593251fcf6
array: Fix compilation on FreeBSD
2014-02-13 10:46:46 +01:00
50fdff70e8
libpts: Move settings to <ns>.plugins with fallback to libimcv
2014-02-12 14:34:34 +01:00
1ec3476398
libimcv: Move settings to <ns>.imcv and <ns>.plugins with fallback
2014-02-12 14:34:34 +01:00
abd5c7bea2
libtnccs: Move settings to <ns>.tnc and <ns>.plugins with fallback
2014-02-12 14:34:34 +01:00
505a69eba4
attr: Silently skip over load option
2014-02-12 14:34:34 +01:00
c75acc4c44
conf: Install strongswan.conf template from a separate directory
2014-02-12 14:34:33 +01:00
9925eeabd2
settings: Add support to enumerate sections and key/value pairs with fallbacks
2014-02-12 14:34:33 +01:00
f4da1989cd
settings: Implement subsections and key/value pairs with sorted arrays
...
Is a bit more memory efficient (also due to lazy instantiation) and
lookups for sections with lots of subsections/keys (e.g. charon.plugins) are
faster.
2014-02-12 14:34:33 +01:00
b3613c49a2
array: Add fallback for qsort_r using thread-local value
...
Cygwin for example does not support qsort_r.
2014-02-12 14:34:33 +01:00
190a278854
plugin-loader: Optionally use load option in each plugin section to load plugins
...
This now works because all plugins use the same config namespace.
If <ns>.load_modular is true, the list of plugins to load is determined
via the value of the <ns>.plugins.<name>.load options.
Using includes the following is possible:
charon {
load_modular = yes
plugins {
include strongswan.d/charon/*.conf
}
}
charon-cmd {
load_modular = yes
plugins {
include strongswan.d/charon-cmd/*.conf
}
}
Where each .conf file would contain something like:
<name> {
load = yes
<option> = <value>
}
To increase the priority of individual plugins load = <priority> can be
used (the default is 1). For instance, to use openssl instead of the
built-in crypto plugins set in strongswan.d/charon/openssl.conf:
openssl {
load = 10
}
If two plugins have the same priority their order in the default plugin
list is preserved. Plugins not found in that list are ordered
alphabetically before other plugins with the same priority.
2014-02-12 14:34:33 +01:00
79962d9e99
array: Add array_bsearch function
2014-02-12 14:34:33 +01:00
132b00ce02
array: Add array_sort function
2014-02-12 14:34:33 +01:00
1c306c0ee9
libcharon: Remove unused charon->name
2014-02-12 14:34:33 +01:00
9222bfc695
charon-tkm: Use lib->ns instead of charon->name
2014-02-12 14:34:32 +01:00
d223fe807a
libcharon: Use lib->ns instead of charon->name
2014-02-12 14:34:32 +01:00
10c4f4e1fd
libhydra: Remove unused hydra->daemon
2014-02-12 14:34:32 +01:00
d347a130f5
libhydra: Use lib->ns instead of hydra->daemon
2014-02-12 14:34:32 +01:00
409adef43c
libtls: Move settings to <ns>.tls with fallback to libtls
2014-02-12 14:34:32 +01:00
eb9b375aa1
attr-sql: Use namespace for attr-sql config, with fallback
2014-02-12 14:34:32 +01:00
8dc6e71632
lib: All settings use configured namespace
2014-02-12 14:34:32 +01:00
7a684aece4
lib: Add default config fallback for configured namespace
...
All settings in the configured global namespace fall back to libstrongswan.
2014-02-12 14:34:32 +01:00
dbed07782b
unit-tests: Test how settings_t handles some invalid data
2014-02-12 14:34:32 +01:00
1713d88278
settings: Add method that allows to define fallback sections for other sections
...
The fallbacks are currently only used for single value lookups.
Enumerators are not affected by them.
2014-02-12 14:34:32 +01:00
ef72d4cc3f
settings: Make print_key() not rely on null-terminated beginning of key buffer
...
The key to print (e.g. until the next .) still has to be
null-terminated.
