51fefe4606
kernel-netlink: Allow setting firewall marks on routing rule
2013-10-11 15:32:44 +02:00
434e530f75
ipsec_types: Add utility function to parse mark_t from strings
2013-10-11 15:32:44 +02:00
bd085dd978
attr-sql: Use a serializable transaction when inserting identities
2013-10-11 15:29:10 +02:00
b283a6e9ef
database: Add support for serializable transactions
2013-10-11 15:29:10 +02:00
e745f5f69f
sql: Don't use MyISAM engine and set collation/charset for all tables
...
The MyISAM engine doesn't support transactions.
2013-10-11 15:16:05 +02:00
03c801cb2b
pool: Change transaction handling
2013-10-11 15:16:05 +02:00
ec6ad6b086
pool: Move the pool utility to its own directory in src
2013-10-11 15:16:05 +02:00
5abe3c52d3
attr-sql: Handle concurrent insertion of identities
...
If the same identity is added concurrently by two threads (or by the
pool utility) INSERT might fail even though the SELECT was unsuccessful
before.
We are currently not able to lock the identities table in a portable way
(something like SELECT ... FOR UPDATE on MySQL).
2013-10-11 15:16:05 +02:00
4b8b1354ce
attr-sql: Don't use database transactions in create_attribute_enumerator
...
There could, of course, be race conditions when enumerating the attributes,
but those probably don't matter (e.g. missing an attribute that was
concurrently added).
Transactions are more intended to revert multiple changes if anything
fails in the process.
2013-10-11 15:16:05 +02:00
fad11d602d
sqlite: Implement transaction handling
2013-10-11 15:16:05 +02:00
f3cb889c9b
mysql: Implement transaction handling
2013-10-11 15:16:04 +02:00
947b76cda8
database: Add interface to handle transactions
2013-10-11 15:16:04 +02:00
5f6a40827e
mysql: Ensure connections are properly released in multi-threaded environments
2013-10-11 15:16:04 +02:00
ec91f15e3b
crypto-factory: Try next available RNG implementation if constructor fails
2013-10-11 15:13:25 +02:00
2e22333fbc
crypto-factory: Order entries by algorithm identifier and (optionally) speed
2013-10-11 15:13:25 +02:00
e2c9a03d15
Remove HASH_PREFERRED, usages are replaced with HASH_SHA1, which is required for IKEv2 anyway
2013-10-11 15:13:25 +02:00
3473cbab9c
vstr: Forward actual field width
...
fmt_field_width is a flag that indicates if a field width
is defined in obj_field_width.
2013-10-11 15:12:16 +02:00
fc566632da
unit-tests: support testing when leak-detective has not been enabled
2013-10-11 15:12:16 +02:00
795cbb98c6
printf-hook-builtin: Print NaN/Infinity floating point values as such
2013-10-11 11:06:09 +02:00
8af9bf70f5
printf-hook-builtin: Correctly round up floating point values
2013-10-11 11:06:09 +02:00
edc7a3d02f
printf-hook-builtin: Add some preliminary floating point support
...
This minimalistic implementation has no aspiration for completeness or
accuracy, and just provides what we need.
2013-10-11 11:06:09 +02:00
7e6a4cdc84
printf-hook-builtin: Support GNU %m specifier
2013-10-11 11:06:09 +02:00
cabe5c0ff4
printf-hook-builtin: Add a new "builtin" backend using its own printf() routines
...
Overloads printf C library functions by a self-contained implementation,
based on klibc. Does not yet feature all the required default formatters,
including those for floating point values.
