Martin Willi
5900d6d469
Merge branch 'printf-hook'
...
Adds a custom printf hook implementation as a fallback if neither the glibc
style hooks nor vstr is available. This can avoid the Vstr dependency on some
systems at the cost of slower and less complete printf functions.
2013-10-11 11:12:38 +02:00
Martin Willi
795cbb98c6
printf-hook-builtin: Print NaN/Infinity floating point values as such
2013-10-11 11:06:09 +02:00
Martin Willi
8af9bf70f5
printf-hook-builtin: Correctly round up floating point values
2013-10-11 11:06:09 +02:00
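The two commits above (rounding and NaN/Infinity handling in the builtin float formatter) are terse, so here is an added example of what a minimal fixed-point float formatter has to get right. This is illustrative code written for this page, not strongSwan's printf-hook-builtin implementation: it scales by 10^prec, rounds half up in integer arithmetic so that a carry out of the fraction propagates into the integer part, and prints NaN and infinities by name. Function names (`fmt_double`, `demo_fmt`) and the 0..18 precision limit are assumptions of the example.

```c
#include <math.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Format v with prec decimals (0..18) into out. NaN and infinities are
 * printed by name; everything else is scaled by 10^prec, rounded half up
 * and split into integer and fraction parts, so a carry out of the fraction
 * (0.999 at two decimals) propagates into "1.00". Returns what snprintf
 * returns. Note: glibc rounds half to even, this example rounds half up.
 */
int fmt_double(char *out, size_t outlen, double v, int prec)
{
    uint64_t scale = 1, n, ip, fp;
    const char *sign = "";
    int i;

    if (isnan(v))
        return snprintf(out, outlen, "nan");
    if (isinf(v))
        return snprintf(out, outlen, "%sinf", v < 0 ? "-" : "");
    if (signbit(v))
    {
        sign = "-";
        v = -v;
    }
    if (prec < 0 || prec > 18)
        prec = 18;                      /* 10^19 would not fit into 64 bits */
    for (i = 0; i < prec; i++)
        scale *= 10;
    v = v * (double)scale + 0.5;        /* round half up on the scaled value */
    if (v >= 18446744073709551615.0)    /* scaled value must fit into u64 */
        return snprintf(out, outlen, "%s?", sign);
    n = (uint64_t)v;
    ip = n / scale;                     /* integer part, carry included */
    fp = n % scale;                     /* fraction, zero padded below */
    if (prec == 0)
        return snprintf(out, outlen, "%s%llu", sign, (unsigned long long)ip);
    return snprintf(out, outlen, "%s%llu.%0*llu", sign,
                    (unsigned long long)ip, prec, (unsigned long long)fp);
}

/* convenience wrapper for demos and tests, uses a static buffer */
const char *demo_fmt(double v, int prec)
{
    static char buf[64];

    fmt_double(buf, sizeof(buf), v, prec);
    return buf;
}

int main(void)
{
    printf("%s %s %s %s %s\n", demo_fmt(0.999, 2), demo_fmt(3.14159, 3),
           demo_fmt(-2.5, 0), demo_fmt(NAN, 2), demo_fmt(-INFINITY, 2));
    return 0;
}
```

The carry case is the one that a naive "print integer part, then print fraction" implementation gets wrong (it yields "0.100" or "0.00" for 0.999 at two decimals); rounding the scaled integer first avoids it.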
Martin Willi
edc7a3d02f
printf-hook-builtin: Add some preliminary floating point support
...
This minimalistic implementation has no aspiration for completeness or
accuracy, and just provides what we need.
2013-10-11 11:06:09 +02:00
Martin Willi
7e6a4cdc84
printf-hook-builtin: Support GNU %m specifier
2013-10-11 11:06:09 +02:00
Martin Willi
cabe5c0ff4
printf-hook-builtin: Add a new "builtin" backend using its own printf() routines
...
Overloads printf C library functions by a self-contained implementation,
based on klibc. Does not yet feature all the required default formatters,
including those for floating point values.
2013-10-11 11:06:02 +02:00
Martin Willi
ebca34d782
printf-hook: Add some basic printf() string/integer test functions
2013-10-11 11:05:37 +02:00
Martin Willi
243048248b
printf-hook: Move glibc/vstr printf hook backends to separate files
2013-10-11 11:05:30 +02:00
Martin Willi
11282d0054
Merge branch 'libipsec-usestats'
...
Brings SA usage statistics and volume based expiration to libipsec and the
associated kernel-libipsec plugin. Additionally removes any ESPv3 style TFC
padding found in incoming packets.
2013-10-11 10:25:35 +02:00
Martin Willi
d53002f088
libipsec: Enforce byte/packet lifetimes on SAs
2013-10-11 10:23:18 +02:00
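The commit above enforces byte and packet lifetimes on libipsec SAs. As an added example, not libipsec's own code, the following shows the accounting logic such enforcement needs: per-SA counters, separate soft and hard limits, each expire event raised exactly once, and hard taking precedence over soft when one packet crosses both. The type and function names (`sa_usage_t`, `sa_usage_update`, `demo_first_event_packet`) and the scenario values are assumptions of the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef enum {
    SA_USE_OK,          /* packet accounted, SA keeps going */
    SA_EXPIRE_SOFT,     /* soft limit crossed: trigger a rekey, SA still usable */
    SA_EXPIRE_HARD,     /* hard limit crossed: SA must be deleted now */
} sa_event_t;

/* usage counters and limits of one SA; a limit of 0 means unlimited */
typedef struct {
    uint64_t bytes, packets;
    uint64_t soft_bytes, hard_bytes;
    uint64_t soft_packets, hard_packets;
    bool soft_sent, hard_sent;      /* each expire event is raised only once */
} sa_usage_t;

static bool limit_hit(uint64_t value, uint64_t limit)
{
    return limit != 0 && value >= limit;
}

/*
 * Account one packet of 'len' bytes to the SA and report whether this packet
 * crossed a lifetime limit. Hard beats soft: if a single packet crosses both,
 * only the hard expire is reported, and the soft one is never raised later.
 */
sa_event_t sa_usage_update(sa_usage_t *u, uint64_t len)
{
    u->bytes += len;
    u->packets++;

    if (!u->hard_sent &&
        (limit_hit(u->bytes, u->hard_bytes) ||
         limit_hit(u->packets, u->hard_packets)))
    {
        u->hard_sent = u->soft_sent = true;
        return SA_EXPIRE_HARD;
    }
    if (!u->soft_sent &&
        (limit_hit(u->bytes, u->soft_bytes) ||
         limit_hit(u->packets, u->soft_packets)))
    {
        u->soft_sent = true;
        return SA_EXPIRE_SOFT;
    }
    return SA_USE_OK;
}

/*
 * Constructed scenario: soft byte limit 100, hard byte limit 150, hard packet
 * limit 5, fed with six 40 byte packets. Returns the 1-based index of the
 * first packet that produced event 'ev', or 0 if it never occurred.
 */
int demo_first_event_packet(sa_event_t ev)
{
    sa_usage_t sa = {
        .soft_bytes = 100, .hard_bytes = 150, .hard_packets = 5,
    };
    int i;

    for (i = 1; i <= 6; i++)
    {
        if (sa_usage_update(&sa, 40) == ev)
            return i;
    }
    return 0;
}

int main(void)
{
    printf("soft expire at packet %d, hard expire at packet %d\n",
           demo_first_event_packet(SA_EXPIRE_SOFT),
           demo_first_event_packet(SA_EXPIRE_HARD));
    return 0;
}
```

In the scenario the third packet (120 bytes) raises the soft expire and the fourth (160 bytes) the hard expire; packets five and six, although still over both limits, report nothing, which is what keeps a userland IPsec stack from flooding the IKE daemon with duplicate expire events.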
Martin Willi
12fdc2b16b
kernel-libipsec: Support ESPv3 TFC padding
2013-10-11 10:23:18 +02:00
Martin Willi
293515f95c
libipsec: remove extra RFC4303 TFC padding appended to inner payload
2013-10-11 10:23:17 +02:00
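RFC 4303 section 2.7 lets a sender append arbitrary TFC padding after the inner packet, and the receiver recovers the real length from the inner IP header. As an added example, not the libipsec code from the commit above, the function below does that for tunnel-mode IPv4 and IPv6 inner packets after the ESP trailer has already been removed, and treats a header that declares more bytes than were received as malformed rather than as padding. The function and demo names are assumptions of the example; the sample packets are constructed inline.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ESP Next Header values identifying a tunnel-mode inner packet */
#define NH_IPV4 4
#define NH_IPV6 41

/*
 * Given the decrypted ESP payload (ESP trailer already stripped), return how
 * many leading bytes belong to the inner packet according to its own IP
 * header. Everything after that is TFC padding and must be dropped before
 * the packet is forwarded. Returns 0 if the inner header is truncated or
 * declares more data than was received, which is a malformed packet.
 */
size_t tfc_inner_len(uint8_t next_header, const uint8_t *buf, size_t len)
{
    size_t declared;

    switch (next_header)
    {
        case NH_IPV4:
            /* version nibble must be 4, total length is in bytes 2-3 */
            if (len < 20 || (buf[0] >> 4) != 4)
                return 0;
            declared = ((size_t)buf[2] << 8) | buf[3];
            if (declared < 20)
                return 0;
            break;
        case NH_IPV6:
            /* payload length in bytes 4-5 excludes the fixed 40 byte header */
            if (len < 40 || (buf[0] >> 4) != 6)
                return 0;
            declared = 40 + (((size_t)buf[4] << 8) | buf[5]);
            break;
        default:
            /* transport mode: only the upper layer knows its length, so no
             * padding can be detected here and the payload is kept as is */
            return len;
    }
    if (declared > len)
        return 0;
    return declared;
}

/* constructed sample: IPv4 header with total length 28 (20 + 8 payload)
 * followed by 12 bytes of TFC padding, 40 bytes in total */
size_t demo_ipv4_padded(void)
{
    uint8_t pkt[40];

    memset(pkt, 0, sizeof(pkt));
    pkt[0] = 0x45;                  /* IPv4, IHL 5 */
    pkt[3] = 28;                    /* total length */
    pkt[9] = 17;                    /* inner protocol UDP */
    memset(pkt + 20, 0xaa, 8);      /* payload, bytes 28..39 are padding */
    return tfc_inner_len(NH_IPV4, pkt, sizeof(pkt));
}

/* constructed sample: IPv6 header with payload length 8, 5 bytes padding */
size_t demo_ipv6_padded(void)
{
    uint8_t pkt[53];

    memset(pkt, 0, sizeof(pkt));
    pkt[0] = 0x60;                  /* IPv6 */
    pkt[5] = 8;                     /* payload length */
    pkt[6] = 17;                    /* next header UDP */
    memset(pkt + 40, 0xbb, 8);
    return tfc_inner_len(NH_IPV6, pkt, sizeof(pkt));
}

/* constructed sample: header claims 28 bytes but only 24 arrived */
size_t demo_ipv4_truncated(void)
{
    uint8_t pkt[24];

    memset(pkt, 0, sizeof(pkt));
    pkt[0] = 0x45;
    pkt[3] = 28;
    return tfc_inner_len(NH_IPV4, pkt, sizeof(pkt));
}

int main(void)
{
    printf("ipv4: %zu, ipv6: %zu, truncated: %zu\n",
           demo_ipv4_padded(), demo_ipv6_padded(), demo_ipv4_truncated());
    return 0;
}
```

The length check against the received size matters: an inner header that claims more than was decrypted is not padding to trim but a packet to drop, otherwise a later consumer of the buffer would read past the data that was actually authenticated.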
Martin Willi
d53f9b9637
kernel-libipsec: Support query_sa() to report usage statistics
2013-10-11 10:23:17 +02:00
Martin Willi
b08967d6d8
libipsec: Support usage statistics and query_sa() on IPsec SAs
2013-10-11 10:23:17 +02:00
Martin Willi
d7083b6541
kernel: Use a time_t to report use time in query_policy()
2013-10-11 10:23:17 +02:00
Martin Willi
c99458e94e
kernel: Use a time_t to report use time in query_sa()
2013-10-11 10:23:17 +02:00
Martin Willi
b59bcba2b3
Merge branch 'ah'
...
Brings support for Security Associations integrity protected by the
Authentication Header protocol, both to IKEv1 and IKEv2. Currently only plain
AH is supported, but not (now deprecated) RFC2401-style AH+ESP bundles.
2013-10-11 10:15:43 +02:00
Martin Willi
5fdbb3c6ad
ipsec.conf: Add a description for the new 'ah' keyword.
2013-10-11 10:15:22 +02:00
Martin Willi
fa7815538f
testing: Add an IKEv1 host2host AH transport mode test case
2013-10-11 10:15:22 +02:00
Martin Willi
ef4560121d
testing: Add an IKEv1 net2net AH test case
2013-10-11 10:15:22 +02:00
Martin Willi
80a82b8d67
testing: Add an IKEv2 host2host AH transport mode test case
2013-10-11 10:15:22 +02:00
Martin Willi
850bab6d58
testing: Add an IKEv2 net2net AH test case
2013-10-11 10:15:22 +02:00
Martin Willi
71d468ec90
testing: Allow AH packets in default INPUT/OUTPUT chains
2013-10-11 10:15:22 +02:00
Martin Willi
4817595876
updown: Install forwarding rules with the actually used protocol
2013-10-11 10:15:22 +02:00
Martin Willi
c5d9b133e0
updown: Add a PLUTO_PROTO variable set to 'ah' or 'esp'
2013-10-11 10:15:21 +02:00
Martin Willi
e48e530b44
starter: Reject connections having both 'ah' and 'esp' keywords set
...
We currently don't support mixed proposals or bundles, so don't create the
illusion we would.
2013-10-11 10:15:21 +02:00
Martin Willi
757343d90e
ike: Define keylength for aescmac algorithm
2013-10-11 10:15:21 +02:00
Martin Willi
a1379e3210
ikev1: Support parsing of AH+IPComp proposals
2013-10-11 10:15:21 +02:00
Martin Willi
25f74be8f9
starter: Remove obsolete 'auth' option
2013-10-11 10:15:21 +02:00
Martin Willi
d489e75579
ikev1: Accept more than two certificate payloads
2013-10-11 10:15:21 +02:00
Martin Willi
3771b85806
ikev1: Support en-/decoding of SA payloads with AH algorithms
2013-10-11 10:15:21 +02:00
Martin Willi
44e6aa4fb7
kernel-handler: Whitespace cleanups
2013-10-11 10:15:21 +02:00
Martin Willi
f6037b5506
stroke: List proposals in statusall without leading '/' in AH SAs
2013-10-11 10:15:21 +02:00
Martin Willi
4bf92306eb
ikev1: Delete quick modes with the negotiated SA protocol
2013-10-11 10:15:21 +02:00
Martin Willi
5d569e07fd
trap-manager: Install trap with SA protocol of the first configured proposal
2013-10-11 10:15:21 +02:00
Martin Willi
21b096f3b8
child-sa: Save protocol during SPI allocation
...
This allows us to properly delete the incomplete SA with the correct protocol
should negotiation fail.
2013-10-11 10:15:21 +02:00
Martin Willi
908fe1632d
ikev1: Negotiate SPI with the first/negotiated proposal protocol
2013-10-11 10:15:21 +02:00
Martin Willi
cdab8630d9
ikev2: Allocate SPI with the protocol of the first/negotiated proposal
2013-10-11 10:15:21 +02:00
Martin Willi
f0c59e1cf8
proposal: Strip redundant integrity algos for ESP proposals only
2013-10-11 10:15:21 +02:00
Martin Willi
0576412989
stroke: Configure proposal with AH protocol if 'ah' option set
2013-10-11 10:15:20 +02:00
Martin Willi
a07b97e804
starter: Add an 'ah' keyword for Authentication Header Security Associations
2013-10-11 10:15:20 +02:00
Andreas Steffen
4524e128f8
Version bump to 5.1.1rc1
2013-10-11 09:53:42 +02:00
Andreas Steffen
3588299fb8
Keep a copy of the tnccs instance for PT-TLS handover
2013-10-09 19:03:07 +02:00
Tobias Brunner
3e3db3743e
xauth-pam: Make trimming of email addresses optional
...
Fixes #430.
2013-10-04 10:49:54 +02:00
Martin Willi
d2e4dd75b7
ikev1: Accept reauthentication attempts with a keep unique policy from same host
...
When we have a "keep" unique policy in place, we have to be less strict in
rejecting Main/Aggressive Modes to enforce it. If the host/port equals
that of an existing ISAKMP SA, we assume it is a reauthentication attempt
and accept the new SA (to replace the old).
2013-09-30 13:51:12 +02:00
Martin Willi
9c19d7ca31
ikev1: Don't log a reauthentication detection message if no children adopted
...
When a replace unique policy is in place, the children get adopted during
the uniqueness check. In this case the message is just misleading.
2013-09-30 13:51:11 +02:00
Martin Willi
ee99f37ecc
ikev1: Delay a potential delete for a duplicate IKE_SA having a replace policy
...
Sending a DELETE for the replaced SA immediately is problematic during
reauthentication, as the peer might have associated the Quick Modes to the
old SA, and also delete them.
With this change the delete for the old ISAKMP SA is usually omitted, as it
gets implicitly deleted by the reauth.
2013-09-30 13:51:11 +02:00
Tobias Brunner
e4b7b48c1e
eap-radius: Increase buffer for attributes sent in RADIUS accounting messages
...
64 bytes might be too short for user names/identities.
2013-09-27 13:37:12 +02:00
Tobias Brunner
c8f34ba7b6
openssl: Properly log FIPS mode when enabled via openssl.conf
...
Enabling FIPS mode twice will fail, so if it is enabled in openssl.conf
it should be disabled in strongswan.conf (or the other way around).
Either way, we should log whether FIPS mode is enabled or not.
References #412.
2013-09-27 09:24:03 +02:00
Tobias Brunner
e4d63cfae7
android: New release after fixing remediation instructions regression
2013-09-26 13:53:39 +02:00