aboutsummaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
...
* ike-sa-manager: Improve scalability of half-open IKE_SA checkingTobias Brunner2014-04-241-7/+8
| | | | | | | | | | | | | | | This patch is based on one by Christoph Gouault. Currently, to count the total number of half_open IKE_SAs, get_half_open_count sums up the count of each segment in the SA hash table (acquiring a lock for each segment). This procedure does not scale well when the number of segments increases, as the method is called for each new negotiation. Instead, lets maintain a global atomic counter. This optimization allows the use of big values for charon.ikesa_table_size and charon.ikesa_table_segments.
* utils: Use GCC's __atomic built-ins if availableTobias Brunner2014-04-242-3/+22
| | | | | | | | These are available since GCC 4.7 and will eventually replace the __sync operations. They support the memory model defined by C++11. For instance, by using __ATOMIC_RELAXED for some operations on the reference counters we can avoid memory barriers, which are required by __sync operations (whose memory model essentially is __ATOMIC_SEQ_CST).
* utils: Add ref_cur() to retrieve the current value of a reference counterTobias Brunner2014-04-242-3/+24
| | | | | | | | | | On many architectures it is safe to read the value directly (those using cache coherency protocols, and with atomic loads for 32-bit values) but it is not if that's not the case or if we ever decide to make refcount_t 64-bit (load not atomic on x86). So make sure the operation is actually atomic and that users do not have to care about the size of refcount_t.
* kernel-pfkey: Added IPComp supportFrancois ten Krooden2014-04-241-19/+138
| | | | | | - get_cpi function was implemented to retrieve a CPI from the kernel. - add_sa/update_sa/del_sa were updated to accommodate for IPComp SA. - Updated add_policy_internal to update the SPD to support IPComp.
* nm: Bump NetworkManager plugin version to 1.3.1Martin Willi2014-04-242-1/+7
|
* pacman.sh now fetches Ubuntu 14.04 security updatesAndreas Steffen2014-04-241-1/+22
|
* ike: Delay actively initiated reauthentication when other exchanges in progressMartin Willi2014-04-171-2/+47
| | | | | If any other IKE or CHILD_SA operation takes places, we should not start initiating reauthentication to avoid any potential races.
* ikev2: Reject CHILD_SA creation/rekeying while deleting an IKE_SAMartin Willi2014-04-171-0/+6
| | | | | | | | | | | If one peer starts reauthentication by deleting the IKE_SA, while the other starts CHILD_SA rekeying, we run in a race condition. To avoid it, temporarily reject the rekey attempt while we are in the IKE_SA deleting state. RFC 4306/5996 is not exactly clear about this collision, but it should be safe to reject CHILD_SA rekeying during this stage, as the reauth will re-trigger the CHILD_SA. For non-rekeying CHILD_SA creations, it's up to the peer to retry establishing the CHILD_SA on the reauthenticated IKE_SA.
* ikev2: Apply extensions and conditions before starting rekeyingMartin Willi2014-04-171-0/+6
| | | | | | The extensions and conditions apply to the rekeyed IKE_SA as well, so we should migrate them. Especially when using algorithms from private space, we need EXT_STRONGSWAN to properly select these algorithms during IKE rekeying.
* ikev2: Add inherit_pre() to apply config and hosts before IKE_SA rekeyingMartin Willi2014-04-174-22/+30
|
* ikev1: Add an option to accept unencrypted ID/HASH payloadsMartin Willi2014-04-171-1/+20
| | | | | | | | | Even in Main Mode, some Sonicwall boxes seem to send ID/HASH payloads in unencrypted form, probably to allow PSK lookup based on the ID payloads. We by default reject that, but accept it if the charon.accept_unencrypted_mainmode_messages option is set in strongswan.conf. Initial patch courtesy of Paul Stewart.
* ikev2: Fix reauthentication if peer assigns a different virtual IPTobias Brunner2014-04-151-1/+1
| | | | | | | | | | | | | | | | | Before this change a reqid set on the create_child_t task was used as indicator of the CHILD_SA being rekeyed. Only if that was not the case would the local traffic selector be changed to 0.0.0.0/0|::/0 (as we don't know which virtual IP the gateway will eventually assign). On the other hand, in case of a rekeying the VIP is expected to remain the same, so the local TS would simply equal the VIP. Since c949a4d5016e33c5 reauthenticated CHILD_SAs also have the reqid set. Which meant that the local TS would contain the previously assigned VIP, basically rendering the gateway unable to assign a different VIP to the client as the resulting TS would not match the client's proposal anymore. Fixes #553.