2013-10-11 11:06:02 +02:00
ebca34d782
printf-hook: Add some basic printf() string/integer test functions
2013-10-11 11:05:37 +02:00
243048248b
printf-hook: Move glibc/vstr printf hook backends to separate files
2013-10-11 11:05:30 +02:00
d53002f088
libipsec: Enforce byte/packet lifetimes on SAs
2013-10-11 10:23:18 +02:00
12fdc2b16b
kernel-libipsec: Support ESPv3 TFC padding
2013-10-11 10:23:18 +02:00
293515f95c
libipsec: remove extra RFC4303 TFC padding appended to inner payload
2013-10-11 10:23:17 +02:00
d53f9b9637
kernel-libipsec: Support query_sa() to report usage statistics
2013-10-11 10:23:17 +02:00
b08967d6d8
libipsec: Support usage statistics and query_sa() on IPsec SAs
2013-10-11 10:23:17 +02:00
d7083b6541
kernel: Use a time_t to report use time in query_policy()
2013-10-11 10:23:17 +02:00
c99458e94e
kernel: Use a time_t to report use time in query_sa()
2013-10-11 10:23:17 +02:00
4817595876
updown: Install forwarding rules with the actually used protocol
2013-10-11 10:15:22 +02:00
c5d9b133e0
updown: Add a PLUTO_PROTO variable set to 'ah' or 'esp'
2013-10-11 10:15:21 +02:00
e48e530b44
starter: Reject connections having both 'ah' and 'esp' keywords set
...
We currently don't support mixed proposals or bundles, so don't create the
illusion we would.
2013-10-11 10:15:21 +02:00
757343d90e
ike: Define keylength for aescmac algorithm
2013-10-11 10:15:21 +02:00
a1379e3210
ikev1: Support parsing of AH+IPComp proposals
2013-10-11 10:15:21 +02:00
25f74be8f9
starter: Remove obsolete 'auth' option
2013-10-11 10:15:21 +02:00
d489e75579
ikev1: Accept more than two certificate payloads
2013-10-11 10:15:21 +02:00
3771b85806
ikev1: Support en-/decoding of SA payloads with AH algorithms
2013-10-11 10:15:21 +02:00
44e6aa4fb7
kernel-handler: Whitespace cleanups
2013-10-11 10:15:21 +02:00
f6037b5506
stroke: List proposals in statusall without leading '/' in AH SAs
2013-10-11 10:15:21 +02:00
4bf92306eb
ikev1: Delete quick modes with the negotiated SA protocol
2013-10-11 10:15:21 +02:00
5d569e07fd
trap-manager: Install trap with SA protocol of the first configured proposal
2013-10-11 10:15:21 +02:00
21b096f3b8
child-sa: Save protocol during SPI allocation
...
This allows us to properly delete the incomplete SA with the correct protocol
should negotiation fail.
2013-10-11 10:15:21 +02:00
908fe1632d
ikev1: Negotiate SPI with the first/negotiated proposal protocol
2013-10-11 10:15:21 +02:00
cdab8630d9
ikev2: Allocate SPI with the protocol of the first/negotiated proposal
2013-10-11 10:15:21 +02:00
f0c59e1cf8
proposal: Strip redundant integrity algos for ESP proposals only
2013-10-11 10:15:21 +02:00
0576412989
stroke: Configure proposal with AH protocol if 'ah' option set
2013-10-11 10:15:20 +02:00
a07b97e804
starter: Add an 'ah' keyword for Authentication Header Security Associations
2013-10-11 10:15:20 +02:00
3588299fb8
Keep a copy of the tnccs instance for PT-TLS handover
2013-10-09 19:03:07 +02:00
3e3db3743e
xauth-pam: Make trimming of email addresses optional
...
Fixes #430 .
2013-10-04 10:49:54 +02:00
d2e4dd75b7
ikev1: Accept reauthentication attempts with a keep unique policy from same host
...
When we have a "keep" unique policy in place, we have to be less strict in
rejecting Main/Aggressive Modes to enforce it. If the host/port equals to
that of an existing ISAKMP SA, we assume it is a reauthentication attempt
and accept the new SA (to replace the old).
2013-09-30 13:51:12 +02:00
9c19d7ca31
ikev1: Don't log a reauthentication detection message if no children adopted
...
When a replace unique policy is in place, the children get adopted during
the uniqueness check. In this case the message is just misleading.
