Commit Graph

10392 Commits

Author SHA1 Message Date
Martin Willi fb7cb97d6e libimcv: Link against ws_w32 on Windows 2014-06-04 15:53:06 +02:00
Martin Willi 17c17665cb libpttls: Link against ws_w32 on Windows 2014-06-04 15:53:05 +02:00
Martin Willi 262802f101 libtnccs: Link against ws_w32 on Windows 2014-06-04 15:53:05 +02:00
Martin Willi 30308c5fdb libtls: Link against ws_w32 on Windows 2014-06-04 15:53:05 +02:00
Martin Willi ee2498e3d6 bus: Build syslog logger depending on syslog() availability 2014-06-04 15:53:05 +02:00
Martin Willi 89e46c41f1 windows: Include for Vista instead of defining CondVar/SRWLock functions ourselves 2014-06-04 15:53:05 +02:00
Martin Willi 8120b3c339 windows: Don't redeclare inet_ntop/pton if already defined 2014-06-04 15:53:05 +02:00
Martin Willi 1f3bf4175d windows: Check for existence of error codes before defining them 2014-06-04 15:53:05 +02:00
Martin Willi 89c3ff6d2c windows: Check for clock_gettime() function itself as well
CLOCK_THREAD_CPUTIME_ID seems to be defined sometimes even if clock_gettime() is
missing.
2014-06-04 15:53:05 +02:00
Martin Willi 3d50dd47ef windows: Overload sleep() cancellable when it is defined in <unistd.h> 2014-06-04 15:53:04 +02:00
Martin Willi 9df2a04a93 sqlite: Avoid name clash when building on Windows 2014-06-04 15:53:04 +02:00
Martin Willi 8e1c0d15a9 mysql: Add Windows support
As the mysql_config script is not available for Windows, we use a hardcoded
library name and no additional CFLAGS. This builds fine against the binary
MySQL Connector/C distribution.
2014-06-04 15:53:04 +02:00
Martin Willi df4341747c charon-svc: Implement a Windows IKE service using libcharon
The resulting binary can be either run as Windows service or directly as
console application.
2014-06-04 15:53:04 +02:00
Martin Willi 87b43dd8b0 libcharon: Link against Winsock2 on Windows 2014-06-04 15:53:04 +02:00
Martin Willi b9dca7057c filelog: Ignore flush_line option if setlinebuf() not supported 2014-06-04 15:53:04 +02:00
Martin Willi efcf249aeb windows: Provide a close(2) that can close both file handles and sockets 2014-06-04 15:53:04 +02:00
Martin Willi 740404d481 chunk: Fallback to recv() on Windows chunk_from_fd() when operating on socket 2014-06-04 15:53:04 +02:00
Martin Willi 9ff1716029 windows: Don't use function macros to overload send/recv() and friends
While the macro versions would not catch non-function invocations, we actually
have to use a catch-all to support the sender_t.send() function.
2014-06-04 15:53:03 +02:00
Martin Willi 87664d92ca controller: Remove unused <dlfcn.h> include 2014-06-04 15:53:03 +02:00
Martin Willi c6503d451a charon: Don't use syslog() if not supported 2014-06-04 15:53:03 +02:00
Martin Willi d1eff687cf encoding: Don't explicitly include <arpa/inet.h> 2014-06-04 15:53:03 +02:00
Martin Willi 3ecfc83c6b payload: Use common prefixes for all payload type identifiers
The old identifiers did not use a proper namespace and often clashed with
other defines.
2014-06-04 15:53:03 +02:00
Martin Willi 06c33ebf6a openssl: Fix includes to prevent <winsock2.h> from complaining about include order 2014-06-04 15:53:03 +02:00
Martin Willi 4f310a2e75 openssl: Undef OpenSSL's X509_NAME defined by <wincrypt.h> 2014-06-04 15:53:02 +02:00
Martin Willi b7a4d44bd0 openssl: Check and link against libeay32 instead of libcrypto on Windows
Most Windows OpenSSL builds come with the crypto library named libeay32.
2014-06-04 15:53:02 +02:00
Martin Willi f3c809e615 windows: Provide a strndup(3) replacement 2014-06-04 15:53:02 +02:00
Martin Willi 8f3a3656d3 sha1: Include <library.h> instead of directly including <arpa/inet.h>
On Windows we don't have <arpa/inet.h>
2014-06-04 15:53:02 +02:00
Martin Willi 2dbb719b76 x509: Undef OCSP_RESPONSE from <wincrypt.h> before using it 2014-06-04 15:53:02 +02:00
Martin Willi 4163421f91 plugins: Don't link with -rdynamic on Windows 2014-06-04 15:53:02 +02:00
Martin Willi 110e42361e unit-tests: Uninline dlopen() and friends, make more dynamic, fix dlerror()
As the error string contains a newline, we have to remove that before
returning the string.
2014-06-04 15:53:02 +02:00
Martin Willi 204098a752 thread-value: Immediately cleanup all Windows TLS values on destroy 2014-06-04 15:53:02 +02:00
Martin Willi 9dec601f30 windows: Prevent queueing of multiple thread cancel APCs
This avoids any races during cleanup invocation if multiple cancel() requests
come in.
2014-06-04 15:53:01 +02:00
Martin Willi 0fa9c95811 windows: Provide a complete native Windows threading backend 2014-06-04 15:53:01 +02:00
Martin Willi a48570a046 windows: Provide a cancellable usleep(), but with ms resolution only 2014-06-04 15:53:01 +02:00
Martin Willi 986a577097 windows: Add a sleep function acting as cancellation point 2014-06-04 15:53:01 +02:00
Martin Willi 266ee0a190 windows: Provide a sched_yield() implementation 2014-06-04 15:53:01 +02:00
Martin Willi 5f35b73344 libipsec: Avoid name clash with sched.h clone() 2014-06-04 15:53:01 +02:00
Martin Willi 4de7401a98 windows: Provide a time_monotonic() based on GetTickCount64() 2014-06-04 15:53:01 +02:00
Martin Willi 965e846cc3 library: Change init/deinit order to allow utils to depend on threading 2014-06-04 15:53:01 +02:00
Martin Willi c46cee6f6d chunk: Don't depend on pthread directly 2014-06-04 15:53:00 +02:00
Martin Willi f1c9653e04 utils: Don't directly depend on pthread 2014-06-04 15:53:00 +02:00
Martin Willi eb94f58595 strerror: Don't directly depend on pthread 2014-06-04 15:53:00 +02:00
Martin Willi 4189cd2f03 windows: Link libhydra against Winsock2 2014-06-04 15:53:00 +02:00
Martin Willi a506b922f3 windows: Provide a strdup variant safe when passing zero-length strings 2014-06-04 15:53:00 +02:00
Martin Willi d8e56dfe32 unit-tests: Don't test Unix socket stream/services on Windows 2014-06-04 15:53:00 +02:00
Martin Willi adaa9f3942 unit-tests: Use send/recv on socket in watcher tests
Windows does not support read/write on sockets.
2014-06-04 15:53:00 +02:00
Martin Willi aa5b49c037 stream: Separate TCP/Unix stream helpers from stream/service implementations
This allows us to disable Unix sockets cleanly on Windows. Replaces some
read/write calls with recv/send counterparts, as Winsock does not like
read/writes.
2014-06-04 15:53:00 +02:00
Martin Willi 93f78d8225 watcher: Add Windows support
Instead of a pipe we use a TCP socketpair (can't select() a _pipe()), and
Winsock2 send/recv functions instead of read/write.

