ims-volte-vowifi
/
strongswan
9
0
Fork 0
Code Pull Requests Releases Activity
15,624 Commits 6 Branches 233 Tags 88 MiB
Commit Graph

53 Commits

Author SHA1 Message Date
Tobias Brunner d5c6a0bac4 vici: Enable IKE fragmentation by default 2016-10-04 10:08:21 +02:00
Tobias Brunner 50721a61d8 vici: Make installation of outbound FWD policies configurable 2016-09-28 17:56:43 +02:00
Andreas Steffen 7f65a8c271 vici: Increased various string buffers to BUF_LEN (512 bytes) 2016-07-29 12:34:40 +02:00
Andreas Steffen b1df631212 vici list-conns sends reauthentication and rekeying time information 2016-05-04 18:13:52 +02:00
Andreas Steffen c26e4330e7 Implemented IPsec policies restricted to given network interface 2016-04-09 16:51:02 +02:00
Andreas Steffen 7f57c4f9fb Support manually-set IPsec policy priorities 2016-04-09 16:51:01 +02:00
Tobias Brunner 2ba5dadb12 peer-cfg: Use struct to pass data to constructor 2016-04-09 16:51:01 +02:00
Tobias Brunner 8a00a8452d child-cfg: Use struct to pass data to constructor 2016-04-09 16:51:01 +02:00
Andreas Steffen b12c53ce77 Use standard unsigned integer types 2016-03-24 18:52:48 +01:00
Tobias Brunner 20df9d315c vici: Don't hold write lock while running or undoing start actions 
Running or undoing start actions might require enumerating IKE_SAs,
which in turn might have to enumerate peer configs concurrently, which
requires acquiring a read lock.  So if we keep holding the write lock while
enumerating the SAs we provoke a deadlock.

By preventing other threads from acquiring the write lock while handling
actions, and thus preventing the modification of the configs, we largely
maintain the current synchronous behavior.  This way we also don't need to
acquire additional refs for config objects as they won't get modified/removed.

Fixes #1185.
 2016-03-11 08:32:18 +01:00
Andreas Steffen 35babdf43f Initialize ts variable 2016-03-11 08:29:23 +01:00
Andreas Steffen 3f1de98678 Support of IP address ranges in traffic selectors 2016-03-10 13:59:37 +01:00
Tobias Brunner 101abed566 vici: Replace child configs atomically 
This also leaves unmodified configs as they are.
 2016-03-08 10:21:58 +01:00
Tobias Brunner 229cdf6bc8 vici: Order auth rounds by optional `round` parameter instead of by position in the request 2016-03-08 10:04:55 +01:00
Tobias Brunner 1ecec95dff vici: Add support for pubkey constraints with EAP-TLS 
This is a feature currently supported by stroke.
 2016-03-04 16:19:54 +01:00
Tobias Brunner 3c23a75120 auth-cfg: Make IKE signature schemes configurable 
This also restores the charon.signature_authentication_constraints
functionality, that is, if no explicit IKE signature schemes are
configured we apply all regular signature constraints as IKE constraints.
 2016-03-04 16:19:54 +01:00
Andreas Steffen ffd29ab30a vici: Support multiple named raw ublic keys 2016-01-10 00:12:57 +01:00
Andreas Steffen 87371460f6 vici: Support of raw public keys 2016-01-09 07:23:29 +01:00
Andreas Steffen cc874350b8 Apply pubkey and signature constraints in vici plugin 2015-12-17 17:49:48 +01:00
Martin Willi 1db918c4f8 vici: Use an empty local auth round if none given 
While it hardly makes sense to use none for negotiated SAs, it actually does
when installing shunt policies.
 2015-12-07 10:05:07 +01:00
Martin Willi b26ba1b4a4 vici: Limit start action undoing to IKE_SAs using the base peer config name 
If two peer configs use the same child config names, potentailly delete
the wrong CHILD_SA. Check the peer config name as well to avoid that.
 2015-12-07 10:05:07 +01:00
Martin Willi 23b1f71372 vici: Close empty IKE_SAs after undoing CHILD_SA start actions 2015-12-07 10:05:07 +01:00
Martin Willi 2facf18833 vici: Use value based array to store CHILD_SA ids during restart 
The previous approach stored a pointer to a volatile stack variable, which
works for a single ID, but not for multiple.
 2015-12-07 10:05:07 +01:00
Martin Willi f3b2d4a9d8 vici: Undo start actions when unloading configs 2015-12-07 10:05:07 +01:00
Tobias Brunner ff0abde9ed controller: Optionally adhere to init limits also when initiating IKE_SAs 2015-08-21 18:21:13 +02:00
Tobias Brunner 9322e5b398 vici: Add option to disable policy installation for CHILD_SAs 2015-08-17 12:01:36 +02:00
Andreas Steffen 63d370387d vici: Certification Authority support added. 
CDP and OCSP URIs for a one or multiple certification authorities
can be added via the VICI interface. swanctl allows to read
definitions from a new authorities section.
 2015-07-21 13:02:30 +02:00
Andreas Steffen e194349148 vici: Compute rekey_bytes and rekey_packets if life_bytes and life_packets are defined 2015-07-20 21:34:09 +02:00
Timo Teräs 17d3435693 vici: Default to certificate subject for identity 
If id is not specified and certificate authentication is used, use the
certificate subject name as identity. Simplifies configuration as in most cases
this is the right thing to do.

