aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Version bump to 5.2.2rc15.5.2rc1Andreas Steffen2017-03-212-3/+3
|
* testing: Updated OCSP certificate for carolAndreas Steffen2017-03-2113-448/+200
|
* Allow x25519 as an alias of the curve25519 KE algorithmAndreas Steffen2017-03-2084-171/+172
|
* Reference Edwards-curve signature RFCsAndreas Steffen2017-03-203-17/+19
|
* The tpm plugin offers random number generationAndreas Steffen2017-03-209-3/+211
| | | | | | The tpm plugin can be used to derive true random numbers from a TPM 2.0 device. The get_random method must be explicitly enabled in strongswan.conf with the plugin.tpm.use_rng = yes option.
* vici: Document how we pronounce the vici protocol and pluginMartin Willi2017-03-201-3/+3
|
* swanctl: Describe what happens when a FQDN is specified in local|remote_addrsTobias Brunner2017-03-201-0/+6
|
* man: Describe what happens when a FQDN is specified in left or rightNoel Kuntze2017-03-201-0/+5
|
* ikev1: First do PSK lookups based on identities then fallback to IPsTobias Brunner2017-03-201-36/+34
| | | | | | | | This provides a solution for configs where there is e.g. a catch-all %any PSK, while more specific PSKs would be found by the identities of configs that e.g. use FQDNs as local/remote addresses. Fixes #2223.
* testing: Fix URL for kernel sourcesTobias Brunner2017-03-201-1/+1
|
* ike-sa-manager: Remove superfluous assignmentThomas Egerer2017-03-161-4/+0
| | | | | | | Memory is allocated with calloc, hence set to zero, thus assigning the numerical value 0 is not required. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* ike: Log remote IP when deleting half-open IKE_SAsTobias Brunner2017-03-151-1/+2
|
* coverage: Exclude test suites and /usr from coverage reportTobias Brunner2017-03-151-1/+1
|
* travis: Create coverage report via codecov.ioTobias Brunner2017-03-153-3/+17
|
* Version bump to 5.5.2dr75.5.2dr7Andreas Steffen2017-03-062-2/+2
|
* aikpub2: Removed aikpub2 toolAndreas Steffen2017-03-065-335/+2
| | | | | | | The aikpub2 tool has been replaced by pki --pub|--req --keyid hex .. where keyid indicates the TPM 2.0 private key object handle. Thus either the public key in PKCS#1 format can be extracted or a PKCS#10 certificate request signed by the TPM private key can be generated.
* pki: Add key object handle of smartcard or TPM private key as an argument to ↵Andreas Steffen2017-03-062-5/+25
| | | | pki --keyid
* utils: chunk_from_hex() skips optional 0x prefixAndreas Steffen2017-03-062-11/+18
|
* pki: Edited keyid parameter use in various pki man pages and usage outputsAndreas Steffen2017-03-0612-19/+34
|
* quick-mode: Correctly prepare NAT-OA payloads as responderTobias Brunner2017-03-061-8/+13
| | | | | | The initiator's address was sent back twice previously. Fixes #2268.
* Version bump to 5.5.2dr65.5.2dr6Andreas Steffen2017-03-033-3/+5
|
* Add keyid of smartcard or TPM private key as an argument to pki --reqAndreas Steffen2017-03-021-2/+15
|
* testing: load-testconfig script loads config from source dirTobias Brunner2017-03-022-67/+109
| | | | | | It now does replace the IPs too. This way it's easier to play around with a config (otherwise a do-tests run was required to build the config files in the build dir).
* libipsec: Enforce a minimum of 256 for SPIsTobias Brunner2017-03-021-3/+4
| | | | | | RFC 4303 reserves the SPIs between 1 and 255 for future use. This also avoids an overflow and a division by zero if spi_min is 0 and spi_max is 0xffffffff.
* libipsec: Fix min/max SPITobias Brunner2017-03-021-2/+2
|
* controller: Don't listen for CHILD_SA state changes when terminating IKE_SAsTobias Brunner2017-03-021-1/+0
| | | | | | | | We actually want to wait until the IKE_SA is destroyed, not any of the CHILD_SAs (even though there might not be that much of a difference depending on the number of CHILD_SAs). Fixes #2261.
* kernel: Make range of SPIs for IPsec SAs configurableTobias Brunner2017-03-025-8/+46
|
* settings: Add support for hex integers (0x prefix) via get_int()Tobias Brunner2017-03-021-1/+6
|
* libipsec: Log a packet's ports and protocol in case of a policy mismatchTobias Brunner2017-03-021-5/+7
|
* host: Don't log port if it is zeroTobias Brunner2017-03-022-6/+6
|
* libipsec: Match IPsec policies against ports of processed packetsTobias Brunner2017-03-021-1/+21
| | | | Fixes #2252.
