aboutsummaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
...
* child-cfg: Use flags for boolean optionsTobias Brunner2017-05-2312-153/+129
| | | | Makes it potentially easier to add new flags.
* kernel-netlink: Enable hardware offloading if configured for an SATobias Brunner2017-05-231-0/+25
|
* kernel-ipsec: Add flag to enable hardware offloading for an IPsec SATobias Brunner2017-05-231-0/+2
|
* include: Update xfrm.h to include hardware offloading extensionsTobias Brunner2017-05-231-1/+10
|
* kernel-netlink: Directly handle Netlink messages if thread pool is emptyTobias Brunner2017-05-231-1/+2
| | | | | | | | | During initialization of the plugins the thread pool is not yet initialized so there is no watcher thread that could handle the queued Netlink message and the main thread will wait indefinitely for a response. Fixes #2199.
* socket-default: Add an option to force the sending interface via IP_PKTINFOMartin Willi2017-05-231-7/+48
| | | | | | | | | | | | | | | | | | | | | | | | | On Linux, setting the source address is insufficient to force a packet to be sent over a certain path. The kernel uses the best route to select the outgoing interface, even if we set a source address of a lower priority interface. This is not only true for interfaces attaching to the same subnet, but also for unrelated interfaces; the kernel (at least on 4.7) sends out the packet on whatever interface it sees fit, even if that network does not expect packets from the source address we force to. When a better interface becomes available, strongSwan sends its MOBIKE address list update using the old source address. But the kernel sends that packet over the new best interface. If that network drops packets having the unexpected source address from the old path, the MOBIKE update fails and the SA finally times out. To enforce a specific interface for our packet, we explicitly set the interface index from the interface where the source address is installed. According to ip(7), this overrules the specified source address to the primary interface address. As this could have side effects to installations using multiple addresses on a single interface, we disable the option by default for now. This also allows using IPv6 link-local addresses, which won't work if the outbound interface is not set explicitly.
* Add an option to announce support for IKE fragmentation but not sending ↵Tobias Brunner2017-05-235-10/+19
| | | | fragments
* swanctl: Use returned key ID to track loaded private keysTobias Brunner2017-05-231-13/+6
| | | | | | There was a direct call to load_key() for unencrypted keys that didn't remove the key ID from the hashtable, which caused keys to get unloaded when --load-creds was called multiple times.
* vici: Return key ID from load-key commandTobias Brunner2017-05-232-4/+13
| | | | | We already do this for load-token and this should simplify client implementations.
* credential-manager: Prefer local over global setsAdrian-Ken Rueegsegger2017-05-231-7/+7
| | | | | Invert set enumeration order to first enumerate local and then global credential sets.
* ikev1: Send NAT-D payloads after HASH payloads in Aggressive Mode requestsTobias Brunner2017-05-191-1/+1
| | | | | | | Some implementations seem to have problems if the third AM message contains NAT-D payloads before the HASH payload. Fixes #2314.
* ike-sa-manager: Improve scalability of IKE_SA count checkingThomas Egerer2017-05-191-19/+10
| | | | | | | | Much like in commit a68454b, we now use a global atomic counter to keep track of the number of IKE_SAs currently registered. This should improve scalability for a large number of segments even more. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* tun-device: Use next free TUN device on FreeBSDTobias Brunner2017-05-191-3/+18
| | | | | | | | | | | While this API is documented as legacy (and there is a sysctl option to disable it) the documentation also mentions that it will probably stay enabled by default due to compatibility issues with existing applications. With the previous approach only 255 devices could be opened then the daemon had to be restarted. Fixes #2313.
* tun-device: TUN devices are not supported on iOSTobias Brunner2017-05-191-1/+10
|
* attr-sql: Make release of online leases during startup optionalTobias Brunner2017-05-191-8/+12
| | | | This cleanup prevents sharing the same DB between multiple VPN gateways.
