aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon/config
Commit message (Collapse)AuthorAgeFilesLines
* Fixed some typos, courtesy of codespellTobias Brunner2017-11-151-1/+1
|
* proposal: Remove MODP-1024 from default IKE proposalTobias Brunner2017-11-081-2/+2
| | | | | | | | RFC 8247 demoted it to SHOULD NOT. This might break connections with Windows clients unless they are configured to use a stronger group or matching weak proposals are configured explicitly on the server. References #2427.
* proposal: Remove MD5 from default IKE proposalTobias Brunner2017-11-081-2/+5
| | | | | | RFC 8247 demoted MD5 to MUST NOT. References #2427.
* proposal: Remove deprecated algorithms from default ESP and AH proposalsTobias Brunner2017-11-081-4/+0
| | | | | | | This removes algorithms that were deprecated by RFC 8221 (3DES, BF, MD5) from the default proposals for ESP and AH. References #8247.
* child-cfg: Optionally set mark on inbound SATobias Brunner2017-11-021-0/+3
|
* ike-cfg: Fix memory leak when checking for configured addressTobias Brunner2017-08-291-0/+1
|
* peer-cfg: Use an rwlock instead of a mutex to safely access child-cfgsTobias Brunner2017-07-271-15/+15
| | | | | | | | | | If multiple threads want to enumerate child-cfgs and potentially lock other locks (e.g. check out IKE_SAs) while doing so a deadlock could be caused (as was the case with VICI configs with start_action=start). It should also improve performance for roadwarrior connections and lots of clients connecting concurrently. Fixes #2374.
* ike-cfg: Fix memory leak when matching against rangesTobias Brunner2017-05-291-1/+1
| | | | | | | traffic_selector_t::to_subnet() always sets the net/host (unless the address family was invalid). Fixes: 3070697f9f7c ("ike: support multiple addresses, ranges and subnets in IKE address config")
* linked-list: Change return value of find_first() and signature of its callbackTobias Brunner2017-05-261-3/+6
| | | | This avoids the unportable five pointer hack.
* Change interface for enumerator_create_filter() callbackTobias Brunner2017-05-262-31/+39
| | | | | This avoids the unportable 5 pointer hack, but requires enumerating in the callback.
* Migrate all enumerators to venumerate() interface changeTobias Brunner2017-05-261-7/+15
|
* child-cfg: Optionally use 96-bit truncation for HMAC-SHA-256Tobias Brunner2017-05-261-0/+3
| | | | | | | | The correct truncation is 128-bit but some implementations insist on using 96-bit truncation. With strongSwan this can be negotiated using an algorithm identifier from a private range. But this doesn't work with third-party implementations. This adds an option to use 96-bit truncation even if the official identifier is used.
* child-cfg: Add flag to enable hardware offloadTobias Brunner2017-05-231-0/+3
|
* child-cfg: Use flags for boolean optionsTobias Brunner2017-05-232-120/+47
| | | | Makes it potentially easier to add new flags.
* Add an option to announce support for IKE fragmentation but not sending ↵Tobias Brunner2017-05-231-3/+5
| | | | fragments
* child-cfg: Always apply hosts to traffic selectors if proposing transport modeTobias Brunner2017-02-271-14/+19
| | | | | | | | | | | | | | Usually, %dynamic is used as traffic selector for transport mode SAs, however, if wildcard traps are used then the remote TS will be a subnet. With strongSwan at the remote end that usually works fine as the local %dynamic TS narrows the proposed TS appropriately. But some implementations reject non-host TS for transport mode SAs. Another problem could be if several distinct subnets are configured for a wildcard trap, as we'd then propose unrelated subnets on that transport mode SA, which might be problematic even for strongSwan (switch to tunnel mode and duplicate policies). Closes strongswan/strongswan#61.
* ike-cfg: Add helper function to determine if a given IP address was configuredTobias Brunner2017-02-172-2/+46
|
* peer-cfg: Store mediated_by as name and not peer-cfg referenceTobias Brunner2017-02-162-14/+14
| | | | | | | | | This way updates to the mediation config are respected and the order in which configs are configured/loaded does not matter. The SQL plugin currently maintains the strong relationship between mediated and mediation connection (we could theoretically change that to a string too).
* proposal: Copy SPI and proposal number from correct proposal in select()Tobias Brunner2017-02-064-7/+22
| | | | | | | | If charon.prefer_configured_proposals is disabled select() is called on the received proposal. This incorrectly set the SPI to 0 as the configured proposal has no SPI set. Fixes #2190.
* proposal: Remove RFC 5114 MODP DH groups from default proposalMartin Willi2016-11-151-2/+4
| | | | | | | | | | | | | | Recent research demonstrates that at least for 1024-bit DH groups, it is possible to create specially crafted primes having a backdoor. From the prime itself this is not detectable, creating a perfect NOBUS attack. http://eprint.iacr.org/2016/961 For the primes defined in RFC 5114 no information is provided on how these have been selected. In the default proposal we included one of the 2048-bit primes only, where it is questionable if constructing a backdoored prime is feasible. Nevertheless, this patch removes the group from the set of default proposals as well.