2013-09-30 13:51:11 +02:00
ee99f37ecc
ikev1: Delay a potential delete for a duplicate IKE_SA having a replace policy
...
Sending a DELETE for the replaced SA immediately is problematic during
reauthentication, as the peer might have associated the Quick Modes to the
old SA, and also delete them.
With this change the delete for the old ISAKMP SA is usually omitted, as it
is gets implicitly deleted by the reauth.
2013-09-30 13:51:11 +02:00
e4b7b48c1e
eap-radius: Increase buffer for attributes sent in RADIUS accounting messages
...
64 bytes might be too short for user names/identities.
2013-09-27 13:37:12 +02:00
c8f34ba7b6
openssl: Properly log FIPS mode when enabled via openssl.conf
...
Enabling FIPS mode twice will fail, so if it is enabled in openssl.conf
it should be disabled in strongswan.conf (or the other way around).
Either way, we should log whether FIPS mode is enabled or not.
References #412 .
2013-09-27 09:24:03 +02:00
e4d63cfae7
android: New release after fixing remediation instructions regression
2013-09-26 13:53:39 +02:00
00f7b29422
android: Change progress dialog handling
...
With the previous code the dialog sometimes was hidden for a short while
before it got reopened.
2013-09-26 13:53:25 +02:00
cfed5679b8
android: Clear remediation instructions when starting a new connection
2013-09-26 13:00:45 +02:00
a2cebbe674
starter: Don't ignore keyingtries with rekey=no
...
Since keyingtries also affects the number of retries initially or when
reestablishing an SA it should not be affected by the rekey option.
Fixes #418 .
2013-09-26 10:17:48 +02:00
90031b2fc7
load-tester: Fix crash if private key was not loaded successfully
...
Fixes #417 .
2013-09-24 09:27:12 +02:00
ed72f2d65e
printf-hook: Write to output stream instead of the FD directly when using Vstr
...
This avoids problems when other stdio functions are used (fputs,
fwrite) as writes via Vstr/FD were always unbuffered.
2013-09-24 08:44:00 +02:00
c17cbfdb72
android: New release after improving recovery after connectivity changes
2013-09-23 14:33:29 +02:00
3817231333
android: Change state handling to display errors occurring while the app is hidden
...
A new connection ID allows listeners to track which errors they have
already shown to the user or were already dismissed by the user.
This was necessary because the state fragment is now unregistered from
state changes when it is not shown.
2013-09-23 12:01:43 +02:00
b4a5b185fc
android: Don't update state fragments when they are not displayed
...
Besides that updates don't make much sense when the fragments are not
displayed this fixes the following exception:
java.lang.IllegalStateException: Can not perform this action after
onSaveInstanceState
2013-09-23 12:01:42 +02:00
561f94ae58
ikev2: Force an update of the host addresses on the first response
...
This is especially useful on Android where we are able to send messages
even if we don't know the correct local address (this is possible
because we don't set source addresses in outbound messages). This way
we may learn the correct local address if it e.g. changed right before
reestablishing an SA.
Updating the local address later is tricky without MOBIKE as the
responder might not update the associated IPsec SAs properly.
2013-09-23 11:50:12 +02:00
9292357030
ike-sa: Resolve hosts before reestablishing an IKE_SA
2013-09-23 11:49:52 +02:00
e3f64a79c2
android: Several plugins were moved from libcharon to libtnccs
...
These were moved in commits e8f65c5cde12b3db5006
2013-09-23 11:49:52 +02:00
c3ee829eee
android: Properly handle failures while initializing charon
2013-09-23 11:49:52 +02:00
255b9dac5d
kernel-netlink: Allow to override xfrm_acq_expires value
...
When using auto=route, current xfrm_acq_expires default value
implies that tunnel can be down for up to 165 seconds, if
other peer rejected first IKE request with an AUTH_FAILED or
NO_PROPOSAL_CHOSEN error message. These error messages are
completely normal in setups where another application
pushes configuration to both strongSwans without waiting
for acknowledgment that they have updated their configurations.