* Handle tag separatorsAndreas Steffen2014-04-151-12/+15
|
* swid_generator software-id does not generate empty lines any moreAndreas Steffen2014-04-151-5/+0
|
* Added result information to TPMRA workitemsAndreas Steffen2014-04-158-62/+94
| | | | On the occasion got rid of complicated functional component stuff
* Indicate IMV in assessment log statementAndreas Steffen2014-04-151-4/+14
|
* Implemented segmented SWID tag attributes on IMV sideAndreas Steffen2014-04-154-35/+77
|
* Use python-based swidGenerator to generated SWID tagsAndreas Steffen2014-04-1521-211/+662
|
* Updated imv database templatesAndreas Steffen2014-04-152-14/+15
|
* Optimized PTS measurementsAndreas Steffen2014-04-1512-294/+132
|
* Use cached pid for product-based package accessAndreas Steffen2014-04-152-40/+17
|
* Make Attestation IMV independent of OS IMVAndreas Steffen2014-04-156-41/+136
|
* Separated IMV session management from IMV policy databaseAndreas Steffen2014-04-1538-1343/+1786
|
* Renamed the AIK public key parameter to imc-attestation.aik_pubkeyAndreas Steffen2014-04-151-1/+1
|
* Implemented configurable Device ID in OS IMCAndreas Steffen2014-04-151-11/+85
|
* ikev2: Reject CREATE_CHILD_SA exchange on unestablished IKE_SAsMartin Willi2014-04-141-0/+9
| | | | | | | Prevents a responder peer to trick us into established state by starting IKE_SA rekeying before the IKE_SA has been authenticated during IKE_AUTH. Fixes CVE-2014-2338.
* eap-mschapv2: Fix potential leaks in case of invalid messages from serversTobias Brunner2014-04-091-0/+4
|
* pts: Make sure the complete AIK blob has been readTobias Brunner2014-04-091-1/+2
|
* attr: Don't shift the 32-bit netmask by 32Tobias Brunner2014-04-091-3/+6
| | | | | | | | | | This is undefined behavior as per the C99 standard (sentence 1185): "If the value of the right operand is negative or is greater or equal to the width of the promoted left operand, the behavior is undefined." Apparently shifts may be done modulo the width on some platforms so a shift by 32 would not shift at all.
* nm: Fix NULL-pointer dereference when handling TUN device failureTobias Brunner2014-04-091-1/+0
|
* x509: Don't include authKeyIdentifier in self-signed certificatesTobias Brunner2014-04-091-1/+1
| | | | | As the comment indicates this was the intention in d7be2906433a7dcfefc1fd732587865688dbfe1b all along.
* x509: Initialize certs when building optionalSignature for OCSP requestsTobias Brunner2014-04-091-1/+1
|
* stroke: Fix memory leak when printing unknown AC group OIDsTobias Brunner2014-04-091-0/+1
|
* pki: Fix memory leak when printing unknown AC group OIDsTobias Brunner2014-04-091-0/+1
|
* pki: Removed extra continue statementTobias Brunner2014-04-091-1/+0
|
* Added support for msSmartcardLogon EKUAndreas Steffen2014-04-086-16/+37
|
* Added some more OIDsAndreas Steffen2014-04-081-1/+20
|
* Initialize m1 to suppress compiler warningAndreas Steffen2014-04-071-1/+1
|
* Fixed another dirname/basename refactoring bug.Andreas Steffen2014-04-071-1/+3
| | | | file was freed before use.
* Fixed dirname/basename refactoring bug.Andreas Steffen2014-04-071-11/+10
| | | | Variables used in a database query have to be kept until the end of the enumeration
* Added SHA3 OIDsAndreas Steffen2014-04-041-6/+12
|
* ike-cfg: Properly compare IKE proposals for equality5.1.3rc1Tobias Brunner2014-04-031-1/+1
|
* leak-detective: LEAK_DETECTIVE_DISABLE completely disables LDTobias Brunner2014-04-033-17/+23
| | | | | If lib->leak_detective is non-null some code parts (e.g. the plugin loader) assume LD is actually used.
* unit-tests: Verify two bytes at once when testing chunk_clear()Tobias Brunner2014-04-021-3/+6
| | | | | This reduces the chances of arbitrary test failures if the memory area already got overwritten.
* tls: Add a test case to check correct enum name mapping of cipher suitesMartin Willi2014-04-013-0/+250
|
* tls: Add socket based tests testing all supported suites with TLS 1.2/1.1/1.0Martin Willi2014-04-013-0/+527
|
* tls: Remove superfluous initializers in TLS AEAD implementationsMartin Willi2014-04-014-4/+0
|
* tls: Support a maximum TLS version to negotiate using TLS socket abstractionMartin Willi2014-04-015-5/+7
|
* tls: Support a null encryption flag on TLS socket abstractionMartin Willi2014-04-015-7/+21
|
* tls: Introduce a generic TLS purpose that accepts NULL encryption ciphersMartin Willi2014-04-013-0/+6
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-15 10:22:35 +0000