aboutsummaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
...
| * | | After merging the used trustchain with config, move used certificate to frontMartin Willi2013-01-181-0/+24
| | | |
| * | | Try to build a trustchain for all configured certificates before enforcing oneMartin Willi2013-01-181-1/+29
| | | | | | | | | | | | | | | | | | | | This enables the daemon to select from multiple configured certificates by building trustchains against the received certificate requests.
| * | | Load multiple comma seperarated certificates in the leftcert optionMartin Willi2013-01-181-15/+32
| | | |
| * | | Make AUTH_RULE_SUBJECT cert multi-valuedMartin Willi2013-01-181-11/+24
| | | | | | | | | | | | | | | | | | | | Constraints having multiple subject certs defined are fulfilled if authentication used one of the listed certificates.
* | | | Merge branch 'systime'Martin Willi2013-03-018-10/+521
|\ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | Add a systime-fix plugin allowing an embedded system to validate certificates if the system time has not been synchronized after boot. Certificates of established tunnels can be re-validated after the system time gets valid.
| * | | | systime-fix disables certificate lifetime validation if system time not syncedMartin Willi2013-02-194-0/+326
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The system time can be periodically checked. If it gets valid, certificates get rechecked with the current lifetime. If certificates are invalid, associated IKE_SAs can be closed or reauthenticated.
| * | | | Add a stub for systime-fix, a plugin handling certificate lifetimes gracefullyMartin Willi2013-02-194-0/+126
| | | | |
| * | | | Add a cert_validator hook allowing plugins to provide custom lifetime checkingMartin Willi2013-02-192-10/+64
| | | | |
| * | | | Make cert_validator_t.validate optional to implementMartin Willi2013-02-192-0/+5
| | |_|/ | |/| |
* | | | Merge branch 'ikev1-rekeying'Martin Willi2013-03-012-0/+25
|\ \ \ \ | | | | | | | | | | | | | | | | | | | | Migrates Quick Modes to the new Main Mode if an IKEv1 reauthentication replaces the old Main Mode having a uniqueids=replace policy.
| * | | | After IKEv1 reauthentication, reinstall VIP routes after migrating CHILD_SAsMartin Willi2013-02-201-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | During IKEv1 reauthentication, the virtual IP gets removed, then reinstalled. The CHILD_SAs get migrated, but any associated route gets removed from the kernel. Reinstall routes after adding the virtual IP again.
| * | | | When detecting a duplicate IKEv1 SA, adopt children, as it might be a rekeyingMartin Willi2013-02-201-0/+21
| | | | |
* | | | | Merge branch 'vip-shunts'Martin Willi2013-03-012-15/+19
|\ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Installs bypass policies for the physical address if a virtual address is assigned, and installs a proper source route to actually use the physical address for bypassed destinations. Conflicts: src/libcharon/plugins/unity/unity_handler.c
| * | | | | Install a route for shunt policiesMartin Willi2013-02-201-5/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If we install a virtual IP, its source route would render the shunt policy useless, as locally generated traffic wouldn't match. Having a route for each shunt policy with higher priority chooses the correct source address for bypassed destinations.
| * | | | | Include local address for Unity Split-Exclude shunt policiesMartin Willi2013-02-201-10/+5
| |/ / / / | | | | | | | | | | | | | | | | | | | | If we use a virtual IP, having a shunt policy for just that wouldn't work, as we want a shunt bypass using the local address.
* | | | | Merge branch 'opaque-ports'Martin Willi2013-03-0118-118/+191
|\ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | Adds a %opaque port option and support for port ranges in left/rightprotoport. Currently not supported by any of our kernel backends.
| * | | | | Don't reject OPAQUE ports while verifying traffic selector substructureMartin Willi2013-02-211-1/+5
| | | | | |
| * | | | | Optionally support port ranges in leftprotoportMartin Willi2013-02-211-4/+20
| | | | | |
| * | | | | Support %opaque keyword in leftprotoport for "opaque" portsMartin Willi2013-02-211-0/+5
| | | | | |
| * | | | | Pass complete port range over stroke interface for more flexibilityMartin Willi2013-02-217-24/+21
| | | | | |
| * | | | | Use a complete port range in traffic_selector_create_from_{subnet,cidr}Martin Willi2013-02-2111-36/+46
| | | | | |
| * | | | | Print OPAQUE traffic selectors as what they are, not as port rangeMartin Willi2013-02-211-0/+4
| | | | | |
| * | | | | Support "opaque" ports in traffic selector subset calculationMartin Willi2013-02-211-6/+32
| | | | | |
| * | | | | Slightly refactor traffic_selector_t.get_subset()Martin Willi2013-02-211-61/+68
| | | | | |
| * | | | | Migrate remaining traffic selector methods to METHOD macroMartin Willi2013-02-211-19/+18
| | |/ / / | |/| | |
* | | | | When running with an unprivileged user, initialize supplementary groupsMartin Willi2013-03-011-1/+37
| | | | |
* | | | | Without MOBIKE, update remote host only if it is behind NATMartin Willi2013-03-011-2/+3
| | | | |
* | | | | Merge branch 'ikev1-mm-retransmits'Martin Willi2013-03-014-45/+55
|\ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fixes retransmit of the last Main Mode or IKE_AUTH message, and correctly queues Main Mode messages when processing of the last message is still in progress.
