Andreas Steffen
02d431022c
Refactored certificate management for the vici and stroke interfaces
2015-12-12 00:19:24 +01:00
Andreas Steffen
4df09fe563
Modified vici_cert_info class for use with load_creds and vici_cred
2015-12-11 22:14:38 +01:00
Andreas Steffen
9dd8bfb2ce
Changed some certificate_type_names and added x509_flag_names
2015-12-11 18:26:55 +01:00
Andreas Steffen
44d3b02b57
Removed VICI protocol versioning
2015-12-11 18:26:55 +01:00
Andreas Steffen
b6dba6db74
Use of certificate_printer by swanctl --list-certs command
2015-12-11 18:26:55 +01:00
Andreas Steffen
334119b843
Share vici_cert_info.c with vici_cred.c
2015-12-11 18:26:55 +01:00
Andreas Steffen
ef43df6cbe
Allow msSmartcardLogon EKU to be built
2015-12-11 18:26:54 +01:00
Andreas Steffen
fad851e2d3
Use VICI 2.0 protocol version for certificate queries
2015-12-11 18:26:54 +01:00
Andreas Steffen
5d909303d8
Sort certificate types during enumeration
2015-12-11 18:26:54 +01:00
Andreas Steffen
75749971e1
Define VICI protocol versions
2015-12-11 18:26:54 +01:00
Tobias Brunner
74270c8c86
vici: Don't report memory usage via leak-detective
This slowed down the `swanctl --stats` calls in the test scenarios
significantly, with not much added value.
2015-12-11 18:26:53 +01:00
Andreas Steffen
fd90f0613c
Print OCSP single responses
2015-12-11 18:26:53 +01:00
Andreas Steffen
3317d0e77b
Standardized printing of certificate information
The certificate_printer class allows the printing of certificate
information to a text file (usually stdout). This class is used
by the pki --print and swanctl --list-certs commands as well as
by the stroke plugin.
2015-12-11 18:26:53 +01:00
Tobias Brunner
36d42daf4d
imv-attestation: Fix memory leaks when creating functional components
2015-12-11 15:18:38 +01:00
Tobias Brunner
7f52715655
ipsec: Fix stop command on systems where sleep(1) only supports integers
Fixes #1231.
2015-12-10 11:46:21 +01:00
Martin Willi
1a8a420c1c
vici: Fix documentation about the initiate/terminate timeout
2015-12-07 10:28:45 +01:00
Martin Willi
eaca77d03e
vici: Honor an optionally passed IKE configuration name in initiate/install
If two IKE configurations have CHILD configurations with the same name,
we have no control over which CHILD_SA actually gets controlled. The
new "ike" parameter specifies the peer config name to find the "child" config
under.
2015-12-07 10:28:45 +01:00
Martin Willi
5e79ae2d65
vici: Support completely asynchronous initiating and termination
In some situations the vici client is not interested in waiting for a
timeout at all, so don't register a logging callback if the timeout argument
is negative.
2015-12-07 10:28:45 +01:00
Martin Willi
1db918c4f8
vici: Use an empty local auth round if none given
While it hardly makes sense to use none for negotiated SAs, it actually does
when installing shunt policies.
2015-12-07 10:05:07 +01:00
Martin Willi
b26ba1b4a4
vici: Limit start action undoing to IKE_SAs using the base peer config name
If two peer configs use the same child config names, we could potentially delete
the wrong CHILD_SA. Check the peer config name as well to avoid that.
2015-12-07 10:05:07 +01:00
Martin Willi
23b1f71372
vici: Close empty IKE_SAs after undoing CHILD_SA start actions
2015-12-07 10:05:07 +01:00
Martin Willi
2facf18833
vici: Use value based array to store CHILD_SA ids during restart
The previous approach stored a pointer to a volatile stack variable, which
works for a single ID, but not for multiple.
2015-12-07 10:05:07 +01:00
Martin Willi
01caed533b
array: Add an insert/create function for value based arrays
2015-12-07 10:05:07 +01:00
Martin Willi
f3b2d4a9d8
vici: Undo start actions when unloading configs
2015-12-07 10:05:07 +01:00
Tobias Brunner
63a778a25d
vici: Fix clean-local target for Perl bindings if they were not built
This is called when running `make distclean` (or indirectly via `make
distcheck`).
2015-12-04 12:10:57 +01:00
Martin Willi
057e6cc524
byteorder: Provide a fallback for le32toh/htole32()
Some older toolchains don't provide these macros, so implement them using
the gcc builtins. We also provide 64-bit variants as used by chapoly.
2015-12-04 10:29:09 +01:00
Martin Willi
8fa0c7bc77
byteorder: Add 32-bit unaligned little-endian conversion functions
2015-12-04 10:29:09 +01:00
Martin Willi
9709418871
swanctl: Explicitly link against -lpthread and -ldl if required
We already do this for charon, as some toolchains require an explicit
link even if libstrongswan already depends on it.
