aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon
Commit message (Collapse)AuthorAgeFilesLines
...
* message: Show the fragmentation numbers in message stringificationMartin Willi2015-06-011-0/+36
|
* ha: Document tunnel parameterTobias Brunner2015-05-271-0/+1
|
* ha: Skip SA for sync messages when resyncing HA segmentsTobias Brunner2015-05-263-3/+14
|
* ha: Move plugin initialization from constructor to plugin callbackTobias Brunner2015-05-261-58/+69
| | | | | This fixes support for the secret option, as otherwise the kernel interface is not registered yet when the trap policy is installed.
* vici: Explicitly disable --user-install when installing Ruby GemTobias Brunner2015-05-211-1/+1
| | | | | | | | Only one of `--user-install` and `--install-dir` may be set and if `--user-install` is the default on a system installation will fail unless we disable it explicitly. Fixes #914.
* vici: Make installation of Ruby Gem and Python Egg optionalTobias Brunner2015-05-212-0/+4
| | | | | | | | | | | | | | | | | | Installing them might not work well when building distro packages (e.g. with DESTDIR installs). It might be easier to install them later with a script in the distro package. When building from source on the local system it could still be useful to install the packages directly, which can be enabled with separate configure options. The main problem with DESTDIR installations of the Python Egg is that easy_install creates or modifies a file called easy-install.pth in the installation directory. So it's not actually possible to simply copy the results in DESTDIR over to the actual system as that file would have to be merged with any existing one. Fixes #914.
* vici: Support out-of-tree build of Python EggTobias Brunner2015-05-211-5/+5
| | | | | | | We also don't require setup.py to exist during cleanup, as e.g. with make distcheck the source directory is not writable when the build directory is cleaned, so setup.py can't be created (to just get removed again anyway if VICI and the Python Eggs haven't been enabled previously).
* ikev1: When a reauth is detected explicitly delete the old IKE_SATobias Brunner2015-05-211-3/+13
| | | | | | | | | | | Instead of just implicitly destroying the old SA we properly delete it to notify the other peer (if the other peer keeps the SA up after the reauthentication and sends DPDs it might consider us dead even though the new SA is up, that seems to be the case with racoon). We delay the DELETE a bit to give the other peer time to get the new SA fully established. Since DELETE messages are not retransmitted it is still possible that the other peer misses that we deleted the SA.
* eap-radius: Keep track of stats for SAs migrated during IKEv1 reauthenticationTobias Brunner2015-05-211-88/+229
|
* ikev1: Trigger children_migrate event if CHILD_SAs are adoptedTobias Brunner2015-05-213-1/+12
|
* bus: Add new hook called when IKEv1 CHILD_SAs are migrated to a new IKE_SATobias Brunner2015-05-213-3/+58
| | | | | | The interface is currently not very nice, but if we ever were able to safely checkout multiple SAs concurrently we could add something similar to ike_rekey() and call that when we detect a reauthentication.
* eap-radius: Remove cache entries for expired SAs during ike/child_rekeyTobias Brunner2015-05-211-0/+53
|
* eap-radius: Add cache for usage stats of expired/rekeyed SAsTobias Brunner2015-05-211-6/+102
| | | | | | | | | | | | | There are several situations that the previous code didn't handle that well, for example, interim updates during rekeying (until the rekeyed SA was deleted the numbers were too high, then suddenly dropped afterwards), or rekeying for IKEv1 in general because rekeyed IPsec SAs stay installed until they expire (so if they were still around when the IKE_SA was terminated, the reported numbers in the Stop message were too high). If intermediate updates are not used the cache entries for rekeyed CHILD_SA will accumulate, we can't clean them up as we don't get child_updown() events for them.
* child-create: Destroy nonceg in migrate()Tobias Brunner2015-05-051-1/+2
| | | | | Since another nonce gets allocated later (if any was allocated already) this would have resulted in a leaked nonce context ID when used in charon-tkm.
* child-create: Fix error handling if nonceg can't be createdTobias Brunner2015-05-051-14/+12
| | | | As with ike-init we can't return NULL in the task constructor.
* ike-init: Fix error handling if nonceg can't be createdTobias Brunner2015-05-051-13/+21
| | | | | | Returning FAILED in the constructor is wrong, but returning NULL doesn't work either as it's currently assumed tasks always can be created. Therefore, delay this check until we actually try to allocate a nonce.
