aboutsummaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
* xauth-pam: Make trimming of email addresses optional5.1.1dr4Tobias Brunner2013-10-041-4/+9
| | | | Fixes #430.
* ikev1: Accept reauthentication attempts with a keep unique policy from same hostMartin Willi2013-09-301-6/+17
| | | | | | | When we have a "keep" unique policy in place, we have to be less strict in rejecting Main/Aggressive Modes to enforce it. If the host/port equals to that of an existing ISAKMP SA, we assume it is a reauthentication attempt and accept the new SA (to replace the old).
* ikev1: Don't log a reauthentication detection message if no children adoptedMartin Willi2013-09-301-2/+6
| | | | | When a replace unique policy is in place, the children get adopted during the uniqueness check. In this case the message is just misleading.
* ikev1: Delay a potential delete for a duplicate IKE_SA having a replace policyMartin Willi2013-09-301-8/+29
| | | | | | | | | Sending a DELETE for the replaced SA immediately is problematic during reauthentication, as the peer might have associated the Quick Modes to the old SA, and also delete them. With this change the delete for the old ISAKMP SA is usually omitted, as it is gets implicitly deleted by the reauth.
* eap-radius: Increase buffer for attributes sent in RADIUS accounting messagesTobias Brunner2013-09-271-1/+1
| | | | 64 bytes might be too short for user names/identities.
* openssl: Properly log FIPS mode when enabled via openssl.confTobias Brunner2013-09-271-5/+13
| | | | | | | | | Enabling FIPS mode twice will fail, so if it is enabled in openssl.conf it should be disabled in strongswan.conf (or the other way around). Either way, we should log whether FIPS mode is enabled or not. References #412.
* android: New release after fixing remediation instructions regressionTobias Brunner2013-09-261-2/+2
|
* android: Change progress dialog handlingTobias Brunner2013-09-261-24/+41
| | | | | With the previous code the dialog sometimes was hidden for a short while before it got reopened.
* android: Clear remediation instructions when starting a new connectionTobias Brunner2013-09-261-0/+1
|
* starter: Don't ignore keyingtries with rekey=noTobias Brunner2013-09-261-1/+2
| | | | | | | Since keyingtries also affects the number of retries initially or when reestablishing an SA it should not be affected by the rekey option. Fixes #418.
* load-tester: Fix crash if private key was not loaded successfullyTobias Brunner2013-09-241-1/+1
| | | | Fixes #417.
* printf-hook: Write to output stream instead of the FD directly when using VstrTobias Brunner2013-09-241-12/+12
| | | | | This avoids problems when other stdio functions are used (fputs, fwrite) as writes via Vstr/FD were always unbuffered.
* android: New release after improving recovery after connectivity changesTobias Brunner2013-09-231-2/+2
|
* android: Change state handling to display errors occurring while the app is ↵Tobias Brunner2013-09-233-64/+56
| | | | | | | | | | hidden A new connection ID allows listeners to track which errors they have already shown to the user or were already dismissed by the user. This was necessary because the state fragment is now unregistered from state changes when it is not shown.
* android: Don't update state fragments when they are not displayedTobias Brunner2013-09-232-2/+26
| | | | | | | Besides that updates don't make much sense when the fragments are not displayed this fixes the following exception: java.lang.IllegalStateException: Can not perform this action after onSaveInstanceState
* ikev2: Force an update of the host addresses on the first responseTobias Brunner2013-09-231-11/+9
| | | | | | | | | | | This is especially useful on Android where we are able to send messages even if we don't know the correct local address (this is possible because we don't set source addresses in outbound messages). This way we may learn the correct local address if it e.g. changed right before reestablishing an SA. Updating the local address later is tricky without MOBIKE as the responder might not update the associated IPsec SAs properly.
* ike-sa: Resolve hosts before reestablishing an IKE_SATobias Brunner2013-09-231-0/+2
|
* android: Several plugins were moved from libcharon to libtnccsTobias Brunner2013-09-232-29/+25
| | | | These were moved in commits e8f65c5cde and 12b3db5006.