* charon-nm: Fix typo to actually use random NAT-T portTobias Brunner2017-05-191-1/+1
| | | | Fixes: af16b5afb0ee ("Use random ports in NetworkManager backend")
* af-alg: Fix crypt() definition conflictBaruch Siach2017-05-151-2/+2
| | | | | | | | | | | | | | | | | | | | | | Rename the crypt() method to avoid conflict with POSIX crypt(). Fixes the following build failure with musl libc: In file included from ../../../../src/libstrongswan/utils/utils.h:53:0, from ../../../../src/libstrongswan/library.h:101, from af_alg_ops.h:24, from af_alg_ops.c:16: af_alg_ops.c:110:22: error: conflicting types for 'crypt' METHOD(af_alg_ops_t, crypt, bool, ^ ../../../../src/libstrongswan/utils/utils/object.h:99:13: note: in definition of macro 'METHOD' static ret name(union {iface *_public; this;} \ ^ In file included from af_alg_ops.c:18:0: .../host/usr/x86_64-buildroot-linux-musl/sysroot/usr/include/unistd.h:144:7: note: previous declaration of 'crypt' was here char *crypt(const char *, const char *); ^ Closes strongswan/strongswan#72.
* x509: Evaluate return codes of parsing functionsAndreas Steffen2017-05-084-52/+149
|
* nm: Explicitly prevent the smartcard PIN from being storedRaphael Geissert2017-05-081-0/+2
| | | | | | | The secret storage flag wasn't being saved when using smartcard authentication, resulting in the PIN being stored. Fixes #2166.
* nm: IKE/ESP proposal customization supportDefunct2017-05-082-0/+202
| | | | Closes strongswan/strongswan#70.
* charon-nm: IKE/ESP proposal customization supportDefunct2017-05-081-5/+59
| | | | Closes strongswan/strongswan#69.
* eap-simaka-sql: Fixed database column from use to usedAndreas Steffen2017-04-261-4/+7
|
* pki: Reset variable so error handling works properlyTobias Brunner2017-04-191-0/+1
| | | | | If we jump to `end` without this we crash (not necessarily visibly) due to a double free and the actual error message is not printed.
* vici: Fix type error exception in Python bindingsodi792017-04-191-1/+1
| | | | | | | | | | Line 66 yields "TypeError: can't concat bytes to str" using Python 3.4. "requestdata" was introduced in 22f08609f1b6 but is not actually used. Since the original "request" is not used anywhere else this can be changed to be similar to the other UTF-8 encoding changes in that commit. Fixes: 22f08609f1b6 ("vici: Explicitly set the Python encoding type"). Closes strongswan/strongswan#66.
* kernel-netlink: Avoid O(n^2) copy operations when concatenating Netlink ↵Jiri Horky2017-03-271-7/+13
| | | | | | | | | | | | | | | | | | | | responses When constructing the result, all responses from Netlink were concatenated iteratively, i.e. for each response, the previously acquired result was copied to newly allocated memory and the current response appended to it. This results in O(n^2) copy operations. Instead, we now check for the total final length of the result and copy the individual responses to it in one pass, i.e. in O(n) copy operations. In particular, this issue caused very high CPU usage in memcpy() function as the result is copied over and over. Common way how to hit the issue is when having 1000+ routes and 5+ connecting clients a second. In that case, the memcpy() function can take 50%+ of one CPU thread on a decent CPU and the whole charon daemon is stuck just reading routes and concatenating them together (connecting clients are blocked in that particular case as this is done under mutex). Closes strongswan/strongswan#65. References #2055.
* libtls: Replace expired certificates for unit testsTobias Brunner2017-03-241-68/+66
| | | | | | | | | | | | Only the tests with client authentication failed, the client accepted the trusted self-signed certificate even when it was expired. On the server the lookup (based on the pre-configured SAN) first found the ECDSA cert, which it dismissed for the RSA authentication the client used, and since only the first "pretrusted" cert is considered the following RSA cert was verified more thoroughly. The lookup on the client always uses the full DN of the server certificate not the pre-configured identity so it found the correct certificate on the first try.
* pki: Actually make the default key type KEY_ANY for --selfTobias Brunner2017-03-241-1/+1
| | | | | Fixes: 05ccde0a8bd9 ("pki: Add generic 'priv' key type that loads any type of private key")
* addrblock: Narrow selectors when rekeying a CHILD_SA as original responderMartin Willi2017-03-241-0/+1
| | | | | | | | | | | | If a the original responder narrows the selectors of its peer in addrblock, the peer gets a subset of that selectors. However, once the original responder initiates rekeying of that CHILD_SA, it sends the full selectors to the peer, and then narrows the received selectors locally for the installation, only. This is insufficient, as the peer ends up with wider selectors, sending traffic that the original responder will reject to the stricter IPsec policy. So additionally narrow the selectors when rekeying CHILD_SAs before sending the TS list to the peer.
