aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* libtls: Replace expired certificates for unit testsTobias Brunner2017-03-241-68/+66
| | | | | | | | | | | | Only the tests with client authentication failed, the client accepted the trusted self-signed certificate even when it was expired. On the server the lookup (based on the pre-configured SAN) first found the ECDSA cert, which it dismissed for the RSA authentication the client used, and since only the first "pretrusted" cert is considered the following RSA cert was verified more thoroughly. The lookup on the client always uses the full DN of the server certificate not the pre-configured identity so it found the correct certificate on the first try.
* pki: Actually make the default key type KEY_ANY for --selfTobias Brunner2017-03-241-1/+1
| | | | | Fixes: 05ccde0a8bd9 ("pki: Add generic 'priv' key type that loads any type of private key")
* addrblock: Narrow selectors when rekeying a CHILD_SA as original responderMartin Willi2017-03-241-0/+1
| | | | | | | | | | | | If a the original responder narrows the selectors of its peer in addrblock, the peer gets a subset of that selectors. However, once the original responder initiates rekeying of that CHILD_SA, it sends the full selectors to the peer, and then narrows the received selectors locally for the installation, only. This is insufficient, as the peer ends up with wider selectors, sending traffic that the original responder will reject to the stricter IPsec policy. So additionally narrow the selectors when rekeying CHILD_SAs before sending the TS list to the peer.
* conf: Document recommended lower limit for SPIsTobias Brunner2017-03-231-0/+4
|
* travis: aikpub2 was removed, no need to disable it anymoreTobias Brunner2017-03-231-1/+1
|
* conf: Remove snippet for aikpub2Tobias Brunner2017-03-232-3/+0
|
* travis: Build Windows-specific pluginsTobias Brunner2017-03-231-1/+7
| | | | | The plugins can only be built on x64 as the MinGW headers on Ubuntu 12.04, which we have to use for x86 due to another issue with MinGW, are too old.
* kernel-wfp: Don't redefine IPPROTO_IP* if already definedTobias Brunner2017-03-231-0/+4
|
* pki: Cast length derived from pointer arithmetic to intTobias Brunner2017-03-231-1/+1
|
* vici: Don't fall back to uninstalling traps if a matching shunt was foundTobias Brunner2017-03-231-3/+7
| | | | | | | This is different if `ike` and `child` are provided and uninstall() fails as we call that without knowing whether a matching shunt exists. But if `ike` is not provided we explicitly search for a matching shunt and if found don't need to look for a trap policy.
* configure: Fix test for libunwindTobias Brunner2017-03-231-1/+1
| | | | | | | | | | | Most functions in libunwind.h are actually mapped via macros to obscure function names, so checking for these would require some elaborate test via AC_LINK_IFELSE(). However, unw_backtrace() seems to be one of the few actual functions so lets use this for now, even though we don't call it ourselves later. Fixes: 016228c15843 ("configure: Check for actual functions in libraries with AC_CHECK_LIB")
* Fixed some typos, courtesy of codespellTobias Brunner2017-03-238-9/+9
|
* swanctl: Reformulate IKEv1 selector restriction, describe problems with TS ↵Noel Kuntze2017-03-231-3/+10
| | | | narrowing
* swanctl: Mention including files when referring to strongswan.conf(5)Tobias Brunner2017-03-231-1/+2
|
* man: Describe the tunneling of several subnets with IKEv1 in more detailNoel Kuntze2017-03-231-1/+3
|
* man: Add note about modeconfig having to matchNoel Kuntze2017-03-231-0/+1
|
* Version bump to 5.2.2rc15.5.2rc1Andreas Steffen2017-03-212-3/+3
|
* testing: Updated OCSP certificate for carolAndreas Steffen2017-03-2113-448/+200
|
* Allow x25519 as an alias of the curve25519 KE algorithmAndreas Steffen2017-03-2084-171/+172
|
* Reference Edwards-curve signature RFCsAndreas Steffen2017-03-203-17/+19
|
* The tpm plugin offers random number generationAndreas Steffen2017-03-209-3/+211
| | | | | | The tpm plugin can be used to derive true random numbers from a TPM 2.0 device. The get_random method must be explicitly enabled in strongswan.conf with the plugin.tpm.use_rng = yes option.
* vici: Document how we pronounce the vici protocol and pluginMartin Willi2017-03-201-3/+3
|
* swanctl: Describe what happens when a FQDN is specified in local|remote_addrsTobias Brunner2017-03-201-0/+6
|
* man: Describe what happens when a FQDN is specified in left or rightNoel Kuntze2017-03-201-0/+5
|
* ikev1: First do PSK lookups based on identities then fallback to IPsTobias Brunner2017-03-201-36/+34
| | | | | | | | This provides a solution for configs where there is e.g. a catch-all %any PSK, while more specific PSKs would be found by the identities of configs that e.g. use FQDNs as local/remote addresses. Fixes #2223.
