Commit Graph

11793 Commits

Author SHA1 Message Date
Tobias Brunner ed0efaef4c host: Properly initialize struct sockaddr_in[6] when parsing strings
Otherwise struct members like sin6_flowinfo or sin6_scope_id might be
set to bogus values.
2013-07-31 22:16:58 +02:00
Tobias Brunner b3393c88c1 asn1: Fix handling of invalid ASN.1 length in is_asn1()
Fixes CVE-2013-5018.
2013-07-31 22:16:58 +02:00
Andreas Steffen cc5bedbb98 Callback job is not needed any more 2013-07-31 22:13:49 +02:00
Martin Willi 8fa7c5c191 charon-xpc: load missing ctr/ccm/gcm plugins 2013-07-31 16:28:11 +02:00
Martin Willi aafb6fa6c2 charon-xpc: use kernel-libipsec instead of kernel-pfkey 2013-07-31 11:41:37 +02:00
Martin Willi 546235d34c charon-xpc: fix TS getting after changing CHILD_SA API 2013-07-31 11:41:31 +02:00
Martin Willi 83a0b74da8 keychain: be less verbose when loading certificates 2013-07-31 11:41:16 +02:00
Tobias Brunner a566c5f837 receiver: Avoid cloning packet data when verifying COOKIE payloads
Besides being more efficient this removes a memory leak that occurred
when a COOKIE payload was successfully verified.

Fixes #369.
2013-07-29 22:04:24 +02:00
Tobias Brunner 1cf8022839 unity: Handle multi-valued UNITY_SPLIT_INCLUDE/UNITY_LOCAL_LAN attributes
Cisco devices seem to add 6 bytes of padding between each address/mask
pair.

Fixes #366.
2013-07-29 21:44:27 +02:00
Andreas Steffen e8b8a6d958 version bump to 5.0.1 2013-07-29 17:16:41 +02:00
Andreas Steffen ef580b0137 tnc-pdp now uses watcher_t 2013-07-29 17:16:21 +02:00
Andreas Steffen 4c961168cc Updated PTS database scheme to new workitems model 2013-07-29 11:41:47 +02:00
Tobias Brunner 4dc8978000 ikev2: Only schedule half-open-timeout delete job after successfully handling IKE_SA_INIT
We want to avoid this allocation if the initial message is invalid (e.g.
if the message ID is != 0).
2013-07-29 11:25:43 +02:00
Martin Willi 68957d1811 NEWS: mention xauth-radius backend in eap-radius plugin 2013-07-29 11:08:54 +02:00
Martin Willi 2cfe88aacb testing: enforce xauth-eap in ikev1/xauth-rsa-eap-md5-radius
As eap-radius now provides its own XAuth backend and eap-radius is loaded before
xauth-eap, we have to enforce the exact XAuth backend to use.
2013-07-29 10:35:59 +02:00
Martin Willi 14dfdf7dac Merge branch 'xauth-radius'
Implements verification of XAuth credentials using simple RADIUS User-Name and
(encrypted) User-Password attributes. The XAuth backend is implemented in the
eap-radius plugin, reusing all existing infrastructure and features found in
that plugin, including RADIUS accounting.
2013-07-29 09:00:56 +02:00
Martin Willi 9d75f04eee testing: add a testcase for plain XAuth RADIUS authentication 2013-07-29 09:00:49 +02:00
Martin Willi 44bb1dc3da charon-cmd: add --eap-identity and --xauth-username options 2013-07-29 09:00:49 +02:00
Martin Willi 3a399574c2 eap-radius: do RADIUS/IKE attribute forwarding in XAuth backend 2013-07-29 09:00:49 +02:00
Martin Willi c434b2a4a9 eap-radius: support plain XAuth RADIUS authentication using User-Password 2013-07-29 09:00:49 +02:00
Martin Willi 6bc0ce020d libradius: support encryption of User-Password attributes 2013-07-29 09:00:48 +02:00
Martin Willi 84044f9c73 utils: add round_up/down() helper functions 2013-07-29 09:00:48 +02:00
Martin Willi 15483a6223 libradius: refactor generic RADIUS en-/decryption function to a message method 2013-07-29 09:00:48 +02:00
Martin Willi 9aeb6cea4c eap-radius: export function to build common attributes of Access-Request 2013-07-29 09:00:48 +02:00
Martin Willi 94ec80e74c eap-radius: export function to process common attributes of Access-Accept 2013-07-29 09:00:48 +02:00
Martin Willi 7612a6e42f mem-pool: add option for reusing online leases, and disable it by default
Mainly for reauthentication with third party implementations, we allowed
reusing an online lease, but only for the same peer identity and when it
explicitly requested the same address.