* kernel-wfp: Don't redefine IPPROTO_IP* if already definedTobias Brunner2017-03-231-0/+4
|
* pki: Cast length derived from pointer arithmetic to intTobias Brunner2017-03-231-1/+1
|
* vici: Don't fall back to uninstalling traps if a matching shunt was foundTobias Brunner2017-03-231-3/+7
| | | | | | | This is different if `ike` and `child` are provided and uninstall() fails as we call that without knowing whether a matching shunt exists. But if `ike` is not provided we explicitly search for a matching shunt and if found don't need to look for a trap policy.
* Fixed some typos, courtesy of codespellTobias Brunner2017-03-237-7/+7
|
* swanctl: Reformulate IKEv1 selector restriction, describe problems with TS ↵Noel Kuntze2017-03-231-3/+10
| | | | narrowing
* swanctl: Mention including files when referring to strongswan.conf(5)Tobias Brunner2017-03-231-1/+2
|
* Allow x25519 as an alias of the curve25519 KE algorithmAndreas Steffen2017-03-201-0/+1
|
* Reference Edwards-curve signature RFCsAndreas Steffen2017-03-203-17/+19
|
* The tpm plugin offers random number generationAndreas Steffen2017-03-207-3/+208
| | | | | | The tpm plugin can be used to derive true random numbers from a TPM 2.0 device. The get_random method must be explicitly enabled in strongswan.conf with the plugin.tpm.use_rng = yes option.
* vici: Document how we pronounce the vici protocol and pluginMartin Willi2017-03-201-3/+3
|
* swanctl: Describe what happens when a FQDN is specified in local|remote_addrsTobias Brunner2017-03-201-0/+6
|
* ikev1: First do PSK lookups based on identities then fallback to IPsTobias Brunner2017-03-201-36/+34
| | | | | | | | This provides a solution for configs where there is e.g. a catch-all %any PSK, while more specific PSKs would be found by the identities of configs that e.g. use FQDNs as local/remote addresses. Fixes #2223.
* ike-sa-manager: Remove superfluous assignmentThomas Egerer2017-03-161-4/+0
| | | | | | | Memory is allocated with calloc, hence set to zero, thus assigning the numerical value 0 is not required. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* ike: Log remote IP when deleting half-open IKE_SAsTobias Brunner2017-03-151-1/+2
|
* aikpub2: Removed aikpub2 toolAndreas Steffen2017-03-064-325/+0
| | | | | | | The aikpub2 tool has been replaced by pki --pub|--req --keyid hex .. where keyid indicates the TPM 2.0 private key object handle. Thus either the public key in PKCS#1 format can be extracted or a PKCS#10 certificate request signed by the TPM private key can be generated.
* pki: Add key object handle of smartcard or TPM private key as an argument to ↵Andreas Steffen2017-03-062-5/+25
| | | | pki --keyid
* utils: chunk_from_hex() skips optional 0x prefixAndreas Steffen2017-03-062-11/+18
|
* pki: Edited keyid parameter use in various pki man pages and usage outputsAndreas Steffen2017-03-0612-19/+34
|
* quick-mode: Correctly prepare NAT-OA payloads as responderTobias Brunner2017-03-061-8/+13
| | | | | | The initiator's address was sent back twice previously. Fixes #2268.
* Add keyid of smartcard or TPM private key as an argument to pki --reqAndreas Steffen2017-03-021-2/+15
|
* libipsec: Enforce a minimum of 256 for SPIsTobias Brunner2017-03-021-3/+4
| | | | | | RFC 4303 reserves the SPIs between 1 and 255 for future use. This also avoids an overflow and a division by zero if spi_min is 0 and spi_max is 0xffffffff.
* libipsec: Fix min/max SPITobias Brunner2017-03-021-2/+2
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-20 22:43:46 +0000