Currently supported (and required) are file descriptors provided by Winsock
only; we might use a separate mechanism for traditional file handles if
required (or switch to Windows events and WaitForMultipleObjects) for a future
version.
2014-06-04 15:52:59 +02:00
Martin Willi df0769299a windows: Map WSAGetLastError() to errno failures in wrapped send/recv/from/to 2014-06-04 15:52:59 +02:00
Martin Willi 20021277f2 windows: Add send/recv and sendto/recvfrom wrappers supporting MSG_DONTWAIT 2014-06-04 15:52:59 +02:00
Martin Willi 82fcb80276 windows: Implement socketpair() using TCP sockets 2014-06-04 15:52:59 +02:00
Martin Willi 87a79e6a03 windows: Add utils_init/deinit functions to initialize Winsock2 2014-06-04 15:52:59 +02:00
Martin Willi fb81820796 windows: Provide a setenv() wrapper 2014-06-04 15:52:59 +02:00
Martin Willi 7458952575 unit-tests: Use Windows path for chunk tests, and socket functions if required 2014-06-04 15:52:59 +02:00
Martin Willi a8c86599e4 unit-tests: Don't depend on sockaddr_un to test invalid host_t family 2014-06-04 15:52:59 +02:00
Martin Willi 4aaf0320d0 unit-tests: Add support for Windows build
Instead of signals we catch Windows exceptions. Currently not supported are
timers, which is more a convenience thing anyway.
2014-06-04 15:52:58 +02:00
Martin Willi a2216a2868 windows: Fix up PRI* printf formatters when building against own backend 2014-06-04 15:52:58 +02:00
Martin Willi 95a8d53dbe windows: Use localtime/gmtime to implement _r variants
The _s variants and friends do not seem to work on Windows 7 and always fail.
2014-06-04 15:52:58 +02:00
Martin Willi a4719c5767 asn1: Return a zeroed ASN1 time if gmtime_r() conversion fails 2014-06-04 15:52:58 +02:00
Martin Willi 8f129319ff utils: Printf() defined time output should gmtime/localtime_r() fail 2014-06-04 15:52:58 +02:00
Martin Willi 087e02e47e backtrace: Inline esc() helper, making it available to all build variants 2014-06-04 15:52:58 +02:00
Martin Willi 2127831cda backtrace: Support backtraces on Windows without DbgHelp
While DbgHelp provides a convenient API to create backtraces, any executable
linking against DbgHelp gets a more than significant slowdown. Further, it
can only look up global symbols, as it expects PDB files we can't produce with a
MinGW build.

With some core Kernel32.dll functionality, we can capture stack traces much
faster. Together with the optional libbfd, we can print very fine backtraces.

