aboutsummaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
* sec-updater: Import SWID tags of updated packagesAndreas Steffen2017-09-093-57/+207
| | | | | | | sec-updater downloads the deb package files from security updates from a given linux repository and uses the swid_generator command to derive a SWID tag. The SWID tag is then imported into strongTNC using the manage.py importswid command.
* libimcv: Corrected captionAndreas Steffen2017-09-091-1/+1
|
* pt-tls-client: Introduced --options as a synonym for --optionsfromAndreas Steffen2017-09-092-3/+4
|
* sec-updater: Write to log only if at least one update is found.Andreas Steffen2017-09-072-19/+98
|
* android: New release after adding OCSP, CRL cache and some other stuffTobias Brunner2017-09-041-2/+2
|
* ike: Reset local SPI if retrying to connect in state IKE_CONNECTINGTobias Brunner2017-09-043-11/+19
| | | | | | | | | | | | | | In case we send retransmits for an IKE_SA_INIT where we propose a DH group the responder will reject we might later receive delayed responses that either contain INVALID_KE_PAYLOAD notifies with the group we already use or, if we retransmitted an IKE_SA_INIT with the requested group but then had to restart again, a KE payload with a group different from the one we proposed. So far we didn't change the initiator SPI when restarting the connection, i.e. these delayed responses were processed and might have caused fatal errors due to a failed DH negotiation or because of the internal retry counter in the ike-init task. Changing the initiator SPI avoids that as we won't process the delayed responses anymore that caused this confusion.
* ike-sa-manager: Add method to change the initiator SPI of an IKE_SATobias Brunner2017-09-042-4/+99
|
* ike-init: Fail if DH group in KE payload does not match proposed groupTobias Brunner2017-09-041-1/+5
|
* android: Add disconnect button to dialog if already connected to profileTobias Brunner2017-09-041-31/+54
|
* android: Load x509 plugin to generate OCSP requests and parse responsesTobias Brunner2017-09-041-1/+1
| | | | BoringSSL does not support OpenSSL's OCSP API.
* android: Add support to POST data via SimpleFetcherTobias Brunner2017-09-042-6/+62
| | | | That's required for OCSP verification.
* android: Add option to clear cached CRLsTobias Brunner2017-09-049-1/+146
|
* android: Cache CRLs in app directoryTobias Brunner2017-09-043-10/+132
| | | | Fixes #2405.
* android: Pass absolute path to the app's data directory via JNITobias Brunner2017-09-042-6/+11
|
* android: Hide app selection in profile editor on Android < 5Tobias Brunner2017-09-042-0/+9
|
* android: Only apply app filter on Android 5 and newerTobias Brunner2017-09-041-1/+2
|
* android: Catch OutOfMemoryError when importing profilesTobias Brunner2017-09-041-1/+9
| | | | | Not sure if this is actually caused because e.g. the file is too large or due to some encoding issue.
* android: Catch NullPointerException when parsing invalid certificatesTobias Brunner2017-09-041-16/+25
|
* android: Catch NullPointerException when calling VpnService.prepare()Tobias Brunner2017-09-041-0/+6
| | | | According to the Play Console this occurs occasionally.
* imv-os: Updated security update evaluationAndreas Steffen2017-09-014-35/+36
|
* libimcv: Updated database schemeAndreas Steffen2017-09-011-5/+11
|
* sec-updater: Checks for security updatesAndreas Steffen2017-09-019-362/+267
| | | | | | sec-updater checks for security updates and backports in Debian/ Ubuntu repositories and sets the security flags in the strongTNC policy database accordingly.
* imv-attestation: Fixed file hash measurementsAndreas Steffen2017-09-014-37/+119
| | | | | | The introduction of file versions broke file hash measurements. This has been fixed by using a generic product versions having an empty package name.
* ike-cfg: Fix memory leak when checking for configured addressTobias Brunner2017-08-291-0/+1
|
* sw-collector.8: Some cleanupsAndreas Steffen2017-08-251-9/+9
|
* kernel-netlink: Set usable state whenever an interface appearsTobias Brunner2017-08-231-2/+2
| | | | | | | | If an interface is renamed we already have an entry (based on the ifindex) allocated but previously only set the usable state once based on the original name. Fixes #2403.
* libimcv: Updated Android.mk after move of swid-gen(-info)Tobias Brunner2017-08-211-0/+2
|
* traffic-selector: Use single buffer for both address familiesTobias Brunner2017-08-172-159/+102
| | | | | | | | The generic field of size 0 in the union that was used previously triggered index-out-of-bounds errors with the UBSAN sanitizer that's used on OSS-Fuzz. Since the two family specific union members don't really provide any advantage, we can just use a single buffer for both families to avoid the errors.