2014-02-12 14:34:32 +01:00
24d2bb7793
unit-tests: Add tests for includes and file loading in settings_t
2014-02-12 14:34:32 +01:00
25ee33ba65
settings: Allow empty strings in section key
2014-02-12 14:34:32 +01:00
9f9a6b0681
unit-tests: Add tests for enumerators in settings_t
2014-02-12 14:34:32 +01:00
cd0523e0a4
unit-tests: Add tests for setters in settings_t
2014-02-12 14:34:31 +01:00
9f2870216d
unit-tests: Add basic tests for settings_t
2014-02-12 14:34:31 +01:00
34d3bfcf14
lib: Add global config namespace
2014-02-12 14:34:31 +01:00
4f8bd6d404
pool: Typo in Makefile fixed
2014-02-12 14:34:09 +01:00
6e288ed19c
pool: Install SQL schemas from src/pool
...
This allows us to install the schemas if either the attr-sql or sql
plugin is enabled, since both use the same schema (at least in parts).
2014-02-12 14:21:26 +01:00
b2cd0870a3
sql: Set default values for some fields in addresses table
2014-02-12 14:08:34 +01:00
de7f5305d9
libimcv: Install SQL files in /usr/share/strongswan/templates/database
2014-02-12 14:08:34 +01:00
9ca9d99bc4
sql: Install SQL schemas in /usr/share/strongswan/templates/database
2014-02-12 14:08:34 +01:00
68539c38e2
sql: Remove unused cred.sql snippet
2014-02-12 14:08:34 +01:00
ebc665be4d
asn1: Support dates before 1970-01-01 (i.e. when time_t gets negative)
...
On x86 we allow "overflows" around 1969/1970 but not for other dates.
Fixes #509 .
2014-02-12 13:54:05 +01:00
addc34d5f0
asn1: Add additional validation for parsed ASN.1 date/time values
2014-02-12 13:53:57 +01:00
9e1ce63915
ikev1: Fix config switching due to failed authentication during Aggressive mode
...
The encoded ID payload gets destroyed by the authenticator, which caused
a segmentation fault after the switch.
Fixes #501 .
2014-02-12 13:53:03 +01:00
822b22c96f
kernel-pfroute: Don't cache route entries if installation fails
2014-02-12 13:52:25 +01:00
f0f78b74d4
kernel-netlink: Don't cache route entries if installation fails
...
Fixes #500 .
2014-02-12 13:52:01 +01:00
5e75f50b70
identification: Fix printing of empty RDNs on FreeBSD
...
On FreeBSD (null) is printed for NULL even if the precision is 0.
2014-02-12 13:45:42 +01:00
f8c9c03de0
tests: Fix test for printing NULL on FreeBSD
2014-02-12 13:45:42 +01:00
d9c7fcd0ee
unit-tests: added asn1_parser tests
2014-02-10 21:29:34 +01:00
e62c6b0a24
unit-tests: added some more ASN.1 length tests
2014-02-10 21:29:34 +01:00
b351acfed6
leak_detective: Assign return value of realloc to buf
...
If realloc return a pointer value different from the value to be
reallocated, a double free can occur in this context.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
2014-02-10 17:23:54 +01:00
7707357227
rdrand: Provide get_features() regardless of RDRAND availability
...
As having no get_features() raises a deprecated warning, we return no features
instead.
2014-02-10 11:22:16 +01:00
144f1d7041
rdrand: Move RDRAND detection log to level 2
...
When having RDRAND support, these log messages might be confusing when using
pki or other tools.
2014-02-10 11:07:50 +01:00
ac2dc3b726
updown: Return an empty DNS server enumerator if no IKE_SA available
...
The one existing caller does not handle a NULL return and always expects
an enumerator; and returning FALSE does not make sense anyway.
2014-02-06 16:38:39 +01:00
e2de972c55
charon-cmd: Request an IPv6 virtual IP if an IPv6 remote subnet given
2014-02-06 15:58:13 +01:00
fe7269c089
charon-cmd: Document new proposal options in manpage
2014-02-06 15:58:13 +01:00
c9e85424a8
charon-cmd: Add --esp/--ah-proposal options to specify CHILD_SA proposals
2014-02-06 15:58:07 +01:00
2796cf59bc
charon-cmd: Add an --ike-proposal option to specify non-default IKE proposals
2014-02-06 15:57:36 +01:00
1df1430146
charon-cmd: Block SIGUSR1 on worker threads
...
