aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon
Commit message (Collapse)AuthorAgeFilesLines
...
* kernel-netlink: Use correct 4 byte alignment for AH with IPv4Tobias Brunner2017-01-251-0/+5
| | | | | | | | By default, the kernel incorrectly uses an 8 byte alignment, which is mandatory for IPv6 but prohibited for IPv4. For many algorithms this doesn't matter but that's not the case for HMAC_SHA2_256_128. Since 2.6.39 the kernel can be explicitly configured to use a 4 byte alignment.
* kernel-netlink: Allow change of Netlink socket receive buffer sizeThomas Egerer2017-01-251-0/+44
| | | | Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* kernel-pfkey: Set state to SADB_SASTATE_MATURE when adding/updating SAsTobias Brunner2017-01-251-0/+2
| | | | | | | Picky kernels might otherwise reject our messages as RFC 2367 explicitly mandates this. Fixes #2212.
* kernel-pfroute: Don't set a gateway if it is of a different address family ↵Tobias Brunner2017-01-251-1/+2
| | | | than the destination
* stroke: Default to %dynamic if no valid TS are specified in left|rightsubnetTobias Brunner2017-01-251-57/+44
| | | | | | | Otherwise, we'd end up with an empty TS list, which is not valid. Because end->tohost is set to !end->subnets in starter the removed branch was never used.
* vici: Reload loggers after reloading strongswan.conf via reload-setting commandTobias Brunner2017-01-251-0/+1
|
* daemon: Use separate method to set default loggersTobias Brunner2017-01-254-17/+65
| | | | | This way it is not necessary to pass the same values to reload the loggers.
* ha: Fix assignment of IP addresses if multiple pools are definedTobias Brunner2017-01-251-2/+6
| | | | Fixes #2146.
* ha: Delete passive IKE_SA on other node after half-open timeoutTobias Brunner2017-01-251-0/+15
| | | | Fixes #1192.
* kernel-netlink: Return const pointer from lookup_algorithm()Thomas Egerer2017-01-231-3/+4
| | | | Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* stroke: Load general PKCS#8 private keysAndreas Steffen2016-12-172-3/+9
|
* Merge branch 'Ed25519'Andreas Steffen2016-12-161-0/+32
|\
| * Implemented EdDSA for IKEv2 using a pro forma Identity hash functionAndreas Steffen2016-12-141-0/+32
| |
* | vici: Check for closed connection in Python bindingsWeilu Jia2016-12-141-1/+4
|/ | | | | | | The Python VICI library does not check if the socket is closed. If the daemon closes the connection, _recvall() spins forever. Closes strongswan/strongswan#56.
* kernel-netlink: Add support for AES-CMAC-96 (RFC 4494)Tobias Brunner2016-12-121-0/+1
| | | | The kernel apparently supports this since 3.10.
* ikev1: Minor code optimization in task managerThomas Egerer2016-12-071-11/+5
| | | | Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* child-sa: Use single return statement in update_usebytes()Thomas Egerer2016-11-181-4/+8
| | | | Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* proposal: Remove RFC 5114 MODP DH groups from default proposalMartin Willi2016-11-151-2/+4
| | | | | | | | | | | | | | Recent research demonstrates that at least for 1024-bit DH groups, it is possible to create specially crafted primes having a backdoor. From the prime itself this is not detectable, creating a perfect NOBUS attack. http://eprint.iacr.org/2016/961 For the primes defined in RFC 5114 no information is provided on how these have been selected. In the default proposal we included one of the 2048-bit primes only, where it is questionable if constructing a backdoored prime is feasible. Nevertheless, this patch removes the group from the set of default proposals as well.
* proposal: Add curve25519 and curve448 to default proposalTobias Brunner2016-11-141-0/+2
|
* bus: Re-add ampersand that got lost in refactoringTobias Brunner2016-11-141-1/+1
| | | | | Fixes: 4af02c6c61cf ("bus: Fix maximum log level for different groups after removal of a logger")
* peer-cfg: Fix memory leak when replacing child configsTobias Brunner2016-11-111-0/+1
| | | | | Fixes: 622c2b2c3386 ("peer-cfg: Add method to atomically replace child configs")
* bus: Fix maximum log level for different groups after removal of a loggerTobias Brunner2016-11-111-5/+5
| | | | | | | The log level was incorrectly set to the same value for all groups. Fixes: dac15e03c828 ("bus: Fix maximum log levels when mixing log/vlog implementing loggers")
* farp: Fix BPF jump false offsetVolker Rümelin2016-10-311-1/+1
| | | | Jump to BPF_STMT(BPF_RET+BPF_K, 0) if protocol_size != 4
* connmark: Add CAP_NET_RAW to capabilities keep listTim Kent2016-10-251-0/+6
| | | | | | | | | Fix for "Permission denied (you must be root)" error when calling iptc_init(), which opens a RAW socket to communicate with the kernel, when built with "--with-capabilities=libcap". Closes strongswan/strongswan#53. Fixes #2157.
