Commit Graph

11755 Commits

Author SHA1 Message Date
Tobias Brunner 3f29ff82c3 libipsec: Don't limit traditional algorithms to AES and SHA1/2
Closes #377.
2013-08-12 12:21:57 +02:00
Tobias Brunner 11f468533f kernel-netlink,pfroute: Properly update address flag within ROAM_DELAY
77d4a02 and 55da01f only updated the address flag when a job was created,
which obviously had the same limitation as the old code.

Fixes #374.
2013-08-12 12:08:23 +02:00
Tobias Brunner 55da01f348 kernel-pfroute: Implement roam event handling like in the kernel-netlink plugin
There was no proper locking and the issue regarding the address
flag also existed.
2013-08-12 12:03:48 +02:00
Tobias Brunner 77d4a0281a kernel-netlink: Ensure address changes are not missed in roam events
If multiple roam events are triggered within ROAM_DELAY, only one job is
created.  The old code set the address flag to the value of the last
triggering call.  So if a route change followed an address change within
ROAM_DELAY the address change was missed by the upper layers, e.g. causing
it not to update the list of addresses via MOBIKE.

The new code now keeps the state of the address flag until the job is
actually executed, which still has some issues.  For instance, if an
address disappears and reappears within ROAM_DELAY, the flag would not
have to be set to TRUE.  So address updates might occasionally get
triggered where none would actually be required.

Fixes #374.
2013-08-12 12:02:55 +02:00
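The three roam-event commits above (77d4a02, 55da01f and the follow-up that fixes their remaining limitation) describe a lossy event coalescer: several kernel events inside one ROAM_DELAY window collapse into a single job, and the question is how the "address changed" flag is merged. The following is an added, single-threaded model written for this page, not strongSwan's kernel-netlink or kernel-pfroute code; the struct and function names are chosen for the example, the real plugins schedule a delayed job on a thread pool and guard the state with a lock.

```c
#include <stdbool.h>

/* Minimal single-threaded model of roam-event coalescing. The first event in a
 * ROAM_DELAY window "schedules" one job and later events are folded into it;
 * here the job is a struct the caller runs by hand, so no lock is needed.
 * Names are chosen for this example and are not the project's. */
typedef struct {
    bool job_pending;      /* a delayed job is already scheduled */
    bool address_changed;  /* what that job will report to the upper layers */
    int  jobs_created;
} roam_model_t;

typedef void (*roam_handler_t)(roam_model_t *m, bool address);

/* Original behaviour: the flag is overwritten with the latest trigger, so an
 * address change followed by a route change in the same window is reported as
 * "routes only" and the upper layers never refresh their address list. */
void roam_event_overwrite(roam_model_t *m, bool address)
{
    m->address_changed = address;
    if (!m->job_pending) {
        m->job_pending = true;
        m->jobs_created++;
    }
}

/* First attempt: latch the flag only when the job is created. Now the reverse
 * order (route change, then address change) loses the address change. */
void roam_event_latch_on_create(roam_model_t *m, bool address)
{
    if (!m->job_pending) {
        m->address_changed = address;
        m->job_pending = true;
        m->jobs_created++;
    }
}

/* Final behaviour: the flag is sticky and merged on every event, whether or
 * not a job is created. It only drops back to false when the job runs, so an
 * address that disappears and reappears inside the window still produces one
 * (possibly unnecessary) address update, the trade-off the commit mentions. */
void roam_event_sticky(roam_model_t *m, bool address)
{
    if (address) {
        m->address_changed = true;
    }
    if (!m->job_pending) {
        m->job_pending = true;
        m->jobs_created++;
    }
}

/* The delayed job: consume the state and report whether addresses changed. */
bool roam_job_run(roam_model_t *m)
{
    bool address = m->address_changed;
    m->address_changed = false;
    m->job_pending = false;
    return address;
}

/* Two events inside one ROAM_DELAY window, then the job fires. Returns what
 * the upper layers would be told about address changes. */
bool roam_window(roam_handler_t handler, bool first_is_address,
                 bool second_is_address)
{
    roam_model_t m = { false, false, 0 };
    handler(&m, first_is_address);
    handler(&m, second_is_address);
    return roam_job_run(&m);
}
```

With `roam_event_overwrite`, an address change followed by a route change is reported as no address change; with `roam_event_latch_on_create` the opposite order is lost; only `roam_event_sticky` reports an address change in both orders. The same merge-by-OR rule applies to any "collapse N notifications into one job" design, and in a multi-threaded daemon the read-modify-write of the flag must sit under the same lock as the job-pending check.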
Martin Willi a24515c515 backtrace: rename clone() method clashing with system call
Fixes #376.
2013-08-09 09:13:39 +02:00
Martin Willi 881e9a7e2e updown: remove description of unsupported PLUTO_ variables
These have been set by pluto, but are not by charon's updown plugin.
2013-08-08 14:48:32 +02:00
Martin Willi 3b6d8855e8 scripts: link against librt only if required
With glibc, this seems to be the case for 2.17 and older versions only.
2013-08-08 09:12:52 +02:00
Martin Willi 62e1c80803 scripts: link malloc_speed against librt 2013-08-08 09:09:00 +02:00
Tobias Brunner e99cfe5f20 strongswan.conf: Add note about reserved threads 2013-08-07 09:06:01 +02:00
Tobias Brunner 58e32e4871 tnc-pdp: Initialize struct msghdr properly when reading RADIUS messages
Before this, e.g. msg_controllen was not initialized properly, which could
cause invalid reads.
2013-07-31 22:16:58 +02:00
Tobias Brunner 3a938a6f85 NEWS: Add info about CVE-2013-5018 2013-07-31 22:16:58 +02:00
Tobias Brunner d12fc14616 whitelist: Fix compilation on FreeBSD 2013-07-31 22:16:58 +02:00
Tobias Brunner ed0efaef4c host: Properly initialize struct sockaddr_in[6] when parsing strings
Otherwise struct members like sin6_flowinfo or sin6_scope_id might be
set to bogus values.
2013-07-31 22:16:58 +02:00
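Both 58e32e4871 (struct msghdr) and ed0efaef4c (struct sockaddr_in6) fix the same class of bug: a structure handed to the kernel with fields nobody assigned, so they carry whatever the stack held before. The following is an added illustration written for this page, not strongSwan's tnc-pdp or host_t code. It poisons the memory with 0xAA bytes to stand in for stale stack contents (constructed input, not observed behaviour) and compares the field values with and without zeroing first; the function names are chosen for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/uio.h>

/* Parse an IPv6 literal into a sockaddr_in6. With zero_first the whole struct
 * is cleared before the known fields are set, so sin6_flowinfo, sin6_scope_id
 * and any padding are deterministic. Without it (the buggy shape) the fields
 * that are never assigned keep whatever the memory held before. */
static bool fill_sockaddr_in6(const char *addr, uint16_t port, bool zero_first,
                              struct sockaddr_in6 *out)
{
    if (zero_first) {
        memset(out, 0, sizeof(*out));
    }
    out->sin6_family = AF_INET6;
    out->sin6_port = htons(port);
    return inet_pton(AF_INET6, addr, &out->sin6_addr) == 1;
}

/* The flow label the kernel would see after parsing into a struct whose memory
 * was deliberately filled with 0xAA (constructed "garbage"). Returns 0 when the
 * struct is zeroed first and 0xAAAAAAAA otherwise; 0xFFFFFFFF means the
 * address did not parse. sin6_scope_id behaves the same way. */
uint32_t flowinfo_after_parse(bool zero_first)
{
    struct sockaddr_in6 sa;

    memset(&sa, 0xAA, sizeof(sa));
    if (!fill_sockaddr_in6("2001:db8::1", 500, zero_first, &sa)) {
        return 0xFFFFFFFFu;
    }
    return sa.sin6_flowinfo;
}

/* Prepare a msghdr for recvmsg(). msg_control and msg_controllen are left
 * NULL/0 on purpose: recvmsg() treats a non-zero msg_controllen as a valid
 * ancillary buffer at msg_control, so stale values make the kernel use an
 * arbitrary pointer/length pair. */
static void init_recv_msghdr(struct msghdr *msg, struct iovec *iov,
                             void *buf, size_t buf_len,
                             struct sockaddr_storage *from)
{
    memset(msg, 0, sizeof(*msg));
    iov->iov_base = buf;
    iov->iov_len = buf_len;
    msg->msg_name = from;
    msg->msg_namelen = sizeof(*from);
    msg->msg_iov = iov;
    msg->msg_iovlen = 1;
}

/* Same poisoning trick for msghdr: after init_recv_msghdr() the control
 * buffer fields and flags must be clean regardless of prior stack contents. */
bool msghdr_control_is_clean(void)
{
    struct msghdr msg;
    struct iovec iov;
    struct sockaddr_storage from;
    uint8_t buf[64];

    memset(&msg, 0xAA, sizeof(msg));
    init_recv_msghdr(&msg, &iov, buf, sizeof(buf), &from);
    return msg.msg_controllen == 0 && msg.msg_control == NULL &&
           msg.msg_flags == 0;
}
```

The rule these two commits share: clear the whole structure (memset or a `= {0}` initializer) before filling in the fields you know, rather than assigning the ones you happen to remember. Which fields exist in `struct sockaddr_in6` and `struct msghdr` is platform dependent, which is exactly why field-by-field initialization is fragile.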
Tobias Brunner b3393c88c1 asn1: Fix handling of invalid ASN.1 length in is_asn1()
Fixes CVE-2013-5018.
2013-07-31 22:16:58 +02:00
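The commit above only says that is_asn1() mishandled an invalid ASN.1 length (CVE-2013-5018). As an added illustration of the check such a function needs, and not strongSwan's asn1.c, the following decodes a DER length and decides whether a blob "looks like" a single ASN.1 object without ever doing arithmetic on a failed decode. The sentinel value, the tag set and the sample blobs are all constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Sentinel for "no valid length could be decoded". Returning a sentinel is
 * only safe if every caller compares against it before doing arithmetic. */
#define ASN1_LEN_INVALID ((size_t)-1)

/* Decode the DER length following the tag byte at blob[0]. Returns the content
 * length and stores the header size (tag + length octets) in *hdr_len if
 * non-NULL. Returns ASN1_LEN_INVALID when the encoding is malformed,
 * indefinite, wider than size_t, or claims more content than the buffer holds.
 * The "fits in the buffer" test subtracts on the known-smaller side so it
 * cannot overflow. */
size_t asn1_length_checked(const uint8_t *blob, size_t blob_len, size_t *hdr_len)
{
    size_t len, hdr;

    if (blob_len < 2) {
        return ASN1_LEN_INVALID;
    }
    if (blob[1] < 0x80) {                    /* short form: one octet */
        len = blob[1];
        hdr = 2;
    } else {
        size_t n = blob[1] & 0x7f;           /* long form: n length octets */
        if (n == 0 || n > sizeof(size_t) || blob_len - 2 < n) {
            return ASN1_LEN_INVALID;         /* indefinite, too wide, truncated */
        }
        len = 0;
        for (size_t i = 0; i < n; i++) {
            len = (len << 8) | blob[2 + i];
        }
        hdr = 2 + n;
    }
    if (len > blob_len - hdr) {
        return ASN1_LEN_INVALID;             /* content would run past the buffer */
    }
    if (hdr_len) {
        *hdr_len = hdr;
    }
    return len;
}

/* Cheap "is this blob one DER object?" test of the kind a daemon might apply
 * to untrusted input before choosing a parser: a known tag, and an encoded
 * length that accounts for exactly the rest of the buffer. The tag set
 * (SEQUENCE, SET, OCTET STRING) is chosen for this example. */
bool looks_like_asn1(const uint8_t *blob, size_t blob_len)
{
    size_t hdr, len;

    if (blob_len < 2) {
        return false;
    }
    if (blob[0] != 0x30 && blob[0] != 0x31 && blob[0] != 0x04) {
        return false;
    }
    len = asn1_length_checked(blob, blob_len, &hdr);
    if (len == ASN1_LEN_INVALID) {
        return false;                        /* never use the sentinel in arithmetic */
    }
    return hdr + len == blob_len;
}

/* Constructed samples for the checks above (not captured traffic). */
const uint8_t asn1_sample_ok[]        = { 0x30, 0x03, 0x02, 0x01, 0x01 };  /* SEQUENCE { INTEGER 1 } */
const uint8_t asn1_sample_long_ok[]   = { 0x04, 0x81, 0x02, 0xAA, 0xBB };  /* OCTET STRING, long-form length */
const uint8_t asn1_sample_overclaim[] = { 0x30, 0x05, 0x02, 0x01, 0x01 };  /* says 5 content bytes, has 3 */
const uint8_t asn1_sample_truncated[] = { 0x30, 0x84, 0xFF, 0xFF };        /* 4 length octets promised, 2 present */
const uint8_t asn1_sample_too_wide[]  = { 0x31, 0x89, 1, 2, 3, 4, 5, 6, 7, 8, 9 }; /* 9 length octets */
const uint8_t asn1_sample_indef[]     = { 0x30, 0x80, 0x00, 0x00 };        /* indefinite length (BER, not DER) */
```

Two design points worth keeping: the width check (`n > sizeof(size_t)`) rejects a length that would otherwise wrap during the shift loop, and the buffer check is `len > blob_len - hdr` rather than `hdr + len > blob_len`, because the latter can itself overflow. The example accepts the non-minimal long form in `asn1_sample_long_ok`; a strict DER validator would also reject that.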
Andreas Steffen cc5bedbb98 Callback job is not needed any more 2013-07-31 22:13:49 +02:00
Martin Willi 8fa7c5c191 charon-xpc: load missing ctr/ccm/gcm plugins 2013-07-31 16:28:11 +02:00
Martin Willi aafb6fa6c2 charon-xpc: use kernel-libipsec instead of kernel-pfkey 2013-07-31 11:41:37 +02:00
Martin Willi 546235d34c charon-xpc: fix TS getting after changing CHILD_SA API 2013-07-31 11:41:31 +02:00
Martin Willi 83a0b74da8 keychain: be less verbose when loading certificates 2013-07-31 11:41:16 +02:00
Tobias Brunner a566c5f837 receiver: Avoid cloning packet data when verifying COOKIE payloads
Besides being more efficient this removes a memory leak that occurred
when a COOKIE payload was successfully verified.

Fixes #369.
2013-07-29 22:04:24 +02:00
Tobias Brunner 1cf8022839 unity: Handle multi-valued UNITY_SPLIT_INCLUDE/UNITY_LOCAL_LAN attributes
Cisco devices seem to add 6 bytes of padding between each address/mask
pair.

Fixes #366.
2013-07-29 21:44:27 +02:00
Andreas Steffen e8b8a6d958 version bump to 5.0.1 2013-07-29 17:16:41 +02:00
Andreas Steffen ef580b0137 tnc-pdp now uses watcher_t 2013-07-29 17:16:21 +02:00
Andreas Steffen 4c961168cc Updated PTS database scheme to new workitems model 2013-07-29 11:41:47 +02:00
Tobias Brunner 4dc8978000 ikev2: Only schedule half-open-timeout delete job after successfully handling IKE_SA_INIT
We want to avoid this allocation if the initial message is invalid (e.g.
if the message ID is != 0).
2013-07-29 11:25:43 +02:00
Martin Willi 68957d1811 NEWS: mention xauth-radius backend in eap-radius plugin 2013-07-29 11:08:54 +02:00
Martin Willi 2cfe88aacb testing: enforce xauth-eap in ikev1/xauth-rsa-eap-md5-radius
As eap-radius now provides its own XAuth backend and eap-radius is loaded before
xauth-eap, we have to enforce the exact XAuth backend to use.
2013-07-29 10:35:59 +02:00
Martin Willi 14dfdf7dac Merge branch 'xauth-radius'
Implements verification of XAuth credentials using simple RADIUS User-Name and
(encrypted) User-Password attributes. The XAuth backend is implemented in the
eap-radius plugin, reusing all existing infrastructure and features found in
that plugin, including RADIUS accounting.
2013-07-29 09:00:56 +02:00
Martin Willi 9d75f04eee testing: add a testcase for plain XAuth RADIUS authentication 2013-07-29 09:00:49 +02:00
Martin Willi 44bb1dc3da charon-cmd: add --eap-identity and --xauth-username options 2013-07-29 09:00:49 +02:00
Martin Willi 3a399574c2 eap-radius: do RADIUS/IKE attribute forwarding in XAuth backend 2013-07-29 09:00:49 +02:00
Martin Willi c434b2a4a9 eap-radius: support plain XAuth RADIUS authentication using User-Password 2013-07-29 09:00:49 +02:00
Martin Willi 6bc0ce020d libradius: support encryption of User-Password attributes 2013-07-29 09:00:48 +02:00
Martin Willi 84044f9c73 utils: add round_up/down() helper functions 2013-07-29 09:00:48 +02:00
Martin Willi 15483a6223 libradius: refactor generic RADIUS en-/decryption function to a message method 2013-07-29 09:00:48 +02:00
Martin Willi 9aeb6cea4c eap-radius: export function to build common attributes of Access-Request 2013-07-29 09:00:48 +02:00
Martin Willi 94ec80e74c eap-radius: export function to process common attributes of Access-Accept 2013-07-29 09:00:48 +02:00
Martin Willi 7612a6e42f mem-pool: add option for reusing online leases, and disable it by default
Mainly for reauthentication with third party implementations, we allowed
reusing an online lease, but only for the same peer identity and when it
explicitly requested the same address.

This has always been problematic, because it changes the reqid of the CHILD_SA
with the same traffic selectors, breaking the old tunnel. As we now reject
such policy overwrites, this usually lets the installation of the new policies
fail. We therefore disable reassignment of online leases by default.
2013-07-29 08:56:09 +02:00
Martin Willi c5d2d867f1 mem-pool: replace per-identity online/offline lists by more efficient arrays
This saves two lists per connected peer identity, up to 0.4KB.
2013-07-29 08:55:21 +02:00
Martin Willi d882880e87 mem-pool: refcount online lease when reassigning it to another tunnel
When we reassign an online lease for the same peer, we have to refcount it.
Otherwise we would set it offline if one of the tunnels goes down, but it is
actually still in use by the second tunnel. This can finally lead to
assigning the same virtual IP to different peers.
2013-07-26 13:12:22 +02:00
Tobias Brunner 77ccff82cf ikev1: Always send ID payloads (traffic selectors) during Quick Mode
Especially Windows 7 has problems if the peer does not send ID payloads
for host-to-host connections (tunnel and transport mode).

Fixes #319.
2013-07-25 17:08:17 +02:00
Tobias Brunner 1f2d9c7688 watcher: Made notify array initialization compatible with older GCC versions 2013-07-25 16:57:42 +02:00
Tobias Brunner ebb4ad1baa unit-tests: Add additional tests for host_t 2013-07-25 11:28:26 +02:00
Tobias Brunner 7a192c57a3 imv-attestation: Properly measure complete directories 2013-07-25 11:28:26 +02:00
Tobias Brunner 116363e5c6 array: Number of items in get_size() is unsigned
Otherwise, array->esize is promoted to int and if array->esize * num
results in a value > 0x7fffffff the return value would be incorrect due to
the implicit sign extension when getting cast to size_t.
2013-07-25 11:28:01 +02:00
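The promotion chain the commit describes (16-bit element size promoted to int, multiplied by a signed count, result sign-extended into size_t) is easy to get wrong and worth seeing in isolation. The following is an added demonstration written for this page, not strongSwan's array.c: `esize` stands in for array->esize, its 16-bit width and the values are assumptions, and the expected results are for a platform with 32-bit int and 64-bit size_t.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Buggy shape: 'num' is a signed int. The 16-bit esize is promoted to int,
 * esize * num is evaluated in int, and a result above 0x7fffffff wraps
 * negative; converting that negative int to size_t sign-extends it to a huge
 * allocation size. The wrap is signed overflow (undefined behaviour in C), so
 * it is reproduced here through an unsigned multiply plus a cast to keep the
 * demonstration deterministic. */
size_t get_size_signed_num(uint16_t esize, int num)
{
    int product = (int)((uint32_t)esize * (uint32_t)num);
    return (size_t)product;
}

/* Fixed shape (the change the commit describes): 'num' is unsigned. Under the
 * usual arithmetic conversions int * unsigned int is evaluated as unsigned
 * int, so there is no negative intermediate and widening to size_t
 * zero-extends. */
size_t get_size_unsigned_num(uint16_t esize, unsigned int num)
{
    return esize * num;
}

/* One step beyond the commit: if the count is itself a size_t the product can
 * exceed the type, so check before multiplying. Returns 1 when esize * num
 * does not fit in size_t. */
int size_overflows(uint16_t esize, size_t num)
{
    return num != 0 && (size_t)esize > SIZE_MAX / num;
}

int main(void)
{
    uint16_t esize = 0x8000;                 /* 32 KiB elements (assumed) */
    int num = 0x10000;                       /* 65536 items: 0x80000000 bytes */

    printf("signed num:   0x%zx\n", get_size_signed_num(esize, num));
    printf("unsigned num: 0x%zx\n", get_size_unsigned_num(esize, (unsigned int)num));
    printf("overflows?    %d\n", size_overflows(esize, SIZE_MAX));
    return 0;
}
```

On LP64 the signed variant returns 0xffffffff80000000 where the unsigned variant returns 0x80000000. The practical lesson is the one the commit draws: keep counts and sizes unsigned end to end, and when the product can exceed the result type, check with a division against SIZE_MAX before multiplying.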
Tobias Brunner d7dc4fedd1 stream: Ensure UNIX socket path is null terminated 2013-07-24 16:17:23 +02:00
Tobias Brunner e7d717cf01 kernel-pfkey: Add sanity check when deleting policies 2013-07-24 16:17:22 +02:00
Tobias Brunner e5455e9413 imv-os: check_packages() fails if product query fails 2013-07-24 16:17:22 +02:00
Tobias Brunner cfca183d55 pkcs5: Add missing break statements when checking crypto primitives 2013-07-24 16:17:22 +02:00
Tobias Brunner 346a4a1fc2 imv-scanner: Properly check snprintf() return value 2013-07-24 16:17:22 +02:00