9545 Commits

Author SHA1 Message Date
Martin Willi 47c76c1b05 rwlock: Re-acquire rwlock even if condvar wait times out
A caller expects that the associated rwlock is held, whether the condvar
gets signaled or the wait times out.
2013-10-23 11:52:26 +02:00
Andreas Steffen b891c22aa9 Updated and split data.sql 2013-10-23 00:26:02 +02:00
Andreas Steffen 50d7a55c96 Support Ubuntu 13.10 measurements 2013-10-21 21:33:30 +02:00
Andreas Steffen 27bf5c06dc check if specified IF-TNCCS protocol is enabled 2013-10-21 21:03:53 +02:00
Tobias Brunner 8e8e97d10d kernel-netlink: Check existence of linux/fib_rules.h, don't include it in distribution
This reverts commit b0761f1f0a.
2013-10-18 09:52:54 +02:00
Tobias Brunner 4c185d11ad updown: Properly configure ICMP[v6] message type and code in firewall rules 2013-10-17 16:57:39 +02:00
Tobias Brunner 9739a0bf67 updown: Pass ICMP[v6] message type and code to updown script
The type is passed in $PLUTO_MY_PORT and the code in $PLUTO_PEER_PORT.
2013-10-17 16:57:39 +02:00
Tobias Brunner 59213396fa kernel-pfkey: Install ICMP[v6] type/code as expected by the Linux kernel 2013-10-17 16:57:39 +02:00
Tobias Brunner 406a504ca7 kernel-netlink: Convert ports in acquires to ICMP[v6] type and code 2013-10-17 16:57:39 +02:00
Tobias Brunner ddc2d3c8e4 kernel-netlink: Properly install policies with ICMP[v6] types and codes 2013-10-17 16:57:39 +02:00
Tobias Brunner 000235f1c5 traffic-selector: Print ICMP[v6] message type and code in a more readable way 2013-10-17 16:57:39 +02:00
Tobias Brunner 4bebe45abb traffic-selector: Store ICMP[v6] message type and code properly
We now store them as defined in RFC 4301, section 4.4.1.1.
2013-10-17 16:57:39 +02:00
Tobias Brunner d6a1960d34 traffic-selector: Move class to its own Doxygen group 2013-10-17 16:57:38 +02:00
Tobias Brunner 7313499914 proposal: Add ECC Brainpool DH groups to the default proposal 2013-10-17 13:36:09 +02:00
Tobias Brunner 606aae3aa1 openssl: Add workaround if ECC Brainpool curves are not defined 2013-10-17 13:36:08 +02:00
Tobias Brunner 3c29d2822f openssl: Add support for ECC Brainpool curves for DH, if defined by OpenSSL
OpenSSL does not include them in releases before 1.0.2.
2013-10-17 13:36:08 +02:00
Andreas Steffen cca372465d ecc: Added ECC Brainpool ECDH groups as registered with IANA 2013-10-17 11:57:04 +02:00
Tobias Brunner be97277bdb unit-tests: Make test for bio_writer_t more portable 2013-10-17 11:44:03 +02:00
Tobias Brunner f6cadb7f54 libipsec: Don't print ciphertext with ICV in log message 2013-10-17 11:43:58 +02:00
Tobias Brunner f5c5fd6f74 libipsec: Properly calculate padding length especially for AES-GCM 2013-10-17 11:42:45 +02:00