* Fixed some typos, courtesy of codespellTobias Brunner2016-10-141-1/+1
|
* kernel-netlink: Fix get_route() interface determinationChristophe Gouault2016-10-121-2/+2
| | | | | | | | | | | | A wrong variable is used (route instead of best), so much that the returned interface belongs to the last seen route instead of the best choice route. get_route() may therefore return mismatching interface and gateway. Fixes: 66e9165bc686 ("kernel-netlink: Return outbound interface in get_nexthop()") Signed-off-by: Christophe Gouault <christophe.gouault@6wind.com>
* Save both base and delta CRLs to diskAndreas Steffen2016-10-112-2/+9
|
* vici: strongswan.conf cache_crls = yes saves fetched CRLs to diskAndreas Steffen2016-10-116-4/+83
|
* task-manager: Only trigger retransmit cleared alert if there was at least ↵Tobias Brunner2016-10-052-2/+2
| | | | | | | | one retransmit The counter is already increased when sending the original message. Fixes: bd71ba0ffb03 ("task-manager: Add retransmit cleared alert")
* unit-tests: Enable optional logging in libcharon unit testsTobias Brunner2016-10-051-0/+17
|
* unit-tests: Add more tests for proposal creationTobias Brunner2016-10-051-8/+62
|
* proposal: Correctly add AES-GMAC for AH proposalsTobias Brunner2016-10-051-0/+41
| | | | | | We parse aes*gmac as encryption algorithm, which we have to map to an integrity algorithm. We also make sure we remove all other encryption algorithms and ensure there is an integrity algorithm.
* proposal: Enforce separate proposals for AEAD and classic encryption algorithmsTobias Brunner2016-10-051-16/+22
|
* proposal: Make sure there is a PRF defined in IKE proposalsTobias Brunner2016-10-051-14/+34
| | | | But filter PRFs from ESP proposals.
* proposal: Make DH groups mandatory in IKE proposals parsed from stringsTobias Brunner2016-10-052-21/+40
| | | | References #2051.
* ikev2: Respond with NO_PROPOSAL_CHOSEN if proposal without DH group was selectedTobias Brunner2016-10-051-0/+1
| | | | Fixes #2051.
* kernel-netlink: Consider RTA_SRC when looking for a source addressTobias Brunner2016-10-051-52/+134
|
* ikev2: Only add NAT-D notifies to DPDs as initiatorTobias Brunner2016-10-041-8/+15
| | | | | | | | | | If a responder is natted it will usually be a static NAT (unless it's a mediated connection) in which case adding these notifies makes not much sense (if the initiator's NAT mapping had changed the responder wouldn't be able to reach it anyway). It's also problematic as some clients refuse to respond to DPDs if they contain such notifies. Fixes #2126.
* ikev1: Activate task to delete the IKE_SA in state IKE_REKEYINGTobias Brunner2016-10-041-0/+8
| | | | It does not have any CHILD_SAs attached at that point.
* ikev1: Delete Quick Mode SAs before the ISAKMP SATobias Brunner2016-10-041-2/+2
| | | | | After the ISAKMP_DELETE task has been executed the IKE_SA is destroyed so we wouldn't be able to send deletes for the Quick Mode SAs.
* ikev1: Send DELETE for rekeyed IKE_SAsTobias Brunner2016-10-041-9/+5
| | | | | | If we silently delete the IKE_SA the other peer might still use it even if only to send DPDs. If we don't answer to DPDs that might result in the deletion of the new IKE_SA too.
* vici: Enable IKE fragmentation by defaultTobias Brunner2016-10-041-1/+1
|
* ike: Set default IKE fragment size to 1280Tobias Brunner2016-10-041-1/+1
| | | | | | This is the minimum size an IPv6 implementation must support. This makes it the default for IPv4 too, which presumably is also generally routable (otherwise, setting this to 0 falls back to the minimum of 576 for IPv4).
* ikev2: Send derived CHILD_SA keys to the busTobias Brunner2016-10-041-26/+43
|
* ikev2: Send derived IKE_SA keys to busTobias Brunner2016-10-041-26/+30
|
* ikev1: Send derived CHILD_SA keys to the busTobias Brunner2016-10-041-14/+26
|
* ikev1: Send derived IKE_SA keys to busTobias Brunner2016-10-041-14/+11
|
* bus: Add new hooks for derived IKE_SA and CHILD_SA keysTobias Brunner2016-10-043-11/+131
|
* bus: Fix maximum log levels when mixing log/vlog implementing loggersTobias Brunner2016-09-301-12/+20
| | | | | | | | | | | The maximum would not get set correctly when a logger is removed and the first remaining logger in the list (the one with the highest log level) does e.g. only implement vlog() while there are other loggers that implement log(). This would result in only max_vlevel getting set correctly while max_level would incorrectly get set to -1 so that log() would not get called for any of the loggers anymore. References #574.
* kernel-netlink: Pass zero mark to kernel if mask is setTobias Brunner2016-09-301-2/+2
| | | | | | The kernel will apply the mask to the mark on the packet and then compare it to the configured mark. So to match only unmarked packets we have to be able to set 0/0xffffffff.
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-03 03:25:50 +0000