path: root/src/libcharon/plugins/stroke
Commit log. Each entry lists: commit message | author | date | files changed | lines (-removed/+added), followed by the commit body where one exists.

* counters: Move IKE event counter collection from stroke to a separate plugin
  Tobias Brunner | 2017-11-08 | 5 files | -387/+47

* stroke: Don't load configs with invalid proposals
  Tobias Brunner | 2017-07-05 | 1 file | -7/+20
  References #2347.

* linked-list: Change return value of find_first() and signature of its callback
  Tobias Brunner | 2017-05-26 | 2 files | -10/+8
  This avoids the unportable five pointer hack.

* Change interface for enumerator_create_filter() callback
  Tobias Brunner | 2017-05-26 | 4 files | -82/+105
  This avoids the unportable 5 pointer hack, but requires enumerating in the callback.

* stroke: Make 96-bit truncation for SHA-256 configurable
  Tobias Brunner | 2017-05-26 | 2 files | -1/+3

* child-cfg: Use flags for boolean options
  Tobias Brunner | 2017-05-23 | 2 files | -5/+5
  Makes it potentially easier to add new flags.

* peer-cfg: Store mediated_by as name and not peer-cfg reference
  Tobias Brunner | 2017-02-16 | 1 file | -21/+2
  This way updates to the mediation config are respected and the order in which configs are configured/loaded does not matter. The SQL plugin currently maintains the strong relationship between mediated and mediation connection (we could theoretically change that to a string too).

* stroke: Use peer name as namespace for shunt policies
  Tobias Brunner | 2017-02-16 | 1 file | -2/+18
  The same goes for the start-action-job. When unrouting, we search for the first policy with a matching child-cfg.

* shunt-manager: Add an optional namespace for each shunt
  Tobias Brunner | 2017-02-16 | 2 files | -3/+3
  This will allow us to reuse the names of child configs e.g. when they are defined in different connections.

* stroke: Default to %dynamic if no valid TS are specified in left|rightsubnet
  Tobias Brunner | 2017-01-25 | 1 file | -57/+44
  Otherwise, we'd end up with an empty TS list, which is not valid. Because end->tohost is set to !end->subnets in starter the removed branch was never used.

* stroke: Load general PKCS#8 private keys
  Andreas Steffen | 2016-12-17 | 2 files | -3/+9

* Save both base and delta CRLs to disk
  Andreas Steffen | 2016-10-11 | 1 file | -1/+5

* vici: strongswan.conf cache_crls = yes saves fetched CRLs to disk
  Andreas Steffen | 2016-10-11 | 2 files | -2/+6

* xof: Defined Extended Output Functions
  Andreas Steffen | 2016-07-29 | 1 file | -0/+9

* stroke: Permanently store PINs in credential set
  Tobias Brunner | 2016-06-06 | 1 file | -12/+35
  This fixes authentication with tokens that require the PIN for every signature. Fixes #1369.

* peer-cfg: Use struct to pass data to constructor
  Tobias Brunner | 2016-04-09 | 1 file | -24/+29

* child-cfg: Use struct to pass data to constructor
  Tobias Brunner | 2016-04-09 | 1 file | -31/+36

* Use standard unsigned integer types
  Andreas Steffen | 2016-03-24 | 5 files | -27/+27

* stroke: Correctly print IKE SPIs stored in network order
  Tobias Brunner | 2016-03-04 | 1 file | -2/+4

* auth-cfg: Make IKE signature schemes configurable
  Tobias Brunner | 2016-03-04 | 1 file | -3/+4
  This also restores the charon.signature_authentication_constraints functionality, that is, if no explicit IKE signature schemes are configured we apply all regular signature constraints as IKE constraints.

* libhydra: Remove empty unused library
  Tobias Brunner | 2016-03-03 | 1 file | -1/+0

* libhydra: Move kernel interface to libcharon
  Tobias Brunner | 2016-03-03 | 3 files | -7/+3
  This moves hydra->kernel_interface to charon->kernel.

* utils: Add enum name for pseudo log group 'any'
  Tobias Brunner | 2016-02-05 | 1 file | -10/+3

* stroke: List DH groups for CHILD_SA proposals
  Tobias Brunner | 2015-12-21 | 1 file | -23/+19
  Closes strongswan/strongswan#23.

* Apply pubkey and signature constraints in vici plugin
  Andreas Steffen | 2015-12-17 | 1 file | -114/+2

* Refactored certificate management for the vici and stroke interfaces (tag: 5.4.0dr1)
  Andreas Steffen | 2015-12-12 | 1 file | -128/+29

* Standardized printing of certificate information
  Andreas Steffen | 2015-12-11 | 1 file | -445/+68
  The certificate_printer class allows the printing of certificate information to a text file (usually stdout). This class is used by the pki --print and swanctl --list-certs commands as well as by the stroke plugin.

