Commit message | Author | Age | Files | Lines | |
---|---|---|---|---|---|
* | updown: Properly configure ICMP[v6] message type and code in firewall rules | Tobias Brunner | 2013-10-17 | 1 | -4/+29 |
| | |||||
* | updown: Pass ICMP[v6] message type and code to updown script | Tobias Brunner | 2013-10-17 | 2 | -4/+27 |
| | The type is passed in $PLUTO_MY_PORT and the code in $PLUTO_PEER_PORT. | ||||
* | kernel-pfkey: Install ICMP[v6] type/code as expected by the Linux kernel | Tobias Brunner | 2013-10-17 | 1 | -19/+52 |
| | |||||
* | kernel-netlink: Convert ports in acquires to ICMP[v6] type and code | Tobias Brunner | 2013-10-17 | 1 | -3/+8 |
| | |||||
* | kernel-netlink: Properly install policies with ICMP[v6] types and codes | Tobias Brunner | 2013-10-17 | 1 | -1/+12 |
| | |||||
* | traffic-selector: Print ICMP[v6] message type and code in a more readable way | Tobias Brunner | 2013-10-17 | 1 | -4/+35 |
| | |||||
* | traffic-selector: Store ICMP[v6] message type and code properly | Tobias Brunner | 2013-10-17 | 2 | -8/+70 |
| | We now store them as defined in RFC 4301, section 4.4.1.1. | ||||
* | traffic-selector: Move class to its own Doxygen group | Tobias Brunner | 2013-10-17 | 2 | -1/+4 |
| | |||||
* | Merge branch 'ecc-brainpool' | Tobias Brunner | 2013-10-17 | 6 | -9/+311 |
|\ | Adds support for ECC Brainpool curves for DH exchanges. | ||||
| * | proposal: Add ECC Brainpool DH groups to the default proposal | Tobias Brunner | 2013-10-17 | 1 | -0/+4 |
| | | |||||
| * | openssl: Add workaround if ECC Brainpool curves are not defined | Tobias Brunner | 2013-10-17 | 1 | -11/+247 |
| | | |||||
| * | openssl: Add support for ECC Brainpool curves for DH, if defined by OpenSSL | Tobias Brunner | 2013-10-17 | 2 | -6/+51 |
| | | OpenSSL does not include them in releases before 1.0.2. | ||||
| * | ecc: Added ECC Brainpool ECDH groups as registered with IANA | Andreas Steffen | 2013-10-17 | 3 | -3/+20 |
|/ | |||||
* | unit-tests: Make test for bio_writer_t more portable | Tobias Brunner | 2013-10-17 | 1 | -2/+8 |
| | |||||
* | libipsec: Don't print ciphertext with ICV in log message | Tobias Brunner | 2013-10-17 | 1 | -1/+2 |
| | |||||
* | libipsec: Properly calculate padding length especially for AES-GCM | Tobias Brunner | 2013-10-17 | 1 | -1/+3 |
| | |||||
* | utils: Add utility function to calculate padding length | Tobias Brunner | 2013-10-17 | 2 | -13/+24 |
| | |||||
* | stroke: Reuse reqids of established CHILD_SAs when routing connections | Tobias Brunner | 2013-10-17 | 1 | -1/+45 |
| | |||||
* | trap-manager: Make sure a config is not trapped twice | Tobias Brunner | 2013-10-17 | 1 | -4/+16 |
| | |||||
* | Doxygen fixes | Tobias Brunner | 2013-10-15 | 7 | -11/+8 |
| | |||||
* | Set recommendation in the case of PCR measurement failures | Andreas Steffen | 2013-10-13 | 3 | -6/+27 |
| | |||||
* | Add linux/fip_rules.h to include files | Andreas Steffen | 2013-10-13 | 2 | -3/+75 |
| | |||||
* | Revert refactoring which broke CentOS build | Andreas Steffen | 2013-10-13 | 1 | -1/+1 |
| | |||||
* | Increase debug level in libipsec/rw-suite-b scenario | Andreas Steffen | 2013-10-11 | 1 | -0/+1 |
| | |||||
* | Use bold font to display key size | Andreas Steffen | 2013-10-11 | 2 | -2/+2 |
| | |||||
* | Added swid_directory option | Andreas Steffen | 2013-10-11 | 1 | -0/+3 |
| | |||||
* | Added tnc/tnccs-11-supplicant scenario | Andreas Steffen | 2013-10-11 | 29 | -0/+1489 |
| | |||||
* | Define aaa.strongswan.org in /etc/hosts | Andreas Steffen | 2013-10-11 | 1 | -1/+1 |
| | |||||
* | testing: Add libipsec/host2host-cert scenario | Tobias Brunner | 2013-10-11 | 11 | -0/+1534 |
| | |||||
* | checksum: The pool utility was moved to its own directory | Tobias Brunner | 2013-10-11 | 1 | -1/+1 |
