aboutsummaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
...
* newhope: Properly release allocated arrays if RNG can't be createdTobias Brunner2016-10-141-8/+8
|
* nm: Add D-Bus policy to the distributionTobias Brunner2016-10-141-0/+2
|
* nm: Version bump to 1.4.1Tobias Brunner2016-10-142-1/+6
|
* kernel-netlink: Fix get_route() interface determinationChristophe Gouault2016-10-121-2/+2
| | | | | | | | | | | | A wrong variable is used (route instead of best), so much that the returned interface belongs to the last seen route instead of the best choice route. get_route() may therefore return mismatching interface and gateway. Fixes: 66e9165bc686 ("kernel-netlink: Return outbound interface in get_nexthop()") Signed-off-by: Christophe Gouault <christophe.gouault@6wind.com>
* Save both base and delta CRLs to diskAndreas Steffen2016-10-112-2/+9
|
* vici: strongswan.conf cache_crls = yes saves fetched CRLs to diskAndreas Steffen2016-10-116-4/+83
|
* mem-cred: Support storing a delta CRL together with its baseTobias Brunner2016-10-111-8/+30
| | | | | | | | | | | | So far every "newer" CRL (higher serial or by date) replaced an existing "older" CRL. This meant that delta CRLs replaced an existing base CRL and that base CRLs weren't added if a delta CRL was already stored. So the base had to be re-fetched every time after a delta CRL was added. With this change one delta CRL to the latest base may be stored. A newer delta CRL will replace an existing delta CRL (but not its base, older base CRLs are removed, though). And a newer base will replace the existing base and optional delta CRL.
* revocation: Cache valid CRL also if certificate is revokedTobias Brunner2016-10-111-10/+25
|
* pki: Don't remove zero bytes in CRL serials anymoreTobias Brunner2016-10-111-6/+7
| | | | | | This was added a few years ago because pki --signcrl once encoded serials incorrectly as eight byte blobs. But still ensure we have can handle overflows in case the serial is encoded incorrectly without zero-prefix.
* pki: Use serial of base CRL for delta CRLsTobias Brunner2016-10-111-1/+4
| | | | | According to RFC 5280 delta CRLs and complete CRLs MUST share one numbering sequence.
* openssl: Fix AES-GCM with BoringSSLTobias Brunner2016-10-111-3/+3
| | | | | | | | BoringSSL only supports a limited list of (hard-coded) algorithms via EVP_get_cipherbyname(), which does not include AES-GCM. While BoringSSL deprecated these functions they are also supported by OpenSSL (in BoringSSL a completely new interface for AEADs was added, which OpenSSL currently does not support).
* android: Identifiers for SHA2-base RSA signature schemes got renamedTobias Brunner2016-10-111-4/+4
| | | | Fixes: 40f2589abfc8 ("gmp: Support of SHA-3 RSA signatures")
* android: MGF1 implementation was moved to a pluginTobias Brunner2016-10-111-2/+1
| | | | Fixes: 188b190a70c9 ("mgf1: Refactored MGF1 as an XOF")
* ldap: Fix crash in case of empty LDAP response for CRL fetchYannick CANN2016-10-061-2/+1
| | | | | | | | | In case of an empty LDAP result during a CRL fetch (for example, due to a wrong filter attribute in the LDAP URI, or invalid LDAP configuration), the call to ldap_result2error() with NULL value for "entry" lead to a crash. Closes strongswan/strongswan#52.
* libimcv: Add Debian 8.6 to databaseTobias Brunner2016-10-051-0/+18
|
* task-manager: Only trigger retransmit cleared alert if there was at least ↵Tobias Brunner2016-10-052-2/+2
| | | | | | | | one retransmit The counter is already increased when sending the original message. Fixes: bd71ba0ffb03 ("task-manager: Add retransmit cleared alert")
* unit-tests: Enable optional logging in libcharon unit testsTobias Brunner2016-10-051-0/+17
|
* unit-tests: Add more tests for proposal creationTobias Brunner2016-10-051-8/+62
|
* proposal: Correctly add AES-GMAC for AH proposalsTobias Brunner2016-10-051-0/+41
| | | | | | We parse aes*gmac as encryption algorithm, which we have to map to an integrity algorithm. We also make sure we remove all other encryption algorithms and ensure there is an integrity algorithm.
* proposal: Enforce separate proposals for AEAD and classic encryption algorithmsTobias Brunner2016-10-051-16/+22
|
* proposal: Make sure there is a PRF defined in IKE proposalsTobias Brunner2016-10-051-14/+34
| | | | But filter PRFs from ESP proposals.
* proposal: Make DH groups mandatory in IKE proposals parsed from stringsTobias Brunner2016-10-052-21/+40
| | | | References #2051.
