aboutsummaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
...
* vici: Add python package MIT licenseBjörn Schuberg2015-03-182-0/+20
|
* vici: Expose Session as a top-level symbol in python packageBjörn Schuberg2015-03-181-0/+1
|
* vici: Introduce main API Session class in python packageBjörn Schuberg2015-03-181-1/+244
|
* vici: Add a python vici command execution handlerBjörn Schuberg2015-03-182-1/+134
|
* vici: Add vici python protocol handlerBjörn Schuberg2015-03-184-0/+199
|
* swanctl: Cache entered PKCS#12 decryption secretMartin Willi2015-03-181-6/+23
| | | | | It is usually used more than once, but most likely the same for decryption and MAC verification.
* swanctl: Support loading PKCS#12 containers from a pkcs12 swanctl directoryMartin Willi2015-03-184-0/+128
|
* swanctl: Generalize private key decryption to support other credential typesMartin Willi2015-03-181-55/+97
|
* encoding: Verify the length of KE payload data for known groupsMartin Willi2015-03-181-0/+67
| | | | | | | IKE is very strict in the length of KE payloads, and it should be safe to strictly verify their length. Not doing so is no direct threat, but allows DDoS amplification by sending short KE payloads for large groups using the target as the source address.
* ikev2: Migrate MOBIKE additional peer addresses to new SA after IKE_SA rekeyingMartin Willi2015-03-181-0/+6
|
* ikev2: Immediately initiate queued tasks after establishing rekeyed IKE_SAMartin Willi2015-03-185-0/+176
| | | | | | If additional tasks get queued before/while rekeying an IKE_SA, these get migrated to the new IKE_SA. We previously did not trigger initiation of these tasks, though, leaving the task unexecuted until a new task gets queued.
* Replace kid by aik_id in ITA TBOOT functional componentAndreas Steffen2015-03-161-7/+2
|
* Fixed two BLISS key type identifier stringsAndreas Steffen2015-03-161-2/+2
|
* charon-systemd: Add missing semicolonMartin Willi2015-03-161-1/+1
| | | | References #887, fixes f3c83322.
* osx: Include eap-gtc plugin in build instructionsMartin Willi2015-03-161-1/+1
|
* Create TPM TBOOT Measurement groupAndreas Steffen2015-03-151-0/+18
|
* vici: Use %u to print stats returned by mallinfo(3)Tobias Brunner2015-03-131-4/+4
| | | | Fixes #886.
* stroke: Use %u to print stats returned by mallinfo(3)Tobias Brunner2015-03-131-1/+1
| | | | References #886.
* charon-systemd: Add support to configure user and group via strongswan.confTobias Brunner2015-03-131-6/+19
| | | | Fixes #887.
* eap-radius: Increase Acct-Session-ID string bufferMartin Willi2015-03-131-1/+1
| | | | | | | | As the startup timestamp needs 10 characters, we only have left 4 characters for the IKE_SA unique identifier. This is insufficient when having 10000 IKE_SAs or more established, resulting in non-unique session identifiers. Fixes #889.
* ikev2: Don't set old IKE_SA to REKEYING state during make-before-break reauthMartin Willi2015-03-111-1/+0
| | | | | | | | | We are actually not in rekeying state, but just trigger a separate, new IKE_SA as a replacement for the current IKE_SA. Switching to the REKEYING state disables the invocation of both IKE and CHILD_SA updown hooks as initiator, preventing the removal of any firewall rules. Fixes #885.
* ha: Destroy synced IKE_SA if no configuration is found during updateMartin Willi2015-03-101-0/+3
|
* ikev1: Don't handle DPD timeout job if IKE_SA got passiveMartin Willi2015-03-101-0/+6
| | | | | | While a passively installed IKE_SA does not queue a DPD timeout job, one that switches from active to passive might execute it. Ignore such a queued job if the IKE_SA is in passive state.
* libipsec: Pass separate inbound/update flags to the IPsec SA managerMartin Willi2015-03-094-6/+10
| | | | | Similar to other kernel interfaces, the libipsec backends uses the flag for different purposes, and therefore should get separate flags.
* kernel-interface: Add a separate "update" flag to add_sa()Martin Willi2015-03-0910-17/+19
| | | | | | | | | | | The current "inbound" flag is used for two purposes: To define the actual direction of the SA, but also to determine the operation used for SA installation. If an SPI has been allocated, an update operation is required instead of an add. While the inbound flag normally defines the kind of operation required, this is not necessarily true in all cases. On the HA passive node, we install inbound SAs without prior SPI allocation.
* tkm: Use the inbound flag do determine peer role in CHILD_SA exchangeMartin Willi2015-03-091-5/+1
| | | | | This was not available during initial implementation, but fits just fine to avoid reconstructing the peer role.
* Revert "child-sa: Remove the obsolete update logic"Martin Willi2015-03-091-1/+6
| | | | | | | | | While the the meaning of the "inbound" flag on the kernel_interface->add_sa() call is not very clear, we still need that update logic to allow installation of inbound SAs without SPI allocation. This is used in the HA plugin as a passive node. This reverts commit 698ed656.
