aboutsummaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
...
* kernel-handler: Log new endpoint if NAT mapping changedTobias Brunner2015-03-191-2/+3
|
* child-sa: Remove policies before states to avoid acquire events for ↵Tobias Brunner2015-03-191-16/+16
| | | | untrapped policies
* vici: Add support for python 3Björn Schuberg2015-03-185-8/+29
|
* vici: Execute python tests during "check" if py.test is availableMartin Willi2015-03-181-0/+4
|
* vici: Add test of Packet layer in python libraryBjörn Schuberg2015-03-181-1/+47
|
* vici: Add test of Message (de)serialization in python libraryBjörn Schuberg2015-03-183-0/+100
|
* vici: Evaluate Python streamed command results, and raise CommandExceptionMartin Willi2015-03-181-1/+10
|
* vici: Catch Python GeneratorExit to properly cancel streamed event iterationMartin Willi2015-03-182-1/+12
|
* vici: Fall back to heap buffer when vararg printing on stack failsMartin Willi2015-03-181-21/+44
| | | | This avoids failures when building log event messages including larger hexdumps.
* vici: Return a Python generator instead of a list for streamed responsesMartin Willi2015-03-182-47/+25
| | | | | | | In addition that it may reduce memory usage and improve performance for large responses, it returns immediate results. This is important for longer lasting commands, such as initiate/terminate, where immediate log feedback is preferable when interactively calling such commands.
* vici: Raise a Python CommandException instead of returning a CommandResultMartin Willi2015-03-182-82/+42
|
* vici: Add initial Python egg documentation to READMEMartin Willi2015-03-181-0/+65
|
* vici: Use OrderedDict to handle vici responses in Python libraryMartin Willi2015-03-181-2/+3
| | | | | The default Python dictionaries are unordered, but order is important for some vici trees (for example the order of authentication rounds).
* vici: Return authentication rounds with unique namesMartin Willi2015-03-182-3/+7
| | | | | | To simplify handling of authentication rounds in dictionaries/hashtables on the client side, we assign unique names to each authentication round when listing connection.
* vici: Rebuild ruby gem on source file changesMartin Willi2015-03-181-1/+1
|
* vici: Use default Unix vici socket if none passed to ruby constructorMartin Willi2015-03-182-4/+7
| | | | | While we currently have a static path instead of one generated with Autotools, this at least is congruent to what we have in the Python library.
* vici: Support non-Unix sockets for vici connections using PythonMartin Willi2015-03-182-7/+9
|
* vici: Add python egg setuptools building and installation using easy_installMartin Willi2015-03-181-0/+15
| | | | | | An uninstall target is currently not supported, as there is no trivial way with either plain setuptools or with easy_install. pip would probably be the best choice, but we currently don't depend on it.
* vici: Generate a version specific setup.py for setuptools installationMartin Willi2015-03-183-0/+41
|
* vici: Include python package in distributionMartin Willi2015-03-182-0/+9
|
* vici: Add python package MIT licenseBjörn Schuberg2015-03-182-0/+20
|
* vici: Expose Session as a top-level symbol in python packageBjörn Schuberg2015-03-181-0/+1
|
* vici: Introduce main API Session class in python packageBjörn Schuberg2015-03-181-1/+244
|
* vici: Add a python vici command execution handlerBjörn Schuberg2015-03-182-1/+134
|
* vici: Add vici python protocol handlerBjörn Schuberg2015-03-184-0/+199
|
* swanctl: Cache entered PKCS#12 decryption secretMartin Willi2015-03-181-6/+23
| | | | | It is usually used more than once, but most likely the same for decryption and MAC verification.
* swanctl: Support loading PKCS#12 containers from a pkcs12 swanctl directoryMartin Willi2015-03-184-0/+128
|
* swanctl: Generalize private key decryption to support other credential typesMartin Willi2015-03-181-55/+97
|
* encoding: Verify the length of KE payload data for known groupsMartin Willi2015-03-181-0/+67
| | | | | | | IKE is very strict in the length of KE payloads, and it should be safe to strictly verify their length. Not doing so is no direct threat, but allows DDoS amplification by sending short KE payloads for large groups using the target as the source address.
* ikev2: Migrate MOBIKE additional peer addresses to new SA after IKE_SA rekeyingMartin Willi2015-03-181-0/+6
|
* ikev2: Immediately initiate queued tasks after establishing rekeyed IKE_SAMartin Willi2015-03-185-0/+176
| | | | | | If additional tasks get queued before/while rekeying an IKE_SA, these get migrated to the new IKE_SA. We previously did not trigger initiation of these tasks, though, leaving the task unexecuted until a new task gets queued.
