Tobias Brunner
304c7615bd
ike-auth: Support IKE_INTERMEDIATE exchange between IKE_SA_INIT and IKE_AUTH
2021-03-21 12:22:43 +01:00
Tobias Brunner
1e08167fc0
child-create: Support IKE_INTERMEDIATE exchange between IKE_SA_INIT and IKE_AUTH
2021-03-21 12:22:43 +01:00
Tobias Brunner
5094ad602d
ike-mobike: Support IKE_INTERMEDIATE exchange between IKE_SA_INIT and IKE_AUTH
This changes the MID of the first IKE_AUTH message.
2021-03-21 12:22:42 +01:00
Tobias Brunner
7e7c2778f0
ike-config: Support IKE_INTERMEDIATE exchange between IKE_SA_INIT and IKE_AUTH
This changes the MID of the first IKE_AUTH message.
2021-03-21 12:22:42 +01:00
Tobias Brunner
f3f3f25676
ike-cert-post: Make absolutely sure certificates are only added to IKE_AUTH
The AUTH payload check should be fine, but add some extra checks just to make
really sure and also for clarification.
2021-03-21 12:22:42 +01:00
Tobias Brunner
a6fee86af4
ike-cert-pre: Support IKE_INTERMEDIATE exchange between IKE_SA_INIT and IKE_AUTH
The first IKE_AUTH does not have MID 1 if that's the case.
2021-03-21 12:22:42 +01:00
Tobias Brunner
6059db73c2
status: Add return_need_more() utility function
2021-03-21 12:22:42 +01:00
Tobias Brunner
259ee217cf
message: Add rules for IKE_FOLLOWUP_KE exchanges
2021-03-21 12:22:42 +01:00
Tobias Brunner
5cab54fe54
wip: ike-header: Add IKE_FOLLOWUP_KE exchange type
2021-03-21 12:22:42 +01:00
Tobias Brunner
9f9b165cca
message: Add rules for IKE_INTERMEDIATE exchanges
2021-03-21 12:22:42 +01:00
Tobias Brunner
5be6907b0e
wip: ike-header: Add IKE_INTERMEDIATE exchange type
2021-03-21 12:22:42 +01:00
Tobias Brunner
0274431403
wip: notify-payload: Add notify types for multiple key exchanges
2021-03-21 12:22:42 +01:00
Tobias Brunner
6d94980fb3
wip: notify-payload: Add notify type for IKE_INTERMEDIATE exchange
2021-03-21 12:22:42 +01:00
Tobias Brunner
a6d5cb6c81
proposal-substructure: Encode additional key exchange methods
2021-03-21 12:22:42 +01:00
Tobias Brunner
5837fac164
child-cfg: Add method to check if an algorithm is proposed
2021-03-21 12:22:42 +01:00
Tobias Brunner
679ad84164
child-cfg: Generalize get_ke_method() method
2021-03-21 12:22:42 +01:00
Tobias Brunner
d7ab3a2588
ike-cfg: Generalize get_ke_method() method
2021-03-21 12:22:42 +01:00
Tobias Brunner
a3588bf943
proposal: Generalize KE methods
2021-03-21 12:22:42 +01:00
Tobias Brunner
0494de1883
proposal: Make all key exchange transforms optional in ESP/AH proposals
2021-03-21 12:22:42 +01:00
Tobias Brunner
a6ccfd08e7
proposal: Skip all KE transforms if PROPOSAL_SKIP_KE given
2021-03-21 12:22:42 +01:00
Tobias Brunner
f91e4b3709
transform: Add helper to check if transform type negotiates key exchange
2021-03-21 12:22:42 +01:00
Tobias Brunner
18ffccbd67
transform: Add additional key exchange transform types
2021-03-21 12:22:42 +01:00
Tobias Brunner
0cce60bbe7
Rename diffie_hellman_t to key_exchange_t and change the interface etc.
This makes it more generic so we can use it for QSKE methods.
2021-03-21 12:22:42 +01:00
Andreas Steffen
a91eb3eb96
wolfssl: Support SHA3
2021-03-20 11:15:42 +01:00
Andreas Steffen
b57215ba2b
wolfssl: Support AES_ECB
2021-03-20 11:15:42 +01:00
Andreas Steffen
bd323ae6c8
openssl: Migrate from deprecated EC_POINT_[set|get]_affine_coordinates_GFp() functions
2021-03-19 08:50:27 +01:00
Petr Gotthard
c5eac9c390
libcharon: Include libtpmtss in monolithic build
2021-03-17 12:14:47 +01:00
Andreas Steffen
6aef079f59
testing: Bump guest kernel to Linux 5.11
2021-03-07 14:39:44 +01:00
Andreas Steffen
87ba3a424d
Version bump to 5.9.2
5.9.2
2021-02-26 11:30:13 +01:00
Tobias Brunner
88c4d8cb22
Merge branch 'sha2-no-trunc'
Closes strongswan/strongswan#215.
