027676f750
capabilities: Add function to check if a capability is held, without keeping it
...
This can be useful if capabilities are not required anymore after
dropping privileges.
2013-07-18 15:25:35 +02:00
19cb07b890
automake: replace INCLUDES by AM_CPPFLAGS
...
INCLUDES are now deprecated and throw warnings when using automake 1.13.
We now also differentiate AM_CPPFLAGS and AM_CFLAGS, where includes and
defines are passed to AM_CPPFLAGS only.
2013-07-18 14:59:19 +02:00
2e9e2fa848
eap-sim-pcsc: fix compiler warning
2013-07-18 14:59:19 +02:00
896abbefc5
nm: omit deprecated g_type_init() when using >= GLIB 2.36
2013-07-18 14:21:17 +02:00
2d5a20061a
soup: omit deprecated g_type_init() when using >= GLIB 2.36
2013-07-18 14:20:57 +02:00
b146ecbc4e
libfast: cancel thread if it fails to accept fcgi sessions
2013-07-18 12:24:38 +02:00
890f20989f
libfast: add a fast_ prefix to all classes, avoiding namespace clashes
2013-07-18 12:24:38 +02:00
b9c47eae06
xpc: allow easy copy & pase of ./configure instructions
2013-07-18 12:17:56 +02:00
7f1adbe94e
xpc: use -idirafter to build against openssl headers from /usr/include
2013-07-18 12:17:56 +02:00
06e8712cb3
xpc: forward some risen alerts over XPC to App
2013-07-18 12:17:56 +02:00
e7ee45ef38
xpc: enable close_ike_on_child_failure
2013-07-18 12:17:56 +02:00
e37c5d46d3
xpc: send a "connecting" event when establishing a connection starts
2013-07-18 12:17:56 +02:00
3ffa310c44
xpc: use osx-attr plugin to install configuration attributes
2013-07-18 12:17:56 +02:00
c7ac7f92e9
xpc: update README with new events, markdown style fixes
2013-07-18 12:17:55 +02:00
4edcc86149
xpc: send child_updown events over XPC channel
2013-07-18 12:17:55 +02:00
d60c8d2c74
xpc: support termination of IKE_SAs using XPC RPC on connection channel
2013-07-18 12:17:55 +02:00
790ad9e677
xpc: move XPC RPC reply creation to command dispatching
2013-07-18 12:17:55 +02:00
a0c125eacb
xpc: terminate daemon when last XPC connection to App gone
2013-07-18 12:17:55 +02:00
6aae6268d7
xpc: fix some refcounting issues related to XPC connections
2013-07-18 12:17:55 +02:00
22bffc647d
xpc: no need to clear channel table, they are bound to IKE_SA lifetime
2013-07-18 12:17:55 +02:00
1a3f71d97a
xpc: add support for logging over XPC channels
2013-07-18 12:17:55 +02:00
fbc89786b5
xpc: don't warn about pointer signedness mismatch (-Wno-pointer-sign)
2013-07-18 12:17:55 +02:00
dcf8a3c78b
xpc: add a description of the basic XPC protocol to README
2013-07-18 12:17:55 +02:00
d5966e71e9
xpc: use the same XPC message "type" mechanism on Mach service as on channels
2013-07-18 12:17:55 +02:00
39d15dde67
xpc: ask App for passwords using connection specific channel
2013-07-18 12:17:55 +02:00
8279ce99c4
xpc: use IKE_SA specific XPC return channels for further communication
2013-07-18 12:17:55 +02:00
bc74e18223
xpc: don't send certificate requests, there are too many when using keychain
2013-07-18 12:17:55 +02:00
5016370390
xpc: build with support for the keychain plugin
2013-07-18 12:17:55 +02:00
e73a653451
xpc: add support for initiate simple IKEv2 EAP connections
2013-07-18 12:17:54 +02:00
3dcc9d7aa7
xpc: move dispatching to dedicated class, using dedicated thread
2013-07-18 12:17:54 +02:00
4204d1d71a
xpc: use non-inlining variant of vstr, compiler does not like it
2013-07-18 12:17:54 +02:00
6f8c626b81
xpc: add Xcode project for a charon controlled through XPC
2013-07-18 12:17:54 +02:00
61177388bd
syslog: setlogmask() to include LOG_INFO
...
