d592ff72bc
stroke: Remove obsolete certificate registration for hash-and-URL
2019-11-26 11:12:26 +01:00
9486a2e5b0
ike-cfg: Pass arguments as struct
2019-04-25 14:31:33 +02:00
1b67166921
Unify format of HSR copyright statements
2018-05-23 16:32:53 +02:00
2db6d5b8b3
Fixed some typos, courtesy of codespell
2018-02-13 12:19:54 +01:00
a3bcbb4c64
stroke: Don't load configs with invalid proposals
...
References #2347 .
2017-07-05 10:08:36 +02:00
525cc46cab
Change interface for enumerator_create_filter() callback
...
This avoids the unportable 5 pointer hack, but requires enumerating in
the callback.
2017-05-26 13:56:44 +02:00
4270c8fcb0
stroke: Make 96-bit truncation for SHA-256 configurable
2017-05-26 11:22:28 +02:00
749ac175fa
child-cfg: Use flags for boolean options
...
Makes it potentially easier to add new flags.
2017-05-23 16:51:15 +02:00
ed96fe72cf
peer-cfg: Store mediated_by as name and not peer-cfg reference
...
This way updates to the mediation config are respected and the order in
which configs are configured/loaded does not matter.
The SQL plugin currently maintains the strong relationship between
mediated and mediation connection (we could theoretically change that to a
string too).
2017-02-16 19:24:09 +01:00
69b58e347e
stroke: Default to %dynamic if no valid TS are specified in left|rightsubnet
...
Otherwise, we'd end up with an empty TS list, which is not valid.
Because end->tohost is set to !end->subnets in starter the removed branch was
never used.
2017-01-25 16:56:28 +01:00
2ba5dadb12
peer-cfg: Use struct to pass data to constructor
2016-04-09 16:51:01 +02:00
8a00a8452d
child-cfg: Use struct to pass data to constructor
2016-04-09 16:51:01 +02:00
b12c53ce77
Use standard unsigned integer types
2016-03-24 18:52:48 +01:00
3c23a75120
auth-cfg: Make IKE signature schemes configurable
...
This also restores the charon.signature_authentication_constraints
functionality, that is, if no explicit IKE signature schemes are
configured we apply all regular signature constraints as IKE constraints.
2016-03-04 16:19:54 +01:00
8394ea2a42
libhydra: Move kernel interface to libcharon
...
This moves hydra->kernel_interface to charon->kernel.
2016-03-03 17:36:11 +01:00
cc874350b8
Apply pubkey and signature constraints in vici plugin
2015-12-17 17:49:48 +01:00
a88d958933
Explicitly mention SHA2 algorithm in BLISS OIDs and signature schemes
2015-11-06 14:55:31 +01:00
ffa20bad63
stroke: Allow %any as local address
...
Actually, resolving addresses in `left` might be overkill as we'll assume
left=local anyway (the only difference is the log message).
2015-08-21 18:19:26 +02:00
8212f3d9a4
stroke: Add an option to disable side-swapping of configuration options
...
In some scenarios it might be preferred to ensure left is always local
and no unintended swaps occur.
2015-08-21 18:19:26 +02:00
c063b9cfe9
stroke: Properly parse bliss key strength in public key constraint
2015-03-25 13:27:15 +01:00
31bccf4ba1
stroke: Enable BLISS-based public key constraints
2015-03-04 13:54:11 +01:00
f6b5952b32
stroke: Support public key constraints for EAP methods
2015-03-03 14:08:01 +01:00
c355e2b2c7
stroke: Add support for address range definitions of in-memory pools
2014-10-30 12:32:45 +01:00
d5367d2262
starter: Add a replay_window connection option
2014-06-17 16:41:31 +02:00
8d74ec9e80
ike: Add an additional but separate AEAD proposal to CHILD config
...
This currently has no effect: We don't include AEAD algorithms in the default
ESP proposal, as we don't know if it is supported by the backend. But as we
hopefully get an algorithm query mechanism on kernel interfaces some day, we
add the appropriate functionality nonetheless.