| * | | | | For IKEv1 Main Mode, use message hash to detect early retransmissionsMartin Willi2013-02-251-10/+23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | As the message ID is zero in all Main Mode messages, it can't be used to detect if we are already processing a given message.
| * | | | | Move initial message dropping to task managerMartin Willi2013-02-253-19/+27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When the last request message of the initial tunnel setup is retransmitted, we must retransmit the response instead of ignoring the request. Fixes #295.
| * | | | | Use INIT macro to initialize IKE_SA manager entriesMartin Willi2013-02-251-17/+6
| | | | | |
* | | | | | Merge branch 'tfc-notify'Martin Willi2013-03-016-2/+68
|\ \ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | Introduces kernel backend features, sends ESP_TFC_PADDING_NOT_SUPPORTED if kernel does not support it.
| * | | | | | Send ESP_TFC_PADDING_NOT_SUPPORTED if the used kernel doesn't support itMartin Willi2013-03-011-0/+9
| | | | | | |
| * | | | | | Indicate support for processing ESPv3 TFC padding in Netlink IPsec backendMartin Willi2013-03-011-1/+7
| | | | | | |
| * | | | | | Introduce "features" for the kernel backends returning kernel capabilitiesMartin Willi2013-03-014-1/+52
| | |/ / / / | |/| | | |
* | | | | | openssl: Provide AES-GCM implementationTobias Brunner2013-02-284-1/+312
| | | | | |
* | | | | | Fix cleanup in crypto_tester if AEAD implementation failsTobias Brunner2013-02-281-1/+4
| | | | | |
* | | | | | Order of arguments in Doxygen comment fixedTobias Brunner2013-02-282-2/+2
| | | | | |
* | | | | | Fix auth_cfg_t.clone() for single-valued auth rulesTobias Brunner2013-02-281-10/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | By using the default list enumerator and adding the rules with the public add() method, clones of auth_cfg_t objects would return the values for single-valued auth rules in the wrong order (i.e. the oldest instead of the newest value was returned). Using the internal enumerator (which the comment already suggested) fixes this, but the clone will not be a full clone as it does not contain any old values for single-valued auth rules. Since these will never be used anyway, this should be fine.
* | | | | | Trigger an updown event when destroying an IKE_SA based on INITIAL_CONTACTTobias Brunner2013-02-281-0/+1
| |_|_|_|/ |/| | | | | | | | | | | | | | | | | | | In other cases (i.e. when functions return DESTROY_ME) the event should already be triggered, but not in this forced situation.
* | | | | Use SIGUSR2 for SIG_CANCEL on AndroidTobias Brunner2013-02-261-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | SIGRTMIN is defined as 32 while sigset_t is defined as unsigned long (i.e. holds 32 signals). Hence, the signal could never be blocked. Sending the signal still canceled threads, but sometimes in situations where they shouldn't have been canceled (e.g. while holding a lock). Fixes #298.
* | | | | Android.mk updated to latest MakefilesTobias Brunner2013-02-263-1/+3
| |/ / / |/| | | | | | | | | | | Fixes #300.
* | | | openssl: Disable PKCS#7/CMS when building against OpenSSL < 0.9.8gTobias Brunner2013-02-202-1/+5
| |/ / |/| | | | | | | | Fixes #292.
* | | treat IF-M and IF-TNCCS remediation instructions/parameters in an equal wayAndreas Steffen2013-02-194-107/+204
| | |
* | | Streamlined log messages in ipseckey pluginAndreas Steffen2013-02-192-58/+30
| | |
* | | Encode RSA public keys in RFC 3110 DNSKEY formatAndreas Steffen2013-02-198-3/+155
| | |
* | | Moved configuration from resolver manager to unbound pluginAndreas Steffen2013-02-196-52/+41
| | | | | | | | | | | | Also streamlined log messages in unbound plugin.
* | | ipseckey: Report IPSECKEYs with invalid DNSSEC security stateReto Guadagnini2013-02-191-2/+12
| | |
* | | ipseckey: Added "enable" option for the IPSECKEY plugin to strongswan.confReto Guadagnini2013-02-191-3/+16
| | |
* | | Added ipseckey plugin, which provides support for public keys in IPSECKEY RRsReto Guadagnini2013-02-198-0/+859
| | |
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-16 14:02:08 +0000