aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* Merge branch 'android-eap-tls'Tobias Brunner2014-11-0614-87/+101
|\ | | | | | | | | | | | | | | | | | | | | | | | | This adds support for EAP-TLS authentication on Android. EAP-only authentication is currently not allowed because the AAA identity is not configurable, so to prevent anyone with a valid certificate from impersonating the AAA server and thus the gateway, we authenticate the gateway (like we do with other authentication methods). Also, it's currently not possible to select a specific CA certificate to authenticate the AAA server certificate, so it either must be issued by the same CA as that of the gateway or automatic CA certificate selection must be used.
| * android: Use %any as AAA identity, but disable EAP-only authenticationTobias Brunner2014-11-061-5/+3
| | | | | | | | | | | | | | Without verification of the identity we can't prevent a malicious user with a valid certificate from impersonating the AAA server and thus the VPN gateway. So unless we make the AAA identity configurable we have to prevent EAP-only authentication.
| * android: Add support for signature schemes used by EAP-TLSTobias Brunner2014-11-061-19/+34
| |
| * android: Allow enumeration of untrusted certificatesTobias Brunner2014-11-061-1/+1
| |
| * android: Handle EAP-TLS in Android serviceTobias Brunner2014-11-061-6/+19
| |
| * android: Enable EAP-TLS plugin in the appTobias Brunner2014-11-061-1/+1
| |
| * android: Add EAP-TLS VPN type to the GUITobias Brunner2014-11-066-1/+7
| |
| * android: Change how features of VPN types are stored and checkedTobias Brunner2014-11-065-59/+41
|/
* testing: Update tkm/multiple-clients/evaltest.datReto Buerki2014-10-311-2/+1
| | | | | | Since the CC context is now properly reset in the bus listener plugin, the second connection from host dave re-uses the first CC ID. Adjust the expect string on gateway sun accordingly.
* charon-tkm: Properly reset CC context in listenerReto Buerki2014-10-311-7/+13
| | | | | | Make sure that the acquired CC context is correctly reset and the associated ID released in the authorize() function of the TKM bus listener.
* charon-tkm: Add missing comma to enumReto Buerki2014-10-311-1/+1
| | | | Add missing comma to tkm_context_kind_names enum definition.
* proposal: Add default PRF for HMAC-MD5-128 and HMAC-SHA1-160 integrity ↵Tobias Brunner2014-10-311-0/+2
| | | | algorithms
* Merge branch 'mem-pool-range'Tobias Brunner2014-10-3016-42/+590
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | Adds support to configure address pools as ranges (from-to) in ipsec.conf and swanctl.conf. The first and last addresses in subnet based pools are now skipped properly and the pools' sizes are adjusted accordingly. Which is also the case if pools are configured with an offset, e.g. 192.168.0.100/24, which reduces the number of available addresses from 254 to 155, and assignment now starts at .100 not .101, i.e. .100-.254 are assignable to clients. References #744.
| * host: Ignore spaces around - when parsing rangesTobias Brunner2014-10-303-9/+23
| |
| * ike-cfg: Use host_create_from_range() helperTobias Brunner2014-10-301-16/+1
| |
| * vici: Add support for address range definitions of poolsTobias Brunner2014-10-302-9/+39
| |
| * stroke: Add support for address range definitions of in-memory poolsTobias Brunner2014-10-302-8/+36
| |
| * host: Add function to create two hosts from a range definitionTobias Brunner2014-10-303-0/+124
| |
| * mem-pool: Add basic unit testsTobias Brunner2014-10-303-0/+233
| |
| * libhydra: Add test runnerTobias Brunner2014-10-306-0/+92
| |
| * mem-pool: Correctly ignore first and last addresses of subnets and adjust sizeTobias Brunner2014-10-301-7/+49
|/ | | | | | | Previously one more than the first and last address was ignored. And if the base address is not the network ID of the subnet we should not skip it. But we should adjust the size as it does not represent the actual number of IP addresses assignable.
* ikev1: Don't inherit children if INITITAL_CONTACT was seenThomas Egerer2014-10-301-1/+4
| | | | Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* ikev1: Send INITIAL_CONTACT notify in Main ModeThomas Egerer2014-10-301-0/+28
| | | | | | | | | We currently send the notify in Main Mode only, as it is explicitly not allowed by RFC 2407 to send (unprotected) notifications in Aggressive Mode. To make that work, we'd need to handle that notify in Aggressive Mode, which could allow a MitM to inject such notifies and do some harm. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* Merge branch 'policy-constraints'Martin Willi2014-10-308-53/+1255
|\ | | | | | | | | | | | | | | | | | | | | | | Fixes handling of invalid policies in end entity certificates by not rejecting the full certificate, but just invalidating the affected policy. Additionally adds a bunch of unit tests for the constraints plugin, and some minor fixes to the nameConstraints handling. Currently we still reject CAs that use invalid policy mapping; we should accept such certificates and just invalid affected policies in a next iteration. Fixes #453.
