3ea7165a27
Merge branch 'icmp'
...
Improves handling of ICMP[v6] traffic selectors that specify message type and
code.
Fixes #421 .
2013-10-17 16:59:07 +02:00
6956061197
ipsec.conf.5: Note about ICMP[v6] message type/code added
2013-10-17 16:57:39 +02:00
4c185d11ad
updown: Properly configure ICMP[v6] message type and code in firewall rules
2013-10-17 16:57:39 +02:00
9739a0bf67
updown: Pass ICMP[v6] message type and code to updown script
...
The type is passed in $PLUTO_MY_PORT and the code in $PLUTO_PEER_PORT.
2013-10-17 16:57:39 +02:00
59213396fa
kernel-pfkey: Install ICMP[v6] type/code as expected by the Linux kernel
2013-10-17 16:57:39 +02:00
406a504ca7
kernel-netlink: Convert ports in acquires to ICMP[v6] type and code
2013-10-17 16:57:39 +02:00
ddc2d3c8e4
kernel-netlink: Properly install policies with ICMP[v6] types and codes
2013-10-17 16:57:39 +02:00
000235f1c5
traffic-selector: Print ICMP[v6] message type and code in a more readable way
2013-10-17 16:57:39 +02:00
4bebe45abb
traffic-selector: Store ICMP[v6] message type and code properly
...
We now store them as defined in RFC 4301, section 4.4.1.1.
2013-10-17 16:57:39 +02:00
d6a1960d34
traffic-selector: Move class to its own Doxygen group
2013-10-17 16:57:38 +02:00
5eb802ab18
Merge branch 'ecc-brainpool'
...
Adds support for ECC Brainpool curves for DH exchanges.
2013-10-17 16:56:31 +02:00
7313499914
proposal: Add ECC Brainpool DH groups to the default proposal
2013-10-17 13:36:09 +02:00
606aae3aa1
openssl: Add workaround if ECC Brainpool curves are not defined
2013-10-17 13:36:08 +02:00
3c29d2822f
openssl: Add support for ECC Brainpool curves for DH, if defined by OpenSSL
...
OpenSSL does not include them in releases before 1.0.2.
2013-10-17 13:36:08 +02:00
cca372465d
ecc: Added ECC Brainpool ECDH groups as registered with IANA
2013-10-17 11:57:04 +02:00
be97277bdb
unit-tests: Make test for bio_writer_t more portable
2013-10-17 11:44:03 +02:00
f6cadb7f54
libipsec: Don't print ciphertext with ICV in log message
2013-10-17 11:43:58 +02:00
f5c5fd6f74
libipsec: Properly calculate padding length especially for AES-GCM
2013-10-17 11:42:45 +02:00
812ae898bf
utils: Add utility function to calculate padding length
2013-10-17 10:25:34 +02:00
32fef0c6e9
stroke: Reuse reqids of established CHILD_SAs when routing connections
2013-10-17 10:23:32 +02:00
6278e64230
trap-manager: Make sure a config is not trapped twice
2013-10-17 10:23:32 +02:00
dd438ee22c
Doxygen fixes
2013-10-15 11:25:55 +02:00
a37ab690cc
Set recommendation in the case of PCR measurement failures
2013-10-13 22:17:18 +02:00
b0761f1f0a
Add linux/fip_rules.h to include files
2013-10-13 20:51:10 +02:00
6623dfa84d
Revert refactoring which broke CentOS build
2013-10-13 19:56:04 +02:00
1ca57d497f
Increase debug level in libipsec/rw-suite-b scenario
2013-10-11 21:34:59 +02:00
1486fe786a
Use bold font to display key size
2013-10-11 21:23:10 +02:00
fcf355036f
Added swid_directory option
2013-10-11 20:59:24 +02:00
3bd4536185
Added tnc/tnccs-11-supplicant scenario
2013-10-11 20:18:59 +02:00
cae778147a
Define aaa.strongswan.org in /etc/hosts
2013-10-11 20:16:59 +02:00
d14ba7e7fd
testing: Add libipsec/host2host-cert scenario
2013-10-11 18:04:48 +02:00
d9020264f4
checksum: The pool utility was moved to its own directory
2013-10-11 17:42:29 +02:00
0f6f7ba22c
ccm: Add missing comma in get_iv_gen method signature
2013-10-11 17:42:25 +02:00
bfeb8b5c47
iv-gen: Add missing header files to Makefile.am
2013-10-11 17:42:05 +02:00
1c1ba803ac
NEWS: Updates for the recent merges
2013-10-11 16:20:41 +02:00
5ef630189a
Merge branch 'iv-gen'
...