This patch allows strongswan to override xfrm_acq_expires default
value by setting charon.plugins.kernel-netlink.xfrm_acq_expires in
strongswan.conf.
Signed-off-by: Ansis Atteka <aatteka@nicira.com>
2013-09-23 10:45:14 +02:00
2c4d772a79
Implemented TCG/PB-PDP_Referral message
2013-09-17 21:57:08 +02:00
ddfc589600
Allow vendor-specific PB-TNC messages
2013-09-17 11:19:11 +02:00
ab155e6907
ignore *.1 manpage files
2013-09-17 10:58:53 +02:00
075e80368b
sshkey: Add support for parsing keys from files
2013-09-13 15:23:49 +02:00
b2a5317596
sshkey: Add encoding for ECDSA keys
2013-09-13 15:23:49 +02:00
d6b3cc87ca
openssl: Add support for generic encoding of EC public keys
2013-09-13 15:23:49 +02:00
90afd2c929
pki: --pub also accepts public keys (i.e. to convert them to a different format)
2013-09-13 15:23:49 +02:00
21626bdf77
pki: Add support to encode public keys in SSH key format
2013-09-13 15:23:49 +02:00
f40e9f4d16
sshkey: Add encoder for RSA keys
2013-09-13 15:23:49 +02:00
3b939e20a9
openssl: Add generic RSA public key encoding
2013-09-13 15:23:49 +02:00
b5cc7053c8
openssl: Add helper function to convert BIGNUMs to chunks
2013-09-13 15:23:49 +02:00
ed56c86ec1
pki: Don't print an error if no arguments are given
2013-09-13 15:14:00 +02:00
0dc8ba8779
pki: Install pki(1) as utility directly in $prefix/bin
...
ipsec pki is maintained as alias.
2013-09-13 15:07:36 +02:00
1a8ffea315
pki: Add example commands to setup a simple CA
2013-09-13 15:07:36 +02:00
b068c4ec9d
pki: Add pki --verify man page
2013-09-13 15:07:36 +02:00
4adeaa5eb9
pki: Add pki --pub man page
2013-09-13 15:07:36 +02:00
a319eff80d
pki: Add pki --print man page
2013-09-13 15:07:35 +02:00
e69fd30538
pki: Add pki --keyid man page
2013-09-13 15:07:35 +02:00
558771400e
pki: Add pki --pkcs7 man page
2013-09-13 15:07:35 +02:00
bb8e2e1759
pki: Add pki --req man page
2013-09-13 15:07:35 +02:00
96aa5a1ddd
pki: Add pki --signcrl man page
2013-09-13 15:07:35 +02:00
42e3a21e24
pki: Add pki --issue man page
2013-09-13 15:07:35 +02:00
3a643b8901
pki: Add pki --self man page
...
Can be opened with "man pki --self".
2013-09-13 15:07:35 +02:00
a612f6e338
pki: Add pki --gen man page
...
Can be opened with "man pki --gen".
2013-09-13 15:07:29 +02:00
34cff9349b
pki: Add ipsec-pki(8) man page
...
Can be opened either with "man ipsec pki" or "man ipsec-pki".
Since man(1) only supports one level of subpages, the forthcoming man
pages for each command will have to be opened with "man pki --<command>".
2013-09-13 14:32:51 +02:00
8250fc10e8
Build generated man pages via configure script
2013-09-13 14:32:51 +02:00
f5dcb38ead
resolve: Remove comment when using resolvconf(8)
...
Since comments in resolv.conf are only valid at the beginning of a line
resolvconf(8) seems to have started treating any text after
'nameserver <ip>' as additional IP addresses for name servers.
Since it ignores comments, and we can easily remove the added servers
again, there is no point to add any.
Fixes #410 .
2013-09-13 14:13:21 +02:00
2b84ccd6a6
libipsec: fix memory management when cloning ip_packet
2013-09-13 13:56:44 +02:00
96136a1229
libipsec: check for a policy with the reqid of the SA on decapsulation
...
