Tobias Brunner
69b58e347e
stroke: Default to %dynamic if no valid TS are specified in left|rightsubnet
Otherwise, we'd end up with an empty TS list, which is not valid.
Because end->tohost is set to !end->subnets in starter the removed branch was
never used.
2017-01-25 16:56:28 +01:00
Andreas Steffen
bd2f2b11fc
stroke: Load general PKCS#8 private keys
2016-12-17 18:06:11 +01:00
Andreas Steffen
85b5a6ace2
Save both base and delta CRLs to disk
2016-10-11 17:18:22 +02:00
Andreas Steffen
2a2669ee3e
vici: strongswan.conf cache_crls = yes saves fetched CRLs to disk
2016-10-11 17:18:22 +02:00
Andreas Steffen
04208ac5d4
xof: Defined Extended Output Functions
2016-07-29 12:36:14 +02:00
Tobias Brunner
2eb89ee1e3
stroke: Permanently store PINs in credential set
This fixes authentication with tokens that require the PIN for every
signature.
Fixes #1369.
2016-06-06 14:03:23 +02:00
Tobias Brunner
2ba5dadb12
peer-cfg: Use struct to pass data to constructor
2016-04-09 16:51:01 +02:00
Tobias Brunner
8a00a8452d
child-cfg: Use struct to pass data to constructor
2016-04-09 16:51:01 +02:00
Andreas Steffen
b12c53ce77
Use standard unsigned integer types
2016-03-24 18:52:48 +01:00
Tobias Brunner
db00982dad
stroke: Correctly print IKE SPIs stored in network order
2016-03-04 18:43:26 +01:00
Tobias Brunner
3c23a75120
auth-cfg: Make IKE signature schemes configurable
This also restores the charon.signature_authentication_constraints
functionality, that is, if no explicit IKE signature schemes are
configured we apply all regular signature constraints as IKE constraints.
2016-03-04 16:19:54 +01:00
Tobias Brunner
28649f6d91
libhydra: Remove empty unused library
2016-03-03 17:36:11 +01:00
Tobias Brunner
8394ea2a42
libhydra: Move kernel interface to libcharon
This moves hydra->kernel_interface to charon->kernel.
2016-03-03 17:36:11 +01:00
Tobias Brunner
10c5981d3b
utils: Add enum name for pseudo log group 'any'
2016-02-05 15:41:39 +01:00
Tobias Brunner
5d7049b427
stroke: List DH groups for CHILD_SA proposals
Closes strongswan/strongswan#23.
2015-12-21 12:14:12 +01:00
Andreas Steffen
cc874350b8
Apply pubkey and signature constraints in vici plugin
2015-12-17 17:49:48 +01:00
Andreas Steffen
02d431022c
Refactored certificate management for the vici and stroke interfaces
2015-12-12 00:19:24 +01:00
Andreas Steffen
3317d0e77b
Standardized printing of certificate information
The certificate_printer class allows the printing of certificate
information to a text file (usually stdout). This class is used
by the pki --print and swanctl --list-certs commands as well as
by the stroke plugin.
2015-12-11 18:26:53 +01:00
Tobias Brunner
ebeb8c87c5
traffic-selector: Don't end printf'ed list of traffic selectors with a space
2015-11-10 12:13:06 +01:00
Tobias Brunner
7b95688124
stroke: Make down-nb actually non-blocking
Fixes #1191.
2015-11-09 10:55:46 +01:00
Andreas Steffen
a88d958933
Explicitly mention SHA2 algorithm in BLISS OIDs and signature schemes
2015-11-06 14:55:31 +01:00
Tobias Brunner
735f929ca7
ike: Only consider number of half-open SAs as responder when deciding whether COOKIEs are sent
2015-08-27 11:18:51 +02:00
Tobias Brunner
ff0abde9ed
controller: Optionally adhere to init limits also when initiating IKE_SAs
2015-08-21 18:21:13 +02:00
Tobias Brunner
ffa20bad63
stroke: Allow %any as local address
Actually, resolving addresses in `left` might be overkill as we'll assume
left=local anyway (the only difference is the log message).
2015-08-21 18:19:26 +02:00
Tobias Brunner
8212f3d9a4
stroke: Add an option to disable side-swapping of configuration options
In some scenarios it might be preferred to ensure left is always local
and no unintended swaps occur.
2015-08-21 18:19:26 +02:00
Tobias Brunner
517cc501ef
stroke: Change how CA certificates are stored
Since 11c14bd2f5 CA certificates referenced in ca sections were
enumerated by two credential sets if they were also stored in
ipsec.d/cacerts. This caused duplicate certificate requests to
get sent. All CA certificates, whether loaded automatically or
via a ca section, are now stored in stroke_ca_t.
