Tobias Brunner
20c99edab9
android: Remove dependency on libvstr
2013-11-13 11:40:47 +01:00
Tobias Brunner
334f44cd29
unit-tests: Initialize tests with a callback
2013-11-06 10:31:07 +01:00
Tobias Brunner
8d2450d8b8
plugin-loader: Convenience function added to add plugin dirs in build tree
2013-11-06 10:31:07 +01:00
Martin Willi
09d0c9030a
unit-tests: Separate test runner to a library, reusable by other tests
...
Other users may make use of the noinst libtest.la helper library to implement
unit tests. For libstrongswan, tests.[ch] provide the configuration for test
runner to perform unit tests in a simple manner.
2013-11-06 10:31:07 +01:00
Martin Willi
5a3230a250
unit-tests: Use some include magic to define test suite constructors
...
Avoid editing of several files when creating test suites by using a single
header file to define test suite constructor functions.
2013-11-06 10:31:07 +01:00
Martin Willi
d9d0eef92b
unit-tests: Check printing of strings having zero length
2013-11-06 10:31:07 +01:00
Martin Willi
61934203e2
unit-tests: Add some basic tests if PRI* printf specifiers work as expected
2013-11-06 10:31:06 +01:00
Martin Willi
a4cbda35ce
unit-tests: Add a semaphore wait cancel test
2013-11-06 10:31:06 +01:00
Martin Willi
fae1b85223
unit-tests: Add a semaphore absolute timed wait test
2013-11-06 10:31:06 +01:00
Martin Willi
a14935ea4b
unit-tests: Add a semaphore timed wait test case
2013-11-06 10:31:06 +01:00
Martin Willi
ffab2e0c95
unit-tests: Add a simple semaphore test
2013-11-06 10:31:06 +01:00
Martin Willi
b1bfe59560
unit-tests: Add a spinlock test case
2013-11-06 10:31:06 +01:00
Martin Willi
478dc0257c
unit-tests: Add a rwlock condvar thread cancel test
2013-11-06 10:31:05 +01:00
Martin Willi
b92c173b28
unit-tests: Add a rwlock condvar absolute timed wait test
2013-11-06 10:31:05 +01:00
Martin Willi
af19213c54
unit-tests: Add a rwlock condvar wait test
2013-11-06 10:31:05 +01:00
Martin Willi
1032f52d68
unit-tests: Add a rwlock condvar broadcast test
2013-11-06 10:31:05 +01:00
Martin Willi
f644b9e853
unit-tests: Add a rwlock condvar test
2013-11-06 10:31:05 +01:00
Martin Willi
dac31fe1a0
unit-tests: Add a rwlock test case
2013-11-06 10:31:05 +01:00
Martin Willi
8b25b5c36f
unit-tests: Add a condvar test where wait gets cancelled
2013-11-06 10:31:04 +01:00
Martin Willi
b7db393d01
unit-tests: Add a condvar test working on a recursive mutex
2013-11-06 10:31:04 +01:00
Martin Willi
8699a32b74
unit-tests: Add a condvar absolute timed wait test
2013-11-06 10:31:04 +01:00
Martin Willi
31f9f777b3
unit-tests: Add a condvar timed wait test
2013-11-06 10:31:04 +01:00
Martin Willi
9a0a891e6b
unit-tests: Add condvar broadcast test
2013-11-06 10:31:04 +01:00
Martin Willi
13183a74d4
unit-tests: Add a simple condvar test
2013-11-06 10:31:04 +01:00
Martin Willi
21df985148
unit-tests: Add a thread local storage cleanup test
2013-11-06 10:31:03 +01:00
Martin Willi
0b00e63e49
unit-tests: Add a thread local storage fuzzer test
2013-11-06 10:31:03 +01:00
Martin Willi
fd26b7ff1b
unit-tests: Add a thread cleanup pop test
2013-11-06 10:31:03 +01:00
Martin Willi
4aec0c5543
unit-tests: Add cleanup test cases for different thread exit situations
2013-11-06 10:31:03 +01:00
Martin Willi
e5b34086f1
unit-tests: Add a test for thread_cancellation_point()
2013-11-06 10:31:03 +01:00
Martin Willi
49e6848bd0
unit-tests: Add thread cancellability testing
2013-11-06 10:31:03 +01:00
Martin Willi
855747eab7
unit-tests: Add a simple thread_cancel() test
2013-11-06 10:31:02 +01:00
Martin Willi
c320c61160
unit-tests: Add thread_exit() tests to both join and detach test cases
2013-11-06 10:31:02 +01:00
Martin Willi
274e6beb00
unit-tests: Add a simple thread detach test
2013-11-06 10:31:02 +01:00
Martin Willi
5d4a882f45
unit-tests: Add a simple thread join() test
2013-11-06 10:31:02 +01:00
Martin Willi
b942528419
unit-tests: Add test suite for streams and services
2013-11-06 10:31:02 +01:00
Martin Willi
8eda87af86
unit-tests: Add a few test cases for watcher
2013-11-06 10:31:02 +01:00
Martin Willi
23b8f9bf86
unit-tests: Support testing multi-threaded code
2013-11-06 10:31:01 +01:00
Martin Willi
f23fd4c59b
unit-tests: Use a home-brew thread barrier to remove pthread dependency
2013-11-06 10:31:01 +01:00
Martin Willi
b74b8addf8
unit-tests: Show how many test vectors have failed on test failure
2013-11-06 10:31:01 +01:00
Martin Willi
b4d43a542f
unit-tests: Skip fmemopen() based printf() tests if not available
2013-11-06 10:31:01 +01:00
Martin Willi
45766923b8
unit-tests: Avoid name clash with clone() from <sched.h>
2013-11-06 10:31:01 +01:00
Martin Willi
1254ad01b9
unit-tests: Fix a compiler warning in identification tests
2013-11-06 10:31:01 +01:00
Martin Willi
382fa8b419
unit-tests: Clean up memory in new asn1 unit tests
...