* traffic-selector: Don't end printf'ed list of traffic selectors with a space
  Tobias Brunner | 2015-11-10 | 1 file | -3/+3

* stroke: Make down-nb actually non-blocking
  Tobias Brunner | 2015-11-09 | 1 file | -31/+40
  Fixes #1191.

* Explicitly mention SHA2 algorithm in BLISS OIDs and signature schemes
  Andreas Steffen | 2015-11-06 | 1 file | -3/+3

* ike: Only consider number of half-open SAs as responder when deciding whether COOKIEs are sent
  Tobias Brunner | 2015-08-27 | 1 file | -1/+1

* controller: Optionally adhere to init limits also when initiating IKE_SAs
  Tobias Brunner | 2015-08-21 | 1 file | -2/+2

* stroke: Allow %any as local address
  Tobias Brunner | 2015-08-21 | 1 file | -3/+7
  Actually, resolving addresses in `left` might be overkill as we'll assume left=local anyway (the only difference is the log message).

* stroke: Add an option to disable side-swapping of configuration options
  Tobias Brunner | 2015-08-21 | 1 file | -33/+46
  In some scenarios it might be preferred to ensure left is always local and no unintended swaps occur.

* stroke: Change how CA certificates are stored
  Tobias Brunner | 2015-08-20 | 5 files | -58/+285
  Since 11c14bd2f5 CA certificates referenced in ca sections were enumerated by two credential sets if they were also stored in ipsec.d/cacerts. This caused duplicate certificate requests to get sent. All CA certificates, whether loaded automatically or via a ca section, are now stored in stroke_ca_t. Certificates referenced in ca sections are now also reloaded when `ipsec rereadcacerts` is used.

* stroke: Combine CA certificate load methods
  Tobias Brunner | 2015-08-20 | 1 file | -82/+74
  Also use the right credential set for CA cert references loaded from stroke_ca_t.

* stroke: Atomically replace CA and AA certificates when reloading them
  Tobias Brunner | 2015-08-20 | 1 file | -34/+45
  Previously it was possible that certificates were not found between the time the credential sets were cleared and the certificates got re-added.

* stroke: Properly parse bliss key strength in public key constraint
  Tobias Brunner | 2015-03-25 | 1 file | -1/+1

* child-sa: Add a new state to track rekeyed IKEv1 CHILD_SAs
  Tobias Brunner | 2015-03-25 | 1 file | -1/+2
  This is needed to handle DELETEs properly, which was previously done via CHILD_REKEYING, which we don't use anymore since 5c6a62ceb6 as it prevents reauthentication.

* stroke: Use %u to print stats returned by mallinfo(3)
  Tobias Brunner | 2015-03-13 | 1 file | -1/+1
  References #886.

* stroke: Enable BLISS-based public key constraints
  Tobias Brunner | 2015-03-04 | 1 file | -4/+19

* stroke: Support public key constraints for EAP methods
  Martin Willi | 2015-03-03 | 1 file | -1/+8

* stroke: Serve ca section CA certificates directly, not over central CA set
  Martin Willi | 2015-03-03 | 3 files | -5/+85
  This makes these CA certificates independent from the purge issued by reread commands. Certificates loaded by CA sections can be removed through ipsec.conf update/reread, while CA certificates loaded implicitly from ipsec.d/cacerts can individually be reread using ipsec rereadcacerts.

* stroke: Purge existing CA/AA certificates during reread
  Martin Willi | 2015-03-03 | 1 file | -0/+4

* stroke: Use separate credential sets for CA/AA certificates
  Martin Willi | 2015-03-03 | 1 file | -3/+21

* stroke: Refactor load_certdir function
  Martin Willi | 2015-03-03 | 1 file | -108/+158

* mem-pool: Pass the remote IKE address, to re-acquire() an address during reauth
  Martin Willi | 2015-02-20 | 1 file | -6/+7
  With make-before-break IKEv2 re-authentication, virtual IP addresses must be assigned overlapping to the same peer. With the remote IKE address, the backend can detect re-authentication attempts by comparing the remote host address and port. This allows proper reassignment of the virtual IP if it is re-requested. This change removes the mem-pool.reassign_online option, as it is obsolete now. IPs get automatically reassigned if a peer re-requests the same address, and additionally connects from the same address and port.

* attribute-handler: Pass full IKE_SA to handler backends
  Martin Willi | 2015-02-20 | 1 file | -2/+1

* attribute-provider: Pass full IKE_SA to provider backends
  Martin Willi | 2015-02-20 | 1 file | -5/+9

* attributes: Move the configuration attributes framework to libcharon
  Martin Willi | 2015-02-20 | 1 file | -5/+8