aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon/plugins/stroke
Commit message (Collapse)AuthorAgeFilesLines
* peer-cfg: Use struct to pass data to constructorTobias Brunner2016-04-091-24/+29
|
* child-cfg: Use struct to pass data to constructorTobias Brunner2016-04-091-31/+36
|
* Use standard unsigned integer typesAndreas Steffen2016-03-245-27/+27
|
* stroke: Correctly print IKE SPIs stored in network orderTobias Brunner2016-03-041-2/+4
|
* auth-cfg: Make IKE signature schemes configurableTobias Brunner2016-03-041-3/+4
| | | | | | This also restores the charon.signature_authentication_constraints functionality, that is, if no explicit IKE signature schemes are configured we apply all regular signature constraints as IKE constraints.
* libhydra: Remove empty unused libraryTobias Brunner2016-03-031-1/+0
|
* libhydra: Move kernel interface to libcharonTobias Brunner2016-03-033-7/+3
| | | | This moves hydra->kernel_interface to charon->kernel.
* utils: Add enum name for pseudo log group 'any'Tobias Brunner2016-02-051-10/+3
|
* stroke: List DH groups for CHILD_SA proposalsTobias Brunner2015-12-211-23/+19
| | | | Closes strongswan/strongswan#23.
* Apply pubkey and signature constraints in vici pluginAndreas Steffen2015-12-171-114/+2
|
* Refactored certificate management for the vici and stroke interfaces5.4.0dr1Andreas Steffen2015-12-121-128/+29
|
* Standardized printing of certificate informationAndreas Steffen2015-12-111-445/+68
| | | | | | | The certificate_printer class allows the printing of certificate information to a text file (usually stdout). This class is used by the pki --print and swanctl --list-certs commands as well as by the stroke plugin.
* traffic-selector: Don't end printf'ed list of traffic selectors with a spaceTobias Brunner2015-11-101-3/+3
|
* stroke: Make down-nb actually non-blockingTobias Brunner2015-11-091-31/+40
| | | | Fixes #1191.
* Explicitly mention SHA2 algorithm in BLISS OIDs and signature schemesAndreas Steffen2015-11-061-3/+3
|
* ike: Only consider number of half-open SAs as responder when deciding ↵Tobias Brunner2015-08-271-1/+1
| | | | whether COOKIEs are sent
* controller: Optionally adhere to init limits also when initiating IKE_SAsTobias Brunner2015-08-211-2/+2
|
* stroke: Allow %any as local addressTobias Brunner2015-08-211-3/+7
| | | | | Actually, resolving addresses in `left` might be overkill as we'll assume left=local anyway (the only difference is the log message).
* stroke: Add an option to disable side-swapping of configuration optionsTobias Brunner2015-08-211-33/+46
| | | | | In some scenarios it might be preferred to ensure left is always local and no unintended swaps occur.
* stroke: Change how CA certificates are storedTobias Brunner2015-08-205-58/+285
| | | | | | | | | | | Since 11c14bd2f5 CA certificates referenced in ca sections were enumerated by two credential sets if they were also stored in ipsec.d/cacerts. This caused duplicate certificate requests to get sent. All CA certificates, whether loaded automatically or via a ca section, are now stored in stroke_ca_t. Certificates referenced in ca sections are now also reloaded when `ipsec rereadcacerts` is used.
* stroke: Combine CA certificate load methodsTobias Brunner2015-08-201-82/+74
| | | | | Also use the right credential set for CA cert references loaded from stroke_ca_t.
* stroke: Atomically replace CA and AA certificates when reloading themTobias Brunner2015-08-201-34/+45
| | | | | Previously it was possible that certificates were not found between the time the credential sets were cleared and the certificates got readded.
* stroke: Properly parse bliss key strength in public key constraintTobias Brunner2015-03-251-1/+1
|
* child-sa: Add a new state to track rekeyed IKEv1 CHILD_SAsTobias Brunner2015-03-251-1/+2
| | | | | | This is needed to handle DELETEs properly, which was previously done via CHILD_REKEYING, which we don't use anymore since 5c6a62ceb6 as it prevents reauthentication.
* stroke: Use %u to print stats returned by mallinfo(3)Tobias Brunner2015-03-131-1/+1
| | | | References #886.