2014-05-16 16:51:19 +02:00
879e3d12ca
ike: Add an additional but separate AEAD proposal to IKE config, if supported
2014-05-16 16:51:19 +02:00
261fd9d33b
stroke: Fix error message if parsing leftsourceip fails
2014-01-06 12:55:45 +01:00
0576412989
stroke: Configure proposal with AH protocol if 'ah' option set
2013-10-11 10:15:20 +02:00
791fde1669
stroke: don't remove a matching peer config if used by other child configs
...
When configurations get merged during add, we should not remove peer configs
if other connection entries use the same peer config.
2013-09-13 13:56:31 +02:00
c1ebc7b1cc
Fixed double free causing swapped ends to crash
2013-09-07 08:25:10 +02:00
3070697f9f
ike: support multiple addresses, ranges and subnets in IKE address config
...
Replace the allowany semantic by a more powerful subnet and IP range matching.
Multiple addresses, DNS names, subnets and ranges can be specified in a comma
separated list. Initiators ignore the ranges/subnets, responders match
configurations against all addresses, ranges and subnets.
2013-09-04 10:38:37 +02:00
beffdc6ab8
ike-cfg: remove the to be obsoleted allow any parameter in get_my/other_addr
2013-09-04 10:38:37 +02:00
a858064455
stroke: ignore a leftsourceip if a rightsourceip is given as well
...
As we always negotiate virtual IPs in charon, having both left- and
rightsourceip is not allowed. Both in IKEv1 and IKEv2 we support a single
configuration payload exchange only.
2013-09-04 10:33:38 +02:00
2bae838d5e
stroke: re-enable modeconfig keyword
2013-09-04 10:33:38 +02:00
9aeaa7396e
peer-cfg: add a pull/push mode option to use with mode config
2013-09-04 10:33:37 +02:00
d27f225d9a
Use strpfx() helper where appropriate
2013-07-08 18:49:30 +02:00
b7b5432ff8
stroke: Changed how proto/port are specified in left|rightsubnet
...
Using a colon as separator conflicts with IPv6 addresses.
2013-06-28 15:10:09 +02:00
483a258ad8
stroke: support %dynamic in left/rightsubnet for dynamic selectors
...
This has the same meaning as omitting left/rightsubnet, i.e. replace it
by the IKE address. Supporting %dynamic allows configurations with multiple
dynamic selectors in a left/rightsubnet, each with potentially different
proto/port selectors.
2013-06-19 16:36:01 +02:00
4a7c29bf02
stroke: support a specific proto/port for each net defined in left/rightsubnet
2013-06-19 16:36:01 +02:00
87692be215
Load any type (RSA/ECDSA) of public key via left|rightsigkey
2013-05-07 17:08:31 +02:00
eca499f3d9
Load raw keys before possibly destroying the identity
...
If no identity (or %any) is configured the identification_t object is
destroyed and an invalid object was associated with the created pubkey
certificate.
Actually using %any does not work as the certificate would not match
when the client later provides an identity.
2013-04-01 13:48:34 +02:00
e82deaf6ce
Merge branch 'multi-cert'
...
Allows the configuration of multiple certificates in leftcert, and select
the correct certificate to use based on the received certificate requests.
2013-03-01 11:35:32 +01:00
a36b49f3cb
Merge branch 'opaque-ports'
...
Adds a %opaque port option and support for port ranges in left/rightprotoport.
Currently not supported by any of our kernel backends.
2013-03-01 11:27:12 +01:00
cd41b951ee
Pass complete port range over stroke interface for more flexibility
2013-02-21 11:52:33 +01:00
a1db77de7c
Use a complete port range in traffic_selector_create_from_{subnet,cidr}
2013-02-21 11:52:33 +01:00
7fbe516f88
Add a ikedscp ipsec.conf option to set DSCP value on outgoing IKE packets
2013-02-06 15:36:36 +01:00
306a269e34
Add a DSCP configuration value to IKE configs
2013-02-06 15:20:32 +01:00
78af36db50
Load multiple comma seperarated certificates in the leftcert option
2013-01-18 09:33:15 +01:00
c4a49008e8
Don't handle right=%any6 as "loose" identity, but as %any
2013-01-14 10:33:14 +01:00
21235e1ec2
Merge branch 'ikev1-fragmentation'
...
This adds support for the proprietary IKEv1 fragmentation extension.
Conflicts:
NEWS
2013-01-12 11:58:26 +01:00
Tobias Brunner