Andreas Steffen
a17b6d469c
Built the CPAN file structure for the Vici::Session perl module
2015-12-01 14:52:43 +01:00
Andreas Steffen
a101bce862
Implement vici Perl binding
2015-12-01 14:52:43 +01:00
Andreas Steffen
cbc43f1b43
testing: Some more timing fixes
2015-12-01 14:51:23 +01:00
Tobias Brunner
731cf55579
swanctl: Add --list-algs command to query loaded algorithms
2015-11-30 10:55:55 +01:00
Tobias Brunner
de34defcd0
vici: Add get-algorithms command to query loaded algorithms and implementations
2015-11-30 10:55:55 +01:00
Tobias Brunner
33895f4bc5
NEWS: Added changes since 5.3.4
2015-11-26 10:38:10 +01:00
Andreas Steffen
66021f7263
Version bump to 5.3.5
2015-11-26 09:56:10 +01:00
Andreas Steffen
dddb32329c
testing: Updated expired mars.strongswan.org certificate
2015-11-26 09:55:28 +01:00
Tobias Brunner
e36b1e2edb
travis: Enable OS X build
2015-11-23 11:42:52 +01:00
Tobias Brunner
88b85e022a
sigwaitinfo() may fail with EINTR if interrupted by an unblocked signal not in the set
Fixes #1213.
2015-11-23 11:37:19 +01:00
Tobias Brunner
b675909662
kernel-pfkey: Enable ENCR_CAMELLIA_CBC when it's available
Fixes #1214.
2015-11-23 11:20:30 +01:00
Tobias Brunner
45c5b992e0
man: Update description of the actions performed for different dpdaction values
For instance, charon does not unroute `auto=route` connections with
`dpdaction=clear`.
2015-11-18 14:55:15 +01:00
Tobias Brunner
5461efe7b9
utils: Use the more low-level __NR_ prefix to refer to the syscall number
The __NR_ constants are also defined in the Android headers.
2015-11-17 17:21:36 +01:00
Thom Troy
ac36ede93c
eap-radius: Add ability to configure RADIUS retransmission behavior
Closes strongswan/strongswan#19.
2015-11-17 14:25:08 +01:00
Andreas Steffen
8e9adf3d09
Version bump to 5.4.0dr1
2015-11-16 16:36:50 +01:00
Andreas Steffen
722714bdfe
Version bump to 5.3.4
2015-11-16 13:22:25 +01:00
Tobias Brunner
453e204ac4
NEWS: Add info about CVE-2015-8023
2015-11-16 13:19:36 +01:00
Tobias Brunner
f9c5c80553
eap-mschapv2: Keep internal state to prevent authentication from succeeding prematurely
We can't allow a client to send us MSCHAPV2_SUCCESS messages before it
was authenticated successfully.
Fixes CVE-2015-8023.
2015-11-16 13:19:36 +01:00
Tobias Brunner
fe48e4ae31
android: Suppress compiler warnings about missing field initializers
Triggered by -Wextra for many INIT usages where we only partially
initialize a struct.
2015-11-13 18:24:45 +01:00
Tobias Brunner
ef4279f2e5
utils: Provide a fallback for sigwaitinfo() if needed
Apparently not available on Mac OS X 10.10 Yosemite. We don't provide
this on Windows.
2015-11-13 18:24:45 +01:00
Andreas Steffen
1c1f713431
testing: Error messages of curl plugin have changed
2015-11-13 14:02:45 +01:00
Andreas Steffen
c4b9b7ef2c
testing: Fixed another timing issue
2015-11-13 14:02:06 +01:00
Andreas Steffen
bec682e1da
Version bump to 5.3.4rc1
2015-11-13 12:18:28 +01:00
Tobias Brunner
268d029c15
init: Make sure basic networking is up in systemd unit
Connections with auto=route might otherwise not work.
References #1188.
2015-11-13 10:20:11 +01:00
Tobias Brunner
176c24b8e1
vici: Attribute certificates are not trusted
2015-11-12 14:45:43 +01:00
Tobias Brunner
e5e352e631
vici: Properly add CRLs to the credential set
add_crl() ensures that old CRLs are not stored in the credential set.
2015-11-12 14:45:42 +01:00
Tobias Brunner
322a11ccbb
mode-config: Reassign migrated virtual IP if client requests %any
If we mistakenly detect a new IKE_SA as a reauthentication the client
won't request the previous virtual IP, but since we already migrated
it we already triggered the assign_vips() hook, so we should reassign
the migrated virtual IP.
Fixes #1152.
2015-11-12 14:42:36 +01:00
Tobias Brunner
e161238e8e
revocation: Allow CRLs to be encoded in PEM format
Since the textual representation for a CRL is now standardized
in RFC 7468 one could argue that we should accept that too, even
though RFC 5280 explicitly demands CRLs fetched via HTTP/FTP to
be in DER format. But in particular for file URIs enforcing that
seems inconvenient.
Fixes #1203.
2015-11-12 14:40:44 +01:00
Tobias Brunner
15d715dace
curl: Be less strict when considering status codes as errors
For file:// URIs the code is 0 on success. We now do the same libcurl
would do with CURLOPT_FAILONERROR enabled.
