Commit Graph

11824 Commits

Author SHA1 Message Date
Andreas Steffen e689de6b8c Optimized PT-TLS data transfer 2013-08-15 23:34:23 +02:00
Andreas Steffen 6aff4b5ce8 Show host address of peer connecting to PT-TLS socket 2013-08-15 23:34:23 +02:00
Andreas Steffen 0a09b02dcf Set client identity with TLS certificate authentication 2013-08-15 23:34:23 +02:00
Andreas Steffen 9cc606d22a Fixed memory leak in SASL PLAIN 2013-08-15 23:34:23 +02:00
Andreas Steffen 663ea1407d added --optionsfrom capability 2013-08-15 23:34:23 +02:00
Andreas Steffen 7c027f7983 Use client identities from successful authentications, only 2013-08-15 23:34:23 +02:00
Andreas Steffen d6719c974c Add pt-tls-client to .gitignore 2013-08-15 23:34:23 +02:00
Andreas Steffen 97b1d39de5 Extract client identity and authentication type from SASL authentication 2013-08-15 23:34:22 +02:00
Andreas Steffen 6d6100c2bc Added some debug statements 2013-08-15 23:34:22 +02:00
Andreas Steffen f420d5f380 enabled SASL PLAIN authentication 2013-08-15 23:34:22 +02:00
Andreas Steffen 8327c44b74 PT-TLS connection is properly terminated 2013-08-15 23:34:22 +02:00
Andreas Steffen 12b3db5006 moved tnc_imv plugin to libtnccs thanks to recommendation callback function 2013-08-15 23:34:22 +02:00
Andreas Steffen 9d8c28e2f5 Documented plugin move from libcharon to libtnccs in strongswan.conf 2013-08-15 23:34:22 +02:00
Andreas Steffen e8f65c5cde Moved tnc-tnccs, tnc-imc, tnccs-11, tnccs-20 and tnccs-dynamic libcharon plugins to libtnccs 2013-08-15 23:34:22 +02:00
Andreas Steffen 180a2f2642 rapid PT-TLS AR/PDP prototype 2013-08-15 23:34:22 +02:00
Andreas Steffen f5b5d262e8 Add PT-TLS interface to strongSwan PDP 2013-08-15 23:34:22 +02:00
Tobias Brunner f853e7bcc0 ikev1: Fix calculation of the number of fragments
The old code resulted in too few fragments in some cases.
2013-08-15 15:15:34 +02:00
Tobias Brunner c81a6ff907 ikev1: When sending fragments, use ports to decide if a non-ESP marker is added
This is the same logic used by the sender and might apply in some cases (e.g.
when initiating to port 4500).
2013-08-15 15:12:00 +02:00
Tobias Brunner e42ab08a73 ikev2: Fix segfault when reestablishing CHILD_SAs due to closeaction=restart|hold
This regression was introduced with c949a4d5.
2013-08-13 10:08:08 +02:00
Tobias Brunner 3f29ff82c3 libipsec: Don't limit traditional algorithms to AES and SHA1/2
Closes #377.
2013-08-12 12:21:57 +02:00
Tobias Brunner 11f468533f kernel-netlink,pfroute: Properly update address flag within ROAM_DELAY
77d4a02 and 55da01f only updated the address flag when a job was created,
which obviously had the same limitation as the old code.

Fixes #374.
2013-08-12 12:08:23 +02:00
Tobias Brunner 55da01f348 kernel-pfroute: Implement roam event handling like in the kernel-netlink plugin
There was no proper locking and the issue regarding the address
flag also existed.
2013-08-12 12:03:48 +02:00
Tobias Brunner 77d4a0281a kernel-netlink: Ensure address changes are not missed in roam events
If multiple roam events are triggered within ROAM_DELAY, only one job is
created.  The old code set the address flag to the value of the last
triggering call.  So if a route change followed an address change within
ROAM_DELAY the address change was missed by the upper layers, e.g. causing
it not to update the list of addresses via MOBIKE.

The new code now keeps the state of the address flag until the job is
actually executed, which still has some issues.  For instance, if an
address disappears and reappears within ROAM_DELAY, the flag would not
have to be set to TRUE.  So address updates might occasionally get
triggered where none would actually be required.

