Andreas Steffen
e689de6b8c
Optimized PT-TLS data transfer
2013-08-15 23:34:23 +02:00
Andreas Steffen
6aff4b5ce8
Show host address of peer connecting to PT-TLS socket
2013-08-15 23:34:23 +02:00
Andreas Steffen
0a09b02dcf
Set client identity with TLS certificate authentication
2013-08-15 23:34:23 +02:00
Andreas Steffen
9cc606d22a
Fixed memory leak in SASL PLAIN
2013-08-15 23:34:23 +02:00
Andreas Steffen
663ea1407d
added --optionsfrom capability
2013-08-15 23:34:23 +02:00
Andreas Steffen
7c027f7983
Use client identities from successful authentications, only
2013-08-15 23:34:23 +02:00
Andreas Steffen
d6719c974c
Add pt-tls-client to .gitignore
2013-08-15 23:34:23 +02:00
Andreas Steffen
97b1d39de5
Extract client identity and authentication type from SASL authentication
2013-08-15 23:34:22 +02:00
Andreas Steffen
6d6100c2bc
Added some debug statements
2013-08-15 23:34:22 +02:00
Andreas Steffen
f420d5f380
enabled SASL PLAIN authentication
2013-08-15 23:34:22 +02:00
Andreas Steffen
8327c44b74
PT-TLS connection is properly terminated
2013-08-15 23:34:22 +02:00
Andreas Steffen
12b3db5006
moved tnc_imv plugin to libtnccs thanks to recommendation callback function
2013-08-15 23:34:22 +02:00
Andreas Steffen
9d8c28e2f5
Documented plugin move from libcharon to libtnccs in strongswan.conf
2013-08-15 23:34:22 +02:00
Andreas Steffen
e8f65c5cde
Moved tnc-tnccs, tnc-imc, tnccs-11, tnccs-20 and tnccs-dynamic libcharon plugins to libtnccs
2013-08-15 23:34:22 +02:00
Andreas Steffen
180a2f2642
rapid PT-TLS AR/PDP prototype
2013-08-15 23:34:22 +02:00
Andreas Steffen
f5b5d262e8
Add PT-TLS interface to strongSwan PDP
2013-08-15 23:34:22 +02:00
Tobias Brunner
f853e7bcc0
ikev1: Fix calculation of the number of fragments
The old code resulted in too few fragments in some cases.
2013-08-15 15:15:34 +02:00
Tobias Brunner
c81a6ff907
ikev1: When sending fragments, use ports to decide if a non-ESP marker is added
This is the same logic used by the sender and might apply in some cases (e.g.
when initiating to port 4500).
2013-08-15 15:12:00 +02:00
Tobias Brunner
e42ab08a73
ikev2: Fix segfault when reestablishing CHILD_SAs due to closeaction=restart|hold
This regression was introduced with c949a4d5.
2013-08-13 10:08:08 +02:00
Tobias Brunner
3f29ff82c3
libipsec: Don't limit traditional algorithms to AES and SHA1/2
Closes #377.
2013-08-12 12:21:57 +02:00
Tobias Brunner
11f468533f
kernel-netlink,pfroute: Properly update address flag within ROAM_DELAY
77d4a02 and 55da01f only updated the address flag when a job was created,
which obviously had the same limitation as the old code.
Fixes #374.
2013-08-12 12:08:23 +02:00
Tobias Brunner
55da01f348
kernel-pfroute: Implement roam event handling like in the kernel-netlink plugin
There was no proper locking and the issue regarding the address
flag also existed.
2013-08-12 12:03:48 +02:00
Tobias Brunner
77d4a0281a
kernel-netlink: Ensure address changes are not missed in roam events
If multiple roam events are triggered within ROAM_DELAY, only one job is
created. The old code set the address flag to the value of the last
triggering call. So if a route change followed an address change within
ROAM_DELAY the address change was missed by the upper layers, e.g. causing
it not to update the list of addresses via MOBIKE.
The new code now keeps the state of the address flag until the job is
actually executed, which still has some issues. For instance, if an
address disappears and reappears within ROAM_DELAY, the flag would not
have to be set to TRUE. So address updates might occasionally get
triggered where none would actually be required.
Fixes #374.
2013-08-12 12:02:55 +02:00
Martin Willi
a24515c515
backtrace: rename clone() method clashing with system call
Fixes #376.
2013-08-09 09:13:39 +02:00
Martin Willi
881e9a7e2e
updown: remove description of unsupported PLUTO_ variables
These have been set by pluto, but are not by charon's updown plugin.
