aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon
Commit message (Collapse)AuthorAgeFilesLines
...
* ike-sa: Add method to verify certificates in completed authentication roundsTobias Brunner2016-03-102-0/+111
|
* credential-manager: Make online revocation checks optional for public key ↵Tobias Brunner2016-03-102-2/+2
| | | | enumerator
* vici: Replace child configs atomicallyTobias Brunner2016-03-081-14/+11
| | | | This also leaves unmodified configs as they are.
* peer-cfg: Add method to atomically replace child configsTobias Brunner2016-03-082-2/+128
|
* ike-cfg: Use new method to compare proposal lists in equals()Tobias Brunner2016-03-081-20/+4
|
* peer-cfg: Use new method to compare linked lists in equals()Tobias Brunner2016-03-081-36/+3
| | | | This also compares the complete lists not only the first two items.
* child-cfg: Add equals() methodTobias Brunner2016-03-082-2/+62
|
* vici: Order auth rounds by optional `round` parameter instead of by position ↵Tobias Brunner2016-03-081-40/+64
| | | | in the request
* ikev1: Send NAT-D payloads after vendor ID payloads in Aggressive Mode messagesTobias Brunner2016-03-071-6/+6
| | | | | | | Some implementations might otherwise not recognize the NAT-D payload type. Also moves SIG and HASH payloads last in these messages. Fixes #1239.
* ike-sa-manager: Log a checkin/failure message for every checkoutThomas Egerer2016-03-071-8/+32
| | | | Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* ike-sa-manager: Log some additional details like SPIs when checking out SAsTobias Brunner2016-03-041-7/+16
|
* smp: Correctly return IKE SPIs stored in network orderTobias Brunner2016-03-041-4/+4
|
* vici: Correctly return IKE SPIs stored in network orderTobias Brunner2016-03-041-2/+4
|
* stroke: Correctly print IKE SPIs stored in network orderTobias Brunner2016-03-041-2/+4
|
* vici: Add support for pubkey constraints with EAP-TLSTobias Brunner2016-03-041-0/+8
| | | | This is a feature currently supported by stroke.
* auth-cfg: Make IKE signature schemes configurableTobias Brunner2016-03-042-5/+7
| | | | | | This also restores the charon.signature_authentication_constraints functionality, that is, if no explicit IKE signature schemes are configured we apply all regular signature constraints as IKE constraints.
* ikev2: Always store signature scheme in auth-cfgTobias Brunner2016-03-041-12/+1
| | | | As we use a different rule we can always store the scheme.
* ikev2: Diversify signature scheme ruleThomas Egerer2016-03-042-3/+4
| | | | | | | This allows for different signature schemes for IKE authentication and trustchain verification. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* ike-init: Verify REDIRECT notify before processing IKE_SA_INIT messageTobias Brunner2016-03-041-7/+51
| | | | | | An attacker could blindly send a message with invalid nonce data (or none at all) to DoS an initiator if we just destroy the SA. To prevent this we ignore the message and wait for the one by the correct responder.
* ikev2: Allow tasks to verify request messages before processing themTobias Brunner2016-03-041-4/+47
|
* ikev2: Allow tasks to verify response messages before processing themTobias Brunner2016-03-041-1/+27
|
* task: Add optional pre_process() methodTobias Brunner2016-03-041-1/+13
| | | | | This will eventually allow tasks to pre-process and verify received messages.
* ike-init: Ignore notifies related to redirects during rekeyingTobias Brunner2016-03-041-3/+13
| | | | Also don't query redirect providers in this case.
* ike-sa: Add limit for the number of redirects within a defined time periodTobias Brunner2016-03-042-0/+54
|
* ike-sa: Reauthenticate to the same addresses we currently useTobias Brunner2016-03-041-2/+5
| | | | | | If the SA got redirected this would otherwise cause a reauthentication with the original gateway. Reestablishing the SA to the original gateway, if e.g. the new gateway is not reachable makes sense though.
* vici: Don't redirect all SAs if no selectors are givenTobias Brunner2016-03-041-1/+1
| | | | | This avoid confusion and redirecting all SAs can now easily be done explicitly (e.g. peer_ip=0.0.0.0/0).
* vici: Match subnets and ranges against peer IP in redirect commandTobias Brunner2016-03-042-12/+42
|
* vici: Match identity with wildcards against remote ID in redirect commandTobias Brunner2016-03-042-5/+9
|
* vici: Add redirect commandTobias Brunner2016-03-045-0/+150
| | | | | This allows redirecting IKE_SAs by multiple different selectors, if none are given all SAs are redirected.
* redirect-job: Add job to redirect an active IKE_SATobias Brunner2016-03-044-0/+159
|
* ike-sa: Add redirect() method to actively redirect an IKE_SATobias Brunner2016-03-042-0/+50
|
* ike-redirect: Add task to redirect active IKE_SAsTobias Brunner2016-03-047-0/+220
|
* ike-auth: Handle REDIRECT notifies during IKE_AUTHTobias Brunner2016-03-041-22/+44
|
* ike-sa: Handle redirect requests for established SAs as reestablishmentTobias Brunner2016-03-041-82/+174
| | | | | | | We handle this similar to how we do reestablishing IKE_SAs with all CHILD_SAs, which also includes the one actively queued during IKE_AUTH. To delete the old SA we use the recently added ike_reauth_complete task.
* ike-auth: Send REDIRECT notify during IKE_AUTH if requested by providersTobias Brunner2016-03-041-27/+51
| | | | | | To prevent the creation of the CHILD_SA we set a condition on the IKE_SA. We also schedule a delete job in case the client does not terminate the IKE_SA (which is a SHOULD in RFC 5685).
* ike-config: Do not assign attributes for redirected IKE_SAsTobias Brunner2016-03-041-0/+5
|
* child-create: Don't create CHILD_SA if the IKE_SA got redirected in IKE_AUTHTobias Brunner2016-03-041-0/+4
|
* ike-sa: Add a condition to mark redirected IKE_SAsTobias Brunner2016-03-041-0/+5
|
* ike-init: Handle REDIRECTED_FROM similar to REDIRECT_SUPPORTED as serverTobias Brunner2016-03-041-0/+17
|
* ike-init: Send REDIRECTED_FROM instead of REDIRECT_SUPPORTED if appropriateTobias Brunner2016-03-041-1/+19
|
* ike-sa: Keep track of the address of the gateway that redirected usTobias Brunner2016-03-042-1/+27
|
* ikev2: Add option to disable following redirects as clientTobias Brunner2016-03-042-1/+20
|
* ikev2: Handle REDIRECT notifies during IKE_SA_INITTobias Brunner2016-03-043-0/+64
|
* ike-init: Send REDIRECT notify during IKE_SA_INIT if requested by providersTobias Brunner2016-03-041-0/+17
|
* redirect-manager: Add helper function to create and parse REDIRECT notify dataTobias Brunner2016-03-042-11/+162
| | | | The same encoding is also used for the REDIRECT_FROM notifies.
* redirect-manager: Verify type of returned gateway IDTobias Brunner2016-03-041-1/+12
|
* ike-init: Send REDIRECT_SUPPORTED as initiatorTobias Brunner2016-03-041-0/+5
|
* ike-init: Enable redirection extension if client sends REDIRECT_SUPPORTED notifyTobias Brunner2016-03-041-0/+4
|
* ike-sa: Add new extension for IKEv2 redirection (RFC 5685)Tobias Brunner2016-03-041-1/+6
|
* daemon: Create global redirect manager instanceTobias Brunner2016-03-042-0/+8
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-04 14:33:29 +0000