sharpetronics/strongswan
1
0
Fork 0
mirror of https://github.com/strongswan/strongswan.git synced 2025-10-05 00:00:45 -04:00
Code Issues Projects Releases Wiki Activity
9,033 Commits 101 Branches 327 Tags
Commit Graph

9033 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Tobias Brunner
95e41fb80a starter: Drop support for %defaultroute. 2012-06-11 17:33:29 +02:00
Tobias Brunner
163b227386 starter: Migrated logging to libstrongswan. 2012-06-11 17:33:29 +02:00
Tobias Brunner
bcfb6b8efc starter: Remove unneeded starter_exec function. 2012-06-11 17:33:29 +02:00
Tobias Brunner
d7c3fd5421 scepclient: Option added to read PKCS#10 certificate request from a file. 2012-06-11 17:33:29 +02:00
Tobias Brunner
cea9bf563a scepclient: Option added to read self-signed certificate from a file. 2012-06-11 17:33:29 +02:00
Tobias Brunner
3a7c6b39b5 scepclient: Generate uppercase transaction ID. 2012-06-11 17:33:29 +02:00
Tobias Brunner
f79b665243 scepclient: Use HTTP 1.0 for all requests. 2012-06-11 17:33:28 +02:00
Tobias Brunner
1d81b1ab18 scepclient: Options added to specify digest/signature algorithms. 
Also changed the defaults to DES/MD5 as that's what should be used
if GetCACaps is not used to learn the issuers capabilities.
 2012-06-11 17:33:28 +02:00
Tobias Brunner
cc55783f36 Added function to convert integrity algorithms to hash algorithms (if based on one). 2012-06-11 17:33:28 +02:00
Tobias Brunner
82e526ce81 Properly encode 0 in ASN.1. 
According to X.690 an INTEGER object always has at least one content
octet.
 2012-06-11 17:09:20 +02:00
Tobias Brunner
e8120632ae Don't use chunk_skip() in asn1_length(). 
chunk_skip() returns chunk_empty if the length of the chunk is equal to
the number of bytes to skip, this is problematic as asn1_length() modifies
the original chunk.  asn1_parser_t for instance uses the modified chunk to
later calculate the length of the resulting ASN.1 object which produces
incorrect results if it is based on chunk_empty.
 2012-06-11 17:09:20 +02:00
Tobias Brunner
6e6d78a561 Changed memory management and call logic in PKCS#7 parser/generator. 2012-06-11 17:09:20 +02:00
Tobias Brunner
2bf125f0ed Changed memory management and attribute handling in PKCS#9 wrapper. 2012-06-11 17:09:20 +02:00
Tobias Brunner
f912fedc9b scepclient: Also number CA certificates in case there is more than one. 
Also, only number them if there are multiple certificates.
 2012-06-11 17:09:19 +02:00
Tobias Brunner
04ff78aa33 scepclient: Store received RA certificates, using CA cert name as base. 2012-06-11 17:09:19 +02:00
Tobias Brunner
c6a2aa49b4 scepclient: Use pkcs7_t and pkcs9_t, remove all dependencies to pluto/libfreeswan. 2012-06-11 17:09:19 +02:00
Tobias Brunner
ea92d4f305 Added get_attributes() method to pkcs7_t. 2012-06-11 17:09:19 +02:00
Tobias Brunner
dd93aefc09 scepclient: Local generation of file names. 2012-06-11 17:09:19 +02:00
Tobias Brunner
50e51bee54 scepclient: Replaced usages of datatot(). 2012-06-11 17:09:19 +02:00
Tobias Brunner
a2ddcc3695 scepclient: Migrated logging to libstrongswan. 2012-06-11 17:09:19 +02:00
Tobias Brunner
a69d8dd000 Log group added for applications other than daemons. 2012-06-11 17:09:19 +02:00
Tobias Brunner
25924d3e45 scepclient: Some code cleanup. 2012-06-11 17:09:19 +02:00
Tobias Brunner
07f0abd7ac Updated PKCS#7 parser/generator in libstrongswan. 
Added some functionality from pluto's version, updated usage of asn1
and crypto primitives. It does compile but is not really tested yet.
