aboutsummaryrefslogtreecommitdiffstats
path: root/src/libstrongswan/credentials/auth_cfg.c
Commit message (Collapse)AuthorAgeFilesLines
* auth-cfg: Make IKE signature schemes configurableTobias Brunner2016-03-041-36/+60
| | | | | | This also restores the charon.signature_authentication_constraints functionality, that is, if no explicit IKE signature schemes are configured we apply all regular signature constraints as IKE constraints.
* ikev2: Diversify signature scheme ruleThomas Egerer2016-03-041-30/+66
| | | | | | | This allows for different signature schemes for IKE authentication and trustchain verification. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* Apply pubkey and signature constraints in vici pluginAndreas Steffen2015-12-171-0/+110
|
* auth-cfg: Prefer merged rules over existing ones when moving themTobias Brunner2015-11-121-3/+3
| | | | | | This is particularly important for single valued rules (e.g. identities). When copying values this is already handled correctly by the enumerator and add().
* auth-cfg: Don't enforce EAP_RADIUSTobias Brunner2015-08-211-1/+2
| | | | | Basically the same as e79b0e07e4ab. EAP_RADIUS is also a virtual method that will identify itself as a different EAP method later.
* auth-cfg: Don't enforce EAP_DYNAMICTobias Brunner2015-08-201-1/+2
| | | | | We now store the actual method on the auth config, which won't match anymore if rightauth=eap-dynamic is configured.
* auth-cfg: Matching one CA should be enough, similar to peer certificatesTobias Brunner2015-08-171-15/+20
| | | | | | | | | | Not sure if defining multiple CA constraints and enforcing _all_ of them, i.e. the previous behavior, makes even sense. To ensure a very specific chain it should be enough to define the last intermediate CA. On the other hand, the ability to define multiple CAs could simplify configuration. This can currently only be used with swanctl/VICI based configs as `rightca` only takes a single DN.
* auth-cfg: Add BLISS key strength constraintTobias Brunner2015-03-041-20/+40
|
* auth-cfg: Fix crash after several reauthentications with multiple ↵Tobias Brunner2014-09-111-1/+1
| | | | | | | | | | authentication rounds Due to the issue described in c641974, purge() inadvertently destroyed CA certificates that should have been kept (while the pointer to these objects remained in the array). This lead to incorrect reference counts and after a few reauthentications with multiple authentication rounds, which cause calls to purge(TRUE), to crashes.
* auth-cfg: Cast literal default value to pointer typeMartin Willi2014-05-161-1/+1
| | | | Fixes a clang warning.
* auth-cfg: Declare an attribute certificate helper type to exchange acertsMartin Willi2014-03-311-1/+11
|
* auth-cfg: use array instead of linked listMartin Willi2013-07-171-35/+26
| | | | Saves another 4 linked lists (1KB) per IKE_SA
* Merge branch 'multi-cert'Martin Willi2013-03-011-11/+24
|\ | | | | | | | | Allows the configuration of multiple certificates in leftcert, and select the correct certificate to use based on the received certificate requests.
| * Make AUTH_RULE_SUBJECT cert multi-valuedMartin Willi2013-01-181-11/+24
| | | | | | | | | | Constraints having multiple subject certs defined are fulfilled if authentication used one of the listed certificates.
* | Fix auth_cfg_t.clone() for single-valued auth rulesTobias Brunner2013-02-281-10/+11
|/ | | | | | | | | | By using the default list enumerator and adding the rules with the public add() method, clones of auth_cfg_t objects would return the values for single-valued auth rules in the wrong order (i.e. the oldest instead of the newest value was returned). Using the internal enumerator (which the comment already suggested) fixes this, but the clone will not be a full clone as it does not contain any old values for single-valued auth rules. Since these will never be used anyway, this should be fine.
* Moved debug.[ch] to utils folderTobias Brunner2012-10-241-1/+1
|
* Moved data structures to new collections subfolderTobias Brunner2012-10-241-1/+1
|
* Fix equality comparison of auth_cfg_tTobias Brunner2012-09-181-2/+16
| | | | | | | We previously only confirmed that rules contained in the first config are also contained in the second, but since the number of rules does not have to be equal, it might be that the second config contains rules that the first one doesn't.
