Martin Willi
d86bb6ef4d
Implemented Traffic Flow Confidentiality padding in kernel_interface
2010-12-20 09:45:39 +01:00
Andreas Steffen
814873a356
version bump to 4.5.1dr4
2010-12-19 09:46:59 +01:00
Andreas Steffen
f10e72341c
cast enumerated algorithm type as int
2010-12-18 20:24:53 +01:00
Andreas Steffen
840e7044e2
updated NEWS with new ipsec listalgs feature
2010-12-18 16:44:29 +01:00
Andreas Steffen
5932f41fcc
trace back crypto algorithms to the plugins that registered them
2010-12-18 16:31:12 +01:00
Tobias Brunner
ae09bc62bc
Added news about changes regarding strongswan.conf.
2010-12-17 17:32:14 +01:00
Tobias Brunner
5889e864a0
Moved "Reading values" section, typo fixed.
2010-12-17 17:31:42 +01:00
Andreas Steffen
c0cadd7182
version bump to 4.5.1dr3
2010-12-15 08:56:32 +01:00
Jiri Bohac
19b7f763b3
Install selectors on transport mode IPsec SAs.
This fixes several test cases in IKEv2_Self_Test (part of the IPv6 Ready
Logo Program) which is required for USGv6 certification, namely:
- IKEv2.EN.I.1.1.7.1, IKEv2.EN.I.1.1.7.1: Narrowing the range of members
of the set of traffic selectors
- IKEv2.EN.R.1.1.7.3: Narrowing multiple traffic selector
When traffic selectors of a triggered SA are narrowed by the responder, the
installed policy and the broader trap policy share the same reqid. Without
selectors on the IPsec SA, packets matching the trap policy, but not the
narrowed policy, would incorrectly be handled by that IPsec SA. Since only
one selector can be specified per IPsec SA, there is currently no solution
for tunnel mode SAs.
2010-12-13 15:28:40 +01:00
Andreas Steffen
e27554144a
increase sleep time in mediation scenarios
2010-12-12 21:54:44 +01:00
Andreas Steffen
7883e7ce33
fixed bug in mem_cred.c:add_crl()
2010-12-12 21:34:27 +01:00
Andreas Steffen
836d9a795b
reverted Connection ID to capital letters
2010-12-12 12:55:14 +01:00
Andreas Steffen
dc1b2eb2e8
fixed a bug in enum_from_name() function
2010-12-12 12:54:36 +01:00
Andreas Steffen
458e7779a8
reorganized ikev2/rw-eap-tnc scenarios
2010-12-12 12:51:14 +01:00
Andreas Steffen
146e9123a2
added the ikev2/rw-eap-tnc-20 scenario
2010-12-12 10:47:16 +01:00
Andreas Steffen
1b7e081bfa
NEWS for the 4.5.1dr2 release
2010-12-12 10:46:43 +01:00
Andreas Steffen
c2e625514d
some more cosmetics
2010-12-12 10:19:54 +01:00
Andreas Steffen
41216e6518
final cosmetics in PB-TNC debug output
2010-12-12 10:17:43 +01:00
Andreas Steffen
54eb669dd5
implemented PB-TNC message parsing checks
2010-12-12 00:42:31 +01:00
Andreas Steffen
3a4695dc5e
some code optimizations
2010-12-11 00:52:53 +01:00
Andreas Steffen
781730b86a
support handshake retry requests
2010-12-10 23:41:12 +01:00
Andreas Steffen
4ca368d223
the PB-TNC protocol is working
2010-12-10 23:21:13 +01:00
Andreas Steffen
512d2e045f
refactored message handling
2010-12-10 17:09:21 +01:00
Andreas Steffen
af1e3ff567
do not accept results and recommendation messages from clients
2010-12-10 17:04:11 +01:00
Andreas Steffen
7289f4424a
defined some additional Private Enterprise Numbers
2010-12-10 14:58:33 +01:00
Andreas Steffen
5988fc0dfd
define pb_tnc_state_machine_t object
2010-12-10 14:56:40 +01:00
Andreas Steffen
