aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon
Commit message (Collapse)AuthorAgeFilesLines
...
* ha: Properly sync IKEv1 IV if gateway is initiatorTobias Brunner2016-02-011-12/+16
| | | | | | | | | | | | | | To handle Phase 2 exchanges on the other HA host we need to sync the last block of the last Phase 1 message (or the last expected IV). If the gateway is the initiator of a Main Mode SA the last message is an inbound message. When handling such messages the expected IV is not updated until it is successfully decrypted so we can't sync the IV when processing the still encrypted (!plain) message. However, as responder, i.e. if the last message is an outbound message, the reverse applies, that is, we get the next IV after successfully encrypting the message, not while handling the plain message. Fixes #1267.
* ha: Add DH group to CHILD_ADD messageTobias Brunner2016-02-012-1/+12
| | | | References #1267.
* ha: Add DH group to IKE_ADD messageTobias Brunner2016-02-014-0/+16
| | | | | | | | It is required for IKEv1 to determine the DH group of the CHILD SAs during rekeying. It also fixes the status output for HA SAs, which so far haven't shown the DH group on the passive side. Fixes #1267.
* ike-sa-manager: Don't update entries for init messages after unlocking segmentTobias Brunner2016-02-011-3/+2
| | | | | | | | | | | | | If the retransmit of an initial message is processed concurrently with the original message it might not have been handled as intended as the thread processing the retransmit might not have seen the correct value of entry->processing set by the thread handling the original request. For IKEv1, i.e. without proper message IDs, there might still be races e.g. when receiving a retransmit of the initial IKE message while processing the initiator's second request. Fixes #1269.
* vici: Support multiple named raw ublic keysAndreas Steffen2016-01-101-15/+19
|
* swanctl: Load pubkeys with load-credsAndreas Steffen2016-01-091-6/+7
|
* vici: list-cert sends subject, not-before and not-after attributes for pubkeysAndreas Steffen2016-01-092-1/+28
|
* vici: Support of raw public keysAndreas Steffen2016-01-095-9/+60
|
* vici: Enable transport encoding of CERT_TRUSTED_PUBKEY objectsAndreas Steffen2016-01-031-5/+8
|
* stroke: List DH groups for CHILD_SA proposalsTobias Brunner2015-12-211-23/+19
| | | | Closes strongswan/strongswan#23.
* vici: Use correct constant when checking for integrity algorithmTobias Brunner2015-12-211-1/+1
| | | | Currently both have the value 1024 so no real harm done.
* vici: CHILD_SA proposals never contain a PRFTobias Brunner2015-12-211-5/+0
|
* vici: allow legacy shortcuts in cert queriesAndreas Steffen2015-12-191-10/+14
|
* Use 128 bit security in README.pod examplesAndreas Steffen2015-12-181-4/+4
|
* Improvements to the VICI Perl bindings by Andreas HofmeisterAndreas Hofmeister2015-12-184-189/+127
| | | | | | | | | | | | | | | | | | | | | | | | | | | - Switch.pm, which was implemented as a source filter, has been deprecated in Perl 5.10 and was later removed from the core modules in Perl 5.14 or so. Unfortunately, its replacement, the given/when/default construct, has since been downgraded to "experimental" status because of problems with the underlying "smart-match" operator. Thus, as of Perl 5.22, Perl still has no actually usable "switch"-like construct. So just use boring, old and ugly "if/elsif/else" constructs instead, which are compatible with almost any Perl version. - None of the Perl modules here does anything that would require "AutoLoader". - "Exporter" can be used to export plain functions into another modules name space. But the things that were exported here are meant to be called as methods. In this case, it is neither necessary nor advisable to export those symbols. Just export nothing (the POD documentation already said so). - It is usually the calling script that enables (or does not enable) warnings globally. When a module says "use warnings;" however, the caller looses control over what warnings should be enabled in that module.
* Apply pubkey and signature constraints in vici pluginAndreas Steffen2015-12-172-115/+7
|
* 128 bit default security strength for IKE and ESP algorithmsAndreas Steffen2015-12-171-40/+140
| | | | | | | | | | | | | | | | | The default ESP cipher suite is now AES_CBC-128/HMAC_SHA2_256_128 and requires SHA-2 HMAC support in the Linux kernel (correctly implemented since 2.6.33). The default IKE cipher suite is now AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256 if the openssl plugin is loaded or AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072 if ECC is not available. The use of the SHA-1 hash algorithm and the MODP_2048 DH group has been deprecated and ENCR_CHACHA20_POLY1305 has been added to the default IKE AEAD algorithms.
