| Commit message | Author | Age | Files | Lines |
This strangely never caused any noticeable issues, but was the reason for
build failures in certain test cases (mostly BLISS) due to missing plugin
features when built with specific options on Travis (was not reproducible
locally).
Doing this from the main UI thread (which delivers the broadcast) might
cause an ANR if there is a delay (e.g. while acquiring a mutex in the
native parts). There might also have been a race condition during
termination previously because Unregister() was not synchronized so there
might have been dangling events that got delivered while or after the mutex
in the native parts was destroyed.
Some devices always use the oldest IKE_SA to send DPDs and will delete
all IKE_SAs when there is no response. If uniqueness is not enforced
rekeyed IKE_SAs might not get deleted until they expire so we should
respond to DPDs.
References #2090.
When multihomed, a setup might prefer to dynamically stay on the cheapest
available path by using MOBIKE migrations. If the cheapest path goes away and
comes back, we currently stay on the more expensive path to reduce noise and
prevent potential migration issues. This is usually just fine for links not
generating real cost.
If we have more expensive links in the setup, it can be desirable to always
migrate to the cheapest link available. By setting charon.prefer_best_path,
charon tries to migrate to the path using the highest priority link, allowing
an external application to update routes to indirectly control MOBIKE behavior.
This option has no effect if MOBIKE is unavailable.
Disabling MOBIKE and statically configuring a local address should be
enough indication that the user doesn't want to roam to a different
address. There might not be any routes that indicate we can use the
current address but it might still work (e.g. if the address is on an
interface that is not referenced in any routes and the address itself
is neither). This way we avoid switching to another address for routes
that might be available on the system.
We currently don't make much use of COND_STALE anyway when MOBIKE is not
enabled, e.g. to avoid sending DPDs if the connection is seemingly down.
With MOBIKE enabled we don't exactly check that state but we don't
send DPDs if there is no route/source address available.
Fixes: 8d96f90a7983 ("vici: Add function to test if an event should be
generated")
This way updates to the mediation config are respected and the order in
which configs are configured/loaded does not matter.
The SQL plugin currently maintains the strong relationship between
mediated and mediation connection (we could theoretically change that to a
string too).
The original name is returned in the new "name" attribute.
This fixes an issue with bindings that map VICI messages to
dictionaries. For instance, in roadwarrior scenarios where every
CHILD_SA has the same name only the information of the last CHILD_SA
would end up in the dictionary for that name.
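The dictionary collision described in this commit message is easy to see with a minimal VICI decoder. The following is an added example, not code from the commit or from strongSwan's vici library: it encodes and decodes VICI messages using the protocol's element types (section start/end, key/value, list start/item/end, one-byte name lengths, two-byte big-endian value lengths), decodes them into dicts the way bindings do, and then groups CHILD_SAs by the `name` attribute. The two list-sas samples are constructed for the example; the `net-1`/`net-2` key format is illustrative only, the point is that the keys are unique and the original name is carried in the `name` attribute.

```python
"""Decode VICI messages into dicts and recover CHILD_SAs by their original name.

Added example, not strongSwan's own code. The element encoding follows the
VICI protocol (section start/end, key/value, list start/item/end, one-byte
name lengths, two-byte big-endian value lengths). The list-sas samples below
are constructed for this example and abbreviated; the unique key format
("net-1") is an assumption made for illustration.
"""
import struct

SECTION_START, SECTION_END, KEY_VALUE, LIST_START, LIST_ITEM, LIST_END = range(1, 7)


def encode(obj):
    """Encode a section body. `obj` is a dict or a tuple of (key, value) pairs
    (tuples allow duplicate keys); dict/tuple values become sections, list
    values become VICI lists, anything else a key/value."""
    out = bytearray()
    for key, value in (obj.items() if isinstance(obj, dict) else obj):
        name = key.encode()
        if isinstance(value, (dict, tuple)):
            out += bytes([SECTION_START, len(name)]) + name + encode(value) + bytes([SECTION_END])
        elif isinstance(value, list):
            out += bytes([LIST_START, len(name)]) + name
            for item in value:
                data = str(item).encode()
                out += bytes([LIST_ITEM]) + struct.pack("!H", len(data)) + data
            out += bytes([LIST_END])
        else:
            data = str(value).encode()
            out += bytes([KEY_VALUE, len(name)]) + name + struct.pack("!H", len(data)) + data
    return bytes(out)


def decode(buf):
    """Decode VICI elements into nested dicts. A repeated section key simply
    overwrites the earlier entry, which is exactly what bindings that map
    messages to dictionaries do."""
    stack = [{}]
    pos = 0
    while pos < len(buf):
        elem = buf[pos]
        pos += 1
        if elem in (SECTION_START, KEY_VALUE, LIST_START):
            nlen = buf[pos]
            name = buf[pos + 1:pos + 1 + nlen].decode()
            pos += 1 + nlen
        if elem == SECTION_START:
            section = {}
            stack[-1][name] = section
            stack.append(section)
        elif elem == SECTION_END:
            stack.pop()
        elif elem == KEY_VALUE:
            (vlen,) = struct.unpack_from("!H", buf, pos)
            stack[-1][name] = buf[pos + 2:pos + 2 + vlen].decode()
            pos += 2 + vlen
        elif elem == LIST_START:
            items = []
            stack[-1][name] = items
            stack.append(items)
        elif elem == LIST_ITEM:
            (vlen,) = struct.unpack_from("!H", buf, pos)
            stack[-1].append(buf[pos + 2:pos + 2 + vlen].decode())
            pos += 2 + vlen
        elif elem == LIST_END:
            stack.pop()
        else:
            raise ValueError(f"unknown VICI element type {elem} at offset {pos - 1}")
    if len(stack) != 1:
        raise ValueError("unbalanced sections/lists")
    return stack[0]


def children_by_name(ike_sa):
    """Group the CHILD_SAs of one decoded IKE_SA by config name. The "name"
    attribute is authoritative; the section key is the fallback for messages
    that lack it."""
    groups = {}
    for key, child in ike_sa.get("child-sas", {}).items():
        groups.setdefault(child.get("name", key), []).append(child)
    return groups


def _child(uid, ts, name=None):
    body = [("uniqueid", str(uid)), ("state", "INSTALLED"), ("local-ts", [ts])]
    if name is not None:
        body.insert(0, ("name", name))
    return tuple(body)


# Constructed: a roadwarrior IKE_SA "rw" with two CHILD_SAs both configured as "net".
OLD_STYLE = encode((("rw", (("uniqueid", "7"), ("child-sas", (
    ("net", _child(1, "10.1.0.0/16")),
    ("net", _child(2, "10.2.0.0/16")),
)))),))
NEW_STYLE = encode((("rw", (("uniqueid", "7"), ("child-sas", (
    ("net-1", _child(1, "10.1.0.0/16", name="net")),
    ("net-2", _child(2, "10.2.0.0/16", name="net")),
)))),))
```

Decoding `OLD_STYLE` leaves a single `net` entry (the second CHILD_SA), while `NEW_STYLE` keeps both and `children_by_name()` recovers them under the original config name.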
sections
Probably not that useful via swanctl.conf but could be when used via VICI.
PINs are stored in a "hidden" credential set, so that its shared
secrets are not exposed via VICI. Since they are not explicitly loaded as
shared secrets via VICI a client might consider them as removed secrets and
remove them.
The two names are also transmitted in separate keys.
Also adds an `ike` parameter to the `uninstall` command.
The same goes for the start-action-job. When unrouting, we search for
the first policy with a matching child-cfg.
This will allow us to reuse the names of child configs e.g. when they
are defined in different connections.
Fixes #1002.
Fixes #2170.
This identifier can be set when adding/replacing a secret. The unique
identifiers of all secrets may be enumerated.
Also added is a method to enumerate the unique identifiers.
They are identified by their SHA-1 key identifier.
After an interface disappeared we can't remove the policies correctly as
the name doesn't resolve to the previous index anymore.
And making the policies so specific might not provide that much benefit.
To handle the interfaces on the policies correctly would require some
changes to the child-cfg, kernel-interface etc. so they'd take interface
indices directly so we could target the policies correctly even if an
interface disappeared (or reappeared and got a new index).
These options disable validation as such, e.g. even from cached CRLs, not
only the fetching. Also made the plugin's validate() implementation a
no-op if both options are disabled.
The SA ID (src, dst, proto, spi) is unique on ingress.
As such, explicit inbound marking is not needed to match an SA.
On the other hand, requiring inbound SAs to use marks forces the
installation of a mechanism for marking traffic (e.g. iptables) based
on some criteria.
Defining the criteria becomes complicated, for example when required to
support multiple SAs from the same src, especially when traffic is UDP
encapsulated.
This commit removes the assignment of the child_sa mark_in to the inbound SA.
Policies can be arbitrated by existing means - e.g., via netfilter policy
matching or using VTI interfaces - without the need to classify the flows prior
to state matching.
Since the reqid allocator regards the mark value, there is no risk of matching
the wrong policy.
And as explicit marking was required for route-based VPN to work before this
change, it should not cause regressions in existing setups.
Closes strongswan/strongswan#59.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
Fixes: 267c1f7083d4 ("keymat: Allow keymat to modify signature scheme(s)")
For table dumps the kernel accepts RTA_PREFSRC to filter the routes, which is
what we do when doing userspace route calculations. For kernel-based route
lookups, however, the RTA_PREFSRC attribute is ignored and we must specify
RTA_SRC for policy based route lookups.
For gateways with many connections, installing routes is often disabled,
as we can use a static route configuration to achieve proper routing with
a single rule. If this is the case, there is no need to dump all routes and
do userspace route lookups, as there is no need to exclude routes we installed
ourselves.
Doing kernel-based route lookups is not only faster with many routes, but also
can use the full power of Linux policy based routing; something we can hardly
rebuild in userspace when calculating routes.
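The two commit messages above (RTA_SRC for policy-based lookups, and kernel-based lookups instead of table dumps) are about the shape of the RTM_GETROUTE request. The following is an added example, not the kernel-netlink plugin's code, written in Python rather than the plugin's C so that the message builders run anywhere: it builds a kernel route lookup request carrying RTA_DST plus RTA_SRC (the equivalent of `ip route get DST from SRC`), builds a table-dump request with the optional RTA_PREFSRC filter the first message describes, parses the rtattr list of a request or reply, and, on Linux only, sends the lookup to the kernel. The constants are the rtnetlink values; the helper names and `lookup_route()` result keys are this example's own.

```python
"""Build RTM_GETROUTE requests for a kernel-based route lookup (RTA_DST + RTA_SRC)
and for a route-table dump (optional RTA_PREFSRC filter), and parse rtattrs.

Added example, not strongSwan's kernel-netlink plugin. Constants are the Linux
rtnetlink values; helper names and the dict returned by lookup_route() are this
example's own. The builders and parsers run anywhere; lookup_route() needs
Linux (AF_NETLINK). IPv4 only, to keep the example short.
"""
import errno
import ipaddress
import os
import socket
import struct

NLM_F_REQUEST = 0x01
NLM_F_DUMP = 0x300                    # NLM_F_ROOT | NLM_F_MATCH
RTM_NEWROUTE, RTM_GETROUTE = 24, 26
NLMSG_ERROR = 2
RTA_DST, RTA_SRC, RTA_OIF, RTA_GATEWAY, RTA_PREFSRC, RTA_TABLE = 1, 2, 4, 5, 7, 15
AF_INET = 2
NLMSGHDR = struct.Struct("=IHHII")    # nlmsg_len, nlmsg_type, nlmsg_flags, nlmsg_seq, nlmsg_pid
RTMSG = struct.Struct("=BBBBBBBBI")   # family, dst_len, src_len, tos, table, protocol, scope, type, flags
RTATTR = struct.Struct("=HH")         # rta_len, rta_type


def _align(n):
    return (n + 3) & ~3


def rtattr(rta_type, data):
    """One rtattr: header plus payload, padded to a 4-byte boundary."""
    return RTATTR.pack(RTATTR.size + len(data), rta_type) + data + b"\0" * (_align(len(data)) - len(data))


def build_message(flags, rtm, attrs, seq=1):
    """nlmsghdr + rtmsg + attributes; nlmsg_len covers the whole message."""
    payload = RTMSG.pack(*rtm) + b"".join(attrs)
    return NLMSGHDR.pack(NLMSGHDR.size + len(payload), RTM_GETROUTE, flags, seq, 0) + payload


def route_lookup_request(dst, src=None, seq=1):
    """Kernel-based lookup: the kernel applies its policy routing rules itself.
    The source address goes into RTA_SRC with rtm_src_len set; RTA_PREFSRC is
    ignored for lookups, as the commit message above states."""
    attrs = [rtattr(RTA_DST, ipaddress.IPv4Address(dst).packed)]
    src_len = 0
    if src is not None:
        src_len = 32
        attrs.append(rtattr(RTA_SRC, ipaddress.IPv4Address(src).packed))
    rtm = (AF_INET, 32, src_len, 0, 0, 0, 0, 0, 0)
    return build_message(NLM_F_REQUEST, rtm, attrs, seq)


def route_dump_request(prefsrc=None, seq=1):
    """Table dump used for userspace route calculation. RTA_PREFSRC is the
    filter the commit message describes; this example only places it in the
    request and does not depend on the kernel honouring it."""
    attrs = [] if prefsrc is None else [rtattr(RTA_PREFSRC, ipaddress.IPv4Address(prefsrc).packed)]
    rtm = (AF_INET, 0, 0, 0, 0, 0, 0, 0, 0)
    return build_message(NLM_F_REQUEST | NLM_F_DUMP, rtm, attrs, seq)


def parse_attrs(payload):
    """Parse the rtattr list following an rtmsg into {rta_type: raw bytes}."""
    attrs, pos = {}, 0
    while pos + RTATTR.size <= len(payload):
        rta_len, rta_type = RTATTR.unpack_from(payload, pos)
        if rta_len < RTATTR.size or pos + rta_len > len(payload):
            raise ValueError("bad rtattr length")
        attrs[rta_type] = payload[pos + RTATTR.size:pos + rta_len]
        pos += _align(rta_len)
    return attrs


def parse_request(msg):
    """Split a request or RTM_NEWROUTE reply into (nlmsghdr, rtmsg, attrs) tuples."""
    hdr = NLMSGHDR.unpack_from(msg, 0)
    rtm = RTMSG.unpack_from(msg, NLMSGHDR.size)
    return hdr, rtm, parse_attrs(msg[NLMSGHDR.size + RTMSG.size:hdr[0]])


def lookup_route(dst, src=None):
    """Ask the kernel for the route to dst (from src). Returns a dict with the
    table, outgoing interface index, gateway and preferred source, or None when
    the kernel reports the destination unreachable. Linux only."""
    if not hasattr(socket, "AF_NETLINK"):
        raise OSError("rtnetlink is only available on Linux")
    with socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, socket.NETLINK_ROUTE) as sk:
        sk.bind((0, 0))
        sk.sendto(route_lookup_request(dst, src), (0, 0))
        reply = sk.recv(65536)
    hdr = NLMSGHDR.unpack_from(reply, 0)
    if hdr[1] == NLMSG_ERROR:
        (err,) = struct.unpack_from("=i", reply, NLMSGHDR.size)   # negative errno
        if -err in (errno.ENETUNREACH, errno.EHOSTUNREACH):
            return None
        raise OSError(-err, os.strerror(-err))
    _, rtm, attrs = parse_request(reply)
    addr = lambda t: str(ipaddress.IPv4Address(attrs[t])) if t in attrs else None
    return {"table": rtm[4],
            "oif": struct.unpack("=i", attrs[RTA_OIF])[0] if RTA_OIF in attrs else None,
            "gateway": addr(RTA_GATEWAY), "prefsrc": addr(RTA_PREFSRC)}
```

`route_lookup_request("192.0.2.10", "10.0.0.1")` produces a 44-byte message (16-byte header, 12-byte rtmsg, two 8-byte attributes); `lookup_route()` needs no privileges, only a Linux host.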