* stroke: Enable BLISS-based public key constraintsTobias Brunner2015-03-041-4/+19
|
* stroke: Support public key constraints for EAP methodsMartin Willi2015-03-031-1/+8
|
* stroke: Serve ca section CA certificates directly, not over central CA setMartin Willi2015-03-033-5/+85
| | | | | | | This makes these CA certificates independent from the purge issued by reread commands. Certificates loaded by CA sections can be removed through ipsec.conf update/reread, while CA certificates loaded implicitly from ipsec.d/cacerts can individually be reread using ipsec rereadcacerts.
* stroke: Purge existing CA/AA certificates during rereadMartin Willi2015-03-031-0/+4
|
* stroke: Use separate credential sets for CA/AA certificatesMartin Willi2015-03-031-3/+21
|
* stroke: Refactor load_certdir functionMartin Willi2015-03-031-108/+158
|
* mem-pool: Pass the remote IKE address, to re-acquire() an address during reauthMartin Willi2015-02-201-6/+7
| | | | | | | | | | | With make-before-break IKEv2 re-authentication, virtual IP addresses must be assigned overlapping to the same peer. With the remote IKE address, the backend can detect re-authentication attempts by comparing the remote host address and port. This allows proper reassignment of the virtual IP if it is re-requested. This change removes the mem-pool.reassign_online option, as it is obsolete now. IPs get automatically reassigned if a peer re-requests the same address, and additionally connects from the same address and port.
* attribute-handler: Pass full IKE_SA to handler backendsMartin Willi2015-02-201-2/+1
|
* attribute-provider: Pass full IKE_SA to provider backendsMartin Willi2015-02-201-5/+9
|
* attributes: Move the configuration attributes framework to libcharonMartin Willi2015-02-201-5/+8
|
* kernel-interface: Raise expires with a proto/SPI/dst tuple instead of reqidMartin Willi2015-02-201-3/+3
|
* controller: Use the CHILD_SA unique_id to terminate CHILD_SAsMartin Willi2015-02-201-1/+1
|
* stroke: List CHILD_SA unique ID as the primary identifier, but print reqid, tooMartin Willi2015-02-201-5/+6
|
* Implemented full BLISS support for IKEv2 public key authentication and the ↵Andreas Steffen2014-11-292-5/+19
| | | | pki tool
* stroke: Add support for address range definitions of in-memory poolsTobias Brunner2014-10-301-7/+33
|
* stroke: Allow specifying the ipsec.secrets location in strongswan.confShea Levy2014-10-021-2/+10
|
* stroke: Don't log unspecified options of conn and ca sectionsTobias Brunner2014-06-301-37/+50
|
* starter: Add a replay_window connection optionMartin Willi2014-06-171-0/+4
|
* plugins: Don't link with -rdynamic on WindowsMartin Willi2014-06-041-1/+1
|
* ike: Add an additional but separate AEAD proposal to CHILD configMartin Willi2014-05-161-0/+1
| | | | | | | This currently has no effect: We don't include AEAD algorithms in the default ESP proposal, as we don't know if it is supported by the backend. But as we hopefully get an algorithm query mechanism on kernel interfaces some day, we add the appropriate functionality nonetheless.
* ike: Add an additional but separate AEAD proposal to IKE config, if supportedMartin Willi2014-05-161-0/+1
|
* enum: Return boolean result for enum_from_name() lookupMartin Willi2014-05-161-2/+1
| | | | | | | | | | | Handling the result for enum_from_name() is difficult, as checking for negative return values requires a cast if the enum type is unsigned. The new signature clearly differentiates lookup result from lookup value. Further, this actually allows to convert real -1 enum values, which could not be distinguished from "not-found" and the -1 return value. This also fixes several clang warnings where enums are unsigned.
* stroke: Fix memory leak when printing unknown AC group OIDsTobias Brunner2014-04-091-0/+1
|
* x509: Replace fixed acert group string getter by a more dynamic group enumeratorMartin Willi2014-03-311-16/+68
|
* stroke: Use thread-safe dirname(3)Tobias Brunner2014-02-241-6/+4
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-07-25 15:45:05 +0000