Certificates referenced in ca sections are now also reloaded
when `ipsec rereadcacerts` is used.
2015-08-20 19:33:41 +02:00
Tobias Brunner
01d3ecbaf0
stroke: Combine CA certificate load methods
Also use the right credential set for CA cert references loaded from
stroke_ca_t.
2015-08-20 19:19:38 +02:00
Tobias Brunner
99610f406d
stroke: Atomically replace CA and AA certificates when reloading them
Previously it was possible that certificates were not found between the
time the credential sets were cleared and the certificates got re-added.
2015-08-20 19:19:37 +02:00
Tobias Brunner
c063b9cfe9
stroke: Properly parse bliss key strength in public key constraint
2015-03-25 13:27:15 +01:00
Tobias Brunner
70728eb1b6
child-sa: Add a new state to track rekeyed IKEv1 CHILD_SAs
This is needed to handle DELETEs properly, which was previously done via
CHILD_REKEYING, which we don't use anymore since 5c6a62ceb6 as it prevents
reauthentication.
2015-03-25 12:00:20 +01:00
Tobias Brunner
8286e2050b
stroke: Use %u to print stats returned by mallinfo(3)
References #886.
2015-03-13 15:25:53 +01:00
Tobias Brunner
31bccf4ba1
stroke: Enable BLISS-based public key constraints
2015-03-04 13:54:11 +01:00
Martin Willi
f6b5952b32
stroke: Support public key constraints for EAP methods
2015-03-03 14:08:01 +01:00
Martin Willi
11c14bd2f5
stroke: Serve ca section CA certificates directly, not over central CA set
This makes these CA certificates independent from the purge issued by reread
commands. Certificates loaded by CA sections can be removed through ipsec.conf
update/reread, while CA certificates loaded implicitly from ipsec.d/cacerts
can individually be reread using ipsec rereadcacerts.
2015-03-03 13:50:26 +01:00
Martin Willi
aba46b104e
stroke: Purge existing CA/AA certificates during reread
2015-03-03 13:50:26 +01:00
Martin Willi
d69cf39bb4
stroke: Use separate credential sets for CA/AA certificates
2015-03-03 13:50:26 +01:00
Martin Willi
845d36969e
stroke: Refactor load_certdir function
2015-03-03 13:50:26 +01:00
Martin Willi
22e6a06b8c
mem-pool: Pass the remote IKE address, to re-acquire() an address during reauth
With make-before-break IKEv2 re-authentication, virtual IP addresses must be
assigned overlapping to the same peer. With the remote IKE address, the backend
can detect re-authentication attempts by comparing the remote host address and
port. This allows proper reassignment of the virtual IP if it is re-requested.
This change removes the mem-pool.reassign_online option, as it is obsolete now.
IPs get automatically reassigned if a peer re-requests the same address, and
additionally connects from the same address and port.
2015-02-20 13:34:57 +01:00
Martin Willi
b9be25ea39
attribute-handler: Pass full IKE_SA to handler backends
2015-02-20 13:34:56 +01:00
Martin Willi
bc9ded9dbf
attribute-provider: Pass full IKE_SA to provider backends
2015-02-20 13:34:56 +01:00
Martin Willi
751363275f
attributes: Move the configuration attributes framework to libcharon
2015-02-20 13:34:55 +01:00
Martin Willi
f81a949748
kernel-interface: Raise expires with a proto/SPI/dst tuple instead of reqid
2015-02-20 13:34:50 +01:00
Martin Willi
971a91685d
controller: Use the CHILD_SA unique_id to terminate CHILD_SAs
2015-02-20 13:34:50 +01:00
Martin Willi
53cf7fa60a
stroke: List CHILD_SA unique ID as the primary identifier, but print reqid, too
2015-02-20 13:34:50 +01:00
Andreas Steffen
b6bb32e658
Implemented full BLISS support for IKEv2 public key authentication and the pki tool
2014-11-29 14:51:18 +01:00
Tobias Brunner
c355e2b2c7
stroke: Add support for address range definitions of in-memory pools
2014-10-30 12:32:45 +01:00
Shea Levy
213e02b872
stroke: Allow specifying the ipsec.secrets location in strongswan.conf
2014-10-02 14:31:00 +02:00
Tobias Brunner
28a79e4e0c
stroke: Don't log unspecified options of conn and ca sections
2014-06-30 13:29:26 +02:00
Martin Willi
d5367d2262
starter: Add a replay_window connection option
2014-06-17 16:41:31 +02:00
Martin Willi
4163421f91
plugins: Don't link with -rdynamic on Windows
2014-06-04 15:53:02 +02:00