aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* diffie-hellman: Add DH group identifiers for Curve25519 and Curve448Martin Willi2016-11-142-3/+14
|
* bus: Re-add ampersand that got lost in refactoringTobias Brunner2016-11-141-1/+1
| | | | | Fixes: 4af02c6c61cf ("bus: Fix maximum log level for different groups after removal of a logger")
* peer-cfg: Fix memory leak when replacing child configsTobias Brunner2016-11-111-0/+1
| | | | | Fixes: 622c2b2c3386 ("peer-cfg: Add method to atomically replace child configs")
* bus: Fix maximum log level for different groups after removal of a loggerTobias Brunner2016-11-111-5/+5
| | | | | | | The log level was incorrectly set to the same value for all groups. Fixes: dac15e03c828 ("bus: Fix maximum log levels when mixing log/vlog implementing loggers")
* farp: Fix BPF jump false offsetVolker Rümelin2016-10-311-1/+1
| | | | Jump to BPF_STMT(BPF_RET+BPF_K, 0) if protocol_size != 4
* Version bump to 5.5.2dr15.5.2dr1Andreas Steffen2016-10-303-3/+10
|
* Fixed in-place update of cached base and delta CRLsAndreas Steffen2016-10-301-4/+4
|
* Newer CRLs replace older versions of the CRL in the cacheAndreas Steffen2016-10-261-0/+39
|
* connmark: Add CAP_NET_RAW to capabilities keep listTim Kent2016-10-251-0/+6
| | | | | | | | | Fix for "Permission denied (you must be root)" error when calling iptc_init(), which opens a RAW socket to communicate with the kernel, when built with "--with-capabilities=libcap". Closes strongswan/strongswan#53. Fixes #2157.
* Version bump to 5.5.15.5.1Andreas Steffen2016-10-204-3/+13
|
* nm: Enable IKE fragmentationTobias Brunner2016-10-201-1/+1
|
* Version bump to 5.5.1rc25.5.1rc2Andreas Steffen2016-10-182-3/+3
|
* testing: Renewed expired certificatesAndreas Steffen2016-10-1813-140/+221
|
* added XOF dependencies of bliss and ntru pluginsAndreas Steffen2016-10-182-4/+26
|
* testing: enable MACsec in guest kernelAndreas Steffen2016-10-181-1/+1
|
* configure: Reorder mgf1 in list of crypto pluginsTobias Brunner2016-10-181-1/+1
|
* newhope: Fix Doxygen group nameTobias Brunner2016-10-141-1/+1
|
* libnttfft: Fix Doxygen groupTobias Brunner2016-10-141-1/+3
|
* Fixed some typos, courtesy of codespellTobias Brunner2016-10-142-3/+3
|
* newhope: Properly release allocated arrays if RNG can't be createdTobias Brunner2016-10-141-8/+8
|
* nm: Add D-Bus policy to the distributionTobias Brunner2016-10-141-0/+2
|
* nm: Version bump to 1.4.1Tobias Brunner2016-10-142-1/+6
|
* kernel-netlink: Fix get_route() interface determinationChristophe Gouault2016-10-121-2/+2
| | | | | | | | | | | | A wrong variable is used (route instead of best), so much that the returned interface belongs to the last seen route instead of the best choice route. get_route() may therefore return mismatching interface and gateway. Fixes: 66e9165bc686 ("kernel-netlink: Return outbound interface in get_nexthop()") Signed-off-by: Christophe Gouault <christophe.gouault@6wind.com>
* Version bump to 5.5.1rc15.5.1rc1Andreas Steffen2016-10-114-4/+2491
|
* Merge branch 'cache-crls'Andreas Steffen2016-10-1126-32/+342
|\
| * Save both base and delta CRLs to diskAndreas Steffen2016-10-118-11/+73
| |
| * vici: strongswan.conf cache_crls = yes saves fetched CRLs to diskAndreas Steffen2016-10-1120-6/+213
| |
| * mem-cred: Support storing a delta CRL together with its baseTobias Brunner2016-10-111-8/+30
| | | | | | | | | | | | | | | | | | | | | | | | So far every "newer" CRL (higher serial or by date) replaced an existing "older" CRL. This meant that delta CRLs replaced an existing base CRL and that base CRLs weren't added if a delta CRL was already stored. So the base had to be re-fetched every time after a delta CRL was added. With this change one delta CRL to the latest base may be stored. A newer delta CRL will replace an existing delta CRL (but not its base, older base CRLs are removed, though). And a newer base will replace the existing base and optional delta CRL.
| * revocation: Cache valid CRL also if certificate is revokedTobias Brunner2016-10-111-10/+25
| |
| * pki: Don't remove zero bytes in CRL serials anymoreTobias Brunner2016-10-111-6/+7
| | | | | | | | | | | | This was added a few years ago because pki --signcrl once encoded serials incorrectly as eight byte blobs. But still ensure we have can handle overflows in case the serial is encoded incorrectly without zero-prefix.
| * pki: Use serial of base CRL for delta CRLsTobias Brunner2016-10-111-1/+4
|/ | | | | According to RFC 5280 delta CRLs and complete CRLs MUST share one numbering sequence.
