strongswan.git
11 years ago: increasing the performance of checkout_duplicate by using a hash table.
Tobias Brunner [Wed, 10 Dec 2008 13:51:21 +0000 (13:51 -0000)]
increasing the performance of checkout_duplicate by using a hash table.

11 years ago: initial size of 1 is nonsense
Tobias Brunner [Wed, 10 Dec 2008 13:45:05 +0000 (13:45 -0000)]
initial size of 1 is nonsense

11 years ago: incremental version of chunk_hash
Tobias Brunner [Wed, 10 Dec 2008 13:43:51 +0000 (13:43 -0000)]
incremental version of chunk_hash

11 years ago: list assigned leases using "ipsec leases"
Martin Willi [Wed, 10 Dec 2008 13:00:02 +0000 (13:00 -0000)]
list assigned leases using "ipsec leases"

11 years ago: added IKE_SA established timer to "ipsec statusall"
Martin Willi [Wed, 10 Dec 2008 09:59:35 +0000 (09:59 -0000)]
added IKE_SA established timer to "ipsec statusall"

11 years ago: using rwlock to parallel build credentials
Martin Willi [Tue, 9 Dec 2008 15:57:51 +0000 (15:57 -0000)]
using rwlock to parallel build credentials

11 years ago: use thread-safe variant of gmtime
Martin Willi [Tue, 9 Dec 2008 15:00:30 +0000 (15:00 -0000)]
use thread-safe variant of gmtime

11 years ago: fixed load-tester shared key lookup
Martin Willi [Tue, 9 Dec 2008 14:45:56 +0000 (14:45 -0000)]
fixed load-tester shared key lookup

11 years ago: purge auth_info when IKE_SA is established, releases cert memory
Martin Willi [Tue, 9 Dec 2008 14:34:15 +0000 (14:34 -0000)]
purge auth_info when IKE_SA is established, releases cert memory

11 years ago: limit number of ADDITIONAL_IPV*_ADDR notifies
Martin Willi [Tue, 9 Dec 2008 14:32:57 +0000 (14:32 -0000)]
limit number of ADDITIONAL_IPV*_ADDR notifies

11 years ago: list pools and usage in ipsec statusall
Martin Willi [Tue, 9 Dec 2008 13:24:12 +0000 (13:24 -0000)]
list pools and usage in ipsec statusall

11 years ago: extended stroke in-memory pool to use hash-tables
Martin Willi [Tue, 9 Dec 2008 13:23:42 +0000 (13:23 -0000)]
extended stroke in-memory pool to use hash-tables
supports online/offline leases
properly reassign addresses to identities

11 years ago: fixed hashtable->get_count() after doubling table size
Martin Willi [Tue, 9 Dec 2008 11:13:52 +0000 (11:13 -0000)]
fixed hashtable->get_count() after doubling table size

11 years ago: require explicit enabling of load-testing plugin
Martin Willi [Tue, 9 Dec 2008 09:11:37 +0000 (09:11 -0000)]
require explicit enabling of load-testing plugin

11 years ago: generating different initiator identities, configs and certificates on the fly
Martin Willi [Mon, 8 Dec 2008 19:18:28 +0000 (19:18 -0000)]
generating different initiator identities, configs and certificates on the fly

11 years ago: removed debugging leftovers
Martin Willi [Mon, 8 Dec 2008 19:15:38 +0000 (19:15 -0000)]
removed debugging leftovers

11 years ago: fixed out-of-tree build of scepclient
Martin Willi [Mon, 8 Dec 2008 16:00:33 +0000 (16:00 -0000)]
fixed out-of-tree build of scepclient

11 years ago: basic x509 certificate generation
Martin Willi [Mon, 8 Dec 2008 15:29:36 +0000 (15:29 -0000)]
basic x509 certificate generation

11 years ago: whitelisted another pthread_setspecific implementation
Martin Willi [Mon, 8 Dec 2008 15:27:24 +0000 (15:27 -0000)]
whitelisted another pthread_setspecific implementation

12 years ago: accept NULL values in hashtable enumerator
Martin Willi [Fri, 5 Dec 2008 12:34:17 +0000 (12:34 -0000)]
accept NULL values in hashtable enumerator

12 years ago: hashtable enumerator enumerates over both keys and values
Martin Willi [Fri, 5 Dec 2008 10:01:52 +0000 (10:01 -0000)]
hashtable enumerator enumerates over both keys and values

12 years ago: added actual ikev2bis draft
Martin Willi [Fri, 5 Dec 2008 09:41:20 +0000 (09:41 -0000)]
added actual ikev2bis draft