* ike-init: Fix compiler warningTobias Brunner2015-05-051-2/+0
|
* ike-init: Make nonceg a member of ike_init structReto Buerki2015-05-041-20/+17
| | | | | | | This allows to control the life-cycle of a nonce in the context of the ike init task. In the TKM use-case the nonce generator cannot be destroyed before the ike init task is finalized, otherwise the created nonce is detected as stale.
* child-create: Make nonceg a member of child_create structReto Buerki2015-05-041-12/+16
| | | | | | | | This allows to control the life-cycle of a nonce in the context of the child create task. In the TKM use-case, it is required to reset the nonce context if the created nonce is not consumed. This happens if the child SA negotiation fails and it is detected before the SA is established via the TKM kernel plugin (i.e. rekey collision).
* Add bool param to ALERT_KEEP_ON_CHILD_SA_FAILURE alertAdrian-Ken Rueegsegger2015-05-042-3/+8
| | | | | The parameter indicates if the alert is raised upon failure to establish the first CHILD SA of an IKE SA.
* vici: Default to certificate subject for identityTimo Teräs2015-05-041-0/+37
| | | | | | | | If id is not specified and certificate authentication is used, use the certificate subject name as identity. Simplifies configuration as in most cases this is the right thing to do. Signed-off-by: Timo Teräs <timo.teras@iki.fi>
* vici: Add support for ike_sa and child_sa updown notificationsTimo Teräs2015-05-043-0/+137
| | | | | | Useful for monitoring and management purposes. Signed-off-by: Timo Teräs <timo.teras@iki.fi>
* vici: Add function to test if an event should be generatedTimo Teräs2015-05-042-0/+74
| | | | | | | Useful to avoid generating vici messages if they are not needed and their generation is heavy operation. Signed-off-by: Timo Teräs <timo.teras@iki.fi>
* ike-vendor: Add some Microsoft vendor IDsTobias Brunner2015-04-211-0/+10
|
* vici: Relicense libvici.h under MITMartin Willi2015-04-141-9/+20
| | | | | | libvici currently relies on libstrongswan, and therefore is bound to the GPLv2. But to allow alternatively licensed reimplementations without copyleft based on the same interface, we liberate the header.
* utils: Use chunk_equals_const() for all cryptographic purposesMartin Willi2015-04-1410-13/+11
|
* utils: Use memeq_const() for all cryptographic purposesMartin Willi2015-04-146-13/+7
|
* vici: Defer read/write error reporting after connection entry has been releasedMartin Willi2015-04-131-12/+34
| | | | | | | | | | | | | | | | If a vici client registered for (control-)log events, but a vici read/write operation fails, this may result in a deadlock. The attempt to write to the bus results in a vici log message, which in turn tries to acquire the lock for the entry currently held. While a recursive lock could help as well for a single thread, there is still a risk of inter-thread races if there is more than one thread listening for events and/or having read/write errors. We instead log to a local buffer, and write to the bus not before the connection entry has been released. Additionally, we mark the connection entry as unusable to avoid writing to the failed socket again, potentially triggering an error loop.
* aead: Create AEAD using traditional transforms with an explicit IV generatorMartin Willi2015-04-131-4/+11
| | | | | | Real AEADs directly provide a suitable IV generator, but traditional crypters do not. For some (stream) ciphers, we should use sequential IVs, for which we pass an appropriate generator to the AEAD wrapper.
* stroke: Properly parse bliss key strength in public key constraintTobias Brunner2015-03-251-1/+1
|
* eap-tnc: Free eap-tnc object if IKE_SA not found to get IPsTobias Brunner2015-03-251-0/+1
|
* Fixed some typos, courtesy of codespellTobias Brunner2015-03-252-2/+2
|
* child-sa: Add a new state to track rekeyed IKEv1 CHILD_SAsTobias Brunner2015-03-257-5/+15
| | | | | | This is needed to handle DELETEs properly, which was previously done via CHILD_REKEYING, which we don't use anymore since 5c6a62ceb6 as it prevents reauthentication.
