aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* Extend HCD attribute data for tnc/tnccs-20-hcd-eap scenarioAndreas Steffen2015-08-182-16/+45
|
* Added reason string support to HCD IMVAndreas Steffen2015-08-183-8/+88
|
* Fixed patches format delimited by CR/LFAndreas Steffen2015-08-186-76/+82
|
* Added imc-hcd attributes to strongswan.confAndreas Steffen2015-08-183-0/+75
|
* testing: Added tnc/tnccs-20-hcd-eap scenarioAndreas Steffen2015-08-1824-0/+674
|
* Use PWG HCD PA-TNC subtypes to transport HCD attributesAndreas Steffen2015-08-185-118/+276
|
* Add default password determination capability to os_infoAndreas Steffen2015-08-182-2/+18
|
* Reintroduced ietf_attr_fwd_enabled()Andreas Steffen2015-08-185-1/+319
|
* Defined PWG HCD PA-TNC subtypesAndreas Steffen2015-08-184-96/+217
|
* Added os_info support to HCD IMCAndreas Steffen2015-08-181-0/+14
|
* Subscribed Scanner IMC/IMV to IETF_FIREWALL PA subtypeAndreas Steffen2015-08-182-4/+4
|
* testing: enable HCD IMC and IMVAndreas Steffen2015-08-181-0/+2
|
* Implemented HCD IMC and IMVAndreas Steffen2015-08-1812-1/+1956
|
* Defined HCD PA subtype in PWG namespaceAndreas Steffen2015-08-182-2/+32
|
* Completed implementation of PWG HCD attributesAndreas Steffen2015-08-189-9/+567
|
* Defined generic non-nul terminated string PA-TNC attributeAndreas Steffen2015-08-189-59/+81
|
* Support of HCD Firewall Setting PA-TNC attributeAndreas Steffen2015-08-185-12/+20
|
* Defined generic boolean PA-TNC attributeAndreas Steffen2015-08-1810-434/+136
|
* Defined PWG HCD IF-M attributesAndreas Steffen2015-08-186-4/+191
|
* Fixed the implemention of the IF-M segmentation protocolAndreas Steffen2015-08-1813-51/+97
| | | | | | | The first segment only fit if the segmentation envelope attribute was preceded by a Max Attribute Size Response attribute. The improved implementation fills up the first PA-TNC message with the first segment up to the maximum message size.
* kernel-netlink: Avoid route dump if routing rule excludes traffic with a ↵Tobias Brunner2015-08-181-7/+33
| | | | | | | | | | | certain mark If the routing rule we use to direct traffic to our own routing table excludes traffic with a certain mark (fwmark = !<mark>) we can simplify the route lookup and avoid dumping all routes by passing the mark to the request. That way our own routes are ignored and we get the preferred route back without having to dump and analyze all routes, which is quite a burden on hosts with lots of routes.
* include: Update (rt)netlink.h to the latest UAPI versionTobias Brunner2015-08-182-689/+230
|
* sql: Also do a reversed ID matchTobias Brunner2015-08-171-2/+9
| | | | | | | This is required for the case where IDr is not sent (i.e. is %any). The backend manager does the same. Fixes #1044.
* ha: Recreate the control FIFO if the file exists but is not a FIFOTobias Brunner2015-08-171-13/+68
| | | | | | This may happen if something like `echo ... > /path/to/fifo` is used before the plugin was able to create the FIFO. In that case we'd end up in a loop always reading the same values from the static file.
* ikev1: Assume a default key length of 128-bit for AES-CBCTobias Brunner2015-08-171-0/+11
| | | | | | | | | | Some implementations don't send a Key Length attribute for AES-128. This was allowed for IKE in early drafts of RFC 3602, however, some implementations also seem to do it for ESP, where it never was allowed. And the final version of RFC 3602 demands a Key Length attribute for both phases so they shouldn't do it anymore anyway. Fixes #1064.
* auth-cfg: Matching one CA should be enough, similar to peer certificatesTobias Brunner2015-08-171-15/+20
| | | | | | | | | | Not sure if defining multiple CA constraints and enforcing _all_ of them, i.e. the previous behavior, makes even sense. To ensure a very specific chain it should be enough to define the last intermediate CA. On the other hand, the ability to define multiple CAs could simplify configuration. This can currently only be used with swanctl/VICI based configs as `rightca` only takes a single DN.
