path: root/src/libcharon/config
Commit log (message, author, date, files changed, lines removed/added):

* child-cfg: Add option to prefer supplied proposals over locally configured ones
  Tobias Brunner, 2016-06-17, 2 files, -18/+33

* ike-cfg: Add option to prefer supplied proposals over locally configured ones
  Tobias Brunner, 2016-06-17, 2 files, -27/+43

* proposal: Remove MODP_NONE from IKE proposals parsed from strings
  Tobias Brunner, 2016-06-17, 1 file, -0/+10

* proposal: Handle MODP_NONE in both directions when selecting proposals
  Tobias Brunner, 2016-06-17, 1 file, -6/+14

* vici list-conns sends reauthentication and rekeying time information
  Andreas Steffen, 2016-05-04, 3 files, -4/+9

* proposal: Remove some weaker and rarely used DH groups from the default proposal
  Tobias Brunner, 2016-05-04, 1 file, -3/+5

  This fixes an interoperability issue with Windows Server 2012 R2 gateways. They insist on using modp1024 for IKE, however, Microsoft's IKEv2 implementation seems only to consider the first 15 DH groups in the proposal. Depending on the loaded plugins, modp1024 is now at position 17 or even later, causing the server to reject the proposal. By removing some of the weaker and rarely used DH groups from the default proposal we make sure modp1024 is among the first 15 DH groups. The removed groups may still be used by configuring custom proposals.

* Implemented IPsec policies restricted to given network interface
  Andreas Steffen, 2016-04-09, 2 files, -6/+27

* Support manually-set IPsec policy priorities
  Andreas Steffen, 2016-04-09, 2 files, -0/+25

* peer-cfg: Use struct to pass data to constructor
  Tobias Brunner, 2016-04-09, 2 files, -72/+72

* child-cfg: Use struct to pass data to constructor
  Tobias Brunner, 2016-04-09, 2 files, -76/+62

* Use standard unsigned integer types
  Andreas Steffen, 2016-03-24, 8 files, -84/+84

* peer-cfg: Add method to atomically replace child configs
  Tobias Brunner, 2016-03-08, 2 files, -2/+128

* ike-cfg: Use new method to compare proposal lists in equals()
  Tobias Brunner, 2016-03-08, 1 file, -20/+4

* peer-cfg: Use new method to compare linked lists in equals()
  Tobias Brunner, 2016-03-08, 1 file, -36/+3

  This also compares the complete lists, not only the first two items.

* child-cfg: Add equals() method
  Tobias Brunner, 2016-03-08, 2 files, -2/+62

* peer-cfg: Set DPD timeout to at least DPD delay
  Tobias Brunner, 2016-02-01, 1 file, -0/+4

  If DPD timeout is set but to a value smaller than the DPD delay, the code in task_manager_v1.c:queue_liveliness_check will run into an integer underrun.

* 128 bit default security strength for IKE and ESP algorithms
  Andreas Steffen, 2015-12-17, 1 file, -40/+140

  The default ESP cipher suite is now AES_CBC-128/HMAC_SHA2_256_128 and requires SHA-2 HMAC support in the Linux kernel (correctly implemented since 2.6.33). The default IKE cipher suite is now AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256 if the openssl plugin is loaded or AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072 if ECC is not available. The use of the SHA-1 hash algorithm and the MODP_2048 DH group has been deprecated and ENCR_CHACHA20_POLY1305 has been added to the default IKE AEAD algorithms.

* traffic-selector: Don't end printf'ed list of traffic selectors with a space
  Tobias Brunner, 2015-11-10, 1 file, -1/+1

* Fix some Doxygen issues
  Tobias Brunner, 2015-08-27, 1 file, -3/+3

* ike-cfg: Add helper function to determine address family of IP addresses
  Tobias Brunner, 2015-07-27, 2 files, -1/+59

  All configured static addresses (hostnames, ranges or subnets are not considered) must be of the same family, otherwise AF_UNSPEC is returned.

* proposal: Add default PRF for HMAC-MD5-128 and HMAC-SHA1-160 integrity algorithms
  Tobias Brunner, 2014-10-31, 1 file, -0/+2

* ike-cfg: Use host_create_from_range() helper
  Tobias Brunner, 2014-10-30, 1 file, -16/+1

* child-cfg: Ignore duplicate proposals
  Tobias Brunner, 2014-09-12, 1 file, -0/+11

  If ESP proposals are added once with and once without DH groups, duplicates result during IKE_AUTH when DH groups are stripped.