Tobias Brunner 812ae898bf utils: Add utility function to calculate padding length 2013-10-17 10:25:34 +02:00
Tobias Brunner 32fef0c6e9 stroke: Reuse reqids of established CHILD_SAs when routing connections 2013-10-17 10:23:32 +02:00
Tobias Brunner 6278e64230 trap-manager: Make sure a config is not trapped twice 2013-10-17 10:23:32 +02:00
Tobias Brunner dd438ee22c Doxygen fixes 2013-10-15 11:25:55 +02:00
Andreas Steffen a37ab690cc Set recommendation in the case of PCR measurement failures 2013-10-13 22:17:18 +02:00
Andreas Steffen b0761f1f0a Add linux/fip_rules.h to include files 2013-10-13 20:51:10 +02:00
Andreas Steffen 6623dfa84d Revert refactoring which broke CentOS build 2013-10-13 19:56:04 +02:00
Tobias Brunner d9020264f4 checksum: The pool utility was moved to its own directory 2013-10-11 17:42:29 +02:00
Tobias Brunner 0f6f7ba22c ccm: Add missing comma in get_iv_gen method signature 2013-10-11 17:42:25 +02:00
Tobias Brunner bfeb8b5c47 iv-gen: Add missing header files to Makefile.am 2013-10-11 17:42:05 +02:00
Tobias Brunner 0c6f6c4e34 iv_gen: Mask sequential IVs with a random salt
This makes it harder to attack a HA setup, even if the sequence numbers were
not fully in sync.
2013-10-11 15:55:40 +02:00
Tobias Brunner e8229ad558 iv_gen: Provide external sequence number (IKE, ESP)
This prevents duplicate sequential IVs in case of a HA failover.
2013-10-11 15:55:40 +02:00
Tobias Brunner d74c254dfd ipsec: Use IV generator to encrypt ESP messages 2013-10-11 15:55:40 +02:00
Tobias Brunner b5010707a0 ikev2: Use IV generator to encrypt encrypted payload 2013-10-11 15:55:40 +02:00
Tobias Brunner 50bd28d549 iv_gen: aead_t implementations provide an IV generator 2013-10-11 15:55:40 +02:00
Tobias Brunner b3e1eb2afe iv_gen: Add IV generator that allocates IVs sequentially 2013-10-11 15:55:40 +02:00
Tobias Brunner 53d1f2dbfd iv_gen: Add IV generator that allocates IVs randomly
Uses RNG_WEAK as the code currently does elsewhere to allocate IVs.
2013-10-11 15:55:40 +02:00
Tobias Brunner 403057aa5a crypto: Add generic interface for IV generators 2013-10-11 15:55:40 +02:00
Tobias Brunner b38f7f703b apidoc: Move mac_prf to prf Doxygen group 2013-10-11 15:55:40 +02:00
Tobias Brunner feb3c4ff22 eap-radius: Forward RAT_FRAMED_IP_NETMASK as INTERNAL_IP4_NETMASK 2013-10-11 15:52:22 +02:00
Tobias Brunner 1a809e46f8 eap-radius: Forward UNITY_SPLIT_INCLUDE or UNITY_LOCAL_LAN attributes
Depending on the value of the CVPN3000-IPSec-Split-Tunneling-Policy(55)
radius attribute, the subnets in the CVPN3000-IPSec-Split-Tunnel-List(27)
attribute are sent in either a UNITY_SPLIT_INCLUDE (if the value is 1)
or a UNITY_LOCAL_LAN (if the value is 2).