When --enable-bfd-backtraces is used on Windows, a libbfd.dll is required for
the build. Such a DLL can be created from the binutils sources using:

  # build binutils with mingw...

  # extract archive members from binutils libraries
  x86_64-w64-mingw32-ar x $BINUTILS/bfd/.libs/libbfd.a
  x86_64-w64-mingw32-ar x $BINUTILS/intl/libintl.a
  x86_64-w64-mingw32-ar x $BINUTILS/libiberty/libiberty.a

  # create self-contained libbfd.a, with index
  x86_64-w64-mingw32-ar qs libbfd.a *.o

  # create DLL from static library
  x86_64-w64-mingw32-dlltool -e libbfd.o -l libbfd.lib libbfd.a
  x86_64-w64-mingw32-gcc -shared libbfd.a libbfd.o -o libbfd.dll
2014-06-04 15:52:58 +02:00
Martin Willi a7e943a640 backtrace: Add DbgHelp based Windows support for creating/printing backtraces 2014-06-04 15:52:57 +02:00
Martin Willi 1f2b8c8c80 printf-hook-builtin: Support Windows console colors using TTY escape codes 2014-06-04 15:52:57 +02:00
Martin Willi 71bf82d474 windows: Link libstrongswan against ws2_32.dll 2014-06-04 15:52:57 +02:00
Martin Willi e7f3ceb7c8 capabilities: Add build support for Windows
We might extend it in the future using some Windows rights management.
2014-06-04 15:52:57 +02:00
Martin Willi d3c30b356c windows: Use _getmaxstdio as replacement for syscall(_SC_OPEN_MAX) 2014-06-03 12:24:35 +02:00
Martin Willi a3f7dfc1ca windows: replace mkdir() with Windows _mkdir() variant 2014-06-03 12:24:35 +02:00
Martin Willi c6b588bf06 thread: Add a Windows pthread variant to print thread identifiers 2014-06-03 12:24:34 +02:00
Martin Willi 2e6c203bad windows: Provide wrappers for dlopen() function family 2014-06-03 12:24:34 +02:00
Martin Willi 40a924090e crl: Undefine <wincrypt.h>'s CRL_REASON_* and use our enum values instead 2014-06-03 12:24:34 +02:00
Martin Willi 43c5388470 tun-device: Rearrange headers to build properly when tun devices not supported 2014-06-03 12:24:34 +02:00
Martin Willi 922ee2c529 windows: Add a common Windows header for platform specific wrappers
Include some more basic system headers in utils.h, so we can use that common
header on the different platforms.
2014-06-03 12:24:34 +02:00
Martin Willi b4c51061c3 imv-swid: Cast json object strings when using them as chunk pointer
While the string is actually const, we don't have a const chunk to handle such
strings properly in chunks. Fixes compiler warnings.
2014-06-03 12:23:57 +02:00
Andreas Steffen 7a6d2f2bce Allow large lines output by swid_generator to be processed 2014-05-31 21:25:47 +02:00
Andreas Steffen 3d4818bf18 Make REST POST request timeout configurable 2014-05-31 21:25:47 +02:00
Andreas Steffen 59db666094 Detect RADIUS packet retransmissions 2014-05-31 20:37:57 +02:00
Andreas Steffen 9635a92187 Fixed swid_generator interface 2014-05-31 20:37:57 +02:00
Andreas Steffen a5ce2f0b23 Detect oversize SWID tags 2014-05-31 20:37:57 +02:00
Andreas Steffen ed27e0e7c7 max_attr_size is a uint32_t value 2014-05-31 20:37:57 +02:00
Andreas Steffen 13a87236c2 Update of Ubuntu 14.04 kernel 2014-05-31 20:37:57 +02:00
Andreas Steffen 543447cb6b Wait for the arrival of the TCPG_PTS_DH_NONCE_PARAMS_RESP 2014-05-31 20:37:57 +02:00
Andreas Steffen 3a726816a2 Increased maximum PT-TLS message size to 2MB 2014-05-31 20:37:56 +02:00
Andreas Steffen 096c726b5b log SWID tags and tag IDs on debug level 3 2014-05-31 20:37:56 +02:00
Andreas Steffen 4dda2984e3 Automatic determination of maximum PB-TNC batch and PA-TNC message size 2014-05-31 20:37:56 +02:00
Andreas Steffen 75498e6b33 Completed the command line options of the pt-tls-client 2014-05-31 20:37:56 +02:00
Andreas Steffen 34cd3e102e Split TCG SWID Request attribute into chunks if needed 2014-05-31 20:37:56 +02:00
Andreas Steffen 32cb700cd0 Added Debian 7.5 product and all Debian armv6l products 2014-05-31 20:37:56 +02:00
Andreas Steffen 7b05b0bc28 Fixed typo in tables.sql 2014-05-31 20:37:56 +02:00
Andreas Steffen a123f470f0 Additional index to improve performance 2014-05-31 20:37:56 +02:00
Andreas Steffen b7679e90e3 Support targeted retrieval of SWID tags 2014-05-31 20:37:56 +02:00
Tobias Brunner e14507cb71 curl: Don't set CURLOPT_FAILONERROR
With the strongTNC REST API some errors will actually be accompanied by
a response we want to receive completely.
2014-05-31 20:37:55 +02:00
Andreas Steffen 344c9f91f3 Implemented SWID REST API 2014-05-31 20:37:55 +02:00
Andreas Steffen 8c26db8c62 Set entity_name to strongSwan Project 2014-05-31 20:37:55 +02:00
Andreas Steffen 6b6b857cb6 Updated strongSwan SWID Tag from ISO 2009 to 2014 format 2014-05-31 20:37:55 +02:00
Tobias Brunner b2b54bd71d Make sure getpass() is available
It's not on Android for example.
2014-05-29 12:28:53 +02:00
Tobias Brunner 95d13fcc3f starter: Fix build on Android
While the (default) ipsec script does not work on Android starter still
passes the script's name to charon if leftfirewall is configured.
2014-05-28 18:20:42 +02:00
Andreas Steffen 58c639e584 Some more files to measure 2014-05-21 14:00:31 +02:00
Andreas Steffen ba6c27f063 Added all SWID tables and example regids 2014-05-21 14:00:31 +02:00
Martin Willi b9dd46d8a9 peer-cfg: Add missing UNIQUE_NEVER to unique_policy_names 2014-05-19 18:05:51 +02:00
Tobias Brunner b9dfeb5de4 unit-tests: Sync threads with main thread in test_cleanup_cancel()
Without synchronization threads could get canceled before they could
disable their cancelability.
2014-05-19 16:06:52 +02:00
Tobias Brunner 403ad5dd85 pfkey: Always include stdint.h
On some systems (e.g. on Debian/kFreeBSD) that header is required when
including ipsec.h, on Linux we require it too when including pfkeyv2.h,
so to simplify things we just always include it.
2014-05-19 14:53:24 +02:00
Tobias Brunner 271c2dd24e soup: Add support to retrieve the response code 2014-05-19 14:29:48 +02:00
Tobias Brunner 350c1dead9 unit-tests: Allow some HTTP write operations to fail
Because CURLOPT_FAILONERROR is enabled in the curl plugin an error code
will often (not always) cause the client to close the TCP connection
before the server has written the complete response.
2014-05-19 14:28:45 +02:00
Tobias Brunner 703a0b4c3e curl: Add support to return the response code 2014-05-19 14:28:40 +02:00
Tobias Brunner deb8975bd2 unit-tests: Add a test case for HTTP response codes 2014-05-19 14:24:12 +02:00
Tobias Brunner 9a18593752 fetcher: Add option to retrieve response code from a fetcher 2014-05-19 14:20:50 +02:00
Tobias Brunner 032dcb8989 unit-tests: Defer failures by worker threads
In some cases the main thread is not ready to immediately call siglongjmp(),
e.g. if it currently holds a mutex that is later required during
shutdown.

