aboutsummaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
...
* Switch encoding of AR Identity Value from binary to UTF-8Andreas Steffen2013-03-2214-118/+123
|
* activate logging before loading pluginsAndreas Steffen2013-03-211-7/+7
|
* Add a load-tester option to keep allocated external address until shutdownMartin Willi2013-03-212-1/+50
|
* android: No need to disable CMS explicitlyTobias Brunner2013-03-201-1/+0
| | | | The version check introduced with 0d237763 should take care of it.
* Allow up to 10 NAT-D payloads in IKEv1 messagesTobias Brunner2013-03-201-1/+1
|
* Avoid a race condition when reloading secrets from ipsec.secretsTobias Brunner2013-03-201-18/+25
| | | | | | | With the previous implementation that cleared the secrets in the active credential set and then loaded the secrets, IKE SA establishment would fail (as initiator or responder) if secrets are concurrently reloaded and the required secret was not yet loaded.
* Add a method to replace all secrets in a mem_cred_t objectTobias Brunner2013-03-202-5/+68
|
* android: Build native libraries also for x86Tobias Brunner2013-03-203-2/+5
| | | | Requires an updated build script for Vstr.
* android: libtnccs requires headers from libtlsTobias Brunner2013-03-201-0/+1
|
* android: Fix Android.mk for ipsec scriptTobias Brunner2013-03-201-1/+2
|
* android: Remove/filter header files from LOCAL_SRC_FILESTobias Brunner2013-03-209-20/+36
| | | | This avoids huge warnings when building the native code.
* android: Request and install an IPv6 DNS serverTobias Brunner2013-03-202-9/+17
|
* android: Also request a virtual IPv6 address and propose IPv6 TSTobias Brunner2013-03-203-23/+25
| | | | | This allows IPv6 over IPv4 but falls back nicely if we don't get a virtual IPv6 (or IPv4) address.
* ipsec: Increased log level for message in case no outbound policy is foundTobias Brunner2013-03-201-1/+1
| | | | | | | This might happen on Android if sockets are bound to the physical IP address but packets are still routed via TUN device. Since it seems to happen quite often (or for stuff that requires regular traffic) this hides these messages from the default log.
* Add an option to autobalance a HA cluster automaticallyMartin Willi2013-03-191-0/+59
|
* Check if for some reason we handle a HA segment on both nodesMartin Willi2013-03-191-1/+15
|
* Acquire HA segment lock while sending heartbeatMartin Willi2013-03-191-0/+2
|
* Removed unused variable 'id'Tobias Brunner2013-03-191-2/+1
|
* Properly cleanup libmysqlTobias Brunner2013-03-191-1/+1
| | | | Seems to work correctly with recent MySQL versions.
* Use proper address family when adding multiple addresses to SQL poolTobias Brunner2013-03-191-0/+15
|
* Ignore SQL-based IP address pools if their address family does not matchTobias Brunner2013-03-191-10/+21
|
* charon-nm: Add dependencies to CERT_DECODE and PRIVKEY plugin featuresTobias Brunner2013-03-191-0/+4
| | | | | | This ensures the NM-specific credential set is unloaded before any implementation of certificate/key objects, which causes a segmentation fault during shutdown.
* charon-nm: Prevent NM from changing the default routeTobias Brunner2013-03-191-0/+8
| | | | | | This is not required as we install our own (narrow) route(s) in our own routing table. This should allow split tunneling if configured on the gateway.
* charon-nm: Use VIP (if any) as local addressTobias Brunner2013-03-191-1/+10
| | | | NM will install this address on the provided device.
* charon-nm: Pass a dummy TUN device to NetworkManagerTobias Brunner2013-03-191-5/+37
| | | | | | NetworkManager modifies the addresses etc. on this interface so using "lo" is not optimal. With the dummy interface NM is free to do its thing.
* charon-nm: Fix NM plugin utility macrosTobias Brunner2013-03-191-3/+3
|
* Avoid returning COOKIEs right after system bootTobias Brunner2013-03-191-1/+1
| | | | | | | | | | | When the monotonic timer is initialized to 0 right after the system is booted the daemon responded with COOKIES for COOKIE_CALMDOWN_DELAY (10s). Since the COOKIE verification code actually produces an overflow for COOKIE_LIFETIME (10s) it wouldn't even accept properly returned COOKIEs. Checking for last_cookie makes sense anyway as that condition must only apply if we actually sent a COOKIE before.