To prevent a client from sending a packet with a source address of a different
client, we require a policy bound via reqid to the decapsulating SA.
2013-09-13 13:56:43 +02:00
791fde1669
stroke: don't remove a matching peer config if used by other child configs
...
When configurations get merged during add, we should not remove peer configs
if other connection entries use the same peer config.
2013-09-13 13:56:31 +02:00
11ac36b016
conftest: Don't load plugins incrementally
...
This is not supported by the plugin loader, so we simply combine the
plugin lists and load them all at once.
2013-09-13 11:44:04 +02:00
fafa768478
ikev1: Fix double free when searching for redundant CHILD_SAs
...
Fixes #411 .
2013-09-13 10:14:45 +02:00
be8179abd2
Build all IMC/IMVs with -no-undefined
2013-09-12 01:44:50 +02:00
7d87b24634
pt-tls-client: Report loaded plugins
2013-09-12 01:44:49 +02:00
5d45bcfc5f
pt-tls-client: Abort if no tnccs-manager is available
2013-09-12 01:44:49 +02:00
9af44ef5d9
Build all shared libraries with -no-undefined and link them properly
...
The flag is required to convince libtool on Cygwin to build DLLs. But on
Windows these shared libraries can not have undefined symbols, so we have to
link them explicitly to the libraries they reference.
For plugins this is currently not done, so only the monolithic build is
supported. The plugin loader wouldn't be able to load DLLs anyway, as
it tries to load files that don't exist on Cygwin.
2013-09-12 01:44:49 +02:00
bf32cdfbf6
tun_device: Add warning if TUN devices are not supported by platform
2013-09-12 01:44:49 +02:00
5ec08a6a05
Make sure libstrongswan is initialized first in IMCs and IMVs
2013-09-11 20:58:18 +02:00
4eb6149ae8
sockets: Initialize the whole ancillary data buffer not only the actual struct
...
This avoids uninitialized bytes that Valgrind seems to notice otherwise.
Fixes #395 .
2013-09-10 13:42:59 +02:00
7d938be9e9
ikev1: For PFS prefer DH group from IKE_SA over first configured
...
If PFS is configured for a CHILD_SA first try to create a list of
proposals with using DH group negotiated during phase 1. If the
resulting list is empty (i.e. the DH group(s) configured for PFS differ
from the one(s) configured for the IKE_SA), fall back to the first
configured DH group from the CHILD_SA.
This modificiation is due to the fact that it is likely that the peer
supports the same DH group for PFS it did already for the IKE_SA.
2013-09-10 10:28:32 +02:00
ec331a7dd6
kernel-netlink: increase buffer size for RT netlink messages
...
Commit 940e1b0f66
2013-09-10 09:34:09 +02:00
c1ebc7b1cc
Fixed double free causing swapped ends to crash
2013-09-07 08:25:10 +02:00
847b148f91
Minor performance tuning
2013-09-07 07:39:03 +02:00
3adffcd9eb
Implemented targeted SWID request
2013-09-06 22:06:39 +02:00
ae32172619
Make SWID directory where tags are stored configurable
2013-09-05 12:25:02 +02:00
9b8137fdd3
Added tags table and some tag samples
2013-09-05 11:29:23 +02:00
b28686d530
swid_inventory object has a get_count method
2013-09-04 21:56:25 +02:00
bd3eaaef9b
Count collected SWID tags or tag IDs
2013-09-04 21:30:36 +02:00
cee1a86385
Proceed with attestation only if Attestation IMC returns a discovery response
2013-09-04 21:30:36 +02:00
a4b996c0bc
libipsec: Properly initialize variables when creating AEAD wrapper
2013-09-04 16:18:29 +02:00
c742905f50
android: Fix compilation after PTS header files were moved
2013-09-04 16:18:29 +02:00
cd764f42b9
libpts: Android.mk updated
2013-09-04 16:18:29 +02:00
1fd5c7fbac
load-tester: support extended traffic selector syntax, as in leftsubnet
...