Therefore, we delay handling errors in worker threads until the main
thread performs the next check itself (or the test function ends).

The same issue remains with SIGALRM.
2014-05-19 14:06:55 +02:00
Tobias Brunner 435fecd751 unit-tests: Make sure plugins in the builddir are loaded
When running the tests in GDB the working directory apparently is
different.  With the relative path used previously the plugins would not
be found and those installed on the system would get used.
2014-05-19 14:06:43 +02:00
Tobias Brunner 7c888e0d23 unit-tests: Don't assert failures for unreadable settings files as root
The file can still be read by root even if nobody has read privileges.
2014-05-16 17:50:29 +02:00
Martin Willi 2f893f278d proposal: Don't return a default IKE proposal without encryption/AEAD algs 2014-05-16 16:51:19 +02:00
Martin Willi 8d74ec9e80 ike: Add an additional but separate AEAD proposal to CHILD config
This currently has no effect: We don't include AEAD algorithms in the default
ESP proposal, as we don't know if it is supported by the backend. But as we
hopefully get an algorithm query mechanism on kernel interfaces some day, we
add the appropriate functionality nonetheless.
2014-05-16 16:51:19 +02:00
Martin Willi 879e3d12ca ike: Add an additional but separate AEAD proposal to IKE config, if supported 2014-05-16 16:51:19 +02:00
Martin Willi 356846db5d child-cfg: Allow passing NULL as proposal to add_proposal()
Making the API consistent with the one of ike_cfg.
2014-05-16 16:01:21 +02:00
Martin Willi 3312c447ef ike-cfg: Allow passing NULL to add_proposal()
This simplifies adding default proposals with constructors potentially
returning NULL.
2014-05-16 16:01:21 +02:00
Martin Willi 8642f8bdb7 proposal: Use an additional "default" constructor specific to AEAD algorithms
This allows a caller to create a separated proposal for supported AEAD
algorithms, as required by RFC 5996.
2014-05-16 16:01:21 +02:00
Martin Willi 0fc4dd429d proposal: Don't include AEAD algorithms in the default proposal
According to RFC 5996 3.3 we should use a separate proposal for AEAD algorithms.
This was not clear in RFC 5282, hence we previously included both AEAD and
non-AEAD algorithms in a single proposal.
2014-05-16 16:01:21 +02:00
Martin Willi 064fe9c963 enum: Return boolean result for enum_from_name() lookup
Handling the result for enum_from_name() is difficult, as checking for
negative return values requires a cast if the enum type is unsigned. The new
signature clearly differentiates lookup result from lookup value.

Further, this actually allows converting real -1 enum values, which could not
be distinguished from "not-found" and the -1 return value.