* Fix scheduling of heartbeat sending in HA pluginMartin Willi2013-03-191-2/+11
| | | | | | e0efd7c1 switches to automated job rescheduling for HA heartbeat. However, send_status() is initially called directly, which will not reschedule the job as required.
* Fix compiler warning in HA pluginMartin Willi2013-03-191-1/+1
|
* Various stylistic fixesAdrian-Ken Rueegsegger2013-03-1912-123/+155
|
* Use network byte order for ESA SPIsAdrian-Ken Rueegsegger2013-03-191-6/+5
|
* Provide MODP-2048 through TKM DH pluginAdrian-Ken Rueegsegger2013-03-191-0/+1
|
* Add charon-tkm API documentationAdrian-Ken Rueegsegger2013-03-1917-16/+158
|
* Do not hardwire keys to KEY_RSAReto Buerki2013-03-193-12/+51
| | | | | Make the TKM private and public keys more easily extendable by determining the associated key type dynamically.
* Provide TKM credential encoderReto Buerki2013-03-195-26/+150
| | | | | | | | The TKM credential encoder creates fingerprints of type KEYID_PUBKEY_INFO_SHA1 and KEYID_PUBKEY_SHA1 using CRED_PART_RSA_PUB_ASN1_DER. This makes the pkcs1 plugin unnecessary.
* Switch to openssl pluginReto Buerki2013-03-191-8/+1
|
* Don't manually register kernel_netlink_netReto Buerki2013-03-194-16/+11
| | | | | | | | | Load complete kernel_netlink plugin instead. Registering the TKM specific plugins first still ensures that the correct ipsec plugin is used. Lazy initialize the RNG_WEAK plugin to avoid the unsatisfiable soft dependency on startup.
* Move stroke plugin to the end of PLUGINS listReto Buerki2013-03-191-2/+2
| | | | | This fixes the problem of stroke being unable to load the ca certificates on startup.
* Make sure IP_XFRM_POLICY is definedReto Buerki2013-03-191-0/+5
|
* Call isa_skip_create_first when keeping IKE SAAdrian-Ken Rueegsegger2013-03-191-0/+20
| | | | | | | An ALERT_KEEP_ON_CHILD_SA_FAILURE alert is issued when child SA establishment fails but the corresponding IKE SA is not destroyed. To allow later creation of child SAs the ISA context must be signaled that the implicity first child SA creation was skipped.
* Make IKE and EES sockets configurableAdrian-Ken Rueegsegger2013-03-191-4/+15
| | | | | | | | | | | | The IKE and EES sockets are now read from strongswan.conf. They can be specified like this: charon-tkm { ike_socket = /tmp/tkm.rpc.ike ees_socket = /tmp/tkm.rpc.ees } The socket names given above are used by default if none are configured.
* Implement TKM-specific credential setReto Buerki2013-03-195-21/+206
| | | | | | | The TKM credential set extends the in-memory credential set. It provides a private key enumerator which is used to instantiate private key proxy objects on-demand. This allows the usage of private keys with arbitrary identifiers.
* Initialize libstrongswan in test_runner main()Reto Buerki2013-03-192-54/+41
|
* Set ri_id to reqid when setting user certificateAdrian-Ken Rueegsegger2013-03-191-2/+29
| | | | | | | | | Pass the reqid (of the first child config of an IKE SA) as remote identity id when calling cc_set_user_certificate. May lead to the usage of the wrong id in case an IKE SA has multiple child configurations/reqids. This must be replaced with a proper lookup once the configuration backend is implemented and provides remote identity ids to charon-tkm.
* Set sp_id to reqid when creating ESAAdrian-Ken Rueegsegger2013-03-191-3/+3
| | | | The reqid corresponds to the sp_id (security policy id) on the TKM side.
* Call Esa_Select after creation of child SAAdrian-Ken Rueegsegger2013-03-191-0/+10
| | | | This tells the TKM which child SA is the currently active SA.
* Check that chunk fits into sequence when convertingAdrian-Ken Rueegsegger2013-03-191-1/+13
|
* Remove result out parameter from EES InitReto Buerki2013-03-193-21/+4
| | | | Error processing is done by the registered exception handler.
* Drop support for pre-shared key authenticationAdrian-Ken Rueegsegger2013-03-191-23/+1
|
* charon-tkm: Register TKM private key on startupReto Buerki2013-03-191-0/+13
|