LOG_INFO seems to be excluded by default on some systems (OS X).
2013-07-18 12:17:54 +02:00
55dacbfac2
keychain: flush certificate cache after reloading System keychain
2013-07-18 12:17:54 +02:00
57dce77ba6
keychain: monitor changes in the system keychain, reload when necessary
2013-07-18 12:17:54 +02:00
dcd8bdde4f
keychain: use SearchCopyNext keychain enumeration for System certs as well
...
SecItemCopyMatching seems to be problematic regarding memory management. And
as there does not seem to be a good alternative to enumerate the System Roots
keychain using the SecItemCopyMatching API, we stick to the deprecated
enumeration functions for now.
2013-07-18 12:17:54 +02:00
0bdd453392
keychain: load certificates from System Roots Keychain
2013-07-18 12:17:54 +02:00
bc6c7bf39e
keychain: load certificates only once during startup, improving performance
2013-07-18 12:17:54 +02:00
6f00ddb90c
keychain: support on-the-fly enumeration of trusted/untrusted certificates
2013-07-18 12:17:54 +02:00
7b8edabd8a
keychain: add a stub for a credential plugin using OS X Keychain Services
2013-07-18 12:17:54 +02:00
5d36f04ee2
credmgr: stop querying for secrets once we get a perfect match
2013-07-18 12:17:54 +02:00
69039e83f8
credmgr: don't use pointers for id_match_t enum values
2013-07-18 12:17:54 +02:00
c3e7b3de0b
openssl: parse X.509 extended key usage from extension parsing loop
...
Otherwise parsing gets aborted if unknown critical extensions are handled as
error.
2013-07-18 12:17:53 +02:00
3f55f203ee
openssl: show which critical X.509 extension is not supported
2013-07-18 12:17:53 +02:00
437a6feb07
hashtable: add common hashtable hash/equals functions for pointer/string keys
2013-07-18 12:17:53 +02:00
01c0267778
thread: implicitly create thread_t if an external thread calls thread_current()
2013-07-18 12:17:53 +02:00
07a9d5c91a
ike: Fix reestablishing SAs if no child-creating tasks are queued
2013-07-18 10:40:08 +02:00
2b0c8ee37d
ike-sa: uninstall CHILD_SAs before removing virtual IPs
...
a3854d83
2013-07-18 10:35:38 +02:00
79b6ead1e4
unity: Replicate default behavior if no UNITY_SPLIT_INCLUDE attributes were received
2013-07-17 18:23:57 +02:00
56b0fac8c9
unity: Allow UNITY_LOCAL_LAN to be longer than 8 bytes
2013-07-17 18:23:57 +02:00
c7d0b80abb
unity: Fix memory leak in provider
2013-07-17 18:23:57 +02:00
a9ffb48f21
ikev1: Reestablish IKE_SA/CHILD_SAs if it gets deleted by the peer
...
We call ike_sa_t.reestablish() so the IKE_SA is only recreated if any
CHILD_SA requires it.
2013-07-17 18:16:59 +02:00
68db844f99
ike: Migrate queued CHILD_SA-creating tasks when reestablishing an IKE_SA
2013-07-17 18:16:58 +02:00
b79fdab878
ikev1: Support closeaction of CHILD_SA.
...
When a CHILD_SA is closed in IKEv1, if it is not being rekeyed and
closeaction has been set, we can now perform a restart or hold as is
currently done for IKEv2.
2013-07-17 18:16:58 +02:00
fae4d67adc
kernel-pfroute: Ignore IP address changes if address is %any
2013-07-17 17:45:18 +02:00
b308a97944
kernel-pfroute: Properly enumerate sockaddrs in interface messages
...
