aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* Initialize ts variableAndreas Steffen2016-03-111-1/+1
|
* forecast: Compare the complete rules when deleting themTobias Brunner2016-03-101-1/+4
| | | | | | Same as the change in the connmark plugin. References #1229.
* connmark: Don't restore CONNMARK for packets that already have a mark setTobias Brunner2016-03-101-2/+17
| | | | | | | | | This allows e.g. modified versions of xl2tpd to set the mark in situations where two clients are using the same source port behind the same NAT, which CONNMARK can't restore properly as only one conntrack entry will exist with the mark set to that of the client that sent the last packet. Fixes #1230.
* connmark: Compare the complete rules when deleting themTobias Brunner2016-03-101-1/+4
| | | | | | | | | | | | By settings a matchmask that covers the complete rule we ensure that the correct rule is deleted (i.e. matches and targets with potentially different marks are also compared). Since data after the passed pointer is actually dereferenced when comparing we definitely have to pass an array that is at least as long as the ipt_entry. Fixes #1229.
* Merge branch 'subnet-identities'Andreas Steffen2016-03-109-114/+626
|\ | | | | | | | | | | | | | | Implemented IKEv1 IPv4/IPv6 address subnet and range identities to be used as owners for shared secrets. swanctl supports configuration of traffic selectors with IPv4/IPv6 address ranges.
| * Support of IP address ranges in traffic selectorsAndreas Steffen2016-03-102-7/+27
| |
| * Updated swanctl/rw-psk-ikev1 scenarioAndreas Steffen2016-03-105-28/+36
| |
| * Implemented IPv4/IPv6 subnet and range identitiesAndreas Steffen2016-03-102-79/+563
|/ | | | | | The IKEv1 IPV4_ADDR_SUBNET, IPV6_ADDR_SUBNET, IPV4_ADDR_RANGE and IPV6_ADDR_RANGE identities have been fully implemented and can be used as owners of shared secrets (PSKs).
* Merge branch 'p-cscf'Tobias Brunner2016-03-1014-24/+474
|\ | | | | | | | | | | | | This adds the p-cscf plugin that can request P-CSCF server addresses from an ePDG via IKEv2 (RFC 7651). Addresses of the same families as requested virtual IPs are requested if enabled in strongswan.conf for a particular connection. The plugin currently writes received addresses to the log.
| * attr: Only enumerate attributes matching the IKE version of the current IKE_SATobias Brunner2016-03-101-19/+49
| | | | | | | | Numerically configured attributes are currently sent for both versions.
| * attr: Add p-cscf keyword for P-CSCF server addressesTobias Brunner2016-03-101-0/+1
| |
| * p-cscf: Make sending requests configurable and disable it by defaultTobias Brunner2016-03-103-2/+18
| |
| * p-cscf: Only send requests if virtual IPs of the same family are requestedTobias Brunner2016-03-101-2/+18
| |
| * p-cscf: Add attribute handler for P-CSCF server addressesTobias Brunner2016-03-104-1/+243
| |
| * p-cscf: Add plugin stubTobias Brunner2016-03-106-0/+136
| |
| * payloads: Verify P-CSCF configuration attributes like others carrying IP ↵Tobias Brunner2016-03-101-0/+2
| | | | | | | | addresses
| * attributes: Define P-CSCF address attributes described in RFC 7651Tobias Brunner2016-03-102-6/+13
|/
* Merge branch 'mbb-reauth-online-revocation'Tobias Brunner2016-03-1028-14/+477
|\ | | | | | | | | | | | | With these changes initiators of make-before-break reauthentications suspend online revocation checks until after the new IKE_SA and all CHILD_SAs are established. See f1cbacc5d1be for details why that's necessary.
| * NEWS: Added note on online revocation checks during make-before-break ↵Tobias Brunner2016-03-101-0/+9
| | | | | | | | reauthentication
| * testing: Add ikev2/reauth-mbb-revoked scenarioTobias Brunner2016-03-109-0/+105
| |
| * testing: Generate a CRL that has moon's actual certificate revokedTobias Brunner2016-03-101-0/+3
| |
| * ike-sa: Improve interaction between flush_auth_cfg and delayed revocation checksTobias Brunner2016-03-101-26/+37
| |
| * ikev2: Delay online revocation checks during make-before-break reauthenticationTobias Brunner2016-03-101-0/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We do these checks after the SA is fully established. When establishing an SA the responder is always able to install the CHILD_SA created with the IKE_SA before the initiator can do so. During make-before-break reauthentication this could cause traffic sent by the responder to get dropped if the installation of the SA on the initiator is delayed e.g. by OCSP/CRL checks. In particular, if the OCSP/CRL URIs are reachable via IPsec tunnel (e.g. with rightsubnet=0.0.0.0/0) the initiator is unable to reach them during make-before-break reauthentication as it wouldn't be able to decrypt the response that the responder sends using the new CHILD_SA. By delaying the revocation checks until the make-before-break reauthentication is completed we avoid the problems described above. Since this only affects reauthentication, not the original IKE_SA, and the delay until the checks are performed is usually not that long this doesn't impose much of a reduction in the overall security.