| * pki: Print and document the name constraint type for DNS or email constraintsMartin Willi2014-10-303-6/+46
| | | | | | | | | | As email constraints may be for a specific host, it is not clear from the name itself if it is a DNS or email constraint.
| * constraints: Add permitted/excludedNameConstraints checkMartin Willi2014-10-303-0/+400
| |
| * constraints: Use a more specific FQDN/email name constraint matchingMartin Willi2014-10-301-22/+73
| | | | | | | | | | | | | | While RFC 5280 is not very specific about the matching rules of subjectAltNames, it has some examples how to match email and FQDN constraints. We try to follow these examples, and restrict DNS names to subdomain matching and email to full email, host or domain matching.
| * constraints: Add requireExplicitPolicy testsMartin Willi2014-10-301-0/+44
| |
| * constraints: Add inhibitAnyPolicy testsMartin Willi2014-10-301-0/+44
| |
| * constraints: Add inhibitPolicyMapping testsMartin Willi2014-10-301-4/+83
| |
| * constraints: Don't reject certificates with invalid certificate policiesMartin Willi2014-10-301-25/+97
| | | | | | | | | | | | | | | | | | | | | | | | Instead of rejecting the certificate completely if a certificate has a policy OID that is actually not allowed by the issuer CA, we accept it. However, the certificate policy itself is still considered invalid, and is not returned in the auth config resulting from trust chain operations. A user must make sure to rely on the returned auth config certificate policies instead of the policies contained in the certificate; even if the certificate is valid, the policy OID itself in the certificate are not to be trusted anymore.
| * constraints: Add certificate policy and policy mapping unit testsMartin Willi2014-10-303-0/+472
|/
* Merge branch 'id-type-prefix'Martin Willi2014-10-306-57/+212
|\ | | | | | | Introduce generic identity prefixes to enforce a specific type.
| * NEWS: Mention identity prefixesMartin Willi2014-10-301-0/+9
| |
| * swanctl: Document identity type prefixesMartin Willi2014-10-301-3/+18
| |
| * man: Document identification type prefixes in ipsec.conf(5)Martin Willi2014-10-301-2/+27
| |
| * identification: Support custom types in string constructor prefixesMartin Willi2014-10-303-0/+48
| |
| * identification: Support prefixes in string constructors for an explicit typeMartin Willi2014-10-303-0/+58
| |
| * unit-tests: Re-align identification_create_from_string() unit test table dataMartin Willi2014-10-301-52/+52
|/
* threading: Support rwlock try_write_lock() on WindowsMartin Willi2014-10-301-2/+0
| | | | | | | | | | | We explicitly avoided TryAcquireSRWLockExclusive() because of crashes. This issue was caused by a MinGW-w64 bug (mingw-w64 fix 46f77afc). Using a newer toolchain works fine. While try_write_lock() obviously can fail, not supporting it is not really an option, as some algorithms depend on occasionally successful calls. Certificate caching in the certificate manager and the cred_set cache rely on successful try_write_lock()ing.
* threading: Add a more explicit rwlock try_write_lock() testingMartin Willi2014-10-301-0/+44
|
* message: Include encrypted fragment payload in payload (order) rulesTobias Brunner2014-10-291-0/+12
| | | | | | | | | Otherwise fragmented CREATE_CHILD_SA exchanges won't get accepted because they don't contain an SA payload. It also prevents a warning when ordering payloads. Fixes #752.
* cert-cache: Prevent that a cached issuer is freed too earlyTobias Brunner2014-10-241-7/+10
| | | | | | | | Previously we got no reference to the cached issuer certificate before releasing the lock of the cache line, this allowed other threads, or even the same thread if it replaces a cache line, to destroy that issuer certificate in cache() (or flush()) before get_ref() for the issuer certificate is finally called.
* unit-tests: Fix internet checksum tests on big-endian systemsTobias Brunner2014-10-231-4/+9
| | | | | | | We actually need to do a byte-swap, which ntohs() only does on little-endian systems. Fixes #747.
* chunk: Fix internet checksum calculation on big-endian systemsTobias Brunner2014-10-231-1/+1
| | | | | | | ntohs() might be defined as noop (#define ntohs(x) (x)) so we have to manually shorten the negated value (gets promoted to an int). Fixes #747.
* updown: Explicitly pass caller PATH to updown scriptMartin Willi2014-10-221-0/+1
| | | | | | | | | When invoking /bin/sh, its default PATH is used. On some systems, that does not include the PATH where the ipsec script is installed, as charon is invoked with a custom PATH. Explicitly setting the PATH of charon should fix this case, properly invoking the (default) updown script. Fixes #745.
* ip-packet: Fix length in IPv6 header of generated packetsTobias Brunner2014-10-201-1/+1
|
* Increased fragment size to 1400 in ipv6/net2net-ikev1 scenario5.2.1Andreas Steffen2014-10-182-2/+2
|
* Enabled IKEv2 fragmentation in ipv6/net2net-ikev2 scenarioAndreas Steffen2014-10-184-2/+6
|
* Version bump to 5.2.1Andreas Steffen2014-10-181-3/+3
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-14 11:56:32 +0000