Tobias Brunner
ed0efaef4c
host: Properly initialize struct sockaddr_in[6] when parsing strings
Otherwise struct members like sin6_flowinfo or sin6_scope_id might be
set to bogus values.
2013-07-31 22:16:58 +02:00
Tobias Brunner
b3393c88c1
asn1: Fix handling of invalid ASN.1 length in is_asn1()
Fixes CVE-2013-5018.
2013-07-31 22:16:58 +02:00
Andreas Steffen
cc5bedbb98
Callback job is not needed any more
2013-07-31 22:13:49 +02:00
Martin Willi
8fa7c5c191
charon-xpc: load missing ctr/ccm/gcm plugins
2013-07-31 16:28:11 +02:00
Martin Willi
aafb6fa6c2
charon-xpc: use kernel-libipsec instead of kernel-pfkey
2013-07-31 11:41:37 +02:00
Martin Willi
546235d34c
charon-xpc: fix TS getting after changing CHILD_SA API
2013-07-31 11:41:31 +02:00
Martin Willi
83a0b74da8
keychain: be less verbose when loading certificates
2013-07-31 11:41:16 +02:00
Tobias Brunner
a566c5f837
receiver: Avoid cloning packet data when verifying COOKIE payloads
Besides being more efficient this removes a memory leak that occurred
when a COOKIE payload was successfully verified.
Fixes #369.
2013-07-29 22:04:24 +02:00
Tobias Brunner
1cf8022839
unity: Handle multi-valued UNITY_SPLIT_INCLUDE/UNITY_LOCAL_LAN attributes
Cisco devices seem to add 6 bytes of padding between each address/mask
pair.
Fixes #366.
2013-07-29 21:44:27 +02:00
Andreas Steffen
e8b8a6d958
version bump to 5.0.1
2013-07-29 17:16:41 +02:00
Andreas Steffen
ef580b0137
tnc-pdp now uses watcher_t
2013-07-29 17:16:21 +02:00
Andreas Steffen
4c961168cc
Updated PTS database scheme to new workitems model
2013-07-29 11:41:47 +02:00
Tobias Brunner
4dc8978000
ikev2: Only schedule half-open-timeout delete job after successfully handling IKE_SA_INIT
We want to avoid this allocation if the initial message is invalid (e.g.
if the message ID is != 0).
2013-07-29 11:25:43 +02:00
Martin Willi
68957d1811
NEWS: mention xauth-radius backend in eap-radius plugin
2013-07-29 11:08:54 +02:00
Martin Willi
2cfe88aacb
testing: enforce xauth-eap in ikev1/xauth-rsa-eap-md5-radius
As eap-radius now provides its own XAuth backend and eap-radius is loaded before
xauth-eap, we have to enforce the exact XAuth backend to use.
2013-07-29 10:35:59 +02:00
Martin Willi
14dfdf7dac
Merge branch 'xauth-radius'
Implements verification of XAuth credentials using simple RADIUS User-Name and
(encrypted) User-Password attributes. The XAuth backend is implemented in the
eap-radius plugin, reusing all existing infrastructure and features found in
that plugin, including RADIUS accounting.
2013-07-29 09:00:56 +02:00
Martin Willi
9d75f04eee
testing: add a testcase for plain XAuth RADIUS authentication
2013-07-29 09:00:49 +02:00
Martin Willi
44bb1dc3da
charon-cmd: add --eap-identity and --xauth-username options
2013-07-29 09:00:49 +02:00
Martin Willi
3a399574c2
eap-radius: do RADIUS/IKE attribute forwarding in XAuth backend
2013-07-29 09:00:49 +02:00
Martin Willi
c434b2a4a9
eap-radius: support plain XAuth RADIUS authentication using User-Password
2013-07-29 09:00:49 +02:00
Martin Willi
6bc0ce020d
libradius: support encryption of User-Password attributes
2013-07-29 09:00:48 +02:00
Martin Willi
84044f9c73
utils: add round_up/down() helper functions
2013-07-29 09:00:48 +02:00
Martin Willi
15483a6223
libradius: refactor generic RADIUS en-/decryption function to a message method
2013-07-29 09:00:48 +02:00
Martin Willi
9aeb6cea4c
eap-radius: export function to build common attributes of Access-Request
2013-07-29 09:00:48 +02:00
Martin Willi
94ec80e74c
eap-radius: export function to process common attributes of Access-Accept
2013-07-29 09:00:48 +02:00
Martin Willi
7612a6e42f
mem-pool: add option for reusing online leases, and disable it by default
Mainly for reauthentication with third-party implementations, we allowed
reusing an online lease, but only for the same peer identity and when it
explicitly requested the same address.
