Tobias Brunner
51fefe4606
kernel-netlink: Allow setting firewall marks on routing rule
2013-10-11 15:32:44 +02:00
Tobias Brunner
434e530f75
ipsec_types: Add utility function to parse mark_t from strings
2013-10-11 15:32:44 +02:00
Tobias Brunner
bd085dd978
attr-sql: Use a serializable transaction when inserting identities
2013-10-11 15:29:10 +02:00
Tobias Brunner
b283a6e9ef
database: Add support for serializable transactions
2013-10-11 15:29:10 +02:00
Tobias Brunner
e745f5f69f
sql: Don't use MyISAM engine and set collation/charset for all tables
The MyISAM engine doesn't support transactions.
2013-10-11 15:16:05 +02:00
Tobias Brunner
03c801cb2b
pool: Change transaction handling
2013-10-11 15:16:05 +02:00
Tobias Brunner
ec6ad6b086
pool: Move the pool utility to its own directory in src
2013-10-11 15:16:05 +02:00
Tobias Brunner
5abe3c52d3
attr-sql: Handle concurrent insertion of identities
If the same identity is added concurrently by two threads (or by the
pool utility) INSERT might fail even though the SELECT was unsuccessful
before.
We are currently not able to lock the identities table in a portable way
(something like SELECT ... FOR UPDATE on MySQL).
2013-10-11 15:16:05 +02:00
Tobias Brunner
4b8b1354ce
attr-sql: Don't use database transactions in create_attribute_enumerator
There could, of course, be race conditions when enumerating the attributes,
but those probably don't matter (e.g. missing an attribute that was
concurrently added).
Transactions are more intended to revert multiple changes if anything
fails in the process.
2013-10-11 15:16:05 +02:00
Tobias Brunner
fad11d602d
sqlite: Implement transaction handling
2013-10-11 15:16:05 +02:00
Tobias Brunner
f3cb889c9b
mysql: Implement transaction handling
2013-10-11 15:16:04 +02:00
Tobias Brunner
947b76cda8
database: Add interface to handle transactions
2013-10-11 15:16:04 +02:00
Tobias Brunner
5f6a40827e
mysql: Ensure connections are properly released in multi-threaded environments
2013-10-11 15:16:04 +02:00
Tobias Brunner
ec91f15e3b
crypto-factory: Try next available RNG implementation if constructor fails
2013-10-11 15:13:25 +02:00
Tobias Brunner
2e22333fbc
crypto-factory: Order entries by algorithm identifier and (optionally) speed
2013-10-11 15:13:25 +02:00
Tobias Brunner
e2c9a03d15
Remove HASH_PREFERRED, usages are replaced with HASH_SHA1, which is required for IKEv2 anyway
2013-10-11 15:13:25 +02:00
Tobias Brunner
3473cbab9c
vstr: Forward actual field width
fmt_field_width is a flag that indicates if a field width
is defined in obj_field_width.
2013-10-11 15:12:16 +02:00
Martin Willi
fc566632da
unit-tests: support testing when leak-detective has not been enabled
2013-10-11 15:12:16 +02:00
Martin Willi
795cbb98c6
printf-hook-builtin: Print NaN/Infinity floating point values as such
2013-10-11 11:06:09 +02:00
Martin Willi
8af9bf70f5
printf-hook-builtin: Correctly round up floating point values
2013-10-11 11:06:09 +02:00
Martin Willi
edc7a3d02f
printf-hook-builtin: Add some preliminary floating point support
This minimalistic implementation has no aspiration for completeness or
accuracy, and just provides what we need.
2013-10-11 11:06:09 +02:00
Martin Willi
7e6a4cdc84
printf-hook-builtin: Support GNU %m specifier
2013-10-11 11:06:09 +02:00
Martin Willi
cabe5c0ff4
printf-hook-builtin: Add a new "builtin" backend using its own printf() routines
Overloads printf C library functions by a self-contained implementation,
based on klibc. Does not yet feature all the required default formatters,
including those for floating point values.
