aboutsummaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
...
* ike-mobike: Send retransmits to the current local and remote addressesTobias Brunner2015-10-301-1/+5
| | | | | | These might have changed by a peer-initiated MOBIKE address update. Fixes #1125.
* ikev1: Handle queued INFORMATIONAL message after receiving the last AM requestTobias Brunner2015-10-301-0/+16
|
* ikev1: Queue INFORMATIONAL request if AM is not complete yetTobias Brunner2015-10-301-6/+13
|
* ikev1: Handle queued TRANSACTION messages only after processing repliesTobias Brunner2015-10-301-1/+2
|
* ikev1: Extract queueing of TRANSACTIONAL requests when MM is not complete yetTobias Brunner2015-10-301-17/+27
|
* ikev1: Drop TRANSACTION/QUICK_MODE requests until we received the last AM ↵Tobias Brunner2015-10-301-0/+32
| | | | message
* ikev1: Make maximum number of IKEv1 phase 2 exchanges we keep state about ↵Tobias Brunner2015-10-301-9/+11
| | | | | | configurable Fixes #1128.
* Fix typo in error handling for sigwaitinfo() in charon-systemd and charon-tkmTobias Brunner2015-10-292-2/+2
| | | | Fixes 858148092d1e ("Replace usages of sigwait(3) with sigwaitinfo(2)")
* random: Properly handle errors when reading from /dev/[u]randomTobias Brunner2015-10-291-0/+1
| | | | | | | | If -1 was returned on the first call to read() `done` got SIZE_MAX and the function returned TRUE even though no actual random data had been allocated. Fixes #1156.
* ikev1: Avoid fourth QM message if third QM messages of multiple exchanges ↵Tobias Brunner2015-10-292-2/+14
| | | | | | | | | | | | are handled delayed If we haven't received the third QM message for multiple exchanges the return value of NEED_MORE for passive tasks that are not responsible for a specific exchange would trigger a fourth empty QM message. Fixes: 4de361d92c54 ("ikev1: Fix handling of overlapping Quick Mode exchanges") References #1076.
* ikev1: Prevent deadlock when checking for duplicate IKEv1 SAsTobias Brunner2015-10-291-0/+16
| | | | | | | | | | | Previously, the current segment was held while checking for duplicate SAs, which requires acquiring all segments. If multiple threads did this concurrently this resulted in a deadlock as they couldn't acquire the segments held by the other threads attempting to do the same. With the default configuration only one segment is used, which prevents the problem as only one thread can check in an IKE SA concurrently. Fixes: a064eaa8a63a ("Handling of initial contact")
* Replace usages of sigwait(3) with sigwaitinfo(2)Tobias Brunner2015-10-299-36/+31
| | | | | | | This is basically the same call, but it has the advantage of being supported by FreeBSD's valgrind, which sigwait() is not. References #1106.
* updown: Add rules to allow IP6IP6 traffic used for uncompressed small packetsTobias Brunner2015-09-211-0/+31
|
* shunt-manager: Resolve %dynamic to %any4/6 before installing policiesTobias Brunner2015-09-161-7/+22
| | | | | | | | left|rightsubnet default to %dynamic, which is basically 0.0.0.0/0 until an address is assigned to it. So if only one side was undefined and the other traffic selector was IPv6 an address family mismatch would occur. References #595.
* shunt-manager: Don't install policies in case of an address family or IP ↵Tobias Brunner2015-09-161-0/+20
| | | | | | protocol mismatch References #595.
* openssl: Explicitly include openssl/bn.hTobias Brunner2015-09-165-0/+5
| | | | | | | | If OpenSSL is compiled with OPENSSL_NO_DEPRECATED some of the headers we include don't include openssl/bn.h anymore. Therefore, we have to explicitly include it ourselves where we use BN_* functions. Fixes #1113.
* unit-tests: Add a test to verify that there is no partial matching of RDNsTobias Brunner2015-09-091-0/+1
|
* scepclient: Remove copyright and license from man pageTobias Brunner2015-09-091-9/+0
|
* include: Add linux/socket.hTobias Brunner2015-09-072-1/+22
| | | | | | | | | | | | | __kernel_sa_family_t is defined and used since Linux 3.1, so on systems with older kernels (like CentOS 6.7, which still ships a 2.6.32 kernel) the build with the current UAPI headers fails. And using the native headers on such system does not really work either because we use structs, defines, and enum values from the newer headers in the kernel-netlink plugin. __kernel_sa_family_t is defined in linux/socket.h so we ship that too (in particular the simplified UAPI version from Linux 3.7+). Fixes #1099.
* imv-os: Add some useful usage output to the pacman utilityTobias Brunner2015-08-311-2/+8
| | | | Fixes #487.
* kernel-netlink: Properly set port mask for ICMP type/code if only set on one ↵Tobias Brunner2015-08-311-7/+8
| | | | | | | | | | | | side If only one traffic selector had a port (type/code) the other side had the port mask set to 0, which canceled out the applied type/code. It also fixes the installation of ICMP type/code on big-endian hosts. Fixes #1091. References #595.
