Commit message (Collapse) | Author | Age | Files | Lines | |
---|---|---|---|---|---|
* | stroke: Configure proposal with AH protocol if 'ah' option set | Martin Willi | 2013-10-11 | 2 | -11/+16 |
| | |||||
* | starter: Add an 'ah' keyword for Authentication Header Security Associations | Martin Willi | 2013-10-11 | 6 | -0/+6 |
| | |||||
* | Version bump to 5.1.1rc1 | Andreas Steffen | 2013-10-11 | 1 | -1/+1 |
| | |||||
* | Keep a copy of the tnccs instance for PT-TLS handover | Andreas Steffen | 2013-10-09 | 5 | -27/+144 |
| | |||||
* | xauth-pam: Make trimming of email addresses optional5.1.1dr4 | Tobias Brunner | 2013-10-04 | 2 | -4/+13 |
| | | | | Fixes #430. | ||||
* | ikev1: Accept reauthentication attempts with a keep unique policy from same host | Martin Willi | 2013-09-30 | 1 | -6/+17 |
| | | | | | | | When we have a "keep" unique policy in place, we have to be less strict in rejecting Main/Aggressive Modes to enforce it. If the host/port equals to that of an existing ISAKMP SA, we assume it is a reauthentication attempt and accept the new SA (to replace the old). | ||||
* | ikev1: Don't log a reauthentication detection message if no children adopted | Martin Willi | 2013-09-30 | 1 | -2/+6 |
| | | | | | When a replace unique policy is in place, the children get adopted during the uniqueness check. In this case the message is just misleading. | ||||
* | ikev1: Delay a potential delete for a duplicate IKE_SA having a replace policy | Martin Willi | 2013-09-30 | 1 | -8/+29 |
| | | | | | | | | | Sending a DELETE for the replaced SA immediately is problematic during reauthentication, as the peer might have associated the Quick Modes to the old SA, and also delete them. With this change the delete for the old ISAKMP SA is usually omitted, as it is gets implicitly deleted by the reauth. | ||||
* | eap-radius: Increase buffer for attributes sent in RADIUS accounting messages | Tobias Brunner | 2013-09-27 | 1 | -1/+1 |
| | | | | 64 bytes might be too short for user names/identities. | ||||
* | openssl: Properly log FIPS mode when enabled via openssl.conf | Tobias Brunner | 2013-09-27 | 1 | -5/+13 |
| | | | | | | | | | Enabling FIPS mode twice will fail, so if it is enabled in openssl.conf it should be disabled in strongswan.conf (or the other way around). Either way, we should log whether FIPS mode is enabled or not. References #412. | ||||
* | android: New release after fixing remediation instructions regression | Tobias Brunner | 2013-09-26 | 1 | -2/+2 |
| | |||||
* | android: Change progress dialog handling | Tobias Brunner | 2013-09-26 | 1 | -24/+41 |
| | | | | | With the previous code the dialog sometimes was hidden for a short while before it got reopened. | ||||
* | android: Clear remediation instructions when starting a new connection | Tobias Brunner | 2013-09-26 | 1 | -0/+1 |
| | |||||
* | starter: Don't ignore keyingtries with rekey=no | Tobias Brunner | 2013-09-26 | 1 | -1/+2 |
| | | | | | | | Since keyingtries also affects the number of retries initially or when reestablishing an SA it should not be affected by the rekey option. Fixes #418. | ||||
* | load-tester: Fix crash if private key was not loaded successfully | Tobias Brunner | 2013-09-24 | 1 | -1/+1 |
| | | | | Fixes #417. | ||||
* | printf-hook: Write to output stream instead of the FD directly when using Vstr | Tobias Brunner | 2013-09-24 | 1 | -12/+12 |
| | | | | | This avoids problems when other stdio functions are used (fputs, fwrite) as writes via Vstr/FD were always unbuffered. | ||||
* | android: New release after improving recovery after connectivity changes | Tobias Brunner | 2013-09-23 | 1 | -2/+2 |
| | |||||
* | android: Change state handling to display errors occurring while the app is ↵ | Tobias Brunner | 2013-09-23 | 3 | -64/+56 |
| | | | | | | | | | | hidden A new connection ID allows listeners to track which errors they have already shown to the user or were already dismissed by the user. This was necessary because the state fragment is now unregistered from state changes when it is not shown. | ||||
* | android: Don't update state fragments when they are not displayed | Tobias Brunner | 2013-09-23 | 2 | -2/+26 |
| | | | | | | | Besides that updates don't make much sense when the fragments are not displayed this fixes the following exception: java.lang.IllegalStateException: Can not perform this action after onSaveInstanceState | ||||
* | ikev2: Force an update of the host addresses on the first response | Tobias Brunner | 2013-09-23 | 1 | -11/+9 |
