path: root/src/libcharon/plugins/stroke
Commit log (message; author, date, files changed, lines removed/added):

* stroke: Allow specifying the ipsec.secrets location in strongswan.conf
  Shea Levy, 2014-10-02, 1 file, -2/+10

* stroke: Don't log unspecified options of conn and ca sections
  Tobias Brunner, 2014-06-30, 1 file, -37/+50

* starter: Add a replay_window connection option
  Martin Willi, 2014-06-17, 1 file, -0/+4

* plugins: Don't link with -rdynamic on Windows
  Martin Willi, 2014-06-04, 1 file, -1/+1

* ike: Add an additional but separate AEAD proposal to CHILD config
  Martin Willi, 2014-05-16, 1 file, -0/+1

  This currently has no effect: We don't include AEAD algorithms in the default ESP proposal, as we don't know if it is supported by the backend. But as we hopefully get an algorithm query mechanism on kernel interfaces some day, we add the appropriate functionality nonetheless.

* ike: Add an additional but separate AEAD proposal to IKE config, if supported
  Martin Willi, 2014-05-16, 1 file, -0/+1

* enum: Return boolean result for enum_from_name() lookup
  Martin Willi, 2014-05-16, 1 file, -2/+1

  Handling the result for enum_from_name() is difficult, as checking for negative return values requires a cast if the enum type is unsigned. The new signature clearly differentiates lookup result from lookup value. Further, this actually allows converting real -1 enum values, which could not be distinguished from "not-found" and the -1 return value. This also fixes several clang warnings where enums are unsigned.

* stroke: Fix memory leak when printing unknown AC group OIDs
  Tobias Brunner, 2014-04-09, 1 file, -0/+1

* x509: Replace fixed acert group string getter by a more dynamic group enumerator
  Martin Willi, 2014-03-31, 1 file, -16/+68

* stroke: Use thread-safe dirname(3)
  Tobias Brunner, 2014-02-24, 1 file, -6/+4

* stroke: Use dirname(3) correctly
  Tobias Brunner, 2014-02-24, 1 file, -5/+5

* stroke: Use proper modifiers to print size_t arguments
  Tobias Brunner, 2014-02-18, 1 file, -1/+1

* libcharon: Use lib->ns instead of charon->name
  Tobias Brunner, 2014-02-12, 3 files, -6/+6

* stroke: Use chunk_map() instead of non-portable mmap()
  Martin Willi, 2014-01-23, 1 file, -30/+6

* chunk: Externalize error reporting in chunk_write()
  Martin Willi, 2014-01-23, 1 file, -1/+10

  This avoids passing that arbitrary label just for error messages, and gives greater flexibility in handling errors.

* stroke: Ensure the buffer of strings in a stroke_msg_t is null-terminated
  Tobias Brunner, 2014-01-23, 1 file, -2/+5

  Otherwise a malicious user could send an unterminated string to cause unterminated reads.

* stroke: Add an option to prevent log level changes via stroke socket
  Tobias Brunner, 2014-01-23, 1 file, -2/+15

* stroke: Fix error message if parsing leftsourceip fails
  Tobias Brunner, 2014-01-06, 1 file, -1/+1

* leak-detective: Use callback functions to report leaks and usage information
  Martin Willi, 2013-11-06, 1 file, -1/+22

  This is more flexible than printing reports to a FILE.

* stroke: Reuse reqids of established CHILD_SAs when routing connections
  Tobias Brunner, 2013-10-17, 1 file, -1/+45

* stroke: List proposals in statusall without leading '/' in AH SAs
  Martin Willi, 2013-10-11, 1 file, -1/+7

* stroke: Configure proposal with AH protocol if 'ah' option set
  Martin Willi, 2013-10-11, 2 files, -11/+16

* stroke: don't remove a matching peer config if used by other child configs
  Martin Willi, 2013-09-13, 1 file, -4/+3

  When configurations get merged during add, we should not remove peer configs if other connection entries use the same peer config.

* Fixed double free causing swapped ends to crash (tag: 5.1.1dr3)
  Andreas Steffen, 2013-09-07, 1 file, -1/+0

* ike: support multiple addresses, ranges and subnets in IKE address config
  Martin Willi, 2013-09-04, 2 files, -25/+65

  Replace the allowany semantic by a more powerful subnet and IP range matching. Multiple addresses, DNS names, subnets and ranges can be specified in a comma separated list. Initiators ignore the ranges/subnets, responders match configurations against all addresses, ranges and subnets.

* ike-cfg: remove the to be obsoleted allow any parameter in get_my/other_addr
  Martin Willi, 2013-09-04, 2 files, -5/+3

* stroke: ignore a leftsourceip if a rightsourceip is given as well
  Martin Willi, 2013-09-04, 1 file, -1/+7

  As we always negotiate virtual IPs in charon, having both left- and rightsourceip is not allowed. Both in IKEv1 and IKEv2 we support a single configuration payload exchange only.