So if the following attributes would be configured for a RADIUS user

  CVPN3000-IPSec-Split-Tunnel-List := "10.0.1.0/255.255.255.0,10.0.2.0/255.255.255.0"
  CVPN3000-IPSec-Split-Tunneling-Policy := 1

A UNITY_SPLIT_INCLUDE configuration payload containing these two subnets
would be sent to the client during the ModeCfg exchange.
2013-10-11 15:52:22 +02:00
Tobias Brunner 66229619cf eap-radius: Forward UNITY_DEF_DOMAIN and UNITY_SPLITDNS_NAME attributes
The contents of the CVPN3000-IPSec-Default-Domain(28) and
CVPN3000-IPSec-Split-DNS-Names(29) radius attributes are forwarded in
the corresponding Unity configuration attributes.
2013-10-11 15:52:22 +02:00
Ruslan N. Marchenko b638c131de dnscert: Add DNS CERT support for pubkey authentication
Add DNSSEC protected CERT RR delivered certificate authentication.
The new dnscert plugin is based on the ipseckey plugin and relies on the
existing PEM decoder as well as x509 and PGP parsers.  As such the plugin
expects PEM encoded PKIX(x509) or PGP(GPG) certificate payloads.

The plugin is targeted to improve interoperability with Racoon, which
supports this type of authentication, ignoring in-stream certificates
and using only DNS provided certificates for FQDN IDs.
2013-10-11 15:45:42 +02:00
Tobias Brunner 8ac54970f5 ipseckey: Properly handle failure to create a certificate
Also, try the next key (if available) if parsing an IPSECKEY failed.
2013-10-11 15:45:41 +02:00
Tobias Brunner e8130a9498 ipseckey: Refactor creation of certificate enumerator
Reduces nesting and fixes a memory leak (rrsig_enum).
2013-10-11 15:45:41 +02:00
Tobias Brunner de5ea570f1 ipseckey: Depend on plugin features to create public key and certificate objects 2013-10-11 15:45:41 +02:00
Tobias Brunner 6ecf1aab35 unbound: Add support for DLV (DNSSEC Lookaside Validation)
Fixes #392.
2013-10-11 15:45:25 +02:00
Tobias Brunner cd25d291f7 kernel-libipsec: Don't ignore policies of type != POLICY_IPSEC
This actually broke rekeying due to the DROP policies that are
temporarily added, which broke the refcount as the ignored policies
were not ignored in del_policy() (the type is not known there).
2013-10-11 15:32:44 +02:00
Tobias Brunner eeb34af069 kernel-libipsec: Add an option to allow remote TS to match the IKE peer
Setting the fwmark options for the kernel-netlink and socket-default
plugins allows this kind of setup.

It is probably required to set net.ipv4.conf.all.rp_filter to 2 to make
it work.
2013-10-11 15:32:44 +02:00
Tobias Brunner 80f8b3a6d8 socket-default: Allow setting firewall mark on outbound packets 2013-10-11 15:32:44 +02:00
Tobias Brunner 51fefe4606 kernel-netlink: Allow setting firewall marks on routing rule 2013-10-11 15:32:44 +02:00
Tobias Brunner 434e530f75 ipsec_types: Add utility function to parse mark_t from strings 2013-10-11 15:32:44 +02:00
Tobias Brunner bd085dd978 attr-sql: Use a serializable transaction when inserting identities 2013-10-11 15:29:10 +02:00
Tobias Brunner b283a6e9ef database: Add support for serializable transactions 2013-10-11 15:29:10 +02:00
Tobias Brunner e745f5f69f sql: Don't use MyISAM engine and set collation/charset for all tables
The MyISAM engine doesn't support transactions.
2013-10-11 15:16:05 +02:00
Tobias Brunner 03c801cb2b pool: Change transaction handling 2013-10-11 15:16:05 +02:00
Tobias Brunner ec6ad6b086 pool: Move the pool utility to its own directory in src 2013-10-11 15:16:05 +02:00
Tobias Brunner 5abe3c52d3 attr-sql: Handle concurrent insertion of identities
If the same identity is added concurrently by two threads (or by the
pool utility) INSERT might fail even though the SELECT was unsuccessful
before.

We are currently not able to lock the identities table in a portable way
(something like SELECT ... FOR UPDATE on MySQL).
2013-10-11 15:16:05 +02:00
Tobias Brunner 4b8b1354ce attr-sql: Don't use database transactions in create_attribute_enumerator
There could, of course, be race conditions when enumerating the attributes,
but those probably don't matter (e.g. missing an attribute that was
concurrently added).