* android: Properly handle failures while initializing charonTobias Brunner2013-09-232-13/+23
|
* kernel-netlink: Allow to override xfrm_acq_expires valueAnsis Atteka2013-09-231-6/+10
| | | | | | | | | | | | | | | | When using auto=route, current xfrm_acq_expires default value implies that tunnel can be down for up to 165 seconds, if other peer rejected first IKE request with an AUTH_FAILED or NO_PROPOSAL_CHOSEN error message. These error messages are completely normal in setups where another application pushes configuration to both strongSwans without waiting for acknowledgment that they have updated their configurations. This patch allows strongswan to override xfrm_acq_expires default value by setting charon.plugins.kernel-netlink.xfrm_acq_expires in strongswan.conf. Signed-off-by: Ansis Atteka <aatteka@nicira.com>
* Implemented TCG/PB-PDP_Referral messageAndreas Steffen2013-09-175-13/+153
|
* Allow vendor-specific PB-TNC messagesAndreas Steffen2013-09-1723-138/+583
|
* ignore *.1 manpage filesAndreas Steffen2013-09-171-1/+1
|
* sshkey: Add support for parsing keys from filesTobias Brunner2013-09-131-1/+92
|
* sshkey: Add encoding for ECDSA keysTobias Brunner2013-09-131-0/+72
|
* openssl: Add support for generic encoding of EC public keysTobias Brunner2013-09-131-23/+13
|
* pki: --pub also accepts public keys (i.e. to convert them to a different format)Tobias Brunner2013-09-132-3/+18
|
* pki: Add support to encode public keys in SSH key formatTobias Brunner2013-09-133-4/+16
|
* sshkey: Add encoder for RSA keysTobias Brunner2013-09-136-2/+93
|
* openssl: Add generic RSA public key encodingTobias Brunner2013-09-131-3/+17
|
* openssl: Add helper function to convert BIGNUMs to chunksTobias Brunner2013-09-132-0/+27
|
* pki: Don't print an error if no arguments are givenTobias Brunner2013-09-131-1/+1
|
* pki: Install pki(1) as utility directly in $prefix/binTobias Brunner2013-09-1316-88/+94
| | | | ipsec pki is maintained as alias.
* pki: Add example commands to setup a simple CATobias Brunner2013-09-131-0/+75
|
* pki: Add pki --verify man pageTobias Brunner2013-09-134-4/+61
|
* pki: Add pki --pub man pageTobias Brunner2013-09-134-4/+81
|
* pki: Add pki --print man pageTobias Brunner2013-09-133-2/+57
|
* pki: Add pki --keyid man pageTobias Brunner2013-09-133-2/+76
|
* pki: Add pki --pkcs7 man pageTobias Brunner2013-09-134-6/+87
|
* pki: Add pki --req man pageTobias Brunner2013-09-134-5/+97
|
* pki: Add pki --signcrl man pageTobias Brunner2013-09-134-8/+134
|
* pki: Add pki --issue man pageTobias Brunner2013-09-134-8/+189
|
* pki: Add pki --self man pageTobias Brunner2013-09-134-4/+154
| | | | Can be opened with "man pki --self".
* pki: Add pki --gen man pageTobias Brunner2013-09-134-4/+118
| | | | Can be opened with "man pki --gen".
* pki: Add ipsec-pki(8) man pageTobias Brunner2013-09-134-0/+79
| | | | | | | Can be opened either with "man ipsec pki" or "man ipsec-pki". Since man(1) only supports one level of subpages, the forthcoming man pages for each command will have to be opened with "man pki --<command>".
* Build generated man pages via configure scriptTobias Brunner2013-09-132-10/+3
|
* resolve: Remove comment when using resolvconf(8)Tobias Brunner2013-09-131-2/+1
| | | | | | | | | | | Since comments in resolv.conf are only valid at the beginning of a line resolvconf(8) seems to have started treating any text after 'nameserver <ip>' as additional IP addresses for name servers. Since it ignores comments, and we can easily remove the added servers again, there is no point to add any. Fixes #410.
* libipsec: fix memory management when cloning ip_packetMartin Willi2013-09-131-1/+1
|
* libipsec: check for a policy with the reqid of the SA on decapsulationMartin Willi2013-09-133-7/+14
| | | | | To prevent a client from sending a packet with a source address of a different client, we require a policy bound via reqid to the decapsulating SA.
* stroke: don't remove a matching peer config if used by other child configsMartin Willi2013-09-131-4/+3
| | | | | When configurations get merged during add, we should not remove peer configs if other connection entries use the same peer config.
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-03 21:22:00 +0000