Modularizes the generation of initialization vectors, which allows to use
different methods depending on the algorithms. For instance for AES-GCM
sequential IVs are now used instead of the earlier random IVs, which are
still used for other algorithms e.g. AES-CBC.
2013-10-11 15:55:49 +02:00
0c6f6c4e34
iv_gen: Mask sequential IVs with a random salt
...
This makes it harder to attack a HA setup, even if the sequence numbers were
not fully in sync.
2013-10-11 15:55:40 +02:00
e8229ad558
iv_gen: Provide external sequence number (IKE, ESP)
...
This prevents duplicate sequential IVs in case of a HA failover.
2013-10-11 15:55:40 +02:00
d74c254dfd
ipsec: Use IV generator to encrypt ESP messages
2013-10-11 15:55:40 +02:00
b5010707a0
ikev2: Use IV generator to encrypt encrypted payload
2013-10-11 15:55:40 +02:00
50bd28d549
iv_gen: aead_t implementations provide an IV generator
2013-10-11 15:55:40 +02:00
b3e1eb2afe
iv_gen: Add IV generator that allocates IVs sequentially
2013-10-11 15:55:40 +02:00
53d1f2dbfd
iv_gen: Add IV generator that allocates IVs randomly
...
Uses RNG_WEAK as the code currently does elsewhere to allocate IVs.
2013-10-11 15:55:40 +02:00
403057aa5a
crypto: Add generic interface for IV generators
2013-10-11 15:55:40 +02:00
b38f7f703b
apidoc: Move mac_prf to prf Doxygen group
2013-10-11 15:55:40 +02:00
af22622a9d
Merge branch 'radius-unity'
...
Adds support for Cisco Unity specific RADIUS attributes.
References #383 .
2013-10-11 15:52:36 +02:00
feb3c4ff22
eap-radius: Forward RAT_FRAMED_IP_NETMASK as INTERNAL_IP4_NETMASK
2013-10-11 15:52:22 +02:00
1a809e46f8
eap-radius: Forward UNITY_SPLIT_INCLUDE or UNITY_LOCAL_LAN attributes
...
Depending on the value of the CVPN3000-IPSec-Split-Tunneling-Policy(55)
radius attribute, the subnets in the CVPN3000-IPSec-Split-Tunnel-List(27)
attribute are sent in either a UNITY_SPLIT_INCLUDE (if the value is 1)
or a UNITY_LOCAL_LAN (if the value is 2).
So if the following attributes would be configured for a RADIUS user
CVPN3000-IPSec-Split-Tunnel-List := "10.0.1.0/255.255.255.0,10.0.2.0/255.255.255.0"
CVPN3000-IPSec-Split-Tunneling-Policy := 1
A UNITY_SPLIT_INCLUDE configuration payload containing these two subnets
would be sent to the client during the ModeCfg exchange.
2013-10-11 15:52:22 +02:00
66229619cf
eap-radius: Forward UNITY_DEF_DOMAIN and UNITY_SPLITDNS_NAME attributes
...
The contents of the CVPN3000-IPSec-Default-Domain(28) and
CVPN3000-IPSec-Split-DNS-Names(29) radius attributes are forwarded in
the corresponding Unity configuration attributes.
2013-10-11 15:52:22 +02:00
121c64f0d5
Merge branch 'dnscert'
...
The new dnscert plugin adds support for authentication via CERT resource
records that are protected with DNSSEC.
2013-10-11 15:49:24 +02:00
Tobias Brunner