This has always been problematic, because it changes the reqid of the CHILD_SA
with the same traffic selectors, breaking the old tunnel. As we now reject
such policy overwrites, this usually lets the installation of the new policies
fail. We therefore disable reassignment of online leases by default.
2013-07-29 08:56:09 +02:00
Martin Willi
c5d2d867f1
mem-pool: replace per-identity online/offline lists by more efficient arrays
This saves two lists per connected peer identity, up to 0.4KB.
2013-07-29 08:55:21 +02:00
Martin Willi
d882880e87
mem-pool: refcount online lease when reassigning it to another tunnel
When we reassign an online lease for the same peer, we have to refcount it.
Otherwise we would set it offline if one of the tunnels goes down, but it is
actually still in use by the second tunnel. This can eventually lead to
assigning the same virtual IP to different peers.
2013-07-26 13:12:22 +02:00
Tobias Brunner
77ccff82cf
ikev1: Always send ID payloads (traffic selectors) during Quick Mode
Especially Windows 7 has problems if the peer does not send ID payloads
for host-to-host connections (tunnel and transport mode).
Fixes #319.
2013-07-25 17:08:17 +02:00
Tobias Brunner
1f2d9c7688
watcher: Made notify array initialization compatible with older GCC versions
2013-07-25 16:57:42 +02:00
Tobias Brunner
ebb4ad1baa
unit-tests: Add additional tests for host_t
2013-07-25 11:28:26 +02:00
Tobias Brunner
7a192c57a3
imv-attestation: Properly measure complete directories
2013-07-25 11:28:26 +02:00
Tobias Brunner
116363e5c6
array: Number of items in get_size() is unsigned
Otherwise, array->esize is promoted to int and if array->esize * num
results in a value > 0x7fffffff the return value would be incorrect due
to the implicit sign extension when cast to size_t.
2013-07-25 11:28:01 +02:00
Tobias Brunner
d7dc4fedd1
stream: Ensure UNIX socket path is null terminated
2013-07-24 16:17:23 +02:00
Tobias Brunner
e7d717cf01
kernel-pfkey: Add sanity check when deleting policies
2013-07-24 16:17:22 +02:00
Tobias Brunner
e5455e9413
imv-os: check_packages() fails if product query fails
2013-07-24 16:17:22 +02:00
Tobias Brunner
cfca183d55
pkcs5: Add missing break statements when checking crypto primitives
2013-07-24 16:17:22 +02:00
Tobias Brunner
346a4a1fc2
imv-scanner: Properly check snprintf() return value
2013-07-24 16:17:22 +02:00
Tobias Brunner
16748bdff7
socket-dynamic: Properly initialize IPv6 address
2013-07-24 16:17:22 +02:00
Tobias Brunner
5baec6448d
unit-tests: Add test for host_create_netmask()
2013-07-24 16:17:21 +02:00
Tobias Brunner
6e2ec33f9d
host: Prevent overflow in host_create_netmask() if mask is 0 or 32/128
2013-07-24 16:17:03 +02:00
Tobias Brunner
a00ac1d9ee
imv-attestation: Use proper cast for length when using %.*s
2013-07-24 10:54:47 +02:00
Tobias Brunner
0c76d820dc
tnc-ifmap: Use proper cast for length when using %.*s
2013-07-24 10:54:47 +02:00
Tobias Brunner
cfdd23b967
capabilities: Proper error handling when reading groups
2013-07-24 10:54:26 +02:00
Tobias Brunner
3021139f6f
strongswan.conf: Moved some stuff around
2013-07-23 12:23:05 +02:00
Tobias Brunner
5b1e3d3fdc
ipsec: Add --piddir to retrieve the PID/socket directory
2013-07-22 18:12:04 +02:00
Tobias Brunner
517823b466
starter: Properly refer to the ipsec script if it was renamed
2013-07-22 18:00:19 +02:00
Tobias Brunner
62293ed271
coupling: Fix call to call_hook()
2013-07-22 17:53:56 +02:00
Tobias Brunner
2ed8b36a8a
strongswan.conf: Add missing options
2013-07-22 17:46:41 +02:00
Tobias Brunner
146fa8b2d3
charon-xpc: Use correct namespace when setting default settings
2013-07-22 17:44:37 +02:00