Adds support for multiple subnets and address ranges in left/right ipsec.conf
options. As responder the connection is acceptable if the address is in one of
the ranges/subnets. To initiate connections, at least one single IP or hostname
is required for the peer address.
Replace the allowany semantic by a more powerful subnet and IP range matching.
Multiple addresses, DNS names, subnets and ranges can be specified in a comma
separated list. Initiators ignore the ranges/subnets, responders match
configurations against all addresses, ranges and subnets.
As we always negotiate virtual IPs in charon, having both left- and
rightsourceip is not allowed. Both in IKEv1 and IKEv2 we support a single
configuration payload exchange only.
Introduces multiple rounds in the eap-radius XAuth backend, concatenating
answers to a single password to verify using a RADIUS User-Password attribute.
This is known to work fine with iOS and OS X clients, allowing two-factor
authentication with proper dialogs.
Different XAuth "profiles" for each backend can be selected using a generic
colon sperated suffix for the XAuth string.
The configuration string is appended to the XAuth backend name, separated by
a colon. The configuration string is passed untouched to the backend, where
it can change the behavior of the XAuth module.
The parts can be accessed with the variables:
PACKAGE_VERSION_MAJOR
PACKAGE_VERSION_MINOR
PACKAGE_VERSION_BUILD
PACKAGE_VERSION_REVIEW
The last part will be empty for regular releases.
AM_CPPFLAGS only takes preprocessor flags like -I or -D, so it did not
forward -rdynamic to the linker (--export-dynamic), which meant that the
symbols defined in the executable itself were not resolvable via dlsym().
Fixes#394.
The retry code introduced in dc8b083 got the memset() arguments wrong.
Fix this to ensure the buffer gets zeroed, for real.
It probably doesn't matter as we do reset the message length on retry, so
the stale data shouldn't be seen by anyone.
Found-by: git grep 'memset\s*\([^,]*,\s*[^,]*,\s*0\s*\)'
Martin Willi