Test runner checks for leaks when leak detective is enabled.
2013-11-06 10:31:00 +01:00
Martin Willi
712940d161
unit-tests: Pass linked_list->invoke* varargs as uintptr_t
...
Passing integers of unspecified length may result in passing an integer shorter
than uintptr_t. When reading them back, we might get more data than passed,
resulting in a failure.
2013-11-06 10:31:00 +01:00
Martin Willi
f7b8396af0
unit-tests: Initialize backtracing before printing any backtraces
2013-11-06 10:31:00 +01:00
Martin Willi
bbb62267e0
thread: Note that thread_cancellation_point temporarily activates cancelability
2013-11-06 10:31:00 +01:00
Martin Willi
7a13990964
backtrace: Support backtracing even if library is not initialized
...
But of course backtracing must be initialized anyway using backtrace_init().
2013-11-06 10:31:00 +01:00
Martin Willi
a5860cddae
unit-tests: Enable libstrongswan tests even if --enable-unit-tests not set
...
As we don't depend on the check framework anymore, we can enable the unit tests
by default. These are built/executed with "make check" only, so it makes no
sense to disable them.
2013-11-06 10:31:00 +01:00
Martin Willi
35e8eb93a0
unit-tests: Implement testing framework without "check"
2013-11-06 10:30:59 +01:00
Martin Willi
56866ecf3d
leak-detective: Call {gm,local}time_r() to allocate static buffer
...
On OS X Mavericks, these functions use a static allocation and are hard
to whitelist using other means.
2013-11-06 10:30:59 +01:00
Martin Willi
ef6d78d6ef
leak-detective: Register OS X specific hooks just once
...
If we initialize libstrongswan more than once in the same process, we may
not register the hooks twice.
2013-11-06 10:30:59 +01:00
Martin Willi
f192526c3f
leak-detective: Reset leak list during cleanup
...
This resets leak detective state should it get created/destroyed more than once.
2013-11-06 10:30:59 +01:00
Martin Willi
a426851f63
leak-detective: Use callback functions to report leaks and usage information
...
This is more flexible than printing reports to a FILE.
2013-11-06 10:30:59 +01:00
Martin Willi
9ae1140118
unit-tests: Move test suites to its own subfolder
2013-11-06 10:30:58 +01:00
Tobias Brunner
c49c3f3208
ikev2: Properly free DH secret in case of errors during IKE key derivation
...
Fixes #437.
2013-11-06 10:24:19 +01:00
Andreas Steffen
2da887da35
unit-tests: completed asn1_suite
2013-11-04 18:35:25 +01:00
Andreas Steffen
79b8a384b5
Updated test_runner.h with new suites
2013-11-03 21:34:42 +01:00
Andreas Steffen
7817d88e1a
unit-tests: 100% function coverage for asn1.c
2013-11-03 17:40:51 +01:00
Andreas Steffen
54bce665c4
unit-tests: 12 asn1 functions tested
2013-11-02 21:20:04 +01:00
Andreas Steffen
c3103700fc
Some minor refactoring in asn1.c
2013-11-02 21:17:46 +01:00
Andreas Steffen
1347c936bd
Do not free zero-length integer
2013-11-02 02:11:32 +01:00
Andreas Steffen
a40c4bc28c
unit-tests: Added tests for pen_type_t
2013-11-01 22:29:29 +01:00
Andreas Steffen
6db81edac3
Added IFOM_CAPABILITY notify message type
2013-11-01 14:07:11 +01:00
Andreas Steffen
dc4dd88c42
Updated copyright statement
2013-11-01 13:46:58 +01:00
Martin Willi
10900ed7e7
charon-xpc: Set AUTH_RULE_IDENTITY_LOOSE on responder config
...