Fixes #1203.
2015-11-12 14:40:37 +01:00
Tobias Brunner
fdfbd401c3
eap-radius: Compare address family when handing out virtual IPs
This also ensures that the actually released virtual IP is removed from
the list of claimed IPs.
Fixes #1199.
2015-11-12 14:32:11 +01:00
Tobias Brunner
d801fedb19
Merge branch 'eap-mschapv2-eap-identity'
This replaces the EAP-Identity with the EAP-MSCHAPv2 username, which
ensures the client is known with an authenticated identity. Previously
a client with a valid username could use a different identity (e.g. the
name of a different user) in the EAP-Identity exchange. Since we use
the EAP-Identity for uniqueness checks etc. this could be problematic.
The EAP-MSCHAPv2 username is now explicitly logged if it is different
from the EAP-Identity (or IKE identity).
Fixes #1182.
2015-11-12 14:22:28 +01:00
Tobias Brunner
1d4b767275
eap-mschapv2: Report username if different from EAP-Identity (or IKE identity)
2015-11-12 14:21:06 +01:00
Tobias Brunner
8f5e481953
eap-mschapv2: Provide EAP-MSCHAPv2 username as EAP-Identity
2015-11-12 14:21:06 +01:00
Tobias Brunner
310a099be4
auth-cfg: Prefer merged rules over existing ones when moving them
This is particularly important for single valued rules (e.g.
identities). When copying values this is already handled correctly
by the enumerator and add().
2015-11-12 14:21:06 +01:00
Tobias Brunner
3af7e09271
android: Add some (older) unit tests
2015-11-12 14:12:43 +01:00
Tobias Brunner
9e81f33b55
android: Properly handle shorter types in BufferedByteWriter
In Java all integer types are signed; when a negative integer is cast
to a larger type (e.g. int to long), then due to sign extension the upper
bytes are not 0. So writing that value to a byte array does not produce
the expected result. By overloading the putX() methods we make sure to
upcast the values correctly.
2015-11-12 14:12:13 +01:00
Tobias Brunner
a50f3037ad
android: Migrate to the Gradle build system
This uses a manual way to trigger the NDK build (the default with
on-the-fly Android.mk files does not work for us).
2015-11-12 14:11:37 +01:00
Tobias Brunner
073761ec41
android: Provide a fallback for sigwaitinfo()
2015-11-12 14:11:21 +01:00
Tobias Brunner
9be6b2e0b5
android: Replace AndroidConfigLocal.h with a header in utils/compat
2015-11-12 14:10:33 +01:00
Tobias Brunner
85af8400df
android: Fix build after updating Linux headers
Since we don't use the kernel-netlink plugin anymore and the headers
in the NDK are reasonably recent, we don't need this anymore (at least
when building the app).
Fixes #1172.
2015-11-12 14:09:25 +01:00
Tobias Brunner
41feeddd48
Merge branch 'tkm-spi-label'
Adds the charon-tkm.spi_label and charon-tkm.spi_mask options to encode
a specific value/label in otherwise randomly generated IKE SPIs.
2015-11-11 15:45:50 +01:00
Adrian-Ken Rueegsegger
e63589a7dc
charon-tkm: Register SPI generator callback
Set get_spi callback of IKE SA manager to TKM-specific implementation.
2015-11-11 15:39:49 +01:00
Adrian-Ken Rueegsegger
efff791675
charon-tkm: Implement SPI generator
The get_spi callback returns a random SPI with a label encoded according
to the spi_label and spi_mask parameters read from the strongswan.conf.
2015-11-11 15:39:49 +01:00
Tobias Brunner
8623ae9fc6
settings: Add settings_value_as_uint64() helper function
2015-11-11 15:39:49 +01:00
Tobias Brunner
ee09094899
ike-sa-manager: Allow plugins to provide IKE SPIs via a callback
Plugins must depend on `libcharon-sa-managers` to ensure the manager
exists.
2015-11-11 15:39:45 +01:00
Tobias Brunner
301ccbe0a3
libcharon: Publish IKE_SA/CHILD_SA managers as custom plugin feature
2015-11-11 15:39:08 +01:00
Tobias Brunner
7b5dcc9f27
ikev1: Also use message hashes for Quick Mode for the early retransmission check
We already did so during Phase 1 but because all three Quick Mode
messages have the same message ID we occasionally dropped the third
message as retransmit, so we do it there too. For INFORMATIONAL
and TRANSACTION exchanges we don't expect more than one inbound message
with the same message ID so we still use them there.
Fixes #1198.
2015-11-11 11:01:56 +01:00
Andreas Steffen
019c7c2310
testing: Check for leases in swanctl/ip-pool scenario
2015-11-11 08:43:43 +01:00
Andreas Steffen
0748517582
Version bump to 5.3.4dr3
2015-11-10 16:54:38 +01:00
Andreas Steffen
946bc3a3f5
testing: Fixed some more timing issues
2015-11-10 16:54:38 +01:00