2013-10-11 11:06:02 +02:00
Martin Willi
ebca34d782
printf-hook: Add some basic printf() string/integer test functions
2013-10-11 11:05:37 +02:00
Martin Willi
243048248b
printf-hook: Move glibc/vstr printf hook backends to separate files
2013-10-11 11:05:30 +02:00
Martin Willi
d53002f088
libipsec: Enforce byte/packet lifetimes on SAs
2013-10-11 10:23:18 +02:00
Martin Willi
12fdc2b16b
kernel-libipsec: Support ESPv3 TFC padding
2013-10-11 10:23:18 +02:00
Martin Willi
293515f95c
libipsec: remove extra RFC4303 TFC padding appended to inner payload
2013-10-11 10:23:17 +02:00
Martin Willi
d53f9b9637
kernel-libipsec: Support query_sa() to report usage statistics
2013-10-11 10:23:17 +02:00
Martin Willi
b08967d6d8
libipsec: Support usage statistics and query_sa() on IPsec SAs
2013-10-11 10:23:17 +02:00
Martin Willi
d7083b6541
kernel: Use a time_t to report use time in query_policy()
2013-10-11 10:23:17 +02:00
Martin Willi
c99458e94e
kernel: Use a time_t to report use time in query_sa()
2013-10-11 10:23:17 +02:00
Martin Willi
4817595876
updown: Install forwarding rules with the actually used protocol
2013-10-11 10:15:22 +02:00
Martin Willi
c5d9b133e0
updown: Add a PLUTO_PROTO variable set to 'ah' or 'esp'
2013-10-11 10:15:21 +02:00
Martin Willi
e48e530b44
starter: Reject connections having both 'ah' and 'esp' keywords set
We currently don't support mixed proposals or bundles, so don't create the
illusion we would.
2013-10-11 10:15:21 +02:00
Martin Willi
757343d90e
ike: Define keylength for aescmac algorithm
2013-10-11 10:15:21 +02:00
Martin Willi
a1379e3210
ikev1: Support parsing of AH+IPComp proposals
2013-10-11 10:15:21 +02:00
Martin Willi
25f74be8f9
starter: Remove obsolete 'auth' option
2013-10-11 10:15:21 +02:00
Martin Willi
d489e75579
ikev1: Accept more than two certificate payloads
2013-10-11 10:15:21 +02:00
Martin Willi
3771b85806
ikev1: Support en-/decoding of SA payloads with AH algorithms
2013-10-11 10:15:21 +02:00
Martin Willi
44e6aa4fb7
kernel-handler: Whitespace cleanups
2013-10-11 10:15:21 +02:00
Martin Willi
f6037b5506
stroke: List proposals in statusall without leading '/' in AH SAs
2013-10-11 10:15:21 +02:00
Martin Willi
4bf92306eb
ikev1: Delete quick modes with the negotiated SA protocol
2013-10-11 10:15:21 +02:00
Martin Willi
5d569e07fd
trap-manager: Install trap with SA protocol of the first configured proposal
2013-10-11 10:15:21 +02:00
Martin Willi
21b096f3b8
child-sa: Save protocol during SPI allocation
This allows us to properly delete the incomplete SA with the correct protocol
should negotiation fail.
2013-10-11 10:15:21 +02:00
Martin Willi
908fe1632d
ikev1: Negotiate SPI with the first/negotiated proposal protocol
2013-10-11 10:15:21 +02:00
Martin Willi
cdab8630d9
ikev2: Allocate SPI with the protocol of the first/negotiated proposal
2013-10-11 10:15:21 +02:00
Martin Willi
f0c59e1cf8
proposal: Strip redundant integrity algos for ESP proposals only
2013-10-11 10:15:21 +02:00
Martin Willi
0576412989
stroke: Configure proposal with AH protocol if 'ah' option set
2013-10-11 10:15:20 +02:00
Martin Willi
a07b97e804
starter: Add an 'ah' keyword for Authentication Header Security Associations
2013-10-11 10:15:20 +02:00
Andreas Steffen
3588299fb8
Keep a copy of the tnccs instance for PT-TLS handover
2013-10-09 19:03:07 +02:00
Tobias Brunner
3e3db3743e
xauth-pam: Make trimming of email addresses optional
Fixes #430 .
2013-10-04 10:49:54 +02:00
Martin Willi
d2e4dd75b7
ikev1: Accept reauthentication attempts with a keep unique policy from same host
When we have a "keep" unique policy in place, we have to be less strict in
rejecting Main/Aggressive Modes to enforce it. If the host/port equals that
of an existing ISAKMP SA, we assume it is a reauthentication attempt
and accept the new SA (to replace the old).
2013-09-30 13:51:12 +02:00
Martin Willi
9c19d7ca31
ikev1: Don't log a reauthentication detection message if no children adopted
When a replace unique policy is in place, the children get adopted during
the uniqueness check. In this case the message is just misleading.
2013-09-30 13:51:11 +02:00
Martin Willi
ee99f37ecc
ikev1: Delay a potential delete for a duplicate IKE_SA having a replace policy
Sending a DELETE for the replaced SA immediately is problematic during
reauthentication, as the peer might have associated the Quick Modes to the
old SA, and also delete them.