This allows the server to use a different IKE identity as long as the
configured hostname is contained in the certificate.
2013-11-01 12:05:48 +01:00
Martin Willi
b76e96e2ef
ike: Don't immediately DPD after deferred DELETEs following IKE_SA rekeying
...
Some peers seem to defer DELETEs a few seconds after rekeying the IKE_SA, which
is perfectly valid. For short(er) DPD delays, this leads to the situation where
we send a DPD request during set_state(), but the IKE_SA has no hosts set yet.
Avoid that DPD by resetting the INBOUND timestamp during set_state().
2013-11-01 11:33:29 +01:00
Volker Rümelin
643da9d2e6
ikev1: Properly initialize list of fragments in case fragment ID is 0
...
Fixes CVE-2013-6076.
2013-10-31 21:58:42 +01:00
Martin Willi
7f4a13fffb
identification: Properly check length before comparing for binary DN equality
...
Fixes CVE-2013-6075.
2013-10-31 21:57:07 +01:00
Martin Willi
ed3eb62723
unit-tests: Additionally do reverse match checking with empty identities
2013-10-31 21:57:07 +01:00
Martin Willi
e02b12e374
unit-tests: Test matching against some empty data identities
2013-10-31 21:57:07 +01:00
Martin Willi
df12b3a61f
unit-tests: Test for equality against some empty data identities
2013-10-31 21:57:07 +01:00
Martin Willi
c409be2506
unit-tests: Let identity equality test fail if a->equals(b) != b->equals(a)
2013-10-31 21:57:07 +01:00
Andreas Steffen
2590cd20d3
PB-TNC PDP_REFERRAL message doesn't have to be in RESULT batch
2013-10-31 12:01:47 +01:00
Ansis Atteka
4334735605
updown: fix segfault when interface name can't be resolved
...
The child_updown() function sets up environment variables to the updown
script. Sometimes call to hydra->kernel_interface->get_interface() could
fail and iface variable could be left uninitialized. This patch fixes
this issue by passing "unknown" as interface name.
Here is the stacktrace:
0 0x00007fa90791f445 in raise () from /lib/x86_64-linux-gnu/libc.so.6
1 0x00007fa907922bab in abort () from /lib/x86_64-linux-gnu/libc.so.6
2 0x0000000000401ed7 in segv_handler (signal=11) at charon.c:183
3 <signal handler called>
4 0x00007fa90793221f in vfprintf () from /lib/x86_64-linux-gnu/libc.so.6
5 0x00007fa9079f0580 in __vsnprintf_chk () from /lib/x86_64-linux-gnu/libc.so.6
6 0x00007fa9079f04c8 in __snprintf_chk () from /lib/x86_64-linux-gnu/libc.so.6
7 0x00007fa8f9b95b86 in snprintf (
__fmt=0x7fa8f9b961b8 "2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='%s%s%s' PLUTO_CONNECTION='%s' PLUTO_INTERFACE='%s' PLUTO_REQID='%u' PLUTO_ME='%H' PLUTO_MY_ID='%Y' PLUTO_MY_CLIENT='%H/%u' PLUTO_MY_PORT='%u' PLUTO_MY_PROTOCOL='%u"..., __n=1024, __s=0x7fa8f7923440 "2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='up-host' PLUTO_CONNECTION='remote-40.0.0.40' PLUTO_INTERFACE='\367\250\177")
at /usr/include/x86_64-linux-gnu/bits/stdio2.h:65
8 child_updown (this=0x8486b0, ike_sa=0x7fa8e4005f80, child_sa=0x7fa8d4008290, up=true) at updown_listener.c:308
9 0x00007fa907ecc11c in ?? () from /usr/lib/strongswan/libcharon.so.0
10 0x00007fa907ef89bf in ?? () from /usr/lib/strongswan/libcharon.so.0
11 0x00007fa907ef2fc8 in ?? () from /usr/lib/strongswan/libcharon.so.0
12 0x00007fa907ee84ff in ?? () from /usr/lib/strongswan/libcharon.so.0
13 0x00007fa907ee3067 in ?? () from /usr/lib/strongswan/libcharon.so.0
14 0x00007fa90835e8fb in ?? () from /usr/lib/strongswan/libstrongswan.so.0
15 0x00007fa908360d30 in ?? () from /usr/lib/strongswan/libstrongswan.so.0
16 0x00007fa907cade9a in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
17 0x00007fa9079db4bd in clone () from /lib/x86_64-linux-gnu/libc.so.6
18 0x0000000000000000 in ?? ()
Signed-Off-By: Ansis Atteka <aatteka@nicira.com>
2013-10-30 09:29:41 +01:00
Tobias Brunner
19046552b6
ipsec: Updated ipsec(8)
2013-10-29 17:22:45 +01:00
Tobias Brunner
71687f4fad
ipsec: Remove unused distro.txt
2013-10-29 16:34:10 +01:00
Tobias Brunner
5ac29360fc
utils: Include stdio.h for fmemopen() replacement
...