The ifa_msghdr and rt_msghdr structs are not compatible (at least not on
FreeBSD).
2013-07-17 17:45:18 +02:00
5310f485d9
kernel-pfroute: Provide name of interfaces on which virtual IPs are installed
2013-07-17 17:45:18 +02:00
e9c1ca0278
kernel-pfroute: Ignore virtual IPs in address map
...
As the virtual flag is set after the address has been added to the map,
we make sure we ignore virtual IPs when doing lookups.
2013-07-17 17:45:18 +02:00
cb082d15ef
kernel-pfroute: Make sure source addresses are not virtual and usable
...
It seems we sometimes get the virtual IP as source (with
rightsubnet=0.0.0.0/0) even if the exclude route is already
installed. Might be a timing issue because shortly afterwards the
lookup seems to succeed.
2013-07-17 17:45:18 +02:00
527663d6b6
kernel-pfroute: Don't report an error when trying to reinstall a route
2013-07-17 17:45:18 +02:00
8afd0f05e3
kernel-pfkey: Provide interface name when installing exclude route
2013-07-17 17:45:18 +02:00
0745f846d0
kernel-pfroute: Reinstall routes on interface/address changes
2013-07-17 17:45:17 +02:00
7b9c3fb41f
kernel-pfroute: Trigger a roam event if a new interface appears
2013-07-17 17:45:17 +02:00
e50b20539b
kernel-pfroute: Use ref_get() to allocate sequence numbers
2013-07-17 17:45:17 +02:00
baa6419ec1
kernel-pfroute: Make time that is waited for VIPs to appear configurable
...
One second might be too short for IPs to appear/disappear, especially on
virtualized hosts.
2013-07-17 17:45:17 +02:00
dc8b083d9f
kernel-pfroute: Retry route lookup without source address on failure
...
The known source address might be gone resulting in an error, making
learning a new source address impossible.
2013-07-17 17:45:17 +02:00
bbd9df25a9
kernel-pfkey: Remove latest IPsec SA mapping when deleting a policy
...
If IPsec SAs are rekeyed due to an address change (e.g. because
update_sa is not supported) the exact same policy with the same reqid
will be installed, but with different addresses. After the rekeying the
old SA and its policies are removed, using the first matching mapping
breaks the mapping between the policies and the new SA (at least on
FreeBSD, the Linux kernel might only use the reqid for this). Using the
oldest matching SA is still an approximation but it solves the above
issue.
2013-07-17 17:45:17 +02:00
a9f14ada34
kernel-pfkey: Correctly handle IPSEC_PROTO_ANY in an acquire
2013-07-17 17:45:17 +02:00
84693a3d79
linked-list: Remove barely used has_more() method
...
This required some refactoring when handling encrypted payloads.
Also changed log messages so that "encrypted payload" is logged instead
of "encryption payload" (even if we internally still call it that) as
that's the name used in RFC 5996.
2013-07-17 17:42:53 +02:00
1a9528f916
linked-list: Don't require an argument for the item when enumerating
2013-07-17 17:42:53 +02:00
cf4172637a
linked-list: Remove unused clone_function() method
2013-07-17 17:42:53 +02:00
0f3ddbd189
linked-list: Remove barely used find_last() method
2013-07-17 17:42:53 +02:00
be3c09d020
linked-list: Remove unused replace() method
...
Its functionality can be replicated by calling insert_before() followed
by remove_at(). Not the other way around, though, because remove_at()
changes the enumerator position.
2013-07-17 17:42:53 +02:00
c6f1d0de94
child-sa: refactor proxy transport mode address lookup
2013-07-17 17:20:18 +02:00
2745ae264a
child-sa: replace traffic selector lists by arrays
...
Saves up to another 0.5KB of memory per CHILD_SA.
2013-07-17 17:20:18 +02:00
553bb78730
child-sa: replace get_traffic_selectors() with create_ts_enumerator()
...
Not directly returning a linked list allows us to change the internals of
the CHILD_SA transparently.