Transactions are more intended to revert multiple changes if anything
fails in the process.
2013-10-11 15:16:05 +02:00
Tobias Brunner fad11d602d sqlite: Implement transaction handling 2013-10-11 15:16:05 +02:00
Tobias Brunner f3cb889c9b mysql: Implement transaction handling 2013-10-11 15:16:04 +02:00
Tobias Brunner 947b76cda8 database: Add interface to handle transactions 2013-10-11 15:16:04 +02:00
Tobias Brunner 5f6a40827e mysql: Ensure connections are properly released in multi-threaded environments 2013-10-11 15:16:04 +02:00
Tobias Brunner ec91f15e3b crypto-factory: Try next available RNG implementation if constructor fails 2013-10-11 15:13:25 +02:00
Tobias Brunner 2e22333fbc crypto-factory: Order entries by algorithm identifier and (optionally) speed 2013-10-11 15:13:25 +02:00
Tobias Brunner e2c9a03d15 Remove HASH_PREFERRED, usages are replaced with HASH_SHA1, which is required for IKEv2 anyway 2013-10-11 15:13:25 +02:00
Tobias Brunner 3473cbab9c vstr: Forward actual field width
fmt_field_width is a flag that indicates if a field width
is defined in obj_field_width.
2013-10-11 15:12:16 +02:00
Martin Willi fc566632da unit-tests: support testing when leak-detective has not been enabled 2013-10-11 15:12:16 +02:00
Martin Willi 795cbb98c6 printf-hook-builtin: Print NaN/Infinity floating point values as such 2013-10-11 11:06:09 +02:00
Martin Willi 8af9bf70f5 printf-hook-builtin: Correctly round up floating point values 2013-10-11 11:06:09 +02:00
Martin Willi edc7a3d02f printf-hook-builtin: Add some preliminary floating point support
This minimalistic implementation has no aspiration for completeness or
accuracy, and just provides what we need.
2013-10-11 11:06:09 +02:00
Martin Willi 7e6a4cdc84 printf-hook-builtin: Support GNU %m specifier 2013-10-11 11:06:09 +02:00
Martin Willi cabe5c0ff4 printf-hook-builtin: Add a new "builtin" backend using its own printf() routines
Overloads printf C library functions by a self-contained implementation,
based on klibc. Does not yet feature all the required default formatters,
including those for floating point values.
2013-10-11 11:06:02 +02:00
Martin Willi ebca34d782 printf-hook: Add some basic printf() string/integer test functions 2013-10-11 11:05:37 +02:00
Martin Willi 243048248b printf-hook: Move glibc/vstr printf hook backends to separate files 2013-10-11 11:05:30 +02:00
Martin Willi d53002f088 libipsec: Enforce byte/packet lifetimes on SAs 2013-10-11 10:23:18 +02:00
Martin Willi 12fdc2b16b kernel-libipsec: Support ESPv3 TFC padding 2013-10-11 10:23:18 +02:00
Martin Willi 293515f95c libipsec: remove extra RFC4303 TFC padding appended to inner payload 2013-10-11 10:23:17 +02:00
Martin Willi d53f9b9637 kernel-libipsec: Support query_sa() to report usage statistics 2013-10-11 10:23:17 +02:00
Martin Willi b08967d6d8 libipsec: Support usage statistics and query_sa() on IPsec SAs 2013-10-11 10:23:17 +02:00
Martin Willi d7083b6541 kernel: Use a time_t to report use time in query_policy() 2013-10-11 10:23:17 +02:00
Martin Willi c99458e94e kernel: Use a time_t to report use time in query_sa() 2013-10-11 10:23:17 +02:00
Martin Willi 4817595876 updown: Install forwarding rules with the actually used protocol 2013-10-11 10:15:22 +02:00
