306c0c9f8e
certificate: Extract helper function to filter certificates
2020-07-20 14:05:38 +02:00
b3ab7a48cc
Spelling fixes
...
* accumulating
* acquire
* alignment
* appropriate
* argument
* assign
* attribute
* authenticate
* authentication
* authenticator
* authority
* auxiliary
* brackets
* callback
* camellia
* can't
* cancelability
* certificate
* choinyambuu
* chunk
* collector
* collision
* communicating
* compares
* compatibility
* compressed
* confidentiality
* configuration
* connection
* consistency
* constraint
* construction
* constructor
* database
* decapsulated
* declaration
* decrypt
* derivative
* destination
* destroyed
* details
* devised
* dynamic
* ecapsulation
* encoded
* encoding
* encrypted
* enforcing
* enumerator
* establishment
* excluded
* exclusively
* exited
* expecting
* expire
* extension
* filter
* firewall
* foundation
* fulfillment
* gateways
* hashing
* hashtable
* heartbeats
* identifier
* identifiers
* identities
* identity
* implementers
* indicating
* initialize
* initiate
* initiation
* initiator
* inner
* instantiate
* legitimate
* libraries
* libstrongswan
* logger
* malloc
* manager
* manually
* measurement
* mechanism
* message
* network
* nonexistent
* object
* occurrence
* optional
* outgoing
* packages
* packets
* padding
* particular
* passphrase
* payload
* periodically
* policies
* possible
* previously
* priority
* proposal
* protocol
* provide
* provider
* pseudo
* pseudonym
* public
* qualifier
* quantum
* quintuplets
* reached
* reading
* recommendation to
* recommendation
* recursive
* reestablish
* referencing
* registered
* rekeying
* reliable
* replacing
* representing
* represents
* request
* request
* resolver
* result
* resulting
* resynchronization
* retriable
* revocation
* right
* rollback
* rule
* rules
* runtime
* scenario
* scheduled
* security
* segment
* service
* setting
* signature
* specific
* specified
* speed
* started
* steffen
* strongswan
* subjectaltname
* supported
* threadsafe
* traffic
* tremendously
* treshold
* unique
* uniqueness
* unknown
* until
* upper
* using
* validator
* verification
* version
* version
* warrior
Closes strongswan/strongswan#164 .
2020-02-11 18:23:07 +01:00
d592ff72bc
stroke: Remove obsolete certificate registration for hash-and-URL
2019-11-26 11:12:26 +01:00
ae06cfad36
ike-cert-post: Generate URL for hash-and-URL here
...
This avoids having to register certificates with authority/ca backends
beforehand, which is tricky for intermediate CA certificates loaded
themselves via authority/ca sections. On the other hand, the form of
these URLs can't be determined by config backends anymore (not an issue
for the two current implementations, no idea if custom implementations
ever made use of that possibility). If that became necessary, we could
perhaps pass the certificate to the CDP enumerator or add a new method
to the credential_set_t interface.
2019-11-26 11:12:26 +01:00
ea41f759b3
stroke: List drbgs in list_algs
2019-10-18 16:24:39 +02:00
3aa7b2dc3a
Avoid enumerating certificates with non-matching key type
...
If the key type was specified but the ID was NULL or matched a subject, it
was possible that a certificate was returned that didn't actually match
the requested key type.
Closes strongswan/strongswan#141 .
2019-05-21 10:22:30 +02:00
9486a2e5b0
ike-cfg: Pass arguments as struct
2019-04-25 14:31:33 +02:00
55fb268b51
stroke: Lease enumerator is always defined
...
This function is only called for existing pools (under the protection of
a read lock).
2018-09-11 18:18:50 +02:00
84cdfbc9bc
child-cfg: Allow suppressing log messages when selecting traffic selectors
...
Although being already logged on level 2, these messages are usually just
confusing if they pop up randomly in the log when e.g. querying the configs
or installing traps. So after this the log messages will only be logged when
actually proposing or selecting traffic selectors during IKE.
2018-06-28 18:46:42 +02:00
1b67166921
Unify format of HSR copyright statements
2018-05-23 16:32:53 +02:00
7b72909774
controller: Add option to force destruction of an IKE_SA
...
It's optionally possible to wait for a timeout to destroy the SA.
2018-05-22 10:06:07 +02:00
0acd1ab4d0
stroke: Ensure a minimum message length
2018-03-19 18:06:00 +01:00
24fa1bb02a
trap-manager: Remove reqid parameter from install() and change return type
...
Reqids for the same traffic selectors are now stable so we don't have to
pass reqids of previously installed CHILD_SAs. Likewise, we don't need
to know the reqid of the newly installed trap policy as we now uninstall
by name.
2018-02-22 11:31:05 +01:00
ca213e1907
trap-manager: Uninstall trap policies by name and not reqid
...
If a trap policy is concurrently uninstalled and reinstalled under a
different name the reqid will be the same so the wrong trap might be
removed.
2018-02-22 11:31:05 +01:00
9d69d8a399
stroke: Remove external enumeration to unroute shunt policies
2018-02-22 11:31:05 +01:00
2db6d5b8b3
Fixed some typos, courtesy of codespell
2018-02-13 12:19:54 +01:00
a9f3016ef3
stroke: Don't ignore %any as owner of shared secrets
...
If users want to associate secrets with any identity, let 'em. This is
also possible with vici and might help if e.g. the remote identity is
actually %any as that would match a PSK with local IP and %any better
than one with local and different remote IP.
