aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon/plugins/stroke
Commit message (Collapse)AuthorAgeFilesLines
* stroke: Properly parse bliss key strength in public key constraintTobias Brunner2015-03-251-1/+1
|
* child-sa: Add a new state to track rekeyed IKEv1 CHILD_SAsTobias Brunner2015-03-251-1/+2
| | | | | | This is needed to handle DELETEs properly, which was previously done via CHILD_REKEYING, which we don't use anymore since 5c6a62ceb6 as it prevents reauthentication.
* stroke: Use %u to print stats returned by mallinfo(3)Tobias Brunner2015-03-131-1/+1
| | | | References #886.
* stroke: Enable BLISS-based public key constraintsTobias Brunner2015-03-041-4/+19
|
* stroke: Support public key constraints for EAP methodsMartin Willi2015-03-031-1/+8
|
* stroke: Serve ca section CA certificates directly, not over central CA setMartin Willi2015-03-033-5/+85
| | | | | | | This makes these CA certificates independent from the purge issued by reread commands. Certificates loaded by CA sections can be removed through ipsec.conf update/reread, while CA certificates loaded implicitly from ipsec.d/cacerts can individually be reread using ipsec rereadcacerts.
* stroke: Purge existing CA/AA certificates during rereadMartin Willi2015-03-031-0/+4
|
* stroke: Use separate credential sets for CA/AA certificatesMartin Willi2015-03-031-3/+21
|
* stroke: Refactor load_certdir functionMartin Willi2015-03-031-108/+158
|
* mem-pool: Pass the remote IKE address, to re-acquire() an address during reauthMartin Willi2015-02-201-6/+7
| | | | | | | | | | | With make-before-break IKEv2 re-authentication, virtual IP addresses must be assigned overlapping to the same peer. With the remote IKE address, the backend can detect re-authentication attempts by comparing the remote host address and port. This allows proper reassignment of the virtual IP if it is re-requested. This change removes the mem-pool.reassign_online option, as it is obsolete now. IPs get automatically reassigned if a peer re-requests the same address, and additionally connects from the same address and port.
* attribute-handler: Pass full IKE_SA to handler backendsMartin Willi2015-02-201-2/+1
|
* attribute-provider: Pass full IKE_SA to provider backendsMartin Willi2015-02-201-5/+9
|
* attributes: Move the configuration attributes framework to libcharonMartin Willi2015-02-201-5/+8
|
* kernel-interface: Raise expires with a proto/SPI/dst tuple instead of reqidMartin Willi2015-02-201-3/+3
|
* controller: Use the CHILD_SA unique_id to terminate CHILD_SAsMartin Willi2015-02-201-1/+1
|
* stroke: List CHILD_SA unique ID as the primary identifier, but print reqid, tooMartin Willi2015-02-201-5/+6
|
* Implemented full BLISS support for IKEv2 public key authentication and the ↵Andreas Steffen2014-11-292-5/+19
| | | | pki tool
* stroke: Add support for address range definitions of in-memory poolsTobias Brunner2014-10-301-7/+33
|
* stroke: Allow specifying the ipsec.secrets location in strongswan.confShea Levy2014-10-021-2/+10
|
* stroke: Don't log unspecified options of conn and ca sectionsTobias Brunner2014-06-301-37/+50
|
* starter: Add a replay_window connection optionMartin Willi2014-06-171-0/+4
|
* plugins: Don't link with -rdynamic on WindowsMartin Willi2014-06-041-1/+1
|
* ike: Add an additional but separate AEAD proposal to CHILD configMartin Willi2014-05-161-0/+1
| | | | | | | This currently has no effect: We don't include AEAD algorithms in the default ESP proposal, as we don't know if it is supported by the backend. But as we hopefully get an algorithm query mechanism on kernel interfaces some day, we add the appropriate functionality nonetheless.
* ike: Add an additional but separate AEAD proposal to IKE config, if supportedMartin Willi2014-05-161-0/+1
|
* enum: Return boolean result for enum_from_name() lookupMartin Willi2014-05-161-2/+1
| | | | | | | | | | | Handling the result for enum_from_name() is difficult, as checking for negative return values requires a cast if the enum type is unsigned. The new signature clearly differentiates lookup result from lookup value. Further, this actually allows to convert real -1 enum values, which could not be distinguished from "not-found" and the -1 return value. This also fixes several clang warnings where enums are unsigned.
