aboutsummaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
...
* libipsec: Don't print ciphertext with ICV in log messageTobias Brunner2013-10-171-1/+2
|
* libipsec: Properly calculate padding length especially for AES-GCMTobias Brunner2013-10-171-1/+3
|
* utils: Add utility function to calculate padding lengthTobias Brunner2013-10-172-13/+24
|
* stroke: Reuse reqids of established CHILD_SAs when routing connectionsTobias Brunner2013-10-171-1/+45
|
* trap-manager: Make sure a config is not trapped twiceTobias Brunner2013-10-171-4/+16
|
* Doxygen fixesTobias Brunner2013-10-157-11/+8
|
* Set recommendation in the case of PCR measurement failuresAndreas Steffen2013-10-133-6/+27
|
* Add linux/fip_rules.h to include filesAndreas Steffen2013-10-132-3/+75
|
* Revert refactoring which broke CentOS buildAndreas Steffen2013-10-131-1/+1
|
* checksum: The pool utility was moved to its own directoryTobias Brunner2013-10-111-1/+1
|
* ccm: Add missing comma in get_iv_gen method signatureTobias Brunner2013-10-111-1/+1
|
* iv-gen: Add missing header files to Makefile.amTobias Brunner2013-10-111-0/+1
|
* iv_gen: Mask sequential IVs with a random saltTobias Brunner2013-10-111-0/+24
| | | | | This makes it harder to attack a HA setup, even if the sequence numbers were not fully in sync.
* iv_gen: Provide external sequence number (IKE, ESP)Tobias Brunner2013-10-117-23/+18
| | | | This prevents duplicate sequential IVs in case of a HA failover.
* ipsec: Use IV generator to encrypt ESP messagesTobias Brunner2013-10-112-9/+7
|
* ikev2: Use IV generator to encrypt encrypted payloadTobias Brunner2013-10-111-1/+9
|
* iv_gen: aead_t implementations provide an IV generatorTobias Brunner2013-10-116-1/+84
|
* iv_gen: Add IV generator that allocates IVs sequentiallyTobias Brunner2013-10-114-2/+121
|
* iv_gen: Add IV generator that allocates IVs randomlyTobias Brunner2013-10-114-0/+113
| | | | Uses RNG_WEAK as the code currently does elsewhere to allocate IVs.
* crypto: Add generic interface for IV generatorsTobias Brunner2013-10-112-1/+60
|
* apidoc: Move mac_prf to prf Doxygen groupTobias Brunner2013-10-111-1/+1
|
* eap-radius: Forward RAT_FRAMED_IP_NETMASK as INTERNAL_IP4_NETMASKTobias Brunner2013-10-111-0/+5
|
* eap-radius: Forward UNITY_SPLIT_INCLUDE or UNITY_LOCAL_LAN attributesTobias Brunner2013-10-111-0/+93
| | | | | | | | | | | | | | | Depending on the value of the CVPN3000-IPSec-Split-Tunneling-Policy(55) radius attribute, the subnets in the CVPN3000-IPSec-Split-Tunnel-List(27) attribute are sent in either a UNITY_SPLIT_INCLUDE (if the value is 1) or a UNITY_LOCAL_LAN (if the value is 2). So if the following attributes would be configured for a RADIUS user CVPN3000-IPSec-Split-Tunnel-List := "10.0.1.0/255.255.255.0,10.0.2.0/255.255.255.0" CVPN3000-IPSec-Split-Tunneling-Policy := 1 A UNITY_SPLIT_INCLUDE configuration payload containing these two subnets would be sent to the client during the ModeCfg exchange.
* eap-radius: Forward UNITY_DEF_DOMAIN and UNITY_SPLITDNS_NAME attributesTobias Brunner2013-10-111-3/+25
| | | | | | The contents of the CVPN3000-IPSec-Default-Domain(28) and CVPN3000-IPSec-Split-DNS-Names(29) radius attributes are forwarded in the corresponding Unity configuration attributes.