* Replace kid by aik_id in ITA TBOOT functional componentAndreas Steffen2015-03-161-7/+2
|
* Fixed two BLISS key type identifier stringsAndreas Steffen2015-03-161-2/+2
|
* charon-systemd: Add missing semicolonMartin Willi2015-03-161-1/+1
| | | | References #887, fixes f3c83322.
* osx: Include eap-gtc plugin in build instructionsMartin Willi2015-03-161-1/+1
|
* Create TPM TBOOT Measurement groupAndreas Steffen2015-03-151-0/+18
|
* vici: Use %u to print stats returned by mallinfo(3)Tobias Brunner2015-03-131-4/+4
| | | | Fixes #886.
* stroke: Use %u to print stats returned by mallinfo(3)Tobias Brunner2015-03-131-1/+1
| | | | References #886.
* charon-systemd: Add support to configure user and group via strongswan.confTobias Brunner2015-03-131-6/+19
| | | | Fixes #887.
* eap-radius: Increase Acct-Session-ID string bufferMartin Willi2015-03-131-1/+1
| | | | | | | | As the startup timestamp needs 10 characters, we only have left 4 characters for the IKE_SA unique identifier. This is insufficient when having 10000 IKE_SAs or more established, resulting in non-unique session identifiers. Fixes #889.
* ikev2: Don't set old IKE_SA to REKEYING state during make-before-break reauthMartin Willi2015-03-111-1/+0
| | | | | | | | | We are actually not in rekeying state, but just trigger a separate, new IKE_SA as a replacement for the current IKE_SA. Switching to the REKEYING state disables the invocation of both IKE and CHILD_SA updown hooks as initiator, preventing the removal of any firewall rules. Fixes #885.
* ha: Destroy synced IKE_SA if no configuration is found during updateMartin Willi2015-03-101-0/+3
|
* ikev1: Don't handle DPD timeout job if IKE_SA got passiveMartin Willi2015-03-101-0/+6
| | | | | | While a passively installed IKE_SA does not queue a DPD timeout job, one that switches from active to passive might execute it. Ignore such a queued job if the IKE_SA is in passive state.
* libipsec: Pass separate inbound/update flags to the IPsec SA managerMartin Willi2015-03-094-6/+10
| | | | | Similar to other kernel interfaces, the libipsec backends uses the flag for different purposes, and therefore should get separate flags.
* kernel-interface: Add a separate "update" flag to add_sa()Martin Willi2015-03-0910-17/+19
| | | | | | | | | | | The current "inbound" flag is used for two purposes: To define the actual direction of the SA, but also to determine the operation used for SA installation. If an SPI has been allocated, an update operation is required instead of an add. While the inbound flag normally defines the kind of operation required, this is not necessarily true in all cases. On the HA passive node, we install inbound SAs without prior SPI allocation.
* tkm: Use the inbound flag do determine peer role in CHILD_SA exchangeMartin Willi2015-03-091-5/+1
| | | | | This was not available during initial implementation, but fits just fine to avoid reconstructing the peer role.
* Revert "child-sa: Remove the obsolete update logic"Martin Willi2015-03-091-1/+6
| | | | | | | | | While the the meaning of the "inbound" flag on the kernel_interface->add_sa() call is not very clear, we still need that update logic to allow installation of inbound SAs without SPI allocation. This is used in the HA plugin as a passive node. This reverts commit 698ed656.
* Revert "ha: Always install the CHILD_SAs with the inbound flag set to FALSE"Martin Willi2015-03-091-2/+2
| | | | | | | | While this change results in the correct add/update flag during installation, it exchanges all other values in the child_sa->install() call. We should pass the correct flag, but determine the add/update flag by other means. This reverts commit e722ee5d.
* tkm: Disable RFC 7427 signature authenticationTobias Brunner2015-03-091-0/+4
| | | | | | TKM can't verify such signatures so we'd fail in the authorize hook. Skipping the algorithm identifier doesn't help if the peer uses anything other than SHA-1, so config changes would be required.
* ikev2: Move code in pubkey authenticator's build() method into separate ↵Tobias Brunner2015-03-091-85/+123
| | | | functions
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-03 18:35:05 +0000