aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
| * auth-cfg: Add a rule to suspend certificate validation constraintsTobias Brunner2016-03-102-0/+18
| |
| * credential-manager: Check cache queue when destroying trusted certificate ↵Tobias Brunner2016-03-101-1/+2
| | | | | | | | | | | | | | | | | | | | enumerator We already do this in the trusted public key enumerator (which internally uses the trusted certificate enumerator) but should do so also when this enumerator is used directly (since the public key enumerator has the read lock the additional call will just be skipped there).
| * credential-manager: Make online revocation checks optional for public key ↵Tobias Brunner2016-03-106-7/+14
|/ | | | enumerator
* Merge branch 'charon-conf-fallback'Tobias Brunner2016-03-084-2/+61
|\ | | | | | | | | | | | | Makes charon-systemd and charon-svc also load settings from the charon section in strongswan.conf. Fixes #1300.
| * charon-svc: Inherit all settings from the charon sectionTobias Brunner2016-03-081-0/+9
| | | | | | | | Same as with charon-systemd.
| * charon-systemd: Inherit all settings from the charon sectionTobias Brunner2016-03-081-0/+9
| | | | | | | | | | | | | | | | Our default config files are very charon specific. So to avoid confusion when only charon-systemd is installed we just default to all settings defined for charon. Since charon-systemd probably won't be used together with charon this should not cause conflicts (settings may still be overridden via the charon-systemd section).
| * library: Add option to register additional namespaces before calling ↵Tobias Brunner2016-03-082-2/+43
|/ | | | | | | | | | library_init() Because settings are already accessed in library_init(), calling add_fallback() externally after calling library_init() is not ideal. This way namespaces already serve as fallback while library_init() is executed and they are also in the correct order so that libstrongswan is always the last root section.
* vici: Replace child configs atomicallyTobias Brunner2016-03-081-14/+11
| | | | This also leaves unmodified configs as they are.
* peer-cfg: Add method to atomically replace child configsTobias Brunner2016-03-082-2/+128
|
* ike-cfg: Use new method to compare proposal lists in equals()Tobias Brunner2016-03-081-20/+4
|
* peer-cfg: Use new method to compare linked lists in equals()Tobias Brunner2016-03-081-36/+3
| | | | This also compares the complete lists not only the first two items.
* child-cfg: Add equals() methodTobias Brunner2016-03-082-2/+62
|
* linked-list: Add method to compare two lists of objects for equalityTobias Brunner2016-03-083-2/+166
|
* vici: Order auth rounds by optional `round` parameter instead of by position ↵Tobias Brunner2016-03-082-40/+74
| | | | in the request
* ikev1: Send NAT-D payloads after vendor ID payloads in Aggressive Mode messagesTobias Brunner2016-03-071-6/+6
| | | | | | | Some implementations might otherwise not recognize the NAT-D payload type. Also moves SIG and HASH payloads last in these messages. Fixes #1239.
* ike-sa-manager: Log a checkin/failure message for every checkoutThomas Egerer2016-03-071-8/+32
| | | | Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* testing: Added swanctl/mult-auth-rsa-eap-sim-id scenarioAndreas Steffen2016-03-0620-0/+335
|
* testing: Added swanctl/xauth-rsa scenarioAndreas Steffen2016-03-0611-0/+211
|
* Display IKE ports with swanctl --list-sasAndreas Steffen2016-03-051-4/+9
|
* Version bump to 5.4.0rc1Andreas Steffen2016-03-051-1/+1
|
* testing: attr-sql is a charon plugin5.4.0dr8Andreas Steffen2016-03-0511-42/+10
|
* testing: Added swanctl/rw-psk-ikev1 scenarioAndreas Steffen2016-03-0511-0/+271
|
* testing: Include IKE port information in evaltestsAndreas Steffen2016-03-0568-238/+221
|
* Version bump to 5.4.0dr8Andreas Steffen2016-03-041-1/+1
|
* ike-sa-manager: Log some additional details like SPIs when checking out SAsTobias Brunner2016-03-041-7/+16
|
* smp: Correctly return IKE SPIs stored in network orderTobias Brunner2016-03-041-4/+4
|
* vici: Correctly return IKE SPIs stored in network orderTobias Brunner2016-03-041-2/+4
|
* stroke: Correctly print IKE SPIs stored in network orderTobias Brunner2016-03-041-2/+4
|
* byteorder: Simplify htoun64/untoh64 functionsTobias Brunner2016-03-041-27/+0
|
* byteorder: Always define be64toh/htobe64 macrosTobias Brunner2016-03-041-20/+30
|
* Merge branch 'ike-sig-contraints'Tobias Brunner2016-03-0412-90/+316
|\ | | | | | | | | Signature scheme constraints against IKEv2 authentication may now be configured independently of constraints against trustchains.