2013-07-17 17:20:18 +02:00
6207fadb6c
ikev2: replace linked lists by arrays in task manager
...
Eliminates another three lists, 0.5KB per IKE_SA.
2013-07-17 17:20:18 +02:00
926776ec80
auth-cfg: use array instead of linked list
...
Saves another 4 linked lists (1KB) per IKE_SA
2013-07-17 17:20:18 +02:00
c907b57f56
proposal: use array to store proposal list
...
Removes another two linked lists (0.5KB) of memory per IKE/CHILD_SA pair.
2013-07-17 17:20:18 +02:00
5cd64f979c
proposal: use a single list to store all transforms
...
Beside that it makes the code actually simpler, it reduces the number of lists
stored by each IKE_SA and each CHILD_SA by 4, which can be up to 1KB per SA.
2013-07-17 17:20:17 +02:00
893da0411f
ike-sa: use arrays instead of linked lists in long lived collections
...
This saves about 1.5KB of memory per IKE_SA.
2013-07-17 17:20:17 +02:00
4730c4b32b
unit-tests: implement tests for array collection
2013-07-17 17:20:17 +02:00
2621ff4d40
array: introduce an array collection storing elements very efficiently
...
Currently we use the very versatile linked-list collection to store elements
with variable count. This is fine, but very inefficient: Due to the many
methods in the linked list, on 64-bit platforms an empty list alone is more
than 200 bytes. As we currently have about 50 lists per IKE_SA/CHILD_SA pair,
this takes up to 10KB just for managing the empty lists. This is about the
half of memory used by an IKE_SA/CHILD_SA pair, and obviously way too much.
The new array type is not an object, but a collection of functions on an
abstract type.
The following lists are per IKE_SA and should be considered for a replacement
with more efficient arrays (this uses load-testers on-demand created dynamic
configurations, other scenarios have different lists):
14 -> ike_sa_create() @ src/libcharon/sa/ike_sa.c:2198
10 -> auth_cfg_create() @ src/libstrongswan/credentials/auth_cfg.c:1088
6 -> task_manager_v2_create() @ src/libcharon/sa/ikev2/task_manager_v2.c:1505
6 -> proposal_create() @ src/libcharon/config/proposal.c:592
5 -> peer_cfg_create() @ src/libcharon/config/peer_cfg.c:657
4 -> child_sa_create() @ src/libcharon/sa/child_sa.c:1090
2 -> child_cfg_create() @ src/libcharon/config/child_cfg.c:536
1 -> ike_cfg_create() @ src/libcharon/config/ike_cfg.c:330
1 -> put_connected_peers() @ src/libcharon/sa/ike_sa_manager.c:854
2013-07-17 17:20:17 +02:00
f067348134
kernel-libipsec: Log error if no local address is found when installing routes
2013-07-15 14:37:31 +02:00
1ee1163214
dumm: Sort templates by name
2013-07-15 14:37:05 +02:00
591f923134
stroke: Add certificates extracted from PKCS#12 files to correct credential set
...
Only keys and shared secrets are moved from the temporary credential set after
loading all secrets.
2013-07-15 10:59:13 +02:00
e0b868f79e
pkcs12: Add plugin dependencies with soft dependencies on the most common algorithms
2013-07-15 10:48:19 +02:00
1e54e40f5d
leak-detective: remove hdr entry when reallocating zero bytes
2013-07-12 20:00:16 +02:00
c93cf85356
leak-detective: print total of allocated/leaked bytes in usage/report
2013-07-12 20:00:14 +02:00
783b55cc5c
dumm: add include for in.h, if_bridge.h now uses struct in6_addr
2013-07-12 18:21:24 +02:00
126778679f
Recognize critical IssuingDistributionPoint CRL extension
2013-07-12 09:00:47 +02:00
81959e6406
leak-detective: add a usage threshold option based on the number of allocations
2013-07-10 17:28:45 +02:00
82d0317be6
leak-detective: set_state() only affects the calling thread
...
The only user (bfd backtraces) is fine with that, and we really should not
mess the enable flag while doing allocations with other threads.
