path: root/src/libcharon/plugins/stroke/stroke_config.c
Commit message | Author | Age | Files | Lines
* stroke: Don't load configs with invalid proposals | Tobias Brunner | 2017-07-05 | 1 | -7/+20
|   References #2347.
* Change interface for enumerator_create_filter() callback | Tobias Brunner | 2017-05-26 | 1 | -7/+14
|   This avoids the unportable 5 pointer hack, but requires enumerating in the callback.
* stroke: Make 96-bit truncation for SHA-256 configurable | Tobias Brunner | 2017-05-26 | 1 | -1/+2
* child-cfg: Use flags for boolean options | Tobias Brunner | 2017-05-23 | 1 | -4/+4
|   Makes it potentially easier to add new flags.
* peer-cfg: Store mediated_by as name and not peer-cfg reference | Tobias Brunner | 2017-02-16 | 1 | -21/+2
|   This way updates to the mediation config are respected and the order in which configs are configured/loaded does not matter. The SQL plugin currently maintains the strong relationship between mediated and mediation connection (we could theoretically change that to a string too).
* stroke: Default to %dynamic if no valid TS are specified in left|rightsubnet | Tobias Brunner | 2017-01-25 | 1 | -57/+44
|   Otherwise, we'd end up with an empty TS list, which is not valid. Because end->tohost is set to !end->subnets in starter the removed branch was never used.
* peer-cfg: Use struct to pass data to constructor | Tobias Brunner | 2016-04-09 | 1 | -24/+29
* child-cfg: Use struct to pass data to constructor | Tobias Brunner | 2016-04-09 | 1 | -31/+36
* Use standard unsigned integer types | Andreas Steffen | 2016-03-24 | 1 | -7/+7
* auth-cfg: Make IKE signature schemes configurable | Tobias Brunner | 2016-03-04 | 1 | -3/+4
|   This also restores the charon.signature_authentication_constraints functionality, that is, if no explicit IKE signature schemes are configured we apply all regular signature constraints as IKE constraints.
* libhydra: Move kernel interface to libcharon | Tobias Brunner | 2016-03-03 | 1 | -3/+1
|   This moves hydra->kernel_interface to charon->kernel.
* Apply pubkey and signature constraints in vici plugin | Andreas Steffen | 2015-12-17 | 1 | -114/+2
* Explicitly mention SHA2 algorithm in BLISS OIDs and signature schemes | Andreas Steffen | 2015-11-06 | 1 | -3/+3
* stroke: Allow %any as local address | Tobias Brunner | 2015-08-21 | 1 | -3/+7
|   Actually, resolving addresses in `left` might be overkill as we'll assume left=local anyway (the only difference is the log message).
* stroke: Add an option to disable side-swapping of configuration options | Tobias Brunner | 2015-08-21 | 1 | -33/+46
|   In some scenarios it might be preferred to ensure left is always local and no unintended swaps occur.
* stroke: Properly parse bliss key strength in public key constraint | Tobias Brunner | 2015-03-25 | 1 | -1/+1
* stroke: Enable BLISS-based public key constraints | Tobias Brunner | 2015-03-04 | 1 | -4/+19
* stroke: Support public key constraints for EAP methods | Martin Willi | 2015-03-03 | 1 | -1/+8
* stroke: Add support for address range definitions of in-memory pools | Tobias Brunner | 2014-10-30 | 1 | -7/+33
* starter: Add a replay_window connection option | Martin Willi | 2014-06-17 | 1 | -0/+4
* ike: Add an additional but separate AEAD proposal to CHILD config | Martin Willi | 2014-05-16 | 1 | -0/+1
|   This currently has no effect: We don't include AEAD algorithms in the default ESP proposal, as we don't know if it is supported by the backend. But as we hopefully get an algorithm query mechanism on kernel interfaces some day, we add the appropriate functionality nonetheless.
* ike: Add an additional but separate AEAD proposal to IKE config, if supported | Martin Willi | 2014-05-16 | 1 | -0/+1
* stroke: Fix error message if parsing leftsourceip fails | Tobias Brunner | 2014-01-06 | 1 | -1/+1
* stroke: Configure proposal with AH protocol if 'ah' option set | Martin Willi | 2013-10-11 | 1 | -11/+14
* stroke: don't remove a matching peer config if used by other child configs | Martin Willi | 2013-09-13 | 1 | -4/+3
|   When configurations get merged during add, we should not remove peer configs if other connection entries use the same peer config.
