Tobias Brunner
3c206f2e81
hashtable: Add destroy_function method
2014-06-19 14:00:48 +02:00
Tobias Brunner
dcb168413f
stroke: Add --daemon option
2014-06-19 13:56:38 +02:00
Tobias Brunner
02de66e1bf
starter: Use stream abstraction to communicate with stroke plugin
2014-06-19 13:56:37 +02:00
Tobias Brunner
906a409608
stroke: Use stream abstraction to communicate with stroke plugin
...
Without this, changing charon.plugins.stroke.socket would not really
work.
2014-06-19 13:56:37 +02:00
Martin Willi
b384daafde
winhttp: Fix a typo to properly release connection handle
...
Fixes a rather large memory leak in HTTP fetches.
2014-06-19 11:09:20 +02:00
Martin Willi
9f950af17a
load-tester: Add a crl option to include a CRL uri in generated certificates
2014-06-19 10:48:27 +02:00
Martin Willi
8b855a97c2
bus: Properly va_copy() argument list before passing it to printf() functions
...
As we later potentially use args again, we can't consume it with printf
functions without copying it first. Clone list before passing it to any
consuming function.
Fixes #621.
2014-06-19 10:10:54 +02:00
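The rule behind the commit above, as an added example (not strongSwan's bus code): a va_list handed to a vsnprintf()-style consumer is left indeterminate, so a dispatcher that feeds the same arguments to several consumers, or formats them twice, must va_copy() before each use. The bus_log()/listener() names and the two-listener bus are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Format into a freshly allocated buffer. The list is consumed twice (once to
 * measure, once to fill), so each pass works on its own va_copy(). */
static char *vformat_dup(const char *fmt, va_list args)
{
	va_list copy;
	int len;
	char *buf;

	va_copy(copy, args);
	len = vsnprintf(NULL, 0, fmt, copy);
	va_end(copy);
	if (len < 0)
	{
		return NULL;
	}
	buf = malloc((size_t)len + 1);
	if (!buf)
	{
		return NULL;
	}
	va_copy(copy, args);
	vsnprintf(buf, (size_t)len + 1, fmt, copy);
	va_end(copy);
	return buf;
}

/* Hypothetical bus with two listeners; each one consumes the list it gets. */
#define LISTENERS 2
static char *delivered[LISTENERS];

static void listener(int idx, const char *fmt, va_list args)
{
	free(delivered[idx]);
	delivered[idx] = vformat_dup(fmt, args);
}

/* Variadic entry point. 'args' itself is never passed to a consumer; every
 * listener gets a private copy. Returns how many listeners produced the same
 * text as the first one (all of them, when copying is done right). */
int bus_log(const char *fmt, ...)
{
	va_list args, copy;
	int i, same = 0;

	va_start(args, fmt);
	for (i = 0; i < LISTENERS; i++)
	{
		va_copy(copy, args);
		listener(i, fmt, copy);
		va_end(copy);
	}
	va_end(args);

	for (i = 0; i < LISTENERS; i++)
	{
		if (delivered[i] && strcmp(delivered[i], delivered[0]) == 0)
		{
			same++;
		}
	}
	return same;
}

/* What listener 'idx' last received. */
const char *bus_last(int idx)
{
	return delivered[idx];
}
```

Passing 'args' directly to the first listener and reusing it for the second is undefined behaviour; on x86-64 it typically shows up as the second listener reading the wrong registers or stack slots, which is the corruption the commit fixes.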
Martin Willi
758dc8a953
child-sa: Set replay window on both inbound and outbound SA
...
While the outbound SA actually does not need a replay window, the kernel rejects
zero replay windows on SAs using ESN. The ESN flag is required to use the full
sequence number in ICV calculation, hence we set the replay window.
This restores the behavior we had before 30c009c2.
2014-06-18 16:54:19 +02:00
Martin Willi
8b9b11919d
kernel-netlink: Never use XFRMA_REPLAY_ESN_VAL to configure zero replay windows
...
Trying to disable replay windows using the ESN attribute fails with EINVAL.
Use non-ESN legacy format to disable replay windows, even if ESN has been
negotiated over IKE.
2014-06-18 15:04:57 +02:00
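Added example (not the kernel-netlink plugin's code) covering the two replay-window commits above, 758dc8a953 and 8b9b11919d: which XFRM attribute carries a given replay window, and why "ESN but no replay window" has no valid encoding. The struct layout is copied from linux/xfrm.h (assumption: it matches the target kernel; include the real header in production code); the decision rule, including the kernel answering EINVAL to an ESN SA with replay_window 0, is modelled on the commit messages. The names replay_attr_for(), replay_esn_words(), replay_esn_alloc() and replay_esn_fits() are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Payload of XFRMA_REPLAY_ESN_VAL as laid out in linux/xfrm.h. */
struct xfrm_replay_state_esn {
	unsigned int bmp_len;       /* number of 32-bit words in bmp[] */
	uint32_t oseq;
	uint32_t seq;
	uint32_t oseq_hi;
	uint32_t seq_hi;
	uint32_t replay_window;     /* packets; must fit into bmp_len * 32 */
	uint32_t bmp[];
};

enum replay_attr {
	REPLAY_REJECT = -1,  /* combination the kernel refuses with EINVAL */
	REPLAY_NONE,         /* no attribute, xfrm_usersa_info.replay_window = 0 */
	REPLAY_LEGACY,       /* xfrm_usersa_info.replay_window, at most 32 */
	REPLAY_ESN,          /* XFRMA_REPLAY_ESN_VAL, any width */
};

/* Pick the encoding for a window of 'window' packets on an SA with or without
 * the XFRM_STATE_ESN flag. ESN always needs the ESN attribute, and the kernel
 * rejects an ESN SA whose replay_window is 0, so a zero window can only be
 * expressed without ESN. */
enum replay_attr replay_attr_for(uint32_t window, bool esn)
{
	if (esn)
	{
		return window ? REPLAY_ESN : REPLAY_REJECT;
	}
	if (window == 0)
	{
		return REPLAY_NONE;
	}
	return window <= 32 ? REPLAY_LEGACY : REPLAY_ESN;
}

/* Bitmap words needed for a window, rounded up to whole 32-bit words. */
unsigned int replay_esn_words(uint32_t window)
{
	return (window + 31) / 32;
}

/* Build the XFRMA_REPLAY_ESN_VAL payload; *len receives the attribute length.
 * Returns NULL when the ESN attribute is not the right choice. Caller frees. */
struct xfrm_replay_state_esn *replay_esn_alloc(uint32_t window, bool esn,
											   size_t *len)
{
	struct xfrm_replay_state_esn *r;
	unsigned int words;

	if (replay_attr_for(window, esn) != REPLAY_ESN)
	{
		return NULL;
	}
	words = replay_esn_words(window);
	*len = sizeof(*r) + words * sizeof(uint32_t);
	r = calloc(1, *len);
	if (r)
	{
		r->bmp_len = words;
		r->replay_window = window;
	}
	return r;
}

/* Self-check: the payload for 'window' advertises a bitmap wide enough for it
 * and the attribute length matches the declared bmp_len. */
bool replay_esn_fits(uint32_t window, bool esn)
{
	size_t len = 0;
	struct xfrm_replay_state_esn *r = replay_esn_alloc(window, esn, &len);
	bool ok = r && r->replay_window <= r->bmp_len * 32 &&
			  len == sizeof(*r) + r->bmp_len * sizeof(uint32_t);

	free(r);
	return ok;
}
```

The REPLAY_REJECT branch is the reason the outbound SA gets a window too in 758dc8a953: once ESN is negotiated there is no way to ask the kernel for "ESN, no replay check", so the daemon has to supply a non-zero window rather than try to disable it.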
Andreas Steffen
927dff2366
The policy_started check is not needed any more
2014-06-18 14:01:02 +02:00
Tobias Brunner
abe116cdf8
ikev1: Allow late connection switching based on XAuth username
2014-06-18 09:30:07 +02:00
Tobias Brunner
aba55fdffe
identification: Only use either , or / to separate RDNs
...
If a DN starts with a slash (or whitespace and a slash) slashes will
be used, otherwise commas.
2014-06-18 09:24:03 +02:00
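The separator rule from the commit above, as an added example rather than strongSwan's identification.c: the separator is chosen once from the start of the string, and the other character is then ordinary RDN data, so "O=ACME/Research" survives in a comma-separated DN and "O=ACME, Inc." in a slash-separated one. Escaping of separators is not handled here (an assumption, the commit does not mention it); the function names dn_separator(), dn_split(), dn_rdn_count() and dn_rdn_is() are hypothetical.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* A leading slash, optionally after whitespace, selects '/'; otherwise ','. */
char dn_separator(const char *dn)
{
	while (isspace((unsigned char)*dn))
	{
		dn++;
	}
	return *dn == '/' ? '/' : ',';
}

/* Split dn into at most max RDNs using only the selected separator. Tokens
 * are heap copies with surrounding whitespace trimmed; empty tokens (the one
 * before a leading '/', or "a,,b") are skipped. Returns the number stored. */
int dn_split(const char *dn, char **out, int max)
{
	char sep = dn_separator(dn);
	const char *start = dn;
	int count = 0;

	while (count < max)
	{
		const char *end = strchr(start, sep);
		size_t len = end ? (size_t)(end - start) : strlen(start);
		const char *s = start, *e = start + len;

		while (s < e && isspace((unsigned char)*s))
		{
			s++;
		}
		while (e > s && isspace((unsigned char)e[-1]))
		{
			e--;
		}
		if (e > s)
		{
			out[count] = malloc((size_t)(e - s) + 1);
			if (!out[count])
			{
				break;
			}
			memcpy(out[count], s, (size_t)(e - s));
			out[count][e - s] = '\0';
			count++;
		}
		if (!end)
		{
			break;
		}
		start = end + 1;
	}
	return count;
}

void dn_free(char **rdns, int count)
{
	while (count--)
	{
		free(rdns[count]);
	}
}

/* Number of RDNs in dn (up to 16 for this example). */
int dn_rdn_count(const char *dn)
{
	char *rdns[16];
	int n = dn_split(dn, rdns, 16);

	dn_free(rdns, n);
	return n;
}

/* True when RDN number idx of dn equals expected. */
bool dn_rdn_is(const char *dn, int idx, const char *expected)
{
	char *rdns[16];
	int n = dn_split(dn, rdns, 16);
	bool ok = idx < n && strcmp(rdns[idx], expected) == 0;

	dn_free(rdns, n);
	return ok;
}
```

The security-relevant point is that a DN is matched as a whole identity: treating both characters as separators would let "O=ACME/Research" parse into an extra RDN and fail to match the certificate subject it was configured for, or match a differently structured one.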
Tobias Brunner
846fd70eec
sshkey: Fix loading of ECDSA keys from files
2014-06-18 09:16:24 +02:00
Tobias Brunner
1cda692110
sshkey: Add support to parse SSH public keys from files with left|rightsigkey
2014-06-18 09:16:24 +02:00
Martin Willi
5885ec2a27
vici: Support memory stats without leak-detective on Windows
2014-06-17 17:55:45 +02:00
Martin Willi
df93458685
swanctl: Add a --stats command to print daemon infos and statistics
2014-06-17 17:55:45 +02:00
Martin Willi
65689ce76a
vici: Add a stats command returning various daemon infos and statistics
2014-06-17 17:55:45 +02:00
Martin Willi
19ea055092
swanctl: Support private key decryption passphrases in swanctl.conf
...
While there is no real security benefit of storing private keys encrypted if
the passphrase is stored along with it, there still seems to be demand for this
functionality. We add it for compatibility with ipsec.secrets, even if it is
not really recommended.
2014-06-17 17:52:14 +02:00
Martin Willi
5b7725f3b0
swanctl: Document replay_window option
2014-06-17 16:49:02 +02:00
Martin Willi
d73a46171d
vici: Support a replay_window CHILD_SA option
2014-06-17 16:41:31 +02:00
Martin Willi
d5367d2262
starter: Add a replay_window connection option
2014-06-17 16:41:31 +02:00
Martin Willi
823ce4a37f
kernel-pfkey: Support connection specific replay window sizes up to 32 packets
2014-06-17 16:41:30 +02:00
Martin Willi
44098fbaca
kernel-netlink: Support connection specific replay window sizes
2014-06-17 16:41:30 +02:00
Martin Willi
30c009c2fe
kernel-interface: Add a replay_window parameter to add_sa()
2014-06-17 16:41:30 +02:00
Martin Willi
bdcaa5e680
child-cfg: Store connection specific replay window on CHILD_SA config
2014-06-17 15:42:02 +02:00
Martin Willi
dff39a4c5b
windows: Declare strerror_s()
...
Older MinGW versions seem to miss this function declaration. Fixes build on
Travis using Ubuntu 12.04.
2014-06-17 15:23:33 +02:00
Martin Willi
1bcf850738
windows: Extend strerror_r/s by extended POSIX errno strings
2014-06-17 15:23:33 +02:00
Martin Willi
c2119cded4
windows: Implement strerror_r using strerror_s
2014-06-17 15:23:33 +02:00
Martin Willi
8b5d41a274
windows: Wrap most Winsock2 Posix functions to set errno
...
While Winsock provides many Posix compatibility functions, they do not set
errno, but use WSAGetLastError() for error reporting. The wrapped functions
derive an errno from WSAGetLastError() on failure.
2014-06-17 15:23:32 +02:00
Martin Willi
bc1139480f
watcher: Prevent race condition spawning multiple watcher threads
...
If file descriptors get added and removed in rapid succession, the active
watcher thread might not take notice of it and continues running. However, add()
spawns a watcher thread whenever a file descriptor is added to an empty set.
This could result in multiple watcher threads, which is fixed by a proper
check for running watchers.
2014-06-17 15:19:47 +02:00
Martin Willi
23750961d5
thread-value: Defer cleanup handling to thread termination on Windows
...
Instead of cleaning up all thread-values during destruction, the cleanup handler
is invoked when a thread detaches. Thread detaching is caught using the Windows
DllMain() entry point, and allows us to basically revert 204098a7.
Using this mechanism, we make sure that the cleanup handler is invoked by
the correct thread. Further, this mechanism works for externally-spawned
threads which run outside of our thread_cb() routine, and works more efficiently
with short-running threads.
2014-06-17 15:19:40 +02:00
Martin Willi
2d846c2035
socket-win: Use non-overlapped I/O and socket event selection
...
The use of overlapped I/O was incorrect, as we passed stack based buffers, but
did not cancel/wait for pending completion on all sockets. Our receive-from-all
socket interface is actually tricky to implement using overlapped I/O. Switch
to WSAEventSelect() event management, which can be canceled properly while
working in a select()-like way.
2014-06-17 15:19:25 +02:00
Martin Willi
eef7427b0f
bus: Add a handle_vips() hook invoked after handling configuration attributes
...
Similar to assign_vips() used by a peer assigning virtual IPs to the other peer,
the handle_vips() hook gets invoked on a peer after receiving attributes. On
release of the same attributes the hook gets invoked again.
This is useful to inspect handled attributes, as the ike_updown() hook is
invoked after authentication, when attributes have not been handled yet.
2014-06-17 15:14:51 +02:00
Martin Willi
7fc98a840b
ikev1: Invoke the assign_vips() bus hook for IKEv1 as well
2014-06-16 15:59:17 +02:00
Martin Willi
9d257034d8
ike: Create an enumerator for (un-)handled configuration attributes on IKE_SA
2014-06-16 15:59:17 +02:00
Martin Willi
5ae3221075
ike: Store unhandled attributes on IKE_SA as well
2014-06-16 15:59:16 +02:00
Andreas Steffen
dacb75f5c0
Split swanctl --raw mode into single-line and --pretty mode
2014-06-14 15:40:22 +02:00
Andreas Steffen
3a9602d58b
Allow multiple hash values in the file reference database
2014-06-10 16:48:15 +02:00
Andreas Steffen
8fc0eae37b
Added Android 4.3 and 4.4.3 to imv database
2014-06-10 16:19:00 +02:00
Andreas Steffen
6d092615e3
Added missing units (s = seconds)
2014-06-10 16:18:23 +02:00
Andreas Steffen
352fd7a94b
Fixes in SWID entity support
2014-06-08 11:13:51 +02:00
Martin Willi
9c62511c08
windows: Link against psapi32
...
On some versions GetModuleFileNameEx/GetModuleInformation are in psapi32 instead
of kernel32. We link to both libraries to make sure we have them.
2014-06-06 16:28:28 +02:00
Martin Willi
8c2c63e09d
backtrace: Use GetModuleInformation/GetModuleFileNameEx directly on Win32
...
The K32 variants are actually needed on 64-bit only.
2014-06-06 16:28:28 +02:00
Martin Willi
cab59c73fc
windows: Use WINAPI call convention for Windows API callbacks
...
For x86_64 it does not actually matter, but for i686 builds the call convention
is different with WINAPI.
2014-06-06 16:28:28 +02:00
Andreas Steffen
e247acb8a9
Ubuntu 14.04 updated to 3.13.0-29 kernel
2014-06-06 11:18:17 +02:00
Andreas Steffen
438df3d696
Extended pt-tls-client PLUGINS list
2014-06-06 11:18:17 +02:00
Andreas Steffen
b23c7d6a38
Updated REST API
2014-06-06 10:56:12 +02:00
Tobias Brunner
35e08cde3c
android: Add all Android.mk files to the tarball
2014-06-06 10:12:26 +02:00
Martin Willi
f48c26bce3
pki: Support complex trustchain and revocation checking in --verify
2014-06-04 16:34:16 +02:00
Martin Willi
74eedc8061
unit-tests: Zero-initialize chunk to avoid free on non-successful fetch
...
If the fetch fails, the fetcher is not required to return an empty chunk. Avoid
the resulting invalid free() by initializing data.ptr to NULL.
2014-06-04 16:34:16 +02:00
Martin Willi
8a072fc50a
winhttp: Support basic authentication for URLs having credentials
2014-06-04 16:34:16 +02:00
Martin Willi
2e0816e1df
winhttp: Support new response code fetcher option
2014-06-04 16:34:15 +02:00
Martin Willi
6f90fc8061
winhttp: Implement a http(s) fetcher based on Microsoft's WinHTTP API
2014-06-04 16:34:15 +02:00
Martin Willi
4b9848a2cc
kernel-wfp: Include Windows header patch for MinGW 4.8.1
2014-06-04 16:32:12 +02:00
Martin Willi
75afbeee21
kernel-wfp: Clone acquire traffic selectors only if they exist
2014-06-04 16:32:11 +02:00
Martin Willi
78bde29a7c
kernel-wfp: Install routes for trap policies
2014-06-04 16:32:11 +02:00
Martin Willi
e36d1d4124
kernel-wfp: Refactor route management to separate function
2014-06-04 16:32:11 +02:00
Martin Willi
4a8ba369b6
kernel-wfp: Install tunnel mode policies to appropriate sub-layers
...
While it is unclear if this has any effect at all, we prefer specific sublayers
to install policies as suggested.
2014-06-04 16:32:11 +02:00
Martin Willi
be32be01a8
kernel-wfp: Declare GUIDs and auth/cipher configs missing in some MinGW builds
2014-06-04 16:32:11 +02:00
Martin Willi
4b51280344
kernel-wfp: Support multiple traffic selectors on tunnel mode SAs
2014-06-04 16:32:11 +02:00
Martin Willi
4b09bd6c29
child-sa: Pass the number of total policies tied to an SA to the kernel
...
This will be useful if the kernel backend has to know how many policies
follow an SA install, for example if it must install all policies concurrently.
2014-06-04 16:32:11 +02:00
Martin Willi
5e6e214ab4
kernel-iph: Implicitly enable IP forwarding when installing routes
2014-06-04 16:32:11 +02:00
Martin Willi
c7d30c2ad1
kernel-wfp: Show a warning for packets the kernel drops in its IPsec layers
2014-06-04 16:32:10 +02:00
Martin Willi
a4f3b363da
kernel-wfp: Set flag to get UDP encapsulation with tunnel mode working
...
Having this flag set fixes connections initiated by the Windows host, but
unfortunately does not yet fix incoming connections. Connection state issue?
We still see 0xc00000e2 error events, translating to INTERNAL_ERROR.
2014-06-04 16:32:10 +02:00
Martin Willi
6de788704b
kernel-wfp: Install tunnel and trap forward policies
2014-06-04 16:32:10 +02:00
Martin Willi
1678f0a999
kernel-wfp: Manually create a ProviderContext to attach individual filters
...
This gives us more flexibility than using the non-transparent FwpmIPsecTunnelAdd,
and fixes the issues we have seen with trap policies. Forward filters are
still missing, but required for site-to-site tunnels.
2014-06-04 16:32:10 +02:00
Martin Willi
1ca2b1615a
kernel-wfp: Print filter weight in "ipsecdump filters"
2014-06-04 16:32:10 +02:00
Martin Willi
c6f189e448
kernel-wfp: Add support for trap policies and acquires
2014-06-04 16:32:10 +02:00
Martin Willi
11e7d0677c
socket-win: Install IKE bypass policies using bypass_socket()
2014-06-04 16:32:10 +02:00
Martin Willi
f206e069f1
kernel-wfp: Implement bypass_socket() using dedicated filter rules
2014-06-04 16:32:09 +02:00
Martin Willi
2868314028
kernel-wfp: Register for WFP Net events
2014-06-04 16:32:09 +02:00
Martin Willi
6aaa432741
kernel-wfp: Add some missing IPv6 GUIDs, fix IPv6 host conversion
2014-06-04 16:32:09 +02:00
Martin Willi
288dc68596
kernel-wfp: Add an ipsecdump "filters" command to print IPsec related filters
2014-06-04 16:32:09 +02:00
Martin Willi
489a4f2192
kernel-wfp: Add an ipsecdump utility to show installed SAs/SPs on Windows
2014-06-04 16:32:09 +02:00
Martin Willi
9c974c329d
kernel-wfp: Depend on used RNG plugin features
2014-06-04 16:32:09 +02:00
Martin Willi
5a5b9925f8
kernel-wfp: Implement update_sa()
2014-06-04 16:32:09 +02:00
Martin Willi
1987b70989
kernel-wfp: Configure ports for SAs using UDP encapsulation
2014-06-04 16:32:09 +02:00
Martin Willi
9b5c95648f
kernel-wfp: Refactor SA context construction, and use IPsecSaContextCreate1()
2014-06-04 16:32:08 +02:00
Martin Willi
3551fdbbdf
kernel-iph: Fire roam events for detected address changes
2014-06-04 16:32:08 +02:00
Martin Willi
bbe42a1fa5
kernel-wfp: Allocate SPIs pseudo-randomly using a 0xc prefix
2014-06-04 16:32:08 +02:00
Martin Willi
b714746ef0
kernel-wfp: Install appropriate routes for tunnel mode policies
2014-06-04 16:32:08 +02:00
Martin Willi
0ef0493b4a
kernel-iph: Implement add/del_route()
2014-06-04 16:32:08 +02:00
Martin Willi
13e18cb2fc
kernel-iph: Implement get_nexthop()
2014-06-04 16:32:08 +02:00
Martin Willi
0cefd94007
kernel-iph: Implement get_source_addr()
2014-06-04 16:32:08 +02:00
Martin Willi
f9e6200d06
kernel-iph: Implement address enumeration
2014-06-04 16:32:08 +02:00
Martin Willi
322c341f90
kernel-iph: Implement get_interface() method
2014-06-04 16:32:07 +02:00
Martin Willi
96f1978d0e
kernel-iph: Create and maintain a cache of interfaces and associated addresses
2014-06-04 16:32:07 +02:00
Martin Willi
00780f0238
kernel-iph: Add a stub for a Windows IP Helper based networking backend
2014-06-04 16:32:07 +02:00
Martin Willi
b934929804
kernel-wfp: Disable IPsec policy updates
...
It seems that WFP requires an update of the SA context only, but not for the
filters. This allows us to omit support for (fallback) drop policies.
2014-06-04 16:32:07 +02:00
Martin Willi
7452adfad3
kernel-interface: Add a flag to indicate no policy updates required
2014-06-04 16:32:07 +02:00
Martin Willi
cd88f818fa
kernel-wfp: Increment SPIs properly, that is while in host order
2014-06-04 16:32:07 +02:00
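Added example (not the kernel-wfp plugin's code) for the two SPI commits above, bbe42a1fa5 and cd88f818fa: SPIs are stored and exchanged in network byte order, so the counter that hands them out is kept in host order and converted on the way out, and an increment on a network-order value is done as ntohl, add, htonl. Adding 1 to the raw network-order word on a little-endian host bumps the most significant byte of the SPI on the wire instead of the least significant one, which is the class of bug the second commit fixes. The 0xc prefix keeps locally chosen SPIs clear of 0 and the 1..255 range that RFC 4303 reserves and makes them easy to recognise in a dump. The seeding interface spi_seed() and the names spi_alloc(), spi_increment() and spi_is_local() are hypothetical; strongSwan takes the random bits from an RNG plugin.

```c
#include <stdbool.h>
#include <stdint.h>
#include <arpa/inet.h>

#define SPI_PREFIX 0xc0000000u   /* top nibble of every locally allocated SPI */
#define SPI_MASK   0x0fffffffu   /* the pseudo-random / counting part */

static uint32_t next_spi;        /* host order, always carries the prefix */

/* Seed the allocator from 32 random bits (caller supplies them). */
void spi_seed(uint32_t random)
{
	next_spi = SPI_PREFIX | (random & SPI_MASK);
}

/* Increment a network-order SPI while in host order, wrapping inside the
 * prefix so the result stays in the 0xc0000000..0xcfffffff range. */
uint32_t spi_increment(uint32_t spi_net)
{
	uint32_t host = ntohl(spi_net);

	host = SPI_PREFIX | ((host + 1) & SPI_MASK);
	return htonl(host);
}

/* Hand out the next SPI in network byte order and advance the counter. */
uint32_t spi_alloc(void)
{
	uint32_t spi_net = htonl(next_spi);

	next_spi = ntohl(spi_increment(spi_net));
	return spi_net;
}

/* True when a network-order SPI carries the local 0xc prefix. */
bool spi_is_local(uint32_t spi_net)
{
	return (ntohl(spi_net) & ~SPI_MASK) == SPI_PREFIX;
}
```

A practical check after any change to SPI handling is to compare the SPI printed by the daemon with the one shown by the platform's SA dump (ipsecdump on Windows, ip xfrm state on Linux); a byte-swapped or wrongly incremented SPI shows up there as an SA the peer never negotiated.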
Martin Willi
af098b5008
kernel-wfp: Triggering expire events for SAs to rekey/delete
2014-06-04 16:32:07 +02:00
Martin Willi
b3f90915f9
kernel-wfp: Enforce hard lifetimes of SAs
2014-06-04 16:32:07 +02:00
Martin Willi
b50d486e78
kernel-wfp: Add some notes about query_sa/policy() support
2014-06-04 16:32:06 +02:00
Martin Willi
f351d9ef7d
kernel-wfp: Reference SA/SP sets by SPI and destination, not reqid
...
This allows us to have multiple CHILD_SAs for the same reqid, and brings
rekeying support.
2014-06-04 16:32:06 +02:00
Martin Willi
4a8b85684f
kernel-wfp: Add support for tunnel mode connections
2014-06-04 16:32:06 +02:00
Martin Willi
f5ddda7f57
kernel-wfp: Register a WFP provider to manage IPsec tunnels
2014-06-04 16:32:06 +02:00
Martin Willi
149fc48e03
kernel-wfp: Preliminary support for transport mode connections
2014-06-04 16:32:06 +02:00
Martin Willi
b1ba0a666c
kernel-wfp: Fix/Complete some fwpuclnt functionality in MinGW
...
While MinGW declares all the required symbols, some of them are missing in the
library files. We provide missing variables locally; functions get a stub
that calls the GetProcAddress()ed function from the DLL.
Also, some MinGW headers define some enum values incorrectly; we overload these
using defines.
2014-06-04 16:32:06 +02:00
Martin Willi
ebb9362d85
kernel-wfp: Open and close a WFP engine
2014-06-04 16:32:06 +02:00