Martin Willi
4edcc86149
xpc: send child_updown events over XPC channel
2013-07-18 12:17:55 +02:00
Martin Willi
d60c8d2c74
xpc: support termination of IKE_SAs using XPC RPC on connection channel
2013-07-18 12:17:55 +02:00
Martin Willi
790ad9e677
xpc: move XPC RPC reply creation to command dispatching
2013-07-18 12:17:55 +02:00
Martin Willi
a0c125eacb
xpc: terminate daemon when last XPC connection to App gone
2013-07-18 12:17:55 +02:00
Martin Willi
6aae6268d7
xpc: fix some refcounting issues related to XPC connections
2013-07-18 12:17:55 +02:00
Martin Willi
22bffc647d
xpc: no need to clear channel table, they are bound to IKE_SA lifetime
2013-07-18 12:17:55 +02:00
Martin Willi
1a3f71d97a
xpc: add support for logging over XPC channels
2013-07-18 12:17:55 +02:00
Martin Willi
fbc89786b5
xpc: don't warn about pointer signedness mismatch (-Wno-pointer-sign)
2013-07-18 12:17:55 +02:00
Martin Willi
dcf8a3c78b
xpc: add a description of the basic XPC protocol to README
2013-07-18 12:17:55 +02:00
Martin Willi
d5966e71e9
xpc: use the same XPC message "type" mechanism on Mach service as on channels
2013-07-18 12:17:55 +02:00
Martin Willi
39d15dde67
xpc: ask App for passwords using connection specific channel
2013-07-18 12:17:55 +02:00
Martin Willi
8279ce99c4
xpc: use IKE_SA specific XPC return channels for further communication
2013-07-18 12:17:55 +02:00
Martin Willi
bc74e18223
xpc: don't send certificate requests, there are too many when using keychain
2013-07-18 12:17:55 +02:00
Martin Willi
5016370390
xpc: build with support for the keychain plugin
2013-07-18 12:17:55 +02:00
Martin Willi
e73a653451
xpc: add support for initiating simple IKEv2 EAP connections
2013-07-18 12:17:54 +02:00
Martin Willi
3dcc9d7aa7
xpc: move dispatching to dedicated class, using dedicated thread
2013-07-18 12:17:54 +02:00
Martin Willi
4204d1d71a
xpc: use non-inlining variant of vstr, compiler does not like it
2013-07-18 12:17:54 +02:00
Martin Willi
6f8c626b81
xpc: add Xcode project for a charon controlled through XPC
2013-07-18 12:17:54 +02:00
Martin Willi
61177388bd
syslog: setlogmask() to include LOG_INFO
LOG_INFO seems to be excluded by default on some systems (OS X).
2013-07-18 12:17:54 +02:00
Martin Willi
55dacbfac2
keychain: flush certificate cache after reloading System keychain
2013-07-18 12:17:54 +02:00
Martin Willi
57dce77ba6
keychain: monitor changes in the system keychain, reload when necessary
2013-07-18 12:17:54 +02:00
Martin Willi
dcd8bdde4f
keychain: use SearchCopyNext keychain enumeration for System certs as well
SecItemCopyMatching seems to be problematic regarding memory management. And
as there does not seem to be a good alternative to enumerate the System Roots
keychain using the SecItemCopyMatching API, we stick to the deprecated
enumeration functions for now.
2013-07-18 12:17:54 +02:00
Martin Willi
0bdd453392
keychain: load certificates from System Roots Keychain
2013-07-18 12:17:54 +02:00
Martin Willi
bc6c7bf39e
keychain: load certificates only once during startup, improving performance
2013-07-18 12:17:54 +02:00
Martin Willi
6f00ddb90c
keychain: support on-the-fly enumeration of trusted/untrusted certificates
2013-07-18 12:17:54 +02:00
Martin Willi
7b8edabd8a
keychain: add a stub for a credential plugin using OS X Keychain Services
2013-07-18 12:17:54 +02:00
Martin Willi
5d36f04ee2
credmgr: stop querying for secrets once we get a perfect match
2013-07-18 12:17:54 +02:00
Martin Willi
69039e83f8
credmgr: don't use pointers for id_match_t enum values
2013-07-18 12:17:54 +02:00
Martin Willi
c3e7b3de0b
openssl: parse X.509 extended key usage from extension parsing loop
Otherwise parsing gets aborted if unknown critical extensions are handled as
error.