 2012-06-11 17:09:19 +02:00
Andreas Steffen
fd03443f42 added missing parameter in get_my_addr() and get_other_addr() calls 2012-06-09 14:06:45 +02:00
Andreas Steffen
1527307ec9 version bump to 5.0.0rc1 2012-06-09 14:05:08 +02:00
Andreas Steffen
47f8ae7cfd added ikev1/dynamic scenarios using allow-any 2012-06-08 22:54:12 +02:00
Andreas Steffen
7cc65a0376 removed whitespace 2012-06-08 22:34:49 +02:00
Andreas Steffen
d9e1b4c033 added ikev2/dynamic-two-peers scenario 2012-06-08 21:52:20 +02:00
Andreas Steffen
68f3e2462a added ikev2/dynamic-responder scenario 2012-06-08 21:24:42 +02:00
Andreas Steffen
420e77c2d0 added ikev2/dynamic-initiator scenario 2012-06-08 21:24:41 +02:00
Andreas Steffen
1d315bddd3 implemented the right|leftallowany feature 2012-06-08 21:24:41 +02:00
Martin Willi
e5f0f9ff96 Enforce uniqueness policy in IKEv1 main and aggressive modes 2012-06-08 16:15:22 +02:00
Tobias Brunner
4a10eda1a0 starter: Go back to single threaded mode. 
Mixing multiple threads and fork(2) wasn't a very good idea it seems.
At least in some environments this caused strange side-effects.
 2012-06-08 14:12:07 +02:00
Tobias Brunner
05ca56558c Disabled listening for kernel events in starter. 2012-06-08 14:12:06 +02:00
Martin Willi
82ad53b776 Try to rekey without KE exchange if peer returns INVALID_KE_PAYLOAD(NONE) 
According to RFC5996, implementations should just ignore the KE payload
if they select a non-PFS proposals. Some implementations don't, but
return MODP_NONE in INVALID_KE_PAYLOAD, hence we accept that, too.
 2012-06-08 10:35:02 +02:00
Martin Willi
2d4c347af9 While checking for redundant quick modes, compare traffic selectors 
If a configuration is instanced more than once using narrowing,
we should keep all unique quick modes up during rekeying.
 2012-06-08 10:22:03 +02:00
Martin Willi
106b938b6b Store shorter soft lifetime of in- and outbound SAs only 2012-06-08 10:22:03 +02:00
Martin Willi
7a5f372c57 Initiate quick mode rekeying with narrowed traffic selectors 2012-06-08 10:22:03 +02:00
Martin Willi
d61f2906d4 Use traffic selectors passed to quick mode constructor as initiator 2012-06-08 10:22:03 +02:00
Martin Willi
1e24fa4614 Instead of rekeying, delete a quick mode if we have a fresher instance 
If both peers initiate quick mode rekeying simultaneously, we end up
with duplicate SAs for a configuration. This can't be avoided, nor do
the standards provide an appropriate solution. Instead of closing one
SA immediately, we keep both. But once rekeying triggers, we don't
refresh the SA with the shorter soft lifetime, but delete it.
 2012-06-08 10:22:03 +02:00
Tobias Brunner
9e9295ed10 Properly handle empty RDN values in DN strings. 2012-06-07 16:50:11 +02:00
Tobias Brunner
9041c074b3 Properly install policies with ports in PF_KEY kernel interface. 2012-06-07 14:37:00 +02:00
Martin Willi
ab24a32edf As responder, enforce the same configuration while rekeying CHILD_SAs 2012-06-06 16:06:49 +02:00
Tobias Brunner
b200fa573b starter: Only handle SIGCHLD asynchronously and the rest in pselect(2). 2012-06-06 14:23:25 +02:00
Martin Willi
21043198ff Show expiration time of rekeyed CHILD_SAs in statusall 2012-06-05 10:29:43 +02:00
Tobias Brunner
18a3741042 starter: (De-)Initialize logging when forking. 2012-06-05 09:22:16 +02:00
Tobias Brunner
402ae88af9 starter: Close open file descriptors when forking daemons. 2012-06-04 18:09:56 +02:00
Tobias Brunner
89c97952bd starter: Changed signal handling now that starter is multi-threaded. 2012-06-04 18:09:56 +02:00
Tobias Brunner
c8f7a114b6 Mark CHILD_SAs used for trap policies to uninstall them properly. 
If the installation failed the state is not CHILD_ROUTED which means the
wrong priority is used to uninstall the policies.  This is a problem for
kernel interfaces that keep track of installed policies as now the proper
policy is not found (if the priority is considered).
 2012-06-04 18:04:48 +02:00
Tobias Brunner
93d9a02e9e NEWS for 4.6.4 added. 2012-05-31 17:40:01 +02:00