Tobias Brunner
000235f1c5
traffic-selector: Print ICMP[v6] message type and code in a more readable way
2013-10-17 16:57:39 +02:00
Tobias Brunner
4bebe45abb
traffic-selector: Store ICMP[v6] message type and code properly
We now store them as defined in RFC 4301, section 4.4.1.1.
2013-10-17 16:57:39 +02:00
Tobias Brunner
d6a1960d34
traffic-selector: Move class to its own Doxygen group
2013-10-17 16:57:38 +02:00
Tobias Brunner
5eb802ab18
Merge branch 'ecc-brainpool'
Adds support for ECC Brainpool curves for DH exchanges.
2013-10-17 16:56:31 +02:00
Tobias Brunner
7313499914
proposal: Add ECC Brainpool DH groups to the default proposal
2013-10-17 13:36:09 +02:00
Tobias Brunner
606aae3aa1
openssl: Add workaround if ECC Brainpool curves are not defined
2013-10-17 13:36:08 +02:00
Tobias Brunner
3c29d2822f
openssl: Add support for ECC Brainpool curves for DH, if defined by OpenSSL
OpenSSL does not include them in releases before 1.0.2.
2013-10-17 13:36:08 +02:00
Andreas Steffen
cca372465d
ecc: Added ECC Brainpool ECDH groups as registered with IANA
2013-10-17 11:57:04 +02:00
Tobias Brunner
be97277bdb
unit-tests: Make test for bio_writer_t more portable
2013-10-17 11:44:03 +02:00
Tobias Brunner
f6cadb7f54
libipsec: Don't print ciphertext with ICV in log message
2013-10-17 11:43:58 +02:00
Tobias Brunner
f5c5fd6f74
libipsec: Properly calculate padding length especially for AES-GCM
2013-10-17 11:42:45 +02:00
Tobias Brunner
812ae898bf
utils: Add utility function to calculate padding length
2013-10-17 10:25:34 +02:00
Tobias Brunner
32fef0c6e9
stroke: Reuse reqids of established CHILD_SAs when routing connections
2013-10-17 10:23:32 +02:00
Tobias Brunner
6278e64230
trap-manager: Make sure a config is not trapped twice
2013-10-17 10:23:32 +02:00
Tobias Brunner
dd438ee22c
Doxygen fixes
2013-10-15 11:25:55 +02:00
Andreas Steffen
a37ab690cc
Set recommendation in the case of PCR measurement failures
2013-10-13 22:17:18 +02:00
Andreas Steffen
b0761f1f0a
Add linux/fip_rules.h to include files
2013-10-13 20:51:10 +02:00
Andreas Steffen
6623dfa84d
Revert refactoring which broke CentOS build
2013-10-13 19:56:04 +02:00
Andreas Steffen
1ca57d497f
Increase debug level in libipsec/rw-suite-b scenario
2013-10-11 21:34:59 +02:00
Andreas Steffen
1486fe786a
Use bold font to display key size
2013-10-11 21:23:10 +02:00
Andreas Steffen
fcf355036f
Added swid_directory option
2013-10-11 20:59:24 +02:00
Andreas Steffen
3bd4536185
Added tnc/tnccs-11-supplicant scenario
2013-10-11 20:18:59 +02:00
Andreas Steffen
cae778147a
Define aaa.strongswan.org in /etc/hosts
2013-10-11 20:16:59 +02:00
Tobias Brunner
d14ba7e7fd
testing: Add libipsec/host2host-cert scenario
2013-10-11 18:04:48 +02:00
Tobias Brunner
d9020264f4
checksum: The pool utility was moved to its own directory
2013-10-11 17:42:29 +02:00
Tobias Brunner
0f6f7ba22c
ccm: Add missing comma in get_iv_gen method signature
2013-10-11 17:42:25 +02:00
Tobias Brunner
bfeb8b5c47
iv-gen: Add missing header files to Makefile.am
2013-10-11 17:42:05 +02:00
Tobias Brunner
1c1ba803ac
NEWS: Updates for the recent merges
2013-10-11 16:20:41 +02:00
Tobias Brunner
5ef630189a
Merge branch 'iv-gen'
Modularizes the generation of initialization vectors, which allows the use of
different methods depending on the algorithm. For instance, for AES-GCM
sequential IVs are now used instead of the earlier random IVs, which are
still used for other algorithms, e.g. AES-CBC.
2013-10-11 15:55:49 +02:00
Tobias Brunner
0c6f6c4e34
iv_gen: Mask sequential IVs with a random salt
This makes it harder to attack a HA setup, even if the sequence numbers were
not fully in sync.
2013-10-11 15:55:40 +02:00
Tobias Brunner
e8229ad558
iv_gen: Provide external sequence number (IKE, ESP)
This prevents duplicate sequential IVs in case of a HA failover.