12 years ago: pass identity to release_address(), allows providers to do a lookup by id
Martin Willi [Fri, 5 Dec 2008 09:40:50 +0000 (09:40 -0000)]
pass identity to release_address(), allows providers to do a lookup by id

12 years ago: extended changeset [4753]
Andreas Steffen [Thu, 4 Dec 2008 23:16:10 +0000 (23:16 -0000)]
extended changeset [4753]

12 years ago: implemented the policy cache in kernel_netlink_ipsec_t with a hash table instead of a linked list.
Tobias Brunner [Thu, 4 Dec 2008 16:46:08 +0000 (16:46 -0000)]
implemented the policy cache in kernel_netlink_ipsec_t with a hash table instead of a linked list.

12 years ago: fixed off by one error
Tobias Brunner [Thu, 4 Dec 2008 16:33:39 +0000 (16:33 -0000)]
fixed off by one error

12 years ago: fixed copy-paste bug (double-free)
Martin Willi [Thu, 4 Dec 2008 10:10:37 +0000 (10:10 -0000)]
fixed copy-paste bug (double-free)

12 years ago: reset pointer for a clean destruction
Martin Willi [Thu, 4 Dec 2008 10:09:21 +0000 (10:09 -0000)]
reset pointer for a clean destruction

12 years ago: handling peer_match with higher priority than ike_match to select correct config if IPs are equal
Martin Willi [Thu, 4 Dec 2008 10:00:03 +0000 (10:00 -0000)]
handling peer_match with higher priority than ike_match to select correct config if IPs are equal

12 years ago: leak whitelisting of OPENSSL_config()
Martin Willi [Thu, 4 Dec 2008 09:23:53 +0000 (09:23 -0000)]
leak whitelisting of OPENSSL_config()

12 years ago: suppress output from leak-detective in openac
Andreas Steffen [Thu, 4 Dec 2008 04:51:05 +0000 (04:51 -0000)]
suppress output from leak-detective in openac

12 years ago: load openac plugins explicitly
Andreas Steffen [Thu, 4 Dec 2008 04:36:39 +0000 (04:36 -0000)]
load openac plugins explicitly

12 years ago: fixed refactoring error in openac
Andreas Steffen [Thu, 4 Dec 2008 04:34:49 +0000 (04:34 -0000)]
fixed refactoring error in openac

12 years ago: suppress leak-detective stderr output in ipsec pool
Andreas Steffen [Thu, 4 Dec 2008 03:31:53 +0000 (03:31 -0000)]
suppress leak-detective stderr output in ipsec pool

12 years ago: fixed double free of host in sadb_address2ts
Andreas Steffen [Thu, 4 Dec 2008 01:08:19 +0000 (01:08 -0000)]
fixed double free of host in sadb_address2ts

12 years ago: enable leak-detective and integrity-test in UML tests by default
Andreas Steffen [Thu, 4 Dec 2008 00:34:59 +0000 (00:34 -0000)]
enable leak-detective and integrity-test in UML tests by default

12 years ago: add support for smartcards in charon by using the ENGINE API provided by OpenSSL, based on patches by Michael Roßberg.
Tobias Brunner [Wed, 3 Dec 2008 10:12:20 +0000 (10:12 -0000)]
add support for smartcards in charon by using the ENGINE API provided by OpenSSL, based on patches by Michael Roßberg.

12 years ago: enable quoted tokens in the token enumerator
Tobias Brunner [Wed, 3 Dec 2008 10:03:59 +0000 (10:03 -0000)]
enable quoted tokens in the token enumerator

12 years ago: fixed compiler warning
Tobias Brunner [Wed, 3 Dec 2008 10:03:02 +0000 (10:03 -0000)]
fixed compiler warning

12 years ago: added memstr and extract_token_str helper functions
Tobias Brunner [Wed, 3 Dec 2008 09:45:58 +0000 (09:45 -0000)]
added memstr and extract_token_str helper functions

12 years ago: adding general purpose hash table
Tobias Brunner [Wed, 3 Dec 2008 09:32:16 +0000 (09:32 -0000)]
adding general purpose hash table

12 years ago: fixed double free of host in selector2ts
Martin Willi [Wed, 3 Dec 2008 09:15:29 +0000 (09:15 -0000)]
fixed double free of host in selector2ts

12 years ago: ref_get()/ref_put() use atomic gcc operations if supported, thanks to Thomas Jarosch for the patch
Martin Willi [Tue, 2 Dec 2008 12:14:32 +0000 (12:14 -0000)]
ref_get()/ref_put() use atomic gcc operations if supported, thanks to Thomas Jarosch for the patch