This also fixes several clang warnings where enums are unsigned.
2014-05-16 15:42:07 +02:00
Martin Willi 9ee8b3b41f enum: Don't directly include enum.h
To allow enum.h to depend on utils.h definitions, avoid its direct inclusion.
Instead include utils.h, which includes enum.h as well.
2014-05-16 15:42:07 +02:00
Martin Willi 8584e62368 libtps: Silence GCC set-but-unused warning in incomplete code 2014-05-16 15:42:07 +02:00
Martin Willi ed9bdfee41 scepclient: Cast OID_UNKNOWN before comparing it to unsigned hash_algorithm_t
clang uses unsigned enums and complains about the always-false -1 check.
2014-05-16 15:42:07 +02:00
Martin Willi 78db68cecf swanctl: Properly initialize return value of --install command 2014-05-16 15:42:07 +02:00
Martin Willi f5bbbd480c xauth-pam: Fix header include guard 2014-05-16 15:42:07 +02:00
Martin Willi 2cf5e97dd2 eap-peap: Remove dead SoH code from PEAP
clang complains about the unused variables.
2014-05-16 15:42:07 +02:00
Martin Willi e2bf45a491 tls: Move variable sized tls_record_t struct to end of tls_t data
clang complains about the non-last variable length member.
2014-05-16 15:42:07 +02:00
Martin Willi 6eff96f543 kernel-klips: Pass a pointer to a properly sized integer for algorithm lookup 2014-05-16 15:42:07 +02:00
Martin Willi e163427d9f auth-cfg: Cast literal default value to pointer type
Fixes a clang warning.
2014-05-16 15:42:07 +02:00
Martin Willi 0746e38c51 unbound: Explicitly cast from ldns RR type/class to our types
These definitions are directly derived from the RFC, so it should be safe
to cast them. clang complains about the different types, so cast them
explicitly.
2014-05-16 15:42:06 +02:00
Martin Willi fb515325cc x509: Remove some unused ASN1 OID constants 2014-05-16 15:42:06 +02:00
Martin Willi d3cf9ca322 aes: Remove unused build variants
The AES code historically has different build options for various size/speed
trade-offs. We never made use of them, so just drop the obsolete code. The code
now has four hard-coded fixed tables, both inverse and original.
2014-05-16 15:42:06 +02:00
Tobias Brunner b3dd0168f1 settings: Properly match } and # in include statements
Found due to %option nodefault.  A match for } was actually missing
and # was not properly matched if it was part of an include statement
on the last line of a file that did not end with a newline.
2014-05-15 12:03:07 +02:00
Tobias Brunner c92d44f2cf settings: Eliminate performance warning
This was useful during development, but we accept that matching \n together
with %option yylineno impacts performance.
2014-05-15 12:03:07 +02:00
Tobias Brunner 4102fc9c09 parser-helper: Define debug macros depending on DEBUG_LEVEL 2014-05-15 11:28:10 +02:00
Tobias Brunner 66248396c6 parser-helper: Make parser_helper_file_t private 2014-05-15 11:28:10 +02:00
Tobias Brunner c976cc7d33 parser-helper: Make parser_helper_log a function 2014-05-15 11:28:10 +02:00
Tobias Brunner 4b670a20a9 settings: strongswan.conf must be loaded explicitly 2014-05-15 11:28:10 +02:00
Tobias Brunner da45f9e994 settings: Replace deprecated YYLEX_PARAM with %lex-param
With Bison 3.x support for YYLEX_PARAM has been removed and %lex-param
should be used.  Unfortunately, that option does not take expressions.
Instead we use a wrapper function that calls the lexer with the proper
scanner object, which should also be backward compatible to older Bison
versions.
2014-05-15 11:28:09 +02:00
Tobias Brunner 813e510d69 settings: Include generated header after others
Newer Bison versions declare the parser function in the header, which
requires custom types.
2014-05-15 11:28:09 +02:00
Tobias Brunner f65ac98c64 settings: Reduce log verbosity if files can't be opened
Basically reintroducing 2a38b4556e.
2014-05-15 11:28:09 +02:00
Tobias Brunner 8b43c9ba34 settings: Adopt the new order of sections and settings when replacing configs 2014-05-15 11:28:09 +02:00
Tobias Brunner 5ac20cbb87 settings: Only purge sections if necessary
Instead of removing and caching all values of a previous config, we only
do this for actually removed sections/settings.
2014-05-15 11:28:08 +02:00
Tobias Brunner f5dd274ab8 settings: Maintain order of sections and settings while enumerating 2014-05-15 11:28:08 +02:00
Tobias Brunner 2fbbea55c5 settings: Don't overwrite values in-place
This is not thread safe.  If threads are reading from pointers to existing
values they could get a partially updated invalid value.

Refactored assignment to a separate function.
2014-05-15 11:28:08 +02:00
Tobias Brunner 725c479f8b settings: Add functions to add sections and key/value pairs to a section 2014-05-15 11:28:07 +02:00
Tobias Brunner 2fe04fb312 unit-tests: Update settings tests to match new parser
Empty settings are now ignored, strings are supported, newlines are
handled properly (e.g. at the end of files) etc.
2014-05-15 11:28:07 +02:00
Tobias Brunner 3855dc01ec settings: Don't enumerate key/value pairs with NULL value 2014-05-15 11:28:07 +02:00
Tobias Brunner 47a3ed979b settings: Use generated parser instead of our own 2014-05-15 11:28:07 +02:00
Tobias Brunner 073d72cf49 settings: Optionally keep track of removed/replaced values 2014-05-15 11:28:06 +02:00
Tobias Brunner 1f669078ac settings: Add flex/bison based parser for strongswan.conf
This parser features several improvements over the existing one.
For instance, quoted strings (with escape sequences), unlimited includes,
relaxed newline handling (e.g. at the end of files or before/after { and }),
and the difference between empty and unset values (key = vs. key = "").