* openssl: Fix AES-GCM with BoringSSLTobias Brunner2016-10-111-3/+3
| | | | | | | | BoringSSL only supports a limited list of (hard-coded) algorithms via EVP_get_cipherbyname(), which does not include AES-GCM. While BoringSSL deprecated these functions they are also supported by OpenSSL (in BoringSSL a completely new interface for AEADs was added, which OpenSSL currently does not support).
* android: Identifiers for SHA2-base RSA signature schemes got renamedTobias Brunner2016-10-111-4/+4
| | | | Fixes: 40f2589abfc8 ("gmp: Support of SHA-3 RSA signatures")
* android: MGF1 implementation was moved to a pluginTobias Brunner2016-10-111-2/+1
| | | | Fixes: 188b190a70c9 ("mgf1: Refactored MGF1 as an XOF")
* ldap: Fix crash in case of empty LDAP response for CRL fetchYannick CANN2016-10-061-2/+1
| | | | | | | | | In case of an empty LDAP result during a CRL fetch (for example, due to a wrong filter attribute in the LDAP URI, or invalid LDAP configuration), the call to ldap_result2error() with NULL value for "entry" lead to a crash. Closes strongswan/strongswan#52.
* libimcv: Add Debian 8.6 to databaseTobias Brunner2016-10-051-0/+18
|
* task-manager: Only trigger retransmit cleared alert if there was at least ↵Tobias Brunner2016-10-052-2/+2
| | | | | | | | one retransmit The counter is already increased when sending the original message. Fixes: bd71ba0ffb03 ("task-manager: Add retransmit cleared alert")
* Merge branch 'proposal-checks'Tobias Brunner2016-10-054-43/+201
|\ | | | | | | | | | | | | | | Adds checks for proposals parsed from strings. For instance, the presence of DH, PRF and encryption algorithms for IKE are now enforced and AEAD and regular encryption algorithms are not allowed in the same proposal anymore. Also fixed is the mapping of the aes*gmac keywords to an integrity algorithm in AH proposals.
| * unit-tests: Enable optional logging in libcharon unit testsTobias Brunner2016-10-051-0/+17
| |
| * unit-tests: Add more tests for proposal creationTobias Brunner2016-10-051-8/+62
| |
| * proposal: Correctly add AES-GMAC for AH proposalsTobias Brunner2016-10-051-0/+41
| | | | | | | | | | | | We parse aes*gmac as encryption algorithm, which we have to map to an integrity algorithm. We also make sure we remove all other encryption algorithms and ensure there is an integrity algorithm.
| * proposal: Enforce separate proposals for AEAD and classic encryption algorithmsTobias Brunner2016-10-051-16/+22
| |
| * proposal: Make sure there is a PRF defined in IKE proposalsTobias Brunner2016-10-051-14/+34
| | | | | | | | But filter PRFs from ESP proposals.
| * proposal: Make DH groups mandatory in IKE proposals parsed from stringsTobias Brunner2016-10-052-21/+40
| | | | | | | | References #2051.
| * ikev2: Respond with NO_PROPOSAL_CHOSEN if proposal without DH group was selectedTobias Brunner2016-10-051-0/+1
|/ | | | Fixes #2051.
* testing: Remove ikev2/default-keys scenarioTobias Brunner2016-10-0510-156/+0
| | | | No default keys are generated anymore.
* kernel-netlink: Consider RTA_SRC when looking for a source addressTobias Brunner2016-10-051-52/+134
|
* Merge branch 'priv-key-any'Tobias Brunner2016-10-0525-63/+301
|\ | | | | | | | | | | | | | | Adds the ability to parse KEY_ANY keys via the pkcs1 and openssl plugins. This is then used in the pki utility, where private keys may now be loaded via `priv` keyword instead of having to specify the type of the key explicitly. And swanctl can load any type of key from the swanctl/private directory.
| * swanctl: Add 'private' directory/section to load any type of private keyTobias Brunner2016-10-054-5/+26
| |
| * pki: Add generic 'priv' key type that loads any type of private keyTobias Brunner2016-10-0512-28/+59
| |
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-04 11:33:05 +0000