755f2419a5
debug cosmetics
2010-12-10 11:55:02 +01:00
Martin Willi
cf5866b9c0
Renamed purgex509/crl to purgecerts/crls to be consistent with list commands
2010-12-10 11:21:55 +01:00
Andreas Steffen
7e7efa647e
implemented handling of received PB-TNC messages
2010-12-10 11:16:57 +01:00
Martin Willi
6aa144ddb7
Added options to flush CRLs/X509 certs from the cert cache
2010-12-10 09:45:22 +01:00
Andreas Steffen
68fada37b1
refactored PB-TNC state machine in receive direction
2010-12-09 23:38:38 +01:00
Andreas Steffen
7382a639fb
refactored PB-TNC state machine in send direction
2010-12-09 23:18:55 +01:00
Andreas Steffen
4333c48a1b
pb_tnc_batch_t class implements parsing and building of PB-TNC batches
2010-12-09 21:33:12 +01:00
Andreas Steffen
2f942ba67d
fixed memory corruption
2010-12-08 12:15:53 +01:00
Martin Willi
86993d6b90
Never register IKE_SA during checkout_new, as rekeying keeps it checked out
2010-12-07 16:30:38 +01:00
Tobias Brunner
e6f42b0721
Include the destination net in the policy priority calculation.
The resulting priorities are as follows:
              IPv6                 IPv4
        routed    normal     routed    normal
max   4096(+3)  2048(+3)   4096(+3)  2048(+3)
min   3072      1024       3840      1792
Where min is for a policy between two single hosts and max is
for /0 on both ends (lower priorities are preferred by the kernel).
(+3) applies for cases where no protocol and no ports are defined.
2010-12-07 12:14:50 +01:00
Andreas Steffen
4332cd7f95
added newline
2010-12-07 09:02:55 +01:00
Andreas Steffen
faccd69068
re-introduced comment
2010-12-07 09:01:28 +01:00
Andreas Steffen
a42aaed64f
Migrated stroke_control_t to INIT/METHOD macros
2010-12-07 08:58:57 +01:00
Andreas Steffen
d31aec9fa7
Migrated stroke_plugin_t to INIT/METHOD macros
2010-12-07 08:01:56 +01:00
Thomas Egerer
76ce213c43
Guarantee entry->other is set when calling put_connected_peers
Given the original intent of entry->host, the check for DoS attacks, it
can happen that this value remains NULL when an entry is created. This
is particularly awkward if put_connected_peers is called to check if a
connection to a given peer already exists, since it takes the address
family into consideration (git commit b74219d0) which is gleaned from
entry->host.
This patch guarantees that entry->other is a clone of host before
put_connected_peers is called.
2010-12-06 10:56:57 +01:00
Andreas Steffen
2965eb3cc7
added sql/multi-level-ca scenario
2010-12-05 21:53:43 +01:00
Andreas Steffen
93cbe45c09
stupid typo
2010-12-05 15:48:22 +01:00
Andreas Steffen
fba18c5105
cosmetics
2010-12-05 15:23:18 +01:00
Andreas Steffen
02f08ef910
cosmetics
2010-12-05 15:16:15 +01:00
Andreas Steffen
a6bf8e9118
added parsing checks
2010-12-05 15:01:01 +01:00
Andreas Steffen
58d73d38bc
output TLS-independent error messages
2010-12-05 14:55:18 +01:00
Andreas Steffen
13a7f5f3e3
added certificate_authorities and certificate_distribution_points tables
2010-12-05 11:30:06 +01:00
Andreas Steffen
2da636fd9b
support of reqid field in SQL database
2010-12-05 11:21:40 +01:00
Andreas Steffen
e150442bed
fixed pb_reason_string_message_t class
2010-12-05 11:20:18 +01:00