aboutsummaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
...
* kernel-netlink,pfroute: Properly update address flag within ROAM_DELAYTobias Brunner2013-08-122-2/+2
| | | | | | | 77d4a02 and 55da01f only updated the address flag when a job was created, which obviously had the same limitation as the old code. Fixes #374.
* kernel-pfroute: Implement roam event handling like in the kernel-netlink pluginTobias Brunner2013-08-121-13/+36
| | | | | There was no proper locking and the issue regarding the address flag also existed.
* kernel-netlink: Ensure address changes are not missed in roam eventsTobias Brunner2013-08-121-4/+15
| | | | | | | | | | | | | | | | If multiple roam events are triggered within ROAM_DELAY, only one job is created. The old code set the address flag to the value of the last triggering call. So if a route change followed an address change within ROAM_DELAY the address change was missed by the upper layers, e.g. causing it not to update the list of addresses via MOBIKE. The new code now keeps the state of the address flag until the job is actually executed, which still has some issues. For instance, if an address disappears and reappears within ROAM_RELAY, the flag would not have to be set to TRUE. So address updates might occasionally get triggered where none would actually be required. Fixes #374.
* backtrace: rename clone() method clashing with system callMartin Willi2013-08-091-2/+2
| | | | Fixes #376.
* updown: remove description of unsupported PLUTO_ variablesMartin Willi2013-08-083-59/+6
| | | | These have been set by pluto, but are not by charons updown plugin.
* tnc-pdp: Initialize struct msghdr properly when reading RADIUS messages5.1.0Tobias Brunner2013-07-311-10/+10
| | | | | Before this e.g. msg_controllen was not initialized properly which could cause invalid reads.
* whitelist: Fix compilation on FreeBSDTobias Brunner2013-07-311-0/+2
|
* host: Properly initialize struct sockaddr_in[6] when parsing stringsTobias Brunner2013-07-311-0/+2
| | | | | Otherwise struct members like sin6_flowinfo or sin6_scope_id might be set to bogus values.
* asn1: Fix handling of invalid ASN.1 length in is_asn1()Tobias Brunner2013-07-311-0/+5
| | | | Fixes CVE-2013-5018.
* Callback job is not needed any moreAndreas Steffen2013-07-311-4/+0
|
* charon-xpc: load missing ctr/ccm/gcm pluginsMartin Willi2013-07-311-2/+3
|
* charon-xpc: use kernel-libipsec instead of kernel-pfkeyMartin Willi2013-07-313-4/+9
|
* charon-xpc: fix TS getting after changing CHILD_SA APIMartin Willi2013-07-311-2/+6
|
* keychain: be less verbose when loading certificatesMartin Willi2013-07-311-2/+5
|
* receiver: Avoid cloning packet data when verifying COOKIE payloadsTobias Brunner2013-07-291-5/+1
| | | | | | | Besides being more efficient this removes a memory leak that occurred when a COOKIE payload was successfully verified. Fixes #369.
* unity: Handle multi-valued UNITY_SPLIT_INCLUDE/UNITY_LOCAL_LAN attributesTobias Brunner2013-07-291-50/+97
| | | | | | | Cisco devices seem to add 6 bytes of padding between each address/mask pair. Fixes #366.
* tnc-pdp now uses watcher_tAndreas Steffen2013-07-291-92/+63
|
* ikev2: Only schedule half-open-timeout delete job after successfully ↵Tobias Brunner2013-07-291-8/+16
| | | | | | | handling IKE_SA_INIT We want to avoid this allocation if the initial message is invalid (e.g. if the message ID is != 0).
