Commit Graph

13190 Commits

Author SHA1 Message Date
Tobias Brunner 479060d2d6 ipsec: Add a fourth priority class for bypass policies 2014-06-19 14:20:33 +02:00
Tobias Brunner 566d1a90cd Remove kernel-klips plugin 2014-06-19 14:20:33 +02:00
Tobias Brunner 3bf98189d7 kernel-netlink: Follow RFC 6724 when selecting IPv6 source addresses
Instead of using the first address we find on an interface we should
consider properties like an address' scope or whether it is temporary
or public.

Fixes #543.
2014-06-19 14:16:41 +02:00
Tobias Brunner 6364219281 Merge branch 'ipsec.conf-parser'
Replaces the ipsec.conf parser in starter. The new parser is also based
on flex/bison but it simply returns key/value collections of all sections.
It already resolves also= and allows overriding options in all included
sections (not only %default); options set in included sections can also
be cleared again (key=). It provides other improvements too, like quoted
strings (with escape sequences), unlimited includes and better
whitespace/comment handling.

Fixes #423.
Fixes #560.
2014-06-19 14:09:09 +02:00
Tobias Brunner f4d29bf16d starter: Don't directly refer to source files in Makefile for unit tests
Older versions of automake have trouble recursively cleaning such
constructs properly.
2014-06-19 14:00:49 +02:00
Tobias Brunner 6719c4c828 starter: Explicitly allow @# at the beginning of strings
Since we treat everything after # as a comment, identities of type
ID_KEY_ID couldn't be parsed otherwise, unless quoted.
2014-06-19 14:00:49 +02:00
Tobias Brunner 2d88617e7d starter: Add --conftest option to test ipsec.conf syntax 2014-06-19 14:00:49 +02:00
Tobias Brunner a953f3ad4a starter: Remove old parser 2014-06-19 14:00:49 +02:00
Tobias Brunner 81ba3c1a5e starter: Use new parser to read config file 2014-06-19 14:00:49 +02:00
Tobias Brunner 640c75bb2e starter: Move kw_entry_t definition 2014-06-19 14:00:49 +02:00
Tobias Brunner 8839796c3e starter: Remove unused ARG_LST argument type 2014-06-19 14:00:49 +02:00
Tobias Brunner f245ac6cc0 starter: Add tests for ipsec.conf parser 2014-06-19 14:00:48 +02:00
Tobias Brunner a1625fdc9b unit-tests: Make fixture functions optional 2014-06-19 14:00:48 +02:00
Tobias Brunner f609682e5d starter: Add new bison/flex based parser for ipsec.conf
The parser simply returns key/value pairs of all sections; it already
resolves also= and allows overriding options in all included sections
(not only %default), and options set in included sections can also be
cleared again (key=).
It provides other improvements too, like quoted strings (with escape
sequences), unlimited includes and better whitespace/comment handling.
2014-06-19 14:00:48 +02:00
Tobias Brunner 4ef86a849b starter: Remove out of date README 2014-06-19 14:00:48 +02:00
Tobias Brunner 9dbf2019e2 collections: Add interface for read-only dictionaries 2014-06-19 14:00:48 +02:00
Tobias Brunner 3c206f2e81 hashtable: Add destroy_function method 2014-06-19 14:00:48 +02:00
Tobias Brunner dcb168413f stroke: Add --daemon option 2014-06-19 13:56:38 +02:00
Tobias Brunner 02de66e1bf starter: Use stream abstraction to communicate with stroke plugin 2014-06-19 13:56:37 +02:00
Tobias Brunner 906a409608 stroke: Use stream abstraction to communicate with stroke plugin
Without this, changing charon.plugins.stroke.socket would not really
work.
2014-06-19 13:56:37 +02:00
Martin Willi b384daafde winhttp: Fix a typo to properly release connection handle
Fixes a rather large memory leak in HTTP fetches.
2014-06-19 11:09:20 +02:00
Martin Willi 9f950af17a load-tester: Add a crl option to include a CRL uri in generated certificates 2014-06-19 10:48:27 +02:00
Martin Willi 8b855a97c2 bus: Properly va_copy() argument list before passing it to printf() functions
As we later potentially use args again, we can't consume it with printf
functions without copying it first. Clone list before passing it to any
consuming function.

Fixes #621.
2014-06-19 10:10:54 +02:00
Martin Willi 758dc8a953 child-sa: Set replay window on both inbound and outbound SA
While the outbound SA actually does not need a replay window, the kernel rejects
zero replay windows on SAs using ESN. The ESN flag is required to use the full
sequence number in ICV calculation, hence we set the replay window.