| * NEWS: Add note about IKEv2 signature scheme constraintsTobias Brunner2016-03-041-0/+4
| |
| * swanctl: Document signature scheme constraintsTobias Brunner2016-03-041-1/+30
| |
| * vici: Add support for pubkey constraints with EAP-TLSTobias Brunner2016-03-041-0/+8
| | | | | | | | This is a feature currently supported by stroke.
| * auth-cfg: Make IKE signature schemes configurableTobias Brunner2016-03-048-46/+203
| | | | | | | | | | | | This also restores the charon.signature_authentication_constraints functionality, that is, if no explicit IKE signature schemes are configured we apply all regular signature constraints as IKE constraints.
| * ikev2: Always store signature scheme in auth-cfgTobias Brunner2016-03-041-12/+1
| | | | | | | | As we use a different rule we can always store the scheme.
| * ikev2: Diversify signature scheme ruleThomas Egerer2016-03-044-33/+72
|/ | | | | | | This allows for different signature schemes for IKE authentication and trustchain verification. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* NEWS: Document RFC 5685 supportTobias Brunner2016-03-041-0/+6
|
* Merge branch 'ike-redirect'Tobias Brunner2016-03-0450-122/+2168
|\ | | | | | | | | | | | | | | This adds support for IKEv2 redirection (RFC 5685). There is currently no default implementation of the redirect_provider_t interface provided. Plugins may implement the interface to decide if and when to redirect connecting clients. It is also possible to redirect established IKE_SAs via VICI/swanctl.
| * ike-init: Verify REDIRECT notify before processing IKE_SA_INIT messageTobias Brunner2016-03-041-7/+51
| | | | | | | | | | | | An attacker could blindly send a message with invalid nonce data (or none at all) to DoS an initiator if we just destroy the SA. To prevent this we ignore the message and wait for the one by the correct responder.
| * ikev2: Allow tasks to verify request messages before processing themTobias Brunner2016-03-041-4/+47
| |
| * ikev2: Allow tasks to verify response messages before processing themTobias Brunner2016-03-041-1/+27
| |
| * task: Add optional pre_process() methodTobias Brunner2016-03-041-1/+13
| | | | | | | | | | This will eventually allow tasks to pre-process and verify received messages.
| * testing: Add ikev2/redirect-active scenarioTobias Brunner2016-03-0420-0/+322
| |
| * ike-init: Ignore notifies related to redirects during rekeyingTobias Brunner2016-03-041-3/+13
| | | | | | | | Also don't query redirect providers in this case.
| * ike-sa: Add limit for the number of redirects within a defined time periodTobias Brunner2016-03-042-0/+54
| |
| * ike-sa: Reauthenticate to the same addresses we currently useTobias Brunner2016-03-041-2/+5
| | | | | | | | | | | | If the SA got redirected this would otherwise cause a reauthentication with the original gateway. Reestablishing the SA to the original gateway, if e.g. the new gateway is not reachable makes sense though.
| * vici: Don't redirect all SAs if no selectors are givenTobias Brunner2016-03-041-1/+1
| | | | | | | | | | This avoid confusion and redirecting all SAs can now easily be done explicitly (e.g. peer_ip=0.0.0.0/0).
| * vici: Match subnets and ranges against peer IP in redirect commandTobias Brunner2016-03-043-13/+43
| |
| * vici: Match identity with wildcards against remote ID in redirect commandTobias Brunner2016-03-043-6/+10
| |
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-09 17:55:05 +0000