aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon/plugins/stroke
Commit message (Collapse)AuthorAgeFilesLines
* libcharon: Use lib->ns instead of charon->nameTobias Brunner2014-02-123-6/+6
|
* stroke: Use chunk_map() instead of non-portable mmap()Martin Willi2014-01-231-30/+6
|
* chunk: Externalize error reporting in chunk_write()Martin Willi2014-01-231-1/+10
| | | | | This avoids passing that arbitrary label just for error messages, and gives greater flexibility in handling errors.
* stroke: Ensure the buffer of strings in a stroke_msg_t is null-terminatedTobias Brunner2014-01-231-2/+5
| | | | | Otherwise a malicious user could send an unterminated string to cause unterminated reads.
* stroke: Add an option to prevent log level changes via stroke socketTobias Brunner2014-01-231-2/+15
|
* stroke: Fix error message if parsing leftsourceip failsTobias Brunner2014-01-061-1/+1
|
* leak-detective: Use callback functions to report leaks and usage informationMartin Willi2013-11-061-1/+22
| | | | This is more flexible than printing reports to a FILE.
* stroke: Reuse reqids of established CHILD_SAs when routing connectionsTobias Brunner2013-10-171-1/+45
|
* stroke: List proposals in statusall without leading '/' in AH SAsMartin Willi2013-10-111-1/+7
|
* stroke: Configure proposal with AH protocol if 'ah' option setMartin Willi2013-10-112-11/+16
|
* stroke: don't remove a matching peer config if used by other child configsMartin Willi2013-09-131-4/+3
| | | | | When configurations get merged during add, we should not remove peer configs if other connection entries use the same peer config.
* Fixed double free causing swapped ends to crash5.1.1dr3Andreas Steffen2013-09-071-1/+0
|
* ike: support multiple addresses, ranges and subnets in IKE address configMartin Willi2013-09-042-25/+65
| | | | | | | Replace the allowany semantic by a more powerful subnet and IP range matching. Multiple addresses, DNS names, subnets and ranges can be specified in a comma separated list. Initiators ignore the ranges/subnets, responders match configurations against all addresses, ranges and subnets.
* ike-cfg: remove the to be obsoleted allow any parameter in get_my/other_addrMartin Willi2013-09-042-5/+3
|
* stroke: ignore a leftsourceip if a rightsourceip is given as wellMartin Willi2013-09-041-1/+7
| | | | | | As we always negotiate virtual IPs in charon, having both left- and rightsourceip is not allowed. Both in IKEv1 and IKEv2 we support a single configuration payload exchange only.
* stroke: re-enable modeconfig keywordMartin Willi2013-09-041-1/+1
|
* peer-cfg: add a pull/push mode option to use with mode configMartin Willi2013-09-041-0/+1
|
* stroke: stop enumerating IKE_SAs in statusall if output stream gets closedMartin Willi2013-08-231-1/+1
| | | | | | | If the output stream is not interested in more information, it can close the the stream. Checking for stream errors avoids useless enumeration of IKE_SAs, saving resources. This allows to use "ipsec statusall | head" to monitor the daemon, or stop enumerating IKE_SAs after a specific entry has been found.
* stream-service: move CAP_CHOWN check from plugins to service constructorMartin Willi2013-07-181-8/+2
| | | | | A plugin service can be a TCP socket now, so it does not make much sense to strictly check for CAP_CHOWN.
* stroke: use a stream service to handle stroke requestsMartin Willi2013-07-181-227/+48
|
* capabilities: Some plugins don't actually require capabilities at runtimeTobias Brunner2013-07-181-1/+1
|
* automake: replace INCLUDES by AM_CPPFLAGSMartin Willi2013-07-181-6/+8
| | | | | | INCLUDES are now deprecated and throw warnings when using automake 1.13. We now also differentiate AM_CPPFLAGS and AM_CFLAGS, where includes and defines are passed to AM_CPPFLAGS only.
* child-sa: replace get_traffic_selectors() with create_ts_enumerator()Martin Willi2013-07-171-3/+10
| | | | | Not directly returning a linked list allows us to change the internals of the CHILD_SA transparently.
* stroke: Add certificates extracted from PKCS#12 files to correct credential setTobias Brunner2013-07-151-4/+4
| | | | | Only keys and shared secrets are moved from the temporary credential set after loading all secrets.
* Use strpfx() helper where appropriateTobias Brunner2013-07-082-12/+11
|
* Reuse reqid for trap policies installed for dpd|closeaction=holdTobias Brunner2013-07-011-1/+1
|
* stroke: Changed how proto/port are specified in left|rightsubnetTobias Brunner2013-06-281-1/+8
| | | | Using a colon as separator conflicts with IPv6 addresses.
