Commit Graph

11995 Commits

Author SHA1 Message Date
Tobias Brunner 000235f1c5 traffic-selector: Print ICMP[v6] message type and code in a more readable way 2013-10-17 16:57:39 +02:00
Tobias Brunner 4bebe45abb traffic-selector: Store ICMP[v6] message type and code properly
We now store them as defined in RFC 4301, section 4.4.1.1.
2013-10-17 16:57:39 +02:00
Tobias Brunner d6a1960d34 traffic-selector: Move class to its own Doxygen group 2013-10-17 16:57:38 +02:00
Tobias Brunner 5eb802ab18 Merge branch 'ecc-brainpool'
Adds support for ECC Brainpool curves for DH exchanges.
2013-10-17 16:56:31 +02:00
Tobias Brunner 7313499914 proposal: Add ECC Brainpool DH groups to the default proposal 2013-10-17 13:36:09 +02:00
Tobias Brunner 606aae3aa1 openssl: Add workaround if ECC Brainpool curves are not defined 2013-10-17 13:36:08 +02:00
Tobias Brunner 3c29d2822f openssl: Add support for ECC Brainpool curves for DH, if defined by OpenSSL
OpenSSL does not include them in releases before 1.0.2.
2013-10-17 13:36:08 +02:00
Andreas Steffen cca372465d ecc: Added ECC Brainpool ECDH groups as registered with IANA 2013-10-17 11:57:04 +02:00
Tobias Brunner be97277bdb unit-tests: Make test for bio_writer_t more portable 2013-10-17 11:44:03 +02:00
Tobias Brunner f6cadb7f54 libipsec: Don't print ciphertext with ICV in log message 2013-10-17 11:43:58 +02:00
Tobias Brunner f5c5fd6f74 libipsec: Properly calculate padding length especially for AES-GCM 2013-10-17 11:42:45 +02:00
Tobias Brunner 812ae898bf utils: Add utility function to calculate padding length 2013-10-17 10:25:34 +02:00
Tobias Brunner 32fef0c6e9 stroke: Reuse reqids of established CHILD_SAs when routing connections 2013-10-17 10:23:32 +02:00
Tobias Brunner 6278e64230 trap-manager: Make sure a config is not trapped twice 2013-10-17 10:23:32 +02:00
Tobias Brunner dd438ee22c Doxygen fixes 2013-10-15 11:25:55 +02:00
Andreas Steffen a37ab690cc Set recommendation in the case of PCR measurement failures 2013-10-13 22:17:18 +02:00
Andreas Steffen b0761f1f0a Add linux/fip_rules.h to include files 2013-10-13 20:51:10 +02:00
Andreas Steffen 6623dfa84d Revert refactoring which broke CentOS build 2013-10-13 19:56:04 +02:00
Andreas Steffen 1ca57d497f Increase debug level in libipsec/rw-suite-b scenario 2013-10-11 21:34:59 +02:00
Andreas Steffen 1486fe786a Use bold font to display key size 2013-10-11 21:23:10 +02:00
Andreas Steffen fcf355036f Added swid_directory option 2013-10-11 20:59:24 +02:00
Andreas Steffen 3bd4536185 Added tnc/tnccs-11-supplicant scenario 2013-10-11 20:18:59 +02:00
Andreas Steffen cae778147a Define aaa.strongswan.org in /etc/hosts 2013-10-11 20:16:59 +02:00
Tobias Brunner d14ba7e7fd testing: Add libipsec/host2host-cert scenario 2013-10-11 18:04:48 +02:00
Tobias Brunner d9020264f4 checksum: The pool utility was moved to its own directory 2013-10-11 17:42:29 +02:00
Tobias Brunner 0f6f7ba22c ccm: Add missing comma in get_iv_gen method signature 2013-10-11 17:42:25 +02:00
Tobias Brunner bfeb8b5c47 iv-gen: Add missing header files to Makefile.am 2013-10-11 17:42:05 +02:00
Tobias Brunner 1c1ba803ac NEWS: Updates for the recent merges 2013-10-11 16:20:41 +02:00
Tobias Brunner 5ef630189a Merge branch 'iv-gen'
Modularizes the generation of initialization vectors, which allows using
different methods depending on the algorithm.  For instance, for AES-GCM
sequential IVs are now used instead of the earlier random IVs, which are
still used for other algorithms, e.g. AES-CBC.
2013-10-11 15:55:49 +02:00
Tobias Brunner 0c6f6c4e34 iv_gen: Mask sequential IVs with a random salt
This makes it harder to attack a HA setup, even if the sequence numbers were
not fully in sync.
2013-10-11 15:55:40 +02:00
Tobias Brunner e8229ad558 iv_gen: Provide external sequence number (IKE, ESP)
This prevents duplicate sequential IVs in case of a HA failover.
2013-10-11 15:55:40 +02:00
Tobias Brunner d74c254dfd ipsec: Use IV generator to encrypt ESP messages 2013-10-11 15:55:40 +02:00
Tobias Brunner b5010707a0 ikev2: Use IV generator to encrypt encrypted payload 2013-10-11 15:55:40 +02:00
Tobias Brunner 50bd28d549 iv_gen: aead_t implementations provide an IV generator 2013-10-11 15:55:40 +02:00
Tobias Brunner b3e1eb2afe iv_gen: Add IV generator that allocates IVs sequentially 2013-10-11 15:55:40 +02:00
Tobias Brunner 53d1f2dbfd iv_gen: Add IV generator that allocates IVs randomly
Uses RNG_WEAK as the code currently does elsewhere to allocate IVs.
2013-10-11 15:55:40 +02:00
Tobias Brunner 403057aa5a crypto: Add generic interface for IV generators 2013-10-11 15:55:40 +02:00
Tobias Brunner b38f7f703b apidoc: Move mac_prf to prf Doxygen group 2013-10-11 15:55:40 +02:00
Tobias Brunner af22622a9d Merge branch 'radius-unity'
Adds support for Cisco Unity specific RADIUS attributes.

