53fcc70acc
When running with an unprivileged user, initialize supplementary groups
2013-03-01 11:27:01 +01:00
21dd4c4bea
Without MOBIKE, update remote host only if it is behind NAT
2013-03-01 11:26:47 +01:00
00683b6864
Merge branch 'ikev1-mm-retransmits'
...
Fixes retransmit of the last Main Mode or IKE_AUTH message, and correctly
queues Main Mode messages when processing of the last message is still in
progress.
2013-03-01 11:24:42 +01:00
d634109f1d
Merge branch 'tfc-notify'
...
Introduces kernel backend features, sends ESP_TFC_PADDING_NOT_SUPPORTED if
kernel does not support it.
2013-03-01 11:16:58 +01:00
5c55be4915
Send ESP_TFC_PADDING_NOT_SUPPORTED if the used kernel doesn't support it
2013-03-01 11:12:17 +01:00
53e62f5d0c
Indicate support for processing ESPv3 TFC padding in Netlink IPsec backend
2013-03-01 11:11:51 +01:00
76f7d80e80
Introduce "features" for the kernel backends returning kernel capabilities
2013-03-01 11:11:24 +01:00
81f9cd39fd
openssl: Provide AES-GCM implementation
2013-02-28 18:17:42 +01:00
a89ebab62e
Fix cleanup in crypto_tester if AEAD implementation fails
2013-02-28 18:17:42 +01:00
5f7f4fa398
Order of arguments in Doxygen comment fixed
2013-02-28 18:17:42 +01:00
8656f35ae1
Fix auth_cfg_t.clone() for single-valued auth rules
...
By using the default list enumerator and adding the rules with the public
add() method, clones of auth_cfg_t objects would return the values for
single-valued auth rules in the wrong order (i.e. the oldest instead of the
newest value was returned). Using the internal enumerator (which the comment
already suggested) fixes this, but the clone will not be a full clone as
it does not contain any old values for single-valued auth rules. Since
these will never be used anyway, this should be fine.
2013-02-28 18:11:38 +01:00
6e935c6fe0
Trigger an updown event when destroying an IKE_SA based on INITIAL_CONTACT
...
In other cases (i.e. when functions return DESTROY_ME) the event should
already be triggered, but not in this forced situation.
2013-02-28 18:07:29 +01:00
bc07fef09c
Use SIGUSR2 for SIG_CANCEL on Android
...
SIGRTMIN is defined as 32 while sigset_t is defined as
unsigned long (i.e. holds 32 signals). Hence, the signal
could never be blocked. Sending the signal still canceled
threads, but sometimes in situations where they shouldn't
have been canceled (e.g. while holding a lock).
Fixes #298 .
2013-02-26 11:40:34 +01:00
0ac34e9e6a
Android.mk updated to latest Makefiles
...
Fixes #300 .
2013-02-26 10:11:36 +01:00
e2857be823
For IKEv1 Main Mode, use message hash to detect early retransmissions
...
As the message ID is zero in all Main Mode messages, it can't be used to detect
if we are already processing a given message.
2013-02-25 12:12:38 +01:00
cdf75a39e3
Move initial message dropping to task manager
...
When the last request message of the initial tunnel setup is retransmitted,
we must retransmit the response instead of ignoring the request.
Fixes #295 .
2013-02-25 12:12:19 +01:00
9eaed7a5bb
Use INIT macro to initialize IKE_SA manager entries
2013-02-25 12:10:02 +01:00
0d237763dc
openssl: Disable PKCS#7/CMS when building against OpenSSL < 0.9.8g
...
Fixes #292 .
2013-02-20 18:34:54 +01:00
371b752f00
treat IF-M and IF-TNCCS remediation instructions/parameters in an equal way
2013-02-19 20:00:57 +01:00
65cdda5cf8
Streamlined log messages in ipseckey plugin
2013-02-19 12:25:00 +01:00
a4ddc0bb26
Encode RSA public keys in RFC 3110 DNSKEY format
2013-02-19 12:25:00 +01:00
f2145c8d3a
Moved configuration from resolver manager to unbound plugin
...
Also streamlined log messages in unbound plugin.
2013-02-19 12:25:00 +01:00
95650c0836
ipseckey: Report IPSECKEYs with invalid DNSSEC security state
2013-02-19 12:25:00 +01:00
932717fbde
ipseckey: Added "enable" option for the IPSECKEY plugin to strongswan.conf
2013-02-19 12:25:00 +01:00
a77bbc3b8c
Added ipseckey plugin, which provides support for public keys in IPSECKEY RRs
2013-02-19 12:25:00 +01:00
cfd07978d0
unbound: Implementation of query method of unbound_resolver_t
2013-02-19 11:57:21 +01:00
5a4126b490
unbound: Implemented resolver_response_t as unbound_response_t
2013-02-19 11:57:21 +01:00
62ea67e700
Implemented rr_set_t interface
2013-02-19 11:57:21 +01:00
4a335a2164
unbound: Implemented rr_t as unbound_rr_t
2013-02-19 11:57:21 +01:00
9f963a7cfc
Added unbound plugin implementing the resolver interface using libunbound
2013-02-19 11:57:21 +01:00
b1505b345b
Added manager for DNS resolvers
2013-02-19 11:57:21 +01:00
ffdeeb6609
Added interface for DNS resolvers
2013-02-19 11:57:21 +01:00
c381e46855
added missing return statement
2013-02-19 10:24:23 +01:00
69faf63528
Fix encoding of issuerAndSubject while handling SCEP pending state
2013-02-19 09:53:47 +01:00
0f7cb0caf4
reject PB-Experimental messages with NOSKIP flag set
2013-02-19 09:31:34 +01:00
9b4a8e1ced
added parameter descriptions
2013-02-19 07:44:57 +01:00
2c1219c217
removed superfluous debug output
2013-02-15 15:19:16 +01:00
b5b76df012
Add a timeout to clean up PDP RADIUS connections
2013-02-14 17:20:09 +01:00
dadd9744b6
Keep the PDP connections lock while accessing its objects
...
When we introduce connection timeouts, the state may disappear at any time.
This change prevents that, but is not very clear. We probably have to refactor
connection handling.
2013-02-14 17:19:56 +01:00
37884ab10f
Add locking to TNC-PDP connections
2013-02-14 17:19:49 +01:00
d20a2cc5f3
Add IF-M message subtype getter to IMC/IMV messages
2013-02-14 17:18:24 +01:00
bbe9261bbf
Use a generic constructor to create PA-TNC error attributes
2013-02-14 17:18:00 +01:00
4755ab505d
Add a global return_success() method implementation
2013-02-14 17:17:45 +01:00
de32b8aed6
Add a convenience method to check pen_type_t for vendor and type
2013-02-14 17:17:30 +01:00
d03b338487
Add a comparison function for pen_type_t
2013-02-14 17:17:22 +01:00
9db54bbcd4
Whitespace and comment cleanups in pen.[ch]
2013-02-14 17:17:07 +01:00
f838f457a8
resolve dependency on libtls
2013-02-14 17:15:33 +01:00
e212033ef2
Merge branch 'ike-dscp'
2013-02-14 17:11:35 +01:00
285668b6e3
Check if recommendations is set before applying language preference
2013-02-14 17:09:28 +01:00
a9df87bf89
PT-TLS dispatcher TNCCS constructor takes peer identities to pass to factory
2013-02-14 17:09:28 +01:00
Martin Willi