Tobias Brunner
306c0c9f8e
certificate: Extract helper function to filter certificates
2020-07-20 14:05:38 +02:00
Josh Soref
b3ab7a48cc
Spelling fixes
* accumulating
* acquire
* alignment
* appropriate
* argument
* assign
* attribute
* authenticate
* authentication
* authenticator
* authority
* auxiliary
* brackets
* callback
* camellia
* can't
* cancelability
* certificate
* choinyambuu
* chunk
* collector
* collision
* communicating
* compares
* compatibility
* compressed
* confidentiality
* configuration
* connection
* consistency
* constraint
* construction
* constructor
* database
* decapsulated
* declaration
* decrypt
* derivative
* destination
* destroyed
* details
* devised
* dynamic
* encapsulation
* encoded
* encoding
* encrypted
* enforcing
* enumerator
* establishment
* excluded
* exclusively
* exited
* expecting
* expire
* extension
* filter
* firewall
* foundation
* fulfillment
* gateways
* hashing
* hashtable
* heartbeats
* identifier
* identifiers
* identities
* identity
* implementers
* indicating
* initialize
* initiate
* initiation
* initiator
* inner
* instantiate
* legitimate
* libraries
* libstrongswan
* logger
* malloc
* manager
* manually
* measurement
* mechanism
* message
* network
* nonexistent
* object
* occurrence
* optional
* outgoing
* packages
* packets
* padding
* particular
* passphrase
* payload
* periodically
* policies
* possible
* previously
* priority
* proposal
* protocol
* provide
* provider
* pseudo
* pseudonym
* public
* qualifier
* quantum
* quintuplets
* reached
* reading
* recommendation to
* recommendation
* recursive
* reestablish
* referencing
* registered
* rekeying
* reliable
* replacing
* representing
* represents
* request
* request
* resolver
* result
* resulting
* resynchronization
* retriable
* revocation
* right
* rollback
* rule
* rules
* runtime
* scenario
* scheduled
* security
* segment
* service
* setting
* signature
* specific
* specified
* speed
* started
* steffen
* strongswan
* subjectaltname
* supported
* threadsafe
* traffic
* tremendously
* threshold
* unique
* uniqueness
* unknown
* until
* upper
* using
* validator
* verification
* version
* version
* warrior
Closes strongswan/strongswan#164.
2020-02-11 18:23:07 +01:00
Tobias Brunner
d592ff72bc
stroke: Remove obsolete certificate registration for hash-and-URL
2019-11-26 11:12:26 +01:00
Tobias Brunner
ae06cfad36
ike-cert-post: Generate URL for hash-and-URL here
This avoids having to register certificates with authority/ca backends
beforehand, which is tricky for intermediate CA certificates loaded
themselves via authority/ca sections. On the other hand, the form of
these URLs can't be determined by config backends anymore (not an issue
for the two current implementations, no idea if custom implementations
ever made use of that possibility). If that became necessary, we could
perhaps pass the certificate to the CDP enumerator or add a new method
to the credential_set_t interface.
2019-11-26 11:12:26 +01:00
Andreas Steffen
ea41f759b3
stroke: List drbgs in list_algs
2019-10-18 16:24:39 +02:00
SophieK
3aa7b2dc3a
Avoid enumerating certificates with non-matching key type
If the key type was specified but the ID was NULL or matched a subject, it
was possible that a certificate was returned that didn't actually match
the requested key type.
Closes strongswan/strongswan#141.
2019-05-21 10:22:30 +02:00
Tobias Brunner
9486a2e5b0
ike-cfg: Pass arguments as struct
2019-04-25 14:31:33 +02:00
Tobias Brunner
55fb268b51
stroke: Lease enumerator is always defined
This function is only called for existing pools (under the protection of
a read lock).
2018-09-11 18:18:50 +02:00
Tobias Brunner
84cdfbc9bc
child-cfg: Allow suppressing log messages when selecting traffic selectors
Although being already logged on level 2, these messages are usually just
confusing if they pop up randomly in the log when e.g. querying the configs
or installing traps. So after this the log messages will only be logged when
actually proposing or selecting traffic selectors during IKE.
2018-06-28 18:46:42 +02:00
Tobias Brunner
1b67166921
Unify format of HSR copyright statements
2018-05-23 16:32:53 +02:00
Tobias Brunner
7b72909774
controller: Add option to force destruction of an IKE_SA
It's optionally possible to wait for a timeout to destroy the SA.
2018-05-22 10:06:07 +02:00
Tobias Brunner
0acd1ab4d0
stroke: Ensure a minimum message length
2018-03-19 18:06:00 +01:00
Tobias Brunner
24fa1bb02a
trap-manager: Remove reqid parameter from install() and change return type
Reqids for the same traffic selectors are now stable so we don't have to
pass reqids of previously installed CHILD_SAs. Likewise, we don't need
to know the reqid of the newly installed trap policy as we now uninstall
by name.
2018-02-22 11:31:05 +01:00
Tobias Brunner
ca213e1907
trap-manager: Uninstall trap policies by name and not reqid
If a trap policy is concurrently uninstalled and reinstalled under a
different name the reqid will be the same so the wrong trap might be
removed.
2018-02-22 11:31:05 +01:00
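The two trap-manager commits above (stable reqids, uninstall by name rather than reqid) describe a lookup on a key that is no longer unique. The following C program is an added illustration, not strongSwan code: it models a trap table whose reqid is shared by every policy installed for the same traffic selectors, and replays the commit message's situation in a fixed order (the replacement "new" is already installed when the uninstall meant for "old" runs). The table, the slot-reuse behaviour and the names "old"/"new"/"tmp" are all constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_TRAPS 4

/* Toy trap table, constructed for this example; it is not strongSwan's
 * trap_manager_t. Reqids are stable per set of traffic selectors, so two
 * policies routed for the same selectors share one reqid, while the name
 * is unique per installed policy. */
typedef struct {
	char name[16];
	unsigned reqid;
	bool active;
} trap_t;

typedef struct {
	trap_t slots[MAX_TRAPS];
} trap_table_t;

/* Install into the first free slot. Slot reuse is what makes table order
 * differ from installation order, as with a free list or hashtable. */
static int trap_install(trap_table_t *t, const char *name, unsigned reqid)
{
	for (int i = 0; i < MAX_TRAPS; i++) {
		if (!t->slots[i].active) {
			snprintf(t->slots[i].name, sizeof(t->slots[i].name), "%s", name);
			t->slots[i].reqid = reqid;
			t->slots[i].active = true;
			return i;
		}
	}
	return -1;
}

/* Old behaviour: remove the first trap carrying this reqid. */
static bool trap_uninstall_by_reqid(trap_table_t *t, unsigned reqid)
{
	for (int i = 0; i < MAX_TRAPS; i++) {
		if (t->slots[i].active && t->slots[i].reqid == reqid) {
			t->slots[i].active = false;
			return true;
		}
	}
	return false;
}

/* New behaviour: remove the trap with exactly this name. */
static bool trap_uninstall_by_name(trap_table_t *t, const char *name)
{
	for (int i = 0; i < MAX_TRAPS; i++) {
		if (t->slots[i].active && strcmp(t->slots[i].name, name) == 0) {
			t->slots[i].active = false;
			return true;
		}
	}
	return false;
}

static bool trap_is_active(const trap_table_t *t, const char *name)
{
	for (int i = 0; i < MAX_TRAPS; i++) {
		if (t->slots[i].active && strcmp(t->slots[i].name, name) == 0) {
			return true;
		}
	}
	return false;
}

/* "old" is installed, its replacement "new" for the same selectors
 * (reqid 42) is reinstalled into a freed slot ahead of it, and only then
 * does the uninstall meant for "old" run. */
static void build_scenario(trap_table_t *t)
{
	memset(t, 0, sizeof(*t));
	trap_install(t, "tmp", 7);              /* slot 0 */
	trap_install(t, "old", 42);             /* slot 1 */
	trap_uninstall_by_name(t, "tmp");       /* frees slot 0 */
	trap_install(t, "new", 42);             /* reuses slot 0 */
}

/* True if removal by reqid took out "new" instead of "old". */
bool reqid_removal_hits_wrong_trap(void)
{
	trap_table_t t;
	build_scenario(&t);
	trap_uninstall_by_reqid(&t, 42);        /* intended for "old" */
	return trap_is_active(&t, "old") && !trap_is_active(&t, "new");
}

/* True if removal by name took out exactly "old". */
bool name_removal_hits_right_trap(void)
{
	trap_table_t t;
	build_scenario(&t);
	trap_uninstall_by_name(&t, "old");
	return !trap_is_active(&t, "old") && trap_is_active(&t, "new");
}

int main(void)
{
	printf("uninstall by reqid removes the wrong trap: %s\n",
		   reqid_removal_hits_wrong_trap() ? "yes" : "no");
	printf("uninstall by name removes the right trap:  %s\n",
		   name_removal_hits_right_trap() ? "yes" : "no");
	return 0;
}
```

The order in `build_scenario` is fixed only to make the outcome reproducible; in the daemon the same two-entries-one-reqid state arises from a concurrent unroute and route, and which entry a reqid scan hits first depends on timing.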
Tobias Brunner
9d69d8a399
stroke: Remove external enumeration to unroute shunt policies
2018-02-22 11:31:05 +01:00
Tobias Brunner
2db6d5b8b3
Fixed some typos, courtesy of codespell
2018-02-13 12:19:54 +01:00
Tobias Brunner
a9f3016ef3
stroke: Don't ignore %any as owner of shared secrets
If users want to associate secrets with any identity, let 'em. This is
also possible with vici and might help if e.g. the remote identity is
actually %any as that would match a PSK with local IP and %any better
than one with local and different remote IP.
Fixes #2497.
2017-12-22 10:33:27 +01:00
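The commit above argues that a secret owned by (local, %any) should beat one owned by (local, some other IP) when the requested remote identity really is %any. The C program below is an added example, not strongSwan's mem_cred_t: it scores each owner of a candidate secret against the requested identity pair and picks the best-scoring entry. The match levels (exact match far above a %any wildcard, zero for a mismatch), the secret entries and the addresses are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Toy shared-secret store, constructed for this example; it is not
 * strongSwan's mem_cred_t. The levels are an assumption: an exact identity
 * match outranks a %any wildcard, and a non-matching owner disqualifies. */
#define ANY_ID "%any"

enum {
	MATCH_NONE    = 0,
	MATCH_ANY     = 1,   /* owner is %any: matches whatever is requested */
	MATCH_PERFECT = 20,  /* owner equals the requested identity */
};

typedef struct {
	const char *local;   /* first owner */
	const char *remote;  /* second owner, may be %any */
	const char *psk;
} secret_t;

static int id_match(const char *owner, const char *requested)
{
	if (strcmp(owner, requested) == 0) return MATCH_PERFECT;
	if (strcmp(owner, ANY_ID) == 0)   return MATCH_ANY;
	return MATCH_NONE;
}

/* Pick the secret whose owners best match the pair (me, other). Both owners
 * must match at least at wildcard level; ties keep the earlier entry. */
static const secret_t *select_secret(const secret_t *list, size_t n,
									 const char *me, const char *other)
{
	const secret_t *best = NULL;
	int best_score = 0;

	for (size_t i = 0; i < n; i++) {
		int m = id_match(list[i].local, me);
		int o = id_match(list[i].remote, other);
		if (m == MATCH_NONE || o == MATCH_NONE) continue;
		if (m + o > best_score) {
			best_score = m + o;
			best = &list[i];
		}
	}
	return best;
}

/* Constructed entries in the spirit of two ipsec.secrets lines:
 * the first pins a remote peer, the second keeps %any as its owner. */
static const secret_t secrets[] = {
	{ "192.0.2.1", "198.51.100.7", "psk-for-peer-7" },
	{ "192.0.2.1", ANY_ID,         "psk-for-anyone" },
};
#define N_SECRETS (sizeof(secrets) / sizeof(secrets[0]))

/* Returns the selected PSK, or "" if no entry qualifies. */
const char *psk_for(const char *me, const char *other)
{
	const secret_t *s = select_secret(secrets, N_SECRETS, me, other);
	return s ? s->psk : "";
}

int main(void)
{
	/* Remote identity not yet known (%any): the %any-owned secret wins. */
	printf("%s\n", psk_for("192.0.2.1", ANY_ID));
	/* Remote identity known: the pinned entry wins on a perfect match. */
	printf("%s\n", psk_for("192.0.2.1", "198.51.100.7"));
	/* Unknown remote: only the wildcard entry qualifies. */
	printf("%s\n", psk_for("192.0.2.1", "203.0.113.9"));
	return 0;
}
```

If the %any owner were silently dropped at load time, the second entry would carry no remote owner at all and could not outrank the pinned one for a %any remote, which is the situation the commit fixes.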
Tobias Brunner
6f74b8748a
counters: Move IKE event counter collection from stroke to a separate plugin
2017-11-08 16:28:28 +01:00
Tobias Brunner
a3bcbb4c64
stroke: Don't load configs with invalid proposals
References #2347.
2017-07-05 10:08:36 +02:00
Tobias Brunner
2e4d110d1e
linked-list: Change return value of find_first() and signature of its callback
This avoids the unportable five pointer hack.
2017-05-26 13:56:44 +02:00
Tobias Brunner
525cc46cab
Change interface for enumerator_create_filter() callback
This avoids the unportable 5 pointer hack, but requires enumerating in
the callback.
2017-05-26 13:56:44 +02:00
Tobias Brunner
4270c8fcb0
stroke: Make 96-bit truncation for SHA-256 configurable
2017-05-26 11:22:28 +02:00
Tobias Brunner
749ac175fa
child-cfg: Use flags for boolean options
Makes it potentially easier to add new flags.
2017-05-23 16:51:15 +02:00
Tobias Brunner
ed96fe72cf
peer-cfg: Store mediated_by as name and not peer-cfg reference
This way updates to the mediation config are respected and the order in
which configs are configured/loaded does not matter.
The SQL plugin currently maintains the strong relationship between
mediated and mediation connection (we could theoretically change that to a
string too).
2017-02-16 19:24:09 +01:00
Tobias Brunner
02767e4309
stroke: Use peer name as namespace for shunt policies
The same goes for the start-action-job. When unrouting, we search for
the first policy with a matching child-cfg.
2017-02-16 19:24:07 +01:00
Tobias Brunner
7a0fdbab42
shunt-manager: Add an optional namespace for each shunt
This will allow us to reuse the names of child configs e.g. when they
are defined in different connections.
2017-02-16 19:24:07 +01:00
Tobias Brunner
69b58e347e
stroke: Default to %dynamic if no valid TS are specified in left|rightsubnet
Otherwise, we'd end up with an empty TS list, which is not valid.
Because end->tohost is set to !end->subnets in starter, the removed branch was
never used.
2017-01-25 16:56:28 +01:00
Andreas Steffen
bd2f2b11fc
stroke: Load general PKCS#8 private keys
2016-12-17 18:06:11 +01:00
Andreas Steffen
85b5a6ace2
Save both base and delta CRLs to disk
2016-10-11 17:18:22 +02:00
Andreas Steffen
2a2669ee3e
vici: strongswan.conf cache_crls = yes saves fetched CRLs to disk
2016-10-11 17:18:22 +02:00
Andreas Steffen
04208ac5d4
xof: Defined Extended Output Functions
2016-07-29 12:36:14 +02:00
Tobias Brunner
2eb89ee1e3
stroke: Permanently store PINs in credential set
This fixes authentication with tokens that require the PIN for every
signature.
Fixes #1369.
2016-06-06 14:03:23 +02:00
Tobias Brunner
2ba5dadb12
peer-cfg: Use struct to pass data to constructor
2016-04-09 16:51:01 +02:00
Tobias Brunner
8a00a8452d
child-cfg: Use struct to pass data to constructor
2016-04-09 16:51:01 +02:00
Andreas Steffen
b12c53ce77
Use standard unsigned integer types
2016-03-24 18:52:48 +01:00
Tobias Brunner
db00982dad
stroke: Correctly print IKE SPIs stored in network order
2016-03-04 18:43:26 +01:00
Tobias Brunner
3c23a75120
auth-cfg: Make IKE signature schemes configurable
This also restores the charon.signature_authentication_constraints
functionality, that is, if no explicit IKE signature schemes are
configured we apply all regular signature constraints as IKE constraints.
2016-03-04 16:19:54 +01:00
Tobias Brunner
28649f6d91
libhydra: Remove empty unused library
2016-03-03 17:36:11 +01:00
Tobias Brunner
8394ea2a42
libhydra: Move kernel interface to libcharon
This moves hydra->kernel_interface to charon->kernel.
2016-03-03 17:36:11 +01:00
Tobias Brunner
10c5981d3b
utils: Add enum name for pseudo log group 'any'
2016-02-05 15:41:39 +01:00
Tobias Brunner
5d7049b427
stroke: List DH groups for CHILD_SA proposals
Closes strongswan/strongswan#23.
2015-12-21 12:14:12 +01:00
Andreas Steffen
cc874350b8
Apply pubkey and signature constraints in vici plugin
2015-12-17 17:49:48 +01:00
Andreas Steffen
02d431022c
Refactored certificate management for the vici and stroke interfaces
2015-12-12 00:19:24 +01:00
Andreas Steffen
3317d0e77b
Standardized printing of certificate information
The certificate_printer class allows the printing of certificate
information to a text file (usually stdout). This class is used
by the pki --print and swanctl --list-certs commands as well as
by the stroke plugin.
2015-12-11 18:26:53 +01:00
Tobias Brunner
ebeb8c87c5
traffic-selector: Don't end printf'ed list of traffic selectors with a space
2015-11-10 12:13:06 +01:00
Tobias Brunner
7b95688124
stroke: Make down-nb actually non-blocking
Fixes #1191.
2015-11-09 10:55:46 +01:00
Andreas Steffen
a88d958933
Explicitly mention SHA2 algorithm in BLISS OIDs and signature schemes
2015-11-06 14:55:31 +01:00
Tobias Brunner
735f929ca7
ike: Only consider number of half-open SAs as responder when deciding whether COOKIEs are sent
2015-08-27 11:18:51 +02:00
Tobias Brunner
ff0abde9ed
controller: Optionally adhere to init limits also when initiating IKE_SAs
2015-08-21 18:21:13 +02:00
Tobias Brunner
ffa20bad63
stroke: Allow %any as local address
Actually, resolving addresses in `left` might be overkill as we'll assume
left=local anyway (the only difference is the log message).
2015-08-21 18:19:26 +02:00