This restores the behavior we had before 30c009c2.
2014-06-18 16:54:19 +02:00
Martin Willi 8b9b11919d kernel-netlink: Never use XFRMA_REPLAY_ESN_VAL to configure zero replay windows
Trying to disable replay windows using the ESN attribute fails with EINVAL.
Use non-ESN legacy format to disable replay windows, even if ESN has been
negotiated over IKE.
2014-06-18 15:04:57 +02:00
Andreas Steffen d345f0b75d Added swanctl/net2net-route scenario 2014-06-18 14:57:33 +02:00
Andreas Steffen 3f5f0b8940 Added swanctl/net2net-start scenario 2014-06-18 14:35:59 +02:00
Andreas Steffen 4402bae77d Minor changes in swanctl scenarios 2014-06-18 14:35:36 +02:00
Andreas Steffen 927dff2366 The policy_started check is not needed any more 2014-06-18 14:01:02 +02:00
Andreas Steffen ed42874645 Added swanctl --list-pols and swanctl --stats to scenario log 2014-06-18 13:16:18 +02:00
Tobias Brunner d6f0372daf testing: Delete accidentally committed test cases 2014-06-18 09:38:53 +02:00
Tobias Brunner abe116cdf8 ikev1: Allow late connection switching based on XAuth username 2014-06-18 09:30:07 +02:00
Tobias Brunner aba55fdffe identification: Only use either , or / to separate RDNs
If a DN starts with a slash (or whitespace and a slash), slashes will
be used, otherwise commas.
2014-06-18 09:24:03 +02:00
Tobias Brunner 846fd70eec sshkey: Fix loading of ECDSA keys from files 2014-06-18 09:16:24 +02:00
Tobias Brunner 1cda692110 sshkey: Add support to parse SSH public keys from files with left|rightsigkey 2014-06-18 09:16:24 +02:00
Martin Willi 97dafa16a0 Merge branch 'vici-stats'
Add a vici/swanctl "stats" command to print daemon info, similar to the header
shown in "ipsec statusall".
2014-06-17 17:56:05 +02:00
Martin Willi 5885ec2a27 vici: Support memory stats without leak-detective on Windows 2014-06-17 17:55:45 +02:00
Martin Willi df93458685 swanctl: Add a --stats command to print daemon info and statistics 2014-06-17 17:55:45 +02:00
Martin Willi 65689ce76a vici: Add a stats command returning various daemon info and statistics 2014-06-17 17:55:45 +02:00
Martin Willi 19ea055092 swanctl: Support private key decryption passphrases in swanctl.conf
While there is no real security benefit of storing private keys encrypted if
the passphrase is stored along with it, there still seems to be demand for this
functionality. We add it for compatibility with ipsec.secrets, even if it is
not really recommended.
2014-06-17 17:52:14 +02:00
Martin Willi 28e0f9b57d Merge branch 'conn-specific-replay'
Introduces a connection specific replay_window option, overriding the global
charon.replay_window strongswan.conf option. Original patch courtesy of
Zheng Zhong and Christophe Gouault from 6Wind.
2014-06-17 16:50:14 +02:00
Martin Willi 52d77f3290 NEWS: Mention replay_window ipsec.conf option 2014-06-17 16:49:02 +02:00
Martin Willi 5b7725f3b0 swanctl: Document replay_window option 2014-06-17 16:49:02 +02:00
Martin Willi d73a46171d vici: Support a replay_window CHILD_SA option 2014-06-17 16:41:31 +02:00
Martin Willi d5367d2262 starter: Add a replay_window connection option 2014-06-17 16:41:31 +02:00
Martin Willi 823ce4a37f kernel-pfkey: Support connection specific replay window sizes up to 32 packets 2014-06-17 16:41:30 +02:00
Martin Willi 44098fbaca kernel-netlink: Support connection specific replay window sizes 2014-06-17 16:41:30 +02:00
Martin Willi 30c009c2fe kernel-interface: Add a replay_window parameter to add_sa() 2014-06-17 16:41:30 +02:00
Martin Willi bdcaa5e680 child-cfg: Store connection specific replay window on CHILD_SA config 2014-06-17 15:42:02 +02:00
Martin Willi a2c2ce9693 Merge branch 'win-errno'
Improves errno handling for Winsock2 compatibility functions.
2014-06-17 15:24:06 +02:00