With this change the delete for the old ISAKMP SA is usually omitted, as it
gets implicitly deleted by the reauth.
2013-09-30 13:51:11 +02:00
Tobias Brunner
e4b7b48c1e
eap-radius: Increase buffer for attributes sent in RADIUS accounting messages
64 bytes might be too short for user names/identities.
2013-09-27 13:37:12 +02:00
Tobias Brunner
c8f34ba7b6
openssl: Properly log FIPS mode when enabled via openssl.conf
Enabling FIPS mode twice will fail, so if it is enabled in openssl.conf
it should be disabled in strongswan.conf (or the other way around).
Either way, we should log whether FIPS mode is enabled or not.
References #412 .
2013-09-27 09:24:03 +02:00
Tobias Brunner
e4d63cfae7
android: New release after fixing remediation instructions regression
2013-09-26 13:53:39 +02:00
Tobias Brunner
00f7b29422
android: Change progress dialog handling
With the previous code the dialog sometimes was hidden for a short while
before it got reopened.
2013-09-26 13:53:25 +02:00
Tobias Brunner
cfed5679b8
android: Clear remediation instructions when starting a new connection
2013-09-26 13:00:45 +02:00
Tobias Brunner
a2cebbe674
starter: Don't ignore keyingtries with rekey=no
Since keyingtries also affects the number of retries initially or when
reestablishing an SA, it should not be affected by the rekey option.
Fixes #418 .
2013-09-26 10:17:48 +02:00
Tobias Brunner
90031b2fc7
load-tester: Fix crash if private key was not loaded successfully
Fixes #417 .
2013-09-24 09:27:12 +02:00
Tobias Brunner
ed72f2d65e
printf-hook: Write to output stream instead of the FD directly when using Vstr
This avoids problems when other stdio functions are used (fputs,
fwrite) as writes via Vstr/FD were always unbuffered.
2013-09-24 08:44:00 +02:00
Tobias Brunner
c17cbfdb72
android: New release after improving recovery after connectivity changes
2013-09-23 14:33:29 +02:00
Tobias Brunner
3817231333
android: Change state handling to display errors occurring while the app is hidden
A new connection ID allows listeners to track which errors they have
already shown to the user or were already dismissed by the user.
This was necessary because the state fragment is now unregistered from
state changes when it is not shown.
2013-09-23 12:01:43 +02:00
Tobias Brunner
b4a5b185fc
android: Don't update state fragments when they are not displayed
Besides that updates don't make much sense when the fragments are not
displayed, this fixes the following exception:
java.lang.IllegalStateException: Can not perform this action after onSaveInstanceState
2013-09-23 12:01:42 +02:00
Tobias Brunner
561f94ae58
ikev2: Force an update of the host addresses on the first response
This is especially useful on Android where we are able to send messages
even if we don't know the correct local address (this is possible
because we don't set source addresses in outbound messages). This way
we may learn the correct local address if it e.g. changed right before
reestablishing an SA.
Updating the local address later is tricky without MOBIKE as the
responder might not update the associated IPsec SAs properly.
2013-09-23 11:50:12 +02:00
Tobias Brunner
9292357030
ike-sa: Resolve hosts before reestablishing an IKE_SA
2013-09-23 11:49:52 +02:00
Tobias Brunner
e3f64a79c2
android: Several plugins were moved from libcharon to libtnccs
These were moved in commits e8f65c5cde and 12b3db5006.
2013-09-23 11:49:52 +02:00
Tobias Brunner
c3ee829eee
android: Properly handle failures while initializing charon
2013-09-23 11:49:52 +02:00
Ansis Atteka
255b9dac5d
kernel-netlink: Allow to override xfrm_acq_expires value
When using auto=route, the current xfrm_acq_expires default value
implies that the tunnel can be down for up to 165 seconds if the
other peer rejected the first IKE request with an AUTH_FAILED or
NO_PROPOSAL_CHOSEN error message. These error messages are
completely normal in setups where another application
pushes configuration to both strongSwans without waiting
for acknowledgment that they have updated their configurations.
This patch allows strongSwan to override the xfrm_acq_expires default
value by setting charon.plugins.kernel-netlink.xfrm_acq_expires in
strongswan.conf.