* Add AUTH_RULE_IDENTITY_LOOSE which allows to use IDr loosely as initiatorTobias Brunner2012-09-181-0/+23
| | | | | | If it is set on an auth config IDr will not be sent, and later the configured identity will not only be checked against the returned IDr, but also against other identities contained in the responder's certificate.
* Show which group would be required when failing in constraint checkMartin Willi2012-07-261-8/+10
|
* Support multiple different public key strength types in constraintsMartin Willi2012-06-121-41/+38
|
* Define auth_cfg rules for signature schemesMartin Willi2012-06-121-0/+51
|
* Merge branch 'ikev1'Martin Willi2012-05-021-1/+26
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Conflicts: configure.in man/ipsec.conf.5.in src/libcharon/encoding/generator.c src/libcharon/encoding/payloads/notify_payload.c src/libcharon/encoding/payloads/notify_payload.h src/libcharon/encoding/payloads/payload.c src/libcharon/network/receiver.c src/libcharon/sa/authenticator.c src/libcharon/sa/authenticator.h src/libcharon/sa/ikev2/tasks/ike_init.c src/libcharon/sa/task_manager.c src/libstrongswan/credentials/auth_cfg.c
| * Added an XAUTH identity to use or require for XAuth authenticationMartin Willi2012-03-201-0/+9
| |
| * Stop checking once a key size constraint is not fulfilledMartin Willi2012-03-201-0/+3
| |
| * Added missing XAuth auth_class enum nameMartin Willi2012-03-201-1/+2
| |
| * Added auth_cfg option to select XAUTH backend to useMartin Willi2012-03-201-0/+10
| |
* | Removed auth_cfg_t.replace_value() and replaced usages with add().Tobias Brunner2012-04-181-67/+35
| | | | | | | | | | replace_value() was used to replace identities. Since for these the latest is now returned by get(), adding the new identity with add() is sufficient.
* | Changed the order and semantics of rules we expect only once in auth_cfg_t.Tobias Brunner2012-04-181-113/+194
| | | | | | | | | | | | | | These rules are now inserted at the front of the internal list, this allows to retrieve the rule added last with get(). For other rules the order in which they are added is maintained (this allows to properly enumerate them).
* | Added a simple method to replace the value of a rule in auth_cfg_t.Tobias Brunner2012-04-161-31/+64
|/
* Migrated auth_cfg to INIT/METHOD macrosAndreas Steffen2011-10-021-40/+30
|
* Added missing auth_rule_namesMartin Willi2011-08-221-1/+6
|
* Moved auth_rule_names back to auth_cfg.cMartin Willi2011-08-221-0/+18
|
* Added an AUTH_HELPER for revocation certificatesMartin Willi2011-01-051-0/+8
|
* Added a certificate policy OID auth_cfg constraintMartin Willi2011-01-051-0/+29
|
* Key strength checking stores all key sizes in auth_cfg, verifies all in ↵Martin Willi2011-01-051-32/+68
| | | | complies()
* Added key strength constraints for RSA or ECDSA trustchainsMartin Willi2011-01-051-0/+28
|
* Added an AAA identity authentication config optionMartin Willi2010-08-311-0/+8
|
* Moved EAP type/code definitions to a seprate header file in libstrongswanMartin Willi2010-08-311-101/+1
|
* defined EAP-TNCAndreas Steffen2010-08-301-2/+7
|
* moved eap_from_string() fomr libcharon to libstrongswan to make it available ↵Andreas Steffen2010-08-131-0/+32
| | | | in starter
* added TTLS to EAP short names, tooAndreas Steffen2010-08-061-1/+3
|
* added EAP_TTLS methodAndreas Steffen2010-08-051-1/+3
|
* Moved eap-tls plugin to libcharon, updated to 4.4.1 APIsMartin Willi2010-08-031-1/+3
|
* Added EAP-TLS plugin stubMartin Willi2010-08-031-1/+3
|
* Moved credential manager to libstrongswanMartin Willi2010-07-131-0/+830
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-18 04:00:58 +0000