12 years ago: added a --disable-threads ./configure option for pluto
Martin Willi [Tue, 2 Dec 2008 09:01:57 +0000 (09:01 -0000)]
added a --disable-threads ./configure option for pluto

12 years ago: use DBG_ANY to set all loglevels
Martin Willi [Tue, 2 Dec 2008 08:52:46 +0000 (08:52 -0000)]
use DBG_ANY to set all loglevels

12 years ago: added time.h include for struct tm
Martin Willi [Tue, 2 Dec 2008 08:46:15 +0000 (08:46 -0000)]
added time.h include for struct tm

12 years ago: some task queueing improvements:
Martin Willi [Mon, 1 Dec 2008 18:38:28 +0000 (18:38 -0000)]
some task queueing improvements:
- do not pass CHILD_SAs to task constructor, might not
  be valid anymore during execution (late lookup)
- use sub-tasks to delete CHILD/IKE_SA after rekeying,
  as we want to execute the delete before additional
  queued tasks

12 years ago: re-established lost default auth sys_logger
Andreas Steffen [Mon, 1 Dec 2008 01:24:55 +0000 (01:24 -0000)]
re-established lost default auth sys_logger

12 years ago: schedule rekeying when activating passive IKE_SAs
Martin Willi [Fri, 28 Nov 2008 16:19:19 +0000 (16:19 -0000)]
schedule rekeying when activating passive IKE_SAs

12 years ago: do not delete passive IKE_SAs
Martin Willi [Fri, 28 Nov 2008 15:44:25 +0000 (15:44 -0000)]
do not delete passive IKE_SAs

12 years ago: added a PASSIVE IKE_SA state to manage it externally
Martin Willi [Fri, 28 Nov 2008 10:49:14 +0000 (10:49 -0000)]
added a PASSIVE IKE_SA state to manage it externally

12 years ago: pass SKd to derive_ike_keys() to have a more interoperable API
Martin Willi [Fri, 28 Nov 2008 09:51:44 +0000 (09:51 -0000)]
pass SKd to derive_ike_keys() to have a more interoperable API

12 years ago: fixed a double-unlock bug, showed up when using rwlocks in backend manager
Martin Willi [Fri, 28 Nov 2008 08:22:55 +0000 (08:22 -0000)]
fixed a double-unlock bug, showed up when using rwlocks in backend manager

12 years ago: use rwlocks in backend manager to allow simultaneous access
Martin Willi [Thu, 27 Nov 2008 15:34:17 +0000 (15:34 -0000)]
use rwlocks in backend manager to allow simultaneous access

12 years ago: use a rwlock in attribute manager to allow simultaneous access
Martin Willi [Thu, 27 Nov 2008 15:22:41 +0000 (15:22 -0000)]
use a rwlock in attribute manager to allow simultaneous access

12 years ago: remove attribute provider in SQL plugin destruction
Martin Willi [Thu, 27 Nov 2008 14:33:41 +0000 (14:33 -0000)]
remove attribute provider in SQL plugin destruction

12 years ago: added an include hack to build starter without gmp.h
Martin Willi [Thu, 27 Nov 2008 10:20:25 +0000 (10:20 -0000)]
added an include hack to build starter without gmp.h

12 years ago: fixed pluto out-of-tree builds
Martin Willi [Thu, 27 Nov 2008 10:18:38 +0000 (10:18 -0000)]
fixed pluto out-of-tree builds

12 years ago: token enumerator missed the last token if it contains only a single char
Martin Willi [Thu, 27 Nov 2008 09:21:52 +0000 (09:21 -0000)]
token enumerator missed the last token if it contains only a single char

12 years ago: checkin of non-existing IKE_SAs
Martin Willi [Wed, 26 Nov 2008 14:32:55 +0000 (14:32 -0000)]
checkin of non-existing IKE_SAs
removed unneeded checkin() return values

12 years ago: removed private parser function pointers, allows compiler to inline
Martin Willi [Wed, 26 Nov 2008 10:54:08 +0000 (10:54 -0000)]
removed private parser function pointers, allows compiler to inline

12 years ago: removed private generator function pointers, allows compiler to inline
Martin Willi [Wed, 26 Nov 2008 10:42:54 +0000 (10:42 -0000)]
removed private generator function pointers, allows compiler to inline

12 years ago: inlined some short chunk functions, showed up in the profiler
Martin Willi [Wed, 26 Nov 2008 10:08:36 +0000 (10:08 -0000)]
inlined some short chunk functions, showed up in the profiler

12 years ago: memxor() tweaks, as it is heavily used in xcbc
Martin Willi [Wed, 26 Nov 2008 10:06:59 +0000 (10:06 -0000)]
memxor() tweaks, as it is heavily used in xcbc

12 years ago: allow to globally disable DOS protection by setting charon.dos_protection to no.
Tobias Brunner [Wed, 26 Nov 2008 09:22:19 +0000 (09:22 -0000)]
allow to globally disable DOS protection by setting charon.dos_protection to no.