Signed-off-by: Ansis Atteka <aatteka@nicira.com>
2013-09-23 10:45:14 +02:00
Andreas Steffen
2c4d772a79
Implemented TCG/PB-PDP_Referral message
2013-09-17 21:57:08 +02:00
Andreas Steffen
ddfc589600
Allow vendor-specific PB-TNC messages
2013-09-17 11:19:11 +02:00
Andreas Steffen
ab155e6907
ignore *.1 manpage files
2013-09-17 10:58:53 +02:00
Tobias Brunner
075e80368b
sshkey: Add support for parsing keys from files
2013-09-13 15:23:49 +02:00
Tobias Brunner
b2a5317596
sshkey: Add encoding for ECDSA keys
2013-09-13 15:23:49 +02:00
Tobias Brunner
d6b3cc87ca
openssl: Add support for generic encoding of EC public keys
2013-09-13 15:23:49 +02:00
Tobias Brunner
90afd2c929
pki: --pub also accepts public keys (i.e. to convert them to a different format)
2013-09-13 15:23:49 +02:00
Tobias Brunner
21626bdf77
pki: Add support to encode public keys in SSH key format
2013-09-13 15:23:49 +02:00
Tobias Brunner
f40e9f4d16
sshkey: Add encoder for RSA keys
2013-09-13 15:23:49 +02:00
Tobias Brunner
3b939e20a9
openssl: Add generic RSA public key encoding
2013-09-13 15:23:49 +02:00
Tobias Brunner
b5cc7053c8
openssl: Add helper function to convert BIGNUMs to chunks
2013-09-13 15:23:49 +02:00
Tobias Brunner
ed56c86ec1
pki: Don't print an error if no arguments are given
2013-09-13 15:14:00 +02:00
Tobias Brunner
0dc8ba8779
pki: Install pki(1) as utility directly in $prefix/bin
ipsec pki is maintained as alias.
2013-09-13 15:07:36 +02:00
Tobias Brunner
1a8ffea315
pki: Add example commands to setup a simple CA
2013-09-13 15:07:36 +02:00
Tobias Brunner
b068c4ec9d
pki: Add pki --verify man page
2013-09-13 15:07:36 +02:00
Tobias Brunner
4adeaa5eb9
pki: Add pki --pub man page
2013-09-13 15:07:36 +02:00
Tobias Brunner
a319eff80d
pki: Add pki --print man page
2013-09-13 15:07:35 +02:00
Tobias Brunner
e69fd30538
pki: Add pki --keyid man page
2013-09-13 15:07:35 +02:00
Tobias Brunner
558771400e
pki: Add pki --pkcs7 man page
2013-09-13 15:07:35 +02:00
Tobias Brunner
bb8e2e1759
pki: Add pki --req man page
2013-09-13 15:07:35 +02:00
Tobias Brunner
96aa5a1ddd
pki: Add pki --signcrl man page
2013-09-13 15:07:35 +02:00
Tobias Brunner
42e3a21e24
pki: Add pki --issue man page
2013-09-13 15:07:35 +02:00
Tobias Brunner
3a643b8901
pki: Add pki --self man page
Can be opened with "man pki --self".
2013-09-13 15:07:35 +02:00
Tobias Brunner
a612f6e338
pki: Add pki --gen man page
Can be opened with "man pki --gen".
2013-09-13 15:07:29 +02:00
Tobias Brunner
34cff9349b
pki: Add ipsec-pki(8) man page
Can be opened either with "man ipsec pki" or "man ipsec-pki".
Since man(1) only supports one level of subpages, the forthcoming man
pages for each command will have to be opened with "man pki --<command>".
2013-09-13 14:32:51 +02:00
Tobias Brunner
8250fc10e8
Build generated man pages via configure script
2013-09-13 14:32:51 +02:00
Tobias Brunner
f5dcb38ead
resolve: Remove comment when using resolvconf(8)
Since comments in resolv.conf are only valid at the beginning of a line,
resolvconf(8) seems to have started treating any text after
'nameserver <ip>' as additional IP addresses for name servers.
Since it ignores comments, and we can easily remove the added servers
again, there is no point in adding any.
Fixes #410 .
2013-09-13 14:13:21 +02:00
Martin Willi
2b84ccd6a6
libipsec: fix memory management when cloning ip_packet
2013-09-13 13:56:44 +02:00
Martin Willi
96136a1229
libipsec: check for a policy with the reqid of the SA on decapsulation
To prevent a client from sending a packet with a source address of a different
client, we require a policy bound via reqid to the decapsulating SA.
2013-09-13 13:56:43 +02:00
Martin Willi
791fde1669
stroke: don't remove a matching peer config if used by other child configs
When configurations get merged during add, we should not remove peer configs
if other connection entries use the same peer config.
2013-09-13 13:56:31 +02:00
Tobias Brunner
11ac36b016
conftest: Don't load plugins incrementally
This is not supported by the plugin loader, so we simply combine the
plugin lists and load them all at once.
