path: root/src/libcharon/sa/ikev2/authenticators
Commit log (columns: commit message, author, date, files changed, lines removed/added)
* ikev2: Move code in pubkey authenticator's build() method into separate functions
  Author: Tobias Brunner  Date: 2015-03-09  Files: 1  Lines: -85/+123
* ikev2: Try all eligible signature schemes
  Author: Tobias Brunner  Date: 2015-03-09  Files: 1  Lines: -34/+71

  Previously, we failed without recovery if a private key did not support a selected signature scheme (based on key strength and the other peer's supported hash algorithms).
* ikev2: Try all RSA signature schemes if none is configured
  Author: Tobias Brunner  Date: 2015-03-04  Files: 1  Lines: -4/+19
* ikev2: Add an option to disable constraints against signature schemes
  Author: Tobias Brunner  Date: 2015-03-04  Files: 1  Lines: -1/+11

  If this is disabled the schemes configured in `rightauth` are only checked against signature schemes used in the certificate chain and signature schemes used during IKEv2 are ignored. Disabling this could be helpful if existing connections with peers that don't support RFC 7427 use signature schemes in `rightauth` to verify certificate chains.
* ikev2: Fall back to SHA-1 signatures for RSA
  Author: Tobias Brunner  Date: 2015-03-04  Files: 1  Lines: -0/+7

  This is really just a fallback to "classic" IKEv2 authentication if the other peer supports no stronger hash algorithms.
* ikev2: Select a signature scheme appropriate for the given key
  Author: Tobias Brunner  Date: 2015-03-04  Files: 1  Lines: -18/+13

  By enumerating hashes we'd use SHA-1 by default. This way stronger signature schemes are preferred.
* ikev2: Log the actual signature scheme used for RFC 7427 authentication
  Author: Tobias Brunner  Date: 2015-03-04  Files: 1  Lines: -4/+6
* ikev2: Store signature scheme used to verify peer in auth_cfg
  Author: Tobias Brunner  Date: 2015-03-04  Files: 1  Lines: -0/+1

  This enables late connection switching based on the signature scheme used for IKEv2 and allows enforcing stronger signature schemes. This may break existing connections with peers that don't support RFC 7427 if signature schemes are currently used in `rightauth` for certificate chain validation and if the configured schemes are stronger than the default used for IKE (e.g. SHA-1 for RSA).
* ikev2: Remove private AUTH_BLISS method
  Author: Tobias Brunner  Date: 2015-03-04  Files: 1  Lines: -9/+0

  We use the new signature authentication instead for this. This is not backward compatible but we only released one version with BLISS support, and the key format will change anyway with the next release.
* ikev2: Handle RFC 7427 signature authentication in pubkey authenticator
  Author: Tobias Brunner  Date: 2015-03-04  Files: 1  Lines: -49/+178
* ikev2: Merge EAP client authentication details if EAP methods provide them
  Author: Martin Willi  Date: 2015-03-03  Files: 1  Lines: -0/+7
* Implemented full BLISS support for IKEv2 public key authentication and the pki tool
  Author: Andreas Steffen  Date: 2014-11-29  Files: 1  Lines: -0/+9
* payload: Use common prefixes for all payload type identifiers
  Author: Martin Willi  Date: 2014-06-04  Files: 3  Lines: -5/+5

  The old identifiers did not use a proper namespace and often clashed with other defines.
* Apply a mutual EAP auth_cfg not before the EAP method completes
  Author: Martin Willi  Date: 2013-02-26  Files: 1  Lines: -0/+10
* Log the proper type for virtual EAP methods
  Author: Tobias Brunner  Date: 2012-08-31  Files: 1  Lines: -1/+5
* Encode EAP-Naks in expanded format if we got an expanded type request
  Author: Tobias Brunner  Date: 2012-08-31  Files: 1  Lines: -2/+2

  Since methods defined by the IETF (vendor ID 0) could also be encoded in expanded type format the previous check was insufficient.
* Allow clients to request a configured EAP method via EAP-Nak
  Author: Tobias Brunner  Date: 2012-08-31  Files: 1  Lines: -4/+24
* Virtual EAP methods handle EAP-Naks themselves
  Author: Tobias Brunner  Date: 2012-08-31  Files: 1  Lines: -5/+17
* Send EAP-Nak with supported types if requested type is unsupported
  Author: Tobias Brunner  Date: 2012-08-31  Files: 1  Lines: -2/+4
* Add a return value to keymat_v2_t.get_auth_octets()
  Author: Martin Willi  Date: 2012-07-16  Files: 1  Lines: -6/+9
* Add a return value to keymat_v2_t.get_psk_sig()
  Author: Martin Willi  Date: 2012-07-16  Files: 2  Lines: -13/+27
* Use separate Doxygen groups for IKEv1 and IKEv2 entities (authenticators, tasks etc.).
  Author: Tobias Brunner  Date: 2012-05-18  Files: 3  Lines: -3/+3
* Merge branch 'ikev1'
  Author: Martin Willi  Date: 2012-05-02  Files: 1  Lines: -14/+3

  Conflicts:
    configure.in
    man/ipsec.conf.5.in
    src/libcharon/encoding/generator.c
    src/libcharon/encoding/payloads/notify_payload.c
    src/libcharon/encoding/payloads/notify_payload.h
    src/libcharon/encoding/payloads/payload.c
    src/libcharon/network/receiver.c
    src/libcharon/sa/authenticator.c
    src/libcharon/sa/authenticator.h
    src/libcharon/sa/ikev2/tasks/ike_init.c
    src/libcharon/sa/task_manager.c
    src/libstrongswan/credentials/auth_cfg.c
* Moved eap/xauth classes out of protocol specific subdirectories
  Author: Martin Willi  Date: 2012-03-20  Files: 5  Lines: -463/+1
* Separated libcharon/sa directory with ikev1 and ikev2 subfolders
  Author: Martin Willi  Date: 2012-03-20  Files: 10  Lines: -0/+1877