2021-02-23 17:30:11 +01:00
Tobias Brunner
875813c055
save-keys: Fix length of AES-GCM with 12-byte ICV
2021-02-23 17:28:46 +01:00
Michał Skalski
b6b8880340
save-keys: Add support for full-length HMAC-SHA256 for ESP
Wireshark doesn't really support it, but this way it at least decodes
the ESP packets correctly and the encryption keys are saved and the
packets can be decrypted. The full-length versions of SHA-384 and
SHA-512 are not supported by Wireshark as 256-bit is the longest ICV
it is able to decode currently.
2021-02-23 17:28:46 +01:00
Michał Skalski
c632aa7b31
kernel-netlink: Add support for full-length HMAC-SHA2 algorithms
2021-02-23 17:28:46 +01:00
Michał Skalski
aa6da3700a
keymat: Add support for full-length HMAC-SHA2 algorithms
2021-02-23 17:23:29 +01:00
Michał Skalski
7a8cd5d6d0
af-alg: Fix typo in algorithm mapping for full-size HMAC-SHA-256
2021-02-23 09:25:44 +01:00
Andreas Steffen
356f87355b
Version bump to 5.9.2rc2
5.9.2rc2
2021-02-21 10:40:34 +01:00
Andreas Steffen
20c47af319
testing: Use TLS 1.3 in TNC PT-TLS tests
2021-02-21 09:48:34 +01:00
Andreas Steffen
9f55246018
testing: Added mgf1 plugin to load statement
2021-02-19 17:41:44 +01:00
Andreas Steffen
283b352cee
Merge branch 'tls-fixes'
5.9.2rc1
2021-02-18 20:28:33 +01:00
Andreas Steffen
d08fa4bd0a
Version bump to 5.9.2rc1
2021-02-18 20:16:17 +01:00
Tobias Brunner
48f4f9f667
pt-tls-server: Make TLS client authentication optional as appropriate
2021-02-18 15:41:52 +01:00
Tobias Brunner
82116dba66
tls-test: Add option to make client authentication optional
2021-02-18 15:39:35 +01:00
Tobias Brunner
760f3b730f
tls-server: Add flag that makes client authentication optional
This allows clients to send an empty certificate payload if the server
sent a certificate request. If an identity was set previously, it will
be reset so get_peer_id() may be used to check if the client was
authenticated.
2021-02-18 15:35:46 +01:00
Tobias Brunner
11a4687930
libtls: Add control flags and replace GENERIC_NULLOK purpose with one
2021-02-18 15:10:29 +01:00
Tobias Brunner
602947d48a
pt-tls-server: Explicitly request client authentication if necessary
The PT_TLS_AUTH_TLS_OR_SASL case currently can't be implemented properly
as TLS authentication will be enforced if a client identity is configured
on the TLS server socket.
2021-02-18 12:49:54 +01:00
Tobias Brunner
4b7cfb252e
tls-server: Use subject DN as peer identity if it was ID_ANY
To request client authentication if we don't know the client's identity,
it's possible to use ID_ANY. However, if we don't change the identity
get_peer_id() would still report ID_ANY after the authentication.
2021-02-18 12:34:05 +01:00
Tobias Brunner
d5606ec350
testing: Adapt some checks as SHA-384 is now preferred for TLS signatures
2021-02-18 12:02:54 +01:00
Tobias Brunner
024120f8ea
tls-eap: Only servers conclude EAP method after processing packets
As a client with older TLS versions, we have to ack the receipt of the server's
Finished message instead.
Fixes: 083f38259c79 ("tls-eap: Conclude EAP method also after processing packets")
2021-02-18 12:02:32 +01:00
Stefan Berghofer
f7613cb581
ike-sa: Properly set timing info for delete after rekeying
The job is queued properly, yet the timing information is wrong.
Signed-off-by: Stefan Berghofer <stefan.berghofer@secunet.com>
Fixes: ee61471113c2 ("implemented RFC4478 (repeated authentication)...")
2021-02-18 10:02:55 +01:00
Tobias Brunner
d65d4eab73
NEWS: Add news for 5.9.2
2021-02-17 15:24:36 +01:00