ims-volte-vowifi
/
strongswan
9
0
Fork 0
Code Pull Requests Releases Activity
12,573 Commits 6 Branches 233 Tags 88 MiB
Commit Graph

12573 Commits

Author SHA1 Message Date
Martin Willi c4c9d291d2 ikev1: Add an option to accept unencrypted ID/HASH payloads 
Even in Main Mode, some Sonicwall boxes seem to send ID/HASH payloads in
unencrypted form, probably to allow PSK lookup based on the ID payloads. We
by default reject that, but accept it if the
charon.accept_unencrypted_mainmode_messages option is set in strongswan.conf.

Initial patch courtesy of Paul Stewart.
 2014-04-17 08:52:28 +02:00
Tobias Brunner 4469e3d050 ikev2: Fix reauthentication if peer assigns a different virtual IP 
Before this change a reqid set on the create_child_t task was used as
indicator of the CHILD_SA being rekeyed.  Only if that was not the case
would the local traffic selector be changed to 0.0.0.0/0|::/0 (as we
don't know which virtual IP the gateway will eventually assign).
On the other hand, in case of a rekeying the VIP is expected to remain
the same, so the local TS would simply equal the VIP.

Since c949a4d501 reauthenticated CHILD_SAs also have the reqid
set.  Which meant that the local TS would contain the previously
assigned VIP, basically rendering the gateway unable to assign a
different VIP to the client as the resulting TS would not match
the client's proposal anymore.

Fixes #553.
 2014-04-15 16:19:06 +02:00
Andreas Steffen 37cb91d737 Added NEWS for 5.2.0dr1 2014-04-15 10:04:27 +02:00
Andreas Steffen fa6c5f3506 Handle tag separators 2014-04-15 09:28:38 +02:00
Andreas Steffen edd2ed860f Renewed expired user certificate 2014-04-15 09:28:37 +02:00
Andreas Steffen 9b7f9ab5d2 Updated SWID scenarios 2014-04-15 09:21:06 +02:00
Andreas Steffen 14007fd1d9 swid_generator software-id does not generate empty lines any more 2014-04-15 09:21:06 +02:00
Andreas Steffen 975472e42f Added result information to TPMRA workitems 
On the occasion got rid of complicated functional component stuff
 2014-04-15 09:21:06 +02:00
Andreas Steffen 1d7324133b Indicate IMV in assessment log statement 2014-04-15 09:21:06 +02:00
Andreas Steffen 3e7044b45e Implemented segmented SWID tag attributes on IMV side 2014-04-15 09:21:06 +02:00
Andreas Steffen 8c40609f96 Use python-based swidGenerator to generated SWID tags 2014-04-15 09:21:06 +02:00
Andreas Steffen 8505ce1cc6 Updated imv database templates 2014-04-15 09:21:05 +02:00
Andreas Steffen b138bbee4e Optimized PTS measurements 2014-04-15 09:21:05 +02:00
Andreas Steffen 40e8c67392 Use cached pid for product-based package access 2014-04-15 09:21:05 +02:00
Andreas Steffen 48f37c448c Make Attestation IMV independent of OS IMV 2014-04-15 09:21:05 +02:00
Andreas Steffen 4894bfa227 Separated IMV session management from IMV policy database 2014-04-15 09:21:05 +02:00
Andreas Steffen 0bd64fa5bf Renamed the AIK public key parameter to imc-attestation.aik_pubkey 2014-04-15 09:21:05 +02:00
Andreas Steffen c54c26dd17 Implemented configurable Device ID in OS IMC 2014-04-15 09:21:05 +02:00
Andreas Steffen 6d1b4b6baf Version bump to 5.2.0dr1 2014-04-15 09:20:38 +02:00
Andreas Steffen 266fcdce2b Version bump to 5.1.3 2014-04-14 15:18:38 +02:00
Tobias Brunner e59ce07bfa NEWS: Added info about CVE-2014-2338 2014-04-14 13:32:36 +02:00
Martin Willi 8503077175 ikev2: Reject CREATE_CHILD_SA exchange on unestablished IKE_SAs 
Prevents a responder peer to trick us into established state by starting
IKE_SA rekeying before the IKE_SA has been authenticated during IKE_AUTH.

