aboutsummaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
* ikev1: Reestablish IKE_SA/CHILD_SAs if it gets deleted by the peerTobias Brunner2013-07-171-0/+5
| | | | | We call ike_sa_t.reestablish() so the IKE_SA is only recreated if any CHILD_SA requires it.
* ike: Migrate queued CHILD_SA-creating tasks when reestablishing an IKE_SATobias Brunner2013-07-174-2/+115
|
* ikev1: Support closeaction of CHILD_SA.Oliver Smith2013-07-171-7/+49
| | | | | | When a CHILD_SA is closed in IKEv1, if it is not being rekeyed and closeaction has been set, we can now perform a restart or hold as is currently done for IKEv2.
* kernel-pfroute: Ignore IP address changes if address is %anyTobias Brunner2013-07-171-1/+2
|
* kernel-pfroute: Properly enumerate sockaddrs in interface messagesTobias Brunner2013-07-171-9/+26
| | | | | The ifa_msghdr and rt_msghdr structs are not compatible (at least not on FreeBSD).
* kernel-pfroute: Provide name of interfaces on which virtual IPs are installedTobias Brunner2013-07-172-1/+23
|
* kernel-pfroute: Ignore virtual IPs in address mapTobias Brunner2013-07-171-13/+9
| | | | | As the virtual flag is set after the address has been added to the map, we make sure we ignore virtual IPs when doing lookups.
* kernel-pfroute: Make sure source addresses are not virtual and usableTobias Brunner2013-07-171-4/+20
| | | | | | | It seems we sometimes get the virtual IP as source (with rightsubnet=0.0.0.0/0) even if the exclude route is already installed. Might be a timing issue because shortly afterwards the lookup seems to succeed.
* kernel-pfroute: Don't report an error when trying to reinstall a routeTobias Brunner2013-07-171-0/+4
|
* kernel-pfkey: Provide interface name when installing exclude routeTobias Brunner2013-07-171-4/+15
|
* kernel-pfroute: Reinstall routes on interface/address changesTobias Brunner2013-07-171-7/+320
|
* kernel-pfroute: Trigger a roam event if a new interface appearsTobias Brunner2013-07-171-0/+4
|
* kernel-pfroute: Use ref_get() to allocate sequence numbersTobias Brunner2013-07-171-3/+3
|
* kernel-pfroute: Make time that is waited for VIPs to appear configurableTobias Brunner2013-07-171-2/+11
| | | | | One second might be too short for IPs to appear/disappear, especially on virtualized hosts.
* kernel-pfroute: Retry route lookup without source address on failureTobias Brunner2013-07-171-1/+16
| | | | | The known source address might be gone resulting in an error, making learning a new source address impossible.
* kernel-pfkey: Remove latest IPsec SA mapping when deleting a policyTobias Brunner2013-07-171-5/+12
| | | | | | | | | | | If IPsec SAs are rekeyed due to an address change (e.g. because update_sa is not supported) the exact same policy with the same reqid will be installed, but with different addresses. After the rekeying the old SA and its policies are removed, using the first matching mapping breaks the mapping between the policies and the new SA (at least on FreeBSD, the Linux kernel might only use the reqid for this). Using the oldest matching SA is still an approximation but it solves the above issue.
* kernel-pfkey: Correctly handle IPSEC_PROTO_ANY in an acquireTobias Brunner2013-07-171-2/+5
|
* linked-list: Remove barely used has_more() methodTobias Brunner2013-07-174-152/+106
| | | | | | | | This required some refactoring when handling encrypted payloads. Also changed log messages so that "encrypted payload" is logged instead of "encryption payload" (even if we internally still call it that) as that's the name used in RFC 5996.
* linked-list: Don't require an argument for the item when enumeratingTobias Brunner2013-07-172-1/+21
|
* linked-list: Remove unused clone_function() methodTobias Brunner2013-07-173-53/+7
|
* linked-list: Remove barely used find_last() methodTobias Brunner2013-07-175-72/+6
|
* linked-list: Remove unused replace() methodTobias Brunner2013-07-173-65/+51
| | | | | | Its functionality can be replicated by calling insert_before() followed by remove_at(). Not the other way around, though, because remove_at() changes the enumerator position.
* child-sa: refactor proxy transport mode address lookupMartin Willi2013-07-171-56/+42
|
* child-sa: replace traffic selector lists by arraysMartin Willi2013-07-171-18/+19
| | | | Saves up to another 0.5KB of memory per CHILD_SA.
* child-sa: replace get_traffic_selectors() with create_ts_enumerator()Martin Willi2013-07-1712-78/+124
| | | | | Not directly returning a linked list allows us to change the internals of the CHILD_SA transparently.
* ikev2: replace linked lists by arrays in task managerMartin Willi2013-07-171-70/+76
| | | | Eliminates another three lists, 0.5KB per IKE_SA.
* auth-cfg: use array instead of linked listMartin Willi2013-07-171-35/+26
| | | | Saves another 4 linked lists (1KB) per IKE_SA
* proposal: use array to store proposal listMartin Willi2013-07-171-25/+18
| | | | Removes another two linked lists (0.5KB) of memory per IKE/CHILD_SA pair.