To properly shut down charon-cmd with leak reports, only the main thread
should catch SIGUSR1 to shut down the application. Work threads should ignore
SIGUSR1 to avoid any hard application termination.
2014-02-06 15:57:36 +01:00
0edd13b6c8
Document ipsec attest --session command
2014-02-05 12:06:46 +01:00
24f59868c4
Allow output of session time in UTC
2014-02-05 12:06:22 +01:00
d6804e3041
Added missing semicolon in SQL statements
2014-02-05 10:15:56 +01:00
523c2874fb
Added Android 4.3.1 to products database table
2014-02-04 19:49:34 +01:00
2a43f7fd9e
Added new Android versions to PTS database
2014-02-04 06:59:01 +01:00
1f4883008e
unit-tests: Add some test cases for HTTP GET/POST fetches
2014-01-31 12:18:32 +01:00
1691b19900
unit-tests: Fix test_runner_run() apidoc
2014-01-29 13:38:10 +01:00
3114cecdbe
pki: Declare correct section in pki --issue man page
2014-01-24 16:17:46 +01:00
d048a319df
ike: Restart inactivity counter after doing a CHILD_SA rekey
...
When doing a rekey for a CHILD_SA, the use counters get reset. An inactivity
job is queued for a time unrelated to the rekey time, so it might happen
that the inactivity job gets executed just after rekeying. If this happens,
inactivity is detected even if we had traffic on the rekeyed CHILD_SA just
before rekeying.
This change implies that inactivity checks can't handle inactivity timeouts
for rekeyed CHILD_SAs, and therefore requires that inactivity timeout is shorter
than the rekey time to have any effect.
2014-01-23 16:19:22 +01:00
763e035335
child-sa: Add a getter for CHILD_SA install time
2014-01-23 16:19:22 +01:00
2312504d1e
xauth-pam: Open/close a PAM session for each connected client
...
Signed-off-by: Andrea Bonomi <a.bonomi@endian.com>
2014-01-23 16:07:04 +01:00
7dc8bf495b
xauth-pam: Sanitize XAuth attributes before passing them to PAM
2014-01-23 16:07:04 +01:00
c7c2e24a56
ikev2: Add Cisco FRAGMENTATION vendor ID
...
Courtesy of C.J. Adams-Collier, ZeroLag Communications, Inc.
2014-01-23 16:04:04 +01:00
2c6d204bec
ikev2: Add Cisco Copyright vendor ID
...
Courtesy of C.J. Adams-Collier, ZeroLag Communications, Inc.
2014-01-23 16:04:01 +01:00
f84d1cb2f9
ikev2: Add Cisco Delete Reason vendor ID
...
Courtesy of C.J. Adams-Collier, ZeroLag Communications, Inc.
2014-01-23 16:03:55 +01:00
a8d8e631f9
ikev2: Use a more dynamic vendor ID database, as we use with IKEv1
2014-01-23 16:02:18 +01:00
853498155e
libpts: Use chunk_map() instead of non-portable mmap()
2014-01-23 15:55:33 +01:00
7ae878c357
tnccs: Use chunk_map() instead of non-portable mmap()
2014-01-23 15:55:33 +01:00
88fa7f62be
pem: Use chunk_map() instead of non-portable mmap()
2014-01-23 15:55:33 +01:00
ecdef634aa
stroke: Use chunk_map() instead of non-portable mmap()
2014-01-23 15:55:32 +01:00
b8d0103e31
radattr: Use chunk_map() instead of non-portable mmap()
2014-01-23 15:55:32 +01:00
39badc53cd
libfast: Use chunk_map() instead of non-portable mmap()
2014-01-23 15:55:32 +01:00
69be6a9e05
integrity-checker: Use chunk_map() instead of non-portable mmap()
2014-01-23 15:55:32 +01:00
b9ee059ca9
chunk: Externalize error reporting in chunk_write()
...
This avoids passing that arbitrary label just for error messages, and gives
greater flexibility in handling errors.
2014-01-23 15:55:32 +01:00
37374a292a
chunk: Provide a fallback chunk_map() if mmap is not available
2014-01-23 15:55:32 +01:00
1c4a3459f7
chunk: Use dynamically allocated buffer in chunk_from_fd()
...