* capabilities: CAP_CHOWN might be required by many plugins opening UNIX socketsTobias Brunner2013-06-251-0/+6
| | | | | But as the sockets will be created with the user/group of the running process this might not be required as no change may be needed.
* capabilities: Move global capabilities_t instance to libstrongswanTobias Brunner2013-06-251-2/+2
|
* stroke: support %dynamic in left/rightsubnet for dynamic selectorsMartin Willi2013-06-191-2/+10
| | | | | | | This has the same meaning as omitting left/rightsubnet, i.e. replace it by the IKE address. Supporting %dynamic allows configurations with multiple dynamic selectors in a left/rightsubnet, each with potentially different proto/port selectors.
* stroke: support a specific proto/port for each net defined in left/rightsubnetMartin Willi2013-06-191-3/+105
|
* stroke: add exportconn{cert,chain} commands in addition to exportx509Martin Willi2013-06-191-6/+65
| | | | | The new commands either export a single end entity certificate or the full trust chain for a specific connection name.
* Refactored plugin-loader with improved dependency resolutionTobias Brunner2013-06-111-0/+1
| | | | | | With the new implementation the plugins don't have to be listed in any special order, dependencies are properly resolved. The order only matters if two plugins provide the same feature.
* stroke: Add second password if providedTobias Brunner2013-05-081-0/+13
|
* stroke: Fail silently if another builder calls PW callback after giving upTobias Brunner2013-05-081-9/+14
| | | | Also reduced the number of tries to 3.
* stroke: Cache passwords so the user is not prompted multiple times for the ↵Tobias Brunner2013-05-081-1/+13
| | | | | | | | | | same password To verify/decrypt a PKCS#12 container a password might be needed multiple times. If it was entered correctly we don't want to bother the user again with another password prompt. The passwords for MAC creation and encryption could be different so the user might be prompted multiple times after all.
* stroke: Fix prompt and error messages in passphrase callbackTobias Brunner2013-05-081-11/+13
|
* stroke: Load credentials from PKCS#12 files (P12 token)Tobias Brunner2013-05-081-15/+92
|
* Load any type (RSA/ECDSA) of public key via left|rightsigkeyTobias Brunner2013-05-073-17/+17
|
* left|rightrsasigkey accepts SSH keys but the key format has to be specified ↵Tobias Brunner2013-05-071-12/+22
| | | | | | | explicitly The default is now PKCS#1. With the dns: and ssh: prefixes other formats can be selected.
* Try to load raw keys from ipsec.conf as PKCS#1 blob firstTobias Brunner2013-05-071-5/+12
| | | | | The DNSKEY builder is quite eager and parses pretty much anything as RSA key, so this has to be done before.
* List all stroke counters when "all" is given, and report if connection not knownMartin Willi2013-04-031-30/+88
|
* Load raw keys before possibly destroying the identityTobias Brunner2013-04-011-12/+11
| | | | | | | | If no identity (or %any) is configured the identification_t object is destroyed and an invalid object was associated with the created pubkey certificate. Actually using %any does not work as the certificate would not match when the client later provides an identity.
* enforce singular of packetsAndreas Steffen2013-03-221-4/+6
|
* Avoid a race condition when reloading secrets from ipsec.secretsTobias Brunner2013-03-201-18/+25
| | | | | | | With the previous implementation that cleared the secrets in the active credential set and then loaded the secrets, IKE SA establishment would fail (as initiator or responder) if secrets are concurrently reloaded and the required secret was not yet loaded.
* Don't try to mmap() empty ipsec.secret filesMartin Willi2013-03-191-1/+5
|
* In stroke counters, check if we have an IKE_SA before getting the name from itMartin Willi2013-03-191-3/+6
| | | | | Fixes a segfault when receiving an invalid IKE SPI, where we don't have an IKE_SA for the raised alert.
* Algorithms are not really specific to an IKE versionTobias Brunner2013-03-181-1/+1
| | | | | | But not all of them can be used with IKEv1. Fixes #314.
* Merge branch 'radius-ext'Martin Willi2013-03-181-6/+9
|\ | | | | | | | | | | Bring some extensions to eap-radius, namely a virtual IP address provider based on received Framed-IPs, forwarding of Cisco Unity banners, Interim Accounting updates and the reporting of sent/received packets.
| * Report the number of processed packets in "ipsec statusall"Martin Willi2013-03-141-5/+9
| |
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-02 02:29:04 +0000