| * ikev2: Add task that verifies a peer's certificateTobias Brunner2016-03-107-2/+183
| | | | | | | | | | | | On failure the SA is deleted and reestablished as configured. The task is activated after the REAUTH_COMPLETE task so a make-before-break reauth is completed before the new SA might get torn down.
| * ikev2: Initiate other tasks after a no-op taskTobias Brunner2016-03-101-1/+1
| |
| * ikev2: Don't do online revocation checks in pubkey authenticator if requestedTobias Brunner2016-03-101-1/+8
| | | | | | | | We also update the auth config so the constraints are not enforced.
| * ike-sa: Add condition to suspend online certificate revocation checks for an ↵Tobias Brunner2016-03-101-0/+5
| | | | | | | | IKE_SA
| * ike-sa: Add method to verify certificates in completed authentication roundsTobias Brunner2016-03-102-0/+111
| |
| * auth-cfg: Add a rule to suspend certificate validation constraintsTobias Brunner2016-03-102-0/+18
| |
| * credential-manager: Check cache queue when destroying trusted certificate ↵Tobias Brunner2016-03-101-1/+2
| | | | | | | | | | | | | | | | | | | | enumerator We already do this in the trusted public key enumerator (which internally uses the trusted certificate enumerator) but should do so also when this enumerator is used directly (since the public key enumerator has the read lock the additional call will just be skipped there).
| * credential-manager: Make online revocation checks optional for public key ↵Tobias Brunner2016-03-106-7/+14
|/ | | | enumerator
* Merge branch 'charon-conf-fallback'Tobias Brunner2016-03-084-2/+61
|\ | | | | | | | | | | | | Makes charon-systemd and charon-svc also load settings from the charon section in strongswan.conf. Fixes #1300.
| * charon-svc: Inherit all settings from the charon sectionTobias Brunner2016-03-081-0/+9
| | | | | | | | Same as with charon-systemd.
| * charon-systemd: Inherit all settings from the charon sectionTobias Brunner2016-03-081-0/+9
| | | | | | | | | | | | | | | | Our default config files are very charon specific. So to avoid confusion when only charon-systemd is installed we just default to all settings defined for charon. Since charon-systemd probably won't be used together with charon this should not cause conflicts (settings may still be overridden via the charon-systemd section).
| * library: Add option to register additional namespaces before calling ↵Tobias Brunner2016-03-082-2/+43
|/ | | | | | | | | | library_init() Because settings are already accessed in library_init(), calling add_fallback() externally after calling library_init() is not ideal. This way namespaces already serve as fallback while library_init() is executed and they are also in the correct order so that libstrongswan is always the last root section.
* vici: Replace child configs atomicallyTobias Brunner2016-03-081-14/+11
| | | | This also leaves unmodified configs as they are.
* peer-cfg: Add method to atomically replace child configsTobias Brunner2016-03-082-2/+128
|
* ike-cfg: Use new method to compare proposal lists in equals()Tobias Brunner2016-03-081-20/+4
|
* peer-cfg: Use new method to compare linked lists in equals()Tobias Brunner2016-03-081-36/+3
| | | | This also compares the complete lists not only the first two items.
* child-cfg: Add equals() methodTobias Brunner2016-03-082-2/+62
|
* linked-list: Add method to compare two lists of objects for equalityTobias Brunner2016-03-083-2/+166
|
* vici: Order auth rounds by optional `round` parameter instead of by position ↵Tobias Brunner2016-03-082-40/+74
| | | | in the request
* ikev1: Send NAT-D payloads after vendor ID payloads in Aggressive Mode messagesTobias Brunner2016-03-071-6/+6
| | | | | | | Some implementations might otherwise not recognize the NAT-D payload type. Also moves SIG and HASH payloads last in these messages. Fixes #1239.
* ike-sa-manager: Log a checkin/failure message for every checkoutThomas Egerer2016-03-071-8/+32
| | | | Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* testing: Added swanctl/mult-auth-rsa-eap-sim-id scenarioAndreas Steffen2016-03-0620-0/+335
|
* testing: Added swanctl/xauth-rsa scenarioAndreas Steffen2016-03-0611-0/+211
|
* Display IKE ports with swanctl --list-sasAndreas Steffen2016-03-051-4/+9
|
* Version bump to 5.4.0rc1Andreas Steffen2016-03-051-1/+1
|
* testing: attr-sql is a charon plugin5.4.0dr8Andreas Steffen2016-03-0511-42/+10
|
* testing: Added swanctl/rw-psk-ikev1 scenarioAndreas Steffen2016-03-0511-0/+271
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-07 14:17:34 +0000