It also complains a lot more about invalid syntax. The current one accepts
pretty odd stuff (like settings or sections without name) without any
errors or warnings.
2014-05-15 11:28:06 +02:00
Tobias Brunner f99d1f7ba5 settings: Extract section and key/value pair types and helper functions
This allows us to use them in the upcoming parser.
2014-05-15 11:28:06 +02:00
Tobias Brunner 3cb8016f0e parser-helper: Add utility class for flex/bison based parsers 2014-05-15 11:28:06 +02:00
Tobias Brunner 3784633fa5 settings: Use glob enumerator to load included files 2014-05-15 11:28:06 +02:00
Tobias Brunner 96de74b879 enumerator: Add enumerator to enumerate files matching a pattern
This enumerator is a wrapper around glob(3).  If that function is not
supported NULL is returned.  If no files match or an error occurs during
the pattern expansion an error is logged and the enumerator simply returns
no items.

RFC: if GLOB_ERR is not supplied glob returns GLOB_NOMATCH if e.g. the
base directory of the pattern does not exist, which would otherwise
result in an error. This way there is at least a clear error message in
case of a typo.
2014-05-15 11:28:05 +02:00
Tobias Brunner b9b1114ab1 settings: Move to a separate folder 2014-05-15 11:28:05 +02:00
Tobias Brunner 8069b3b14b array: Allocate initial data properly if esize is 0 2014-05-15 11:28:05 +02:00
Martin Willi e20e0a0586 swanctl: Increase default debug level to 1
We initially intended to silence debugging only during thread initialization,
not for swanctl in general.
2014-05-14 16:28:01 +02:00
Martin Willi 80b56fb468 vici: Support the close_action keyword, as we have it documented 2014-05-14 16:26:53 +02:00
Martin Willi cdc42256b0 ikev1: Fix debugging log when remote traffic selector selection fails 2014-05-14 10:01:57 +02:00
Andreas Steffen fa34739848 result destructor at the wrong level 2014-05-14 09:43:54 +02:00
Andreas Steffen 60633a995f build-database.sh finds all *.so files in /usr/lib 2014-05-13 10:08:04 +02:00
Andreas Steffen 7207e3a7ea Defined BIOS and EFI event types and log event info
On debug level 2 log EV_ACTION and EV_EFI_ACTION strings
and on level 3 dump raw event information
2014-05-13 06:21:28 +02:00
Tobias Brunner f1a272a0d0 libpts: Updated Android.mk 2014-05-12 11:46:08 +02:00
Andreas Steffen 8d59090349 Implemented PT-EAP protocol (RFC 7171) 2014-05-12 06:59:21 +02:00
Andreas Steffen ab21875f50 Extended build-database.sh 2014-05-12 06:55:29 +02:00
Andreas Steffen 37a73b9cc7 attest now maintains multiple versions of a file hash 2014-05-10 20:08:20 +02:00
Andreas Steffen 688b5b99ed Changed default value to libimcv.imc-attestation.pcr_info = no 2014-05-10 20:08:20 +02:00
Martin Willi b1b01840b6 child-sa: Reclaim old state if SA updating is not supported
If the state stays at UPDATING, the fallback using IKEv1 rekeying fails as
the task manager refuses to rekey a CHILD_SA in non-INSTALLED state.
2014-05-09 08:49:08 +02:00
Martin Willi b1076bc8fd swanctl: By default print local swanctl version with --version
But add a --daemon option to query the IKE daemon for its version.
2014-05-07 15:48:17 +02:00
Martin Willi 92884b4683 swanctl: Install empty credential folders with appropriate permissions 2014-05-07 15:48:17 +02:00
Martin Willi 2230f18358 swanctl: Document most swanctl.conf options in manpage 2014-05-07 15:48:17 +02:00
Martin Willi d909e51918 swanctl: Keep swanctl.conf man/template section order as defined 2014-05-07 15:48:17 +02:00
Martin Willi 85d26e0c87 swanctl: Add a swanctl command overview manpage 2014-05-07 15:48:17 +02:00
Tobias Brunner b18191ba0f swanctl: Generate swanctl.conf(5) man page 2014-05-07 15:48:16 +02:00
Tobias Brunner 6a461f0852 swanctl: Generate man page snippet with config options 2014-05-07 15:48:16 +02:00
Tobias Brunner 5fdba04312 swanctl: Convert swanctl.conf to an options file and generate config 2014-05-07 15:48:16 +02:00
Tobias Brunner 49d8a5f554 swanctl: Install swanctl.conf if it does not exist yet 2014-05-07 15:48:16 +02:00
Martin Willi 1312eab036 swanctl: Change syntax of secrets to accept identities with special chars
Having identity strings in the settings key is problematic, as the parser can't
handle arbitrary characters in it. Further, the space separation makes it
impossible to define identities with spaces.

