Tobias Brunner
80b267f9e3
Use filter instead of findstring to check for enabled plugins in Android.mk.
findstring is not prefix-safe (i.e. android matches android-log). On
the other hand filter matches words separated by whitespace and if no
wildcard (%) is used the full word has to match.
2012-08-08 15:07:43 +02:00
Tobias Brunner
162621ed57
Moved Android specific logger to separate plugin.
This is mainly because the other parts of the existing android plugin
can not be built in the NDK (access to keystore and system properties are
not part of the stable NDK libraries).
2012-08-08 15:07:43 +02:00
Tobias Brunner
657a3ba609
Link android plugin against liblog in the NDK.
Doesn't seem to hurt the build within the source tree.
2012-08-08 15:07:43 +02:00
Tobias Brunner
e7ea057fd2
Make the UDP ports charon listens for packets on (and uses as source ports) configurable.
2012-08-08 15:07:43 +02:00
Tobias Brunner
73940eb712
Make path to Android OpenSSL headers configurable.
2012-08-08 15:07:43 +02:00
Tobias Brunner
4528e74a5c
Don't require STRONGSWAN_CONF to be defined.
2012-08-08 15:07:42 +02:00
Tobias Brunner
a9f169f699
Don't require PLUGINDIR to be defined.
If it is not available, we just load monolithically built plugins.
2012-08-08 15:07:42 +02:00
Martin Willi
4e98ca1800
Remove queued IKEv1 message before processing it
Avoids destruction or processing of a queued message in
recursive process_message() call.
2012-08-08 14:54:03 +02:00
Tobias Brunner
6204c1182d
Include src address in hash of initial message for Main Mode
If two initiators use the same SPI and also use the same SA proposal the
hash for the initial message would be exactly the same. For IKEv2 and
Aggressive Mode that's not a problem as these messages include random
data (Ni, KEi payloads).
2012-08-08 14:47:36 +02:00
Andreas Steffen
fa1baac315
implemented deletion of product_file database entries
2012-08-07 15:06:12 +02:00
Adrian-Ken Rueegsegger
9c2f08860d
Add DH group 15 (MODP-3072) to IKE proposal
2012-08-06 11:22:33 +02:00
Martin Willi
7c6d6b0d89
PEM loading soft-depends on MD5 only, as unencrypted files don't need MD5
Fixes #211.
2012-08-03 15:25:17 +02:00
Martin Willi
bd28543512
Rebuild charon after running ./configure to reflect plugin changes
2012-08-03 13:11:45 +02:00
Martin Willi
764035d515
Block XAuth transaction on established IKE_SAs, but allow Mode Config
2012-08-03 13:07:57 +02:00
Tobias Brunner
decc467a4f
Implemented recursive mutex without thread-specific counter
2012-08-03 11:30:18 +02:00
Tobias Brunner
920f29e7d5
Use a single thread-specific value for our custom rwlock_t implementation
The pthread implementation on Android currently only supports 64
different thread-specific values per process, which we hit easily when
every rwlock_t requires one.
2012-08-03 11:30:18 +02:00
Martin Willi
f02a305569
Fix linking of addrblock plugin when building monolithic
Fixes #212.
2012-08-03 10:50:21 +02:00
Martin Willi
394b9f6b65
Reject initial exchange messages early once IKE_SA is established
2012-08-02 13:04:54 +02:00
Martin Willi
804d702b0a
Add some more NEWS about 5.0.1
2012-08-02 12:23:59 +02:00
Martin Willi
11d6bc3eb0
Move MODP_CUSTOM va_arg fetching out of loop
It seems problematic at least on PPC with gcc 4.3, fixes #208.
