Commit message (author, date; files changed, lines removed/added)
* updown: Properly configure ICMP[v6] message type and code in firewall rules (Tobias Brunner, 2013-10-17; 1 file, -4/+29)
* updown: Pass ICMP[v6] message type and code to updown script (Tobias Brunner, 2013-10-17; 2 files, -4/+27)
    The type is passed in $PLUTO_MY_PORT and the code in $PLUTO_PEER_PORT.
* kernel-pfkey: Install ICMP[v6] type/code as expected by the Linux kernel (Tobias Brunner, 2013-10-17; 1 file, -19/+52)
* kernel-netlink: Convert ports in acquires to ICMP[v6] type and code (Tobias Brunner, 2013-10-17; 1 file, -3/+8)
* kernel-netlink: Properly install policies with ICMP[v6] types and codes (Tobias Brunner, 2013-10-17; 1 file, -1/+12)
* traffic-selector: Print ICMP[v6] message type and code in a more readable way (Tobias Brunner, 2013-10-17; 1 file, -4/+35)
* traffic-selector: Store ICMP[v6] message type and code properly (Tobias Brunner, 2013-10-17; 2 files, -8/+70)
    We now store them as defined in RFC 4301, section 4.4.1.1.
* traffic-selector: Move class to its own Doxygen group (Tobias Brunner, 2013-10-17; 2 files, -1/+4)
* Merge branch 'ecc-brainpool' (Tobias Brunner, 2013-10-17; 6 files, -9/+311)
|\  Adds support for ECC Brainpool curves for DH exchanges.
| * proposal: Add ECC Brainpool DH groups to the default proposal (Tobias Brunner, 2013-10-17; 1 file, -0/+4)
| * openssl: Add workaround if ECC Brainpool curves are not defined (Tobias Brunner, 2013-10-17; 1 file, -11/+247)
| * openssl: Add support for ECC Brainpool curves for DH, if defined by OpenSSL (Tobias Brunner, 2013-10-17; 2 files, -6/+51)
|     OpenSSL does not include them in releases before 1.0.2.
| * ecc: Added ECC Brainpool ECDH groups as registered with IANA (Andreas Steffen, 2013-10-17; 3 files, -3/+20)
|/
* unit-tests: Make test for bio_writer_t more portable (Tobias Brunner, 2013-10-17; 1 file, -2/+8)
* libipsec: Don't print ciphertext with ICV in log message (Tobias Brunner, 2013-10-17; 1 file, -1/+2)
* libipsec: Properly calculate padding length especially for AES-GCM (Tobias Brunner, 2013-10-17; 1 file, -1/+3)
* utils: Add utility function to calculate padding length (Tobias Brunner, 2013-10-17; 2 files, -13/+24)
* stroke: Reuse reqids of established CHILD_SAs when routing connections (Tobias Brunner, 2013-10-17; 1 file, -1/+45)
* trap-manager: Make sure a config is not trapped twice (Tobias Brunner, 2013-10-17; 1 file, -4/+16)
* Doxygen fixes (Tobias Brunner, 2013-10-15; 7 files, -11/+8)
* Set recommendation in the case of PCR measurement failures (Andreas Steffen, 2013-10-13; 3 files, -6/+27)
* Add linux/fip_rules.h to include files (Andreas Steffen, 2013-10-13; 2 files, -3/+75)
* Revert refactoring which broke CentOS build (Andreas Steffen, 2013-10-13; 1 file, -1/+1)
* Increase debug level in libipsec/rw-suite-b scenario (Andreas Steffen, 2013-10-11; 1 file, -0/+1)
* Use bold font to display key size (Andreas Steffen, 2013-10-11; 2 files, -2/+2)
* Added swid_directory option (Andreas Steffen, 2013-10-11; 1 file, -0/+3)
* Added tnc/tnccs-11-supplicant scenario (Andreas Steffen, 2013-10-11; 29 files, -0/+1489)
* Define aaa.strongswan.org in /etc/hosts (Andreas Steffen, 2013-10-11; 1 file, -1/+1)
* testing: Add libipsec/host2host-cert scenario (Tobias Brunner, 2013-10-11; 11 files, -0/+1534)
* checksum: The pool utility was moved to its own directory (Tobias Brunner, 2013-10-11; 1 file, -1/+1)
* ccm: Add missing comma in get_iv_gen method signature (Tobias Brunner, 2013-10-11; 1 file, -1/+1)
* iv-gen: Add missing header files to Makefile.am (Tobias Brunner, 2013-10-11; 1 file, -0/+1)
* NEWS: Updates for the recent merges (Tobias Brunner, 2013-10-11; 1 file, -1/+18)
* Merge branch 'iv-gen' (Tobias Brunner, 2013-10-11; 19 files, -17/+416)
|\  Modularizes the generation of initialization vectors, which allows using different methods depending on the algorithms. For instance, for AES-GCM sequential IVs are now used instead of the earlier random IVs, which are still used for other algorithms, e.g. AES-CBC.
