aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* proposal: Add default PRF for HMAC-MD5-128 and HMAC-SHA1-160 integrity ↵Tobias Brunner2014-10-311-0/+2
| | | | algorithms
* Merge branch 'mem-pool-range'Tobias Brunner2014-10-3016-42/+590
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | Adds support to configure address pools as ranges (from-to) in ipsec.conf and swanctl.conf. The first and last addresses in subnet based pools are now skipped properly and the pools' sizes are adjusted accordingly. Which is also the case if pools are configured with an offset, e.g. 192.168.0.100/24, which reduces the number of available addresses from 254 to 155, and assignment now starts at .100 not .101, i.e. .100-.254 are assignable to clients. References #744.
| * host: Ignore spaces around - when parsing rangesTobias Brunner2014-10-303-9/+23
| |
| * ike-cfg: Use host_create_from_range() helperTobias Brunner2014-10-301-16/+1
| |
| * vici: Add support for address range definitions of poolsTobias Brunner2014-10-302-9/+39
| |
| * stroke: Add support for address range definitions of in-memory poolsTobias Brunner2014-10-302-8/+36
| |
| * host: Add function to create two hosts from a range definitionTobias Brunner2014-10-303-0/+124
| |
| * mem-pool: Add basic unit testsTobias Brunner2014-10-303-0/+233
| |
| * libhydra: Add test runnerTobias Brunner2014-10-306-0/+92
| |
| * mem-pool: Correctly ignore first and last addresses of subnets and adjust sizeTobias Brunner2014-10-301-7/+49
|/ | | | | | | Previously one more than the first and last address was ignored. And if the base address is not the network ID of the subnet we should not skip it. But we should adjust the size as it does not represent the actual number of IP addresses assignable.
* ikev1: Don't inherit children if INITITAL_CONTACT was seenThomas Egerer2014-10-301-1/+4
| | | | Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* ikev1: Send INITIAL_CONTACT notify in Main ModeThomas Egerer2014-10-301-0/+28
| | | | | | | | | We currently send the notify in Main Mode only, as it is explicitly not allowed by RFC 2407 to send (unprotected) notifications in Aggressive Mode. To make that work, we'd need to handle that notify in Aggressive Mode, which could allow a MitM to inject such notifies and do some harm. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* Merge branch 'policy-constraints'Martin Willi2014-10-308-53/+1255
|\ | | | | | | | | | | | | | | | | | | | | | | Fixes handling of invalid policies in end entity certificates by not rejecting the full certificate, but just invalidating the affected policy. Additionally adds a bunch of unit tests for the constraints plugin, and some minor fixes to the nameConstraints handling. Currently we still reject CAs that use invalid policy mapping; we should accept such certificates and just invalid affected policies in a next iteration. Fixes #453.
| * pki: Print and document the name constraint type for DNS or email constraintsMartin Willi2014-10-303-6/+46
| | | | | | | | | | As email constraints may be for a specific host, it is not clear from the name itself if it is a DNS or email constraint.
| * constraints: Add permitted/excludedNameConstraints checkMartin Willi2014-10-303-0/+400
| |
| * constraints: Use a more specific FQDN/email name constraint matchingMartin Willi2014-10-301-22/+73
| | | | | | | | | | | | | | While RFC 5280 is not very specific about the matching rules of subjectAltNames, it has some examples how to match email and FQDN constraints. We try to follow these examples, and restrict DNS names to subdomain matching and email to full email, host or domain matching.
| * constraints: Add requireExplicitPolicy testsMartin Willi2014-10-301-0/+44
| |
| * constraints: Add inhibitAnyPolicy testsMartin Willi2014-10-301-0/+44
| |
| * constraints: Add inhibitPolicyMapping testsMartin Willi2014-10-301-4/+83
| |
| * constraints: Don't reject certificates with invalid certificate policiesMartin Willi2014-10-301-25/+97
| | | | | | | | | | | | | | | | | | | | | | | | Instead of rejecting the certificate completely if a certificate has a policy OID that is actually not allowed by the issuer CA, we accept it. However, the certificate policy itself is still considered invalid, and is not returned in the auth config resulting from trust chain operations. A user must make sure to rely on the returned auth config certificate policies instead of the policies contained in the certificate; even if the certificate is valid, the policy OID itself in the certificate are not to be trusted anymore.
| * constraints: Add certificate policy and policy mapping unit testsMartin Willi2014-10-303-0/+472
|/
* Merge branch 'id-type-prefix'Martin Willi2014-10-306-57/+212
|\ | | | | | | Introduce generic identity prefixes to enforce a specific type.
