aboutsummaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
...
* nm: Make global CA directory configurableTobias Brunner2016-10-041-1/+2
|
* ikev1: Activate task to delete the IKE_SA in state IKE_REKEYINGTobias Brunner2016-10-041-0/+8
| | | | It does not have any CHILD_SAs attached at that point.
* ikev1: Delete Quick Mode SAs before the ISAKMP SATobias Brunner2016-10-041-2/+2
| | | | | After the ISAKMP_DELETE task has been executed the IKE_SA is destroyed so we wouldn't be able to send deletes for the Quick Mode SAs.
* ikev1: Send DELETE for rekeyed IKE_SAsTobias Brunner2016-10-041-9/+5
| | | | | | If we silently delete the IKE_SA the other peer might still use it even if only to send DPDs. If we don't answer to DPDs that might result in the deletion of the new IKE_SA too.
* starter: Install an empty ipsec.secrets fileTobias Brunner2016-10-042-1/+3
|
* starter: Don't generate a key/certificate if ipsec.secrets does not existTobias Brunner2016-10-042-70/+0
|
* watcher: Avoid allocations due to enumeratorsTobias Brunner2016-10-041-37/+83
| | | | | Since the FD set could get rebuilt quite often this change avoids having to allocate memory just to enumerate the registered FDs.
* vici: Enable IKE fragmentation by defaultTobias Brunner2016-10-042-4/+4
|
* starter: Enable IKE fragmentation by defaultTobias Brunner2016-10-041-0/+1
|
* ike: Set default IKE fragment size to 1280Tobias Brunner2016-10-041-1/+1
| | | | | | This is the minimum size an IPv6 implementation must support. This makes it the default for IPv4 too, which presumably is also generally routable (otherwise, setting this to 0 falls back to the minimum of 576 for IPv4).
* ikev2: Send derived CHILD_SA keys to the busTobias Brunner2016-10-041-26/+43
|
* ikev2: Send derived IKE_SA keys to busTobias Brunner2016-10-041-26/+30
|
* ikev1: Send derived CHILD_SA keys to the busTobias Brunner2016-10-041-14/+26
|
* ikev1: Send derived IKE_SA keys to busTobias Brunner2016-10-041-14/+11
|
* bus: Add new hooks for derived IKE_SA and CHILD_SA keysTobias Brunner2016-10-043-11/+131
|
* nm: Remove dummy TUN deviceTobias Brunner2016-10-041-36/+0
| | | | | Recent NM releases don't insist on getting a device back from VPN plugins.
* nm: Fix comment in service file in /etc/NetworkManager/VPNTobias Brunner2016-10-041-1/+1
|
* nm: Remove generated service file in `make clean`Tobias Brunner2016-10-041-1/+1
|
* nm: Don't add generated AppStream metadata to tarballTobias Brunner2016-10-041-1/+0
|
* bus: Fix maximum log levels when mixing log/vlog implementing loggersTobias Brunner2016-09-301-12/+20
| | | | | | | | | | | The maximum would not get set correctly when a logger is removed and the first remaining logger in the list (the one with the highest log level) does e.g. only implement vlog() while there are other loggers that implement log(). This would result in only max_vlevel getting set correctly while max_level would incorrectly get set to -1 so that log() would not get called for any of the loggers anymore. References #574.
* kernel-netlink: Pass zero mark to kernel if mask is setTobias Brunner2016-09-301-2/+2
| | | | | | The kernel will apply the mask to the mark on the packet and then compare it to the configured mark. So to match only unmarked packets we have to be able to set 0/0xffffffff.
* kernel-netlink: Support configuring XFRM policy hashing thresholdsTobias Brunner2016-09-301-0/+107
| | | | | | | | | | | | | | | | | | | | | | | | If the number of flows over a gateway exceeds the flow cache size of the Linux kernel, policy lookup gets very expensive. Policies covering more than a single address don't get hash-indexed by default, which results in wasting most of the cycles in xfrm_policy_lookup_bytype() and its xfrm_policy_match() use. Starting with several hundred policies the overhead gets inacceptable. Starting with Linux 3.18, Linux can hash the first n-bit of a policy subnet to perform indexed lookup. With correctly chosen netbits, this can completely eliminate the performance impact of policy lookups, freeing the resources for ESP crypto. WARNING: Due to a bug in kernels 3.19 through 4.7, the kernel crashes with a NULL pointer dereference if a socket policy is installed while hash thresholds are changed. And because the hashtable rebuild triggered by the threshold change that causes this is scheduled it might also happen if the socket policies are seemingly installed after setting the thresholds. The fix for this bug - 6916fb3b10b3 ("xfrm: Ignore socket policies when rebuilding hash tables") - is included since 4.8 (and might get backported). As a workaround `charon.plugins.kernel-netlink.port_bypass` may be enabled to replace the socket policies that allow IKE traffic with port specific bypass policies.