2013-07-18 12:17:53 +02:00
Martin Willi
3f55f203ee
openssl: show which critical X.509 extension is not supported
2013-07-18 12:17:53 +02:00
Martin Willi
437a6feb07
hashtable: add common hashtable hash/equals functions for pointer/string keys
2013-07-18 12:17:53 +02:00
Martin Willi
01c0267778
thread: implicitly create thread_t if an external thread calls thread_current()
2013-07-18 12:17:53 +02:00
Tobias Brunner
07a9d5c91a
ike: Fix reestablishing SAs if no child-creating tasks are queued
2013-07-18 10:40:08 +02:00
Martin Willi
2b0c8ee37d
ike-sa: uninstall CHILD_SAs before removing virtual IPs
a3854d83 changed cleanup order. But we should remove CHILD_SAs first, as routes
for CHILD_SAs might get deleted while removing virtual IPs, resulting in
an error when a CHILD_SA tries to uninstall its route.
2013-07-18 10:35:38 +02:00
Tobias Brunner
79b6ead1e4
unity: Replicate default behavior if no UNITY_SPLIT_INCLUDE attributes were received
2013-07-17 18:23:57 +02:00
Tobias Brunner
56b0fac8c9
unity: Allow UNITY_LOCAL_LAN to be longer than 8 bytes
2013-07-17 18:23:57 +02:00
Tobias Brunner
c7d0b80abb
unity: Fix memory leak in provider
2013-07-17 18:23:57 +02:00
Tobias Brunner
b2dfa0624d
ipsec.conf.5: closeaction is now supported for IKEv1
2013-07-17 18:18:57 +02:00
Tobias Brunner
a9ffb48f21
ikev1: Reestablish IKE_SA/CHILD_SAs if it gets deleted by the peer
We call ike_sa_t.reestablish() so the IKE_SA is only recreated if any
CHILD_SA requires it.
2013-07-17 18:16:59 +02:00
Tobias Brunner
68db844f99
ike: Migrate queued CHILD_SA-creating tasks when reestablishing an IKE_SA
2013-07-17 18:16:58 +02:00
Oliver Smith
b79fdab878
ikev1: Support closeaction of CHILD_SA.
When a CHILD_SA is closed in IKEv1, if it is not being rekeyed and
closeaction has been set, we can now perform a restart or hold as is
currently done for IKEv2.
2013-07-17 18:16:58 +02:00
Tobias Brunner
6b99e4b7e0
Merge branch 'kernel-pfroute-mobility'
This improves the behavior of the kernel-pfroute plugin (and sometimes
the kernel-pfkey plugin) in case of mobility, mostly when used as a
client but also as gateway, if clients are mobile.
2013-07-17 17:49:26 +02:00
Tobias Brunner
fae4d67adc
kernel-pfroute: Ignore IP address changes if address is %any
2013-07-17 17:45:18 +02:00
Tobias Brunner
b308a97944
kernel-pfroute: Properly enumerate sockaddrs in interface messages
The ifa_msghdr and rt_msghdr structs are not compatible (at least not on
FreeBSD).
2013-07-17 17:45:18 +02:00
Tobias Brunner
5310f485d9
kernel-pfroute: Provide name of interfaces on which virtual IPs are installed
2013-07-17 17:45:18 +02:00
Tobias Brunner
e9c1ca0278
kernel-pfroute: Ignore virtual IPs in address map
As the virtual flag is set after the address has been added to the map,
we make sure we ignore virtual IPs when doing lookups.
2013-07-17 17:45:18 +02:00
Tobias Brunner
cb082d15ef
kernel-pfroute: Make sure source addresses are not virtual and usable
It seems we sometimes get the virtual IP as source (with
rightsubnet=0.0.0.0/0) even if the exclude route is already
installed. Might be a timing issue because shortly afterwards the
lookup seems to succeed.
2013-07-17 17:45:18 +02:00
Tobias Brunner
527663d6b6
kernel-pfroute: Don't report an error when trying to reinstall a route
2013-07-17 17:45:18 +02:00
Tobias Brunner
8afd0f05e3
kernel-pfkey: Provide interface name when installing exclude route
2013-07-17 17:45:18 +02:00
Tobias Brunner
0745f846d0
kernel-pfroute: Reinstall routes on interface/address changes
2013-07-17 17:45:17 +02:00