Commit message (Collapse) | Author | Age | Files | Lines | |
---|---|---|---|---|---|
* | Version bump to 5.2.2rc15.5.2rc1 | Andreas Steffen | 2017-03-21 | 2 | -3/+3 |
| | |||||
* | testing: Updated OCSP certificate for carol | Andreas Steffen | 2017-03-21 | 13 | -448/+200 |
| | |||||
* | Allow x25519 as an alias of the curve25519 KE algorithm | Andreas Steffen | 2017-03-20 | 84 | -171/+172 |
| | |||||
* | Reference Edwards-curve signature RFCs | Andreas Steffen | 2017-03-20 | 3 | -17/+19 |
| | |||||
* | The tpm plugin offers random number generation | Andreas Steffen | 2017-03-20 | 9 | -3/+211 |
| | | | | | | The tpm plugin can be used to derive true random numbers from a TPM 2.0 device. The get_random method must be explicitly enabled in strongswan.conf with the plugin.tpm.use_rng = yes option. | ||||
* | vici: Document how we pronounce the vici protocol and plugin | Martin Willi | 2017-03-20 | 1 | -3/+3 |
| | |||||
* | swanctl: Describe what happens when a FQDN is specified in local|remote_addrs | Tobias Brunner | 2017-03-20 | 1 | -0/+6 |
| | |||||
* | man: Describe what happens when a FQDN is specified in left or right | Noel Kuntze | 2017-03-20 | 1 | -0/+5 |
| | |||||
* | ikev1: First do PSK lookups based on identities then fallback to IPs | Tobias Brunner | 2017-03-20 | 1 | -36/+34 |
| | | | | | | | | This provides a solution for configs where there is e.g. a catch-all %any PSK, while more specific PSKs would be found by the identities of configs that e.g. use FQDNs as local/remote addresses. Fixes #2223. | ||||
* | testing: Fix URL for kernel sources | Tobias Brunner | 2017-03-20 | 1 | -1/+1 |
| | |||||
* | ike-sa-manager: Remove superfluous assignment | Thomas Egerer | 2017-03-16 | 1 | -4/+0 |
| | | | | | | | Memory is allocated with calloc, hence set to zero, thus assigning the numerical value 0 is not required. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com> | ||||
* | ike: Log remote IP when deleting half-open IKE_SAs | Tobias Brunner | 2017-03-15 | 1 | -1/+2 |
| | |||||
* | coverage: Exclude test suites and /usr from coverage report | Tobias Brunner | 2017-03-15 | 1 | -1/+1 |
| | |||||
* | travis: Create coverage report via codecov.io | Tobias Brunner | 2017-03-15 | 3 | -3/+17 |
| | |||||
* | Version bump to 5.5.2dr75.5.2dr7 | Andreas Steffen | 2017-03-06 | 2 | -2/+2 |
| | |||||
* | aikpub2: Removed aikpub2 tool | Andreas Steffen | 2017-03-06 | 5 | -335/+2 |
| | | | | | | | The aikpub2 tool has been replaced by pki --pub|--req --keyid hex .. where keyid indicates the TPM 2.0 private key object handle. Thus either the public key in PKCS#1 format can be extracted or a PKCS#10 certificate request signed by the TPM private key can be generated. | ||||
* | pki: Add key object handle of smartcard or TPM private key as an argument to ↵ | Andreas Steffen | 2017-03-06 | 2 | -5/+25 |
| | | | | pki --keyid | ||||
* | utils: chunk_from_hex() skips optional 0x prefix | Andreas Steffen | 2017-03-06 | 2 | -11/+18 |
| | |||||
* | pki: Edited keyid parameter use in various pki man pages and usage outputs | Andreas Steffen | 2017-03-06 | 12 | -19/+34 |
| | |||||
* | quick-mode: Correctly prepare NAT-OA payloads as responder | Tobias Brunner | 2017-03-06 | 1 | -8/+13 |
| | | | | | | The initiator's address was sent back twice previously. Fixes #2268. | ||||
* | Version bump to 5.5.2dr65.5.2dr6 | Andreas Steffen | 2017-03-03 | 3 | -3/+5 |
| | |||||
* | Add keyid of smartcard or TPM private key as an argument to pki --req | Andreas Steffen | 2017-03-02 | 1 | -2/+15 |
| | |||||
* | testing: load-testconfig script loads config from source dir | Tobias Brunner | 2017-03-02 | 2 | -67/+109 |
| | | | | | | It now does replace the IPs too. This way it's easier to play around with a config (otherwise a do-tests run was required to build the config files in the build dir). | ||||
* | libipsec: Enforce a minimum of 256 for SPIs | Tobias Brunner | 2017-03-02 | 1 | -3/+4 |
| | | | | | | RFC 4303 reserves the SPIs between 1 and 255 for future use. This also avoids an overflow and a division by zero if spi_min is 0 and spi_max is 0xffffffff. | ||||
* | libipsec: Fix min/max SPI | Tobias Brunner | 2017-03-02 | 1 | -2/+2 |
| | |||||
* | controller: Don't listen for CHILD_SA state changes when terminating IKE_SAs | Tobias Brunner | 2017-03-02 | 1 | -1/+0 |
| | | | | | | | | We actually want to wait until the IKE_SA is destroyed, not any of the CHILD_SAs (even though there might not be that much of a difference depending on the number of CHILD_SAs). Fixes #2261. | ||||
* | kernel: Make range of SPIs for IPsec SAs configurable | Tobias Brunner | 2017-03-02 | 5 | -8/+46 |
| | |||||
* | settings: Add support for hex integers (0x prefix) via get_int() | Tobias Brunner | 2017-03-02 | 1 | -1/+6 |
| | |||||
* | libipsec: Log a packet's ports and protocol in case of a policy mismatch | Tobias Brunner | 2017-03-02 | 1 | -5/+7 |
| | |||||
* | host: Don't log port if it is zero | Tobias Brunner | 2017-03-02 | 2 | -6/+6 |
| | |||||
* | libipsec: Match IPsec policies against ports of processed packets | Tobias Brunner | 2017-03-02 | 1 | -1/+21 |
| | | | | Fixes #2252. | ||||
* | NEWS: Mention the new addrblock features | Martin Willi | 2017-03-02 | 1 | -0/+6 |