* testing: Fix URL for kernel sourcesTobias Brunner2017-03-201-1/+1
|
* ike-sa-manager: Remove superfluous assignmentThomas Egerer2017-03-161-4/+0
| | | | | | | Memory is allocated with calloc, hence set to zero, thus assigning the numerical value 0 is not required. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* ike: Log remote IP when deleting half-open IKE_SAsTobias Brunner2017-03-151-1/+2
|
* coverage: Exclude test suites and /usr from coverage reportTobias Brunner2017-03-151-1/+1
|
* travis: Create coverage report via codecov.ioTobias Brunner2017-03-153-3/+17
|
* Version bump to 5.5.2dr75.5.2dr7Andreas Steffen2017-03-062-2/+2
|
* aikpub2: Removed aikpub2 toolAndreas Steffen2017-03-065-335/+2
| | | | | | | The aikpub2 tool has been replaced by pki --pub|--req --keyid hex .. where keyid indicates the TPM 2.0 private key object handle. Thus either the public key in PKCS#1 format can be extracted or a PKCS#10 certificate request signed by the TPM private key can be generated.
* pki: Add key object handle of smartcard or TPM private key as an argument to ↵Andreas Steffen2017-03-062-5/+25
| | | | pki --keyid
* utils: chunk_from_hex() skips optional 0x prefixAndreas Steffen2017-03-062-11/+18
|
* pki: Edited keyid parameter use in various pki man pages and usage outputsAndreas Steffen2017-03-0612-19/+34
|
* quick-mode: Correctly prepare NAT-OA payloads as responderTobias Brunner2017-03-061-8/+13
| | | | | | The initiator's address was sent back twice previously. Fixes #2268.
* Version bump to 5.5.2dr65.5.2dr6Andreas Steffen2017-03-033-3/+5
|
* Add keyid of smartcard or TPM private key as an argument to pki --reqAndreas Steffen2017-03-021-2/+15
|
* testing: load-testconfig script loads config from source dirTobias Brunner2017-03-022-67/+109
| | | | | | It now does replace the IPs too. This way it's easier to play around with a config (otherwise a do-tests run was required to build the config files in the build dir).
* libipsec: Enforce a minimum of 256 for SPIsTobias Brunner2017-03-021-3/+4
| | | | | | RFC 4303 reserves the SPIs between 1 and 255 for future use. This also avoids an overflow and a division by zero if spi_min is 0 and spi_max is 0xffffffff.
* libipsec: Fix min/max SPITobias Brunner2017-03-021-2/+2
|
* controller: Don't listen for CHILD_SA state changes when terminating IKE_SAsTobias Brunner2017-03-021-1/+0
| | | | | | | | We actually want to wait until the IKE_SA is destroyed, not any of the CHILD_SAs (even though there might not be that much of a difference depending on the number of CHILD_SAs). Fixes #2261.
* kernel: Make range of SPIs for IPsec SAs configurableTobias Brunner2017-03-025-8/+46
|
* settings: Add support for hex integers (0x prefix) via get_int()Tobias Brunner2017-03-021-1/+6
|
* libipsec: Log a packet's ports and protocol in case of a policy mismatchTobias Brunner2017-03-021-5/+7
|
* host: Don't log port if it is zeroTobias Brunner2017-03-022-6/+6
|
* libipsec: Match IPsec policies against ports of processed packetsTobias Brunner2017-03-021-1/+21
| | | | Fixes #2252.
* NEWS: Mention the new addrblock featuresMartin Willi2017-03-021-0/+6
|
* addrblock: Use dynamic TS narrowing instead of rejecting the whole CHILD_SAMartin Willi2017-03-021-43/+28
| | | | | | | | Previously, the client had to propose no wider selectors than the certificate permits, otherwise the complete CHILD_SA was rejected. However, with IKEv2 we can dynamically narrow the selectors to what the certificate allows. This makes client and gateway configurations very simple by just proposing 0.0.0.0/0, narrowed to selectors the client is permitted to route into the network.
* addrblock: Support an optional non-strict mode accepting certs without addrblockMartin Willi2017-03-023-3/+20
| | | | | | | This allows a gateway to enforce the addrblock policy on certificates that actually have the extension only. For (legacy) certificates not having the extension, traffic selectors are validated/narrowed by other means, most likely by the configuration.
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-04 19:27:45 +0000