error messages, and gives greater flexibility in handling errors.
* unity: Send all traffic selectors in a single UNITY_SPLIT_INCLUDE attributeTobias Brunner2014-01-231-35/+47
| | | | Cisco clients only handle the first such attribute.
* unity: Change local TS to 0.0.0.0/0 as responderTobias Brunner2014-01-231-4/+7
| | | | | Cisco clients and Shrew expect a remote TS of 0.0.0.0/0 if Unity is used, otherwise Quick Mode fails.
* unity: Send UNITY_SPLIT_INCLUDE attributes with proper paddingTobias Brunner2014-01-231-11/+16
| | | | | | The additional 6 bytes are not actually padding but are parsed by the Cisco client as protocol and src and dst ports (each two bytes but strangely only the first two in network order).
* updown: Increase buffer size for script and environment variablesTobias Brunner2014-01-231-1/+1
|
* updown: Add PLUTO_IPCOMP to indicate if IPComp was negotiatedTobias Brunner2014-01-231-1/+7
|