This has always been problematic, because it changes the reqid of the CHILD_SA
with the same traffic selectors, breaking the old tunnel. As we now reject
such policy overwrites, this usually lets the installation of the new policies
fail. We therefore disable reassignment of online leases by default.
2013-07-29 08:56:09 +02:00
Martin Willi c5d2d867f1 mem-pool: replace per-identity online/offline lists by more efficient arrays
This saves two lists per connected peer identity, up to 0.4KB.
2013-07-29 08:55:21 +02:00
Martin Willi d882880e87 mem-pool: refcount online lease when reassigning it to another tunnel
When we reassign an online lease for the same peer, we have to refcount it.
Otherwise we would set it offline if one of the tunnels goes down, but it is
actually still in use by the second tunnel. This can finally lead to
assigning the same virtual IP to different peers.
2013-07-26 13:12:22 +02:00
Tobias Brunner 77ccff82cf ikev1: Always send ID payloads (traffic selectors) during Quick Mode
Especially Windows 7 has problems if the peer does not send ID payloads
for host-to-host connections (tunnel and transport mode).

Fixes #319.
2013-07-25 17:08:17 +02:00
Tobias Brunner 1f2d9c7688 watcher: Made notify array initialization compatible with older GCC versions 2013-07-25 16:57:42 +02:00
Tobias Brunner ebb4ad1baa unit-tests: Add additional tests for host_t 2013-07-25 11:28:26 +02:00
Tobias Brunner 7a192c57a3 imv-attestation: Properly measure complete directories 2013-07-25 11:28:26 +02:00
Tobias Brunner 116363e5c6 array: Number of items in get_size() is unsigned
Otherwise, array->esize is promoted to int and if array->esize * num
results in a value > 0x7fffffff the return value would be incorrect due to
the implicit sign extension when getting cast to size_t.
2013-07-25 11:28:01 +02:00
Tobias Brunner d7dc4fedd1 stream: Ensure UNIX socket path is null terminated 2013-07-24 16:17:23 +02:00
Tobias Brunner e7d717cf01 kernel-pfkey: Add sanity check when deleting policies 2013-07-24 16:17:22 +02:00
Tobias Brunner e5455e9413 imv-os: check_packages() fails if product query fails 2013-07-24 16:17:22 +02:00
Tobias Brunner cfca183d55 pkcs5: Add missing break statements when checking crypto primitives 2013-07-24 16:17:22 +02:00
Tobias Brunner 346a4a1fc2 imv-scanner: Properly check snprintf() return value 2013-07-24 16:17:22 +02:00
Tobias Brunner 16748bdff7 socket-dynamic: Properly initialize IPv6 address 2013-07-24 16:17:22 +02:00
Tobias Brunner 5baec6448d unit-tests: Add test for host_create_netmask() 2013-07-24 16:17:21 +02:00
Tobias Brunner 6e2ec33f9d host: Prevent overflow in host_create_netmask() if mask is 0 or 32/128 2013-07-24 16:17:03 +02:00
Tobias Brunner a00ac1d9ee imv-attestation: Use proper cast for length when using %.*s 2013-07-24 10:54:47 +02:00
Tobias Brunner 0c76d820dc tnc-ifmap: Use proper cast for length when using %.*s 2013-07-24 10:54:47 +02:00
Tobias Brunner cfdd23b967 capabilities: Proper error handling when reading groups 2013-07-24 10:54:26 +02:00
Tobias Brunner 3021139f6f strongswan.conf: Moved some stuff around 2013-07-23 12:23:05 +02:00
Tobias Brunner 5b1e3d3fdc ipsec: Add --piddir to retrieve the PID/socket directory 2013-07-22 18:12:04 +02:00
Tobias Brunner 517823b466 starter: Properly refer to the ipsec script if it was renamed 2013-07-22 18:00:19 +02:00
Tobias Brunner 62293ed271 coupling: Fix call to call_hook() 2013-07-22 17:53:56 +02:00
Tobias Brunner 2ed8b36a8a strongswan.conf: Add missing options 2013-07-22 17:46:41 +02:00
Tobias Brunner 146fa8b2d3 charon-xpc: Use correct namespace when setting default settings 2013-07-22 17:44:37 +02:00