12 years ago: optimized the scheduler for performance by replacing the linked list with a heap.
Tobias Brunner [Tue, 25 Nov 2008 19:56:05 +0000 (19:56 -0000)]
optimized the scheduler for performance by replacing the linked list with a heap.

12 years ago: replacing the pthread_mutex in scheduler_t with the wrapped implementation.
Tobias Brunner [Tue, 25 Nov 2008 19:30:02 +0000 (19:30 -0000)]
replacing the pthread_mutex in scheduler_t with the wrapped implementation.
added a method to condvar_t which allows to wait for an absolute timeout.

12 years ago: performance optimization for the DOS protection.
Tobias Brunner [Tue, 25 Nov 2008 13:16:05 +0000 (13:16 -0000)]
performance optimization for the DOS protection.
 * half-open SAs per peer are tracked in a hash table
 * charon.dos_protection setting replaced with charon.cookie_threshold and charon.block_threshold
 * chunk_hash function added

12 years ago: fixed crash due to missing function call parameter
Andreas Steffen [Tue, 25 Nov 2008 08:11:57 +0000 (08:11 -0000)]
fixed crash due to missing function call parameter

12 years ago: use static IPsec policy iptables rule for alice in mobike scenario
Andreas Steffen [Tue, 25 Nov 2008 08:11:14 +0000 (08:11 -0000)]
use static IPsec policy iptables rule for alice in mobike scenario

12 years ago: fixed set_message_id() on IKE_SA
Martin Willi [Mon, 24 Nov 2008 13:59:30 +0000 (13:59 -0000)]
fixed set_message_id() on IKE_SA
added missing bus->message() hook invocation
whitespace cleanups

12 years ago: set message IDs on IKE_SAs
Martin Willi [Mon, 24 Nov 2008 12:46:06 +0000 (12:46 -0000)]
set message IDs on IKE_SAs

12 years ago: moved the IPV6_IPSEC_POLICY definition to the ipsec plugins, fixes uClibc build
Martin Willi [Mon, 24 Nov 2008 08:22:05 +0000 (08:22 -0000)]
moved the IPV6_IPSEC_POLICY definition to the ipsec plugins, fixes uClibc build

12 years ago: added a "load_tester.auth" option: "pubkey" (default) or "psk"
Martin Willi [Sun, 23 Nov 2008 11:58:41 +0000 (11:58 -0000)]
added a "load_tester.auth" option: "pubkey" (default) or "psk"

12 years ago: proper cancellation of load-testing initiators
Martin Willi [Sun, 23 Nov 2008 11:17:30 +0000 (11:17 -0000)]
proper cancellation of load-testing initiators

12 years ago: added a MODP_NULL Diffie Hellman group to avoid calculation overhead in load-testing
Martin Willi [Sat, 22 Nov 2008 16:14:55 +0000 (16:14 -0000)]
added a MODP_NULL Diffie Hellman group to avoid calculation overhead in load-testing

12 years ago: expecting int sized length arguments to chunk_split, as vararg functions use integers
Martin Willi [Fri, 21 Nov 2008 08:11:24 +0000 (08:11 -0000)]
expecting int sized length arguments to chunk_split, as vararg functions use integers

12 years ago: fixing Makefile of the nm plugin (avoids including a .svn directory in the distribution)
Tobias Brunner [Thu, 20 Nov 2008 14:46:03 +0000 (14:46 -0000)]
fixing Makefile of the nm plugin (avoids including a .svn directory in the distribution)

12 years ago: optimized ike_sa_manager for concurrent access (default behavior is still as before, needs configuration in strongswan.conf).
Tobias Brunner [Thu, 20 Nov 2008 13:30:23 +0000 (13:30 -0000)]
optimized ike_sa_manager for concurrent access (default behavior is still as before, needs configuration in strongswan.conf).

