aboutsummaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
...
* vici: Don't fall back to uninstalling traps if a matching shunt was foundTobias Brunner2017-03-231-3/+7
| | | | | | | This is different if `ike` and `child` are provided and uninstall() fails as we call that without knowing whether a matching shunt exists. But if `ike` is not provided we explicitly search for a matching shunt and if found don't need to look for a trap policy.
* Fixed some typos, courtesy of codespellTobias Brunner2017-03-237-7/+7
|
* swanctl: Reformulate IKEv1 selector restriction, describe problems with TS ↵Noel Kuntze2017-03-231-3/+10
| | | | narrowing
* swanctl: Mention including files when referring to strongswan.conf(5)Tobias Brunner2017-03-231-1/+2
|
* Allow x25519 as an alias of the curve25519 KE algorithmAndreas Steffen2017-03-201-0/+1
|
* Reference Edwards-curve signature RFCsAndreas Steffen2017-03-203-17/+19
|
* The tpm plugin offers random number generationAndreas Steffen2017-03-207-3/+208
| | | | | | The tpm plugin can be used to derive true random numbers from a TPM 2.0 device. The get_random method must be explicitly enabled in strongswan.conf with the plugin.tpm.use_rng = yes option.
* vici: Document how we pronounce the vici protocol and pluginMartin Willi2017-03-201-3/+3
|
* swanctl: Describe what happens when a FQDN is specified in local|remote_addrsTobias Brunner2017-03-201-0/+6
|
* ikev1: First do PSK lookups based on identities then fallback to IPsTobias Brunner2017-03-201-36/+34
| | | | | | | | This provides a solution for configs where there is e.g. a catch-all %any PSK, while more specific PSKs would be found by the identities of configs that e.g. use FQDNs as local/remote addresses. Fixes #2223.
* ike-sa-manager: Remove superfluous assignmentThomas Egerer2017-03-161-4/+0
| | | | | | | Memory is allocated with calloc, hence set to zero, thus assigning the numerical value 0 is not required. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* ike: Log remote IP when deleting half-open IKE_SAsTobias Brunner2017-03-151-1/+2
|
* aikpub2: Removed aikpub2 toolAndreas Steffen2017-03-064-325/+0
| | | | | | | The aikpub2 tool has been replaced by pki --pub|--req --keyid hex .. where keyid indicates the TPM 2.0 private key object handle. Thus either the public key in PKCS#1 format can be extracted or a PKCS#10 certificate request signed by the TPM private key can be generated.
* pki: Add key object handle of smartcard or TPM private key as an argument to ↵Andreas Steffen2017-03-062-5/+25
| | | | pki --keyid
* utils: chunk_from_hex() skips optional 0x prefixAndreas Steffen2017-03-062-11/+18
|
* pki: Edited keyid parameter use in various pki man pages and usage outputsAndreas Steffen2017-03-0612-19/+34
|
* quick-mode: Correctly prepare NAT-OA payloads as responderTobias Brunner2017-03-061-8/+13
| | | | | | The initiator's address was sent back twice previously. Fixes #2268.
* Add keyid of smartcard or TPM private key as an argument to pki --reqAndreas Steffen2017-03-021-2/+15
|
* libipsec: Enforce a minimum of 256 for SPIsTobias Brunner2017-03-021-3/+4
| | | | | | RFC 4303 reserves the SPIs between 1 and 255 for future use. This also avoids an overflow and a division by zero if spi_min is 0 and spi_max is 0xffffffff.
* libipsec: Fix min/max SPITobias Brunner2017-03-021-2/+2
|
* controller: Don't listen for CHILD_SA state changes when terminating IKE_SAsTobias Brunner2017-03-021-1/+0
| | | | | | | | We actually want to wait until the IKE_SA is destroyed, not any of the CHILD_SAs (even though there might not be that much of a difference depending on the number of CHILD_SAs). Fixes #2261.
* kernel: Make range of SPIs for IPsec SAs configurableTobias Brunner2017-03-024-8/+40
|
* settings: Add support for hex integers (0x prefix) via get_int()Tobias Brunner2017-03-021-1/+6
|
* libipsec: Log a packet's ports and protocol in case of a policy mismatchTobias Brunner2017-03-021-5/+7
|
* host: Don't log port if it is zeroTobias Brunner2017-03-022-6/+6
|
* libipsec: Match IPsec policies against ports of processed packetsTobias Brunner2017-03-021-1/+21
| | | | Fixes #2252.
* addrblock: Use dynamic TS narrowing instead of rejecting the whole CHILD_SAMartin Willi2017-03-021-43/+28
| | | | | | | | Previously, the client had to propose no wider selectors than the certificate permits, otherwise the complete CHILD_SA was rejected. However, with IKEv2 we can dynamically narrow the selectors to what the certificate allows. This makes client and gateway configurations very simple by just proposing 0.0.0.0/0, narrowed to selectors the client is permitted to route into the network.
* addrblock: Support an optional non-strict mode accepting certs without addrblockMartin Willi2017-03-021-3/+11
| | | | | | | This allows a gateway to enforce the addrblock policy on certificates that actually have the extension only. For (legacy) certificates not having the extension, traffic selectors are validated/narrowed by other means, most likely by the configuration.
