Martin Willi
53fcc70acc
When running with an unprivileged user, initialize supplementary groups
2013-03-01 11:27:01 +01:00
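An added example, not strongSwan's code, of the privilege drop this commit subject describes: the process switches to an unprivileged user and initialises that user's supplementary groups with initgroups() before giving up the gid and the uid, and a pure checker flags any group that survived the drop without belonging to the target user (the symptom of a drop that forgets the supplementary groups). The default target user "nobody" and the function names credentials_clean() and drop_privileges() are assumptions for illustration; the drop itself needs root, the checker runs anywhere.

```c
/* Added example (not strongSwan code): drop root to an unprivileged user
 * with the user's supplementary groups initialised, plus a pure checker
 * for the resulting credential set. Function names are hypothetical. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Does `gid` occur in groups[0..ngroups)? */
static int groups_contain(const gid_t *groups, int ngroups, gid_t gid)
{
    for (int i = 0; i < ngroups; i++) {
        if (groups[i] == gid) {
            return 1;
        }
    }
    return 0;
}

/* Pure check on a credential set (usable from a test harness): the process
 * must not run as uid/gid 0, and every supplementary group must be either
 * the target user's primary gid or one of the gids that user is configured
 * for (`allowed`). Anything else was inherited across the drop, which is
 * exactly what happens when initgroups()/setgroups() is skipped.
 * Returns 1 when clean, 0 when a stray privilege remains. */
int credentials_clean(uid_t uid, gid_t gid,
                      const gid_t *groups, int ngroups,
                      const gid_t *allowed, int nallowed)
{
    if (uid == 0 || gid == 0) {
        return 0;
    }
    for (int i = 0; i < ngroups; i++) {
        if (groups[i] != gid && !groups_contain(allowed, nallowed, groups[i])) {
            return 0;
        }
    }
    return 1;
}

/* Switch the running (root) process to `user`. Order matters: the
 * supplementary groups first, because initgroups() needs root, then the
 * gid, then the uid. Returns 0 on success, -1 with errno set. */
int drop_privileges(const char *user)
{
    struct passwd *pw = getpwnam(user);

    if (pw == NULL) {
        errno = ENOENT;
        return -1;
    }
    if (initgroups(user, pw->pw_gid) != 0) {
        return -1;
    }
    if (setgid(pw->pw_gid) != 0) {
        return -1;
    }
    if (setuid(pw->pw_uid) != 0) {
        return -1;
    }
    /* The drop must be irreversible: if we can still become root, fail. */
    if (pw->pw_uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "nobody";   /* assumed target user */
    gid_t groups[128];                                  /* enough for a demo */
    int ngroups;

    if (drop_privileges(user) != 0) {
        fprintf(stderr, "drop_privileges(%s): %s\n", user, strerror(errno));
        return 1;
    }
    ngroups = getgroups(128, groups);
    if (ngroups < 0) {
        perror("getgroups");
        return 1;
    }
    printf("uid=%u gid=%u supplementary groups:", (unsigned)getuid(), (unsigned)getgid());
    for (int i = 0; i < ngroups; i++) {
        printf(" %u", (unsigned)groups[i]);
    }
    printf("\n");
    return 0;
}
```

Run it as root with the target user as argument; the final setuid(0) probe refuses to report success if root can still be regained, which catches a drop that changed the effective uid only. The printed group list is what credentials_clean() would inspect in a test.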
Martin Willi
21dd4c4bea
Without MOBIKE, update remote host only if it is behind NAT
2013-03-01 11:26:47 +01:00
Martin Willi
00683b6864
Merge branch 'ikev1-mm-retransmits'
...
Fixes retransmit of the last Main Mode or IKE_AUTH message, and correctly
queues Main Mode messages when processing of the last message is still in
progress.
2013-03-01 11:24:42 +01:00
Martin Willi
d634109f1d
Merge branch 'tfc-notify'
...
Introduces kernel backend features, sends ESP_TFC_PADDING_NOT_SUPPORTED if
kernel does not support it.
2013-03-01 11:16:58 +01:00
Martin Willi
5c55be4915
Send ESP_TFC_PADDING_NOT_SUPPORTED if the used kernel doesn't support it
2013-03-01 11:12:17 +01:00
Martin Willi
53e62f5d0c
Indicate support for processing ESPv3 TFC padding in Netlink IPsec backend
2013-03-01 11:11:51 +01:00
Martin Willi
76f7d80e80
Introduce "features" for the kernel backends returning kernel capabilities
2013-03-01 11:11:24 +01:00
Tobias Brunner
81f9cd39fd
openssl: Provide AES-GCM implementation
2013-02-28 18:17:42 +01:00
Tobias Brunner
a89ebab62e
Fix cleanup in crypto_tester if AEAD implementation fails
2013-02-28 18:17:42 +01:00
Tobias Brunner
5f7f4fa398
Order of arguments in Doxygen comment fixed
2013-02-28 18:17:42 +01:00
Tobias Brunner
8656f35ae1
Fix auth_cfg_t.clone() for single-valued auth rules
...
By using the default list enumerator and adding the rules with the public
add() method, clones of auth_cfg_t objects would return the values for
single-valued auth rules in the wrong order (i.e. the oldest instead of the
newest value was returned). Using the internal enumerator (which the comment
already suggested) fixes this, but the clone will not be a full clone as
it does not contain any old values for single-valued auth rules. Since
these will never be used anyway, this should be fine.
2013-02-28 18:11:38 +01:00
Tobias Brunner
6e935c6fe0
Trigger an updown event when destroying an IKE_SA based on INITIAL_CONTACT
...
In other cases (i.e. when functions return DESTROY_ME) the event should
already be triggered, but not in this forced situation.
2013-02-28 18:07:29 +01:00
Tobias Brunner
bc07fef09c
Use SIGUSR2 for SIG_CANCEL on Android
...
SIGRTMIN is defined as 32 while sigset_t is defined as
unsigned long (i.e. holds 32 signals). Hence, the signal
could never be blocked. Sending the signal still canceled
threads, but sometimes in situations where they shouldn't
have been canceled (e.g. while holding a lock).
Fixes #298.
2013-02-26 11:40:34 +01:00
Tobias Brunner
0ac34e9e6a
Android.mk updated to latest Makefiles
...
Fixes #300.
2013-02-26 10:11:36 +01:00
Martin Willi
e2857be823
For IKEv1 Main Mode, use message hash to detect early retransmissions
...
As the message ID is zero in all Main Mode messages, it can't be used to detect
if we are already processing a given message.
2013-02-25 12:12:38 +01:00
Martin Willi
cdf75a39e3
Move initial message dropping to task manager
...
When the last request message of the initial tunnel setup is retransmitted,
we must retransmit the response instead of ignoring the request.
Fixes #295.
2013-02-25 12:12:19 +01:00
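An added example, not code from strongSwan, of the receive-side logic the two commits above describe: since every Main Mode message carries message ID 0, a message is identified by a hash over the whole datagram instead, so an early retransmit of the request still being processed is dropped, a different request arriving meanwhile is queued, and a retransmit of the last completed request gets the stored response sent again rather than being ignored. The ISAKMP header offsets are those of RFC 2408; the state structure, the action names, the FNV-1a stand-in hash and the constructed messages in mm_selftest() are assumptions for illustration.

```c
/* Added example (not strongSwan code): Main Mode retransmit handling keyed
 * on a hash of the datagram instead of the (always zero) message ID. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ISAKMP_HDR_LEN 28
#define ISAKMP_EXCH_MAIN_MODE 2   /* "identity protection" exchange type */

enum rx_action {
    RX_INVALID = -1,      /* too short, or not a Main Mode message */
    RX_PROCESS = 0,       /* new request: start processing it */
    RX_DROP_IN_PROGRESS,  /* early retransmit of the request being processed */
    RX_QUEUE,             /* a different request while one is still in progress */
    RX_RESEND_RESPONSE    /* retransmit of the last completed request */
};

/* Per-IKE_SA bookkeeping (hypothetical layout). */
struct mm_state {
    int      in_progress;
    uint64_t in_progress_hash;
    int      have_last;
    uint64_t last_request_hash;
    uint8_t  last_response[256];   /* replayed when the last request comes again */
    size_t   last_response_len;
};

/* Exchange type (offset 18) and message ID (offset 20, big endian) of the
 * fixed ISAKMP header (RFC 2408 section 3.1). */
int isakmp_exchange_type(const uint8_t *msg, size_t len)
{
    return len < ISAKMP_HDR_LEN ? -1 : msg[18];
}

uint32_t isakmp_message_id(const uint8_t *msg, size_t len)
{
    if (len < ISAKMP_HDR_LEN) return 0;
    return ((uint32_t)msg[20] << 24) | ((uint32_t)msg[21] << 16) |
           ((uint32_t)msg[22] << 8) | msg[23];
}

/* FNV-1a 64 over the datagram: a stand-in for the cryptographic hash a real
 * daemon would use so that a peer cannot cheaply craft colliding messages. */
uint64_t hash_message(const uint8_t *msg, size_t len)
{
    uint64_t h = 14695981039346656037ULL;
    for (size_t i = 0; i < len; i++) {
        h = (h ^ msg[i]) * 1099511628211ULL;
    }
    return h;
}

/* Classify an incoming Main Mode datagram against the current state. */
enum rx_action mm_receive(struct mm_state *st, const uint8_t *msg, size_t len)
{
    uint64_t h;

    if (isakmp_exchange_type(msg, len) != ISAKMP_EXCH_MAIN_MODE) return RX_INVALID;
    h = hash_message(msg, len);
    if (st->in_progress && h == st->in_progress_hash) return RX_DROP_IN_PROGRESS;
    if (st->have_last && h == st->last_request_hash) return RX_RESEND_RESPONSE;
    if (st->in_progress) return RX_QUEUE;
    st->in_progress = 1;
    st->in_progress_hash = h;
    return RX_PROCESS;
}

/* Processing finished and `resp` was sent: keep request hash and response so
 * a retransmitted request gets the same response back. */
int mm_complete(struct mm_state *st, const uint8_t *resp, size_t resp_len)
{
    if (!st->in_progress || resp_len > sizeof st->last_response) return -1;
    st->last_request_hash = st->in_progress_hash;
    memcpy(st->last_response, resp, resp_len);
    st->last_response_len = resp_len;
    st->have_last = 1;
    st->in_progress = 0;
    return 0;
}

/* Constructed Main Mode datagram: header with message ID 0 plus an opaque
 * payload. Returns the total length, 0 if it does not fit into `cap`. */
size_t build_mm_message(uint8_t *out, size_t cap, const char *payload)
{
    size_t plen = strlen(payload), total = ISAKMP_HDR_LEN + plen;

    if (total > cap) return 0;
    memset(out, 0, ISAKMP_HDR_LEN);
    memset(out, 0x11, 8);              /* initiator SPI (arbitrary) */
    out[16] = 1;                       /* next payload: SA */
    out[17] = 0x10;                    /* ISAKMP version 1.0 */
    out[18] = ISAKMP_EXCH_MAIN_MODE;   /* bytes 20..23 stay 0: message ID */
    out[24] = total >> 24; out[25] = total >> 16; out[26] = total >> 8; out[27] = total;
    memcpy(out + ISAKMP_HDR_LEN, payload, plen);
    return total;
}

/* Walk through the cases; returns 0 if all behave as expected, otherwise the
 * number of the first failing step. */
int mm_selftest(void)
{
    struct mm_state st = {0};
    uint8_t m1[64], m2[64], rs[64];
    size_t l1 = build_mm_message(m1, sizeof m1, "SA proposal");
    size_t l2 = build_mm_message(m2, sizeof m2, "KE and nonce");
    size_t lr = build_mm_message(rs, sizeof rs, "SA chosen");

    if (isakmp_message_id(m1, l1) != 0 || isakmp_message_id(m2, l2) != 0) return 1;
    if (hash_message(m1, l1) == hash_message(m2, l2)) return 2;   /* hash tells them apart */
    if (mm_receive(&st, m1, l1) != RX_PROCESS) return 3;
    if (mm_receive(&st, m1, l1) != RX_DROP_IN_PROGRESS) return 4; /* early retransmit */
    if (mm_receive(&st, m2, l2) != RX_QUEUE) return 5;            /* next request, too early */
    if (mm_complete(&st, rs, lr) != 0) return 6;
    if (mm_receive(&st, m1, l1) != RX_RESEND_RESPONSE) return 7;  /* late retransmit */
    if (st.last_response_len != lr || memcmp(st.last_response, rs, lr)) return 8;
    if (mm_receive(&st, m2, l2) != RX_PROCESS) return 9;
    if (mm_receive(&st, m1, 10) != RX_INVALID) return 10;         /* truncated datagram */
    return 0;
}

int main(void)
{
    int step = mm_selftest();
    printf("Main Mode retransmit handling: %s\n", step ? "FAILED" : "ok");
    return step != 0;
}
```

The caller acts on the returned rx_action: only RX_PROCESS hands the datagram to the task manager, RX_RESEND_RESPONSE sends st->last_response unchanged, and RX_QUEUE parks the datagram until mm_complete() has run for the current one.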
Martin Willi
9eaed7a5bb
Use INIT macro to initialize IKE_SA manager entries
2013-02-25 12:10:02 +01:00
Tobias Brunner
0d237763dc
openssl: Disable PKCS#7/CMS when building against OpenSSL < 0.9.8g
...
Fixes #292.
2013-02-20 18:34:54 +01:00
Andreas Steffen
371b752f00
treat IF-M and IF-TNCCS remediation instructions/parameters in an equal way
2013-02-19 20:00:57 +01:00
Andreas Steffen
65cdda5cf8
Streamlined log messages in ipseckey plugin
2013-02-19 12:25:00 +01:00
Andreas Steffen
a4ddc0bb26
Encode RSA public keys in RFC 3110 DNSKEY format
2013-02-19 12:25:00 +01:00
Andreas Steffen
f2145c8d3a
Moved configuration from resolver manager to unbound plugin
...
Also streamlined log messages in unbound plugin.
2013-02-19 12:25:00 +01:00
Reto Guadagnini
95650c0836
ipseckey: Report IPSECKEYs with invalid DNSSEC security state
2013-02-19 12:25:00 +01:00
Reto Guadagnini
932717fbde
ipseckey: Added "enable" option for the IPSECKEY plugin to strongswan.conf
2013-02-19 12:25:00 +01:00
Reto Guadagnini
a77bbc3b8c
Added ipseckey plugin, which provides support for public keys in IPSECKEY RRs
2013-02-19 12:25:00 +01:00
Reto Guadagnini
cfd07978d0
unbound: Implementation of query method of unbound_resolver_t
2013-02-19 11:57:21 +01:00
Reto Guadagnini
5a4126b490
unbound: Implemented resolver_response_t as unbound_response_t
2013-02-19 11:57:21 +01:00
Reto Guadagnini
62ea67e700
Implemented rr_set_t interface
2013-02-19 11:57:21 +01:00
Reto Guadagnini
4a335a2164
unbound: Implemented rr_t as unbound_rr_t
2013-02-19 11:57:21 +01:00
Reto Guadagnini
9f963a7cfc
Added unbound plugin implementing the resolver interface using libunbound
2013-02-19 11:57:21 +01:00
Reto Guadagnini
b1505b345b
Added manager for DNS resolvers
2013-02-19 11:57:21 +01:00
Reto Guadagnini
ffdeeb6609
Added interface for DNS resolvers
2013-02-19 11:57:21 +01:00
Andreas Steffen
c381e46855
added missing return statement
2013-02-19 10:24:23 +01:00
Martin Willi
69faf63528
Fix encoding of issuerAndSubject while handling SCEP pending state
2013-02-19 09:53:47 +01:00
Andreas Steffen
0f7cb0caf4
reject PB-Experimental messages with NOSKIP flag set
2013-02-19 09:31:34 +01:00
Andreas Steffen
9b4a8e1ced
added parameter descriptions
2013-02-19 07:44:57 +01:00
Andreas Steffen
2c1219c217
removed superfluous debug output
2013-02-15 15:19:16 +01:00
Martin Willi
b5b76df012
Add a timeout to clean up PDP RADIUS connections
2013-02-14 17:20:09 +01:00
Martin Willi
dadd9744b6
Keep the PDP connections lock while accessing its objects
...
When we introduce connection timeouts, the state may disappear at any time.
This change prevents that, but is not very clear. We probably have to refactor
connection handling.
2013-02-14 17:19:56 +01:00
Martin Willi
37884ab10f
Add locking to TNC-PDP connections
2013-02-14 17:19:49 +01:00
Martin Willi
d20a2cc5f3
Add IF-M message subtype getter to IMC/IMV messages
2013-02-14 17:18:24 +01:00
Martin Willi
bbe9261bbf
Use a generic constructor to create PA-TNC error attributes
2013-02-14 17:18:00 +01:00
Martin Willi
4755ab505d
Add a global return_success() method implementation
2013-02-14 17:17:45 +01:00
Martin Willi
de32b8aed6
Add a convenience method to check pen_type_t for vendor and type
2013-02-14 17:17:30 +01:00
Martin Willi
d03b338487
Add a comparison function for pen_type_t
2013-02-14 17:17:22 +01:00
Martin Willi
9db54bbcd4
Whitespace and comment cleanups in pen.[ch]
2013-02-14 17:17:07 +01:00
Andreas Steffen
f838f457a8
resolve dependency on libtls
2013-02-14 17:15:33 +01:00
Martin Willi
e212033ef2
Merge branch 'ike-dscp'
2013-02-14 17:11:35 +01:00
Martin Willi
285668b6e3
Check if recommendations is set before applying language preference
2013-02-14 17:09:28 +01:00
Martin Willi
a9df87bf89
PT-TLS dispatcher TNCCS constructor takes peer identities to pass to factory
2013-02-14 17:09:28 +01:00