Fixes CVE-2014-2338.
 2014-04-14 13:29:49 +02:00
Tobias Brunner abd7d3be9c eap-mschapv2: Fix potential leaks in case of invalid messages from servers 2014-04-09 18:27:02 +02:00
Tobias Brunner f0923ff377 pts: Make sure the complete AIK blob has been read 2014-04-09 17:47:32 +02:00
Tobias Brunner 8d34e55375 attr: Don't shift the 32-bit netmask by 32 
This is undefined behavior as per the C99 standard (sentence 1185):

 "If the value of the right operand is negative or is greater or equal
  to the width of the promoted left operand, the behavior is undefined."

Apparently shifts may be done modulo the width on some platforms so
a shift by 32 would not shift at all.
 2014-04-09 17:09:55 +02:00
Tobias Brunner f738753abc nm: Fix NULL-pointer dereference when handling TUN device failure 2014-04-09 16:35:46 +02:00
Tobias Brunner f7d04ba6c4 x509: Don't include authKeyIdentifier in self-signed certificates 
As the comment indicates this was the intention in
d7be290643 all along.
 2014-04-09 16:06:18 +02:00
Tobias Brunner 3f3680ec3f x509: Initialize certs when building optionalSignature for OCSP requests 2014-04-09 16:06:17 +02:00
Tobias Brunner a04ef18bda stroke: Fix memory leak when printing unknown AC group OIDs 2014-04-09 16:06:17 +02:00
Tobias Brunner 297bc06ca9 pki: Fix memory leak when printing unknown AC group OIDs 2014-04-09 15:56:11 +02:00
Tobias Brunner ce845838ea pki: Removed extra continue statement 2014-04-09 15:12:27 +02:00
Andreas Steffen 98ae0492b6 Added support for msSmartcardLogon EKU 2014-04-08 13:09:03 +02:00
Andreas Steffen e2df745122 Added some more OIDs 2014-04-08 11:32:30 +02:00
Andreas Steffen 6a44fcf929 Initialize m1 to suppress compiler warning 2014-04-07 13:29:39 +02:00
Andreas Steffen 4e9123a0b1 Fixed another dirname/basename refactoring bug. 
file was freed before use.
 2014-04-07 12:07:00 +02:00
Andreas Steffen d982e38b8b Fixed dirname/basename refactoring bug. 
Variables used in a database query have to be kept until the end of the enumeration
 2014-04-07 12:05:55 +02:00
Andreas Steffen 60451e2fb6 Added SHA3 OIDs 2014-04-04 23:44:55 +02:00
Andreas Steffen ab8ed95bfc Fixed pretest script in tnc/tnccs-20-pt-tls scenario 2014-04-04 23:04:54 +02:00
Tobias Brunner 23f34f6ed5 ike-cfg: Properly compare IKE proposals for equality 2014-04-03 09:46:41 +02:00
Tobias Brunner adc1157487 leak-detective: LEAK_DETECTIVE_DISABLE completely disables LD 
If lib->leak_detective is non-null some code parts (e.g. the plugin
loader) assume LD is actually used.
 2014-04-03 09:44:26 +02:00
Tobias Brunner 7a61bf9032 testing: Run 'conntrack -F' before all test scenarios 
This prevents failures due to remaining conntrack entries.
 2014-04-02 11:55:05 +02:00
Tobias Brunner f678bce84c unit-tests: Verify two bytes at once when testing chunk_clear() 
This reduces the chances of arbitrary test failures if the memory area
already got overwritten.
 2014-04-02 11:50:11 +02:00
Martin Willi b87f7840bc Merge branch 'tls-unit-tests' 
Add some initial unit-tests to libtls, testing all supported cipher suites
against self, both with and without client authentication, for all supported
TLS versions.
 2014-04-01 14:53:28 +02:00
Martin Willi 5ba9f73457 tls: Add a test case to check correct enum name mapping of cipher suites 2014-04-01 14:52:18 +02:00
Martin Willi 2c8d77394c tls: Add socket based tests testing all supported suites with TLS 1.2/1.1/1.0 2014-04-01 14:52:18 +02:00
Martin Willi 74162ed997 tls: Remove superfluous initializers in TLS AEAD implementations 2014-04-01 14:52:18 +02:00
Martin Willi e15f64cc81 tls: Support a maximum TLS version to negotiate using TLS socket abstraction 2014-04-01 14:28:55 +02:00
Martin Willi 5313880261 tls: Support a null encryption flag on TLS socket abstraction 2014-04-01 14:28:55 +02:00
Martin Willi ddf5222096 tls: Introduce a generic TLS purpose that accepts NULL encryption ciphers 2014-04-01 14:28:55 +02:00
Martin Willi ac5717c9e9 tls: Export a function to list supported TLS cipher suites 2014-04-01 14:28:55 +02:00