This might now be required because Vstr is not necessarily required
anymore, which means stdio.h might not be pulled in by printf_hook.h.
2013-10-29 16:18:35 +01:00
Tobias Brunner
60ddf6284f
Use exact mask when calling umask(2)
...
Due to the previous negation the high bits of the mask were set, which
at least some versions of the Android build system prevent with a compile-time
check.
2013-10-29 16:01:55 +01:00
Martin Willi
d402e87d16
whitelist: Read multiple commands until client closes connection
...
This restores the same behavior we had before e11c02c8, and fixes the whitelist
add/remove-from command.
2013-10-29 14:22:52 +01:00
Tobias Brunner
348b9d82b4
libtnccs: Add dummy entry to pb_tnc_tcg_msg_infos
...
That's required because the first message type in pb_tnc_tcg_msg_type_t
is 1 not 0.
2013-10-29 13:36:15 +01:00
Tobias Brunner
751670a93b
swid: Properly clean up after reading SWID tag
2013-10-29 13:18:05 +01:00
Tobias Brunner
1dd58b0e21
Fixed some typos
2013-10-29 11:44:23 +01:00
Martin Willi
1ba47fa565
charon-xpc: Load missing eap-md5 plugin after enabling it
2013-10-28 15:18:11 +01:00
Martin Willi
9f2a4d3315
charon-xpc: Disable warnings about deprecated functions
...
This avoids all the deprecated warnings when using OpenSSL functions.
2013-10-28 14:51:59 +01:00
Martin Willi
f5ea7d781f
charon-xpc: Avoid -all_load linker flag
...
This seems to be not required anymore with the LLVM 5 toolchain.
2013-10-28 14:51:51 +01:00
Martin Willi
a1c2ed8820
charon-xpc: Properly xpc_retain() connections we xpc_release()
2013-10-28 14:51:40 +01:00
Martin Willi
888d8d73ab
charon-xpc: Properly cast SA identifier to uintptr representation
2013-10-28 14:51:28 +01:00
Martin Willi
3e40dbb128
charon-xpc: Don’t build against libvstr anymore
...
We now have our own printf backend and use it instead of Vstr.
2013-10-28 14:51:03 +01:00
Martin Willi
6a3cfbdc0d
charon-xpc: Build with EAP-MD5 support
2013-10-28 14:49:19 +01:00
Martin Willi
9df621d21f
utils: Fix check for fmemopen() fallback implementation
2013-10-24 15:58:49 +02:00
Martin Willi
8465514157
unit-tests: Set sa_len in sockaddr template data, if required
2013-10-24 15:37:21 +02:00
Martin Willi
e71c57467c
printf-hook-builtin: Don't rely on isinf() return value signedness
...
Many systems don't return a negative value for negative infinities; so do
a separate check.
2013-10-24 15:37:20 +02:00
Martin Willi
5ce3c9b15a
watcher: Rebuild fdset when select() fails
...
This should make sure we refresh the fdset if a user closes an FD it just
removed. Some selects() seem to complain about the bad FD before signaling the
notification pipe.
2013-10-24 15:37:20 +02:00
Martin Willi
1a20a22d09
rwlock: Disable thread cancelability while waiting in (fallback) rwlock
...
An rwlock wait is not a thread cancellation point. As a canceled thread
would not have released the mutex, the rwlock would have been left in unusable
state.
2013-10-24 14:53:53 +02:00
Martin Willi
181d071363
rwlock: Don't use buggy pthread_rwlock on OS X
...
Recursive read locks don't seem to work properly, at least on 10.9.
2013-10-24 14:53:47 +02:00
Martin Willi
2077d996a9
utils: Provide a fmemopen(3) fallback using BSD funopen()
2013-10-24 13:17:05 +02:00
Andreas Steffen
5a7e98231b
Added some example Debian SWID tags
2013-10-23 22:12:12 +02:00
Tobias Brunner
71c9565a3a
pki: Replace BUILD_FROM_FD with passing a chunk via BUILD_BLOB
...