12 years ago: fixed lock-profiler help message
Martin Willi [Wed, 19 Nov 2008 15:37:46 +0000 (15:37 -0000)]
fixed lock-profiler help message

12 years ago: refactored and cleaned up child_sa interface
Martin Willi [Wed, 19 Nov 2008 15:31:27 +0000 (15:31 -0000)]
refactored and cleaned up child_sa interface
replaced add/update calls by a install() call
allocating SPIs always externally
support installation of non-allocated CHILD_SAs
some other cleanups

12 years ago: fixing compilation on systems lacking linux/xfrm.h
Tobias Brunner [Tue, 18 Nov 2008 14:28:05 +0000 (14:28 -0000)]
fixing compilation on systems lacking linux/xfrm.h

12 years ago: setting default port of own address to have a proper fallback if src addr lookup fails
Martin Willi [Tue, 18 Nov 2008 10:10:36 +0000 (10:10 -0000)]
setting default port of own address to have a proper fallback if src addr lookup fails

12 years ago: consider interfaces we do not monitor as up (e.g. lo)
Martin Willi [Tue, 18 Nov 2008 09:52:28 +0000 (09:52 -0000)]
consider interfaces we do not monitor as up (e.g. lo)
fixes load-testing against 127.0.0.1

12 years ago: version bump to 4.2.10
Andreas Steffen [Tue, 18 Nov 2008 00:02:59 +0000 (00:02 -0000)]
version bump to 4.2.10

12 years ago: separated updown listener to its own class (tag 4.2.9)
Martin Willi [Mon, 17 Nov 2008 09:29:27 +0000 (09:29 -0000)]
separated updown listener to its own class
caching interface names to properly remove rules if interface has changed

12 years ago: fixed virtual IP re-installation failure in MOBIKE scenarios introduced with changeset 4662
Andreas Steffen [Mon, 17 Nov 2008 00:01:34 +0000 (00:01 -0000)]
fixed virtual IP re-installation failure in MOBIKE scenarios introduced with changeset 4662

12 years ago: set release number back to 4.2.9
Andreas Steffen [Sun, 16 Nov 2008 22:25:16 +0000 (22:25 -0000)]
set release number back to 4.2.9

12 years ago: added migration to NEWS
Andreas Steffen [Sun, 16 Nov 2008 21:23:56 +0000 (21:23 -0000)]
added migration to NEWS

12 years ago: completed migration of MIPv6 connections
Andreas Steffen [Sun, 16 Nov 2008 21:19:58 +0000 (21:19 -0000)]
completed migration of MIPv6 connections

12 years ago: show TRANSPORT_PROXY mode in ipsec status
Andreas Steffen [Sun, 16 Nov 2008 21:19:17 +0000 (21:19 -0000)]
show TRANSPORT_PROXY mode in ipsec status

12 years ago: using aligned buffers for netlink
Martin Willi [Fri, 14 Nov 2008 14:23:11 +0000 (14:23 -0000)]
using aligned buffers for netlink

12 years ago: fallback to reauthentication if peer does not support CHILD_SA rekeying
Martin Willi [Fri, 14 Nov 2008 14:05:47 +0000 (14:05 -0000)]
fallback to reauthentication if peer does not support CHILD_SA rekeying

12 years ago: fall back to reauthentication if IKE rekeying fails with NO_ADDITIONAL_SAS
Martin Willi [Fri, 14 Nov 2008 13:58:16 +0000 (13:58 -0000)]
fall back to reauthentication if IKE rekeying fails with NO_ADDITIONAL_SAS

12 years ago: also use correct encap parameter in PF_KEY
Martin Willi [Fri, 14 Nov 2008 13:15:26 +0000 (13:15 -0000)]
also use correct encap parameter in PF_KEY

12 years ago: fixed encap enabling in xfrm (using new encap state, not the old one)
Martin Willi [Fri, 14 Nov 2008 13:12:07 +0000 (13:12 -0000)]
fixed encap enabling in xfrm (using new encap state, not the old one)

12 years ago: do not use a route if outgoing interface is down
Martin Willi [Fri, 14 Nov 2008 13:04:22 +0000 (13:04 -0000)]
do not use a route if outgoing interface is down
other cleanups

12 years ago: rta->rta_len is NOT the payload data length, use RTA_PAYLOAD(rta) instead!
Martin Willi [Fri, 14 Nov 2008 10:30:26 +0000 (10:30 -0000)]
rta->rta_len is NOT the payload data length, use RTA_PAYLOAD(rta) instead!

12 years ago: do not use public interface for functions which are local anyway
Martin Willi [Fri, 14 Nov 2008 09:38:49 +0000 (09:38 -0000)]
do not use public interface for functions which are local anyway

12 years ago: reset IKE_SA on bus during child_sa destruction
Martin Willi [Fri, 14 Nov 2008 08:38:53 +0000 (08:38 -0000)]
reset IKE_SA on bus during child_sa destruction