| * iv_gen: Mask sequential IVs with a random salt (Tobias Brunner, 2013-10-11; 1 file, -0/+24)
|     This makes it harder to attack a HA setup, even if the sequence numbers were not fully in sync.
| * iv_gen: Provide external sequence number (IKE, ESP) (Tobias Brunner, 2013-10-11; 7 files, -23/+18)
|     This prevents duplicate sequential IVs in case of a HA failover.
| * ipsec: Use IV generator to encrypt ESP messages (Tobias Brunner, 2013-10-11; 2 files, -9/+7)
| * ikev2: Use IV generator to encrypt encrypted payload (Tobias Brunner, 2013-10-11; 1 file, -1/+9)
| * iv_gen: aead_t implementations provide an IV generator (Tobias Brunner, 2013-10-11; 6 files, -1/+84)
| * iv_gen: Add IV generator that allocates IVs sequentially (Tobias Brunner, 2013-10-11; 4 files, -2/+121)
| * iv_gen: Add IV generator that allocates IVs randomly (Tobias Brunner, 2013-10-11; 4 files, -0/+113)
|     Uses RNG_WEAK as the code currently does elsewhere to allocate IVs.
| * crypto: Add generic interface for IV generators (Tobias Brunner, 2013-10-11; 2 files, -1/+60)
| * apidoc: Move mac_prf to prf Doxygen group (Tobias Brunner, 2013-10-11; 1 file, -1/+1)
|/
* Merge branch 'radius-unity' (Tobias Brunner, 2013-10-11; 1 file, -3/+123)
|\  Adds support for Cisco Unity specific RADIUS attributes. References #383.
| * eap-radius: Forward RAT_FRAMED_IP_NETMASK as INTERNAL_IP4_NETMASK (Tobias Brunner, 2013-10-11; 1 file, -0/+5)
| * eap-radius: Forward UNITY_SPLIT_INCLUDE or UNITY_LOCAL_LAN attributes (Tobias Brunner, 2013-10-11; 1 file, -0/+93)
|     Depending on the value of the CVPN3000-IPSec-Split-Tunneling-Policy(55) RADIUS attribute, the subnets in the CVPN3000-IPSec-Split-Tunnel-List(27) attribute are sent in either a UNITY_SPLIT_INCLUDE (if the value is 1) or a UNITY_LOCAL_LAN (if the value is 2). So if the following attributes were configured for a RADIUS user
|
|       CVPN3000-IPSec-Split-Tunnel-List := "10.0.1.0/255.255.255.0,10.0.2.0/255.255.255.0"
|       CVPN3000-IPSec-Split-Tunneling-Policy := 1
|
|     a UNITY_SPLIT_INCLUDE configuration payload containing these two subnets would be sent to the client during the ModeCfg exchange.
| * eap-radius: Forward UNITY_DEF_DOMAIN and UNITY_SPLITDNS_NAME attributes (Tobias Brunner, 2013-10-11; 1 file, -3/+25)
|/    The contents of the CVPN3000-IPSec-Default-Domain(28) and CVPN3000-IPSec-Split-DNS-Names(29) RADIUS attributes are forwarded in the corresponding Unity configuration attributes.
* Merge branch 'dnscert' (Tobias Brunner, 2013-10-11; 31 files, -133/+1253)
|\  The new dnscert plugin adds support for authentication via CERT resource records that are protected with DNSSEC.
| * testing: Add ikev2/net2net-dnscert scenario (Tobias Brunner, 2013-10-11; 15 files, -0/+224)
| * testing: Provide moon's and sun's certificate as CERT RR (Tobias Brunner, 2013-10-11; 1 file, -0/+51)