Tobias Brunner
4469e3d050
ikev2: Fix reauthentication if peer assigns a different virtual IP
...
Before this change a reqid set on the create_child_t task was used as
indicator of the CHILD_SA being rekeyed. Only if that was not the case
would the local traffic selector be changed to 0.0.0.0/0|::/0 (as we
don't know which virtual IP the gateway will eventually assign).
On the other hand, in case of a rekeying the VIP is expected to remain
the same, so the local TS would simply equal the VIP.
Since c949a4d501
reauthenticated CHILD_SAs also have the reqid
set. Which meant that the local TS would contain the previously
assigned VIP, basically rendering the gateway unable to assign a
different VIP to the client as the resulting TS would not match
the client's proposal anymore.
Fixes #553 .
2014-04-15 16:19:06 +02:00
Andreas Steffen
37cb91d737
Added NEWS for 5.2.0dr1
2014-04-15 10:04:27 +02:00
Andreas Steffen
fa6c5f3506
Handle tag separators
2014-04-15 09:28:38 +02:00
Andreas Steffen
edd2ed860f
Renewed expired user certificate
2014-04-15 09:28:37 +02:00
Andreas Steffen
9b7f9ab5d2
Updated SWID scenarios
2014-04-15 09:21:06 +02:00
Andreas Steffen
14007fd1d9
swid_generator software-id does not generate empty lines any more
2014-04-15 09:21:06 +02:00
Andreas Steffen
975472e42f
Added result information to TPMRA workitems
...
On the occasion got rid of complicated functional component stuff
2014-04-15 09:21:06 +02:00
Andreas Steffen
1d7324133b
Indicate IMV in assessment log statement
2014-04-15 09:21:06 +02:00
Andreas Steffen
3e7044b45e
Implemented segmented SWID tag attributes on IMV side
2014-04-15 09:21:06 +02:00
Andreas Steffen
8c40609f96
Use python-based swidGenerator to generated SWID tags
2014-04-15 09:21:06 +02:00
Andreas Steffen
8505ce1cc6
Updated imv database templates
2014-04-15 09:21:05 +02:00
Andreas Steffen
b138bbee4e
Optimized PTS measurements
2014-04-15 09:21:05 +02:00
Andreas Steffen
40e8c67392
Use cached pid for product-based package access
2014-04-15 09:21:05 +02:00
Andreas Steffen
48f37c448c
Make Attestation IMV independent of OS IMV
2014-04-15 09:21:05 +02:00
Andreas Steffen
4894bfa227
Separated IMV session management from IMV policy database
2014-04-15 09:21:05 +02:00
Andreas Steffen
0bd64fa5bf
Renamed the AIK public key parameter to imc-attestation.aik_pubkey
2014-04-15 09:21:05 +02:00
Andreas Steffen
c54c26dd17
Implemented configurable Device ID in OS IMC
2014-04-15 09:21:05 +02:00
Andreas Steffen
6d1b4b6baf
Version bump to 5.2.0dr1
2014-04-15 09:20:38 +02:00
Andreas Steffen
266fcdce2b
Version bump to 5.1.3
2014-04-14 15:18:38 +02:00
Tobias Brunner
e59ce07bfa
NEWS: Added info about CVE-2014-2338
2014-04-14 13:32:36 +02:00
Martin Willi
8503077175
ikev2: Reject CREATE_CHILD_SA exchange on unestablished IKE_SAs
...
Prevents a responder peer to trick us into established state by starting
IKE_SA rekeying before the IKE_SA has been authenticated during IKE_AUTH.
Fixes CVE-2014-2338.
2014-04-14 13:29:49 +02:00
Tobias Brunner
abd7d3be9c
eap-mschapv2: Fix potential leaks in case of invalid messages from servers
2014-04-09 18:27:02 +02:00
Tobias Brunner
f0923ff377
pts: Make sure the complete AIK blob has been read
2014-04-09 17:47:32 +02:00
Tobias Brunner
8d34e55375
attr: Don't shift the 32-bit netmask by 32
...
This is undefined behavior as per the C99 standard (sentence 1185):
"If the value of the right operand is negative or is greater or equal
to the width of the promoted left operand, the behavior is undefined."
Apparently shifts may be done modulo the width on some platforms so
a shift by 32 would not shift at all.