Martin Willi c5d9b133e0 updown: Add a PLUTO_PROTO variable set to 'ah' or 'esp' 2013-10-11 10:15:21 +02:00
Martin Willi e48e530b44 starter: Reject connections having both 'ah' and 'esp' keywords set
We currently don't support mixed proposals or bundles, so don't create the
illusion we would.
2013-10-11 10:15:21 +02:00
Martin Willi 757343d90e ike: Define keylength for aescmac algorithm 2013-10-11 10:15:21 +02:00
Martin Willi a1379e3210 ikev1: Support parsing of AH+IPComp proposals 2013-10-11 10:15:21 +02:00
Martin Willi 25f74be8f9 starter: Remove obsolete 'auth' option 2013-10-11 10:15:21 +02:00
Martin Willi d489e75579 ikev1: Accept more than two certificate payloads 2013-10-11 10:15:21 +02:00
Martin Willi 3771b85806 ikev1: Support en-/decoding of SA payloads with AH algorithms 2013-10-11 10:15:21 +02:00
Martin Willi 44e6aa4fb7 kernel-handler: Whitespace cleanups 2013-10-11 10:15:21 +02:00
Martin Willi f6037b5506 stroke: List proposals in statusall without leading '/' in AH SAs 2013-10-11 10:15:21 +02:00
Martin Willi 4bf92306eb ikev1: Delete quick modes with the negotiated SA protocol 2013-10-11 10:15:21 +02:00
Martin Willi 5d569e07fd trap-manager: Install trap with SA protocol of the first configured proposal 2013-10-11 10:15:21 +02:00
Martin Willi 21b096f3b8 child-sa: Save protocol during SPI allocation
This allows us to properly delete the incomplete SA with the correct protocol
should negotiation fail.
2013-10-11 10:15:21 +02:00
Martin Willi 908fe1632d ikev1: Negotiate SPI with the first/negotiated proposal protocol 2013-10-11 10:15:21 +02:00
Martin Willi cdab8630d9 ikev2: Allocate SPI with the protocol of the first/negotiated proposal 2013-10-11 10:15:21 +02:00
Martin Willi f0c59e1cf8 proposal: Strip redundant integrity algos for ESP proposals only 2013-10-11 10:15:21 +02:00
Martin Willi 0576412989 stroke: Configure proposal with AH protocol if 'ah' option set 2013-10-11 10:15:20 +02:00
Martin Willi a07b97e804 starter: Add an 'ah' keyword for Authentication Header Security Associations 2013-10-11 10:15:20 +02:00
Andreas Steffen 3588299fb8 Keep a copy of the tnccs instance for PT-TLS handover 2013-10-09 19:03:07 +02:00
Tobias Brunner 3e3db3743e xauth-pam: Make trimming of email addresses optional
Fixes #430.
2013-10-04 10:49:54 +02:00
Martin Willi d2e4dd75b7 ikev1: Accept reauthentication attempts with a keep unique policy from same host
When we have a "keep" unique policy in place, we have to be less strict in
rejecting Main/Aggressive Modes to enforce it. If the host/port equals
that of an existing ISAKMP SA, we assume it is a reauthentication attempt
and accept the new SA (to replace the old).
2013-09-30 13:51:12 +02:00
Martin Willi 9c19d7ca31 ikev1: Don't log a reauthentication detection message if no children adopted
When a replace unique policy is in place, the children get adopted during
the uniqueness check. In this case the message is just misleading.
2013-09-30 13:51:11 +02:00
Martin Willi ee99f37ecc ikev1: Delay a potential delete for a duplicate IKE_SA having a replace policy
Sending a DELETE for the replaced SA immediately is problematic during
reauthentication, as the peer might have associated the Quick Modes to the
old SA, and also delete them.