This allows more than one builder to try parsing the data read from STDIN.
2013-10-23 17:20:39 +02:00
Tobias Brunner
46cded2627
chunk: Add helper function to create a chunk from data read from a file descriptor
2013-10-23 17:20:39 +02:00
Martin Willi
b08292a520
semaphore: Support cancellation in wait functions of semaphore fallback
...
Semaphore wait functions should be a thread cancellation point, but did
not properly release the mutex in the fallback implementation.
2013-10-23 16:08:40 +02:00
Martin Willi
47c76c1b05
rwlock: Re-acquire rwlock even if condvar wait times out
...
A caller expects that the associated rwlock is held, whether the condvar
gets signaled or the wait times out.
2013-10-23 11:52:26 +02:00
Andreas Steffen
b891c22aa9
Updated and split data.sql
2013-10-23 00:26:02 +02:00
Andreas Steffen
50d7a55c96
Support Ubuntu 13.10 measurements
2013-10-21 21:33:30 +02:00
Andreas Steffen
27bf5c06dc
check if specified IF-TNCCS protocol is enabled
2013-10-21 21:03:53 +02:00
Tobias Brunner
8e8e97d10d
kernel-netlink: Check existence of linux/fib_rules.h, don't include it in distribution
...
This reverts commit b0761f1f0a.
2013-10-18 09:52:54 +02:00
Tobias Brunner
4c185d11ad
updown: Properly configure ICMP[v6] message type and code in firewall rules
2013-10-17 16:57:39 +02:00
Tobias Brunner
9739a0bf67
updown: Pass ICMP[v6] message type and code to updown script
...
The type is passed in $PLUTO_MY_PORT and the code in $PLUTO_PEER_PORT.
2013-10-17 16:57:39 +02:00
Tobias Brunner
59213396fa
kernel-pfkey: Install ICMP[v6] type/code as expected by the Linux kernel
2013-10-17 16:57:39 +02:00
Tobias Brunner
406a504ca7
kernel-netlink: Convert ports in acquires to ICMP[v6] type and code
2013-10-17 16:57:39 +02:00
Tobias Brunner
ddc2d3c8e4
kernel-netlink: Properly install policies with ICMP[v6] types and codes
2013-10-17 16:57:39 +02:00
Tobias Brunner
000235f1c5
traffic-selector: Print ICMP[v6] message type and code in a more readable way
2013-10-17 16:57:39 +02:00
Tobias Brunner
4bebe45abb
traffic-selector: Store ICMP[v6] message type and code properly
...
We now store them as defined in RFC 4301, section 4.4.1.1.
2013-10-17 16:57:39 +02:00
Tobias Brunner
d6a1960d34
traffic-selector: Move class to its own Doxygen group
2013-10-17 16:57:38 +02:00
Tobias Brunner
7313499914
proposal: Add ECC Brainpool DH groups to the default proposal
2013-10-17 13:36:09 +02:00
Tobias Brunner
606aae3aa1
openssl: Add workaround if ECC Brainpool curves are not defined
2013-10-17 13:36:08 +02:00
Tobias Brunner
3c29d2822f
openssl: Add support for ECC Brainpool curves for DH, if defined by OpenSSL
...
OpenSSL does not include them in releases before 1.0.2.
2013-10-17 13:36:08 +02:00
Andreas Steffen
cca372465d
ecc: Added ECC Brainpool ECDH groups as registered with IANA
2013-10-17 11:57:04 +02:00
Tobias Brunner
be97277bdb
unit-tests: Make test for bio_writer_t more portable
2013-10-17 11:44:03 +02:00
Tobias Brunner
f6cadb7f54
libipsec: Don't print ciphertext with ICV in log message
2013-10-17 11:43:58 +02:00
Tobias Brunner
f5c5fd6f74
libipsec: Properly calculate padding length especially for AES-GCM
2013-10-17 11:42:45 +02:00
Tobias Brunner
812ae898bf
utils: Add utility function to calculate padding length
2013-10-17 10:25:34 +02:00
Tobias Brunner
32fef0c6e9
stroke: Reuse reqids of established CHILD_SAs when routing connections
2013-10-17 10:23:32 +02:00
Tobias Brunner
6278e64230
trap-manager: Make sure a config is not trapped twice
2013-10-17 10:23:32 +02:00
Tobias Brunner
dd438ee22c
Doxygen fixes
2013-10-15 11:25:55 +02:00
Andreas Steffen
a37ab690cc
Set recommendation in the case of PCR measurement failures
2013-10-13 22:17:18 +02:00
Andreas Steffen
b0761f1f0a
Add linux/fib_rules.h to include files
2013-10-13 20:51:10 +02:00
Andreas Steffen
6623dfa84d
Revert refactoring which broke CentOS build
2013-10-13 19:56:04 +02:00
Tobias Brunner
d9020264f4
checksum: The pool utility was moved to its own directory
2013-10-11 17:42:29 +02:00
Tobias Brunner
0f6f7ba22c
ccm: Add missing comma in get_iv_gen method signature
2013-10-11 17:42:25 +02:00
Tobias Brunner
bfeb8b5c47
iv-gen: Add missing header files to Makefile.am
2013-10-11 17:42:05 +02:00
Tobias Brunner
0c6f6c4e34
iv_gen: Mask sequential IVs with a random salt
...