* proposal: Add curve25519 and curve448 to default proposalTobias Brunner2016-11-141-0/+2
|
* peer-cfg: Fix memory leak when replacing child configsTobias Brunner2016-11-111-0/+1
| | | | | Fixes: 622c2b2c3386 ("peer-cfg: Add method to atomically replace child configs")
* Fixed some typos, courtesy of codespellTobias Brunner2016-10-141-1/+1
|
* proposal: Correctly add AES-GMAC for AH proposalsTobias Brunner2016-10-051-0/+41
| | | | | | We parse aes*gmac as encryption algorithm, which we have to map to an integrity algorithm. We also make sure we remove all other encryption algorithms and ensure there is an integrity algorithm.
* proposal: Enforce separate proposals for AEAD and classic encryption algorithmsTobias Brunner2016-10-051-16/+22
|
* proposal: Make sure there is a PRF defined in IKE proposalsTobias Brunner2016-10-051-14/+34
| | | | But filter PRFs from ESP proposals.
* proposal: Make DH groups mandatory in IKE proposals parsed from stringsTobias Brunner2016-10-051-4/+11
| | | | References #2051.
* child-cfg: Add setting that controls whether outbound FWD policies are installedTobias Brunner2016-09-282-0/+24
|
* Created newhope plugin implementing the New Hope key exchange algorithmAndreas Steffen2016-08-101-0/+1
|
* child-cfg: Add option to prefer supplied proposals over locally configured onesTobias Brunner2016-06-172-18/+33
|
* ike-cfg: Add option to prefer supplied proposals over locally configured onesTobias Brunner2016-06-172-27/+43
|
* proposal: Remove MODP_NONE from IKE proposals parsed from stringsTobias Brunner2016-06-171-0/+10
|
* proposal: Handle MODP_NONE in both directions when selecting proposalsTobias Brunner2016-06-171-6/+14
|
* vici list-conns sends reauthentication and rekeying time informationAndreas Steffen2016-05-043-4/+9
|
* proposal: Remove some weaker and rarely used DH groups from the default proposalTobias Brunner2016-05-041-3/+5
| | | | | | | | | | | This fixes an interoperability issue with Windows Server 2012 R2 gateways. They insist on using modp1024 for IKE, however, Microsoft's IKEv2 implementation seems only to consider the first 15 DH groups in the proposal. Depending on the loaded plugins modp1024 is now at position 17 or even later, causing the server to reject the proposal. By removing some of the weaker and rarely used DH groups from the default proposal we make sure modp1024 is among the first 15 DH groups. The removed groups may still be used by configuring custom proposals.
* Implemented IPsec policies restricted to given network interfaceAndreas Steffen2016-04-092-6/+27
|
* Support manually-set IPsec policy prioritiesAndreas Steffen2016-04-092-0/+25
|
* peer-cfg: Use struct to pass data to constructorTobias Brunner2016-04-092-72/+72
|
* child-cfg: Use struct to pass data to constructorTobias Brunner2016-04-092-76/+62
|
* Use standard unsigned integer typesAndreas Steffen2016-03-248-84/+84
|
* peer-cfg: Add method to atomically replace child configsTobias Brunner2016-03-082-2/+128
|
* ike-cfg: Use new method to compare proposal lists in equals()Tobias Brunner2016-03-081-20/+4
|
* peer-cfg: Use new method to compare linked lists in equals()Tobias Brunner2016-03-081-36/+3
| | | | This also compares the complete lists not only the first two items.
* child-cfg: Add equals() methodTobias Brunner2016-03-082-2/+62
|
* peer-cfg: Set DPD timeout to at least DPD delayTobias Brunner2016-02-011-0/+4
| | | | | | If DPD timeout is set but to a value smaller than the DPD delay the code in task_manager_v1.c:queue_liveliness_check will run into an integer underrun.
* 128 bit default security strength for IKE and ESP algorithmsAndreas Steffen2015-12-171-40/+140
| | | | | | | | | | | | | | | | | The default ESP cipher suite is now AES_CBC-128/HMAC_SHA2_256_128 and requires SHA-2 HMAC support in the Linux kernel (correctly implemented since 2.6.33). The default IKE cipher suite is now AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256 if the openssl plugin is loaded or AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072 if ECC is not available. The use of the SHA-1 hash algorithm and the MODP_2048 DH group has been deprecated and ENCR_CHACHA20_POLY1305 has been added to the default IKE AEAD algorithms.
* traffic-selector: Don't end printf'ed list of traffic selectors with a spaceTobias Brunner2015-11-101-1/+1
|
* Fix some Doxygen issuesTobias Brunner2015-08-271-3/+3
|
* ike-cfg: Add helper function to determine address family of IP addressesTobias Brunner2015-07-272-1/+59
| | | | | All configured static addresses (hostnames, ranges or subnets are not considered) must be of the same family, otherwise AF_UNSPEC is returned.
* proposal: Add default PRF for HMAC-MD5-128 and HMAC-SHA1-160 integrity ↵Tobias Brunner2014-10-311-0/+2
| | | | algorithms
generated by cgit v1.2.3 (git 2.25.1) at 2025-07-28 06:52:39 +0000