aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon/plugins/stroke
Commit message (Collapse)AuthorAgeFilesLines
* stroke: Make down-nb actually non-blockingTobias Brunner2015-11-091-31/+40
| | | | Fixes #1191.
* Explicitly mention SHA2 algorithm in BLISS OIDs and signature schemesAndreas Steffen2015-11-061-3/+3
|
* ike: Only consider number of half-open SAs as responder when deciding ↵Tobias Brunner2015-08-271-1/+1
| | | | whether COOKIEs are sent
* controller: Optionally adhere to init limits also when initiating IKE_SAsTobias Brunner2015-08-211-2/+2
|
* stroke: Allow %any as local addressTobias Brunner2015-08-211-3/+7
| | | | | Actually, resolving addresses in `left` might be overkill as we'll assume left=local anyway (the only difference is the log message).
* stroke: Add an option to disable side-swapping of configuration optionsTobias Brunner2015-08-211-33/+46
| | | | | In some scenarios it might be preferred to ensure left is always local and no unintended swaps occur.
* stroke: Change how CA certificates are storedTobias Brunner2015-08-205-58/+285
| | | | | | | | | | | Since 11c14bd2f5 CA certificates referenced in ca sections were enumerated by two credential sets if they were also stored in ipsec.d/cacerts. This caused duplicate certificate requests to get sent. All CA certificates, whether loaded automatically or via a ca section, are now stored in stroke_ca_t. Certificates referenced in ca sections are now also reloaded when `ipsec rereadcacerts` is used.
* stroke: Combine CA certificate load methodsTobias Brunner2015-08-201-82/+74
| | | | | Also use the right credential set for CA cert references loaded from stroke_ca_t.
* stroke: Atomically replace CA and AA certificates when reloading themTobias Brunner2015-08-201-34/+45
| | | | | Previously it was possible that certificates were not found between the time the credential sets were cleared and the certificates got readded.
* stroke: Properly parse bliss key strength in public key constraintTobias Brunner2015-03-251-1/+1
|
* child-sa: Add a new state to track rekeyed IKEv1 CHILD_SAsTobias Brunner2015-03-251-1/+2
| | | | | | This is needed to handle DELETEs properly, which was previously done via CHILD_REKEYING, which we don't use anymore since 5c6a62ceb6 as it prevents reauthentication.
* stroke: Use %u to print stats returned by mallinfo(3)Tobias Brunner2015-03-131-1/+1
| | | | References #886.
* stroke: Enable BLISS-based public key constraintsTobias Brunner2015-03-041-4/+19
|
* stroke: Support public key constraints for EAP methodsMartin Willi2015-03-031-1/+8
|
* stroke: Serve ca section CA certificates directly, not over central CA setMartin Willi2015-03-033-5/+85
| | | | | | | This makes these CA certificates independent from the purge issued by reread commands. Certificates loaded by CA sections can be removed through ipsec.conf update/reread, while CA certificates loaded implicitly from ipsec.d/cacerts can individually be reread using ipsec rereadcacerts.
* stroke: Purge existing CA/AA certificates during rereadMartin Willi2015-03-031-0/+4
|
* stroke: Use separate credential sets for CA/AA certificatesMartin Willi2015-03-031-3/+21
|
* stroke: Refactor load_certdir functionMartin Willi2015-03-031-108/+158
|
* mem-pool: Pass the remote IKE address, to re-acquire() an address during reauthMartin Willi2015-02-201-6/+7
| | | | | | | | | | | With make-before-break IKEv2 re-authentication, virtual IP addresses must be assigned overlapping to the same peer. With the remote IKE address, the backend can detect re-authentication attempts by comparing the remote host address and port. This allows proper reassignment of the virtual IP if it is re-requested. This change removes the mem-pool.reassign_online option, as it is obsolete now. IPs get automatically reassigned if a peer re-requests the same address, and additionally connects from the same address and port.
