aboutsummaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
...
* Implemented improved BLISS-B signature algorithmAndreas Steffen2015-02-257-47/+356
|
* host-resolver: Do not cancel threads waiting for new queries during cleanupMartin Willi2015-02-241-6/+8
| | | | | | | | | | | | | | | | While it is currently unclear why it happens, canceling threads waiting in the new_query condvar does not work as expected. The behavior is not fully reproducible: Either cancel(), join() or destroying the condvar hangs. The issue has been seen in the http-fetcher unit tests, where the stream service triggers the use of the resolver for "localhost" hosts. It is reproducible with any cleanup following a host_create_from_dns() use on a Ubuntu 14.04 x64 system. Further, the issue is related to the use of libunwind, as only builds with --enable-unwind-backtraces are affected. As we broadcast() the new_query condvar before destruction, a hard cancel() of these threads is actually not required. Instead we let these threads clean up themselves after receiving the condvar signal.
* host-resolver: Disable resolver thread cancellation by defaultMartin Willi2015-02-241-0/+3
| | | | | The default of new threads is cancellable, but the host-resolver thread code clearly expects the opposite.
* unit-tests: Add host_create_from_dns() test cases resolving "localhost"Martin Willi2015-02-241-0/+42
|
* plugin-loader: Do not unload libraries during dlclose(), if supportedMartin Willi2015-02-241-1/+9
| | | | | | | Unloading libraries calls any library constructor/destructor functions. Some libraries can't handle that in our excessive unit test use. GnuTLS leaks a /dev/urandom file descriptor, letting unit tests fail with arbitrary out-of-resources errors.
* unit-tests: Accept numerical protocol/port numbers in traffic selector testsMartin Willi2015-02-231-11/+16
|
* forecast: Explicitly cast sockaddr to fix compiler warningTobias Brunner2015-02-231-1/+1
| | | | On Travis we compile with -Werror.
* configure: Use pkg-config to detect libiptc used by connmark/forecastTobias Brunner2015-02-232-4/+4
| | | | | This ensures the library is available. On Debian/Ubuntu it is a dynamic library provided by the iptables-dev package.
* openssl: Return the proper IV length for OpenSSL cryptersTobias Brunner2015-02-231-1/+1
| | | | | | | For instance, the NULL cipher has a block size of 1 but an IV length of 0. Fixes #854.
* forecast: Add the broadcast/multicast forwarding plugin called forecastMartin Willi2015-02-208-0/+1479
|
* ipsec-types: Support the %unique mark valueMartin Willi2015-02-202-5/+15
|
* connmark: Add CONNMARK rules to select correct output SA based on conntrackMartin Willi2015-02-204-0/+611
| | | | | | | | | | | | | | Currently supports transport mode connections using IPv4 only, and requires a unique mark configured on the connection. To select the correct outbound SA when multiple connections match (i.e. multiple peers connected from the same IP address / NAT router) marks must be configured. This mark should usually be unique, which can be configured in ipsec.conf using mark=0xffffffff. The plugin inserts CONNMARK netfilter target rules: Any peer-initiated flow is tagged with the assigned mark as connmark. On the return path, the mark gets restored from the conntrack entry to select the correct outbound SA.
* bus: Add an ike_update() hook invoked when peer endpoints changeMartin Willi2015-02-204-0/+50
|
* connmark: Add a plugin stubMartin Willi2015-02-204-0/+150
|
* load-tester: Support initiating XAuth authenticationMartin Willi2015-02-201-0/+22
| | | | | | | | As with other configuration backends, XAuth is activated with a two round client authentication using pubkey and xauth. In load-tester, this is configured with initiator_auth=pubkey|xauth. Fixes #835.
* mem-pool: Pass the remote IKE address, to re-acquire() an address during reauthMartin Willi2015-02-206-51/+87
| | | | | | | | | | | With make-before-break IKEv2 re-authentication, virtual IP addresses must be assigned overlapping to the same peer. With the remote IKE address, the backend can detect re-authentication attempts by comparing the remote host address and port. This allows proper reassignment of the virtual IP if it is re-requested. This change removes the mem-pool.reassign_online option, as it is obsolete now. IPs get automatically reassigned if a peer re-requests the same address, and additionally connects from the same address and port.