| | |||||
* | ccm: Add missing comma in get_iv_gen method signature | Tobias Brunner | 2013-10-11 | 1 | -1/+1 |
| | |||||
* | iv-gen: Add missing header files to Makefile.am | Tobias Brunner | 2013-10-11 | 1 | -0/+1 |
| | |||||
* | NEWS: Updates for the recent merges | Tobias Brunner | 2013-10-11 | 1 | -1/+18 |
| | |||||
* | Merge branch 'iv-gen' | Tobias Brunner | 2013-10-11 | 19 | -17/+416 |
|\ | Modularizes the generation of initialization vectors, which allows using different methods depending on the algorithms. For instance, for AES-GCM sequential IVs are now used instead of the earlier random IVs, which are still used for other algorithms, e.g. AES-CBC. | ||||
| * | iv_gen: Mask sequential IVs with a random salt | Tobias Brunner | 2013-10-11 | 1 | -0/+24 |
| | | This makes it harder to attack a HA setup, even if the sequence numbers were not fully in sync. | ||||
| * | iv_gen: Provide external sequence number (IKE, ESP) | Tobias Brunner | 2013-10-11 | 7 | -23/+18 |
| | | This prevents duplicate sequential IVs in case of a HA failover. | ||||
| * | ipsec: Use IV generator to encrypt ESP messages | Tobias Brunner | 2013-10-11 | 2 | -9/+7 |
| | | |||||
| * | ikev2: Use IV generator to encrypt encrypted payload | Tobias Brunner | 2013-10-11 | 1 | -1/+9 |
| | | |||||
| * | iv_gen: aead_t implementations provide an IV generator | Tobias Brunner | 2013-10-11 | 6 | -1/+84 |
| | | |||||
| * | iv_gen: Add IV generator that allocates IVs sequentially | Tobias Brunner | 2013-10-11 | 4 | -2/+121 |
| | | |||||
| * | iv_gen: Add IV generator that allocates IVs randomly | Tobias Brunner | 2013-10-11 | 4 | -0/+113 |
| | | Uses RNG_WEAK as the code currently does elsewhere to allocate IVs. | ||||
| * | crypto: Add generic interface for IV generators | Tobias Brunner | 2013-10-11 | 2 | -1/+60 |
| | | |||||
| * | apidoc: Move mac_prf to prf Doxygen group | Tobias Brunner | 2013-10-11 | 1 | -1/+1 |
|/ | |||||
* | Merge branch 'radius-unity' | Tobias Brunner | 2013-10-11 | 1 | -3/+123 |
|\ | Adds support for Cisco Unity specific RADIUS attributes. References #383. | ||||
| * | eap-radius: Forward RAT_FRAMED_IP_NETMASK as INTERNAL_IP4_NETMASK | Tobias Brunner | 2013-10-11 | 1 | -0/+5 |
| | | |||||
| * | eap-radius: Forward UNITY_SPLIT_INCLUDE or UNITY_LOCAL_LAN attributes | Tobias Brunner | 2013-10-11 | 1 | -0/+93 |
| | | Depending on the value of the CVPN3000-IPSec-Split-Tunneling-Policy(55) radius attribute, the subnets in the CVPN3000-IPSec-Split-Tunnel-List(27) attribute are sent in either a UNITY_SPLIT_INCLUDE (if the value is 1) or a UNITY_LOCAL_LAN (if the value is 2). So if the following attributes would be configured for a RADIUS user: `CVPN3000-IPSec-Split-Tunnel-List := "10.0.1.0/255.255.255.0,10.0.2.0/255.255.255.0"`, `CVPN3000-IPSec-Split-Tunneling-Policy := 1`, a UNITY_SPLIT_INCLUDE configuration payload containing these two subnets would be sent to the client during the ModeCfg exchange. | ||||
| * | eap-radius: Forward UNITY_DEF_DOMAIN and UNITY_SPLITDNS_NAME attributes | Tobias Brunner | 2013-10-11 | 1 | -3/+25 |
|/ | The contents of the CVPN3000-IPSec-Default-Domain(28) and CVPN3000-IPSec-Split-DNS-Names(29) radius attributes are forwarded in the corresponding Unity configuration attributes. | ||||
* | Merge branch 'dnscert' | Tobias Brunner | 2013-10-11 | 31 | -133/+1253 |
|\ | The new dnscert plugin adds support for authentication via CERT resource records that are protected with DNSSEC. | ||||
| * | testing: Add ikev2/net2net-dnscert scenario | Tobias Brunner | 2013-10-11 | 15 | -0/+224 |
| | | |||||
| * | testing: Provide moon's and sun's certificate as CERT RR | Tobias Brunner | 2013-10-11 | 1 | -0/+51 |
| | |