* ikev2: Respond with NO_PROPOSAL_CHOSEN if proposal without DH group was selectedTobias Brunner2016-10-051-0/+1
| | | | Fixes #2051.
* kernel-netlink: Consider RTA_SRC when looking for a source addressTobias Brunner2016-10-051-52/+134
|
* swanctl: Add 'private' directory/section to load any type of private keyTobias Brunner2016-10-054-5/+26
|
* pki: Add generic 'priv' key type that loads any type of private keyTobias Brunner2016-10-0512-28/+59
|
* openssl: Add a generic private key loaderTobias Brunner2016-10-057-18/+129
|
* pkcs1: Support building of KEY_ANY private keysTobias Brunner2016-10-052-5/+73
| | | | | We try to detect the type of key by parsing the basic structure of the passed ASN.1 blob.
* pki: Drop -priv suffix to specify private key typesTobias Brunner2016-10-054-16/+23
|
* ikev2: Only add NAT-D notifies to DPDs as initiatorTobias Brunner2016-10-041-8/+15
| | | | | | | | | | If a responder is natted it will usually be a static NAT (unless it's a mediated connection) in which case adding these notifies makes not much sense (if the initiator's NAT mapping had changed the responder wouldn't be able to reach it anyway). It's also problematic as some clients refuse to respond to DPDs if they contain such notifies. Fixes #2126.
* pkcs11: Look for the CKA_ID of the cert if it doesn't match the subjectKeyIdRaphael Geissert2016-10-041-4/+152
| | | | | | | | | | | | | | charon-nm fails to find the private key when its CKA_ID doesn't match the subjectKeyIdentifier of the X.509 certificate. In such cases, the private key builder now falls back to enumerating all the certificates, looking for one that matches the supplied subjectKeyIdentifier. It then uses the CKA_ID of that certificate to find the corresponding private key. It effectively means that PKCS#11 tokens where the only identifier to relate the certificate, the public key, and the private key is the CKA_ID are now supported by charon-nm. Fixes #490.
* nm: Make global CA directory configurableTobias Brunner2016-10-041-1/+2
|
* ikev1: Activate task to delete the IKE_SA in state IKE_REKEYINGTobias Brunner2016-10-041-0/+8
| | | | It does not have any CHILD_SAs attached at that point.
* ikev1: Delete Quick Mode SAs before the ISAKMP SATobias Brunner2016-10-041-2/+2
| | | | | After the ISAKMP_DELETE task has been executed the IKE_SA is destroyed so we wouldn't be able to send deletes for the Quick Mode SAs.
* ikev1: Send DELETE for rekeyed IKE_SAsTobias Brunner2016-10-041-9/+5
| | | | | | If we silently delete the IKE_SA the other peer might still use it even if only to send DPDs. If we don't answer to DPDs that might result in the deletion of the new IKE_SA too.
* starter: Install an empty ipsec.secrets fileTobias Brunner2016-10-042-1/+3
|
* starter: Don't generate a key/certificate if ipsec.secrets does not existTobias Brunner2016-10-042-70/+0
|
* watcher: Avoid allocations due to enumeratorsTobias Brunner2016-10-041-37/+83
| | | | | Since the FD set could get rebuilt quite often this change avoids having to allocate memory just to enumerate the registered FDs.
* vici: Enable IKE fragmentation by defaultTobias Brunner2016-10-042-4/+4
|
* starter: Enable IKE fragmentation by defaultTobias Brunner2016-10-041-0/+1
|
* ike: Set default IKE fragment size to 1280Tobias Brunner2016-10-041-1/+1
| | | | | | This is the minimum size an IPv6 implementation must support. This makes it the default for IPv4 too, which presumably is also generally routable (otherwise, setting this to 0 falls back to the minimum of 576 for IPv4).
* ikev2: Send derived CHILD_SA keys to the busTobias Brunner2016-10-041-26/+43
|
* ikev2: Send derived IKE_SA keys to busTobias Brunner2016-10-041-26/+30
|
* ikev1: Send derived CHILD_SA keys to the busTobias Brunner2016-10-041-14/+26
|
* ikev1: Send derived IKE_SA keys to busTobias Brunner2016-10-041-14/+11
|
* bus: Add new hooks for derived IKE_SA and CHILD_SA keysTobias Brunner2016-10-043-11/+131
|
* nm: Remove dummy TUN deviceTobias Brunner2016-10-041-36/+0
| | | | | Recent NM releases don't insist on getting a device back from VPN plugins.
* nm: Fix comment in service file in /etc/NetworkManager/VPNTobias Brunner2016-10-041-1/+1
|
* nm: Remove generated service file in `make clean`Tobias Brunner2016-10-041-1/+1
|
* nm: Don't add generated AppStream metadata to tarballTobias Brunner2016-10-041-1/+0
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-16 14:21:43 +0000