aboutsummaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
...
* imv-attestation: Fix memory leaks when creating functional componentsTobias Brunner2015-12-113-6/+6
|
* ipsec: Fix stop command on systems where sleep(1) only supports integersTobias Brunner2015-12-101-2/+7
| | | | Fixes #1231.
* vici: Fix documentation about the initiate/terminate timeoutMartin Willi2015-12-071-2/+2
|
* vici: Honor an optionally passed IKE configuration name in initiate/installMartin Willi2015-12-072-5/+13
| | | | | | | If two IKE configurations have CHILD configurations with the same name, we have no control about the CHILD_SA that actually gets controlled. The new "ike" parameter specifies the peer config name to find the "child" config under.
* vici: Support completely asynchronous initiating and terminationMartin Willi2015-12-072-5/+23
| | | | | | In some situations the vici client is not interested in waiting for a timeout at all, so don't register a logging callback if the timeout argument is negative.
* vici: Use an empty local auth round if none givenMartin Willi2015-12-071-3/+2
| | | | | While it hardly makes sense to use none for negotiated SAs, it actually does when installing shunt policies.
* vici: Limit start action undoing to IKE_SAs using the base peer config nameMartin Willi2015-12-071-3/+7
| | | | | If two peer configs use the same child config names, potentailly delete the wrong CHILD_SA. Check the peer config name as well to avoid that.
* vici: Close empty IKE_SAs after undoing CHILD_SA start actionsMartin Willi2015-12-071-6/+44
|
* vici: Use value based array to store CHILD_SA ids during restartMartin Willi2015-12-071-5/+6
| | | | | The previous approach stored a pointer to a volatile stack variable, which works for a single ID, but not for multiple.
* array: Add an insert/create function for value based arraysMartin Willi2015-12-073-0/+68
|
* vici: Undo start actions when unloading configsMartin Willi2015-12-071-0/+1
|
* vici: Fix clean-local target for Perl bindings if they were not builtTobias Brunner2015-12-041-1/+1
| | | | | This is called when running `make distclean` (or indirectly via `make distcheck`).
* byteorder: Provide a fallback for le32toh/htole32()Martin Willi2015-12-041-0/+20
| | | | | Some older toolchains don't provide these macros, so implement them using the gcc builtins. We also provide 64-bit variants as used by chapoly.
* byteorder: Add 32-bit unaligned little-endian conversion functionsMartin Willi2015-12-042-21/+27
|
* swanctl: Explicitly link against -lpthread and -ldl if requiredMartin Willi2015-12-041-1/+2
| | | | | We already do this for charon, as some toolchains require an explicit link even if libstrongswan already depends on it.
* pki: Explicitly link against -lpthread and -ldl if requiredMartin Willi2015-12-041-1/+4
| | | | | We already do this for charon, as some toolchains require an explicit link even if libstrongswan already depends on it.
* watcher: Check for cancellation if poll() fails with EINTRMartin Willi2015-12-041-0/+7
| | | | | | | With LinuxThreads, poll() is unfortunately no cancellation point. It seems that poll gets woken up after cancellation, but we actively must check for cancellation before re-entering poll to properly shut down the watcher thread.
* Extended and refactored vici perl implementationAndreas Steffen2015-12-013-80/+121
|
* Built the CPAN file structure for the Vici::Session perl moduleAndreas Steffen2015-12-0115-72/+1038
|
* Implement vici Perl bindingAndreas Steffen2015-12-018-0/+559
|
* swanctl: Add --list-algs command to query loaded algorithmsTobias Brunner2015-11-304-2/+110
|
* vici: Add get-algorithms command to query loaded algorithms and implementationsTobias Brunner2015-11-302-0/+116
|
* sigwaitinfo() may fail with EINTR if interrupted by an unblocked signal not ↵Tobias Brunner2015-11-239-32/+35
| | | | | | in the set Fixes #1213.
* kernel-pfkey: Enable ENCR_CAMELLIA_CBC when it's availableTobias Brunner2015-11-231-0/+3
| | | | Fixes #1214.
* utils: Use the more low-level __NR_ prefix to refer to the syscall numberTobias Brunner2015-11-171-1/+1
| | | | The __NR_ constants are also defined in the Android headers.
* eap-radius: Add ability to configure RADIUS retransmission behaviorThom Troy2015-11-176-17/+193
| | | | Closes strongswan/strongswan#19.
* eap-mschapv2: Keep internal state to prevent authentication from succeeding ↵Tobias Brunner2015-11-161-24/+67
| | | | | | | | | prematurely We can't allow a client to send us MSCHAPV2_SUCCESS messages before it was authenticated successfully. Fixes CVE-2015-8023.
* android: Suppress compiler warnings about missing field initializersTobias Brunner2015-11-131-0/+1
| | | | | Triggered by -Wextra for many INIT usages where we only partially initialize a struct.
