aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* child-rekey: Suppress updown event when deleting redundant CHILD_SAsTobias Brunner2016-02-011-1/+10
| | | | | | | | | When handling a rekey collision we might have to delete an already installed redundant CHILD_SA (or expect the other peer to do so). We don't want to trigger updown events for these as neither do we do so for successfully rekeyed CHILD_SAs. Fixes #853.
* testing: Don't attempt to start the daemon twice in ha/active-passive scenarioTobias Brunner2016-02-011-1/+0
|
* ha: Properly sync IKEv1 IV if gateway is initiatorTobias Brunner2016-02-011-12/+16
| | | | | | | | | | | | | | To handle Phase 2 exchanges on the other HA host we need to sync the last block of the last Phase 1 message (or the last expected IV). If the gateway is the initiator of a Main Mode SA the last message is an inbound message. When handling such messages the expected IV is not updated until it is successfully decrypted so we can't sync the IV when processing the still encrypted (!plain) message. However, as responder, i.e. if the last message is an outbound message, the reverse applies, that is, we get the next IV after successfully encrypting the message, not while handling the plain message. Fixes #1267.
* ha: Add DH group to CHILD_ADD messageTobias Brunner2016-02-012-1/+12
| | | | References #1267.
* ha: Add DH group to IKE_ADD messageTobias Brunner2016-02-014-0/+16
| | | | | | | | It is required for IKEv1 to determine the DH group of the CHILD SAs during rekeying. It also fixes the status output for HA SAs, which so far haven't shown the DH group on the passive side. Fixes #1267.
* ike-sa-manager: Don't update entries for init messages after unlocking segmentTobias Brunner2016-02-011-3/+2
| | | | | | | | | | | | | If the retransmit of an initial message is processed concurrently with the original message it might not have been handled as intended as the thread processing the retransmit might not have seen the correct value of entry->processing set by the thread handling the original request. For IKEv1, i.e. without proper message IDs, there might still be races e.g. when receiving a retransmit of the initial IKE message while processing the initiator's second request. Fixes #1269.
* unit-tests: The pseudonym RDN is now recognized, so use something more exoticTobias Brunner2016-01-281-3/+3
|
* Version bump to 5.4.0dr55.4.0dr5Andreas Steffen2016-01-281-1/+1
|
* Support pseudonym RDNAndreas Steffen2016-01-273-0/+5
|
* testing: Added swanctl/config-payload scenarioAndreas Steffen2016-01-1412-0/+219
|
* testing: Use include statement in swanctl/rw-pubkey-keyid scenarioAndreas Steffen2016-01-143-30/+19
|
* Version bump to 5.4.0dr45.4.0dr4Andreas Steffen2016-01-101-1/+1
|
* vici: Support multiple named raw ublic keysAndreas Steffen2016-01-101-15/+19
|
* testing: swanctl/rw-pubkey-anon uses anonymous public keys in remote access ↵Andreas Steffen2016-01-0920-0/+297
| | | | scenario
* swanctl: Load pubkeys with load-credsAndreas Steffen2016-01-092-6/+8
|
* testing: added swanctl scenarios net2net-pubkey, rw-pubkey-keyid and rw-dnssecAndreas Steffen2016-01-0955-0/+824
|
* vici: list-cert sends subject, not-before and not-after attributes for pubkeysAndreas Steffen2016-01-094-6/+65
|
* vici: Support of raw public keysAndreas Steffen2016-01-099-20/+110
|
* testing: Fixed description of swanctl/frags-iv4 scenarioAndreas Steffen2016-01-091-4/+4
|
* swanctl.conf: IKEv2 fragmentation supportedAndreas Steffen2016-01-091-8/+9
|
* Version bump to 5.4.0dr35.4.0dr3Andreas Steffen2016-01-031-1/+1
|
* vici: Enable transport encoding of CERT_TRUSTED_PUBKEY objectsAndreas Steffen2016-01-031-5/+8
|
* testing: Change sql scenarios to swanctlAndreas Steffen2016-01-03180-398/+454
|
* testing: Fix some IKEv1 scenarios after listing DH groups for CHILD_SAsTobias Brunner2015-12-214-8/+8
|
* stroke: List DH groups for CHILD_SA proposalsTobias Brunner2015-12-211-23/+19
| | | | Closes strongswan/strongswan#23.
* vici: Use correct constant when checking for integrity algorithmTobias Brunner2015-12-211-1/+1
| | | | Currently both have the value 1024 so no real harm done.
* vici: CHILD_SA proposals never contain a PRFTobias Brunner2015-12-211-5/+0
|
* strongswan-swanctl.service.in: Match install used by strongswan.serviceChris Patterson2015-12-211-0/+3
| | | | | | Signed-off-by: Chris Patterson <pattersonc@ainfosec.com> Closes strongswan/strongswan#25.