* stroke: Fix memory leak when printing unknown AC group OIDsTobias Brunner2014-04-091-0/+1
|
* x509: Replace fixed acert group string getter by a more dynamic group enumeratorMartin Willi2014-03-311-16/+68
|
* stroke: Use thread-safe dirname(3)Tobias Brunner2014-02-241-6/+4
|
* stroke: Use dirname(3) correctlyTobias Brunner2014-02-241-5/+5
|
* stroke: Use proper modifiers to print size_t argumentsTobias Brunner2014-02-181-1/+1
|
* libcharon: Use lib->ns instead of charon->nameTobias Brunner2014-02-123-6/+6
|
* stroke: Use chunk_map() instead of non-portable mmap()Martin Willi2014-01-231-30/+6
|
* chunk: Externalize error reporting in chunk_write()Martin Willi2014-01-231-1/+10
| | | | | This avoids passing that arbitrary label just for error messages, and gives greater flexibility in handling errors.
* stroke: Ensure the buffer of strings in a stroke_msg_t is null-terminatedTobias Brunner2014-01-231-2/+5
| | | | | Otherwise a malicious user could send an unterminated string to cause unterminated reads.
* stroke: Add an option to prevent log level changes via stroke socketTobias Brunner2014-01-231-2/+15
|
* stroke: Fix error message if parsing leftsourceip failsTobias Brunner2014-01-061-1/+1
|
* leak-detective: Use callback functions to report leaks and usage informationMartin Willi2013-11-061-1/+22
| | | | This is more flexible than printing reports to a FILE.
* stroke: Reuse reqids of established CHILD_SAs when routing connectionsTobias Brunner2013-10-171-1/+45
|
* stroke: List proposals in statusall without leading '/' in AH SAsMartin Willi2013-10-111-1/+7
|
* stroke: Configure proposal with AH protocol if 'ah' option setMartin Willi2013-10-112-11/+16
|
* stroke: don't remove a matching peer config if used by other child configsMartin Willi2013-09-131-4/+3
| | | | | When configurations get merged during add, we should not remove peer configs if other connection entries use the same peer config.
* Fixed double free causing swapped ends to crash5.1.1dr3Andreas Steffen2013-09-071-1/+0
|
* ike: support multiple addresses, ranges and subnets in IKE address configMartin Willi2013-09-042-25/+65
| | | | | | | Replace the allowany semantic by a more powerful subnet and IP range matching. Multiple addresses, DNS names, subnets and ranges can be specified in a comma separated list. Initiators ignore the ranges/subnets, responders match configurations against all addresses, ranges and subnets.
* ike-cfg: remove the to be obsoleted allow any parameter in get_my/other_addrMartin Willi2013-09-042-5/+3
|
* stroke: ignore a leftsourceip if a rightsourceip is given as wellMartin Willi2013-09-041-1/+7
| | | | | | As we always negotiate virtual IPs in charon, having both left- and rightsourceip is not allowed. Both in IKEv1 and IKEv2 we support a single configuration payload exchange only.
* stroke: re-enable modeconfig keywordMartin Willi2013-09-041-1/+1
|
* peer-cfg: add a pull/push mode option to use with mode configMartin Willi2013-09-041-0/+1
|
* stroke: stop enumerating IKE_SAs in statusall if output stream gets closedMartin Willi2013-08-231-1/+1
| | | | | | | If the output stream is not interested in more information, it can close the the stream. Checking for stream errors avoids useless enumeration of IKE_SAs, saving resources. This allows to use "ipsec statusall | head" to monitor the daemon, or stop enumerating IKE_SAs after a specific entry has been found.
* stream-service: move CAP_CHOWN check from plugins to service constructorMartin Willi2013-07-181-8/+2
| | | | | A plugin service can be a TCP socket now, so it does not make much sense to strictly check for CAP_CHOWN.
* stroke: use a stream service to handle stroke requestsMartin Willi2013-07-181-227/+48
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-04 05:21:31 +0000