This makes it harder to attack a HA setup, even if the sequence numbers were
not fully in sync.
2013-10-11 15:55:40 +02:00
Tobias Brunner
e8229ad558
iv_gen: Provide external sequence number (IKE, ESP)
...
This prevents duplicate sequential IVs in case of a HA failover.
2013-10-11 15:55:40 +02:00
Tobias Brunner
d74c254dfd
ipsec: Use IV generator to encrypt ESP messages
2013-10-11 15:55:40 +02:00
Tobias Brunner
b5010707a0
ikev2: Use IV generator to encrypt encrypted payload
2013-10-11 15:55:40 +02:00
Tobias Brunner
50bd28d549
iv_gen: aead_t implementations provide an IV generator
2013-10-11 15:55:40 +02:00
Tobias Brunner
b3e1eb2afe
iv_gen: Add IV generator that allocates IVs sequentially
2013-10-11 15:55:40 +02:00
Tobias Brunner
53d1f2dbfd
iv_gen: Add IV generator that allocates IVs randomly
...
Uses RNG_WEAK as the code currently does elsewhere to allocate IVs.
2013-10-11 15:55:40 +02:00
Tobias Brunner
403057aa5a
crypto: Add generic interface for IV generators
2013-10-11 15:55:40 +02:00
Tobias Brunner
b38f7f703b
apidoc: Move mac_prf to prf Doxygen group
2013-10-11 15:55:40 +02:00
Tobias Brunner
feb3c4ff22
eap-radius: Forward RAT_FRAMED_IP_NETMASK as INTERNAL_IP4_NETMASK
2013-10-11 15:52:22 +02:00
Tobias Brunner
1a809e46f8
eap-radius: Forward UNITY_SPLIT_INCLUDE or UNITY_LOCAL_LAN attributes
...
Depending on the value of the CVPN3000-IPSec-Split-Tunneling-Policy(55)
radius attribute, the subnets in the CVPN3000-IPSec-Split-Tunnel-List(27)
attribute are sent in either a UNITY_SPLIT_INCLUDE (if the value is 1)
or a UNITY_LOCAL_LAN (if the value is 2).
So if the following attributes would be configured for a RADIUS user
CVPN3000-IPSec-Split-Tunnel-List := "10.0.1.0/255.255.255.0,10.0.2.0/255.255.255.0"
CVPN3000-IPSec-Split-Tunneling-Policy := 1
A UNITY_SPLIT_INCLUDE configuration payload containing these two subnets
would be sent to the client during the ModeCfg exchange.
2013-10-11 15:52:22 +02:00
Tobias Brunner
66229619cf
eap-radius: Forward UNITY_DEF_DOMAIN and UNITY_SPLITDNS_NAME attributes
...
The contents of the CVPN3000-IPSec-Default-Domain(28) and
CVPN3000-IPSec-Split-DNS-Names(29) radius attributes are forwarded in
the corresponding Unity configuration attributes.
2013-10-11 15:52:22 +02:00
Ruslan N. Marchenko
b638c131de
dnscert: Add DNS CERT support for pubkey authentication
...
Add DNSSEC protected CERT RR delivered certificate authentication.
The new dnscert plugin is based on the ipseckey plugin and relies on the
existing PEM decoder as well as x509 and PGP parsers. As such the plugin
expects PEM encoded PKIX(x509) or PGP(GPG) certificate payloads.
The plugin is targeted to improve interoperability with Racoon, which
supports this type of authentication, ignoring in-stream certificates
and using only DNS provided certificates for FQDN IDs.
2013-10-11 15:45:42 +02:00
Tobias Brunner
8ac54970f5
ipseckey: Properly handle failure to create a certificate
...
Also, try the next key (if available) if parsing an IPSECKEY failed.
2013-10-11 15:45:41 +02:00
Tobias Brunner
e8130a9498
ipseckey: Refactor creation of certificate enumerator
...
