| Commit message (Collapse) | Author | Age | Files | Lines | |
|---|---|---|---|---|---|
| * | Fixed some typos, courtesy of codespell | Tobias Brunner | 2017-05-26 | 1 | -2/+2 |
| | | |||||
| * | addrblock: Narrow selectors when rekeying a CHILD_SA as original responder | Martin Willi | 2017-03-24 | 1 | -0/+1 |
| | | | | | | | | | | | | | If a the original responder narrows the selectors of its peer in addrblock, the peer gets a subset of that selectors. However, once the original responder initiates rekeying of that CHILD_SA, it sends the full selectors to the peer, and then narrows the received selectors locally for the installation, only. This is insufficient, as the peer ends up with wider selectors, sending traffic that the original responder will reject to the stricter IPsec policy. So additionally narrow the selectors when rekeying CHILD_SAs before sending the TS list to the peer. | ||||
| * | addrblock: Use dynamic TS narrowing instead of rejecting the whole CHILD_SA | Martin Willi | 2017-03-02 | 1 | -43/+28 |
| | | | | | | | | | Previously, the client had to propose no wider selectors than the certificate permits, otherwise the complete CHILD_SA was rejected. However, with IKEv2 we can dynamically narrow the selectors to what the certificate allows. This makes client and gateway configurations very simple by just proposing 0.0.0.0/0, narrowed to selectors the client is permitted to route into the network. | ||||
| * | addrblock: Support an optional non-strict mode accepting certs without addrblock | Martin Willi | 2017-03-02 | 1 | -3/+11 |
| | | | | | | | | This allows a gateway to enforce the addrblock policy on certificates that actually have the extension only. For (legacy) certificates not having the extension, traffic selectors are validated/narrowed by other means, most likely by the configuration. | ||||
| * | libhydra: Remove empty unused library | Tobias Brunner | 2016-03-03 | 1 | -1/+0 |
| | | |||||
| * | plugins: Don't link with -rdynamic on Windows | Martin Willi | 2014-06-04 | 1 | -1/+1 |
| | | |||||
| * | credmgr: introduce a hook function to catch trust chain validation errors | Martin Willi | 2013-07-18 | 1 | -1/+6 |
| | | |||||
| * | automake: replace INCLUDES by AM_CPPFLAGS | Martin Willi | 2013-07-18 | 1 | -3/+5 |
| | | | | | | | INCLUDES are now deprecated and throw warnings when using automake 1.13. We now also differentiate AM_CPPFLAGS and AM_CFLAGS, where includes and defines are passed to AM_CPPFLAGS only. | ||||
| * | addrblock: Use plugin features with soft dependency on X.509 decoding | Tobias Brunner | 2013-06-11 | 1 | -5/+34 |
| | | |||||
| * | Moved debug.[ch] to utils folder | Tobias Brunner | 2012-10-24 | 1 | -1/+1 |
| | | |||||
| * | Added a (not yet implemented) plugin_t method to reload plugin configuration | Martin Willi | 2011-04-15 | 1 | -0/+1 |
| | | |||||
| * | Added a get_name() function to plugin_t, create_plugin_enumerator enumerates ↵ | Martin Willi | 2011-04-15 | 2 | -2/+11 |
| | | | | | over plugin_t | ||||
| * | fixed cert_validator_t:validate interface | Andreas Steffen | 2011-01-07 | 1 | -5/+4 |
| | | |||||
| * | Use a seperate section for each nested struct member in INIT macro | Martin Willi | 2010-08-18 | 1 | -1/+5 |
| | | |||||
| * | Moved X509 ipAddrBlock checking to the addrblock plugin | Martin Willi | 2010-07-13 | 4 | -1/+216 |
| | | |||||
| * | Moved addrblock plugin to libcharon | Martin Willi | 2010-07-13 | 5 | -0/+293 |
 |
index : tteras/strongswan | |
| tteras' strongSwan tree | gitolite |
| aboutsummaryrefslogtreecommitdiffstats |