* vici: Add option to disable policy installation for CHILD_SAsTobias Brunner2015-08-172-1/+12
|
* child-sa: Fix refcounting of allocated reqidsTobias Brunner2015-08-171-3/+12
| | | | | | | | | | | During a rekeying we want to reuse the current reqid, but if the new SA does not allocate it via kernel-interface the state there will disappear when the old SA is destroyed after the rekeying. When the IKE_SA is later reauthenticated with make-before-break reauthentication the new CHILD_SAs there will get new reqids as no existing state is found in the kernel-interface, breaking policy installation in the kernel. Fixes: a49393954f31 ("child-sa: Use any fixed reqid configured on the CHILD_SA config")
* identification: Remove unused ID_USER_ID typeTobias Brunner2015-08-172-11/+3
|
* man: Clarify identity parsing and identity type prefixesTobias Brunner2015-08-171-6/+58
| | | | References #1028.
* pki: Add --dn command to extract the subject DN of a certificateTobias Brunner2015-08-178-80/+133
|
* scripts: Add script to extract the ASN.1 subject DN from a certificateTobias Brunner2015-08-172-1/+157
| | | | | | This can be useful if the subject DN has to be configured with the asn1dn: prefix in ipsec.conf (e.g. because the actual encoding can't be created by strongSwan's string parser/encoder).
* plugin-feature: Add vendor specific EAP method registration macrosTobias Brunner2015-08-173-9/+20
| | | | | | | | | | | Vendor specific EAP methods may be registered with: PLUGIN_CALLBACK(eap_method_register, <constructor>), PLUGIN_PROVIDE(EAP_SERVER_VENDOR, <type>, <vendor>), Same for client implementations via EAP_PEER_VENDOR. References #969.
* eap-radius: Use Framed-IPv6-Address attributes to send IPv6 VIPs in ↵Tobias Brunner2015-08-171-4/+2
| | | | | | | | | accounting messages This attribute is more appropriate for single IPv6 virtual IPs than the Framed-IPv6-Prefix attribute. Fixes #1001.
* eap-radius: Add support for some basic IPv6-specific RADIUS attributesTobias Brunner2015-08-173-2/+23
| | | | | | These are defined in RFC 6911. Fixes #1001.
* utils: Check for dirfd(3)Tobias Brunner2015-08-172-1/+10
| | | | | Not all POSIX compatible systems might provide it yet. If not, we close the lowest FD to close and hope it gets reused by opendir().
* utils: Directly use syscall() to close open FDs in closefrom()Tobias Brunner2015-08-172-6/+54
| | | | | | | This avoids any allocations, since calling malloc() after fork() is potentially unsafe. Fixes #990.
* utils: Don't use directory enumerator to close open FDs in closefrom()Tobias Brunner2015-08-171-24/+36
| | | | | | | | | | Calling malloc() after fork() is potentially unsafe, so we should avoid it if possible. opendir() will still require an allocation but that's less than the variant using the enumerator wrapper, thus, decreasing the conflict potential. This way we can also avoid closing the FD for the enumerated directory itself. References #990.
* Merge branch 'vici-updown'Tobias Brunner2015-08-175-51/+236
|\ | | | | | | | | | | | | Documents the ike/child-updown events and adds a ike/child-rekey event and a new listen() method in the Python VICI bindings to listen for arbitrary events (similar to the listen_events() method in the Ruby bindings).
| * vici: Add listen methods to receive arbitrary events in Python libraryTobias Brunner2015-08-171-0/+34
| |
| * vici: Move event (un-)registration to a helper method in Python libraryTobias Brunner2015-08-173-49/+60
| | | | | | | | | | Also make sure events are unregistered in case of exceptions in streamed_request().
| * vici: Add ike/child-rekey eventsTobias Brunner2015-08-172-0/+108
| |
| * vici: Document the ike/child-updown eventsTobias Brunner2015-08-171-0/+23
| |
| * vici: Don't include a child-sas section in ike-updown eventTobias Brunner2015-08-171-2/+0
| | | | | | | | | | | | This makes it clearer that only the data concerning the IKE_SA is transmitted (there could be CHILD_SAs e.g. during IKEv1 reauthentication).
| * vici: Explicitly notify listeners of the type of ike/child-updown eventTobias Brunner2015-08-171-0/+11
|/
* Version bump to 5.3.3dr55.3.3dr5Andreas Steffen2015-08-161-1/+1
|
* Fixed AR identities in mutual TNC measurements caseAndreas Steffen2015-08-153-2/+11
|
* kernel-pfroute: Don't install virtual IPs if charon.install_virtual_ip is ↵Tobias Brunner2015-08-131-0/+17
| | | | disabled
* load-tester: Include string.h for strcmp() on some platformsTobias Brunner2015-08-131-0/+1
|
* Initialize variables that some compilers seem to warn aboutTobias Brunner2015-08-134-4/+4
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-08 22:09:30 +0000