2013-09-13 11:44:04 +02:00
Tobias Brunner
fafa768478
ikev1: Fix double free when searching for redundant CHILD_SAs
Fixes #411 .
2013-09-13 10:14:45 +02:00
Tobias Brunner
be8179abd2
Build all IMC/IMVs with -no-undefined
2013-09-12 01:44:50 +02:00
Tobias Brunner
7d87b24634
pt-tls-client: Report loaded plugins
2013-09-12 01:44:49 +02:00
Tobias Brunner
5d45bcfc5f
pt-tls-client: Abort if no tnccs-manager is available
2013-09-12 01:44:49 +02:00
Tobias Brunner
9af44ef5d9
Build all shared libraries with -no-undefined and link them properly
The flag is required to convince libtool on Cygwin to build DLLs. But on
Windows these shared libraries can not have undefined symbols, so we have to
link them explicitly to the libraries they reference.
For plugins this is currently not done, so only the monolithic build is
supported. The plugin loader wouldn't be able to load DLLs anyway, as
it tries to load files that don't exist on Cygwin.
2013-09-12 01:44:49 +02:00
Tobias Brunner
bf32cdfbf6
tun_device: Add warning if TUN devices are not supported by platform
2013-09-12 01:44:49 +02:00
Andreas Steffen
5ec08a6a05
Make sure libstrongswan is initialized first in IMCs and IMVs
2013-09-11 20:58:18 +02:00
Tobias Brunner
4eb6149ae8
sockets: Initialize the whole ancillary data buffer not only the actual struct
This avoids uninitialized bytes that Valgrind seems to notice otherwise.
Fixes #395 .
2013-09-10 13:42:59 +02:00
Thomas Egerer
7d938be9e9
ikev1: For PFS prefer DH group from IKE_SA over first configured
If PFS is configured for a CHILD_SA, first try to create a list of
proposals using the DH group negotiated during phase 1. If the
resulting list is empty (i.e. the DH group(s) configured for PFS differ
from the one(s) configured for the IKE_SA), fall back to the first
configured DH group from the CHILD_SA.
This modification is due to the fact that it is likely that the peer
supports the same DH group for PFS that it already did for the IKE_SA.
2013-09-10 10:28:32 +02:00
Ansis Atteka
ec331a7dd6
kernel-netlink: increase buffer size for RT netlink messages
Commit 940e1b0f66 "Filter ignored interfaces in kernel interfaces (for
events, address enumeration, etc.)" made charon ignore routes with
unusable interfaces. An unusable interface is one for which charon has
not seen an RTM_NEWLINK message from the kernel.
Sometimes an RTM_NEWLINK message can be 1048 bytes large. This is
24 bytes more than the currently allocated buffer of 1024 bytes.
If the kernel sends such a large message, then it would be silently
ignored by charon and the corresponding interface would never become
usable. Hence strongSwan might resolve an invalid source IP address
in the get_route() function. This would prevent the IPsec tunnel from
being established.
To reproduce, create a VLAN interface with the following command:
vconfig add eth1 12
2013-09-10 09:34:09 +02:00
Andreas Steffen
c1ebc7b1cc
Fixed double free causing swapped ends to crash
2013-09-07 08:25:10 +02:00
Andreas Steffen
847b148f91
Minor performance tuning
2013-09-07 07:39:03 +02:00
Andreas Steffen
3adffcd9eb
Implemented targeted SWID request
2013-09-06 22:06:39 +02:00
Andreas Steffen
ae32172619
Make SWID directory where tags are stored configurable
2013-09-05 12:25:02 +02:00
Andreas Steffen
9b8137fdd3
Added tags table and some tag samples
2013-09-05 11:29:23 +02:00
Andreas Steffen
b28686d530
swid_inventory object has a get_count method
2013-09-04 21:56:25 +02:00
Andreas Steffen
bd3eaaef9b
Count collected SWID tags or tag IDs
2013-09-04 21:30:36 +02:00
Andreas Steffen
cee1a86385
Proceed with attestation only if Attestation IMC returns a discovery response
2013-09-04 21:30:36 +02:00
Tobias Brunner
a4b996c0bc
libipsec: Properly initialize variables when creating AEAD wrapper
2013-09-04 16:18:29 +02:00
Tobias Brunner
c742905f50
android: Fix compilation after PTS header files were moved
2013-09-04 16:18:29 +02:00
Tobias Brunner
cd764f42b9
libpts: Android.mk updated
2013-09-04 16:18:29 +02:00
Martin Willi
1fd5c7fbac
load-tester: support extended traffic selector syntax, as in leftsubnet
In addition the initiator may use %unique as port, using a distinct port for
each connection, starting from 1025.