2013-08-08 14:48:32 +02:00
Martin Willi
3b6d8855e8
scripts: link against librt only if required
With glibc, this seems to be the case for 2.17 and older versions only.
2013-08-08 09:12:52 +02:00
Martin Willi
62e1c80803
scripts: link malloc_speed against librt
2013-08-08 09:09:00 +02:00
Tobias Brunner
e99cfe5f20
strongswan.conf: Add note about reserved threads
2013-08-07 09:06:01 +02:00
Tobias Brunner
58e32e4871
tnc-pdp: Initialize struct msghdr properly when reading RADIUS messages
Before this e.g. msg_controllen was not initialized properly which could
cause invalid reads.
2013-07-31 22:16:58 +02:00
Tobias Brunner
3a938a6f85
NEWS: Add info about CVE-2013-5018
2013-07-31 22:16:58 +02:00
Tobias Brunner
d12fc14616
whitelist: Fix compilation on FreeBSD
2013-07-31 22:16:58 +02:00
Tobias Brunner
ed0efaef4c
host: Properly initialize struct sockaddr_in[6] when parsing strings
Otherwise struct members like sin6_flowinfo or sin6_scope_id might be
set to bogus values.
2013-07-31 22:16:58 +02:00
Tobias Brunner
b3393c88c1
asn1: Fix handling of invalid ASN.1 length in is_asn1()
Fixes CVE-2013-5018.
2013-07-31 22:16:58 +02:00
Andreas Steffen
cc5bedbb98
Callback job is not needed any more
2013-07-31 22:13:49 +02:00
Martin Willi
8fa7c5c191
charon-xpc: load missing ctr/ccm/gcm plugins
2013-07-31 16:28:11 +02:00
Martin Willi
aafb6fa6c2
charon-xpc: use kernel-libipsec instead of kernel-pfkey
2013-07-31 11:41:37 +02:00
Martin Willi
546235d34c
charon-xpc: fix TS getting after changing CHILD_SA API
2013-07-31 11:41:31 +02:00
Martin Willi
83a0b74da8
keychain: be less verbose when loading certificates
2013-07-31 11:41:16 +02:00
Tobias Brunner
a566c5f837
receiver: Avoid cloning packet data when verifying COOKIE payloads
Besides being more efficient this removes a memory leak that occurred
when a COOKIE payload was successfully verified.
Fixes #369.
2013-07-29 22:04:24 +02:00
Tobias Brunner
1cf8022839
unity: Handle multi-valued UNITY_SPLIT_INCLUDE/UNITY_LOCAL_LAN attributes
Cisco devices seem to add 6 bytes of padding between each address/mask
pair.
Fixes #366.
2013-07-29 21:44:27 +02:00
Andreas Steffen
e8b8a6d958
version bump to 5.0.1
2013-07-29 17:16:41 +02:00
Andreas Steffen
ef580b0137
tnc-pdp now uses watcher_t
2013-07-29 17:16:21 +02:00
Andreas Steffen
4c961168cc
Updated PTS database scheme to new workitems model
2013-07-29 11:41:47 +02:00
Tobias Brunner
4dc8978000
ikev2: Only schedule half-open-timeout delete job after successfully handling IKE_SA_INIT
We want to avoid this allocation if the initial message is invalid (e.g.
if the message ID is != 0).
2013-07-29 11:25:43 +02:00
Martin Willi
68957d1811
NEWS: mention xauth-radius backend in eap-radius plugin
2013-07-29 11:08:54 +02:00
Martin Willi
2cfe88aacb
testing: enforce xauth-eap in ikev1/xauth-rsa-eap-md5-radius
As eap-radius now provides its own XAuth backend and eap-radius is loaded before
xauth-eap, we have to enforce the exact XAuth backend to use.
2013-07-29 10:35:59 +02:00
Martin Willi
14dfdf7dac
Merge branch 'xauth-radius'
Implements verification of XAuth credentials using simple RADIUS User-Name and
(encrypted) User-Password attributes. The XAuth backend is implemented in the
eap-radius plugin, reusing all existing infrastructure and features found in
that plugin, including RADIUS accounting.
2013-07-29 09:00:56 +02:00
Martin Willi
9d75f04eee
testing: add a testcase for plain XAuth RADIUS authentication
2013-07-29 09:00:49 +02:00
Martin Willi
44bb1dc3da
charon-cmd: add --eap-identity and --xauth-username options
2013-07-29 09:00:49 +02:00
Martin Willi
3a399574c2
eap-radius: do RADIUS/IKE attribute forwarding in XAuth backend
2013-07-29 09:00:49 +02:00