| | | | | | | | | | | | This is especially useful on Android where we are able to send messages even if we don't know the correct local address (this is possible because we don't set source addresses in outbound messages). This way we may learn the correct local address if it e.g. changed right before reestablishing an SA. Updating the local address later is tricky without MOBIKE as the responder might not update the associated IPsec SAs properly. | ||||
* | ike-sa: Resolve hosts before reestablishing an IKE_SA | Tobias Brunner | 2013-09-23 | 1 | -0/+2 |
| | |||||
* | android: Several plugins were moved from libcharon to libtnccs | Tobias Brunner | 2013-09-23 | 2 | -29/+25 |
| | | | | These were moved in commits e8f65c5cde and 12b3db5006. | ||||
* | android: Properly handle failures while initializing charon | Tobias Brunner | 2013-09-23 | 2 | -13/+23 |
| | |||||
* | kernel-netlink: Allow to override xfrm_acq_expires value | Ansis Atteka | 2013-09-23 | 2 | -6/+15 |
| | | | | | | | | | | | | | | | | When using auto=route, current xfrm_acq_expires default value implies that tunnel can be down for up to 165 seconds, if other peer rejected first IKE request with an AUTH_FAILED or NO_PROPOSAL_CHOSEN error message. These error messages are completely normal in setups where another application pushes configuration to both strongSwans without waiting for acknowledgment that they have updated their configurations. This patch allows strongswan to override xfrm_acq_expires default value by setting charon.plugins.kernel-netlink.xfrm_acq_expires in strongswan.conf. Signed-off-by: Ansis Atteka <aatteka@nicira.com> | ||||
* | Implemented TCG/PB-PDP_Referral message | Andreas Steffen | 2013-09-17 | 6 | -13/+155 |
| | |||||
* | Allow vendor-specific PB-TNC messages | Andreas Steffen | 2013-09-17 | 23 | -138/+583 |
| | |||||
* | ignore *.1 manpage files | Andreas Steffen | 2013-09-17 | 1 | -1/+1 |
| | |||||
* | Version bump to 5.1.1dr4 | Andreas Steffen | 2013-09-17 | 1 | -1/+1 |
| | |||||
* | Merge branch 'pubkeys' | Tobias Brunner | 2013-09-13 | 15 | -38/+350 |
|\ | | | | | | | | | | | Adds support to pki --pub to convert public keys to other formats including SSH keys and DNSKEYs. SSH public keys can also be read from files in the format used by OpenSSH. | ||||
| * | sshkey: Add support for parsing keys from files | Tobias Brunner | 2013-09-13 | 1 | -1/+92 |
| | | |||||
| * | sshkey: Add encoding for ECDSA keys | Tobias Brunner | 2013-09-13 | 1 | -0/+72 |
| | | |||||
| * | openssl: Add support for generic encoding of EC public keys | Tobias Brunner | 2013-09-13 | 1 | -23/+13 |
| | | |||||
| * | pki: --pub also accepts public keys (i.e. to convert them to a different format) | Tobias Brunner | 2013-09-13 | 2 | -3/+18 |
| | | |||||
| * | pki: Add support to encode public keys in SSH key format | Tobias Brunner | 2013-09-13 | 4 | -5/+17 |
| | | |||||
| * | sshkey: Add encoder for RSA keys | Tobias Brunner | 2013-09-13 | 6 | -2/+93 |
| | | |||||
| * | openssl: Add generic RSA public key encoding | Tobias Brunner | 2013-09-13 | 1 | -3/+17 |
| | | |||||
| * | openssl: Add helper function to convert BIGNUMs to chunks | Tobias Brunner | 2013-09-13 | 2 | -0/+27 |
| | | |||||
| * | pki: Load dnskey plugin to encode public keys in RFC 3110 format | Tobias Brunner | 2013-09-13 | 1 | -1/+1 |
|/ | |||||
* | Merge branch 'man-pki' | Tobias Brunner | 2013-09-13 | 34 | -70/+1245 |
|\ | | | | | | | | | | | | | This adds man pages for all pki sub-commands and promotes pki to a regular program installed in $prefix/bin. The usage output of several commands was fixed too. | ||||
| * | pki: Don't print an error if no arguments are given | Tobias Brunner | 2013-09-13 | 1 | -1/+1 |
| | | |||||
| * | pki: Install pki(1) as utility directly in $prefix/bin | Tobias Brunner | 2013-09-13 | 17 | -99/+105 |
| | | | | | | | | ipsec pki is maintained as alias. | ||||
| * | pki: Add example commands to setup a simple CA | Tobias Brunner | 2013-09-13 | 1 | -0/+75 |
| | | |||||
| * | pki: Add pki --verify man page | Tobias Brunner | 2013-09-13 | 5 | -4/+62 |
| | | |||||
| * | pki: Add pki --pub man page | Tobias Brunner | 2013-09-13 | 5 | -4/+82 |
| | | |||||
| * | pki: Add pki --print man page | Tobias Brunner | 2013-09-13 | 4 | -2/+58 |
| | | |||||
| * | pki: Add pki --keyid man page | Tobias Brunner | 2013-09-13 | 4 | -2/+77 |
| | | |||||
| * | pki: Add pki --pkcs7 man page | Tobias Brunner | 2013-09-13 | 5 | -6/+88 |
| | | |||||
| * | pki: Add pki --req man page | Tobias Brunner | 2013-09-13 | 5 | -5/+98 |
| | | |||||
| * | pki: Add pki --signcrl man page | Tobias Brunner | 2013-09-13 | 5 | -8/+135 |
| | | |||||
| * | pki: Add pki --issue man page | Tobias Brunner | 2013-09-13 | 5 | -8/+190 |
| | |