* proposal: use a single list to store all transformsMartin Willi2013-07-171-308/+174
| | | | | Beside that it makes the code actually simpler, it reduces the number of lists stored by each IKE_SA and each CHILD_SA by 4, which can be up to 1KB per SA.
* ike-sa: use arrays instead of linked lists in long lived collectionsMartin Willi2013-07-171-116/+98
| | | | This saves about 1.5KB of memory per IKE_SA.
* unit-tests: implement tests for array collectionMartin Willi2013-07-174-1/+363
|
* array: introduce an array collection storing elements very efficientlyMartin Willi2013-07-174-2/+613
| | | | | | | | | | | | | | | | | | | | | | | | | | Currently we use the very versatile linked-list collection to store elements with variable count. This is fine, but very inefficient: Due to the many methods in the linked list, on 64-bit platforms an empty list alone is more than 200 bytes. As we currently have about 50 lists per IKE_SA/CHILD_SA pair, this takes up to 10KB just for managing the empty lists. This is about the half of memory used by an IKE_SA/CHILD_SA pair, and obviously way too much. The new array type is not an object, but a collection of functions on an abstract type. The following lists are per IKE_SA and should be considered for a replacement with more efficient arrays (this uses load-testers on-demand created dynamic configurations, other scenarios have different lists): 14 -> ike_sa_create() @ src/libcharon/sa/ike_sa.c:2198 10 -> auth_cfg_create() @ src/libstrongswan/credentials/auth_cfg.c:1088 6 -> task_manager_v2_create() @ src/libcharon/sa/ikev2/task_manager_v2.c:1505 6 -> proposal_create() @ src/libcharon/config/proposal.c:592 5 -> peer_cfg_create() @ src/libcharon/config/peer_cfg.c:657 4 -> child_sa_create() @ src/libcharon/sa/child_sa.c:1090 2 -> child_cfg_create() @ src/libcharon/config/child_cfg.c:536 1 -> ike_cfg_create() @ src/libcharon/config/ike_cfg.c:330 1 -> put_connected_peers() @ src/libcharon/sa/ike_sa_manager.c:854
* kernel-libipsec: Log error if no local address is found when installing routesTobias Brunner2013-07-151-0/+5
|
* dumm: Sort templates by nameTobias Brunner2013-07-152-1/+3
|
* stroke: Add certificates extracted from PKCS#12 files to correct credential setTobias Brunner2013-07-151-4/+4
| | | | | Only keys and shared secrets are moved from the temporary credential set after loading all secrets.
* pkcs12: Add plugin dependencies with soft dependencies on the most common ↵Tobias Brunner2013-07-151-0/+6
| | | | algorithms
* leak-detective: remove hdr entry when reallocating zero bytesMartin Willi2013-07-121-0/+6
|
* leak-detective: print total of allocated/leaked bytes in usage/reportMartin Willi2013-07-121-5/+13
|
* dumm: add include for in.h, if_bridge.h now uses struct in6_addrMartin Willi2013-07-121-1/+1
|
* Recognize critical IssuingDistributionPoint CRL extensionAndreas Steffen2013-07-123-1/+8
|
* leak-detective: add a usage threshold option based on the number of allocationsMartin Willi2013-07-101-6/+11
|
* leak-detective: set_state() only affects the calling threadMartin Willi2013-07-102-15/+2
| | | | | The only user (bfd backtraces) is fine with that, and we really should not mess the enable flag while doing allocations with other threads.
* leak-detective: take a copy of backtrace while printing tracesMartin Willi2013-07-101-2/+3
| | | | | As we don't want to hold the lock, we must make sure backtraces keep valid while printing them.
* backtrace: add a clone() methodMartin Willi2013-07-102-7/+44
|
* leak-detective: remove hdr from the allocation list during realloc()Martin Willi2013-07-101-39/+60
| | | | | | | If realloc moves an allocation, the original allocation gets freed. We therefore must remove the hdr from the list, as it is invalid. We can add it afterwards once it has been updated, allowing us to unlock the list during reallocation.
* Fixed alignment of device ID column5.1.0dr2Andreas Steffen2013-07-101-2/+2
|
* android: New release after adding support for EAP-TNCTobias Brunner2013-07-081-2/+2
| | | | | Also disabled listening on IPv6 because the Linux kernel currently does not support UDP encapsulation for IPv6.
* android: Properly handle dotted-quad notation of IPv6 addressesTobias Brunner2013-07-081-1/+1
| | | | | For nestat output like ::ffff:127.0.0.1:9876 we shall not treat 127 as port but 9876 instead.
* android: Allow IMC state to be dismissed with a swipe gestureTobias Brunner2013-07-081-0/+30
|
* android: Use explicit locale when converting settings namesTobias Brunner2013-07-081-2/+4
| | | | | | Apparently, these functions use the user's default locale which might not yield the expected result (e.g. lowercase I is not i in the Turkish locale but ı instead).
generated by cgit v1.2.3 (git 2.25.1) at 2025-07-24 06:27:19 +0000