* configure: Support systemd >= 209Chris Patterson2015-12-212-9/+12
| | | | | | | | | | | | | | | | | libsystemd-journal and libsystemd-daemon are now just part of libsystemd. Keep original systemd checks as a fallback. Updates charon-systemd/Makefile.am accordingly. Tested on: - debian wheezy (systemd v44) - ubuntu 15.10 (systemd v255). Signed-off-by: Chris Patterson <pattersonc@ainfosec.com> Closes strongswan/strongswan#24.
* vici: allow legacy shortcuts in cert queriesAndreas Steffen2015-12-191-10/+14
|
* Version bump to 5.4.0dr25.4.0dr2Andreas Steffen2015-12-181-1/+1
|
* testing: Fixed description in swanctl/rw-ntru-bliss scenarioAndreas Steffen2015-12-181-1/+1
|
* testing: swanctl is enabled by defaultAndreas Steffen2015-12-181-1/+0
|
* Use 128 bit security in README.pod examplesAndreas Steffen2015-12-181-4/+4
|
* Improvements to the VICI Perl bindings by Andreas HofmeisterAndreas Hofmeister2015-12-184-189/+127
| | | | | | | | | | | | | | | | | | | | | | | | | | | - Switch.pm, which was implemented as a source filter, has been deprecated in Perl 5.10 and was later removed from the core modules in Perl 5.14 or so. Unfortunately, its replacement, the given/when/default construct, has since been downgraded to "experimental" status because of problems with the underlying "smart-match" operator. Thus, as of Perl 5.22, Perl still has no actually usable "switch"-like construct. So just use boring, old and ugly "if/elsif/else" constructs instead, which are compatible with almost any Perl version. - None of the Perl modules here does anything that would require "AutoLoader". - "Exporter" can be used to export plain functions into another modules name space. But the things that were exported here are meant to be called as methods. In this case, it is neither necessary nor advisable to export those symbols. Just export nothing (the POD documentation already said so). - It is usually the calling script that enables (or does not enable) warnings globally. When a module says "use warnings;" however, the caller looses control over what warnings should be enabled in that module.
* configure: Enable vici plugin and swanctl by defaultAndreas Steffen2015-12-171-2/+2
|
* testing: Added swanctl/rw-ntru-bliss scenarioAndreas Steffen2015-12-1720-0/+214
|
* Apply pubkey and signature constraints in vici pluginAndreas Steffen2015-12-174-115/+124
|
* 128 bit default security strength for IKE and ESP algorithmsAndreas Steffen2015-12-172-59/+159
| | | | | | | | | | | | | | | | | The default ESP cipher suite is now AES_CBC-128/HMAC_SHA2_256_128 and requires SHA-2 HMAC support in the Linux kernel (correctly implemented since 2.6.33). The default IKE cipher suite is now AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256 if the openssl plugin is loaded or AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072 if ECC is not available. The use of the SHA-1 hash algorithm and the MODP_2048 DH group has been deprecated and ENCR_CHACHA20_POLY1305 has been added to the default IKE AEAD algorithms.
* stroke: Fix --utc option for list* commandsTobias Brunner2015-12-171-2/+7
| | | | Fixes: dcb168413fa3 ("stroke: Add --daemon option")
* Merge branch 'command-max-lines'Tobias Brunner2015-12-164-7/+24
|\ | | | | | | | | | | | | Make sure commands registered in pki and swanctl don't exceed the maximum number of lines available for their usage summary. Closes strongswan/strongswan#22.
| * swanctl: Slightly change usage summary for --list-certsTobias Brunner2015-12-161-4/+3
| |
| * swanctl: Never print more than MAX_LINES of usage summaryTobias Brunner2015-12-161-1/+10
| | | | | | | | Print a warning if a registered command exceeds that limit.
| * pki: Increase MAX_LINESTobias Brunner2015-12-161-1/+1
| | | | | | | | | | The --issue and --self commands both define 10 lines of usage summary text.
| * pki: Never print more than MAX_LINES of usage summaryTobias Brunner2015-12-161-1/+10
|/ | | | Print a warning if a registered command exceeds that limit.
* travis: Enable IPv6 on build hostsTobias Brunner2015-12-151-0/+3
| | | | | | Since the move to Google Compute Engine (GCE) IPv6 has been disabled on the build hosts, causing several tests to fail. Lets try to get at least local IPv6 connectivity up again.
* libstrongswan: Updated Android.mk to current Makefile.amTobias Brunner2015-12-141-1/+2
|
* configure: Fix typo when enabling CPAN modules as dependencyTobias Brunner2015-12-141-1/+1
| | | | Fixes: a17b6d469c10 ("Built the CPAN file structure for the Vici::Session perl module")
* 128 bit default security strength requires 3072 bit prime DH groupAndreas Steffen2015-12-1435-83/+83
|
* swanctl --stats lists loaded pluginsAndreas Steffen2015-12-131-0/+12
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-04 11:33:10 +0000