* ikev1: Inverse check when applying received KE value during Quick Mode5.3.0rc1Martin Willi2015-03-241-1/+1
| | | | Fixes Quick Mode negotiation when PFS is in use.
* encoding: Remove DH public value verification from KE payloadMartin Willi2015-03-231-73/+0
| | | | | | | | This commit reverts 84738b1a and 2ed5f569. As we have no DH group available in the KE payload for IKEv1, the verification can't work in that stage. Instead, we now verify DH groups in the DH backends, which works for any IKE version or any other purpose.
* diffie-hellman: Add a bool return value to set_other_public_value()Martin Willi2015-03-235-7/+55
|
* diffie-hellman: Add a bool return value to get_my_public_value()Martin Willi2015-03-238-12/+39
|
* encoding: Allow ke_payload_create_from_diffie_hellman() to failMartin Willi2015-03-235-13/+59
|
* diffie-hellman: Use bool instead of status_t as get_shared_secret() return valueMartin Willi2015-03-236-10/+10
| | | | | While such a change is not unproblematic, keeping status_t makes the API inconsistent once we introduce return values for the public value operations.
* load-tester: Migrate NULL DH implementation to INIT/METHOD macrosMartin Willi2015-03-231-21/+26
|
* ikev1: Make sure SPIs in an IKEv1 DELETE payload match the current SATobias Brunner2015-03-231-0/+39
| | | | | | | | | | | | | | | | | | | | OpenBSD's isakmpd uses the latest ISAKMP SA to delete other expired SAs. This caused strongSwan to delete e.g. a rekeyed SA even though isakmpd meant to delete the old one. What isakmpd does might not be standard compliant. As RFC 2408 puts it: Deletion which is concerned with an ISAKMP SA will contain a Protocol-Id of ISAKMP and the SPIs are the initiator and responder cookies from the ISAKMP Header. This could either be interpreted as "copy the SPIs from the ISAKMP header of the current message to the DELETE payload" (which is what strongSwan assumed, and the direction IKEv2 took it, by not sending SPIs for IKE), or as clarification that ISAKMP "cookies" are actually the SPIs meant to be put in the payload (but that any ISAKMP SA may be deleted).
* encoding: Add getter for IKE SPIs in IKEv1 DELETE payloadsTobias Brunner2015-03-232-0/+25
|
* trap-manager: Add option to ignore traffic selectors from acquire eventsTobias Brunner2015-03-231-1/+8
| | | | | | | | The specific traffic selectors from the acquire events, which are derived from the triggering packet, are usually prepended to those from the config. Some implementations might not be able to handle these properly. References #860.
* encoding: Don't verify length of IKEv1 KE payloadsTobias Brunner2015-03-201-0/+6
| | | | | | The verification introduced with 84738b1aed95 ("encoding: Verify the length of KE payload data for known groups") can't be done for IKEv1 as the KE payload does not contain the DH group.
* attr-sql: Rename sql_attribute_t to attr_sql_provider_tMartin Willi2015-03-195-32/+32
| | | | | | As the plugin has its origins in the sql plugin, it still uses the naming scheme for the attribute provider implementation. Rename the class to better match the naming scheme we use in any other plugin
* ikev1: Adopt virtual IPs on new IKE_SA during re-authenticationTobias Brunner2015-03-193-45/+156
| | | | | | | | | | | Some clients like iOS/Mac OS X don't do a mode config exchange on the new SA during re-authentication. If we don't adopt the previous virtual IP Quick Mode rekeying will later fail. If a client does do Mode Config we directly reassign the VIPs we migrated from the old SA, without querying the attributes framework. Fixes #807, #810.
* ikev1: Mark rekeyed CHILD_SAs as INSTALLEDTobias Brunner2015-03-191-0/+2
| | | | | Since we keep them around until they finally expire they otherwise would block IKE_SA rekeying/reauthentication.
* mem-pool: Remove entries without online or offline leasesTobias Brunner2015-03-191-6/+22
| | | | | | This avoids filling up the hash table with unused/old identities. References #841.
* kernel-handler: Log new endpoint if NAT mapping changedTobias Brunner2015-03-191-2/+3
|
* child-sa: Remove policies before states to avoid acquire events for ↵Tobias Brunner2015-03-191-16/+16
| | | | untrapped policies
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-05 08:13:42 +0000