| * NEWS: Mention identity prefixesMartin Willi2014-10-301-0/+9
| |
| * swanctl: Document identity type prefixesMartin Willi2014-10-301-3/+18
| |
| * man: Document identification type prefixes in ipsec.conf(5)Martin Willi2014-10-301-2/+27
| |
| * identification: Support custom types in string constructor prefixesMartin Willi2014-10-303-0/+48
| |
| * identification: Support prefixes in string constructors for an explicit typeMartin Willi2014-10-303-0/+58
| |
| * unit-tests: Re-align identification_create_from_string() unit test table dataMartin Willi2014-10-301-52/+52
|/
* threading: Support rwlock try_write_lock() on WindowsMartin Willi2014-10-301-2/+0
| | | | | | | | | | | We explicitly avoided TryAcquireSRWLockExclusive() because of crashes. This issue was caused by a MinGW-w64 bug (mingw-w64 fix 46f77afc). Using a newer toolchain works fine. While try_write_lock() obviously can fail, not supporting it is not really an option, as some algorithms depend on occasionally successful calls. Certificate caching in the certificate manager and the cred_set cache rely on successful try_write_lock()ing.
* threading: Add a more explicit rwlock try_write_lock() testingMartin Willi2014-10-301-0/+44
|
* message: Include encrypted fragment payload in payload (order) rulesTobias Brunner2014-10-291-0/+12
| | | | | | | | | Otherwise fragmented CREATE_CHILD_SA exchanges won't get accepted because they don't contain an SA payload. It also prevents a warning when ordering payloads. Fixes #752.
* cert-cache: Prevent that a cached issuer is freed too earlyTobias Brunner2014-10-241-7/+10
| | | | | | | | Previously we got no reference to the cached issuer certificate before releasing the lock of the cache line, this allowed other threads, or even the same thread if it replaces a cache line, to destroy that issuer certificate in cache() (or flush()) before get_ref() for the issuer certificate is finally called.
* unit-tests: Fix internet checksum tests on big-endian systemsTobias Brunner2014-10-231-4/+9
| | | | | | | We actually need to do a byte-swap, which ntohs() only does on little-endian systems. Fixes #747.
* chunk: Fix internet checksum calculation on big-endian systemsTobias Brunner2014-10-231-1/+1
| | | | | | | ntohs() might be defined as noop (#define ntohs(x) (x)) so we have to manually shorten the negated value (gets promoted to an int). Fixes #747.
* updown: Explicitly pass caller PATH to updown scriptMartin Willi2014-10-221-0/+1
| | | | | | | | | When invoking /bin/sh, its default PATH is used. On some systems, that does not include the PATH where the ipsec script is installed, as charon is invoked with a custom PATH. Explicitly setting the PATH of charon should fix this case, properly invoking the (default) updown script. Fixes #745.
* ip-packet: Fix length in IPv6 header of generated packetsTobias Brunner2014-10-201-1/+1
|
* Increased fragment size to 1400 in ipv6/net2net-ikev1 scenario5.2.1Andreas Steffen2014-10-182-2/+2
|
* Enabled IKEv2 fragmentation in ipv6/net2net-ikev2 scenarioAndreas Steffen2014-10-184-2/+6
|
* Version bump to 5.2.1Andreas Steffen2014-10-181-3/+3
|
* Remove unneeded get_count() methodAndreas Steffen2014-10-171-1/+0
|
* Process TCG/PTS File Measurement attribute incrementallyAndreas Steffen2014-10-171-37/+77
|
* Exempt TCG/SEG attributes from unsupported case statementAndreas Steffen2014-10-162-4/+11
|
* Request IF-M segmentation contract for TCG/PTS subtypeAndreas Steffen2014-10-161-0/+27
|
* tls: Fix an invalid free on CBC encryption failureMartin Willi2014-10-151-1/+0
|
* tls: Fix a memory leak if AEAD encryption failsMartin Willi2014-10-151-0/+1
|
* tls: Check all bytes of the padding if they equal the padding lengthMartin Willi2014-10-152-0/+16
|
* android: Fix PA-TNC construction based on data passed via JNITobias Brunner2014-10-151-3/+2
|
* libimcv: Add generic constructor for PA-TNC attributesTobias Brunner2014-10-152-0/+51
|
* backtrace: Fix symbol lookup in dynamic symtab via libbfdTobias Brunner2014-10-141-0/+1
|
* swid-inventory: Remove unused variable end_of_tagTobias Brunner2014-10-141-6/+2
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-05 01:14:10 +0000