* plugin-loader: Move indent variables into !USE_FUZZING blockTobias Brunner2017-08-151-2/+2
| | | | This avoids compile errors on Travis.
* charon-tkm: Build fix for kernel SAD testsAdrian-Ken Rueegsegger2017-08-141-2/+2
| | | | | Commit 7729577... added a flag to the get_esa_id function but the unit tests were not adjusted.
* gmp: Fix RSA signature verification for m >= nTobias Brunner2017-08-141-3/+9
| | | | | | | | By definition, m must be <= n-1, we didn't enforce that and because mpz_export() returns NULL if the passed value is zero a crash could have been triggered with m == n. Fixes CVE-2017-11185.
* sw-collector: Moved info class to libimcvAndreas Steffen2017-08-097-74/+72
|
* libimcv: Cast chunk length to int when printing as stringTobias Brunner2017-08-082-2/+4
|
* sw-collector: Cast chunk length to int when printing as stringTobias Brunner2017-08-081-7/+7
|
* sw-collector: Fix memory leak after failing to open DBTobias Brunner2017-08-081-0/+1
|
* sw-collector: Use correct variable to report failure to open history fileTobias Brunner2017-08-081-4/+5
|
* imv-database: Improve performance by creating file_hashes indexAndreas Steffen2017-08-071-0/+2
|
* sw-collector: Add missing Doxygen groupTobias Brunner2017-08-073-3/+5
| | | | Fix location of two classes.
* libimcv: Add missing Doxgen group for SWIMA-related classesTobias Brunner2017-08-072-1/+4
| | | | Fix location of swima_error_t.
* Fixed some typos, courtesy of codespellTobias Brunner2017-08-0711-15/+15
|
* kernel-netlink: Wipe buffer used to read Netlink messagesTobias Brunner2017-08-071-2/+12
| | | | | | | | | When querying SAs the keys will end up in this buffer (the allocated messages that are returned are already wiped). The kernel also returns XFRM_MSG_NEWSA as response to XFRM_MSG_ALLOCSPI but we can't distinguish this here as we only see the response. References #2388.
* sha2: Write final hash directly to output bufferTobias Brunner2017-08-071-56/+26
| | | | | | This avoids having the last output in internal memory that's not wiped. References #2388.
* prf-plus: Wipe seed and internal bufferTobias Brunner2017-08-071-2/+2
| | | | | | | The buffer contains key material we handed out last and the seed can contain the DH secret. References #2388.
* child-sa: Allow requesting different unique marks for in/outEyal Birger2017-08-074-10/+46
| | | | | | | | | | | | | | | | | | | | When requiring unique flags for CHILD_SAs, allow the configuration to request different marks for each direction by using the %unique-dir keyword. This is useful when different marks are desired for each direction but the number of peers is not predefined. An example use case is when implementing a site-to-site route-based VPN without VTI devices. A use of 0.0.0.0/0 - 0.0.0.0/0 traffic selectors with identical in/out marks results in outbound traffic being wrongfully matched against the 'fwd' policy - for which the underlay 'template' does not match - and dropped. Using different marks for each direction avoids this issue as the 'fwd' policy uses the 'in' mark will not match outbound traffic. Closes strongswan/strongswan#78.
* trap-manager: Don't require that remote is resolvable during installationTobias Brunner2017-08-071-10/+49
| | | | | | | | Initiation might later fail, of course, but we don't really require an IP address when installing, that is, unless the remote traffic selector is dynamic. As that would result in installing a 0.0.0.0/0 remote TS which is not ideal when a single IP is expected as remote.
* child-create: Don't log CHILD_SA initiation until we know the unique IDTobias Brunner2017-08-071-11/+13
|
* child-rekey: Add CHILD_SA name and unique ID to collision log messagesTobias Brunner2017-08-071-8/+13
|
* child-sa: Suppress CHILD_SA state changes if there is no changeTobias Brunner2017-08-071-6/+9
|
* charon-tkm: Call esa_reset() when the inbound SA is deletedTobias Brunner2017-08-074-16/+40
| | | | | | | | | After a rekeying the outbound SA and policy is deleted immediately, however, the inbound SA is not removed until a few seconds later, so delayed packets can still be processed. This adds a flag to get_esa_id() that specifies the location of the given SPI.
* charon-tkm: Remove unused get_other_esa_id() methodTobias Brunner2017-08-073-101/+0
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-19 17:01:25 +0000