* stroke: re-enable modeconfig keyword
  Martin Willi, 2013-09-04, 1 file, -1/+1

* peer-cfg: add a pull/push mode option to use with mode config
  Martin Willi, 2013-09-04, 1 file, -0/+1

* stroke: stop enumerating IKE_SAs in statusall if output stream gets closed
  Martin Willi, 2013-08-23, 1 file, -1/+1

  If the output stream is not interested in more information, it can close the stream. Checking for stream errors avoids useless enumeration of IKE_SAs, saving resources. This allows using "ipsec statusall | head" to monitor the daemon, or stopping the enumeration of IKE_SAs after a specific entry has been found.

* stream-service: move CAP_CHOWN check from plugins to service constructor
  Martin Willi, 2013-07-18, 1 file, -8/+2

  A plugin service can be a TCP socket now, so it does not make much sense to strictly check for CAP_CHOWN.

* stroke: use a stream service to handle stroke requests
  Martin Willi, 2013-07-18, 1 file, -227/+48

* capabilities: Some plugins don't actually require capabilities at runtime
  Tobias Brunner, 2013-07-18, 1 file, -1/+1

* automake: replace INCLUDES by AM_CPPFLAGS
  Martin Willi, 2013-07-18, 1 file, -6/+8

  INCLUDES are now deprecated and throw warnings when using automake 1.13. We now also differentiate AM_CPPFLAGS and AM_CFLAGS, where includes and defines are passed to AM_CPPFLAGS only.

* child-sa: replace get_traffic_selectors() with create_ts_enumerator()
  Martin Willi, 2013-07-17, 1 file, -3/+10

  Not directly returning a linked list allows us to change the internals of the CHILD_SA transparently.

* stroke: Add certificates extracted from PKCS#12 files to correct credential set
  Tobias Brunner, 2013-07-15, 1 file, -4/+4

  Only keys and shared secrets are moved from the temporary credential set after loading all secrets.

* Use strpfx() helper where appropriate
  Tobias Brunner, 2013-07-08, 2 files, -12/+11

* Reuse reqid for trap policies installed for dpd|closeaction=hold
  Tobias Brunner, 2013-07-01, 1 file, -1/+1

* stroke: Changed how proto/port are specified in left|rightsubnet
  Tobias Brunner, 2013-06-28, 1 file, -1/+8

  Using a colon as separator conflicts with IPv6 addresses.

* capabilities: CAP_CHOWN might be required by many plugins opening UNIX sockets
  Tobias Brunner, 2013-06-25, 1 file, -0/+6

  But as the sockets will be created with the user/group of the running process this might not be required as no change may be needed.

* capabilities: Move global capabilities_t instance to libstrongswan
  Tobias Brunner, 2013-06-25, 1 file, -2/+2

* stroke: support %dynamic in left/rightsubnet for dynamic selectors
  Martin Willi, 2013-06-19, 1 file, -2/+10

  This has the same meaning as omitting left/rightsubnet, i.e. replace it by the IKE address. Supporting %dynamic allows configurations with multiple dynamic selectors in a left/rightsubnet, each with potentially different proto/port selectors.

* stroke: support a specific proto/port for each net defined in left/rightsubnet
  Martin Willi, 2013-06-19, 1 file, -3/+105

* stroke: add exportconn{cert,chain} commands in addition to exportx509
  Martin Willi, 2013-06-19, 1 file, -6/+65

  The new commands either export a single end entity certificate or the full trust chain for a specific connection name.

* Refactored plugin-loader with improved dependency resolution
  Tobias Brunner, 2013-06-11, 1 file, -0/+1

  With the new implementation the plugins don't have to be listed in any special order, dependencies are properly resolved. The order only matters if two plugins provide the same feature.

* stroke: Add second password if provided
  Tobias Brunner, 2013-05-08, 1 file, -0/+13

* stroke: Fail silently if another builder calls PW callback after giving up
  Tobias Brunner, 2013-05-08, 1 file, -9/+14

  Also reduced the number of tries to 3.

* stroke: Cache passwords so the user is not prompted multiple times for the same password
  Tobias Brunner, 2013-05-08, 1 file, -1/+13

  To verify/decrypt a PKCS#12 container a password might be needed multiple times. If it was entered correctly we don't want to bother the user again with another password prompt. The passwords for MAC creation and encryption could be different so the user might be prompted multiple times after all.

* stroke: Fix prompt and error messages in passphrase callback
  Tobias Brunner, 2013-05-08, 1 file, -11/+13

* stroke: Load credentials from PKCS#12 files (P12 token)
  Tobias Brunner, 2013-05-08, 1 file, -15/+92