aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* Revert "ha: Always install the CHILD_SAs with the inbound flag set to FALSE"Martin Willi2015-03-091-2/+2
| | | | | | | | While this change results in the correct add/update flag during installation, it exchanges all other values in the child_sa->install() call. We should pass the correct flag, but determine the add/update flag by other means. This reverts commit e722ee5d.
* tkm: Disable RFC 7427 signature authenticationTobias Brunner2015-03-091-0/+4
| | | | | | TKM can't verify such signatures so we'd fail in the authorize hook. Skipping the algorithm identifier doesn't help if the peer uses anything other than SHA-1, so config changes would be required.
* ikev2: Move code in pubkey authenticator's build() method into separate ↵Tobias Brunner2015-03-091-85/+123
| | | | functions
* ikev2: Try all eligible signature schemesTobias Brunner2015-03-091-34/+71
| | | | | | Previously, we failed without recovery if a private key did not support a selected signature scheme (based on key strength and the other peer's supported hash algorithms).
* files: Add simple plugin to load files from file:// URIsTobias Brunner2015-03-097-1/+305
|
* daemon: Remove scheduled jobs before unloading pluginsTobias Brunner2015-03-091-1/+2
| | | | | | | Especially callback jobs might refer to memory that gets invalid after the plugins got unlaoded, so make sure we destroy these jobs before. References #840.
* scheduler: Add method to remove all scheduled jobsTobias Brunner2015-03-092-5/+21
| | | | References #840.
* plugin-loader: Increase log level for warning about plugin features that ↵Tobias Brunner2015-03-091-3/+3
| | | | | | | | | failed to load Since we can't get rid of all unmet dependencies (at least not in every possible plugin configuration) the message is more confusing than helpful. In particular because a detailed warning about plugin features that failed to load due to unmet dependencies is only logged on level 2.
* tls-peer: Make sure to use the right trusted public key for peerTobias Brunner2015-03-091-4/+8
| | | | | | | | | In case a CA certificate uses the same subject DN as the server the previous code could end up trying to verify the server's signature with the CA certificate's public key. By comparing the certificate with the one sent by the peer we make sure to use the right one. Fixes #849.
* pkcs11: Convert RFC 3279 ECDSA signatures when verifyingTobias Brunner2015-03-091-4/+33
| | | | References #873.
* pkcs11: Properly encode RFC 3279 ECDSA signaturesTobias Brunner2015-03-091-2/+19
| | | | Fixes #873.
* pkcs11: Properly encode EC_POINTs created on a tokenTobias Brunner2015-03-091-5/+8
| | | | | | | Some tokens might not fail when creating EC public keys in the incorrect format, but they will later not be able to use them to verify signatures. References #872.
* pkcs11: Properly handle EC_POINTs returned as ASN.1 octet stringTobias Brunner2015-03-091-1/+43
| | | | | | | This is the correct encoding but we internally only use unwrapped keys and some tokens return them unwrapped. Fixes #872.
* Updated products in imv databaseAndreas Steffen2015-03-081-0/+137
|
* attest: output trusted flag and device descriptionAndreas Steffen2015-03-081-8/+10
|
* Make access requestor IP address available to TNC serverAndreas Steffen2015-03-0824-244/+550
|
* testing: Update modified updown scripts to the latest templateTobias Brunner2015-03-0614-2589/+993
| | | | | This avoids confusion and makes identifying the changes needed for each scenario easier.
* Remove obsolete _updown_espmark scriptTobias Brunner2015-03-064-441/+1
| | | | According to NEWS it was created to support kernels < 2.6.16.
* _updown: Remove obsolete stuff from default scriptTobias Brunner2015-03-061-192/+7
|
* ikev1: Set protocol ID and SPIs in INITIAL-CONTACT notification payloadsTobias Brunner2015-03-061-2/+13
| | | | | | | The payload we sent before is not compliant with RFC 2407 and thus some peers might abort negotiation (e.g. with an INVALID-PROTOCOL-ID error). Fixes #819.
* x509: Use subjectKeyIdentifier provided by issuer cert when checking CRL issuerTobias Brunner2015-03-061-18/+15
| | | | | | | | | Some CAs don't use SHA-1 hashes of the public key as subjectKeyIdentifier and authorityKeyIdentifier. If that's the case we can't force the calculation of the hash to compare that to authorityKeyIdentifier in the CRL, instead we use the subjectKeyIdentifier stored in the issuer certificate, if available. Otherwise, we fall back to the SHA-1 hash (or comparing the DNs) as before.
* kernel-pfkey: Add option to set receive buffer size of event socketTobias Brunner2015-03-063-0/+21
| | | | | | | | If many requests are sent to the kernel the events generated by these requests may fill the receive buffer before the daemon is able to read these messages. Fixes #783.