* ikev2: Schedule a make-before-break completion task to delete old IKE_SAMartin Willi2015-02-208-1/+174
|
* ikev2: Allow task to skip exchange by setting undefined exchange typeMartin Willi2015-02-201-0/+5
|
* ikev2: Trigger make-before-break reauthentication instead of reauth taskMartin Willi2015-02-202-2/+79
|
* ike-sa-manager: Use IKEv1 uniqueness reauthentication detection for IKEv2, tooMartin Willi2015-02-201-12/+8
|
* attribute-handler: Pass full IKE_SA to handler backendsMartin Willi2015-02-2010-79/+61
|
* attribute-provider: Pass full IKE_SA to provider backendsMartin Willi2015-02-2010-65/+55
|
* attribute-manager: Pass full IKE_SA to handler methodsMartin Willi2015-02-205-23/+28
|
* attribute-manager: Pass the full IKE_SA to provider methodsMartin Willi2015-02-205-23/+32
|
* unit-tester: Drop the old unit-tester libcharon pluginMartin Willi2015-02-2013-953/+0
| | | | | | While it has some tests that we don't directly cover with the new unit tests, most of them require special infrastructure and therefore have not been used for a long time.
* attributes: Move the configuration attributes framework to libcharonMartin Willi2015-02-2040-129/+119
|
* libcharon: Add a test runnerMartin Willi2015-02-205-0/+96
|
* attr-sql: Move plugin to libcharonMartin Willi2015-02-208-10/+13
|
* attr: Move plugin to libcharonMartin Willi2015-02-208-12/+10
|
* resolve: Move plugin back to libcharonMartin Willi2015-02-207-9/+8
| | | | Since pluto is gone, all existing users build upon libcharon.
* charon-tkm: Use get_dst_host getter in EES callbackReto Buerki2015-02-201-4/+14
| | | | | | Use the new get_dst_host getter to retrieve the destination host from the SAD using the reqid, spi and protocol values received from the xfrm-proxy.
* charon-tkm: Add get_dst_host getter to SADReto Buerki2015-02-203-0/+79
| | | | | This function returns the destination host of an SAD entry for given reqid, spi and protocol arguments or NULL if not found.
* charon-tkm: Improve SAD get_esa_id log messagesReto Buerki2015-02-201-4/+4
|
* charon-tkm: Store reqid in SADReto Buerki2015-02-204-15/+26
|
* charon-tkm: Store remote SPI in SADReto Buerki2015-02-201-1/+1
| | | | | | | | | Store the remote instead of the local SPI in the SAD when adding a new entry in the kernel plugin's add_sa() function. Since only one ESA context must be destroyed for an inbound/outbound CHILD SA pair, it does not matter which SPI is used to retrieve it in the del_sa function.
* charon-tkm: Make CHILD/ESP SA database publicReto Buerki2015-02-203-22/+15
| | | | | Make the CHILD/ESP SA database a public member of the global tkm_t struct.
* charon-tkm: Fix logger entity name in tests.cReto Buerki2015-02-201-2/+2
| | | | Change 'test_runner' to 'test-runner'.
* ike: Consistently log CHILD_SAs with their unique_id instead of their reqidMartin Willi2015-02-208-11/+13
|
* unity: Reference IKE_SAs by the IKEv1 COOKIEs, improving lookup performanceMartin Willi2015-02-203-14/+17
| | | | | When handling thousands of IKE_SAs, the unique ID based lookup is rather slow, as we have no indexing.
* ike-sa-manager: Remove IKE_SA checkout by CHILD_SA reqidMartin Willi2015-02-205-40/+16
|
* migrate-job: Do CHILD_SA reqid lookup locallyMartin Willi2015-02-202-26/+21
|
* kernel-interface: Raise mapping event with a proto/SPI/dst tupleMartin Willi2015-02-208-41/+75
|
* inactivity-job: Schedule job by CHILD_SA unique ID instead of reqidMartin Willi2015-02-204-23/+17
|
* charon-tkm: Fix compilation of ees_callback.cReto Buerki2015-02-201-3/+5
| | | | | | Update the call to hydra->kernel_interface->expire to make ees_callback.c compile again. The required destination host argument is set to NULL for now.
* kernel-interface: Raise expires with a proto/SPI/dst tuple instead of reqidMartin Willi2015-02-2020-118/+124
|
* controller: Use the CHILD_SA unique_id to terminate CHILD_SAsMartin Willi2015-02-206-38/+24
|
* swanctl: List CHILD_SA unique ID as the primary identifier, but print reqid, tooMartin Willi2015-02-201-2/+2
|
* stroke: List CHILD_SA unique ID as the primary identifier, but print reqid, tooMartin Willi2015-02-201-5/+6
|
* vici: Include the CHILD_SA unique ID in list-sa eventMartin Willi2015-02-202-0/+2
|
* ike: Maintain per-IKE_SA CHILD_SAs in the global CHILD_SA managerMartin Willi2015-02-203-19/+92
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-21 21:55:52 +0000