2012-08-02 12:08:27 +02:00
Andreas Steffen
ecfd714c78
updated NEWS
2012-07-31 17:25:30 +02:00
Andreas Steffen
3e7565eee0
libimcv requires nonce plugin
2012-07-31 16:46:46 +02:00
Martin Willi
f701ba8389
Lookup IKEv1 PSK even if the peer identity is not known
2012-07-31 15:39:33 +02:00
Andreas Steffen
6ff1d5bb32
update state before handling status
2012-07-30 23:19:25 +02:00
Andreas Steffen
af8354da1a
implemented support of functional sub-components
2012-07-30 20:49:42 +02:00
Andreas Steffen
e0c66bebcf
extended and documented ipsec attest
2012-07-30 20:49:42 +02:00
Tobias Brunner
63ac6d00b0
Proper fallback if capability dropping is not available
2012-07-27 14:46:42 +02:00
Tobias Brunner
8ff1094823
The use of $< in Makefiles is not portable
It requires GNU make which is not what most people use on e.g. FreeBSD.
Fixes #205.
2012-07-27 13:47:59 +02:00
Tobias Brunner
d511a71daa
Include stdint.h for UINTxx_MAX defines
Fixes #205.
2012-07-27 13:47:59 +02:00
Andreas Steffen
df0f88a4b3
measure all kernel modules and optimize firefox and thunderbird measurements
2012-07-27 11:47:22 +02:00
Andreas Steffen
9e99d2c378
with --relative --file do not insert absolute filenames into database
2012-07-27 11:47:22 +02:00
Martin Willi
777bcdc0d5
Don't include acquiring packet traffic selectors in IKEv1
As we only can negotiate a single TS in IKEv1, don't prepend the
triggering packet TS, as we do in IKEv2. Otherwise we don't establish
the TS of the configuration, but only that of the triggering packet.
Fixes #207.
2012-07-26 15:45:49 +02:00
Martin Willi
8b560a4565
Implement late peer config switching after XAuth authentication
If additional authentication constraints, such as group membership,
are not fulfilled by an XAuth backend, we search for another
peer configuration that fulfills all constraints, including those
from phase1.
2012-07-26 15:17:36 +02:00
Martin Willi
40ca05cff8
Check if XAuth round complies to configured authentication round
2012-07-26 12:40:27 +02:00
Martin Willi
6a8786b55f
Show which group would be required when failing in constraint check
2012-07-26 12:39:53 +02:00
Martin Willi
874f7c7e2c
Don't add ANY identity constraint to auth config, as XAuth rounds don't use one
2012-07-26 12:38:34 +02:00
Martin Willi
9191946a63
Merge auth config items added from XAuth backends to IKE_SA
2012-07-26 12:07:48 +02:00
Martin Willi
46df61dff7
Add an ipsec.conf leftgroups2 parameter for the second authentication round
2012-07-26 11:51:58 +02:00
Andreas Steffen
15f78beb0f
IMA SHA1 file measurement is not needed any more
2012-07-23 22:19:30 +02:00
Andreas Steffen
327dcf96db
fixed typo
2012-07-23 22:19:30 +02:00
Martin Willi
81419807f5
Release leaking child config after uninstalling shunt policy
2012-07-23 17:15:40 +02:00
Andreas Steffen
e6b01ce42d
moved PA-TNC message logging to level 1
2012-07-23 13:04:28 +02:00
Andreas Steffen
ab957aacce
transport IMA file info via PTS Component Evidence Policy URI
2012-07-23 12:51:37 +02:00
Andreas Steffen
838f683cde
ipsec attest now deletes file hashes
2012-07-22 09:29:39 +02:00
Andreas Steffen
2c9a833b7a
buffer PA-TNC attributes until Generate Attestation Evidence attribute is received
2012-07-21 16:43:24 +02:00
Andreas Steffen
6f46681a48
allow --rel as an abbreviation for --relative
2012-07-21 15:58:13 +02:00
Andreas Steffen
4c02086241
moved all shadow PCR stuff to the pts_pcr class
2012-07-21 15:58:13 +02:00
Martin Willi
3b7468b245
Support Unity split-include/exclude options in attr plugin
2012-07-20 17:36:27 +02:00
Martin Willi
73514b3217
Don't print hexdumps on loglevel 1 if hash verification fails
2012-07-20 17:36:27 +02:00
Andreas Steffen
5a6c18853e
created a pts_pcr class for PCR computations
2012-07-20 14:57:28 +02:00