* use SHA512 for moon's BLISS signatureAndreas Steffen2015-03-042-2/+3
|
* Merge branch 'ikev2-signature-authentication'Tobias Brunner2015-03-0484-191/+1411
|\ | | | | | | | | | | | | | | | | | | | | This adds support for RFC 7427 signature authentication in IKEv2, enabling the use of stronger signature schemes (e.g. RSA with SHA-2) for IKE authentication. Public key constraints defined in `rightauth` are now also checked against IKEv2 signature schemes (may be disabled via strongswan.conf). Fixes #863.
| * NEWS: Introduce RFC 7427 signature authenticationTobias Brunner2015-03-041-0/+13
| |
| * man: Add documentation about IKEv2 signature schemesTobias Brunner2015-03-041-0/+15
| |
| * testing: Test classic public key authentication in ikev2/net2net-cert scenarioTobias Brunner2015-03-042-0/+2
| |
| * testing: Disable signature authentication on dave in ↵Tobias Brunner2015-03-042-2/+3
| | | | | | | | openssl-ikev2/ecdsa-certs scenario
| * ikev2: Try all RSA signature schemes if none is configuredTobias Brunner2015-03-041-4/+19
| |
| * ikev2: Consider signature schemes in rightauth when sending hash algorithmsTobias Brunner2015-03-041-14/+54
| |
| * tkm: Implement hash algorithm storage methods of keymat_v2_t interfaceTobias Brunner2015-03-041-0/+29
| |
| * keymat: Use hash algorithm setTobias Brunner2015-03-041-29/+7
| |
| * hash-algorithm-set: Add class to manage a set of hash algorithmsTobias Brunner2015-03-044-1/+193
| |
| * ikev2: Add an option to disable constraints against signature schemesTobias Brunner2015-03-042-1/+19
| | | | | | | | | | | | | | | | | | | | If this is disabled the schemes configured in `rightauth` are only checked against signature schemes used in the certificate chain and signature schemes used during IKEv2 are ignored. Disabling this could be helpful if existing connections with peers that don't support RFC 7427 use signature schemes in `rightauth` to verify certificate chains.
| * stroke: Enable BLISS-based public key constraintsTobias Brunner2015-03-041-4/+19
| |
| * credential-manager: Store BLISS key strength in auth configTobias Brunner2015-03-041-0/+3
| |
| * auth-cfg: Add BLISS key strength constraintTobias Brunner2015-03-042-21/+43
| |
| * testing: Don't check for exact IKEv2 fragment sizeTobias Brunner2015-03-041-2/+2
| | | | | | | | | | Because SHA-256 is now used for signatures the size of the two IKE_AUTH messages changed.
| * testing: Update test conditions because signature schemes are now loggedTobias Brunner2015-03-0433-58/+58
| | | | | | | | | | RFC 7427 signature authentication is now used between strongSwan hosts by default, which causes the actual signature schemes to get logged.
| * testing: Add ikev2/rw-sig-auth scenarioTobias Brunner2015-03-0412-0/+180
| |
| * testing: Add ikev2/net2net-cert-sha2 scenarioTobias Brunner2015-03-049-0/+104
| |
| * ikev2: Fall back to SHA-1 signatures for RSATobias Brunner2015-03-041-0/+7
| | | | | | | | | | This is really just a fallback to "classic" IKEv2 authentication if the other peer supports no stronger hash algorithms.
| * ikev2: Select a signature scheme appropriate for the given keyTobias Brunner2015-03-041-18/+13
| | | | | | | | | | By enumerating hashes we'd use SHA-1 by default. This way stronger signature schemes are preferred.
| * public-key: Add helper to determine acceptable signature schemes for keysTobias Brunner2015-03-043-1/+122
| |
| * ikev2: Log the actual signature scheme used for RFC 7427 authenticationTobias Brunner2015-03-041-4/+6
| |
| * ikev2: Store signature scheme used to verify peer in auth_cfgTobias Brunner2015-03-041-0/+1
| | | | | | | | | | | | | | | | | | | | This enables late connection switching based on the signature scheme used for IKEv2 and allows to enforce stronger signature schemes. This may break existing connections with peers that don't support RFC 7427 if signature schemes are currently used in `rightauth` for certificate chain validation and if the configured schemes are stronger than the default used for IKE (e.g. SHA-1 for RSA).
| * ikev2: Add a global option to disable RFC 7427 signature authenticationTobias Brunner2015-03-042-2/+15
| | | | | | | | This is mostly for testing.
| * ikev2: Remove private AUTH_BLISS methodTobias Brunner2015-03-043-18/+1
| | | | | | | | | | | | We use the new signature authentication instead for this. This is not backward compatible but we only released one version with BLISS support, and the key format will change anyway with the next release.
| * ikev2: Handle RFC 7427 signature authentication in pubkey authenticatorTobias Brunner2015-03-042-49/+179
| |
| * hasher: Add helper to determine hash algorithm from signature schemeTobias Brunner2015-03-042-0/+44
| |
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-12 06:15:51 +0000