When acting on files, we can use fstat() to estimate the buffer size. On
non-file FDs, we dynamically increase an allocated buffer.
Additionally we slightly change the function signature to properly handle
zero-length files and add appropriate unit tests.
2014-01-23 15:55:32 +01:00
595b6d9a82
chunk: Add functions to map file contents to a chunk
2014-01-23 15:55:32 +01:00
21c18f536d
unity: Send all traffic selectors in a single UNITY_SPLIT_INCLUDE attribute
...
Cisco clients only handle the first such attribute.
2014-01-23 10:35:21 +01:00
f8262aa1a6
unity: Change local TS to 0.0.0.0/0 as responder
...
Cisco clients and Shrew expect a remote TS of 0.0.0.0/0 if Unity is
used, otherwise Quick Mode fails.
2014-01-23 10:35:21 +01:00
685579d6d8
unity: Send UNITY_SPLIT_INCLUDE attributes with proper padding
...
The additional 6 bytes are not actually padding but are parsed by the
Cisco client as protocol and src and dst ports (each two bytes but
strangely only the first two in network order).
2014-01-23 10:35:21 +01:00
fe2a2d1885
kernel-netlink: Set selector on transport mode IPComp SAs
2014-01-23 10:27:13 +01:00
cc04a6db3e
kernel-netlink: Selectively add selector on SAs that use IPComp
...
Don't add a selector to tunnel mode SAs, these might serve multiple
traffic selectors but with only one selector on the SA only the traffic
matching the first one would actually get tunneled.
2014-01-23 10:27:12 +01:00
7e3bbcf77a
updown: Increase buffer size for script and environment variables
2014-01-23 10:27:12 +01:00
6d1198e71d
updown: Allow IPIP traffic if IPComp was negotiated
...
The kernel implicitly creates an IPIP SA if an IPComp SA is installed.
This SA is used inbound for small packets that are not compressed.
Since the addresses are different (they are the tunnel addresses not
those of the tunneled traffic) additional rules are required if the
traffic selector does not cover the tunnel addresses (e.g. due to a NAT).
For SAs with multiple traffic selectors duplicate rules will get installed.
2014-01-23 10:27:12 +01:00
cf4a7395aa
updown: Add PLUTO_IPCOMP to indicate if IPComp was negotiated
2014-01-23 10:27:12 +01:00
72a92d4f7d
curl: Replace spaces in URIs with %20
...
cURL requires the URIs to be URL-encoded. Apparently, some CAs encode CRL
URIs with spaces in them.
Fixes #454 .
2014-01-23 10:19:30 +01:00
ccb6758e5b
utils: Add strreplace function
2014-01-23 10:18:23 +01:00
f44b1eb444
stroke: Ensure the buffer of strings in a stroke_msg_t is null-terminated
...
Otherwise a malicious user could send an unterminated string to cause
unterminated reads.
2014-01-23 10:15:07 +01:00
5ab03863b0
stroke: Add an option to prevent log level changes via stroke socket
2014-01-23 10:15:07 +01:00
040cf911a6
pki: Make sure no command registers too many options
2014-01-23 10:12:24 +01:00
079e6c2b04
pki: Increase MAX_COMMANDS to cover all currently available commands
...
Fixes #452 .
2014-01-23 10:12:15 +01:00
2b8224fce3
pki: Print a warning if MAX_COMMANDS is too low
2014-01-23 10:10:53 +01:00
b0e14fcba6
pki: Properly use ?: when defining option arrays
2014-01-23 10:10:53 +01:00
54ca25800c
agent: Keep CAP_DAC_OVERRIDE to connect to ssh-agent socket
...
This is also required if charon-cmd is used with capability dropping.
2014-01-23 10:08:23 +01:00
53d2164c5d
ike: Simplify error handling if name resolution failed
...
This avoids a second name resolution attempt just to determine if %any
etc. was configured.
Fixes #440 .
2014-01-23 10:04:19 +01:00
be8af56e7a
ike: Use proper hostname(s) when name resolution failed
...
Was wrong since 0edce68767Fixes #440 .
2014-01-23 10:03:50 +01:00
Tobias Brunner