2015-12-04 08:02:03 +01:00
Martin Willi
41106e7993
pki: Explicitly link against -lpthread and -ldl if required
We already do this for charon, as some toolchains require an explicit
link even if libstrongswan already depends on it.
2015-12-04 08:02:03 +01:00
Martin Willi
8b0c9cf155
watcher: Check for cancellation if poll() fails with EINTR
With LinuxThreads, poll() is unfortunately not a cancellation point. It seems
that poll gets woken up after cancellation, but we must actively check
for cancellation before re-entering poll to properly shut down the watcher
thread.
2015-12-04 08:01:15 +01:00
Andreas Steffen
7d24aa0624
Extended and refactored vici perl implementation
2015-12-01 14:52:43 +01:00
Andreas Steffen
a17b6d469c
Built the CPAN file structure for the Vici::Session perl module
2015-12-01 14:52:43 +01:00
Andreas Steffen
a101bce862
Implement vici Perl binding
2015-12-01 14:52:43 +01:00
Tobias Brunner
731cf55579
swanctl: Add --list-algs command to query loaded algorithms
2015-11-30 10:55:55 +01:00
Tobias Brunner
de34defcd0
vici: Add get-algorithms command to query loaded algorithms and implementations
2015-11-30 10:55:55 +01:00
Tobias Brunner
88b85e022a
sigwaitinfo() may fail with EINTR if interrupted by an unblocked signal not in the set
Fixes #1213.
2015-11-23 11:37:19 +01:00
Tobias Brunner
b675909662
kernel-pfkey: Enable ENCR_CAMELLIA_CBC when it's available
Fixes #1214.
2015-11-23 11:20:30 +01:00
Tobias Brunner
5461efe7b9
utils: Use the more low-level __NR_ prefix to refer to the syscall number
The __NR_ constants are also defined in the Android headers.
2015-11-17 17:21:36 +01:00
Thom Troy
ac36ede93c
eap-radius: Add ability to configure RADIUS retransmission behavior
Closes strongswan/strongswan#19.
2015-11-17 14:25:08 +01:00
Tobias Brunner
f9c5c80553
eap-mschapv2: Keep internal state to prevent authentication from succeeding prematurely
We can't allow a client to send us MSCHAPV2_SUCCESS messages before it
was authenticated successfully.
Fixes CVE-2015-8023.
2015-11-16 13:19:36 +01:00
Tobias Brunner
fe48e4ae31
android: Suppress compiler warnings about missing field initializers
Triggered by -Wextra for many INIT usages where we only partially
initialize a struct.
2015-11-13 18:24:45 +01:00
Tobias Brunner
ef4279f2e5
utils: Provide a fallback for sigwaitinfo() if needed
Apparently, not available on Mac OS X 10.10 Yosemite. We don't provide
this on Windows.
2015-11-13 18:24:45 +01:00
Tobias Brunner
176c24b8e1
vici: Attribute certificates are not trusted
2015-11-12 14:45:43 +01:00
Tobias Brunner
e5e352e631
vici: Properly add CRLs to the credential set
add_crl() ensures that old CRLs are not stored in the credential set.
2015-11-12 14:45:42 +01:00
Tobias Brunner
322a11ccbb
mode-config: Reassign migrated virtual IP if client requests %any
If we mistakenly detect a new IKE_SA as a reauthentication the client
won't request the previous virtual IP, but since we already migrated
it we already triggered the assign_vips() hook, so we should reassign
the migrated virtual IP.
Fixes #1152.
2015-11-12 14:42:36 +01:00
Tobias Brunner
e161238e8e
revocation: Allow CRLs to be encoded in PEM format
Since the textual representation for a CRL is now standardized
in RFC 7468 one could argue that we should accept that too, even
though RFC 5280 explicitly demands CRLs fetched via HTTP/FTP to
be in DER format. But in particular for file URIs enforcing that
seems inconvenient.
Fixes #1203.
2015-11-12 14:40:44 +01:00
Tobias Brunner
15d715dace
curl: Be less strict when considering status codes as errors
For file:// URIs the code is 0 on success. We now do the same libcurl
would do with CURLOPT_FAILONERROR enabled.
Fixes #1203.
2015-11-12 14:40:37 +01:00
Tobias Brunner
fdfbd401c3
eap-radius: Compare address family when handing out virtual IPs
This also ensures that the actually released virtual IP is removed from
the list of claimed IPs.
Fixes #1199.
2015-11-12 14:32:11 +01:00
Tobias Brunner
1d4b767275
eap-mschapv2: Report username if different from EAP-Identity (or IKE identity)
2015-11-12 14:21:06 +01:00
Tobias Brunner
8f5e481953
eap-mschapv2: Provide EAP-MSCHAPv2 username as EAP-Identity
2015-11-12 14:21:06 +01:00