aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon
Commit message (Collapse)AuthorAgeFilesLines
...
* child-sa: Use flags to track installation of outbound SA and policies separatelyTobias Brunner2017-08-073-29/+46
|
* kernel-netlink: Set SPI on outbound policyTobias Brunner2017-08-071-4/+10
| | | | | This should cause the right SA to get used if there are multiple outbound SAs and the policies are installed properly.
* kernel-interface: Not all kernel interfaces support SPIs on policiesTobias Brunner2017-08-071-0/+2
|
* unit-tests: Stringify direction in message asserts earlyTobias Brunner2017-07-281-6/+6
| | | | x86_64-w64-mingw32-gcc on Windows requires this.
* peer-cfg: Use an rwlock instead of a mutex to safely access child-cfgsTobias Brunner2017-07-271-15/+15
| | | | | | | | | | If multiple threads want to enumerate child-cfgs and potentially lock other locks (e.g. check out IKE_SAs) while doing so a deadlock could be caused (as was the case with VICI configs with start_action=start). It should also improve performance for roadwarrior connections and lots of clients connecting concurrently. Fixes #2374.
* ikev2: AES-CMAC-PRF-128 only uses the first 64 bits of each nonceTobias Brunner2017-07-271-2/+5
| | | | References #2377.
* error-notify: Don't stop sending notifies after removing a disconnected listenerTobias Brunner2017-07-271-2/+1
| | | | | | | This prevented new listeners from receiving notifies if they joined after another listener disconnected previously, and if they themselves disconnected their old connection would prevent them again from getting notifies.
* farp: Only remove one tracked entryTobias Brunner2017-07-271-0/+1
| | | | | | | | | Multiple CHILD_SAs sharing the same traffic selectors (e.g. during make-before-break reauthentication) also have the same reqid assigned. If all matching entries are removed we could end up without entry even though an SA exists that still uses these traffic selectors. Fixes #2373.
* ike: Trigger CHILD_INSTALLED state change after corresponding log messageTobias Brunner2017-07-272-10/+9
| | | | | | | | This way we get the log message in stroke and swanctl as last message when establishing a connection. It's already like this for the IKE_SA where IKE_ESTABLISHED is set after the corresponding log message. Fixes #2364.
* kernel-pfroute: Make sure there is a netmask when enumerating subnetsTobias Brunner2017-07-051-2/+2
|
* sql: Use qualified names in SQL query statementsTobias Brunner2017-07-052-49/+54
| | | | | | | VIRTUAL is a new reserved keyword in MySQL 5.7.6 that caused some of these queries to fail. Fixes #2359.
* stroke: Don't load configs with invalid proposalsTobias Brunner2017-07-051-7/+20
| | | | References #2347.
* ikev1: Determine transform ID before mapping integrity algorithm IDTobias Brunner2017-07-051-1/+1
| | | | | | | | | Due to the lookup based on the mapped algorithm ID the resulting AH proposals were invalid. Fixes #2347. Fixes: 8456d6f5a8e9 ("ikev1: Don't require AH mapping for integrity algorithm when generating proposal")
* eap-aka-3gpp: Add plugin that implements 3GPP MILENAGE algorithm in softwareTobias Brunner2017-07-0511-0/+1382
| | | | | | | | | | This is similar to the eap-aka-3gpp2 plugin. K (optionally concatenated with OPc) may be configured as binary EAP secret in ipsec.secrets or swanctl.conf. Based on a patch by Thomas Strangert. Fixes #2326.
* ikev1: Only delete redundant CHILD_SAs if configuredTobias Brunner2017-06-261-1/+5
| | | | | | | | | If we find a redundant CHILD_SA (the peer probably rekeyed the SA before us) we might not want to delete the old SA because the peer might still use it (same applies to old CHILD_SAs after rekeyings). So only delete them if configured to do so. Fixes #2358.
* ike-cfg: Fix memory leak when matching against rangesTobias Brunner2017-05-291-1/+1
| | | | | | | traffic_selector_t::to_subnet() always sets the net/host (unless the address family was invalid). Fixes: 3070697f9f7c ("ike: support multiple addresses, ranges and subnets in IKE address config")
* ike: Apply retransmission_limit before applying the jitterTobias Brunner2017-05-262-8/+8
|
* eap-sim-file: Remove redundant enumerator allocationTobias Brunner2017-05-261-1/+1
|
* sql: Remove redundant enumerator allocationTobias Brunner2017-05-261-1/+1
| | | | | | Interestingly, this doesn't show up in the regression tests because the compiler removes the first assignment (and thus the allocation) due to -O2 that's included in our default CFLAGS.
* Fixed some typos, courtesy of codespellTobias Brunner2017-05-264-5/+5
|
* linked-list: Change return value of find_first() and signature of its callbackTobias Brunner2017-05-2618-227/+244
| | | | This avoids the unportable five pointer hack.
* linked-list: Change interface of callback for invoke_function()Tobias Brunner2017-05-265-34/+65
| | | | This avoids the unportable five pointer hack.