* Refactored certificate management for the vici and stroke interfaces5.4.0dr1Andreas Steffen2015-12-126-216/+93
|
* Modified vici_cert_info class for use with load_creds and vici_credAndreas Steffen2015-12-112-59/+31
|
* Removed VICI protocol versioningAndreas Steffen2015-12-115-88/+0
|
* Share vici_cert_info.c with vici_cred.cAndreas Steffen2015-12-113-37/+35
|
* Use VICI 2.0 protocol version for certificate queriesAndreas Steffen2015-12-114-52/+159
|
* Sort certificate types during enumerationAndreas Steffen2015-12-111-39/+205
|
* Define VICI protocol versionsAndreas Steffen2015-12-115-0/+88
|
* vici: Don't report memory usage via leak-detectiveTobias Brunner2015-12-111-17/+0
| | | | | This slowed down the `swanctl --stats` calls in the test scenarios significantly, with not much added value.
* Standardized printing of certificate informationAndreas Steffen2015-12-111-445/+68
| | | | | | | The certificate_printer class allows the printing of certificate information to a text file (usually stdout). This class is used by the pki --print and swanctl --list-certs commands as well as by the stroke plugin.
* vici: Fix documentation about the initiate/terminate timeoutMartin Willi2015-12-071-2/+2
|
* vici: Honor an optionally passed IKE configuration name in initiate/installMartin Willi2015-12-072-5/+13
| | | | | | | If two IKE configurations have CHILD configurations with the same name, we have no control about the CHILD_SA that actually gets controlled. The new "ike" parameter specifies the peer config name to find the "child" config under.
* vici: Support completely asynchronous initiating and terminationMartin Willi2015-12-072-5/+23
| | | | | | In some situations the vici client is not interested in waiting for a timeout at all, so don't register a logging callback if the timeout argument is negative.
* vici: Use an empty local auth round if none givenMartin Willi2015-12-071-3/+2
| | | | | While it hardly makes sense to use none for negotiated SAs, it actually does when installing shunt policies.
* vici: Limit start action undoing to IKE_SAs using the base peer config nameMartin Willi2015-12-071-3/+7
| | | | | If two peer configs use the same child config names, potentailly delete the wrong CHILD_SA. Check the peer config name as well to avoid that.
* vici: Close empty IKE_SAs after undoing CHILD_SA start actionsMartin Willi2015-12-071-6/+44
|
* vici: Use value based array to store CHILD_SA ids during restartMartin Willi2015-12-071-5/+6
| | | | | The previous approach stored a pointer to a volatile stack variable, which works for a single ID, but not for multiple.
* vici: Undo start actions when unloading configsMartin Willi2015-12-071-0/+1
|
* vici: Fix clean-local target for Perl bindings if they were not builtTobias Brunner2015-12-041-1/+1
| | | | | This is called when running `make distclean` (or indirectly via `make distcheck`).
* Extended and refactored vici perl implementationAndreas Steffen2015-12-013-80/+121
|
* Built the CPAN file structure for the Vici::Session perl moduleAndreas Steffen2015-12-0115-72/+1038
|
* Implement vici Perl bindingAndreas Steffen2015-12-018-0/+559
|
* vici: Add get-algorithms command to query loaded algorithms and implementationsTobias Brunner2015-11-302-0/+116
|
* eap-radius: Add ability to configure RADIUS retransmission behaviorThom Troy2015-11-171-2/+58
| | | | Closes strongswan/strongswan#19.
* eap-mschapv2: Keep internal state to prevent authentication from succeeding ↵Tobias Brunner2015-11-161-24/+67
| | | | | | | | | prematurely We can't allow a client to send us MSCHAPV2_SUCCESS messages before it was authenticated successfully. Fixes CVE-2015-8023.
* vici: Attribute certificates are not trustedTobias Brunner2015-11-121-1/+3
|
* vici: Properly add CRLs to the credential setTobias Brunner2015-11-121-2/+8
| | | | add_crl() ensures that old CLRs are not stored in the credential set.
* mode-config: Reassign migrated virtual IP if client requests %anyTobias Brunner2015-11-121-1/+3
| | | | | | | | | If we mistakenly detect a new IKE_SA as a reauthentication the client won't request the previous virtual IP, but since we already migrated it we already triggered the assign_vips() hook, so we should reassign the migrated virtual IP. Fixes #1152.
* eap-radius: Compare address family when handing out virtual IPsTobias Brunner2015-11-121-6/+26
| | | | | | | This also ensures that the actually released virtual IP is removed from the list of claimed IPs. Fixes #1199.
* eap-mschapv2: Report username if different from EAP-Identity (or IKE identity)Tobias Brunner2015-11-121-1/+4
|
* eap-mschapv2: Provide EAP-MSCHAPv2 username as EAP-IdentityTobias Brunner2015-11-121-2/+17
|
* android: Fix build after updating Linux headersTobias Brunner2015-11-121-1/+0
| | | | | | | | Since we don't use the kernel-netlink plugin anymore and the headers in the NDK are reasonably recent, we don't need this anymore (at least when building the app). Fixes #1172.
* ike-sa-manager: Allow plugins to provide IKE SPIs via a callbackTobias Brunner2015-11-112-11/+54
| | | | | Plugins must depend on `libcharon-sa-managers` to ensure the manager exists.
* libcharon: Publish IKE_SA/CHILD_SA managers as custom plugin featureTobias Brunner2015-11-111-11/+29
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-22 18:37:59 +0000