Signed-off-by: Timo Teräs <timo.teras@iki.fi>
 2015-05-04 13:42:51 +02:00
Martin Willi 1549a98493 vici: Don't use a default rand_time larger than half of rekey/reauth_time 2015-03-03 13:49:14 +01:00
Martin Willi f6511e36b5 vici: If a IKE reauth_time is configured, disable the default rekey_time 2015-03-03 13:49:14 +01:00
Martin Willi 971a91685d controller: Use the CHILD_SA unique_id to terminate CHILD_SAs 2015-02-20 13:34:50 +01:00
Martin Willi d73a46171d vici: Support a replay_window CHILD_SA option 2014-06-17 16:41:31 +02:00
Martin Willi dfb23fa159 vici: Add Windows support 2014-06-04 15:53:12 +02:00
Martin Willi 8d74ec9e80 ike: Add an additional but separate AEAD proposal to CHILD config 
This currently has no effect: We don't include AEAD algorithms in the default
ESP proposal, as we don't know if it is supported by the backend. But as we
hopefully get an algorithm query mechanism on kernel interfaces some day, we
add the appropriate functionality nonetheless.
 2014-05-16 16:51:19 +02:00
Martin Willi 879e3d12ca ike: Add an additional but separate AEAD proposal to IKE config, if supported 2014-05-16 16:51:19 +02:00
Martin Willi 80b56fb468 vici: Support the close_action keyword, as we have it documented 2014-05-14 16:26:53 +02:00
Martin Willi afb7ef4908 vici: Properly filter by CHILD_SA name while undoing start actions 2014-05-07 14:13:39 +02:00
Martin Willi 682c9966fa vici: Fallback to socket listening port if no explicit local port specified 2014-05-07 14:13:39 +02:00
Martin Willi dffd60083d vici: Support a "mtu" value for the tfc_padding option 2014-05-07 14:13:39 +02:00
Martin Willi 5619d40613 vici: Handle the "trap" action as an alias for "route" 2014-05-07 14:13:39 +02:00
Martin Willi f3e1ec4a85 vici: Have an explicit "relaxed" keyword for the default revocation policy 2014-05-07 14:13:38 +02:00
Martin Willi 585814470d vici: Use a default child rekey time of 1 hour 2014-05-07 14:13:38 +02:00
Martin Willi 046befeca5 vici: Use a default IKE rekey time of 4 hours 2014-05-07 14:13:38 +02:00
Martin Willi afb8f492ef vici: Support referencing external named pools for peer configs 2014-05-07 14:13:37 +02:00
Martin Willi 3ad9c34c92 vici: Actually add configured virtual IPs to peer config 2014-05-07 14:13:37 +02:00
Martin Willi e651afe67b vici: Use a default rand_time of the difference between hard and soft lifetimes 2014-05-07 14:13:37 +02:00
Martin Willi c520510508 vici: Use a default hard lifetime of 110% of the soft lifetime 2014-05-07 14:13:37 +02:00
Martin Willi 7de35b7ff6 vici: Perform specified start_action on connection load, undo it on unload 2014-05-07 14:13:37 +02:00
Martin Willi b57739f721 vici: Support pinning end entity and CA certificates to connections 2014-05-07 14:13:37 +02:00