tteras/strongswan/src/libcharon/plugins/addrblock, branch master tteras' strongSwan tree Fixed some typos, courtesy of codespell 2017-05-26T12:44:06+00:00 Tobias Brunner tobias@strongswan.org 2017-05-26T12:44:06+00:00 b2473e94a21598eb818daee696e9fb0c7e87530d 






addrblock: Narrow selectors when rekeying a CHILD_SA as original responder
2017-03-24T07:17:01+00:00

Martin Willi
martin@strongswan.org

2017-03-23T07:48:46+00:00

3610d7607e2193d8b088bcba4362f58297dbca0f

If a the original responder narrows the selectors of its peer in addrblock,
the peer gets a subset of that selectors. However, once the original responder
initiates rekeying of that CHILD_SA, it sends the full selectors to the peer,
and then narrows the received selectors locally for the installation, only.

This is insufficient, as the peer ends up with wider selectors, sending traffic
that the original responder will reject to the stricter IPsec policy. So
additionally narrow the selectors when rekeying CHILD_SAs before sending the
TS list to the peer.





If a the original responder narrows the selectors of its peer in addrblock,
the peer gets a subset of that selectors. However, once the original responder
initiates rekeying of that CHILD_SA, it sends the full selectors to the peer,
and then narrows the received selectors locally for the installation, only.

This is insufficient, as the peer ends up with wider selectors, sending traffic
that the original responder will reject to the stricter IPsec policy. So
additionally narrow the selectors when rekeying CHILD_SAs before sending the
TS list to the peer.







addrblock: Use dynamic TS narrowing instead of rejecting the whole CHILD_SA
2017-03-02T07:24:02+00:00

Martin Willi
martin@strongswan.org

2017-02-22T09:01:19+00:00

d536b94e0d12543e548ed4f0df2220384293f08e

Previously, the client had to propose no wider selectors than the certificate
permits, otherwise the complete CHILD_SA was rejected. However, with IKEv2
we can dynamically narrow the selectors to what the certificate allows. This
makes client and gateway configurations very simple by just proposing 0.0.0.0/0,
narrowed to selectors the client is permitted to route into the network.





Previously, the client had to propose no wider selectors than the certificate
permits, otherwise the complete CHILD_SA was rejected. However, with IKEv2
we can dynamically narrow the selectors to what the certificate allows. This
makes client and gateway configurations very simple by just proposing 0.0.0.0/0,
narrowed to selectors the client is permitted to route into the network.







addrblock: Support an optional non-strict mode accepting certs without addrblock
2017-03-02T07:24:02+00:00

Martin Willi
martin@strongswan.org

2017-02-22T08:43:31+00:00

d1317adb9a45166cdc8f44117a5fa85ecd053552

This allows a gateway to enforce the addrblock policy on certificates that
actually have the extension only. For (legacy) certificates not having the
extension, traffic selectors are validated/narrowed by other means, most
likely by the configuration.





This allows a gateway to enforce the addrblock policy on certificates that
actually have the extension only. For (legacy) certificates not having the
extension, traffic selectors are validated/narrowed by other means, most
likely by the configuration.







libhydra: Remove empty unused library
2016-03-03T16:36:11+00:00

Tobias Brunner
tobias@strongswan.org

2016-02-12T15:35:54+00:00

28649f6d91971e0fe50078aec2937010e8c61cd8












plugins: Don't link with -rdynamic on Windows
2014-06-04T13:53:02+00:00

Martin Willi
martin@revosec.ch

2013-10-25T14:03:47+00:00

4163421f918d830585bfdccde0973d8801aad258












credmgr: introduce a hook function to catch trust chain validation errors
2013-07-18T14:00:30+00:00

Martin Willi
martin@revosec.ch

2013-07-09T09:55:32+00:00

4d7a762871f52dac5c7bd7808edc94a55dd40e1a












automake: replace INCLUDES by AM_CPPFLAGS
2013-07-18T12:59:19+00:00

Martin Willi
martin@revosec.ch

2013-07-17T12:45:39+00:00

19cb07b89050c0e3ea6a11e1914318c4ff1284b5

INCLUDES are now deprecated and throw warnings when using automake 1.13.
We now also differentiate AM_CPPFLAGS and AM_CFLAGS, where includes and
defines are passed to AM_CPPFLAGS only.





INCLUDES are now deprecated and throw warnings when using automake 1.13.
We now also differentiate AM_CPPFLAGS and AM_CFLAGS, where includes and
defines are passed to AM_CPPFLAGS only.







addrblock: Use plugin features with soft dependency on X.509 decoding
2013-06-11T09:18:17+00:00

Tobias Brunner
tobias@strongswan.org

2013-06-07T13:45:02+00:00

94ca7252c13f86bd93d1c41427a949a4eabcacd7












Moved debug.[ch] to utils folder
2012-10-24T14:00:51+00:00

Tobias Brunner
tobias@strongswan.org

2012-10-16T14:03:21+00:00

f05b427265e20ccb43889094e4c58c1a5bf3e290