aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
| * chapoly: Process four ChaCha20 blocks in parallel in SSSE3 driverMartin Willi2015-07-121-16/+207
| | | | | | | | | | As we don't have to shuffle the state in each ChaCha round, overall performance for ChaCha20-Poly1305 increases by ~40%.
| * chapoly: Add an SSSE3 based driverMartin Willi2015-06-294-1/+514
| | | | | | | | | | | | | | | | | | | | | | | | | | We always build the driver on x86/x64, but enable it only if SSSE3 support is detected during runtime. Poly1305 uses parallel 32-bit multiplication operands yielding a 64-bit result, for which two can be done in parallel in SSE. This is minimally faster than multiplication with 64-bit operands, and also works on 32-bit builds not having a __int128 result type. On a 32-bit architecture, this is more than twice as fast as the portable driver, and on 64-bit it is ~30% faster.
| * configure: Check if building against a x86/x64 architectureMartin Willi2015-06-291-0/+16
| | | | | | | | This allows us to include compiler flags specific for them, such as MMX/SSE.
| * chapoly: Add a ChaCha20/Poly1305 driver implemented in portable CMartin Willi2015-06-294-0/+488
| |
| * chapoly: Provide a generic ChaCha20/Poly1305 AEAD supporting driver backendsMartin Willi2015-06-299-0/+683
| |
| * test-vectors: Add some initial ChaCha20/Poly1305 AEAD test vectorMartin Willi2015-06-293-0/+112
| |
| * kernel-netlink: Add ChaCha20-Poly1305 AEAD supportMartin Willi2015-06-291-0/+2
| |
| * libipsec: Create AEAD with four byte salt for ChaCha20-Poly1305Martin Willi2015-06-291-0/+1
| |
| * ikev2: Derive additional 4 byte CHILD_SA nonce keymat for ChaCha20-Poly1305Martin Willi2015-06-291-0/+1
| |
| * ikev2: Use four byte salt for ChaCha20-Poly1305 AEADMartin Willi2015-06-291-0/+1
| |
| * proposal: Add a chacha20poly1305 proposal keywordMartin Willi2015-06-291-0/+1
| |
| * crypter: Define a ChaCha20/Poly1305 AEAD algorithm identifierMartin Willi2015-06-293-3/+7
|/
* capabilities: Handle ERANGE in user and group lookupsTobias Brunner2015-06-231-12/+48
| | | | | | | | | | | | | | As it turns out, getpwnam_r, getgrnam_r, and friends will return ERANGE if _any_ user or group on the system is larger than will fit into the scratch buffer you pass to them. This reworks the resolve_uid and resolve_gid methods plus init_supplementary_groups to use a variable-size buffer that is grown until the results fit. Based on a patch by Evan Broder. Closes strongswan/strongswan#12.
* osx: Version bump to 5.3.2-1Martin Willi2015-06-181-1/+1
|
* osx: Use CodeSignOnCopy for privileged helper, as suggested by XCodeMartin Willi2015-06-181-2/+2
|
* charon-xpc: Use DNS non-append/replace mode in osx-attr pluginMartin Willi2015-06-181-0/+2
|
* osx-attr: Optionally replace existing DNS server instead of appending themMartin Willi2015-06-181-3/+27
|
* Remove accidentally added stamp-h1Tobias Brunner2015-06-151-1/+0
| | | | Was added in bc4748832395 ("Add a return value to prf_t.get_bytes()").
* settings: Fix out-of-tree buildTobias Brunner2015-06-111-1/+1
| | | | | The header file was created in the source directory before, where it wasn't found by the generated C files in the build directory.
* stroke: Add missing include for UINT16_MAXTobias Brunner2015-06-092-0/+2
| | | | | | Fixes the build on FreeBSD. Fixes #988.
* Version bump to 5.3.25.3.2Andreas Steffen2015-06-081-1/+1
|
* NEWS: Add info about CVE-2015-4171Tobias Brunner2015-06-051-0/+10
|
* ikev2: Enforce remote authentication config before proceeding with own ↵Martin Willi2015-06-051-0/+44
| | | | | | | | | | | | | | | | | | | | | | | | authentication Previously the constraints in the authentication configuration of an initiator were enforced only after all authentication rounds were complete. This posed a problem if an initiator used EAP or PSK authentication while the responder was authenticated with a certificate and if a rogue server was able to authenticate itself with a valid certificate issued by any CA the initiator trusted. Because any constraints for the responder's identity (rightid) or other aspects of the authentication (e.g. rightca) the initiator had were not enforced until the initiator itself finished its authentication such a rogue responder was able to acquire usernames and password hashes from the client. And if a client supported EAP-GTC it was even possible to trick it into sending plaintext passwords. This patch enforces the configured constraints right after the responder's authentication successfully finished for each round and before the initiator starts with its own authentication. Fixes CVE-2015-4171.