With this change the delete for the old ISAKMP SA is usually omitted, as it
gets implicitly deleted by the reauth.
2013-09-30 13:51:11 +02:00
Tobias Brunner e4b7b48c1e eap-radius: Increase buffer for attributes sent in RADIUS accounting messages
64 bytes might be too short for user names/identities.
2013-09-27 13:37:12 +02:00
Tobias Brunner c8f34ba7b6 openssl: Properly log FIPS mode when enabled via openssl.conf
Enabling FIPS mode twice will fail, so if it is enabled in openssl.conf
it should be disabled in strongswan.conf (or the other way around).

Either way, we should log whether FIPS mode is enabled or not.

References #412.
2013-09-27 09:24:03 +02:00
Tobias Brunner e4d63cfae7 android: New release after fixing remediation instructions regression 2013-09-26 13:53:39 +02:00
Tobias Brunner 00f7b29422 android: Change progress dialog handling
With the previous code the dialog sometimes was hidden for a short while
before it got reopened.
2013-09-26 13:53:25 +02:00
Tobias Brunner cfed5679b8 android: Clear remediation instructions when starting a new connection 2013-09-26 13:00:45 +02:00
Tobias Brunner a2cebbe674 starter: Don't ignore keyingtries with rekey=no
Since keyingtries also affects the number of retries initially or when
reestablishing an SA it should not be affected by the rekey option.

Fixes #418.
2013-09-26 10:17:48 +02:00
Tobias Brunner 90031b2fc7 load-tester: Fix crash if private key was not loaded successfully
Fixes #417.
2013-09-24 09:27:12 +02:00
Tobias Brunner ed72f2d65e printf-hook: Write to output stream instead of the FD directly when using Vstr
This avoids problems when other stdio functions are used (fputs,
fwrite) as writes via Vstr/FD were always unbuffered.
2013-09-24 08:44:00 +02:00
Tobias Brunner c17cbfdb72 android: New release after improving recovery after connectivity changes 2013-09-23 14:33:29 +02:00
Tobias Brunner 3817231333 android: Change state handling to display errors occurring while the app is hidden
A new connection ID allows listeners to track which errors they have
already shown to the user or were already dismissed by the user.

This was necessary because the state fragment is now unregistered from
state changes when it is not shown.
2013-09-23 12:01:43 +02:00
Tobias Brunner b4a5b185fc android: Don't update state fragments when they are not displayed
Besides that updates don't make much sense when the fragments are not
displayed this fixes the following exception:
	java.lang.IllegalStateException: Can not perform this action after
		onSaveInstanceState
2013-09-23 12:01:42 +02:00
Tobias Brunner 561f94ae58 ikev2: Force an update of the host addresses on the first response
This is especially useful on Android where we are able to send messages
even if we don't know the correct local address (this is possible
because we don't set source addresses in outbound messages).  This way
we may learn the correct local address if it e.g. changed right before
reestablishing an SA.

Updating the local address later is tricky without MOBIKE as the
responder might not update the associated IPsec SAs properly.
2013-09-23 11:50:12 +02:00
Tobias Brunner 9292357030 ike-sa: Resolve hosts before reestablishing an IKE_SA 2013-09-23 11:49:52 +02:00
Tobias Brunner e3f64a79c2 android: Several plugins were moved from libcharon to libtnccs
These were moved in commits e8f65c5cde and 12b3db5006.
2013-09-23 11:49:52 +02:00
Tobias Brunner c3ee829eee android: Properly handle failures while initializing charon 2013-09-23 11:49:52 +02:00
Ansis Atteka 255b9dac5d kernel-netlink: Allow to override xfrm_acq_expires value
When using auto=route, current xfrm_acq_expires default value
implies that tunnel can be down for up to 165 seconds, if
other peer rejected first IKE request with an AUTH_FAILED or
NO_PROPOSAL_CHOSEN error message. These error messages are
completely normal in setups where another application
pushes configuration to both strongSwans without waiting
for acknowledgment that they have updated their configurations.

This patch allows strongswan to override xfrm_acq_expires default
value by setting charon.plugins.kernel-netlink.xfrm_acq_expires in
strongswan.conf.