* Change interface for enumerator_create_filter() callbackTobias Brunner2017-05-2623-393/+551
| | | | | This avoids the unportable 5 pointer hack, but requires enumerating in the callback.
* Migrate all enumerators to venumerate() interface changeTobias Brunner2017-05-2634-169/+333
|
* vici: Make 96-bit truncation for SHA-256 configurableTobias Brunner2017-05-261-0/+11
|
* stroke: Make 96-bit truncation for SHA-256 configurableTobias Brunner2017-05-262-1/+3
|
* child-cfg: Optionally use 96-bit truncation for HMAC-SHA-256Tobias Brunner2017-05-262-0/+11
| | | | | | | | The correct truncation is 128-bit but some implementations insist on using 96-bit truncation. With strongSwan this can be negotiated using an algorithm identifier from a private range. But this doesn't work with third-party implementations. This adds an option to use 96-bit truncation even if the official identifier is used.
* android-log: Link against liblogTobias Brunner2017-05-261-0/+1
|
* unit-tests: Check installed IPsec SAs in child-rekey testsTobias Brunner2017-05-231-3/+94
|
* unit-tests: Add assert to check for installed IPsec SAsTobias Brunner2017-05-232-3/+115
|
* unit-tests: Migrate cached IPsec SAs to new IKE_SAs during rekeyingTobias Brunner2017-05-231-0/+42
|
* unit-tests: Keep track of installed IPsec SAs in mock kernel_ipsec_t ↵Tobias Brunner2017-05-232-4/+136
| | | | implementation
* child-delete: Delay the removal of the inbound SA of rekeyed CHILD_SAsTobias Brunner2017-05-233-128/+412
| | | | | | | | After deleting a rekeyed CHILD_SA we uninstall the outbound SA but don't destroy the CHILD_SA (and the inbound SA) immediately. We delay it a few seconds or until the SA expires to allow delayed packets to get processed. The CHILD_SA remains in state CHILD_DELETING until it finally gets destroyed.
* delete-child-sa-job: Add new constructor that takes the unique ID of a CHILD_SATobias Brunner2017-05-232-13/+69
| | | | | This makes sure we delete the right SA in case the addresses got updated in the mean time.
* child-sa: Remove state to track installation of half the SA againTobias Brunner2017-05-236-62/+47
|
* unit-tests: Overload helper macro to check for outbound SA stateTobias Brunner2017-05-231-2/+30
|
* child-sa: Expose state of the outbound SATobias Brunner2017-05-232-17/+61
|
* child-sa: Add method to remove the outbound SA and policiesTobias Brunner2017-05-232-5/+78
|
* child-sa: Keep track whether the outbound SA has been installed or notTobias Brunner2017-05-231-8/+13
|
* child-delete: Track flags per individual CHILD_SATobias Brunner2017-05-231-47/+78
|
* ikev2: Delay installation of outbound SAs during rekeying on the responderTobias Brunner2017-05-234-30/+124
| | | | | | | | The responder has all the information needed to install both SAs before the initiator does. So if the responder immediately installs the outbound SA it might send packets using the new SA which the initiator is not yet able to process. This can be avoided by delaying the installation of the outbound SA until the replaced SA is deleted.
* child-sa: Add log message for CHILD_SA state changesTobias Brunner2017-05-231-0/+4
|
* child-sa: Add method to associate rekeyed CHILD_SAs with their replacementTobias Brunner2017-05-232-0/+35
|
* child-sa: Add methods that allow partial installation of CHILD_SATobias Brunner2017-05-232-5/+144
| | | | | | | Using install() for the inbound SA and register_outbound() for the outbound SA followed by install_policies(), will delay the installation of the outbound SA as well as the installation of the outbound policies in the kernel until install_outbound() is called later.
* child-sa: Add new state to track installation of only the inbound SATobias Brunner2017-05-232-1/+7
|
* child-sa: Change API used to set/install policiesTobias Brunner2017-05-236-79/+119
| | | | This way we only have to pass the traffic selectors once.
* child-sa: Split in- and outbound policy de-/installationTobias Brunner2017-05-231-62/+127
| | | | Only install outbound fallback policies.
* child-create: Trigger NARROW_RESPONDER_POST hook before installing SAsTobias Brunner2017-05-231-25/+21
| | | | | This makes sure we use the same set of traffic selectors when installing the SAs and installing the policies.
* tnc-ifmap: Null-terminate buffer to make sscanf()-calls safeTobias Brunner2017-05-231-4/+5
|
* Add plugin constructor registration for all libraries that provide pluginsTobias Brunner2017-05-232-0/+16
| | | | | | | | | | | | | | Unfortunately, we can't just add the generated C file to the sources in Makefile.am as the linker would remove that object file when it notices that no symbol in it is ever referenced. So we include it in the file that contains the library initialization, which will definitely be referenced by the executable. This allows building an almost stand-alone static version of e.g. charon when building with `--enable-monolithic --enable-static --disable-shared` (without `--disable-shared` libtool will only build a version that links the libraries dynamically). External libraries (e.g. gmp or openssl) are not linked statically this way, though.
generated by cgit v1.2.3 (git 2.25.1) at 2025-07-29 03:47:02 +0000