* include: Update xfrm.h to Linux v4.3Martin Willi2016-09-301-0/+22
| | | | | We strip the newly introduced <linux/in6.h> include, as this clashes with the <netinet/in6.h> include.
* child-sa: Only install outbound FWD policies if explicitly configuredTobias Brunner2016-09-281-14/+27
| | | | | | They are only required if drop policies would otherwise prevent forwarding traffic. This reduces the number of policies and avoids conflicts e.g. with SPD hash thresholds.
* vici: Make installation of outbound FWD policies configurableTobias Brunner2016-09-282-25/+36
|
* child-cfg: Add setting that controls whether outbound FWD policies are installedTobias Brunner2016-09-282-0/+24
|
* kernel-netlink: Update cached reqid when updating policiesTobias Brunner2016-09-281-0/+2
|
* gmp: Support of SHA-3 RSA signaturesAndreas Steffen2016-09-2221-163/+265
|
* bliss sampler unit-test: Fixed enumeration typeAndreas Steffen2016-09-221-2/+2
|
* bliss: bliss_sampler expects XOF typeAndreas Steffen2016-09-221-4/+3
|
* unit-tests: MGF1 tests depend on an XOF implementation not just a hash functionTobias Brunner2016-09-211-2/+2
| | | | | If the mgf1 plugin was not enabled (e.g. with the default configure options) the tests failed.
* mgf1: Refactored MGF1 as an XOFAndreas Steffen2016-09-2130-615/+928
|
* leak-detective: Fix compile warning due to unused variable if LD is disabledTobias Brunner2016-09-201-1/+1
|
* leak-detective: Whitelist thread ID getterTobias Brunner2016-09-201-1/+3
| | | | | | | | In case an external thread calls into our code and logs messages, a thread object is allocated that will never be released. Even if we try to clean up the object via thread value destructor there is no guarantee that the thread actually terminates before we check for leaks, which seems to be the case for the Ada Tasking threads.
* charon-tkm: Build C code with debug informationTobias Brunner2016-09-201-1/+2
|
* leak-detective: Whitelist functions of the Ada runtime related to TaskingTobias Brunner2016-09-201-0/+4
|
* charon-tkm: Free name of the PID fileTobias Brunner2016-09-201-0/+1
|
* charon-tkm: Deinitialize tkm before libstrongswanTobias Brunner2016-09-201-1/+1
| | | | In particular because of leak-detective.
* leak-detective: Whitelist some glib/libsoup functionsTobias Brunner2016-09-201-1/+13
| | | | | | Some of these are pretty broad, so maybe an alternative option is to not use the soup plugin in the openssl-ikev2/rw-suite-b* scenarios. But the plugin is not tested anywhere else so lets go with this for now.
* eap-peap: Fix memory leaks when handling tunneled methodsTobias Brunner2016-09-201-1/+3
|
* ipseckey: Properly free enumerated certificatesTobias Brunner2016-09-201-12/+14
|
* ipseckey: Properly free public key after creating certificateTobias Brunner2016-09-201-1/+1
|
* dnscert: Properly free enumerated certificatesTobias Brunner2016-09-201-8/+11
|
* unbound: Avoid unnecessary cloning of RR list that caused a memory leakTobias Brunner2016-09-201-2/+1
|
* unbound: Fix memory leakTobias Brunner2016-09-201-0/+2
|
* pool: Fix (known) memory leak when querying leasesTobias Brunner2016-09-201-21/+38
|
* leak-detective: Whitelist leak in libldapTobias Brunner2016-09-201-0/+2
|
* leak-detective: Optionally write report to a log fileTobias Brunner2016-09-201-10/+36
|
* vici: Fix indention of flush_certs() method in Python bindingsTobias Brunner2016-09-201-1/+1
|
* maemo: Remove unused pluginTobias Brunner2016-09-157-748/+0
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-21 14:46:06 +0000