2013-10-11 15:55:40 +02:00
Tobias Brunner
d74c254dfd
ipsec: Use IV generator to encrypt ESP messages
2013-10-11 15:55:40 +02:00
Tobias Brunner
b5010707a0
ikev2: Use IV generator to encrypt encrypted payload
2013-10-11 15:55:40 +02:00
Tobias Brunner
50bd28d549
iv_gen: aead_t implementations provide an IV generator
2013-10-11 15:55:40 +02:00
Tobias Brunner
b3e1eb2afe
iv_gen: Add IV generator that allocates IVs sequentially
2013-10-11 15:55:40 +02:00
Tobias Brunner
53d1f2dbfd
iv_gen: Add IV generator that allocates IVs randomly
Uses RNG_WEAK as the code currently does elsewhere to allocate IVs.
2013-10-11 15:55:40 +02:00
Tobias Brunner
403057aa5a
crypto: Add generic interface for IV generators
2013-10-11 15:55:40 +02:00
Tobias Brunner
b38f7f703b
apidoc: Move mac_prf to prf Doxygen group
2013-10-11 15:55:40 +02:00
Tobias Brunner
af22622a9d
Merge branch 'radius-unity'
Adds support for Cisco Unity specific RADIUS attributes.
References #383.
2013-10-11 15:52:36 +02:00
Tobias Brunner
feb3c4ff22
eap-radius: Forward RAT_FRAMED_IP_NETMASK as INTERNAL_IP4_NETMASK
2013-10-11 15:52:22 +02:00
Tobias Brunner
1a809e46f8
eap-radius: Forward UNITY_SPLIT_INCLUDE or UNITY_LOCAL_LAN attributes
Depending on the value of the CVPN3000-IPSec-Split-Tunneling-Policy(55)
radius attribute, the subnets in the CVPN3000-IPSec-Split-Tunnel-List(27)
attribute are sent in either a UNITY_SPLIT_INCLUDE (if the value is 1)
or a UNITY_LOCAL_LAN (if the value is 2).
So if the following attributes were configured for a RADIUS user:
CVPN3000-IPSec-Split-Tunnel-List := "10.0.1.0/255.255.255.0,10.0.2.0/255.255.255.0"
CVPN3000-IPSec-Split-Tunneling-Policy := 1
a UNITY_SPLIT_INCLUDE configuration payload containing these two subnets
would be sent to the client during the ModeCfg exchange.
2013-10-11 15:52:22 +02:00
Tobias Brunner
66229619cf
eap-radius: Forward UNITY_DEF_DOMAIN and UNITY_SPLITDNS_NAME attributes
The contents of the CVPN3000-IPSec-Default-Domain(28) and
CVPN3000-IPSec-Split-DNS-Names(29) radius attributes are forwarded in
the corresponding Unity configuration attributes.
2013-10-11 15:52:22 +02:00
Tobias Brunner
121c64f0d5
Merge branch 'dnscert'
The new dnscert plugin adds support for authentication via CERT resource
records that are protected with DNSSEC.
2013-10-11 15:49:24 +02:00
Tobias Brunner
ca28e13fe8
testing: Add ikev2/net2net-dnscert scenario
2013-10-11 15:45:42 +02:00
Tobias Brunner
a4d6a5a359
testing: Provide moon's and sun's certificate as CERT RR
2013-10-11 15:45:42 +02:00
Tobias Brunner
99a89ea7f4
testing: Enable dnscert plugin
2013-10-11 15:45:42 +02:00
Tobias Brunner
42525d1142
testing: Load testing.conf.local from the same directory as testing.conf
2013-10-11 15:45:42 +02:00
Ruslan N. Marchenko
b638c131de
dnscert: Add DNS CERT support for pubkey authentication
Add DNSSEC protected CERT RR delivered certificate authentication.
The new dnscert plugin is based on the ipseckey plugin and relies on the
existing PEM decoder as well as x509 and PGP parsers. As such the plugin
expects PEM encoded PKIX(x509) or PGP(GPG) certificate payloads.
The plugin is targeted to improve interoperability with Racoon, which
supports this type of authentication, ignoring in-stream certificates
and using only DNS provided certificates for FQDN IDs.
2013-10-11 15:45:42 +02:00
Tobias Brunner
8ac54970f5
ipseckey: Properly handle failure to create a certificate
Also, try the next key (if available) if parsing an IPSECKEY failed.
2013-10-11 15:45:41 +02:00
Tobias Brunner
e8130a9498
ipseckey: Refactor creation of certificate enumerator
Reduces nesting and fixes a memory leak (rrsig_enum).
2013-10-11 15:45:41 +02:00