| Commit message | Author | Date | Files | Lines |
|---|---|---|---|---|
| Switch encoding of AR Identity Value from binary to UTF-8 | Andreas Steffen | 2013-03-22 | 14 | -118/+123 |
| activate logging before loading plugins | Andreas Steffen | 2013-03-21 | 1 | -7/+7 |
| Add a load-tester option to keep allocated external address until shutdown | Martin Willi | 2013-03-21 | 2 | -1/+50 |
| android: No need to disable CMS explicitly | Tobias Brunner | 2013-03-20 | 1 | -1/+0 |
| The version check introduced with 0d237763 should take care of it. | | | | |
| Allow up to 10 NAT-D payloads in IKEv1 messages | Tobias Brunner | 2013-03-20 | 1 | -1/+1 |
| Avoid a race condition when reloading secrets from ipsec.secrets | Tobias Brunner | 2013-03-20 | 1 | -18/+25 |
| With the previous implementation that cleared the secrets in the active credential set and then loaded the secrets, IKE SA establishment would fail (as initiator or responder) if secrets are concurrently reloaded and the required secret was not yet loaded. | | | | |
| Add a method to replace all secrets in a mem_cred_t object | Tobias Brunner | 2013-03-20 | 2 | -5/+68 |
| android: Build native libraries also for x86 | Tobias Brunner | 2013-03-20 | 3 | -2/+5 |
| Requires an updated build script for Vstr. | | | | |
| android: libtnccs requires headers from libtls | Tobias Brunner | 2013-03-20 | 1 | -0/+1 |
| android: Fix Android.mk for ipsec script | Tobias Brunner | 2013-03-20 | 1 | -1/+2 |
| android: Remove/filter header files from LOCAL_SRC_FILES | Tobias Brunner | 2013-03-20 | 9 | -20/+36 |
| This avoids huge warnings when building the native code. | | | | |
| android: Request and install an IPv6 DNS server | Tobias Brunner | 2013-03-20 | 2 | -9/+17 |
| android: Also request a virtual IPv6 address and propose IPv6 TS | Tobias Brunner | 2013-03-20 | 3 | -23/+25 |
| This allows IPv6 over IPv4 but falls back nicely if we don't get a virtual IPv6 (or IPv4) address. | | | | |
| ipsec: Increased log level for message in case no outbound policy is found | Tobias Brunner | 2013-03-20 | 1 | -1/+1 |
| This might happen on Android if sockets are bound to the physical IP address but packets are still routed via TUN device. Since it seems to happen quite often (or for stuff that requires regular traffic) this hides these messages from the default log. | | | | |
| Add an option to autobalance a HA cluster automatically | Martin Willi | 2013-03-19 | 1 | -0/+59 |
| Check if for some reason we handle a HA segment on both nodes | Martin Willi | 2013-03-19 | 1 | -1/+15 |
| Acquire HA segment lock while sending heartbeat | Martin Willi | 2013-03-19 | 1 | -0/+2 |
| Removed unused variable 'id' | Tobias Brunner | 2013-03-19 | 1 | -2/+1 |
| Properly clean up libmysql | Tobias Brunner | 2013-03-19 | 1 | -1/+1 |
| Seems to work correctly with recent MySQL versions. | | | | |
| Use proper address family when adding multiple addresses to SQL pool | Tobias Brunner | 2013-03-19 | 1 | -0/+15 |
| Ignore SQL-based IP address pools if their address family does not match | Tobias Brunner | 2013-03-19 | 1 | -10/+21 |
| charon-nm: Add dependencies to CERT_DECODE and PRIVKEY plugin features | Tobias Brunner | 2013-03-19 | 1 | -0/+4 |
| This ensures the NM-specific credential set is unloaded before any implementation of certificate/key objects, which causes a segmentation fault during shutdown. | | | | |
| charon-nm: Prevent NM from changing the default route | Tobias Brunner | 2013-03-19 | 1 | -0/+8 |
| This is not required as we install our own (narrow) route(s) in our own routing table. This should allow split tunneling if configured on the gateway. | | | | |
| charon-nm: Use VIP (if any) as local address | Tobias Brunner | 2013-03-19 | 1 | -1/+10 |
| NM will install this address on the provided device. | | | | |
| charon-nm: Pass a dummy TUN device to NetworkManager | Tobias Brunner | 2013-03-19 | 1 | -5/+37 |
| NetworkManager modifies the addresses etc. on this interface so using "lo" is not optimal. With the dummy interface NM is free to do its thing. | | | | |
| charon-nm: Fix NM plugin utility macros | Tobias Brunner | 2013-03-19 | 1 | -3/+3 |
| Avoid returning COOKIEs right after system boot | Tobias Brunner | 2013-03-19 | 1 | -1/+1 |
| When the monotonic timer is initialized to 0 right after the system is booted the daemon responded with COOKIEs for COOKIE_CALMDOWN_DELAY (10s). Since the COOKIE verification code actually produces an overflow for COOKIE_LIFETIME (10s) it wouldn't even accept properly returned COOKIEs. Checking for last_cookie makes sense anyway as that condition must only apply if we actually sent a COOKIE before. | | | | |