* Revert "ha: Always install the CHILD_SAs with the inbound flag set to FALSE"Martin Willi2015-03-091-2/+2
| | | | | | | | While this change results in the correct add/update flag during installation, it exchanges all other values in the child_sa->install() call. We should pass the correct flag, but determine the add/update flag by other means. This reverts commit e722ee5d.
* tkm: Disable RFC 7427 signature authenticationTobias Brunner2015-03-091-0/+4
| | | | | | TKM can't verify such signatures so we'd fail in the authorize hook. Skipping the algorithm identifier doesn't help if the peer uses anything other than SHA-1, so config changes would be required.
* ikev2: Move code in pubkey authenticator's build() method into separate ↵Tobias Brunner2015-03-091-85/+123
| | | | functions
* ikev2: Try all eligible signature schemesTobias Brunner2015-03-091-34/+71
| | | | | | Previously, we failed without recovery if a private key did not support a selected signature scheme (based on key strength and the other peer's supported hash algorithms).
* files: Add simple plugin to load files from file:// URIsTobias Brunner2015-03-096-0/+300
|
* daemon: Remove scheduled jobs before unloading pluginsTobias Brunner2015-03-091-1/+2
| | | | | | | Especially callback jobs might refer to memory that gets invalid after the plugins got unlaoded, so make sure we destroy these jobs before. References #840.
* scheduler: Add method to remove all scheduled jobsTobias Brunner2015-03-092-5/+21
| | | | References #840.
* plugin-loader: Increase log level for warning about plugin features that ↵Tobias Brunner2015-03-091-3/+3
| | | | | | | | | failed to load Since we can't get rid of all unmet dependencies (at least not in every possible plugin configuration) the message is more confusing than helpful. In particular because a detailed warning about plugin features that failed to load due to unmet dependencies is only logged on level 2.
* tls-peer: Make sure to use the right trusted public key for peerTobias Brunner2015-03-091-4/+8
| | | | | | | | | In case a CA certificate uses the same subject DN as the server the previous code could end up trying to verify the server's signature with the CA certificate's public key. By comparing the certificate with the one sent by the peer we make sure to use the right one. Fixes #849.
* pkcs11: Convert RFC 3279 ECDSA signatures when verifyingTobias Brunner2015-03-091-4/+33
| | | | References #873.
* pkcs11: Properly encode RFC 3279 ECDSA signaturesTobias Brunner2015-03-091-2/+19
| | | | Fixes #873.
* pkcs11: Properly encode EC_POINTs created on a tokenTobias Brunner2015-03-091-5/+8
| | | | | | | Some tokens might not fail when creating EC public keys in the incorrect format, but they will later not be able to use them to verify signatures. References #872.
* pkcs11: Properly handle EC_POINTs returned as ASN.1 octet stringTobias Brunner2015-03-091-1/+43
| | | | | | | This is the correct encoding but we internally only use unwrapped keys and some tokens return them unwrapped. Fixes #872.
* Updated products in imv databaseAndreas Steffen2015-03-081-0/+137
|
* attest: output trusted flag and device descriptionAndreas Steffen2015-03-081-8/+10
|
* Make access requestor IP address available to TNC serverAndreas Steffen2015-03-0824-244/+550
|
* Remove obsolete _updown_espmark scriptTobias Brunner2015-03-063-440/+1
| | | | According to NEWS it was created to support kernels < 2.6.16.
* _updown: Remove obsolete stuff from default scriptTobias Brunner2015-03-061-192/+7
|
* ikev1: Set protocol ID and SPIs in INITIAL-CONTACT notification payloadsTobias Brunner2015-03-061-2/+13
| | | | | | | The payload we sent before is not compliant with RFC 2407 and thus some peers might abort negotiation (e.g. with an INVALID-PROTOCOL-ID error). Fixes #819.
* x509: Use subjectKeyIdentifier provided by issuer cert when checking CRL issuerTobias Brunner2015-03-061-18/+15
| | | | | | | | | Some CAs don't use SHA-1 hashes of the public key as subjectKeyIdentifier and authorityKeyIdentifier. If that's the case we can't force the calculation of the hash to compare that to authorityKeyIdentifier in the CRL, instead we use the subjectKeyIdentifier stored in the issuer certificate, if available. Otherwise, we fall back to the SHA-1 hash (or comparing the DNs) as before.
* kernel-pfkey: Add option to set receive buffer size of event socketTobias Brunner2015-03-061-0/+13
| | | | | | | | If many requests are sent to the kernel the events generated by these requests may fill the receive buffer before the daemon is able to read these messages. Fixes #783.
* ikev2: Try all RSA signature schemes if none is configuredTobias Brunner2015-03-041-4/+19
|
* ikev2: Consider signature schemes in rightauth when sending hash algorithmsTobias Brunner2015-03-041-14/+54
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-04 13:29:01 +0000