In addition the initiator may use %unique as port, using a distinct port for
each connection, starting from 1025.
2013-09-04 10:49:48 +02:00
47b4a51402
load-tester: add an option to test transport/beet connections
2013-09-04 10:49:48 +02:00
3070697f9f
ike: support multiple addresses, ranges and subnets in IKE address config
...
Replace the allowany semantic by a more powerful subnet and IP range matching.
Multiple addresses, DNS names, subnets and ranges can be specified in a comma
separated list. Initiators ignore the ranges/subnets, responders match
configurations against all addresses, ranges and subnets.
2013-09-04 10:38:37 +02:00
beffdc6ab8
ike-cfg: remove the to be obsoleted allow any parameter in get_my/other_addr
2013-09-04 10:38:37 +02:00
62282ec0ed
backends: use ike_cfg host matching functions
2013-09-04 10:38:37 +02:00
6f666192bb
ike-cfg: add methods to match a host against configured local/remote addresses
2013-09-04 10:38:37 +02:00
7446fa2860
trap-manager: use ike_cfg resolver functions
2013-09-04 10:38:37 +02:00
0edce68767
ike-sa: use ike_cfg resolver functions
2013-09-04 10:38:36 +02:00
e743275cae
ike-cfg: add a method to resolve local/remote hosts with port
2013-09-04 10:38:36 +02:00
a858064455
stroke: ignore a leftsourceip if a rightsourceip is given as well
...
As we always negotiate virtual IPs in charon, having both left- and
rightsourceip is not allowed. Both in IKEv1 and IKEv2 we support a single
configuration payload exchange only.
2013-09-04 10:33:38 +02:00
e3311e9b87
ikev1: implement mode config push mode
2013-09-04 10:33:38 +02:00
2bae838d5e
stroke: re-enable modeconfig keyword
2013-09-04 10:33:38 +02:00
9aeaa7396e
peer-cfg: add a pull/push mode option to use with mode config
2013-09-04 10:33:37 +02:00
e8b36eb92f
charon-cmd: support prompting for a PIN
...
To support a Password and PIN XAuth combo, additionally support multiple
prompts for different credential types.
2013-09-03 16:26:19 +02:00
45797bd50b
xauth-generic: honor requested XAuth credential types as a client
...
Support requesting of XAuth PINs and print XAuth messages.
2013-09-03 16:26:19 +02:00
3482cc9cf6
attributes: shorten some Unity and XAuth attribute short names
2013-09-03 16:26:19 +02:00
61b0079881
message: print type of configuration payload
2013-09-03 16:26:19 +02:00
8e4b258030
message: print attributes for IKEv1 configuration payloads as well
2013-09-03 16:26:19 +02:00
d787ada894
eap-radius: support XAuth configuration profiles, defining multiple XAuth rounds
2013-09-03 16:26:19 +02:00
510ecf612a
xauth: add a configuration string option to be passed to XAuth instances
...
The configuration string is appended to the XAuth backend name, separated by
a colon. The configuration string is passed untouched to the backend, where
it can change the behavior of the XAuth module.
2013-09-03 16:26:19 +02:00
7a425fb24c
Use ipsec_DATA destination
2013-09-02 14:20:33 +02:00
0c2348581c
Install SWID tag also in /share/
2013-09-02 14:01:05 +02:00
9f85122af9
Generate strongSwan SWID tag
2013-09-02 13:08:41 +02:00
86f00e6aff
Added regids table and some sample reqid data
2013-09-02 12:00:47 +02:00
d1696c0eaa
Corrected debug class to DBG_IMC
2013-09-02 12:00:46 +02:00
10a69c32c2
conftest: Fix hook constructor resolution via dlsym()
...
AM_CPPFLAGS only takes preprocessor flags like -I or -D, so it did not
forward -rdynamic to the linker (--export-dynamic), which meant that the
symbols defined in the executable itself were not resolvable via dlsym().
