aboutsummaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
...
* kernel-netlink: Implement configurable Netlink request retransmissionMartin Willi2014-11-211-15/+86
|
* kernel-netlink: Add a stress test with several threads doing Netlink exchangesMartin Willi2014-11-211-0/+62
|
* kernel-netlink: Retry netlink query while kernel returns EBUSYMartin Willi2014-11-211-3/+37
| | | | | | If the kernel can't execute a Netlink query because a different query is already active, it returns EBUSY. As this can happen now as we support parallel queries, retry on this error condition.
* kernel-netlink: Support parallel Netlink queriesMartin Willi2014-11-211-74/+192
| | | | | | | | | | | | | | | | | | Instead of locking the socket exclusively to wait for replies, use watcher to wait for and read in responses asynchronously. This allows multiple parallel Netlink queries, which can significantly improve performance if the kernel Netlink layer has longer latencies and supports parallel queries. For vanilla Linux, parallel queries don't make much sense, as it usually returns EBUSY for the relevant dump requests. This requires a retry, and in the end makes queries more expensive under high load. Instead of checking the Netlink message sequence number to detect multi-part messages, this code now relies on the NLM_F_MULTI flag to detect them. This has previously been avoided (by 1d51abb7). It is unclear if the flag did not work correctly on very old Linux kernels, or if the flag was not used appropriately by strongSwan. The flag seems to work just fine back to 2.6.18, which is a kernel still in use by RedHat/CentOS 5.
* kernel-netlink: Add a simple send message test querying available linksMartin Willi2014-11-213-0/+70
|
* kernel-netlink: Add a stub for a test-runnerMartin Willi2014-11-214-0/+85
|
* mem-pool: Fix potential memory leak and lost leases when reassigning leasesTobias Brunner2014-11-111-2/+6
| | | | | | | | | | | | | | | | If no offline leases are available for the current client and assigning online leases is disabled, and if all IPs of the pool have already been assigned to clients we look for offline leases that previously were assigned to other clients. In case the current client has online leases the previous code would replace the existing mapping entry and besides resulting in a memory leak the online leases would be lost forever (even if the client later releases the addresses). If this happens repeatedly the number of available addresses would decrease even though the total number of online and offline leases seen in `ipsec leases` would indicate that there are free addresses available. Fixes #764.
* android: New release based on 5.2.1 and after adding EAP-TLSTobias Brunner2014-11-061-3/+3
| | | | | Also enables support for IKEv2 fragmentation, provides improved MOBIKE handling and optionally enables PFS for CHILD_SAs.
* android: Build binaries for MIPSTobias Brunner2014-11-061-1/+1
|
* android: Increase fragment sizeTobias Brunner2014-11-061-0/+3
| | | | We use the same value we use as MTU on TUN devices.
* android: Enable IKEv2 fragmentationTobias Brunner2014-11-061-1/+1
|
* android: Use %any as AAA identity, but disable EAP-only authenticationTobias Brunner2014-11-061-5/+3
| | | | | | | Without verification of the identity we can't prevent a malicious user with a valid certificate from impersonating the AAA server and thus the VPN gateway. So unless we make the AAA identity configurable we have to prevent EAP-only authentication.
* android: Add support for signature schemes used by EAP-TLSTobias Brunner2014-11-061-19/+34
|
* android: Allow enumeration of untrusted certificatesTobias Brunner2014-11-061-1/+1
|
* android: Handle EAP-TLS in Android serviceTobias Brunner2014-11-061-6/+19
|
* android: Enable EAP-TLS plugin in the appTobias Brunner2014-11-061-1/+1
|
* android: Add EAP-TLS VPN type to the GUITobias Brunner2014-11-066-1/+7
|
* android: Change how features of VPN types are stored and checkedTobias Brunner2014-11-065-59/+41
|
* charon-tkm: Properly reset CC context in listenerReto Buerki2014-10-311-7/+13
| | | | | | Make sure that the acquired CC context is correctly reset and the associated ID released in the authorize() function of the TKM bus listener.
* charon-tkm: Add missing comma to enumReto Buerki2014-10-311-1/+1
| | | | Add missing comma to tkm_context_kind_names enum definition.
* proposal: Add default PRF for HMAC-MD5-128 and HMAC-SHA1-160 integrity ↵Tobias Brunner2014-10-311-0/+2
| | | | algorithms
* host: Ignore spaces around - when parsing rangesTobias Brunner2014-10-303-9/+23
|
* ike-cfg: Use host_create_from_range() helperTobias Brunner2014-10-301-16/+1
|
* vici: Add support for address range definitions of poolsTobias Brunner2014-10-302-9/+39
|
* stroke: Add support for address range definitions of in-memory poolsTobias Brunner2014-10-301-7/+33
|
* host: Add function to create two hosts from a range definitionTobias Brunner2014-10-303-0/+124
|
* mem-pool: Add basic unit testsTobias Brunner2014-10-303-0/+233
|
* libhydra: Add test runnerTobias Brunner2014-10-305-0/+91
|
* mem-pool: Correctly ignore first and last addresses of subnets and adjust sizeTobias Brunner2014-10-301-7/+49
| | | | | | | Previously one more than the first and last address was ignored. And if the base address is not the network ID of the subnet we should not skip it. But we should adjust the size as it does not represent the actual number of IP addresses assignable.