2013-09-04 10:49:48 +02:00
Martin Willi
47b4a51402
load-tester: add an option to test transport/beet connections
2013-09-04 10:49:48 +02:00
Martin Willi
3070697f9f
ike: support multiple addresses, ranges and subnets in IKE address config
Replace the allowany semantic by a more powerful subnet and IP range matching.
Multiple addresses, DNS names, subnets and ranges can be specified in a comma
separated list. Initiators ignore the ranges/subnets, responders match
configurations against all addresses, ranges and subnets.
2013-09-04 10:38:37 +02:00
Martin Willi
beffdc6ab8
ike-cfg: remove the to be obsoleted allow any parameter in get_my/other_addr
2013-09-04 10:38:37 +02:00
Martin Willi
62282ec0ed
backends: use ike_cfg host matching functions
2013-09-04 10:38:37 +02:00
Martin Willi
6f666192bb
ike-cfg: add methods to match a host against configured local/remote addresses
2013-09-04 10:38:37 +02:00
Martin Willi
7446fa2860
trap-manager: use ike_cfg resolver functions
2013-09-04 10:38:37 +02:00
Martin Willi
0edce68767
ike-sa: use ike_cfg resolver functions
2013-09-04 10:38:36 +02:00
Martin Willi
e743275cae
ike-cfg: add a method to resolve local/remote hosts with port
2013-09-04 10:38:36 +02:00
Martin Willi
a858064455
stroke: ignore a leftsourceip if a rightsourceip is given as well
As we always negotiate virtual IPs in charon, having both left- and
rightsourceip is not allowed. Both in IKEv1 and IKEv2 we support a single
configuration payload exchange only.
2013-09-04 10:33:38 +02:00
Martin Willi
e3311e9b87
ikev1: implement mode config push mode
2013-09-04 10:33:38 +02:00
Martin Willi
2bae838d5e
stroke: re-enable modeconfig keyword
2013-09-04 10:33:38 +02:00
Martin Willi
9aeaa7396e
peer-cfg: add a pull/push mode option to use with mode config
2013-09-04 10:33:37 +02:00
Martin Willi
e8b36eb92f
charon-cmd: support prompting for a PIN
To support a Password and PIN XAuth combo, additionally support multiple
prompts for different credential types.
2013-09-03 16:26:19 +02:00
Martin Willi
45797bd50b
xauth-generic: honor requested XAuth credential types as a client
Support requesting of XAuth PINs and print XAuth messages.
2013-09-03 16:26:19 +02:00
Martin Willi
3482cc9cf6
attributes: shorten some Unity and XAuth attribute short names
2013-09-03 16:26:19 +02:00
Martin Willi
61b0079881
message: print type of configuration payload
2013-09-03 16:26:19 +02:00
Martin Willi
8e4b258030
message: print attributes for IKEv1 configuration payloads as well
2013-09-03 16:26:19 +02:00
Martin Willi
d787ada894
eap-radius: support XAuth configuration profiles, defining multiple XAuth rounds
2013-09-03 16:26:19 +02:00
Martin Willi
510ecf612a
xauth: add a configuration string option to be passed to XAuth instances
The configuration string is appended to the XAuth backend name, separated by
a colon. The configuration string is passed untouched to the backend, where
it can change the behavior of the XAuth module.
2013-09-03 16:26:19 +02:00
Andreas Steffen
7a425fb24c
Use ipsec_DATA destination
2013-09-02 14:20:33 +02:00
Andreas Steffen
0c2348581c
Install SWID tag also in /share/
2013-09-02 14:01:05 +02:00
Andreas Steffen
9f85122af9
Generate strongSwan SWID tag
2013-09-02 13:08:41 +02:00
Andreas Steffen
86f00e6aff
Added regids table and some sample reqid data
2013-09-02 12:00:47 +02:00
Andreas Steffen
d1696c0eaa
Corrected debug class to DBG_IMC
2013-09-02 12:00:46 +02:00
Tobias Brunner
10a69c32c2
conftest: Fix hook constructor resolution via dlsym()
AM_CPPFLAGS only takes preprocessor flags like -I or -D, so it did not
forward -rdynamic to the linker (--export-dynamic), which meant that the
symbols defined in the executable itself were not resolvable via dlsym().
Fixes #394 .
2013-08-30 19:45:51 +02:00
Andreas Steffen
4e2a176229
SWID IMC implements recursive tag collection in /usr/share
2013-08-30 16:25:55 +02:00
Mathias Krause
45b80880f8
kernel-pfroute: Fix mixed up memset() call in get_route()
The retry code introduced in dc8b083 got the memset() arguments wrong.