Fixes #374.
2013-08-12 12:02:55 +02:00
Martin Willi a24515c515 backtrace: rename clone() method clashing with system call
Fixes #376.
2013-08-09 09:13:39 +02:00
Martin Willi 881e9a7e2e updown: remove description of unsupported PLUTO_ variables
These have been set by pluto, but are not by charon's updown plugin.
2013-08-08 14:48:32 +02:00
Martin Willi 3b6d8855e8 scripts: link against librt only if required
With glibc, this seems to be the case for 2.17 and older versions only.
2013-08-08 09:12:52 +02:00
Martin Willi 62e1c80803 scripts: link malloc_speed against librt 2013-08-08 09:09:00 +02:00
Tobias Brunner e99cfe5f20 strongswan.conf: Add note about reserved threads 2013-08-07 09:06:01 +02:00
Tobias Brunner 58e32e4871 tnc-pdp: Initialize struct msghdr properly when reading RADIUS messages
Before this e.g. msg_controllen was not initialized properly which could
cause invalid reads.
2013-07-31 22:16:58 +02:00
Tobias Brunner 3a938a6f85 NEWS: Add info about CVE-2013-5018 2013-07-31 22:16:58 +02:00
Tobias Brunner d12fc14616 whitelist: Fix compilation on FreeBSD 2013-07-31 22:16:58 +02:00
Tobias Brunner ed0efaef4c host: Properly initialize struct sockaddr_in[6] when parsing strings
Otherwise struct members like sin6_flowinfo or sin6_scope_id might be
set to bogus values.
2013-07-31 22:16:58 +02:00
Tobias Brunner b3393c88c1 asn1: Fix handling of invalid ASN.1 length in is_asn1()
Fixes CVE-2013-5018.
2013-07-31 22:16:58 +02:00
Andreas Steffen cc5bedbb98 Callback job is not needed any more 2013-07-31 22:13:49 +02:00
Martin Willi 8fa7c5c191 charon-xpc: load missing ctr/ccm/gcm plugins 2013-07-31 16:28:11 +02:00
Martin Willi aafb6fa6c2 charon-xpc: use kernel-libipsec instead of kernel-pfkey 2013-07-31 11:41:37 +02:00
Martin Willi 546235d34c charon-xpc: fix TS getting after changing CHILD_SA API 2013-07-31 11:41:31 +02:00
Martin Willi 83a0b74da8 keychain: be less verbose when loading certificates 2013-07-31 11:41:16 +02:00
Tobias Brunner a566c5f837 receiver: Avoid cloning packet data when verifying COOKIE payloads
Besides being more efficient this removes a memory leak that occurred
when a COOKIE payload was successfully verified.

Fixes #369.
2013-07-29 22:04:24 +02:00
Tobias Brunner 1cf8022839 unity: Handle multi-valued UNITY_SPLIT_INCLUDE/UNITY_LOCAL_LAN attributes
Cisco devices seem to add 6 bytes of padding between each address/mask
pair.

Fixes #366.
2013-07-29 21:44:27 +02:00
Andreas Steffen e8b8a6d958 version bump to 5.0.1 2013-07-29 17:16:41 +02:00
Andreas Steffen ef580b0137 tnc-pdp now uses watcher_t 2013-07-29 17:16:21 +02:00
Andreas Steffen 4c961168cc Updated PTS database scheme to new workitems model 2013-07-29 11:41:47 +02:00
Tobias Brunner 4dc8978000 ikev2: Only schedule half-open-timeout delete job after successfully handling IKE_SA_INIT
We want to avoid this allocation if the initial message is invalid (e.g.
if the message ID is != 0).
2013-07-29 11:25:43 +02:00
Martin Willi 68957d1811 NEWS: mention xauth-radius backend in eap-radius plugin 2013-07-29 11:08:54 +02:00
Martin Willi 2cfe88aacb testing: enforce xauth-eap in ikev1/xauth-rsa-eap-md5-radius
As eap-radius now provides its own XAuth backend and eap-radius is loaded before
xauth-eap, we have to enforce the exact XAuth backend to use.
2013-07-29 10:35:59 +02:00
Martin Willi 14dfdf7dac Merge branch 'xauth-radius'
Implements verification of XAuth credentials using simple RADIUS User-Name and
(encrypted) User-Password attributes. The XAuth backend is implemented in the
eap-radius plugin, reusing all existing infrastructure and features found in
that plugin, including RADIUS accounting.
2013-07-29 09:00:56 +02:00
Martin Willi 9d75f04eee testing: add a testcase for plain XAuth RADIUS authentication 2013-07-29 09:00:49 +02:00
Martin Willi 44bb1dc3da charon-cmd: add --eap-identity and --xauth-username options 2013-07-29 09:00:49 +02:00
Martin Willi 3a399574c2 eap-radius: do RADIUS/IKE attribute forwarding in XAuth backend 2013-07-29 09:00:49 +02:00