* attribute-handler: Pass full IKE_SA to handler backendsMartin Willi2015-02-201-2/+1
|
* attribute-provider: Pass full IKE_SA to provider backendsMartin Willi2015-02-201-5/+9
|
* attributes: Move the configuration attributes framework to libcharonMartin Willi2015-02-201-5/+8
|
* kernel-interface: Raise expires with a proto/SPI/dst tuple instead of reqidMartin Willi2015-02-201-3/+3
|
* controller: Use the CHILD_SA unique_id to terminate CHILD_SAsMartin Willi2015-02-201-1/+1
|
* stroke: List CHILD_SA unique ID as the primary identifier, but print reqid, tooMartin Willi2015-02-201-5/+6
|
* Implemented full BLISS support for IKEv2 public key authentication and the ↵Andreas Steffen2014-11-292-5/+19
| | | | pki tool
* stroke: Add support for address range definitions of in-memory poolsTobias Brunner2014-10-301-7/+33
|
* stroke: Allow specifying the ipsec.secrets location in strongswan.confShea Levy2014-10-021-2/+10
|
* stroke: Don't log unspecified options of conn and ca sectionsTobias Brunner2014-06-301-37/+50
|
* starter: Add a replay_window connection optionMartin Willi2014-06-171-0/+4
|
* plugins: Don't link with -rdynamic on WindowsMartin Willi2014-06-041-1/+1
|
* ike: Add an additional but separate AEAD proposal to CHILD configMartin Willi2014-05-161-0/+1
| | | | | | | This currently has no effect: We don't include AEAD algorithms in the default ESP proposal, as we don't know if it is supported by the backend. But as we hopefully get an algorithm query mechanism on kernel interfaces some day, we add the appropriate functionality nonetheless.
* ike: Add an additional but separate AEAD proposal to IKE config, if supportedMartin Willi2014-05-161-0/+1
|
* enum: Return boolean result for enum_from_name() lookupMartin Willi2014-05-161-2/+1
| | | | | | | | | | | Handling the result for enum_from_name() is difficult, as checking for negative return values requires a cast if the enum type is unsigned. The new signature clearly differentiates lookup result from lookup value. Further, this actually allows to convert real -1 enum values, which could not be distinguished from "not-found" and the -1 return value. This also fixes several clang warnings where enums are unsigned.
* stroke: Fix memory leak when printing unknown AC group OIDsTobias Brunner2014-04-091-0/+1
|
* x509: Replace fixed acert group string getter by a more dynamic group enumeratorMartin Willi2014-03-311-16/+68
|
* stroke: Use thread-safe dirname(3)Tobias Brunner2014-02-241-6/+4
|
* stroke: Use dirname(3) correctlyTobias Brunner2014-02-241-5/+5
|
* stroke: Use proper modifiers to print size_t argumentsTobias Brunner2014-02-181-1/+1
|
* libcharon: Use lib->ns instead of charon->nameTobias Brunner2014-02-123-6/+6
|
* stroke: Use chunk_map() instead of non-portable mmap()Martin Willi2014-01-231-30/+6
|
* chunk: Externalize error reporting in chunk_write()Martin Willi2014-01-231-1/+10
| | | | | This avoids passing that arbitrary label just for error messages, and gives greater flexibility in handling errors.
* stroke: Ensure the buffer of strings in a stroke_msg_t is null-terminatedTobias Brunner2014-01-231-2/+5
| | | | | Otherwise a malicious user could send an unterminated string to cause unterminated reads.
* stroke: Add an option to prevent log level changes via stroke socketTobias Brunner2014-01-231-2/+15
|
* stroke: Fix error message if parsing leftsourceip failsTobias Brunner2014-01-061-1/+1
|
* leak-detective: Use callback functions to report leaks and usage informationMartin Willi2013-11-061-1/+22
| | | | This is more flexible than printing reports to a FILE.
* stroke: Reuse reqids of established CHILD_SAs when routing connectionsTobias Brunner2013-10-171-1/+45
|
* stroke: List proposals in statusall without leading '/' in AH SAsMartin Willi2013-10-111-1/+7
|
* stroke: Configure proposal with AH protocol if 'ah' option setMartin Willi2013-10-112-11/+16
|
* stroke: don't remove a matching peer config if used by other child configsMartin Willi2013-09-131-4/+3
| | | | | When configurations get merged during add, we should not remove peer configs if other connection entries use the same peer config.
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-12 05:15:49 +0000