Fixes #2497 .
2017-12-22 10:33:27 +01:00
6f74b8748a
counters: Move IKE event counter collection from stroke to a separate plugin
2017-11-08 16:28:28 +01:00
a3bcbb4c64
stroke: Don't load configs with invalid proposals
...
References #2347 .
2017-07-05 10:08:36 +02:00
2e4d110d1e
linked-list: Change return value of find_first() and signature of its callback
...
This avoids the unportable five pointer hack.
2017-05-26 13:56:44 +02:00
525cc46cab
Change interface for enumerator_create_filter() callback
...
This avoids the unportable 5 pointer hack, but requires enumerating in
the callback.
2017-05-26 13:56:44 +02:00
4270c8fcb0
stroke: Make 96-bit truncation for SHA-256 configurable
2017-05-26 11:22:28 +02:00
749ac175fa
child-cfg: Use flags for boolean options
...
Makes it potentially easier to add new flags.
2017-05-23 16:51:15 +02:00
ed96fe72cf
peer-cfg: Store mediated_by as name and not peer-cfg reference
...
This way updates to the mediation config are respected and the order in
which configs are configured/loaded does not matter.
The SQL plugin currently maintains the strong relationship between
mediated and mediation connection (we could theoretically change that to a
string too).
2017-02-16 19:24:09 +01:00
02767e4309
stroke: Use peer name as namespace for shunt policies
...
The same goes for the start-action-job. When unrouting, we search for
the first policy with a matching child-cfg.
2017-02-16 19:24:07 +01:00
7a0fdbab42
shunt-manager: Add an optional namespace for each shunt
...
This will allow us to reuse the names of child configs e.g. when they
are defined in different connections.
2017-02-16 19:24:07 +01:00
69b58e347e
stroke: Default to %dynamic if no valid TS are specified in left|rightsubnet
...
Otherwise, we'd end up with an empty TS list, which is not valid.
Because end->tohost is set to !end->subnets in starter the removed branch was
never used.
2017-01-25 16:56:28 +01:00
bd2f2b11fc
stroke: Load general PKCS#8 private keys
2016-12-17 18:06:11 +01:00
85b5a6ace2
Save both base and delta CRLs to disk
2016-10-11 17:18:22 +02:00
2a2669ee3e
vici: strongswan.conf cache_crls = yes saves fetched CRLs to disk
2016-10-11 17:18:22 +02:00
04208ac5d4
xof: Defined Extended Output Functions
2016-07-29 12:36:14 +02:00
2eb89ee1e3
stroke: Permanently store PINs in credential set
...
This fixes authentication with tokens that require the PIN for every
signature.
Fixes #1369 .
2016-06-06 14:03:23 +02:00
2ba5dadb12
peer-cfg: Use struct to pass data to constructor
2016-04-09 16:51:01 +02:00
8a00a8452d
child-cfg: Use struct to pass data to constructor
2016-04-09 16:51:01 +02:00
b12c53ce77
Use standard unsigned integer types
2016-03-24 18:52:48 +01:00
db00982dad
stroke: Correctly print IKE SPIs stored in network order
2016-03-04 18:43:26 +01:00
3c23a75120
auth-cfg: Make IKE signature schemes configurable
...
This also restores the charon.signature_authentication_constraints
functionality, that is, if no explicit IKE signature schemes are
configured we apply all regular signature constraints as IKE constraints.
2016-03-04 16:19:54 +01:00
28649f6d91
libhydra: Remove empty unused library
2016-03-03 17:36:11 +01:00
8394ea2a42
libhydra: Move kernel interface to libcharon
...
This moves hydra->kernel_interface to charon->kernel.
2016-03-03 17:36:11 +01:00
10c5981d3b
utils: Add enum name for pseudo log group 'any'
2016-02-05 15:41:39 +01:00
5d7049b427
stroke: List DH groups for CHILD_SA proposals
...
Closes strongswan/strongswan#23 .
2015-12-21 12:14:12 +01:00
cc874350b8
Apply pubkey and signature constraints in vici plugin
2015-12-17 17:49:48 +01:00
02d431022c
Refactored certificate management for the vici and stroke interfaces
2015-12-12 00:19:24 +01:00
3317d0e77b
Standardized printing of certificate information
...
The certificate_printer class allows the printing of certificate
information to a text file (usually stdout). This class is used
by the pki --print and swanctl --list-certs commands as well as
by the stroke plugin.
2015-12-11 18:26:53 +01:00
ebeb8c87c5
traffic-selector: Don't end printf'ed list of traffic selectors with a space
2015-11-10 12:13:06 +01:00
7b95688124
stroke: Make down-nb actually non-blocking
...
Fixes #1191 .
2015-11-09 10:55:46 +01:00
a88d958933
Explicitly mention SHA2 algorithm in BLISS OIDs and signature schemes
2015-11-06 14:55:31 +01:00
735f929ca7
ike: Only consider number of half-open SAs as responder when deciding whether COOKIEs are sent
2015-08-27 11:18:51 +02:00
ff0abde9ed
controller: Optionally adhere to init limits also when initiating IKE_SAs
2015-08-21 18:21:13 +02:00
ffa20bad63
stroke: Allow %any as local address
...
Actually, resolving addresses in `left` might be overkill as we'll assume
left=local anyway (the only difference is the log message).
2015-08-21 18:19:26 +02:00
Tobias Brunner