* charon-cmd: add --eap-identity and --xauth-username optionsMartin Willi2013-07-294-0/+37
|
* eap-radius: do RADIUS/IKE attribute forwarding in XAuth backendMartin Willi2013-07-292-1/+5
|
* eap-radius: support plain XAuth RADIUS authentication using User-PasswordMartin Willi2013-07-294-0/+253
|
* libradius: support encryption of User-Password attributesMartin Willi2013-07-291-0/+27
|
* utils: add round_up/down() helper functionsMartin Willi2013-07-292-0/+49
|
* libradius: refactor generic RADIUS en-/decryption function to a message methodMartin Willi2013-07-293-44/+85
|
* eap-radius: export function to build common attributes of Access-RequestMartin Willi2013-07-292-24/+39
|
* eap-radius: export function to process common attributes of Access-AcceptMartin Willi2013-07-292-31/+36
|
* mem-pool: add option for reusing online leases, and disable it by defaultMartin Willi2013-07-291-1/+13
| | | | | | | | | | | Mainly for reauthentication with third party implementations, we allowed to reuse an online lease, but only for the same peer identity and when it explicitly requested the same address. This has always been problematic, because it changes the reqid of the CHILD_SA with the same traffic selectors, breaking the old tunnel. As we now reject such policy overwrites, this usually lets the installation of the new policies fail. We therefore disable reassignment of online leases by default.
* mem-pool: replace per-identity online/offline lists by more efficient arraysMartin Willi2013-07-291-48/+52
| | | | This saves two lists per connected peer identity, up to 0.4KB.
* mem-pool: refcount online lease when reassigning it to another tunnelMartin Willi2013-07-261-5/+28
| | | | | | | When we reassign an online lease for the same peer, we have to refcount it. Otherwise we would set it offline if one of the tunnels goes down, but it is actually still in use by a the second tunnel. This can finally lead in assigning the same virtual IP to different peers.
* ikev1: Always send ID payloads (traffic selectors) during Quick ModeTobias Brunner2013-07-251-26/+4
| | | | | | | Especially Windows 7 has problems if the peer does not send ID payloads for host-to-host connections (tunnel and transport mode). Fixes #319.
* watcher: Made notify array initialization compatible with older GCC versionsTobias Brunner2013-07-251-2/+1
|
* unit-tests: Add additional tests for host_tTobias Brunner2013-07-251-3/+551
|
* imv-attestation: Properly measure complete directoriesTobias Brunner2013-07-251-1/+1
|
* array: Number of items in get_size() is unsignedTobias Brunner2013-07-251-1/+1
| | | | | | Otherwise, array->esize is promoted to int and if array->esize * num results in a value > 0x7fffffff the return value would be incorrect due the implicit sign extension when getting cast to size_t.
* stream: Ensure UNIX socket path is null terminatedTobias Brunner2013-07-241-0/+1
|
* kernel-pfkey: Add sanity check when deleting policiesTobias Brunner2013-07-241-0/+5
|
* imv-os: check_packages() fails if product query failsTobias Brunner2013-07-241-0/+1
|
* pkcs5: Add missing break statements when checking crypto primitivesTobias Brunner2013-07-241-0/+2
|
* imv-scanner: Properly check snprintf() return valueTobias Brunner2013-07-241-5/+9
|
* socket-dynamic: Properly initialize IPv6 addressTobias Brunner2013-07-241-1/+1
|
* unit-tests: Add test for host_create_netmask()Tobias Brunner2013-07-244-1/+100
|
* host: Prevent overflow in host_create_netmask() if mask is 0 or 32/128Tobias Brunner2013-07-241-5/+7
|
* imv-attestation: Use proper cast for length when using %.*sTobias Brunner2013-07-241-2/+2
|
* tnc-ifmap: Use proper cast for length when using %.*sTobias Brunner2013-07-241-5/+6
|
* capabilities: Proper error handling when reading groupsTobias Brunner2013-07-241-1/+8
|
* ipsec: Add --piddir to retrieve the PID/socket directoryTobias Brunner2013-07-222-3/+11
|
* starter: Properly refer to the ipsec script if it was renamedTobias Brunner2013-07-223-2/+3
|
* coupling: Fix call to call_hook()Tobias Brunner2013-07-221-1/+1
|
* charon-xpc: Use correct namespace when setting default settingsTobias Brunner2013-07-221-3/+3
|
* tnc-pdp: Fix reading port setting from strongswan.confTobias Brunner2013-07-221-1/+1
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-05 02:40:13 +0000