* kernel-pfkey: Properly encode ICMP type/code if only set on one sideTobias Brunner2015-08-311-34/+20
| | | | References #595.
* libimcv: Updated Android.mk fileTobias Brunner2015-08-311-2/+5
|
* eap-radius: Fix creation of host_t objects based on Framed-IPv6-Address ↵Tobias Brunner2015-08-281-1/+1
| | | | | | | attributes Fixes ec490e68ae37 ("eap-radius: Add support for some basic IPv6-specific RADIUS attributes"). References #1001.
* pki: Add new type options to --issue command usage outputTobias Brunner2015-08-271-2/+2
|
* eap-ttls: Limit maximum length of tunneled EAP packet to EAP-TTLS packetTobias Brunner2015-08-271-1/+8
|
* trap-manager: Cleanup local address in error casesTobias Brunner2015-08-271-0/+2
|
* imv-os: Properly free strings for invalid input in pacmanTobias Brunner2015-08-271-0/+11
|
* ha: Close control FIFO if it is not validTobias Brunner2015-08-271-0/+4
|
* swanctl: Correctly build man page in out-of-tree builds from the repositoryTobias Brunner2015-08-271-1/+1
|
* Fixed some typos, courtesy of codespellTobias Brunner2015-08-273-3/+3
|
* Fix some Doxygen issuesTobias Brunner2015-08-277-8/+11
|
* unit-tests: Additional test cases to increase coverageTobias Brunner2015-08-272-9/+611
|
* traffic-selector: Use calc_netbits() in RFC 3779 constructorTobias Brunner2015-08-271-2/+1
| | | | This properly detects prefixes encoded as ranges.
* ike: Fix half-open count for initiating SAs when initially checked inTobias Brunner2015-08-271-0/+6
|
* ike: Only consider number of half-open SAs as responder when deciding ↵Tobias Brunner2015-08-276-19/+45
| | | | whether COOKIEs are sent
* vici: Handle closed sockets in the Ruby gemEvan Broder2015-08-241-1/+5
| | | | | | | | | | | | | | | | From recvfrom(2) (which UDPSocket#recv backs into): The return value will be 0 when the peer has performed an orderly shutdown. (i.e. it will return an empty string) Previously in this scenario, Vici::Transport#recv_all would spin forever trying to pull more data off the socket. I'm not entirely clear what happened that caused strongSwan to shutdown the socket, but it probably should not cause vici Ruby apps to spin. Closes strongswan/strongswan#13.
* starter: Don't flush SAs in the kernelTobias Brunner2015-08-213-14/+0
| | | | | If starter is not used we don't do that either. And this allows us to move the stuff in libhydra back to libcharon.
* starter: Don't flush policies in the kernelTobias Brunner2015-08-211-1/+0
| | | | | | | | | | | We can't control which policies we flush, so if policies are installed and used outside of strongSwan for other protocols we'd flush them too. And if installpolicies=no is used we probably shouldn't flush policies either. Luckily already existing policies are not treated as fatal errors anymore, so not flushing policies should not be that much of an issue (in case of a crash in dynamic setups, e.g. with virtual IPs, policies could be left behind even after restarting the connections and properly terminating the daemon).
* kernel-pfkey: Only flush SAs of types we actually manageTobias Brunner2015-08-211-13/+26
|
* kernel-netlink: Only flush SAs of types we actually manageTobias Brunner2015-08-211-6/+19
|
* vici: Optionally check limits when initiating connectionsTobias Brunner2015-08-212-1/+7
| | | | | If the init-limits parameter is set (disabled by default) init limits will be checked and might prevent new SAs from getting initiated.
* vici: Add get_bool() convenience getter for VICI messagesTobias Brunner2015-08-213-0/+94
|
* controller: Optionally adhere to init limits also when initiating IKE_SAsTobias Brunner2015-08-2115-20/+71
|
* ike: Also track initiating IKE_SAs as half-openTobias Brunner2015-08-211-1/+0
|
* stroke: Allow %any as local addressTobias Brunner2015-08-211-3/+7
| | | | | Actually, resolving addresses in `left` might be overkill as we'll assume left=local anyway (the only difference is the log message).
* stroke: Add an option to disable side-swapping of configuration optionsTobias Brunner2015-08-211-33/+46
| | | | | In some scenarios it might be preferred to ensure left is always local and no unintended swaps occur.
* ikev1: Assign different job priorities for inbound IKEv1 messagesTobias Brunner2015-08-211-2/+12
|
* child-rekey: Don't add a REKEY_SA notify if the child-create task is ↵Tobias Brunner2015-08-211-6/+9
| | | | deleting the SA
* child-create: Cache proposed IPsec protocolTobias Brunner2015-08-211-10/+13
| | | | | This allows us to DELETE CHILD_SAs on failures that occur before we retrieved the selected proposal.
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-12 03:32:55 +0000