References #383.
2013-10-11 15:52:36 +02:00
Tobias Brunner feb3c4ff22 eap-radius: Forward RAT_FRAMED_IP_NETMASK as INTERNAL_IP4_NETMASK 2013-10-11 15:52:22 +02:00
Tobias Brunner 1a809e46f8 eap-radius: Forward UNITY_SPLIT_INCLUDE or UNITY_LOCAL_LAN attributes
Depending on the value of the CVPN3000-IPSec-Split-Tunneling-Policy(55)
radius attribute, the subnets in the CVPN3000-IPSec-Split-Tunnel-List(27)
attribute are sent in either a UNITY_SPLIT_INCLUDE (if the value is 1)
or a UNITY_LOCAL_LAN (if the value is 2).

So if the following attributes were configured for a RADIUS user

  CVPN3000-IPSec-Split-Tunnel-List := "10.0.1.0/255.255.255.0,10.0.2.0/255.255.255.0"
  CVPN3000-IPSec-Split-Tunneling-Policy := 1

a UNITY_SPLIT_INCLUDE configuration payload containing these two subnets
would be sent to the client during the ModeCfg exchange.
2013-10-11 15:52:22 +02:00
Tobias Brunner 66229619cf eap-radius: Forward UNITY_DEF_DOMAIN and UNITY_SPLITDNS_NAME attributes
The contents of the CVPN3000-IPSec-Default-Domain(28) and
CVPN3000-IPSec-Split-DNS-Names(29) radius attributes are forwarded in
the corresponding Unity configuration attributes.
2013-10-11 15:52:22 +02:00
Tobias Brunner 121c64f0d5 Merge branch 'dnscert'
The new dnscert plugin adds support for authentication via CERT resource
records that are protected with DNSSEC.
2013-10-11 15:49:24 +02:00
Tobias Brunner ca28e13fe8 testing: Add ikev2/net2net-dnscert scenario 2013-10-11 15:45:42 +02:00
Tobias Brunner a4d6a5a359 testing: Provide moon's and sun's certificate as CERT RR 2013-10-11 15:45:42 +02:00
Tobias Brunner 99a89ea7f4 testing: Enable dnscert plugin 2013-10-11 15:45:42 +02:00
Tobias Brunner 42525d1142 testing: Load testing.conf.local from the same directory as testing.conf 2013-10-11 15:45:42 +02:00
Ruslan N. Marchenko b638c131de dnscert: Add DNS CERT support for pubkey authentication
Add DNSSEC protected CERT RR delivered certificate authentication.
The new dnscert plugin is based on the ipseckey plugin and relies on the
existing PEM decoder as well as x509 and PGP parsers.  As such the plugin
expects PEM encoded PKIX(x509) or PGP(GPG) certificate payloads.

The plugin is targeted to improve interoperability with Racoon, which
supports this type of authentication, ignoring in-stream certificates
and using only DNS provided certificates for FQDN IDs.
2013-10-11 15:45:42 +02:00
Tobias Brunner 8ac54970f5 ipseckey: Properly handle failure to create a certificate
Also, try the next key (if available) if parsing an IPSECKEY failed.
2013-10-11 15:45:41 +02:00
Tobias Brunner e8130a9498 ipseckey: Refactor creation of certificate enumerator
Reduces nesting and fixes a memory leak (rrsig_enum).
2013-10-11 15:45:41 +02:00