* Fixed double free causing swapped ends to crash (tag: 5.1.1dr3) | Andreas Steffen | 2013-09-07 | 1 | -1/+0
* ike: support multiple addresses, ranges and subnets in IKE address config | Martin Willi | 2013-09-04 | 1 | -22/+63
|   Replace the allowany semantic by a more powerful subnet and IP range matching. Multiple addresses, DNS names, subnets and ranges can be specified in a comma separated list. Initiators ignore the ranges/subnets, responders match configurations against all addresses, ranges and subnets.
* ike-cfg: remove the to be obsoleted allow any parameter in get_my/other_addr | Martin Willi | 2013-09-04 | 1 | -1/+1
* stroke: ignore a leftsourceip if a rightsourceip is given as well | Martin Willi | 2013-09-04 | 1 | -1/+7
|   As we always negotiate virtual IPs in charon, having both left- and rightsourceip is not allowed. Both in IKEv1 and IKEv2 we support a single configuration payload exchange only.
* stroke: re-enable modeconfig keyword | Martin Willi | 2013-09-04 | 1 | -1/+1
* peer-cfg: add a pull/push mode option to use with mode config | Martin Willi | 2013-09-04 | 1 | -0/+1
* Use strpfx() helper where appropriate | Tobias Brunner | 2013-07-08 | 1 | -5/+5
* stroke: Changed how proto/port are specified in left|rightsubnet | Tobias Brunner | 2013-06-28 | 1 | -1/+8
|   Using a colon as separator conflicts with IPv6 addresses.
* stroke: support %dynamic in left/rightsubnet for dynamic selectors | Martin Willi | 2013-06-19 | 1 | -2/+10
|   This has the same meaning as omitting left/rightsubnet, i.e. replace it by the IKE address. Supporting %dynamic allows configurations with multiple dynamic selectors in a left/rightsubnet, each with potentially different proto/port selectors.
* stroke: support a specific proto/port for each net defined in left/rightsubnet | Martin Willi | 2013-06-19 | 1 | -3/+105
* Load any type (RSA/ECDSA) of public key via left|rightsigkey | Tobias Brunner | 2013-05-07 | 1 | -2/+1
* Load raw keys before possibly destroying the identity | Tobias Brunner | 2013-04-01 | 1 | -12/+11
|   If no identity (or %any) is configured the identification_t object is destroyed and an invalid object was associated with the created pubkey certificate. Actually using %any does not work as the certificate would not match when the client later provides an identity.
* Merge branch 'multi-cert' | Martin Willi | 2013-03-01 | 1 | -15/+32
|\    Allows the configuration of multiple certificates in leftcert, and select the correct certificate to use based on the received certificate requests.
| * Load multiple comma separated certificates in the leftcert option | Martin Willi | 2013-01-18 | 1 | -15/+32
* | Merge branch 'opaque-ports' | Martin Willi | 2013-03-01 | 1 | -4/+4
|\ \    Adds a %opaque port option and support for port ranges in left/rightprotoport. Currently not supported by any of our kernel backends.
| * | Pass complete port range over stroke interface for more flexibility | Martin Willi | 2013-02-21 | 1 | -14/+4
| * | Use a complete port range in traffic_selector_create_from_{subnet,cidr} | Martin Willi | 2013-02-21 | 1 | -5/+15
| |/
* | Add a ikedscp ipsec.conf option to set DSCP value on outgoing IKE packets | Martin Willi | 2013-02-06 | 1 | -1/+1
* | Add a DSCP configuration value to IKE configs | Martin Willi | 2013-02-06 | 1 | -1/+2
|/
* Don't handle right=%any6 as "loose" identity, but as %any | Martin Willi | 2013-01-14 | 1 | -2/+1
* Merge branch 'ikev1-fragmentation' | Tobias Brunner | 2013-01-12 | 1 | -1/+2
|\    This adds support for the proprietary IKEv1 fragmentation extension. Conflicts: NEWS
| * Use a connection specific option to en-/disable IKEv1 fragmentation | Tobias Brunner | 2012-12-24 | 1 | -1/+2
* | Fixed some typos in comments | Volker Rümelin | 2013-01-11 | 1 | -1/+1
|/
* Make use of new CIDR string ts constructor where appropriate | Martin Willi | 2012-10-24 | 1 | -26/+11
* Remove version argument on peer_cfg constructor, use ike_cfg version instead | Martin Willi | 2012-10-24 | 1 | -2/+1
|