Fix this to ensure the buffer gets zeroed, for real.
It probably doesn't matter as we do reset the message length on retry, so
the stale data shouldn't be seen by anyone.
Found-by: git grep 'memset\s*\([^,]*,\s*[^,]*,\s*0\s*\)'
2013-08-29 18:56:39 +02:00
Martin Willi
a0cd955f42
charon-xpc: add a note how to build the source tarball
2013-08-29 12:28:54 +02:00
Martin Willi
74ee1120d7
charon-xpc: include and prefer AES-GCM algorithms in ESP proposal
2013-08-29 11:37:07 +02:00
Andreas Steffen
1e82e27ac5
Added TCG-SWID error handling
2013-08-28 22:53:57 +02:00
Andreas Steffen
7bda0f0c8b
Added tzset memory leak to whitelist
2013-08-28 22:51:17 +02:00
Andreas Steffen
0d9e375193
Selectively enable PT-TLS and/or RADIUS sockets in tnc-pdp plugin
2013-08-26 20:36:07 +02:00
Tobias Brunner
f0c54e8c15
chunk: Print chunks without separator if + modifier is used
2013-08-24 16:22:51 +02:00
Tobias Brunner
32a145fdbd
utils: Add case-insensitive version of strpfx()
2013-08-24 16:22:51 +02:00
Martin Willi
49032d15be
stroke: stop enumerating IKE_SAs in statusall if output stream gets closed
If the output stream is not interested in more information, it can close
the stream. Checking for stream errors avoids useless enumeration of IKE_SAs,
saving resources. This allows using "ipsec statusall | head" to monitor the
daemon, or to stop enumerating IKE_SAs after a specific entry has been found.
2013-08-23 14:27:17 +02:00
Tobias Brunner
d7ae0b254d
kernel: Restore enumeration of all addresses when searching for address in TS
Since f52cf07532, addresses on ignored, down or loopback interfaces were
not considered as valid addresses anymore when searching for an address
contained in the local traffic selector. This meant that route
installation failed, for instance, if charon.install_virtual_ip_on was
set to 'lo', or, on gateways, if internal interfaces were ignored with
the charon.interfaces_* options.
2013-08-21 17:01:03 +02:00
Tobias Brunner
85ca2f7441
conftest: Disable reset_seq hook on systems other than Linux
Fixes #386 .
2013-08-21 11:27:28 +02:00
Tobias Brunner
e001cc2b07
kernel-netlink: Fix calculation of ESN bitmap length
While bmp_len stores the number of u_int32_t, the allocated bitmap
actually consists of those integers.
2013-08-21 08:28:12 +02:00
Andreas Steffen
e626821677
Version bump to 5.1.1dr1
2013-08-19 10:03:23 +02:00
Andreas Steffen
1e92d5f114
Process PB-TNC batches received via PT-TLS asynchronously
2013-08-19 09:52:12 +02:00
Andreas Steffen
9dc3b2053d
Optimize TLS socket buffer for TLS_MAX_FRAGMENT_LEN
2013-08-19 09:50:57 +02:00
Andreas Steffen
70a80ef5d4
Output handler of a given workitem
2013-08-16 14:14:13 +02:00
Andreas Steffen
4d2bac37c4
Implemented SWID Tag Inventory attribute
2013-08-16 14:13:35 +02:00
Andreas Steffen
f405c15a59
deleted moved files
2013-08-15 23:34:23 +02:00
Andreas Steffen
b38d9d5a54
Implemented SWID prototype IMC/IMV pair
2013-08-15 23:34:23 +02:00
Andreas Steffen
0bd29a438e
Updated the SWID attributes
2013-08-15 23:34:23 +02:00
Andreas Steffen
e689de6b8c
Optimized PT-TLS data transfer
2013-08-15 23:34:23 +02:00
Andreas Steffen
6aff4b5ce8
Show host address of peer connecting to PT-TLS socket
2013-08-15 23:34:23 +02:00
Andreas Steffen
0a09b02dcf
Set client identity with TLS certificate authentication
2013-08-15 23:34:23 +02:00
Andreas Steffen
9cc606d22a
Fixed memory leak in SASL PLAIN
2013-08-15 23:34:23 +02:00
Andreas Steffen
663ea1407d
added --optionsfrom capability
2013-08-15 23:34:23 +02:00
Andreas Steffen
7c027f7983
Use client identities from successful authentications, only
2013-08-15 23:34:23 +02:00
Andreas Steffen
d6719c974c
Add pt-tls-client to .gitignore
2013-08-15 23:34:23 +02:00
Andreas Steffen
97b1d39de5
Extract client identity and authentication type from SASL authentication
2013-08-15 23:34:22 +02:00
Andreas Steffen
6d6100c2bc
Added some debug statements
2013-08-15 23:34:22 +02:00
Andreas Steffen
f420d5f380
enabled SASL PLAIN authentication
2013-08-15 23:34:22 +02:00
Andreas Steffen
8327c44b74
PT-TLS connection is properly terminated
2013-08-15 23:34:22 +02:00
Andreas Steffen
12b3db5006
moved tnc_imv plugin to libtnccs thanks to recommendation callback function
2013-08-15 23:34:22 +02:00
Andreas Steffen
e8f65c5cde
Moved tnc-tnccs, tnc-imc, tnccs-11, tnccs-20 and tnccs-dynamic libcharon plugins to libtnccs
2013-08-15 23:34:22 +02:00
Andreas Steffen
180a2f2642
rapid PT-TLS AR/PDP prototype
2013-08-15 23:34:22 +02:00
Andreas Steffen
f5b5d262e8
Add PT-TLS interface to strongSwan PDP
2013-08-15 23:34:22 +02:00
Tobias Brunner
f853e7bcc0
ikev1: Fix calculation of the number of fragments
The old code resulted in too few fragments in some cases.