Reduces nesting and fixes a memory leak (rrsig_enum).
2013-10-11 15:45:41 +02:00
Tobias Brunner
de5ea570f1
ipseckey: Depend on plugin features to create public key and certificate objects
2013-10-11 15:45:41 +02:00
Tobias Brunner
6ecf1aab35
unbound: Add support for DLV (DNSSEC Lookaside Validation)
...
Fixes #392.
2013-10-11 15:45:25 +02:00
Tobias Brunner
cd25d291f7
kernel-libipsec: Don't ignore policies of type != POLICY_IPSEC
...
This actually broke rekeying due to the DROP policies that are
temporarily added, which broke the refcount as the ignored policies
were not ignored in del_policy() (the type is not known there).
2013-10-11 15:32:44 +02:00
Tobias Brunner
eeb34af069
kernel-libipsec: Add an option to allow remote TS to match the IKE peer
...
Setting the fwmark options for the kernel-netlink and socket-default
plugins allow this kind of setup.
It is probably required to set net.ipv4.conf.all.rp_filter to 2 to make
it work.
2013-10-11 15:32:44 +02:00
Tobias Brunner
80f8b3a6d8
socket-default: Allow setting firewall mark on outbound packets
2013-10-11 15:32:44 +02:00
Tobias Brunner
51fefe4606
kernel-netlink: Allow setting firewall marks on routing rule
2013-10-11 15:32:44 +02:00
Tobias Brunner
434e530f75
ipsec_types: Add utility function to parse mark_t from strings
2013-10-11 15:32:44 +02:00
Tobias Brunner
bd085dd978
attr-sql: Use a serializable transaction when inserting identities
2013-10-11 15:29:10 +02:00
Tobias Brunner
b283a6e9ef
database: Add support for serializable transactions
2013-10-11 15:29:10 +02:00
Tobias Brunner
e745f5f69f
sql: Don't use MyISAM engine and set collation/charset for all tables
...
The MyISAM engine doesn't support transactions.
2013-10-11 15:16:05 +02:00
Tobias Brunner
03c801cb2b
pool: Change transaction handling
2013-10-11 15:16:05 +02:00
Tobias Brunner
ec6ad6b086
pool: Move the pool utility to its own directory in src
2013-10-11 15:16:05 +02:00
Tobias Brunner
5abe3c52d3
attr-sql: Handle concurrent insertion of identities
...
If the same identity is added concurrently by two threads (or by the
pool utility) INSERT might fail even though the SELECT was unsuccessful
before.
We are currently not able to lock the identities table in a portable way
(something like SELECT ... FOR UPDATE on MySQL).
2013-10-11 15:16:05 +02:00
Tobias Brunner
4b8b1354ce
attr-sql: Don't use database transactions in create_attribute_enumerator
...
There could, of course, be race conditions when enumerating the attributes,
but those probably don't matter (e.g. missing an attribute that was
concurrently added).
Transactions are more intended to revert multiple changes if anything
fails in the process.
2013-10-11 15:16:05 +02:00
Tobias Brunner
fad11d602d
sqlite: Implement transaction handling
2013-10-11 15:16:05 +02:00
Tobias Brunner
f3cb889c9b
mysql: Implement transaction handling
2013-10-11 15:16:04 +02:00
Tobias Brunner
947b76cda8
database: Add interface to handle transactions
2013-10-11 15:16:04 +02:00
Tobias Brunner
5f6a40827e
mysql: Ensure connections are properly released in multi-threaded environments
2013-10-11 15:16:04 +02:00
Tobias Brunner
ec91f15e3b
crypto-factory: Try next available RNG implementation if constructor fails
2013-10-11 15:13:25 +02:00
Tobias Brunner
2e22333fbc
crypto-factory: Order entries by algorithm identifier and (optionally) speed
2013-10-11 15:13:25 +02:00
Tobias Brunner
e2c9a03d15
Remove HASH_PREFERRED, usages are replaced with HASH_SHA1, which is required for IKEv2 anyway
2013-10-11 15:13:25 +02:00
Tobias Brunner
3473cbab9c
vstr: Forward actual field width
...
fmt_field_width is a flag that indicates if a field width
is defined in obj_field_width.
2013-10-11 15:12:16 +02:00
Martin Willi
fc566632da
unit-tests: support testing when leak-detective has not been enabled
2013-10-11 15:12:16 +02:00
Martin Willi
795cbb98c6
printf-hook-builtin: Print NaN/Infinity floating point values as such
2013-10-11 11:06:09 +02:00
Martin Willi
8af9bf70f5
printf-hook-builtin: Correctly round up floating point values
2013-10-11 11:06:09 +02:00
Martin Willi
edc7a3d02f
printf-hook-builtin: Add some preliminary floating point support
...