2013-07-10 17:28:32 +02:00
f960b39061
leak-detective: take a copy of backtrace while printing traces
...
As we don't want to hold the lock, we must make sure backtraces keep valid
while printing them.
2013-07-10 17:28:24 +02:00
d9c459e855
backtrace: add a clone() method
2013-07-10 17:28:18 +02:00
3b26f04cf4
leak-detective: remove hdr from the allocation list during realloc()
...
If realloc moves an allocation, the original allocation gets freed. We
therefore must remove the hdr from the list, as it is invalid. We can add it
afterwards once it has been updated, allowing us to unlock the list during
reallocation.
2013-07-10 16:37:08 +02:00
979801278f
Fixed alignment of device ID column
2013-07-10 11:37:22 +02:00
b23bd71466
android: New release after adding support for EAP-TNC
...
Also disabled listening on IPv6 because the Linux kernel currently does
not support UDP encapsulation for IPv6.
2013-07-08 18:51:07 +02:00
7ccf02ee93
android: Properly handle dotted-quad notation of IPv6 addresses
...
For nestat output like ::ffff:127.0.0.1:9876 we shall not treat 127 as
port but 9876 instead.
2013-07-08 18:49:30 +02:00
97f1dfb3ec
android: Allow IMC state to be dismissed with a swipe gesture
2013-07-08 18:49:30 +02:00
a9f94d7efb
android: Use explicit locale when converting settings names
...
Apparently, these functions use the user's default locale which might not
yield the expected result (e.g. lowercase I is not i in the Turkish
locale but ı instead).
2013-07-08 18:49:30 +02:00
e1a98e7956
android: Add information about transmitted data if EAP-TNC is selected
2013-07-08 18:49:30 +02:00
9390499584
android: Reuse certificate selector as generic two line button
2013-07-08 18:49:30 +02:00
671614d229
android: Add device ID in BeginHandshake
2013-07-08 18:49:30 +02:00
8a5bffb0fe
android: Add new VpnType to enable BYOD features
2013-07-08 18:49:30 +02:00
d27f225d9a
Use strpfx() helper where appropriate
2013-07-08 18:49:30 +02:00
f460facdca
utils: Add helper function to check a string for a given prefix
2013-07-08 18:49:30 +02:00
985dcab1c2
utils: Convert string helper macros to static inline functions
2013-07-08 18:49:29 +02:00
2ecda3421a
android: Use a different set of plugins if BYOD features are enabled
2013-07-08 18:49:29 +02:00
6e872fea7a
android: IMC state fragment is a button that shows remediation instructions or log
2013-07-08 18:49:29 +02:00
254d8679c6
android: Show remediation instructions instead of log on failure
2013-07-08 18:49:29 +02:00
873f389b37
android: Properly hide the IMC state fragment initially
2013-07-08 18:49:29 +02:00
0ef98957a7
android: Add activity that displays a list of remediation instructions
...
On large displays a two-pane layout is used that displays the list next
to the actual instructions.
2013-07-08 18:49:29 +02:00
611d35e8e8
android: Add fragment for a list of remediation instructions
...
This fragment can later be used in one- or two-pane layouts.
2013-07-08 18:49:29 +02:00
b6e05f6518
android: Add adapter for remediation instructions
2013-07-08 18:49:29 +02:00
ea022bb194
android: Add fragment that displays a single remediation instruction
2013-07-08 18:49:29 +02:00
c469cd2a66
android: RemediationInstruction implements Parcelable interface
2013-07-08 18:49:29 +02:00
2b91085701
android: Background for state panels provides separator
2013-07-08 18:49:29 +02:00
e5bf6dcddc
android: Add fragment that displays the IMC state
...
The fragment hides itself if the state is unknown or the assessment
succeeded.