| Fix scheduling of heartbeat sending in HA plugin | Martin Willi | 2013-03-19 | 1 | -2/+11 |
| e0efd7c1 switches to automated job rescheduling for HA heartbeat. However, send_status() is initially called directly, which will not reschedule the job as required. | | | | |
| Fix compiler warning in HA plugin | Martin Willi | 2013-03-19 | 1 | -1/+1 |
| Various stylistic fixes | Adrian-Ken Rueegsegger | 2013-03-19 | 12 | -123/+155 |
| Use network byte order for ESA SPIs | Adrian-Ken Rueegsegger | 2013-03-19 | 1 | -6/+5 |
| Provide MODP-2048 through TKM DH plugin | Adrian-Ken Rueegsegger | 2013-03-19 | 1 | -0/+1 |
| Add charon-tkm API documentation | Adrian-Ken Rueegsegger | 2013-03-19 | 17 | -16/+158 |
| Do not hardwire keys to KEY_RSA | Reto Buerki | 2013-03-19 | 3 | -12/+51 |
| Make the TKM private and public keys more easily extendable by determining the associated key type dynamically. | | | | |
| Provide TKM credential encoder | Reto Buerki | 2013-03-19 | 5 | -26/+150 |
| The TKM credential encoder creates fingerprints of type KEYID_PUBKEY_INFO_SHA1 and KEYID_PUBKEY_SHA1 using CRED_PART_RSA_PUB_ASN1_DER. This makes the pkcs1 plugin unnecessary. | | | | |
| Switch to openssl plugin | Reto Buerki | 2013-03-19 | 1 | -8/+1 |
| Don't manually register kernel_netlink_net | Reto Buerki | 2013-03-19 | 4 | -16/+11 |
| Load complete kernel_netlink plugin instead. Registering the TKM specific plugins first still ensures that the correct ipsec plugin is used. Lazily initialize the RNG_WEAK plugin to avoid the unsatisfiable soft dependency on startup. | | | | |
| Move stroke plugin to the end of PLUGINS list | Reto Buerki | 2013-03-19 | 1 | -2/+2 |
| This fixes the problem of stroke being unable to load the ca certificates on startup. | | | | |
| Make sure IP_XFRM_POLICY is defined | Reto Buerki | 2013-03-19 | 1 | -0/+5 |
| Call isa_skip_create_first when keeping IKE SA | Adrian-Ken Rueegsegger | 2013-03-19 | 1 | -0/+20 |
| An ALERT_KEEP_ON_CHILD_SA_FAILURE alert is issued when child SA establishment fails but the corresponding IKE SA is not destroyed. To allow later creation of child SAs the ISA context must be signaled that the implicitly first child SA creation was skipped. | | | | |
| Make IKE and EES sockets configurable | Adrian-Ken Rueegsegger | 2013-03-19 | 1 | -4/+15 |
| The IKE and EES sockets are now read from strongswan.conf. They can be specified like this: `charon-tkm { ike_socket = /tmp/tkm.rpc.ike ees_socket = /tmp/tkm.rpc.ees }`. The socket names given above are used by default if none are configured. | | | | |
| Implement TKM-specific credential set | Reto Buerki | 2013-03-19 | 5 | -21/+206 |
| The TKM credential set extends the in-memory credential set. It provides a private key enumerator which is used to instantiate private key proxy objects on-demand. This allows the usage of private keys with arbitrary identifiers. | | | | |
| Initialize libstrongswan in test_runner main() | Reto Buerki | 2013-03-19 | 2 | -54/+41 |
| Set ri_id to reqid when setting user certificate | Adrian-Ken Rueegsegger | 2013-03-19 | 1 | -2/+29 |
| Pass the reqid (of the first child config of an IKE SA) as remote identity id when calling cc_set_user_certificate. May lead to the usage of the wrong id in case an IKE SA has multiple child configurations/reqids. This must be replaced with a proper lookup once the configuration backend is implemented and provides remote identity ids to charon-tkm. | | | | |
| Set sp_id to reqid when creating ESA | Adrian-Ken Rueegsegger | 2013-03-19 | 1 | -3/+3 |
| The reqid corresponds to the sp_id (security policy id) on the TKM side. | | | | |
| Call Esa_Select after creation of child SA | Adrian-Ken Rueegsegger | 2013-03-19 | 1 | -0/+10 |
| This tells the TKM which child SA is the currently active SA. | | | | |
| Check that chunk fits into sequence when converting | Adrian-Ken Rueegsegger | 2013-03-19 | 1 | -1/+13 |
| Remove result out parameter from EES Init | Reto Buerki | 2013-03-19 | 3 | -21/+4 |
| Error processing is done by the registered exception handler. | | | | |
| Drop support for pre-shared key authentication | Adrian-Ken Rueegsegger | 2013-03-19 | 1 | -23/+1 |
| charon-tkm: Register TKM private key on startup | Reto Buerki | 2013-03-19 | 1 | -0/+13 |