ims-volte-vowifi
/
strongswan
9
0
Fork 0
Code Pull Requests Releases Activity
12,119 Commits 6 Branches 233 Tags 88 MiB
Commit Graph

12119 Commits

Author SHA1 Message Date
Martin Willi 5900d6d469 Merge branch 'printf-hook' 
Adds a custom printf hook implementation as a fallback if neither the glibc
style hooks nor vstr is available. This can avoid the Vstr dependency on some
systems at the cost of slower and less complete printf functions.
 2013-10-11 11:12:38 +02:00
Martin Willi 795cbb98c6 printf-hook-builtin: Print NaN/Infinity floating point values as such 2013-10-11 11:06:09 +02:00
Martin Willi 8af9bf70f5 printf-hook-builtin: Correctly round up floating point values 2013-10-11 11:06:09 +02:00
Martin Willi edc7a3d02f printf-hook-builtin: Add some preliminary floating point support 
This minimalistic implementation has no aspiration for completeness or
accuracy, and just provides what we need.
 2013-10-11 11:06:09 +02:00
Martin Willi 7e6a4cdc84 printf-hook-builtin: Support GNU %m specifier 2013-10-11 11:06:09 +02:00
Martin Willi cabe5c0ff4 printf-hook-builtin: Add a new "builtin" backend using its own printf() routines 
Overloads printf C library functions by a self-contained implementation,
based on klibc. Does not yet feature all the required default formatters,
including those for floating point values.
 2013-10-11 11:06:02 +02:00
Martin Willi ebca34d782 printf-hook: Add some basic printf() string/integer test functions 2013-10-11 11:05:37 +02:00
Martin Willi 243048248b printf-hook: Move glibc/vstr printf hook backends to separate files 2013-10-11 11:05:30 +02:00
Martin Willi 11282d0054 Merge branch 'libipsec-usestats' 
Brings SA usage statistics and volume based expiration to libipsec and the
associated kernel-libipsec plugin. Additionally removes any ESPv3 style TFC
padding found in incoming packets.
 2013-10-11 10:25:35 +02:00
Martin Willi d53002f088 libipsec: Enforce byte/packet lifetimes on SAs 2013-10-11 10:23:18 +02:00
Martin Willi 12fdc2b16b kernel-libipsec: Support ESPv3 TFC padding 2013-10-11 10:23:18 +02:00
Martin Willi 293515f95c libipsec: remove extra RFC4303 TFC padding appended to inner payload 2013-10-11 10:23:17 +02:00
Martin Willi d53f9b9637 kernel-libipsec: Support query_sa() to report usage statistics 2013-10-11 10:23:17 +02:00
Martin Willi b08967d6d8 libipsec: Support usage statistics and query_sa() on IPsec SAs 2013-10-11 10:23:17 +02:00
Martin Willi d7083b6541 kernel: Use a time_t to report use time in query_policy() 2013-10-11 10:23:17 +02:00
Martin Willi c99458e94e kernel: Use a time_t to report use time in query_sa() 2013-10-11 10:23:17 +02:00
Martin Willi b59bcba2b3 Merge branch 'ah' 
Brings support for Security Associations integrity protected by the
Authentication Header protocol, both to IKEv1 and IKEv2. Currently only plain
AH is supported, but no (now deprecated) RFC2401 style AH+ESP bundles.
 2013-10-11 10:15:43 +02:00
Martin Willi 5fdbb3c6ad ipsec.conf: Add a description for the new 'ah' keyword. 2013-10-11 10:15:22 +02:00
Martin Willi fa7815538f testing: Add an IKEv1 host2host AH transport mode test case 2013-10-11 10:15:22 +02:00
Martin Willi ef4560121d testing: Add an IKEv1 net2net AH test case 2013-10-11 10:15:22 +02:00
Martin Willi 80a82b8d67 testing: Add an IKEv2 host2host AH transport mode test case 2013-10-11 10:15:22 +02:00
Martin Willi 850bab6d58 testing: Add an IKEv2 net2net AH test case 2013-10-11 10:15:22 +02:00
Martin Willi 71d468ec90 testing: Allow AH packets in default INPUT/OUTPUT chains 2013-10-11 10:15:22 +02:00
Martin Willi 4817595876 updown: Install forwarding rules with the actually used protocol 2013-10-11 10:15:22 +02:00
Martin Willi c5d9b133e0 updown: Add a PLUTO_PROTO variable set to 'ah' or 'esp' 2013-10-11 10:15:21 +02:00
Martin Willi e48e530b44 starter: Reject connections having both 'ah' and 'esp' keywords set 
