aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon/config
Commit message (Collapse)AuthorAgeFilesLines
* child-cfg: Ignore duplicate proposalsTobias Brunner2014-09-121-0/+11
| | | | | If ESP proposals are added once with and once without DH groups duplicates result during IKE_AUTH when DH groups are stripped.
* proposal: Fix equals()Tobias Brunner2014-09-121-5/+5
|
* child-cfg: Store connection specific replay window on CHILD_SA configMartin Willi2014-06-172-0/+38
|
* peer-cfg: Add missing UNIQUE_NEVER to unique_policy_namesMartin Willi2014-05-191-1/+2
|
* proposal: Don't return a default IKE proposal without encryption/AEAD algsMartin Willi2014-05-161-3/+23
|
* child-cfg: Allow passing NULL as proposal to add_proposal()Martin Willi2014-05-162-4/+7
| | | | Making the API consistent to the one of ike_cfg.
* ike-cfg: Allow passing NULL to add_proposal()Martin Willi2014-05-162-3/+7
| | | | | This simplifies adding default proposals with constructors potentially returning NULL.
* proposal: Use an additional "default" constructor specific to AEAD algorithmsMartin Willi2014-05-162-0/+31
| | | | | This allows a caller to create a separated proposal for supported AEAD algorithms, as required by RFC 5996.
* proposal: Don't include AEAD algorithms in the default proposalMartin Willi2014-05-161-61/+66
| | | | | | According to RFC 5996 3.3 we should use a separate proposal for AEAD algorithms. This was not clear in RFC 5282, hence we previously included both AEAD and non-AEAD algorithms in a single proposal.
* child-cfg: Fix removal of redundant traffic selectorsTobias Brunner2014-04-251-1/+1
| | | | | | | We have to make sure we compare every selected traffic selector with every other in the list. Fixes #577.
* ike-cfg: Properly compare IKE proposals for equality5.1.3rc1Tobias Brunner2014-04-031-1/+1
|
* proposal: Don't fail DH proposal matching if peer includes NONETobias Brunner2014-03-311-4/+19
| | | | | | | | The DH transform is optional for ESP/AH proposals. The initiator can include NONE (0) in its proposal to indicate that while it prefers to do a DH exchange, the responder may still decide to not do so. Fixes #532.
* uclibc only defines strndup(3) if _GNU_SOURCE is definedTobias Brunner2014-02-191-3/+3
| | | | References #516.
* Added NTRU key exchange to default IKE proposalAndreas Steffen2013-11-271-0/+4
|
* proposal: Add ECC Brainpool DH groups to the default proposalTobias Brunner2013-10-171-0/+4
|
* Doxygen fixesTobias Brunner2013-10-151-1/+1
|
* proposal: Strip redundant integrity algos for ESP proposals onlyMartin Willi2013-10-111-16/+19
|
* ike: support multiple addresses, ranges and subnets in IKE address configMartin Willi2013-09-042-46/+211
| | | | | | | Replace the allowany semantic by a more powerful subnet and IP range matching. Multiple addresses, DNS names, subnets and ranges can be specified in a comma separated list. Initiators ignore the ranges/subnets, responders match configurations against all addresses, ranges and subnets.
* ike-cfg: remove the to be obsoleted allow any parameter in get_my/other_addrMartin Willi2013-09-043-25/+12
|
* backends: use ike_cfg host matching functionsMartin Willi2013-09-041-38/+7
|
* ike-cfg: add methods to match a host against configured local/remote addressesMartin Willi2013-09-042-0/+62
|
* ike-cfg: add a method to resolve local/remote hosts with portMartin Willi2013-09-042-0/+30
|
* peer-cfg: add a pull/push mode option to use with mode configMartin Willi2013-09-042-4/+26
|
* proposal: correctly enumerate registered AEADs to build default IKE proposalMartin Willi2013-07-191-6/+22
| | | | AEADs are not returned (anymore) with the encryption enumerator.
