path: root/src/libcharon/plugins/stroke
Commit message | Author | Age | Files | Lines

* support gre key in ikev1 [tteras] | Timo Teräs | 2017-11-20 | 1 file | -0/+5
    This implements gre key negotiation in ikev1 similarly to the ipsec-tools patch in alpine. The from/to port pair is internally used as gre key for gre protocol traffic selectors. Since from/to pairs 0/0xffff and 0xffff/0 have special meaning, the gre keys 0xffff and 0xffff0000 will not work. This is not standard compliant, and should probably not be upstreamed or used widely, but it is applied for interoperability with alpine racoon for the time being.

* charon: add optional source and remote overrides for initiate | Timo Teräs | 2017-11-20 | 1 file | -2/+3
    This introduces support for specifying optional IKE SA specific source and remote address for child sa initiation. This allows initiating a wildcard connection for a known address via vici. In addition this allows a simpler implementation of trap-any patches and is a prerequisite for dmvpn support.
    Signed-off-by: Timo Teräs <timo.teras@iki.fi>
* counters: Move IKE event counter collection from stroke to a separate plugin | Tobias Brunner | 2017-11-08 | 5 files | -387/+47

* stroke: Don't load configs with invalid proposals | Tobias Brunner | 2017-07-05 | 1 file | -7/+20
    References #2347.

* linked-list: Change return value of find_first() and signature of its callback | Tobias Brunner | 2017-05-26 | 2 files | -10/+8
    This avoids the unportable five pointer hack.

* Change interface for enumerator_create_filter() callback | Tobias Brunner | 2017-05-26 | 4 files | -82/+105
    This avoids the unportable 5 pointer hack, but requires enumerating in the callback.

* stroke: Make 96-bit truncation for SHA-256 configurable | Tobias Brunner | 2017-05-26 | 2 files | -1/+3

* child-cfg: Use flags for boolean options | Tobias Brunner | 2017-05-23 | 2 files | -5/+5
    Makes it potentially easier to add new flags.
* peer-cfg: Store mediated_by as name and not peer-cfg reference | Tobias Brunner | 2017-02-16 | 1 file | -21/+2
    This way updates to the mediation config are respected and the order in which configs are configured/loaded does not matter. The SQL plugin currently maintains the strong relationship between mediated and mediation connection (we could theoretically change that to a string too).

* stroke: Use peer name as namespace for shunt policies | Tobias Brunner | 2017-02-16 | 1 file | -2/+18
    The same goes for the start-action-job. When unrouting, we search for the first policy with a matching child-cfg.

* shunt-manager: Add an optional namespace for each shunt | Tobias Brunner | 2017-02-16 | 2 files | -3/+3
    This will allow us to reuse the names of child configs e.g. when they are defined in different connections.

* stroke: Default to %dynamic if no valid TS are specified in left|rightsubnet | Tobias Brunner | 2017-01-25 | 1 file | -57/+44
    Otherwise, we'd end up with an empty TS list, which is not valid. Because end->tohost is set to !end->subnets in starter the removed branch was never used.
* stroke: Load general PKCS#8 private keys | Andreas Steffen | 2016-12-17 | 2 files | -3/+9

* Save both base and delta CRLs to disk | Andreas Steffen | 2016-10-11 | 1 file | -1/+5

* vici: strongswan.conf cache_crls = yes saves fetched CRLs to disk | Andreas Steffen | 2016-10-11 | 2 files | -2/+6

* xof: Defined Extended Output Functions | Andreas Steffen | 2016-07-29 | 1 file | -0/+9

* stroke: Permanently store PINs in credential set | Tobias Brunner | 2016-06-06 | 1 file | -12/+35
    This fixes authentication with tokens that require the PIN for every signature. Fixes #1369.
* peer-cfg: Use struct to pass data to constructor | Tobias Brunner | 2016-04-09 | 1 file | -24/+29

* child-cfg: Use struct to pass data to constructor | Tobias Brunner | 2016-04-09 | 1 file | -31/+36

* Use standard unsigned integer types | Andreas Steffen | 2016-03-24 | 5 files | -27/+27

* stroke: Correctly print IKE SPIs stored in network order | Tobias Brunner | 2016-03-04 | 1 file | -2/+4

* auth-cfg: Make IKE signature schemes configurable | Tobias Brunner | 2016-03-04 | 1 file | -3/+4
    This also restores the charon.signature_authentication_constraints functionality, that is, if no explicit IKE signature schemes are configured we apply all regular signature constraints as IKE constraints.
* libhydra: Remove empty unused library | Tobias Brunner | 2016-03-03 | 1 file | -1/+0

* libhydra: Move kernel interface to libcharon | Tobias Brunner | 2016-03-03 | 3 files | -7/+3
    This moves hydra->kernel_interface to charon->kernel.

* utils: Add enum name for pseudo log group 'any' | Tobias Brunner | 2016-02-05 | 1 file | -10/+3

* stroke: List DH groups for CHILD_SA proposals | Tobias Brunner | 2015-12-21 | 1 file | -23/+19
    Closes strongswan/strongswan#23.