* utils: Provide a fallback for sigwaitinfo() if neededTobias Brunner2015-11-133-30/+36
| | | | | Apparently, not available on Mac OS X 10.10 Yosemite. We don't provide this on Windows.
* vici: Attribute certificates are not trustedTobias Brunner2015-11-121-1/+3
|
* vici: Properly add CRLs to the credential setTobias Brunner2015-11-121-2/+8
| | | | add_crl() ensures that old CLRs are not stored in the credential set.
* mode-config: Reassign migrated virtual IP if client requests %anyTobias Brunner2015-11-121-1/+3
| | | | | | | | | If we mistakenly detect a new IKE_SA as a reauthentication the client won't request the previous virtual IP, but since we already migrated it we already triggered the assign_vips() hook, so we should reassign the migrated virtual IP. Fixes #1152.
* revocation: Allow CRLs to be encoded in PEM formatTobias Brunner2015-11-121-1/+1
| | | | | | | | | | Since the textual representation for a CRL is now standardized in RFC 7468 one could argue that we should accept that too, even though RFC 5280 explicitly demands CRLs fetched via HTTP/FTP to be in DER format. But in particular for file URIs enforcing that seems inconvenient. Fixes #1203.
* curl: Be less strict when considering status codes as errorsTobias Brunner2015-11-121-3/+3
| | | | | | | For file:// URIs the code is 0 on success. We now do the same libcurl would do with CURLOPT_FAILONERROR enabled. Fixes #1203.
* eap-radius: Compare address family when handing out virtual IPsTobias Brunner2015-11-121-6/+26
| | | | | | | This also ensures that the actually released virtual IP is removed from the list of claimed IPs. Fixes #1199.
* eap-mschapv2: Report username if different from EAP-Identity (or IKE identity)Tobias Brunner2015-11-121-1/+4
|
* eap-mschapv2: Provide EAP-MSCHAPv2 username as EAP-IdentityTobias Brunner2015-11-121-2/+17
|
* auth-cfg: Prefer merged rules over existing ones when moving themTobias Brunner2015-11-121-3/+3
| | | | | | This is particularly important for single valued rules (e.g. identities). When copying values this is already handled correctly by the enumerator and add().
* android: Add some (older) unit testsTobias Brunner2015-11-123-0/+381
|
* android: Properly handle shorter types in BufferedByteWriterTobias Brunner2015-11-121-0/+86
| | | | | | | | In Java all integer types are signed, when a negative integer is casted to a larger type (e.g. int to long) then due to sign extension the upper bytes are not 0. So writing that value to a byte array does not produce the expected result. By overloading the putX() methods we make sure to upcast the values correctly.
* android: Migrate to the Gradle build systemTobias Brunner2015-11-12139-71/+327
| | | | | This uses a manual way to trigger the NDK build (the default with on-the-fly Android.mk files does not work for us).
* android: Provide a fallback for sigwaitinfo()Tobias Brunner2015-11-121-1/+29
|
* android: Replace AndroidConfigLocal.h with a header in utils/compatTobias Brunner2015-11-124-5/+16
|
* android: Fix build after updating Linux headersTobias Brunner2015-11-123-3/+0
| | | | | | | | Since we don't use the kernel-netlink plugin anymore and the headers in the NDK are reasonably recent, we don't need this anymore (at least when building the app). Fixes #1172.
* charon-tkm: Register SPI generator callbackAdrian-Ken Rueegsegger2015-11-111-0/+4
| | | | Set get_spi callback of IKE SA manager to TKM-specific implementation.
* charon-tkm: Implement SPI generatorAdrian-Ken Rueegsegger2015-11-112-0/+134
| | | | | The get_spi callback returns a random SPI with a label encoded according to the spi_label and spi_mask parameters read from the strongswan.conf.
* settings: Add settings_value_as_uint64() helper functionTobias Brunner2015-11-113-0/+58
|
* ike-sa-manager: Allow plugins to provide IKE SPIs via a callbackTobias Brunner2015-11-112-11/+54
| | | | | Plugins must depend on `libcharon-sa-managers` to ensure the manager exists.
* libcharon: Publish IKE_SA/CHILD_SA managers as custom plugin featureTobias Brunner2015-11-111-11/+29
|
* ikev1: Also use message hashes for Quick Mode for the early retransmission checkTobias Brunner2015-11-111-4/+8
| | | | | | | | | | We already did so during Phase 1 but because all three Quick Mode message have the same message ID we occasionally dropped the third message as retransmit, so we do it there too. For INFORMATIONAL and TRANSACTION exchanges we don't expect more than one inbound message with the same message ID so we still use them there. Fixes #1198.
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-06 01:07:51 +0000