2013-08-15 15:15:34 +02:00
Tobias Brunner
c81a6ff907
ikev1: When sending fragments, use ports to decide if a non-ESP marker is added
This is the same logic used by the sender and might apply in some cases (e.g.
when initiating to port 4500).
2013-08-15 15:12:00 +02:00
Tobias Brunner
e42ab08a73
ikev2: Fix segfault when reestablishing CHILD_SAs due to closeaction=restart|hold
This regression was introduced with c949a4d5.
2013-08-13 10:08:08 +02:00
Tobias Brunner
3f29ff82c3
libipsec: Don't limit traditional algorithms to AES and SHA1/2
Closes #377 .
2013-08-12 12:21:57 +02:00
Tobias Brunner
11f468533f
kernel-netlink,pfroute: Properly update address flag within ROAM_DELAY
77d4a02 and 55da01f only updated the address flag when a job was created,
which obviously had the same limitation as the old code.
Fixes #374 .
2013-08-12 12:08:23 +02:00
Tobias Brunner
55da01f348
kernel-pfroute: Implement roam event handling like in the kernel-netlink plugin
There was no proper locking and the issue regarding the address
flag also existed.
2013-08-12 12:03:48 +02:00
Tobias Brunner
77d4a0281a
kernel-netlink: Ensure address changes are not missed in roam events
If multiple roam events are triggered within ROAM_DELAY, only one job is
created. The old code set the address flag to the value of the last
triggering call. So if a route change followed an address change within
ROAM_DELAY the address change was missed by the upper layers, e.g. causing
it not to update the list of addresses via MOBIKE.
The new code now keeps the state of the address flag until the job is
actually executed, which still has some issues. For instance, if an
address disappears and reappears within ROAM_DELAY, the flag would not
have to be set to TRUE. So address updates might occasionally get
triggered where none would actually be required.
Fixes #374 .
2013-08-12 12:02:55 +02:00
Martin Willi
a24515c515
backtrace: rename clone() method clashing with system call
Fixes #376 .
2013-08-09 09:13:39 +02:00
Martin Willi
881e9a7e2e
updown: remove description of unsupported PLUTO_ variables
These have been set by pluto, but are not by charon's updown plugin.
2013-08-08 14:48:32 +02:00
Tobias Brunner
58e32e4871
tnc-pdp: Initialize struct msghdr properly when reading RADIUS messages
Before this e.g. msg_controllen was not initialized properly which could
cause invalid reads.
2013-07-31 22:16:58 +02:00
Tobias Brunner
d12fc14616
whitelist: Fix compilation on FreeBSD
2013-07-31 22:16:58 +02:00
Tobias Brunner
ed0efaef4c
host: Properly initialize struct sockaddr_in[6] when parsing strings
Otherwise struct members like sin6_flowinfo or sin6_scope_id might be
set to bogus values.
2013-07-31 22:16:58 +02:00
Tobias Brunner
b3393c88c1
asn1: Fix handling of invalid ASN.1 length in is_asn1()
Fixes CVE-2013-5018.
2013-07-31 22:16:58 +02:00
Andreas Steffen
cc5bedbb98
Callback job is not needed any more
2013-07-31 22:13:49 +02:00
Martin Willi
8fa7c5c191
charon-xpc: load missing ctr/ccm/gcm plugins
2013-07-31 16:28:11 +02:00