Fixes #394 .
2013-08-30 19:45:51 +02:00
4e2a176229
SWID IMC implements recursive tag collection in /usr/share
2013-08-30 16:25:55 +02:00
45b80880f8
kernel-pfroute: Fix mixed up memset() call in get_route()
...
The retry code introduced in dc8b083
2013-08-29 18:56:39 +02:00
a0cd955f42
charon-xpc: add a note how to build the source tarball
2013-08-29 12:28:54 +02:00
74ee1120d7
charon-xpc: include and prefer AES-GCM algorithms in ESP proposal
2013-08-29 11:37:07 +02:00
1e82e27ac5
Added TCG-SWID error handling
2013-08-28 22:53:57 +02:00
7bda0f0c8b
Added tzset memory leak to whitelist
2013-08-28 22:51:17 +02:00
0d9e375193
Selectively enable PT-TLS and/or RADIUS sockets in tnc-pdp plugin
2013-08-26 20:36:07 +02:00
f0c54e8c15
chunk: Print chunks without separator if + modifier is used
2013-08-24 16:22:51 +02:00
32a145fdbd
utils: Add case-insensitive version of strpfx()
2013-08-24 16:22:51 +02:00
49032d15be
stroke: stop enumerating IKE_SAs in statusall if output stream gets closed
...
If the output stream is not interested in more information, it can close the
the stream. Checking for stream errors avoids useless enumeration of IKE_SAs,
saving resources. This allows to use "ipsec statusall | head" to monitor the
daemon, or stop enumerating IKE_SAs after a specific entry has been found.
2013-08-23 14:27:17 +02:00
d7ae0b254d
kernel: Restore enumeration of all addresses when searching for address in TS
...
Since f52cf07532
2013-08-21 17:01:03 +02:00
85ca2f7441
conftest: Disable reset_seq hook on systems other than Linux
...
Fixes #386 .
2013-08-21 11:27:28 +02:00
e001cc2b07
kernel-netlink: Fix calculation of ESN bitmap length
...
While bmp_len stores the number of u_int32_t the allocated bitmap
actually consists of those integers.
2013-08-21 08:28:12 +02:00
e626821677
Version bump to 5.1.1dr1
2013-08-19 10:03:23 +02:00
1e92d5f114
Process PB-TNC batches received via PT-TLS asynchronously
2013-08-19 09:52:12 +02:00
9dc3b2053d
Optimize TLS socket buffer for TLS_MAX_FRAGMENT_LEN
2013-08-19 09:50:57 +02:00
70a80ef5d4
Output handler of a given workitem
2013-08-16 14:14:13 +02:00
4d2bac37c4
Implemented SWID Tag Inventory attribute
2013-08-16 14:13:35 +02:00
f405c15a59
deleted moved files
2013-08-15 23:34:23 +02:00
b38d9d5a54
Implemented SWID prototype IMC/IMV pair
2013-08-15 23:34:23 +02:00
0bd29a438e
Updated the SWID attributes
2013-08-15 23:34:23 +02:00
e689de6b8c
Optimized PT-TLS data transfer
2013-08-15 23:34:23 +02:00
6aff4b5ce8
Show host address of peer connecting to PT-TLS socket
2013-08-15 23:34:23 +02:00
0a09b02dcf
Set client identity with TLS certificate authentication
2013-08-15 23:34:23 +02:00
9cc606d22a
Fixed memory leak in SASL PLAIN
2013-08-15 23:34:23 +02:00
663ea1407d
added --optionsfrom capability
2013-08-15 23:34:23 +02:00
7c027f7983
Use client identities from successful authentications, only
2013-08-15 23:34:23 +02:00
d6719c974c
Add pt-tls-client to .gitignore
2013-08-15 23:34:23 +02:00
97b1d39de5
Extract client identity and authentication type from SASL authentication
2013-08-15 23:34:22 +02:00
6d6100c2bc
Added some debug statements
2013-08-15 23:34:22 +02:00
f420d5f380
enabled SASL PLAIN authentication
2013-08-15 23:34:22 +02:00
8327c44b74
PT-TLS connection is properly terminated
2013-08-15 23:34:22 +02:00
12b3db5006
moved tnc_imv plugin to libtnccs thanks to recommendation callback function
2013-08-15 23:34:22 +02:00
e8f65c5cde
Moved tnc-tnccs, tnc-imc, tnccs-11, tnccs-20 and tnccs-dynamic libcharon plugins to libtnccs
2013-08-15 23:34:22 +02:00
180a2f2642
rapid PT-TLS AR/PDP prototype
2013-08-15 23:34:22 +02:00
f5b5d262e8
Add PT-TLS interface to strongSwan PDP
2013-08-15 23:34:22 +02:00
f853e7bcc0
ikev1: Fix calculation of the number of fragments
...