This minimalistic implementation has no aspiration for completeness or
accuracy, and just provides what we need.
2013-10-11 11:06:09 +02:00
Martin Willi
7e6a4cdc84
printf-hook-builtin: Support GNU %m specifier
2013-10-11 11:06:09 +02:00
Martin Willi
cabe5c0ff4
printf-hook-builtin: Add a new "builtin" backend using its own printf() routines
...
Overloads printf C library functions by a self-contained implementation,
based on klibc. Does not yet feature all the required default formatters,
including those for floating point values.
2013-10-11 11:06:02 +02:00
Martin Willi
ebca34d782
printf-hook: Add some basic printf() string/integer test functions
2013-10-11 11:05:37 +02:00
Martin Willi
243048248b
printf-hook: Move glibc/vstr printf hook backends to separate files
2013-10-11 11:05:30 +02:00
Martin Willi
d53002f088
libipsec: Enforce byte/packet lifetimes on SAs
2013-10-11 10:23:18 +02:00
Martin Willi
12fdc2b16b
kernel-libipsec: Support ESPv3 TFC padding
2013-10-11 10:23:18 +02:00
Martin Willi
293515f95c
libipsec: remove extra RFC4303 TFC padding appended to inner payload
2013-10-11 10:23:17 +02:00
Martin Willi
d53f9b9637
kernel-libipsec: Support query_sa() to report usage statistics
2013-10-11 10:23:17 +02:00
Martin Willi
b08967d6d8
libipsec: Support usage statistics and query_sa() on IPsec SAs
2013-10-11 10:23:17 +02:00
Martin Willi
d7083b6541
kernel: Use a time_t to report use time in query_policy()
2013-10-11 10:23:17 +02:00
Martin Willi
c99458e94e
kernel: Use a time_t to report use time in query_sa()
2013-10-11 10:23:17 +02:00
Martin Willi
4817595876
updown: Install forwarding rules with the actually used protocol
2013-10-11 10:15:22 +02:00
Martin Willi
c5d9b133e0
updown: Add a PLUTO_PROTO variable set to 'ah' or 'esp'
2013-10-11 10:15:21 +02:00
Martin Willi
e48e530b44
starter: Reject connections having both 'ah' and 'esp' keywords set
...
We currently don't support mixed proposals or bundles, so don't create the
illusion we would.
2013-10-11 10:15:21 +02:00
Martin Willi
757343d90e
ike: Define keylength for aescmac algorithm
2013-10-11 10:15:21 +02:00
Martin Willi
a1379e3210
ikev1: Support parsing of AH+IPComp proposals
2013-10-11 10:15:21 +02:00
Martin Willi
25f74be8f9
starter: Remove obsolete 'auth' option
2013-10-11 10:15:21 +02:00
Martin Willi
d489e75579
ikev1: Accept more than two certificate payloads
2013-10-11 10:15:21 +02:00
Martin Willi
3771b85806
ikev1: Support en-/decoding of SA payloads with AH algorithms
2013-10-11 10:15:21 +02:00
Martin Willi
44e6aa4fb7
kernel-handler: Whitespace cleanups
2013-10-11 10:15:21 +02:00
Martin Willi
f6037b5506
stroke: List proposals in statusall without leading '/' in AH SAs
2013-10-11 10:15:21 +02:00
Martin Willi
4bf92306eb
ikev1: Delete quick modes with the negotiated SA protocol
2013-10-11 10:15:21 +02:00
Martin Willi
5d569e07fd
trap-manager: Install trap with SA protocol of the first configured proposal
2013-10-11 10:15:21 +02:00
Martin Willi
21b096f3b8
child-sa: Save protocol during SPI allocation
...
This allows us to properly delete the incomplete SA with the correct protocol
should negotiation fail.
2013-10-11 10:15:21 +02:00
Martin Willi
908fe1632d
ikev1: Negotiate SPI with the first/negotiated proposal protocol
2013-10-11 10:15:21 +02:00
Martin Willi
cdab8630d9
ikev2: Allocate SPI with the protocol of the first/negotiated proposal
2013-10-11 10:15:21 +02:00
Martin Willi
f0c59e1cf8
proposal: Strip redundant integrity algos for ESP proposals only
2013-10-11 10:15:21 +02:00
Martin Willi
0576412989
stroke: Configure proposal with AH protocol if 'ah' option set
2013-10-11 10:15:20 +02:00
Martin Willi
a07b97e804
starter: Add an 'ah' keyword for Authentication Header Security Associations
2013-10-11 10:15:20 +02:00