* Fix various API doc issues and typosTobias Brunner2013-07-182-7/+7
| | | | Partially based on an old patch by Adrian-Ken Rueegsegger.
* proposal: use array to store proposal listMartin Willi2013-07-171-25/+18
| | | | Removes another two linked lists (0.5KB) of memory per IKE/CHILD_SA pair.
* proposal: use a single list to store all transformsMartin Willi2013-07-171-308/+174
| | | | | Beside that it makes the code actually simpler, it reduces the number of lists stored by each IKE_SA and each CHILD_SA by 4, which can be up to 1KB per SA.
* Raise an alert if the responding peer narrowed traffic selectorsMartin Willi2013-06-191-7/+24
|
* Use subset matching instead of is_contained_in() to select a child_cfgMartin Willi2013-06-131-4/+8
| | | | | | | If one selector has a wider IP range than the other, but the other has a wider port/protocol selector than the first one, none is completely contained in the other. The check for a match using is_contained_in() therefore would fail. Using get_subset() can handle such cases, fixing configuration selection.
* Add a DSCP configuration value to IKE configsMartin Willi2013-02-062-2/+23
|
* Added an option that allows to force IKEv1 fragmentationTobias Brunner2013-01-122-5/+19
|
* Use a connection specific option to en-/disable IKEv1 fragmentationTobias Brunner2012-12-242-3/+27
|
* Include 'aggressive' when comparing peer_cfg_t objectsTobias Brunner2012-11-071-0/+1
|
* proposal_t.strip_dh() takes a DH group to keep, using MODP_NONE will remove allTobias Brunner2012-10-243-6/+15
|
* Moved data structures to new collections subfolderTobias Brunner2012-10-247-7/+7
|
* Moved host_t and host_resolver_t to a new networking subfolderTobias Brunner2012-10-243-3/+3
|
* Only add an implicit PRF based on the MAC alg if no PRF given in proposalMartin Willi2012-10-241-38/+38
|
* Remove peer_cfg IKE version matching, as it is done in ike_cfg matchingMartin Willi2012-10-241-22/+3
|
* Respect IKE version while selecting an ike_cfg as responderMartin Willi2012-10-242-11/+34
|
* Remove version argument on peer_cfg constructor, use ike_cfg version insteadMartin Willi2012-10-242-11/+4
|
* Add IKE version information to ike_cfg_tMartin Willi2012-10-242-2/+24
|
* Move ike_version_t definition from peer_cfg_t to ike_cfg_tMartin Willi2012-10-244-24/+24
|
* Make sure we propose a dynamic TS if we don't have hosts to derive a TS fromTobias Brunner2012-09-211-10/+8
| | | | 7ee37114 removed this behavior.
* Derive a dynamic TS to multiple virtual IPsMartin Willi2012-09-184-48/+55
|
* Added possibility to register custom proposal keywordsTobias Brunner2012-09-131-2/+2
| | | | Keyword lookup and registration are handled via the new lib->proposal object.
* Removed len argument from proposal_get_token()Tobias Brunner2012-09-131-24/+23
| | | | Also use enumerators instead of lexparser.h to parse proposal strings.
* Ensure traffic selectors are dynamic before calling set_address() when ↵Tobias Brunner2012-09-121-2/+2
| | | | deriving them
* Add uniqueids=never to ignore INITIAL_CONTACT notifiesTobias Brunner2012-09-101-3/+5
| | | | | | With uniqueids=no the daemon still deletes any existing IKE_SA with the same peer if an INITIAL_CONTACT notify is received. With this new option it also ignores these notifies.
* Merge branch 'multi-vip'Martin Willi2012-08-312-35/+94
|\ | | | | | | | | | | | | Brings support for multiple virtual IPs and multiple pools in left/rigthsourceip definitions. Also introduces the new left/rightdns options to configure requested DNS server address family and respond with multiple connection specific servers.
| * Support multiple address pools configured on a peer_cfgMartin Willi2012-08-302-15/+46
| |
generated by cgit v1.2.3 (git 2.25.1) at 2025-07-29 14:33:11 +0000