* child-cfg: Always apply hosts to traffic selectors if proposing transport modeTobias Brunner2017-02-271-14/+19
| | | | | | | | | | | | | | Usually, %dynamic is used as traffic selector for transport mode SAs, however, if wildcard traps are used then the remote TS will be a subnet. With strongSwan at the remote end that usually works fine as the local %dynamic TS narrows the proposed TS appropriately. But some implementations reject non-host TS for transport mode SAs. Another problem could be if several distinct subnets are configured for a wildcard trap, as we'd then propose unrelated subnets on that transport mode SA, which might be problematic even for strongSwan (switch to tunnel mode and duplicate policies). Closes strongswan/strongswan#61.
* traffic-selector: Allow calling set_address() for any traffic selectorTobias Brunner2017-02-273-48/+63
| | | | | Users may check is_host(), is_dynamic() or includes() before calling this if restrictions are required (most actually already do).
* pki: Add a note about constructing RFC 3779 compliant certificates to manpageMartin Willi2017-02-272-0/+6
|
* pki: Support an --addrblock option for issued certificatesMartin Willi2017-02-272-1/+22
|
* pki: Support an --addrblock option for self-signed certificatesMartin Willi2017-02-272-0/+23
|
* pki: Add a helper function parse traffic selectors from CIDR subnets or rangesMartin Willi2017-02-272-0/+31
|
* x509: Do not mark generated addrblock extension as criticalMartin Willi2017-02-271-2/+1
| | | | | | | | | | | | | | While RFC 3779 says we SHOULD mark it is critical, this has severe side effects in practice. The addrblock extension is not widely used nor implemented, and only a few applications can handle this extension. By marking it critical, none of these applications can make use of such certificates where included addrblocks do not matter, such as TLS/HTTPS. If an application wants to make use of addrblocks, that is usually an explicit decision. Then the very same application obviously can handle addrblocks, and there is no need for the extension to be critical. In other words, for local policy checks it is a local matter to handle the extension, hence making it critical is usually not of much help.
* x509: Support encoding the RFC 3779 addrblock extensionMartin Willi2017-02-271-3/+134
|
* builder: Define a builder part for X.509 RFC 3779 address blocksMartin Willi2017-02-272-0/+3
|
* plugin-loader: Fix hashing of registered plugin featuresTobias Brunner2017-02-241-1/+1
| | | | | | | This strangely never caused any noticeable issues, but was the reason for build failures in certain test cases (mostly BLISS) due to missing plugin features when built with specific options on Travis (was not reproducible locally).
* Use of TPM 2.0 private keys for signatures via tpm pluginAndreas Steffen2017-02-228-6/+454
|
* Implement signatures with private keys bound to TPM 2.0Andreas Steffen2017-02-213-8/+215
|
* android: New release after fixing potential ANR issueTobias Brunner2017-02-201-2/+2
|
* android: Send network change events from a separate thread via JNITobias Brunner2017-02-172-4/+68
| | | | | | | | | Doing this from the main UI thread (which delivers the broadcast) might cause an ANR if there is a delay (e.g. while acquiring a mutex in the native parts). There might also have been a race condition during termination previously because Unregister() was not synchronized so there might have been dangling events that got delivered while or after the mutex in the native parts was destroyed.
* ikev1: Respond to DPDs for rekeyed IKE_SAsTobias Brunner2017-02-172-0/+10
| | | | | | | | | Some devices always use the oldest IKE_SA to send DPDs and will delete all IKE_SAs when there is no response. If uniqueness is not enforced rekeyed IKE_SAs might not get deleted until they expire so we should respond to DPDs. References #2090.
* ike-sa: Optionally try to migrate to the best path on routing priority changesMartin Willi2017-02-171-1/+23
| | | | | | | | | | | | | | When multihomed, a setup might prefer to dynamically stay on the cheapest available path by using MOBIKE migrations. If the cheapest path goes away and comes back, we currently stay on the more expensive path to reduce noise and prevent potential migration issues. This is usually just fine for links not generating real cost. If we have more expensive links in the setup, it can be desirable to always migrate to the cheapest link available. By setting charon.prefer_best_path, charon tries to migrate to the path using the highest priority link, allowing an external application to update routes to indirectly control MOBIKE behavior. This option has no effect if MOBIKE is unavailable.
* ikev2: Ignore roam events without MOBIKE but static local addressTobias Brunner2017-02-171-0/+10
| | | | | | | | | | | | | | | Disabling MOBIKE and statically configuring a local address should be enough indication that the user doesn't want to roam to a different address. There might not be any routes that indicate we can use the current address but it might still work (e.g. if the address is on an interface that is not referenced in any routes and the address itself is neither). This way we avoid switching to another address for routes that might be available on the system. We currently don't make much use of COND_STALE anyway when MOBIKE is not enabled, e.g. to avoid sending DPDs if the connection is seemingly down. With MOBIKE enabled we don't exactly check that state but we do don't send DPDs if there is no route/source address available.
* ike-cfg: Add helper function to determine if a given IP address was configuredTobias Brunner2017-02-172-2/+46
|
* vici: Only log messages if there actually is a listenerTobias Brunner2017-02-161-0/+7
|
* vici: Let has_event_listeners() actually check if clients are registeredTobias Brunner2017-02-161-2/+4
| | | | | Fixes: 8d96f90a7983 ("vici: Add function to test if an event should be generated")
* vici: Add support for mediation extensionTobias Brunner2017-02-162-1/+109
|
* peer-cfg: Store mediated_by as name and not peer-cfg referenceTobias Brunner2017-02-166-68/+95
| | | | | | | | | This way updates to the mediation config are respected and the order in which configs are configured/loaded does not matter. The SQL plugin currently maintains the strong relationship between mediated and mediation connection (we could theoretically change that to a string too).
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-11 20:10:13 +0000