* Apply pubkey and signature constraints in vici plugin | Andreas Steffen | 2015-12-17 | 1 file | -114/+2

* Refactored certificate management for the vici and stroke interfaces [5.4.0dr1] | Andreas Steffen | 2015-12-12 | 1 file | -128/+29

* Standardized printing of certificate information | Andreas Steffen | 2015-12-11 | 1 file | -445/+68
    The certificate_printer class allows the printing of certificate information to a text file (usually stdout). This class is used by the pki --print and swanctl --list-certs commands as well as by the stroke plugin.
* traffic-selector: Don't end printf'ed list of traffic selectors with a space | Tobias Brunner | 2015-11-10 | 1 file | -3/+3

* stroke: Make down-nb actually non-blocking | Tobias Brunner | 2015-11-09 | 1 file | -31/+40
    Fixes #1191.

* Explicitly mention SHA2 algorithm in BLISS OIDs and signature schemes | Andreas Steffen | 2015-11-06 | 1 file | -3/+3

* ike: Only consider number of half-open SAs as responder when deciding whether COOKIEs are sent | Tobias Brunner | 2015-08-27 | 1 file | -1/+1
* controller: Optionally adhere to init limits also when initiating IKE_SAs | Tobias Brunner | 2015-08-21 | 1 file | -2/+2

* stroke: Allow %any as local address | Tobias Brunner | 2015-08-21 | 1 file | -3/+7
    Actually, resolving addresses in `left` might be overkill as we'll assume left=local anyway (the only difference is the log message).

* stroke: Add an option to disable side-swapping of configuration options | Tobias Brunner | 2015-08-21 | 1 file | -33/+46
    In some scenarios it might be preferred to ensure left is always local and no unintended swaps occur.

* stroke: Change how CA certificates are stored | Tobias Brunner | 2015-08-20 | 5 files | -58/+285
    Since 11c14bd2f5 CA certificates referenced in ca sections were enumerated by two credential sets if they were also stored in ipsec.d/cacerts. This caused duplicate certificate requests to get sent. All CA certificates, whether loaded automatically or via a ca section, are now stored in stroke_ca_t. Certificates referenced in ca sections are now also reloaded when `ipsec rereadcacerts` is used.

* stroke: Combine CA certificate load methods | Tobias Brunner | 2015-08-20 | 1 file | -82/+74
    Also use the right credential set for CA cert references loaded from stroke_ca_t.

* stroke: Atomically replace CA and AA certificates when reloading them | Tobias Brunner | 2015-08-20 | 1 file | -34/+45
    Previously it was possible that certificates were not found between the time the credential sets were cleared and the certificates got readded.
* stroke: Properly parse bliss key strength in public key constraint | Tobias Brunner | 2015-03-25 | 1 file | -1/+1

* child-sa: Add a new state to track rekeyed IKEv1 CHILD_SAs | Tobias Brunner | 2015-03-25 | 1 file | -1/+2
    This is needed to handle DELETEs properly, which was previously done via CHILD_REKEYING, which we don't use anymore since 5c6a62ceb6 as it prevents reauthentication.

* stroke: Use %u to print stats returned by mallinfo(3) | Tobias Brunner | 2015-03-13 | 1 file | -1/+1
    References #886.

* stroke: Enable BLISS-based public key constraints | Tobias Brunner | 2015-03-04 | 1 file | -4/+19

* stroke: Support public key constraints for EAP methods | Martin Willi | 2015-03-03 | 1 file | -1/+8

* stroke: Serve ca section CA certificates directly, not over central CA set | Martin Willi | 2015-03-03 | 3 files | -5/+85
    This makes these CA certificates independent from the purge issued by reread commands. Certificates loaded by CA sections can be removed through ipsec.conf update/reread, while CA certificates loaded implicitly from ipsec.d/cacerts can individually be reread using ipsec rereadcacerts.

* stroke: Purge existing CA/AA certificates during reread | Martin Willi | 2015-03-03 | 1 file | -0/+4

* stroke: Use separate credential sets for CA/AA certificates | Martin Willi | 2015-03-03 | 1 file | -3/+21

* stroke: Refactor load_certdir function | Martin Willi | 2015-03-03 | 1 file | -108/+158

* mem-pool: Pass the remote IKE address, to re-acquire() an address during reauth | Martin Willi | 2015-02-20 | 1 file | -6/+7
    With make-before-break IKEv2 re-authentication, virtual IP addresses must be assigned overlapping to the same peer. With the remote IKE address, the backend can detect re-authentication attempts by comparing the remote host address and port. This allows proper reassignment of the virtual IP if it is re-requested. This change removes the mem-pool.reassign_online option, as it is obsolete now. IPs get automatically reassigned if a peer re-requests the same address, and additionally connects from the same address and port.

* attribute-handler: Pass full IKE_SA to handler backends | Martin Willi | 2015-02-20 | 1 file | -2/+1