We currently don't support mixed proposals or bundles, so don't create the
illusion we would.
 2013-10-11 10:15:21 +02:00
Martin Willi 757343d90e ike: Define keylength for aescmac algorithm 2013-10-11 10:15:21 +02:00
Martin Willi a1379e3210 ikev1: Support parsing of AH+IPComp proposals 2013-10-11 10:15:21 +02:00
Martin Willi 25f74be8f9 starter: Remove obsolete 'auth' option 2013-10-11 10:15:21 +02:00
Martin Willi d489e75579 ikev1: Accept more than two certificate payloads 2013-10-11 10:15:21 +02:00
Martin Willi 3771b85806 ikev1: Support en-/decoding of SA payloads with AH algorithms 2013-10-11 10:15:21 +02:00
Martin Willi 44e6aa4fb7 kernel-handler: Whitespace cleanups 2013-10-11 10:15:21 +02:00
Martin Willi f6037b5506 stroke: List proposals in statusall without leading '/' in AH SAs 2013-10-11 10:15:21 +02:00
Martin Willi 4bf92306eb ikev1: Delete quick modes with the negotiated SA protocol 2013-10-11 10:15:21 +02:00
Martin Willi 5d569e07fd trap-manager: Install trap with SA protocol of the first configured proposal 2013-10-11 10:15:21 +02:00
Martin Willi 21b096f3b8 child-sa: Save protocol during SPI allocation 
This allows us to properly delete the incomplete SA with the correct protocol
should negotiation fail.
 2013-10-11 10:15:21 +02:00
Martin Willi 908fe1632d ikev1: Negotiate SPI with the first/negotiated proposal protocol 2013-10-11 10:15:21 +02:00
Martin Willi cdab8630d9 ikev2: Allocate SPI with the protocol of the first/negotiated proposal 2013-10-11 10:15:21 +02:00
Martin Willi f0c59e1cf8 proposal: Strip redundant integrity algos for ESP proposals only 2013-10-11 10:15:21 +02:00
Martin Willi 0576412989 stroke: Configure proposal with AH protocol if 'ah' option set 2013-10-11 10:15:20 +02:00
Martin Willi a07b97e804 starter: Add an 'ah' keyword for Authentication Header Security Associations 2013-10-11 10:15:20 +02:00
Andreas Steffen 4524e128f8 Version bump to 5.1.1rc1 2013-10-11 09:53:42 +02:00
Andreas Steffen 3588299fb8 Keep a copy of the tnccs instance for PT-TLS handover 2013-10-09 19:03:07 +02:00
Tobias Brunner 3e3db3743e xauth-pam: Make trimming of email addresses optional 
Fixes #430.
 2013-10-04 10:49:54 +02:00
Martin Willi d2e4dd75b7 ikev1: Accept reauthentication attempts with a keep unique policy from same host 
When we have a "keep" unique policy in place, we have to be less strict in
rejecting Main/Aggressive Modes to enforce it. If the host/port equals to
that of an existing ISAKMP SA, we assume it is a reauthentication attempt
and accept the new SA (to replace the old).
 2013-09-30 13:51:12 +02:00
Martin Willi 9c19d7ca31 ikev1: Don't log a reauthentication detection message if no children adopted 
When a replace unique policy is in place, the children get adopted during
the uniqueness check. In this case the message is just misleading.
 2013-09-30 13:51:11 +02:00
Martin Willi ee99f37ecc ikev1: Delay a potential delete for a duplicate IKE_SA having a replace policy 
Sending a DELETE for the replaced SA immediately is problematic during
reauthentication, as the peer might have associated the Quick Modes to the
old SA, and also delete them.

With this change the delete for the old ISAKMP SA is usually omitted, as it
is gets implicitly deleted by the reauth.
 2013-09-30 13:51:11 +02:00
Tobias Brunner e4b7b48c1e eap-radius: Increase buffer for attributes sent in RADIUS accounting messages 
64 bytes might be too short for user names/identities.
 2013-09-27 13:37:12 +02:00
Tobias Brunner c8f34ba7b6 openssl: Properly log FIPS mode when enabled via openssl.conf 
Enabling FIPS mode twice will fail, so if it is enabled in openssl.conf
it should be disabled in strongswan.conf (or the other way around).

Either way, we should log whether FIPS mode is enabled or not.

References #412.
 2013-09-27 09:24:03 +02:00
Tobias Brunner e4d63cfae7 android: New release after fixing remediation instructions regression 2013-09-26 13:53:39 +02:00