* child-sa: Use any fixed reqid configured on the CHILD_SA configMartin Willi2015-06-051-2/+2
| | | | | | | Global reqid allocation (94eb09ac) broke fixed reqid allocation. Resupport them by bypassing allocation in the kernel if a fixed reqid has been configured. Fixes #976.
* unit-tests: Add tests for iv_gen_seq_tTobias Brunner2015-06-053-0/+75
|
* ivgen: Allow reusing the same message ID twice in sequential IV genMartin Willi2015-06-051-7/+25
| | | | | | | | | | | | We use the message ID and fragment number as IV generator. As IKEv2 uses distinct message ID counters for actively and passively initiated exchanges, each IV would be used twice. As we explicitly reject such message IDs since d0ed1079, original-responder initiated exchanges fail with counter mode ciphers. This commit separates IV space in two halves for sequential IVs, and automatically assigns once reused sequence numbers to the second half. Fixes #980.
* Fix timeattack script compilation under ARMAndreas Steffen2015-06-051-1/+1
|
* Updated SWID attribute listAndreas Steffen2015-06-022-3/+9
|
* Version bump to 5.3.15.3.1Andreas Steffen2015-06-011-1/+1
|
* NEWS: Add info about CVE-2015-3991Tobias Brunner2015-06-011-0/+7
|
* message: Log message if unknown/disallowed payload receivedTobias Brunner2015-06-011-3/+10
|
* message: Log original message type of unknown payloadsTobias Brunner2015-06-011-0/+13
|
* unknown-payload: Use a new private payload type and make original type availableTobias Brunner2015-06-016-10/+35
| | | | | | | | | This fixes a DoS and potential remote code execution vulnerability that was caused because the original payload type that was returned previously was used to cast such payload objects to payloads of the indicated type (e.g. when logging notify payloads with a payload type for the wrong IKE version). Fixes CVE-2015-3991.
* ikev2: Include fragment number into message ID passed to IV genMartin Willi2015-06-011-0/+5
| | | | | | When using a cipher with sequential IVs, we never must pass an identical IV to the IV generator. To avoid it when using IKEv2 fragmentation, use the lower bits of the 64-bit message ID as the fragment number.
* iv-gen: Fail getting shorter IV values than the used counter sizeMartin Willi2015-06-011-0/+4
| | | | | While no algorithm actually uses such short IVs, we add a check here to ensure we won't return just the lower bits of the counter.
* iv-gen: Ensure external sequential IVs are actually sequentialMartin Willi2015-06-012-0/+23
| | | | We allow gaps in IVs, but ensure that an IV is never used more than once.
* message: Show the fragmentation numbers in message stringificationMartin Willi2015-06-011-0/+36
|
* testing: use a decent PSKAndreas Steffen2015-05-302-2/+2
|
* testing: Added ha/active-passive scenarioAndreas Steffen2015-05-3021-0/+441
|
* Added 5.3.1 caption to NEWS5.3.1rc1Andreas Steffen2015-05-281-0/+3
|
* ha: Document tunnel parameterTobias Brunner2015-05-271-0/+1
|
* ha: Skip SA for sync messages when resyncing HA segmentsTobias Brunner2015-05-263-3/+14
|
* ha: Move plugin initialization from constructor to plugin callbackTobias Brunner2015-05-261-58/+69
| | | | | This fixes support for the secret option, as otherwise the kernel interface is not registered yet when the trap policy is installed.
* libtls: As client, reject DH exchanges using primes smaller than 1024 bitMartin Willi2015-05-261-0/+7
| | | | | | | | | | | | | | | | | | While the server signs the ephemeral DH parameters, it can be tricked to its lowest supported DH group by a man-in-the-middle: https://weakdh.org/imperfect-forward-secrecy.pdf While we at least use 2048-bit DH groups as server, the client accepts any DH prime the server sends. If it supports export ciphers, only a 512-bit prime may be used. As TLS does not define nor negotiate a DH group for cipher suites, the client actually must accept what the server offers. To avoid downgrades to weak DH groups, we must reject what we consider insecure. We set this limit to 1024-bit primes. While this breaks compatibility with TLS servers using weaker primes, this is what we expect servers at least use. Most browser vendors use the same limit in a similar fix.
* Check for NULL installed packages enumeratorAndreas Steffen2015-05-241-1/+5
|
* Fixed os_info path in strongswan.confAndreas Steffen2015-05-241-2/+2
|
* List attribute request entries also during buildAndreas Steffen2015-05-242-15/+14
|
* testing: Include iperf and htop in base imageTobias Brunner2015-05-221-2/+2
|
* stroke: Dynamically resize stroke messagesTobias Brunner2015-05-223-287/+320
| | | | | | | The maximum size of a stroke message is currently 64k due to the 2 byte length field. Fixes #943.
* vici: Explicitly disable --user-install when installing Ruby GemTobias Brunner2015-05-211-1/+1
| | | | | | | | Only one of `--user-install` and `--install-dir` may be set and if `--user-install` is the default on a system installation will fail unless we disable it explicitly. Fixes #914.
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-08 14:24:48 +0000