The new format uses key prefixes, similar to those used in local/remote auth
sections of connections. The secrets section takes subsections with type
prefixes, and each subsection uses "id" prefixes to define an arbitrary
number of identities.
2014-05-07 15:48:16 +02:00
Martin Willi a2875525ae swanctl: List local and remote addresses in list-conns 2014-05-07 15:48:16 +02:00
Martin Willi 43306afe8e swanctl: Add a list-pools command to summarize pool status 2014-05-07 15:48:15 +02:00
Martin Willi a77acc183a swanctl: Add a load-pools command to (re-)load pool configurations from file 2014-05-07 15:48:15 +02:00
Martin Willi 4ee33b44df swanctl: Encode connection "pools" as list items 2014-05-07 15:48:15 +02:00
Martin Willi 250c6e3d90 swanctl: Fix enumeration of registered commands if MAX_COMMANDS is hit 2014-05-07 15:48:15 +02:00
Martin Willi 7b35c02db4 swanctl: Implement a --log command to trace debugging log 2014-05-07 15:48:15 +02:00
Martin Willi 3b22e8e995 swanctl: Add a swanctl.conf template file 2014-05-07 15:48:15 +02:00
Martin Willi 2d5c3a0f0f swanctl: Implement a --list-certs command to print or export daemon certificates 2014-05-07 15:48:15 +02:00
Martin Willi ebe78940aa swanctl: Be more verbose while loading connections and credentials 2014-05-07 15:48:15 +02:00
Martin Willi 51bdc1f3f1 swanctl: Add a list-conns command to query loaded connections 2014-05-07 15:48:14 +02:00
Martin Willi da866234bb swanctl: Register --version as last command 2014-05-07 15:48:14 +02:00
Martin Willi c1e413db49 swanctl: Support groups, certs and cacerts keywords 2014-05-07 15:48:14 +02:00
Martin Willi 818acc8638 swanctl: Load shared secrets from the swanctl.conf secrets section 2014-05-07 15:48:14 +02:00
Martin Willi d622e6da0f swanctl: Load different private keys with load-creds 2014-05-07 15:48:14 +02:00
Martin Willi 2c1511dbf8 swanctl: Add a command to (re-)load credentials 2014-05-07 15:48:14 +02:00
Martin Willi 7c8a907895 swanctl: Use a ./configure-able swanctl base directory 2014-05-07 15:48:14 +02:00
Martin Willi 991c9b5e77 swanctl: After loading connections, unload those that are not in config anymore 2014-05-07 15:48:14 +02:00
Martin Willi ee599d14ad swanctl: Implement a load-conn command to load connections from a file 2014-05-07 15:48:13 +02:00
Martin Willi 283b0b9e92 swanctl: Implement a list-pols command to query trap/shunt policies 2014-05-07 15:48:13 +02:00
Martin Willi 90ae636ccb swanctl: Implement install/uninstall commands to manage shunt/trap policies 2014-05-07 15:48:13 +02:00
Martin Willi 073be3cad4 swanctl: Add a version command to query daemon and OS info 2014-05-07 15:48:13 +02:00
Martin Willi 3dc377b37f swanctl: Add a terminate command 2014-05-07 15:48:13 +02:00
Martin Willi cb1c409b84 swanctl: Add a subcommand to initiate connections by name 2014-05-07 15:48:13 +02:00
Martin Willi 86910faeca swanctl: Add a list-sas command to query active IKE_SAs 2014-05-07 15:48:13 +02:00
Martin Willi e381e69f9b swanctl: Add a stub for a vici based configuration and control utility 2014-05-07 15:48:10 +02:00
Martin Willi 4c56c4621b libcharon: Execute scripts defined in strongswan.conf during startup/shutdown 2014-05-07 15:47:23 +02:00
Martin Willi 1e4ee168c8 vici: Check if header has been received before processing an empty message
If do_read() returns with EWOULDBLOCK, we must ensure that we actually have
processed the full length header before checking the zero-initialized buffer
length.
2014-05-07 14:13:39 +02:00
Martin Willi afb7ef4908 vici: Properly filter by CHILD_SA name while undoing start actions 2014-05-07 14:13:39 +02:00
Martin Willi 682c9966fa vici: Fallback to socket listening port if no explicit local port specified 2014-05-07 14:13:39 +02:00
Martin Willi dffd60083d vici: Support a "mtu" value for the tfc_padding option 2014-05-07 14:13:39 +02:00
Martin Willi 5619d40613 vici: Handle the "trap" action as an alias for "route" 2014-05-07 14:13:39 +02:00
Martin Willi e0a34ee459 vici: Document errno values to expect from libvici API 2014-05-07 14:13:39 +02:00
Martin Willi c2b6402eb0 vici: Log owners of a just loaded shared-secret 2014-05-07 14:13:39 +02:00
Martin Willi 41745e24f3 vici: Handle "xauth" as an alias for "eap" secrets 2014-05-07 14:13:38 +02:00
Martin Willi bc006ac1f4 vici: Return number of matching and closed SAs in terminate command 2014-05-07 14:13:38 +02:00
Martin Willi 021a14b7a4 vici: Complete libvici doxygen comments 2014-05-07 14:13:38 +02:00
Martin Willi 374511c52c vici: Ensure we have no active users before mangling event client registrations 2014-05-07 14:13:38 +02:00
Martin Willi 65cc8f5581 vici: Properly skip raise_event() for unknown event names 2014-05-07 14:13:38 +02:00
Martin Willi 3a9a46c20f vici: Increase vici message length header from 16 to 32 bits
While we currently have no need for messages larger than 65KB, we should design
the protocol to be future-proof, as we plan to keep at least the lowest protocol
layer stable.