* dnscert: Add DNS CERT support for pubkey authenticationRuslan N. Marchenko2013-10-118-0/+828
| | | | | | | | | | | Add DNSSEC protected CERT RR delivered certificate authentication. The new dnscert plugin is based on the ipseckey plugin and relies on the existing PEM decoder as well as x509 and PGP parsers. As such the plugin expects PEM encoded PKIX(x509) or PGP(GPG) certificate payloads. The plugin is targeted to improve interoperability with Racoon, which supports this type of authentication, ignoring in-stream certificates and using only DNS provided certificates for FQDN IDs.
* ipseckey: Properly handle failure to create a certificateTobias Brunner2013-10-111-33/+28
| | | | Also, try the next key (if available) if parsing an IPSECKEY failed.
* ipseckey: Refactor creation of certificate enumeratorTobias Brunner2013-10-111-86/+81
| | | | Reduces nesting and fixes a memory leak (rrsig_enum).
* ipseckey: Depend on plugin features to create public key and certificate objectsTobias Brunner2013-10-111-0/+2
|
* unbound: Add support for DLV (DNSSEC Lookaside Validation)Tobias Brunner2013-10-111-12/+23
| | | | Fixes #392.
* kernel-libipsec: Don't ignore policies of type != POLICY_IPSECTobias Brunner2013-10-111-5/+0
| | | | | | This actually broke rekeying due to the DROP policies that are temporarily added, which broke the refcount as the ignored policies were not ignored in del_policy() (the type is not known there).
* kernel-libipsec: Add an option to allow remote TS to match the IKE peerTobias Brunner2013-10-111-2/+9
| | | | | | | | Setting the fwmark options for the kernel-netlink and socket-default plugins allow this kind of setup. It is probably required to set net.ipv4.conf.all.rp_filter to 2 to make it work.
* socket-default: Allow setting firewall mark on outbound packetsTobias Brunner2013-10-111-0/+18
|
* kernel-netlink: Allow setting firewall marks on routing ruleTobias Brunner2013-10-111-0/+20
|
* ipsec_types: Add utility function to parse mark_t from stringsTobias Brunner2013-10-114-46/+98
|
* attr-sql: Use a serializable transaction when inserting identitiesTobias Brunner2013-10-111-12/+5
|
* database: Add support for serializable transactionsTobias Brunner2013-10-114-9/+27
|
* sql: Don't use MyISAM engine and set collation/charset for all tablesTobias Brunner2013-10-111-26/+25
| | | | The MyISAM engine doesn't support transactions.
* pool: Change transaction handlingTobias Brunner2013-10-111-46/+8
|
* pool: Move the pool utility to its own directory in srcTobias Brunner2013-10-119-21/+27
|
* attr-sql: Handle concurrent insertion of identitiesTobias Brunner2013-10-111-2/+12
| | | | | | | | | If the same identity is added concurrently by two threads (or by the pool utility) INSERT might fail even though the SELECT was unsuccessful before. We are currently not able to lock the identities table in a portable way (something like SELECT ... FOR UPDATE on MySQL).
* attr-sql: Don't use database transactions in create_attribute_enumeratorTobias Brunner2013-10-111-5/+0
| | | | | | | | | There could, of course, be race conditions when enumerating the attributes, but those probably don't matter (e.g. missing an attribute that was concurrently added). Transactions are more intended to revert multiple changes if anything fails in the process.
* sqlite: Implement transaction handlingTobias Brunner2013-10-111-6/+83
|
* mysql: Implement transaction handlingTobias Brunner2013-10-111-7/+119
|
* database: Add interface to handle transactionsTobias Brunner2013-10-113-1/+76
|
* mysql: Ensure connections are properly released in multi-threaded environmentsTobias Brunner2013-10-111-14/+23
|
* crypto-factory: Try next available RNG implementation if constructor failsTobias Brunner2013-10-111-13/+6
|
* crypto-factory: Order entries by algorithm identifier and (optionally) speedTobias Brunner2013-10-111-22/+18
|
* Remove HASH_PREFERRED, usages are replaced with HASH_SHA1, which is required ↵Tobias Brunner2013-10-119-26/+18
| | | | for IKEv2 anyway
* vstr: Forward actual field widthTobias Brunner2013-10-111-1/+1
| | | | | fmt_field_width is a flag that indicates if a field width is defined in obj_field_width.
* unit-tests: support testing when leak-detective has not been enabledMartin Willi2013-10-111-5/+14
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-04 07:15:20 +0000