* proposal: Fix equals()
  Tobias Brunner, 2014-09-12, 1 file, -5/+5

* child-cfg: Store connection specific replay window on CHILD_SA config
  Martin Willi, 2014-06-17, 2 files, -0/+38

* peer-cfg: Add missing UNIQUE_NEVER to unique_policy_names
  Martin Willi, 2014-05-19, 1 file, -1/+2

* proposal: Don't return a default IKE proposal without encryption/AEAD algs
  Martin Willi, 2014-05-16, 1 file, -3/+23

* child-cfg: Allow passing NULL as proposal to add_proposal()
  Martin Willi, 2014-05-16, 2 files, -4/+7

  Making the API consistent with that of ike_cfg.

* ike-cfg: Allow passing NULL to add_proposal()
  Martin Willi, 2014-05-16, 2 files, -3/+7

  This simplifies adding default proposals with constructors potentially returning NULL.

* proposal: Use an additional "default" constructor specific to AEAD algorithms
  Martin Willi, 2014-05-16, 2 files, -0/+31

  This allows a caller to create a separate proposal for supported AEAD algorithms, as required by RFC 5996.

* proposal: Don't include AEAD algorithms in the default proposal
  Martin Willi, 2014-05-16, 1 file, -61/+66

  According to RFC 5996 3.3 we should use a separate proposal for AEAD algorithms. This was not clear in RFC 5282, hence we previously included both AEAD and non-AEAD algorithms in a single proposal.

* child-cfg: Fix removal of redundant traffic selectors
  Tobias Brunner, 2014-04-25, 1 file, -1/+1

  We have to make sure we compare every selected traffic selector with every other in the list. Fixes #577.

* ike-cfg: Properly compare IKE proposals for equality (tag: 5.1.3rc1)
  Tobias Brunner, 2014-04-03, 1 file, -1/+1

* proposal: Don't fail DH proposal matching if peer includes NONE
  Tobias Brunner, 2014-03-31, 1 file, -4/+19

  The DH transform is optional for ESP/AH proposals. The initiator can include NONE (0) in its proposal to indicate that while it prefers to do a DH exchange, the responder may still decide to not do so. Fixes #532.

* uclibc only defines strndup(3) if _GNU_SOURCE is defined
  Tobias Brunner, 2014-02-19, 1 file, -3/+3

  References #516.

* Added NTRU key exchange to default IKE proposal
  Andreas Steffen, 2013-11-27, 1 file, -0/+4

* proposal: Add ECC Brainpool DH groups to the default proposal
  Tobias Brunner, 2013-10-17, 1 file, -0/+4

* Doxygen fixes
  Tobias Brunner, 2013-10-15, 1 file, -1/+1

* proposal: Strip redundant integrity algos for ESP proposals only
  Martin Willi, 2013-10-11, 1 file, -16/+19

* ike: support multiple addresses, ranges and subnets in IKE address config
  Martin Willi, 2013-09-04, 2 files, -46/+211

  Replace the allowany semantic by a more powerful subnet and IP range matching. Multiple addresses, DNS names, subnets and ranges can be specified in a comma separated list. Initiators ignore the ranges/subnets, responders match configurations against all addresses, ranges and subnets.

* ike-cfg: remove the to-be-obsoleted allow any parameter in get_my/other_addr
  Martin Willi, 2013-09-04, 3 files, -25/+12

* backends: use ike_cfg host matching functions
  Martin Willi, 2013-09-04, 1 file, -38/+7

* ike-cfg: add methods to match a host against configured local/remote addresses
  Martin Willi, 2013-09-04, 2 files, -0/+62

* ike-cfg: add a method to resolve local/remote hosts with port
  Martin Willi, 2013-09-04, 2 files, -0/+30

* peer-cfg: add a pull/push mode option to use with mode config
  Martin Willi, 2013-09-04, 2 files, -4/+26

* proposal: correctly enumerate registered AEADs to build default IKE proposal
  Martin Willi, 2013-07-19, 1 file, -6/+22

  AEADs are not returned (anymore) with the encryption enumerator.

* Fix various API doc issues and typos
  Tobias Brunner, 2013-07-18, 2 files, -7/+7

  Partially based on an old patch by Adrian-Ken Rueegsegger.

* proposal: use array to store proposal list
  Martin Willi, 2013-07-17, 1 file, -25/+18

  Removes another two linked lists (0.5KB) of memory per IKE/CHILD_SA pair.

* proposal: use a single list to store all transforms
  Martin Willi, 2013-07-17, 1 file, -308/+174

  Besides making the code actually simpler, it reduces the number of lists stored by each IKE_SA and each CHILD_SA by 4, which can be up to 1KB per SA.

* Raise an alert if the responding peer narrowed traffic selectors
  Martin Willi, 2013-06-19, 1 file, -7/+24