2013-07-08 18:49:29 +02:00
a05acd7629
android: Handle and store IETF remediation instructions
2013-07-08 18:49:28 +02:00
0484989dbd
android: Add a parser for XML remediation instructions
2013-07-08 18:49:28 +02:00
a8dc42b295
android: Show different error message depending on IMC state
2013-07-08 18:49:28 +02:00
5e7a4193e5
android: Clear error only when the user explicitly dismisses the dialog
...
The previous code worked fine on rotation changes as the fragment is
destroyed and recreated causing onCreate to be called, which restores the
saved error state. But if the user switches to a different application
and then back this is not the case. The dialog still gets dismissed (as
we have to do so to avoid nasty exceptions on rotation changes) but since
that implicitly cleared the error state the UI was never fully restored.
2013-07-08 18:49:28 +02:00
dc52cfab73
android: Add state of IMC to VpnStateService and update it via JNI
2013-07-08 18:49:28 +02:00
d087f080f0
android: Handle TCG file measurement related attributes using PTS
2013-07-08 18:49:28 +02:00
fd3aa004e4
android: Android IMC state provides a Platform Trust Service (PTS) instance
2013-07-08 18:49:28 +02:00
0e53beda32
android: Provide a public interface for Android IMC state
2013-07-08 18:49:28 +02:00
6bce8e1cfb
libimcv: Properly deinitialize libimcv
...
Other users of imcv_pa_tnc_attributes (libpts) check if it is NULL before
removing vendor IDs.
2013-07-08 18:49:28 +02:00
403165102c
android: Define IMC functions static and with lower-case names
2013-07-08 18:49:28 +02:00
17044a753a
libpts: Skip unreadable files when measuring directories
2013-07-08 18:49:28 +02:00
583fe0ccb6
android: Add measurement collector for ITA Device ID
2013-07-08 18:49:28 +02:00
44330a171f
android: Add measurement collector for ITA Settings
2013-07-08 18:49:27 +02:00
c179a3f6f2
android: Handle ITA PA-TNC attributes
2013-07-08 18:49:27 +02:00
036fa7a166
android: Overload for getMeasurement() that takes a String array as argument
2013-07-08 18:49:27 +02:00
ba59486fc8
android: Add measurement collector for Port Filter
...
This collector reports all listening TCP and UDP sockets/ports.
2013-07-08 18:49:27 +02:00
6500727d6a
android: Enum type for transport protocols added
2013-07-08 18:49:27 +02:00
7cb8f570ed
android: Add measurement collector for Installed Packages
2013-07-08 18:49:27 +02:00
2d61172314
android: Add measurement collector for Product Information
2013-07-08 18:49:27 +02:00
75d710ec63
android: Also support writing of 24-bit values
2013-07-08 18:49:27 +02:00
5c9706f30b
android: Add measurement collector for String Version
2013-07-08 18:49:27 +02:00
4eec7912a1
android: Interfaces for measurement collectors and attributes added
2013-07-08 18:49:27 +02:00
2d378d8a74
android: Add a Java utility class similar to bio_writer_t
2013-07-08 18:49:27 +02:00
28c268d707
android: Add enum types for PENs and attribute types
2013-07-08 18:49:26 +02:00
c53210f9b0
android: Add a generic handler for PA-TNC attribute requests
...
The idea is that the Android IMC will return attributes in their binary
encoding. This keeps the JNI interface to the IMC pretty simple.
2013-07-08 18:49:26 +02:00
2c693364a8
imv-scanner: Only add a reason string if there is something to report
2013-07-08 18:49:26 +02:00
aa4ff3b211
android: Added a Java part to the Android IMC
2013-07-08 18:49:26 +02:00
753035f6d7
android: Don't attempt loading IMCs from /etc/tnc_config
2013-07-08 18:49:26 +02:00
82aceeb151
libtnccs: Don't try to load IMCs/IMVs from a file if there is no filename
2013-07-08 18:49:26 +02:00
a6507df2ec
android: Build libpts and init/deinit libpts in BYOD IMC
2013-07-08 18:49:26 +02:00
f0e0101a1f
libpts: Android.mk added
2013-07-08 18:49:26 +02:00
Tobias Brunner