The old code resulted in too few fragments in some cases.
2013-08-15 15:15:34 +02:00
c81a6ff907
ikev1: When sending fragments, use ports to decide if a non-ESP marker is added
...
This is same same logic used by sender and might apply in some cases (e.g.
when initiating to port 4500).
2013-08-15 15:12:00 +02:00
e42ab08a73
ikev2: Fix segfault when reestablishing CHILD_SAs due to closeaction=restart|hold
...
This regression was introduced with c949a4d5
2013-08-13 10:08:08 +02:00
3f29ff82c3
libipsec: Don't limit traditional algorithms to AES and SHA1/2
...
Closes #377 .
2013-08-12 12:21:57 +02:00
11f468533f
kernel-netlink,pfroute: Properly update address flag within ROAM_DELAY
...
77d4a0255da01fFixes #374 .
2013-08-12 12:08:23 +02:00
55da01f348
kernel-pfroute: Implement roam event handling like in the kernel-netlink plugin
...
There was no proper locking and the issue regarding the address
flag also existed.
2013-08-12 12:03:48 +02:00
77d4a0281a
kernel-netlink: Ensure address changes are not missed in roam events
...
If multiple roam events are triggered within ROAM_DELAY, only one job is
created. The old code set the address flag to the value of the last
triggering call. So if a route change followed an address change within
ROAM_DELAY the address change was missed by the upper layers, e.g. causing
it not to update the list of addresses via MOBIKE.
The new code now keeps the state of the address flag until the job is
actually executed, which still has some issues. For instance, if an
address disappears and reappears within ROAM_RELAY, the flag would not
have to be set to TRUE. So address updates might occasionally get
triggered where none would actually be required.
Fixes #374 .
2013-08-12 12:02:55 +02:00
a24515c515
backtrace: rename clone() method clashing with system call
...
Fixes #376 .
2013-08-09 09:13:39 +02:00
881e9a7e2e
updown: remove description of unsupported PLUTO_ variables
...
These have been set by pluto, but are not by charons updown plugin.
2013-08-08 14:48:32 +02:00
58e32e4871
tnc-pdp: Initialize struct msghdr properly when reading RADIUS messages
...
Before this e.g. msg_controllen was not initialized properly which could
cause invalid reads.
2013-07-31 22:16:58 +02:00
d12fc14616
whitelist: Fix compilation on FreeBSD
2013-07-31 22:16:58 +02:00
ed0efaef4c
host: Properly initialize struct sockaddr_in[6] when parsing strings
...
Otherwise struct members like sin6_flowinfo or sin6_scope_id might be
set to bogus values.
2013-07-31 22:16:58 +02:00
b3393c88c1
asn1: Fix handling of invalid ASN.1 length in is_asn1()
...
Fixes CVE-2013-5018.
2013-07-31 22:16:58 +02:00
cc5bedbb98
Callback job is not needed any more
2013-07-31 22:13:49 +02:00
8fa7c5c191
charon-xpc: load missing ctr/ccm/gcm plugins
2013-07-31 16:28:11 +02:00
Tobias Brunner