* NEWS: Mention the new addrblock featuresMartin Willi2017-03-021-0/+6
|
* addrblock: Use dynamic TS narrowing instead of rejecting the whole CHILD_SAMartin Willi2017-03-021-43/+28
| | | | | | | | Previously, the client had to propose no wider selectors than the certificate permits, otherwise the complete CHILD_SA was rejected. However, with IKEv2 we can dynamically narrow the selectors to what the certificate allows. This makes client and gateway configurations very simple by just proposing 0.0.0.0/0, narrowed to selectors the client is permitted to route into the network.
* addrblock: Support an optional non-strict mode accepting certs without addrblockMartin Willi2017-03-023-3/+20
| | | | | | | This allows a gateway to enforce the addrblock policy on certificates that actually have the extension only. For (legacy) certificates not having the extension, traffic selectors are validated/narrowed by other means, most likely by the configuration.
* child-cfg: Always apply hosts to traffic selectors if proposing transport modeTobias Brunner2017-02-271-14/+19
| | | | | | | | | | | | | | Usually, %dynamic is used as traffic selector for transport mode SAs, however, if wildcard traps are used then the remote TS will be a subnet. With strongSwan at the remote end that usually works fine as the local %dynamic TS narrows the proposed TS appropriately. But some implementations reject non-host TS for transport mode SAs. Another problem could be if several distinct subnets are configured for a wildcard trap, as we'd then propose unrelated subnets on that transport mode SA, which might be problematic even for strongSwan (switch to tunnel mode and duplicate policies). Closes strongswan/strongswan#61.
* traffic-selector: Allow calling set_address() for any traffic selectorTobias Brunner2017-02-273-48/+63
| | | | | Users may check is_host(), is_dynamic() or includes() before calling this if restrictions are required (most actually already do).
* Merge branch 'pki-addrblock'Martin Willi2017-02-279-4/+218
|\ | | | | | | | | Add support to the x509 plugin and pki to generate certificates with the RFC 3779 addrblock extension.
| * pki: Add a note about constructing RFC 3779 compliant certificates to manpageMartin Willi2017-02-272-0/+6
| |
| * pki: Support an --addrblock option for issued certificatesMartin Willi2017-02-272-1/+22
| |
| * pki: Support an --addrblock option for self-signed certificatesMartin Willi2017-02-272-0/+23
| |
| * pki: Add a helper function parse traffic selectors from CIDR subnets or rangesMartin Willi2017-02-272-0/+31
| |
| * x509: Do not mark generated addrblock extension as criticalMartin Willi2017-02-271-2/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | While RFC 3779 says we SHOULD mark it is critical, this has severe side effects in practice. The addrblock extension is not widely used nor implemented, and only a few applications can handle this extension. By marking it critical, none of these applications can make use of such certificates where included addrblocks do not matter, such as TLS/HTTPS. If an application wants to make use of addrblocks, that is usually an explicit decision. Then the very same application obviously can handle addrblocks, and there is no need for the extension to be critical. In other words, for local policy checks it is a local matter to handle the extension, hence making it critical is usually not of much help.
| * x509: Support encoding the RFC 3779 addrblock extensionMartin Willi2017-02-271-3/+134
| |
| * builder: Define a builder part for X.509 RFC 3779 address blocksMartin Willi2017-02-272-0/+3
|/
* plugin-loader: Fix hashing of registered plugin featuresTobias Brunner2017-02-241-1/+1
| | | | | | | This strangely never caused any noticeable issues, but was the reason for build failures in certain test cases (mostly BLISS) due to missing plugin features when built with specific options on Travis (was not reproducible locally).
* Version bump to 5.5.2dr55.5.2dr5Andreas Steffen2017-02-233-4/+2528
|
* Use of TPM 2.0 private keys for signatures via tpm pluginAndreas Steffen2017-02-2210-9/+468
|
* Implement signatures with private keys bound to TPM 2.0Andreas Steffen2017-02-213-8/+215
|
* android: New release after fixing potential ANR issueTobias Brunner2017-02-201-2/+2
|
* android: Send network change events from a separate thread via JNITobias Brunner2017-02-172-4/+68
| | | | | | | | | Doing this from the main UI thread (which delivers the broadcast) might cause an ANR if there is a delay (e.g. while acquiring a mutex in the native parts). There might also have been a race condition during termination previously because Unregister() was not synchronized so there might have been dangling events that got delivered while or after the mutex in the native parts was destroyed.
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-14 07:35:10 +0000