| | |||||
* | addrblock: Use dynamic TS narrowing instead of rejecting the whole CHILD_SA | Martin Willi | 2017-03-02 | 1 | -43/+28 |
| | | | | | | | | Previously, the client had to propose no wider selectors than the certificate permits, otherwise the complete CHILD_SA was rejected. However, with IKEv2 we can dynamically narrow the selectors to what the certificate allows. This makes client and gateway configurations very simple by just proposing 0.0.0.0/0, narrowed to selectors the client is permitted to route into the network. | ||||
* | addrblock: Support an optional non-strict mode accepting certs without addrblock | Martin Willi | 2017-03-02 | 3 | -3/+20 |
| | | | | | | | This allows a gateway to enforce the addrblock policy on certificates that actually have the extension only. For (legacy) certificates not having the extension, traffic selectors are validated/narrowed by other means, most likely by the configuration. | ||||
* | child-cfg: Always apply hosts to traffic selectors if proposing transport mode | Tobias Brunner | 2017-02-27 | 1 | -14/+19 |
| | | | | | | | | | | | | | | Usually, %dynamic is used as traffic selector for transport mode SAs, however, if wildcard traps are used then the remote TS will be a subnet. With strongSwan at the remote end that usually works fine as the local %dynamic TS narrows the proposed TS appropriately. But some implementations reject non-host TS for transport mode SAs. Another problem could be if several distinct subnets are configured for a wildcard trap, as we'd then propose unrelated subnets on that transport mode SA, which might be problematic even for strongSwan (switch to tunnel mode and duplicate policies). Closes strongswan/strongswan#61. | ||||
* | traffic-selector: Allow calling set_address() for any traffic selector | Tobias Brunner | 2017-02-27 | 3 | -48/+63 |
| | | | | | Users may check is_host(), is_dynamic() or includes() before calling this if restrictions are required (most actually already do). | ||||
* | Merge branch 'pki-addrblock' | Martin Willi | 2017-02-27 | 9 | -4/+218 |
|\ | | | | | | | | | Add support to the x509 plugin and pki to generate certificates with the RFC 3779 addrblock extension. | ||||
| * | pki: Add a note about constructing RFC 3779 compliant certificates to manpage | Martin Willi | 2017-02-27 | 2 | -0/+6 |
| | | |||||
| * | pki: Support an --addrblock option for issued certificates | Martin Willi | 2017-02-27 | 2 | -1/+22 |
| | | |||||
| * | pki: Support an --addrblock option for self-signed certificates | Martin Willi | 2017-02-27 | 2 | -0/+23 |
| | | |||||
| * | pki: Add a helper function parse traffic selectors from CIDR subnets or ranges | Martin Willi | 2017-02-27 | 2 | -0/+31 |
| | | |||||
| * | x509: Do not mark generated addrblock extension as critical | Martin Willi | 2017-02-27 | 1 | -2/+1 |
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | While RFC 3779 says we SHOULD mark it is critical, this has severe side effects in practice. The addrblock extension is not widely used nor implemented, and only a few applications can handle this extension. By marking it critical, none of these applications can make use of such certificates where included addrblocks do not matter, such as TLS/HTTPS. If an application wants to make use of addrblocks, that is usually an explicit decision. Then the very same application obviously can handle addrblocks, and there is no need for the extension to be critical. In other words, for local policy checks it is a local matter to handle the extension, hence making it critical is usually not of much help. | ||||
| * | x509: Support encoding the RFC 3779 addrblock extension | Martin Willi | 2017-02-27 | 1 | -3/+134 |
| | | |||||
| * | builder: Define a builder part for X.509 RFC 3779 address blocks | Martin Willi | 2017-02-27 | 2 | -0/+3 |
|/ | |||||
* | plugin-loader: Fix hashing of registered plugin features | Tobias Brunner | 2017-02-24 | 1 | -1/+1 |
| | | | | | | | This strangely never caused any noticeable issues, but was the reason for build failures in certain test cases (mostly BLISS) due to missing plugin features when built with specific options on Travis (was not reproducible locally). | ||||
* | Version bump to 5.5.2dr55.5.2dr5 | Andreas Steffen | 2017-02-23 | 3 | -4/+2528 |
| | |||||
* | Use of TPM 2.0 private keys for signatures via tpm plugin | Andreas Steffen | 2017-02-22 | 10 | -9/+468 |
| | |||||
* | Implement signatures with private keys bound to TPM 2.0 | Andreas Steffen | 2017-02-21 | 3 | -8/+215 |
| | |||||
* | android: New release after fixing potential ANR issue | Tobias Brunner | 2017-02-20 | 1 | -2/+2 |
| | |||||
* | android: Send network change events from a separate thread via JNI | Tobias Brunner | 2017-02-17 | 2 | -4/+68 |
| | | | | | | | | | Doing this from the main UI thread (which delivers the broadcast) might cause an ANR if there is a delay (e.g. while acquiring a mutex in the native parts). There might also have been a race condition during termination previously because Unregister() was not synchronized so there might have been dangling events that got delivered while or after the mutex in the native parts was destroyed. |