Signed-off-by: Ansis Atteka <aatteka@nicira.com>
2013-09-23 10:45:14 +02:00
Andreas Steffen 2c4d772a79 Implemented TCG/PB-PDP_Referral message 2013-09-17 21:57:08 +02:00
Andreas Steffen ddfc589600 Allow vendor-specific PB-TNC messages 2013-09-17 11:19:11 +02:00
Andreas Steffen ab155e6907 ignore *.1 manpage files 2013-09-17 10:58:53 +02:00
Tobias Brunner 075e80368b sshkey: Add support for parsing keys from files 2013-09-13 15:23:49 +02:00
Tobias Brunner b2a5317596 sshkey: Add encoding for ECDSA keys 2013-09-13 15:23:49 +02:00
Tobias Brunner d6b3cc87ca openssl: Add support for generic encoding of EC public keys 2013-09-13 15:23:49 +02:00
Tobias Brunner 90afd2c929 pki: --pub also accepts public keys (i.e. to convert them to a different format) 2013-09-13 15:23:49 +02:00
Tobias Brunner 21626bdf77 pki: Add support to encode public keys in SSH key format 2013-09-13 15:23:49 +02:00
Tobias Brunner f40e9f4d16 sshkey: Add encoder for RSA keys 2013-09-13 15:23:49 +02:00
Tobias Brunner 3b939e20a9 openssl: Add generic RSA public key encoding 2013-09-13 15:23:49 +02:00
Tobias Brunner b5cc7053c8 openssl: Add helper function to convert BIGNUMs to chunks 2013-09-13 15:23:49 +02:00
Tobias Brunner ed56c86ec1 pki: Don't print an error if no arguments are given 2013-09-13 15:14:00 +02:00
Tobias Brunner 0dc8ba8779 pki: Install pki(1) as utility directly in $prefix/bin
ipsec pki is maintained as alias.
2013-09-13 15:07:36 +02:00
Tobias Brunner 1a8ffea315 pki: Add example commands to setup a simple CA 2013-09-13 15:07:36 +02:00
Tobias Brunner b068c4ec9d pki: Add pki --verify man page 2013-09-13 15:07:36 +02:00
Tobias Brunner 4adeaa5eb9 pki: Add pki --pub man page 2013-09-13 15:07:36 +02:00
Tobias Brunner a319eff80d pki: Add pki --print man page 2013-09-13 15:07:35 +02:00
Tobias Brunner e69fd30538 pki: Add pki --keyid man page 2013-09-13 15:07:35 +02:00
Tobias Brunner 558771400e pki: Add pki --pkcs7 man page 2013-09-13 15:07:35 +02:00
Tobias Brunner bb8e2e1759 pki: Add pki --req man page 2013-09-13 15:07:35 +02:00
Tobias Brunner 96aa5a1ddd pki: Add pki --signcrl man page 2013-09-13 15:07:35 +02:00
Tobias Brunner 42e3a21e24 pki: Add pki --issue man page 2013-09-13 15:07:35 +02:00
Tobias Brunner 3a643b8901 pki: Add pki --self man page
Can be opened with "man pki --self".
2013-09-13 15:07:35 +02:00
Tobias Brunner a612f6e338 pki: Add pki --gen man page
Can be opened with "man pki --gen".
2013-09-13 15:07:29 +02:00
Tobias Brunner 34cff9349b pki: Add ipsec-pki(8) man page
Can be opened either with "man ipsec pki" or "man ipsec-pki".

Since man(1) only supports one level of subpages, the forthcoming man
pages for each command will have to be opened with "man pki --<command>".
2013-09-13 14:32:51 +02:00
Tobias Brunner 8250fc10e8 Build generated man pages via configure script 2013-09-13 14:32:51 +02:00
Tobias Brunner f5dcb38ead resolve: Remove comment when using resolvconf(8)
Since comments in resolv.conf are only valid at the beginning of a line
resolvconf(8) seems to have started treating any text after
'nameserver <ip>' as additional IP addresses for name servers.

Since it ignores comments, and we can easily remove the added servers
again, there is no point to add any.

Fixes #410.
2013-09-13 14:13:21 +02:00
Martin Willi 2b84ccd6a6 libipsec: fix memory management when cloning ip_packet 2013-09-13 13:56:44 +02:00
Martin Willi 96136a1229 libipsec: check for a policy with the reqid of the SA on decapsulation
To prevent a client from sending a packet with a source address of a different
client, we require a policy bound via reqid to the decapsulating SA.
2013-09-13 13:56:43 +02:00