2014-04-09 17:09:55 +02:00
Tobias Brunner
f738753abc
nm: Fix NULL-pointer dereference when handling TUN device failure
2014-04-09 16:35:46 +02:00
Tobias Brunner
f7d04ba6c4
x509: Don't include authKeyIdentifier in self-signed certificates
...
As the comment indicates this was the intention in
d7be290643
all along.
2014-04-09 16:06:18 +02:00
Tobias Brunner
3f3680ec3f
x509: Initialize certs when building optionalSignature for OCSP requests
2014-04-09 16:06:17 +02:00
Tobias Brunner
a04ef18bda
stroke: Fix memory leak when printing unknown AC group OIDs
2014-04-09 16:06:17 +02:00
Tobias Brunner
297bc06ca9
pki: Fix memory leak when printing unknown AC group OIDs
2014-04-09 15:56:11 +02:00
Tobias Brunner
ce845838ea
pki: Removed extra continue statement
2014-04-09 15:12:27 +02:00
Andreas Steffen
98ae0492b6
Added support for msSmartcardLogon EKU
2014-04-08 13:09:03 +02:00
Andreas Steffen
e2df745122
Added some more OIDs
2014-04-08 11:32:30 +02:00
Andreas Steffen
6a44fcf929
Initialize m1 to suppress compiler warning
2014-04-07 13:29:39 +02:00
Andreas Steffen
4e9123a0b1
Fixed another dirname/basename refactoring bug.
...
file was freed before use.
2014-04-07 12:07:00 +02:00
Andreas Steffen
d982e38b8b
Fixed dirname/basename refactoring bug.
...
Variables used in a database query have to be kept until the end of the enumeration
2014-04-07 12:05:55 +02:00
Andreas Steffen
60451e2fb6
Added SHA3 OIDs
2014-04-04 23:44:55 +02:00
Andreas Steffen
ab8ed95bfc
Fixed pretest script in tnc/tnccs-20-pt-tls scenario
2014-04-04 23:04:54 +02:00
Tobias Brunner
23f34f6ed5
ike-cfg: Properly compare IKE proposals for equality
2014-04-03 09:46:41 +02:00
Tobias Brunner
adc1157487
leak-detective: LEAK_DETECTIVE_DISABLE completely disables LD
...
If lib->leak_detective is non-null some code parts (e.g. the plugin
loader) assume LD is actually used.
2014-04-03 09:44:26 +02:00
Tobias Brunner
7a61bf9032
testing: Run 'conntrack -F' before all test scenarios
...
This prevents failures due to remaining conntrack entries.
2014-04-02 11:55:05 +02:00
Tobias Brunner
f678bce84c
unit-tests: Verify two bytes at once when testing chunk_clear()
...
This reduces the chances of arbitrary test failures if the memory area
already got overwritten.
2014-04-02 11:50:11 +02:00
Martin Willi
b87f7840bc
Merge branch 'tls-unit-tests'
...
Add some initial unit-tests to libtls, testing all supported cipher suites
against self, both with and without client authentication, for all supported
TLS versions.
2014-04-01 14:53:28 +02:00
Martin Willi
5ba9f73457
tls: Add a test case to check correct enum name mapping of cipher suites
2014-04-01 14:52:18 +02:00
Martin Willi
2c8d77394c
tls: Add socket based tests testing all supported suites with TLS 1.2/1.1/1.0
2014-04-01 14:52:18 +02:00
Martin Willi
74162ed997
tls: Remove superfluous initializers in TLS AEAD implementations
2014-04-01 14:52:18 +02:00
Martin Willi
e15f64cc81
tls: Support a maximum TLS version to negotiate using TLS socket abstraction
2014-04-01 14:28:55 +02:00
Martin Willi
5313880261
tls: Support a null encryption flag on TLS socket abstraction
2014-04-01 14:28:55 +02:00
Martin Willi
ddf5222096
tls: Introduce a generic TLS purpose that accepts NULL encryption ciphers
2014-04-01 14:28:55 +02:00
Martin Willi
ac5717c9e9
tls: Export a function to list supported TLS cipher suites
2014-04-01 14:28:55 +02:00
Martin Willi
c0efaaebe3
tls: Create a unit-test runner
2014-04-01 14:28:55 +02:00