* ikev1: Don't inherit children if INITITAL_CONTACT was seenThomas Egerer2014-10-301-1/+4
| | | | Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* ikev1: Send INITIAL_CONTACT notify in Main ModeThomas Egerer2014-10-301-0/+28
| | | | | | | | | We currently send the notify in Main Mode only, as it is explicitly not allowed by RFC 2407 to send (unprotected) notifications in Aggressive Mode. To make that work, we'd need to handle that notify in Aggressive Mode, which could allow a MitM to inject such notifies and do some harm. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* pki: Print and document the name constraint type for DNS or email constraintsMartin Willi2014-10-303-6/+46
| | | | | As email constraints may be for a specific host, it is not clear from the name itself if it is a DNS or email constraint.
* constraints: Add permitted/excludedNameConstraints checkMartin Willi2014-10-303-0/+400
|
* constraints: Use a more specific FQDN/email name constraint matchingMartin Willi2014-10-301-22/+73
| | | | | | | While RFC 5280 is not very specific about the matching rules of subjectAltNames, it has some examples how to match email and FQDN constraints. We try to follow these examples, and restrict DNS names to subdomain matching and email to full email, host or domain matching.
* constraints: Add requireExplicitPolicy testsMartin Willi2014-10-301-0/+44
|
* constraints: Add inhibitAnyPolicy testsMartin Willi2014-10-301-0/+44
|
* constraints: Add inhibitPolicyMapping testsMartin Willi2014-10-301-4/+83
|
* constraints: Don't reject certificates with invalid certificate policiesMartin Willi2014-10-301-25/+97
| | | | | | | | | | | | Instead of rejecting the certificate completely if a certificate has a policy OID that is actually not allowed by the issuer CA, we accept it. However, the certificate policy itself is still considered invalid, and is not returned in the auth config resulting from trust chain operations. A user must make sure to rely on the returned auth config certificate policies instead of the policies contained in the certificate; even if the certificate is valid, the policy OID itself in the certificate are not to be trusted anymore.
* constraints: Add certificate policy and policy mapping unit testsMartin Willi2014-10-303-0/+472
|
* swanctl: Document identity type prefixesMartin Willi2014-10-301-3/+18
|
* identification: Support custom types in string constructor prefixesMartin Willi2014-10-303-0/+48
|
* identification: Support prefixes in string constructors for an explicit typeMartin Willi2014-10-303-0/+58
|
* unit-tests: Re-align identification_create_from_string() unit test table dataMartin Willi2014-10-301-52/+52
|
* threading: Support rwlock try_write_lock() on WindowsMartin Willi2014-10-301-2/+0
| | | | | | | | | | | We explicitly avoided TryAcquireSRWLockExclusive() because of crashes. This issue was caused by a MinGW-w64 bug (mingw-w64 fix 46f77afc). Using a newer toolchain works fine. While try_write_lock() obviously can fail, not supporting it is not really an option, as some algorithms depend on occasionally successful calls. Certificate caching in the certificate manager and the cred_set cache rely on successful try_write_lock()ing.
* threading: Add a more explicit rwlock try_write_lock() testingMartin Willi2014-10-301-0/+44
|
* message: Include encrypted fragment payload in payload (order) rulesTobias Brunner2014-10-291-0/+12
| | | | | | | | | Otherwise fragmented CREATE_CHILD_SA exchanges won't get accepted because they don't contain an SA payload. It also prevents a warning when ordering payloads. Fixes #752.
* cert-cache: Prevent that a cached issuer is freed too earlyTobias Brunner2014-10-241-7/+10
| | | | | | | | Previously we got no reference to the cached issuer certificate before releasing the lock of the cache line, this allowed other threads, or even the same thread if it replaces a cache line, to destroy that issuer certificate in cache() (or flush()) before get_ref() for the issuer certificate is finally called.
* unit-tests: Fix internet checksum tests on big-endian systemsTobias Brunner2014-10-231-4/+9
| | | | | | | We actually need to do a byte-swap, which ntohs() only does on little-endian systems. Fixes #747.
* chunk: Fix internet checksum calculation on big-endian systemsTobias Brunner2014-10-231-1/+1
| | | | | | | ntohs() might be defined as noop (#define ntohs(x) (x)) so we have to manually shorten the negated value (gets promoted to an int). Fixes #747.
* updown: Explicitly pass caller PATH to updown scriptMartin Willi2014-10-221-0/+1
| | | | | | | | | When invoking /bin/sh, its default PATH is used. On some systems, that does not include the PATH where the ipsec script is installed, as charon is invoked with a custom PATH. Explicitly setting the PATH of charon should fix this case, properly invoking the (default) updown script. Fixes #745.
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-04 20:43:57 +0000