d86bb6ef4d
Implemented Traffic Flow Confidentiality padding in kernel_interface
2010-12-20 09:45:39 +01:00
814873a356
version bump to 4.5.1dr4
2010-12-19 09:46:59 +01:00
f10e72341c
cast enumerated algorithm type as int
2010-12-18 20:24:53 +01:00
840e7044e2
updated NEWS with new ipsec listalgs feature
2010-12-18 16:44:29 +01:00
5932f41fcc
trace back crypto algorithms to the plugins that registered them
2010-12-18 16:31:12 +01:00
ae09bc62bc
Added news about changes regarding strongswan.conf.
2010-12-17 17:32:14 +01:00
5889e864a0
Moved "Reading values" section, typo fixed.
2010-12-17 17:31:42 +01:00
c0cadd7182
version bump to 4.5.1dr3
2010-12-15 08:56:32 +01:00
19b7f763b3
Install selectors on transport mode IPsec SAs.
...
This fixes several test cases in IKEv2_Self_Test (part of the IPv6 Ready
Logo Program) which is required for USGv6 certification, namely:
- IKEv2.EN.I.1.1.7.1, IKEv2.EN.I.1.1.7.1: Narrowing the range of members
of the set of traffic selectors
- IKEv2.EN.R.1.1.7.3: Narrowing multiple traffic selector
When traffic selectors of a triggered SA are narrowed by the responder, the
installed policy and the broader trap policy share the same reqid. Without
selectors on the IPsec SA packets matching the trap policy, but not the
narrowed policy, would incorrectly be handled by that IPsec SA. Since only
one selector can be specified per IPsec SA, there is currently no solution
for tunnel mode SAs.
2010-12-13 15:28:40 +01:00
e27554144a
increase sleep time in mediation scenarios
2010-12-12 21:54:44 +01:00
7883e7ce33
fixed bug in mem_cred.c:add_crl()
2010-12-12 21:34:27 +01:00
836d9a795b
reverted Connection ID to capital letters
2010-12-12 12:55:14 +01:00
dc1b2eb2e8
fixed a bug in enum_from_name() function
2010-12-12 12:54:36 +01:00
458e7779a8
reorganized ikev2/rw-eap-tnc scenarios
2010-12-12 12:51:14 +01:00
146e9123a2
added the ikev2/rw-eap-tnc-20 scenario
2010-12-12 10:47:16 +01:00
1b7e081bfa
NEWS for the 4.5.1dr2 release
2010-12-12 10:46:43 +01:00
c2e625514d
some more cosmetics
2010-12-12 10:19:54 +01:00
41216e6518
final cosmetics in PB-TNC debug output
2010-12-12 10:17:43 +01:00
54eb669dd5
implemented PB-TNC message parsing checks
2010-12-12 00:42:31 +01:00
3a4695dc5e
some code optimizations
2010-12-11 00:52:53 +01:00
781730b86a
support handshake retry requests
2010-12-10 23:41:12 +01:00
4ca368d223
the PB-TNC protocol is working
2010-12-10 23:21:13 +01:00
512d2e045f
refactored message handling
2010-12-10 17:09:21 +01:00
af1e3ff567
do not accept results and recommendation messages from clients
2010-12-10 17:04:11 +01:00
7289f4424a
defined some additional Private Enterprise Numbers
2010-12-10 14:58:33 +01:00
5988fc0dfd
define pb_tnc_state_machine_t object
2010-12-10 14:56:40 +01:00
755f2419a5
debug cosmetics
2010-12-10 11:55:02 +01:00
cf5866b9c0
Renamed purgex509/crl to purgecerts/crls to be consistent with list commands
2010-12-10 11:21:55 +01:00
7e7efa647e
implemented handling of received PB-TNC messages
2010-12-10 11:16:57 +01:00
6aa144ddb7
Added options to flush CRLs/X509 certs from the cert cache
2010-12-10 09:45:22 +01:00
68fada37b1
refactored PB-TNC state machine in receive direction
2010-12-09 23:38:38 +01:00
7382a639fb
refactored PB-TNC state machine in send direction
2010-12-09 23:18:55 +01:00
4333c48a1b
pb_tnc_batch_t class implements parsing and building of PB-TNC batches
2010-12-09 21:33:12 +01:00
2f942ba67d
fixed memory corruption
2010-12-08 12:15:53 +01:00
86993d6b90
Never register IKE_SA during checkout_new, as rekeying keeps it checked out
2010-12-07 16:30:38 +01:00
e6f42b0721
Include the destination net in the policy priority calculation.
...
The resulting priorities are as follows:
IPv6 IPv4
routed normal routed normal
max 4096(+3) 2048(+3) 4096(+3) 2048(+3)
min 3072 1024 3840 1792
Where min is for a policy between two single hosts and max is
for /0 on both ends (lower priorities are preferred by the kernel).
(+3) applies for cases where no protocol and no ports are defined.
2010-12-07 12:14:50 +01:00
4332cd7f95
added newline
2010-12-07 09:02:55 +01:00
faccd69068
re-introduced comment
2010-12-07 09:01:28 +01:00
a42aaed64f
Migrated stroke_control_t to INIT/METHOD macros
2010-12-07 08:58:57 +01:00
d31aec9fa7
Migrated stroke_plugin_t to INIT/METHOD macros
2010-12-07 08:01:56 +01:00
76ce213c43
Guarantee entry->other is set when calling put_connected_peers
...
Given the original intent of entry->host, the check for DoS attacks, it
can happen that this value remains NULL when an entry is created. This
is particularly awkward if put_connected_peers is called to check if a
connection to a given peer already exists, since it takes the address
family into consideration (git commit b74219d0) which is gleaned from
entry->host.
This patch guarantees that entry->other is a clone of host before
put_connected_peers is called.
2010-12-06 10:56:57 +01:00
2965eb3cc7
added sql/multi-level-ca scenario
2010-12-05 21:53:43 +01:00
93cbe45c09
stupid typo
2010-12-05 15:48:22 +01:00
fba18c5105
cosmetics
2010-12-05 15:23:18 +01:00
02f08ef910
cosmetics
2010-12-05 15:16:15 +01:00
a6bf8e9118
added parsing checks
2010-12-05 15:01:01 +01:00
58d73d38bc
output TLS-independent error messages
2010-12-05 14:55:18 +01:00
13a7f5f3e3
added certificate_authorities and certificate_distribution_points tables
2010-12-05 11:30:06 +01:00
2da636fd9b
support of reqid field in SQL database
2010-12-05 11:21:40 +01:00
e150442bed
fixed pb_reason_string_message_t class
2010-12-05 11:20:18 +01:00
Martin Willi