To avoid any allocation issues, we currently keep the message size limit at
512KB.
2014-05-07 14:13:38 +02:00
Martin Willi f3e1ec4a85 vici: Have an explicit "relaxed" keyword for the default revocation policy 2014-05-07 14:13:38 +02:00
Martin Willi 585814470d vici: Use a default child rekey time of 1 hour 2014-05-07 14:13:38 +02:00
Martin Willi 046befeca5 vici: Use a default IKE rekey time of 4 hours 2014-05-07 14:13:38 +02:00
Martin Willi ff3217db4b vici: Add low-level IPC protocol description 2014-05-07 14:13:38 +02:00
Martin Willi c193732162 vici: Fix descending into non-matching sections during key find 2014-05-07 14:13:38 +02:00
Martin Willi eacf864c21 vici: Add an IKE virtual IP and attribute backend 2014-05-07 14:13:38 +02:00
Martin Willi afb8f492ef vici: Support referencing external named pools for peer configs 2014-05-07 14:13:37 +02:00
Martin Willi 3ad9c34c92 vici: Actually add configured virtual IPs to peer config 2014-05-07 14:13:37 +02:00
Martin Willi e651afe67b vici: Use a default rand_time of the difference between hard and soft lifetimes 2014-05-07 14:13:37 +02:00
Martin Willi c520510508 vici: Use a default hard lifetime of 110% of the soft lifetime 2014-05-07 14:13:37 +02:00
Martin Willi 93d60c479a vici: Make unit-tests independent from libcharon and libhydra
Fixes monolithic build, as we can't depend on the not yet built libcharon.
2014-05-07 14:13:37 +02:00
Martin Willi 0963a9952c vici: Don't compare unsigned certificate_type_t to -1 2014-05-07 14:13:37 +02:00
Martin Willi e00ce378fa vici: Use non-blocking first read when receiving message during client on_read()
As select() and finally the watcher may signal an FD even if it does not
actually have data, we must make a non-blocking read to avoid hanging in the
read callback.
2014-05-07 14:13:37 +02:00
Martin Willi 7de35b7ff6 vici: Perform specified start_action on connection load, undo it on unload 2014-05-07 14:13:37 +02:00
Martin Willi 96071fdb55 vici: Add a generic log event to raise events for log messages 2014-05-07 14:13:37 +02:00
Martin Willi 2676ffdb9f vici: Be less verbose about client connections
Instead, log the explicit commands at a higher level.
2014-05-07 14:13:37 +02:00
Martin Willi 101dba01ce vici: Add a list-certs command to query different certificate types 2014-05-07 14:13:37 +02:00
Martin Willi b57739f721 vici: Support pinning end entity and CA certificates to connections 2014-05-07 14:13:37 +02:00
Martin Willi e6e975ff9d vici: Support missing groups option in auth config 2014-05-07 14:13:37 +02:00
Martin Willi 6efa792d22 vici: Add a load-shared command to load shared IKE and EAP secrets 2014-05-07 14:13:37 +02:00
Martin Willi 559ef7de48 vici: Add a load-key command to load private keys 2014-05-07 14:13:36 +02:00
Martin Willi c12edb2a27 vici: Support loading of different certificate types 2014-05-07 14:13:36 +02:00
Martin Willi de190f62c2 vici: Add a credential backend 2014-05-07 14:13:36 +02:00
Martin Willi e1b65630b2 vici: Add a command listing all or specific loaded connections using events 2014-05-07 14:13:36 +02:00
Martin Willi 501ddf127b vici: Add unload-conn and get-conns commands to manage loaded connections 2014-05-07 14:13:36 +02:00
Martin Willi 37aa250cad vici: Make dispatcher a little more verbose 2014-05-07 14:13:36 +02:00
Martin Willi b3d8bd8d26 vici: Add backend providing in-memory connections 2014-05-07 14:13:36 +02:00
Martin Willi dd5ce0a97a vici: Add generic callback based vici message parsing 2014-05-07 14:13:36 +02:00
Martin Willi 1f2e63ea41 vici: Add a list-policy command to query trap and shunt policies 2014-05-07 14:13:36 +02:00
Martin Willi 5c6e81dcf8 vici: Add install/uninstall commands to manage trap and shunt policies 2014-05-07 14:13:36 +02:00
Martin Willi 550f3f5646 vici: Extract CHILD_SA config lookup method 2014-05-07 14:13:36 +02:00
Martin Willi e567675d29 vici: Refactor socket to clean up locking
Uses separate locks for socket read and write operations. While holding the
socket reader lock, a different thread can still claim the socket write lock.
This allows sending event messages asynchronously while holding the read
lock.
2014-05-07 14:13:36 +02:00
Martin Willi 9bfa397eba vici: Fix dispatcher leak when handling unknown request 2014-05-07 14:13:36 +02:00
Martin Willi e2496bda02 vici: Add a test case raising events during request, checks in-order delivery 2014-05-07 14:13:35 +02:00