Commit Graph

594 Commits

Author SHA1 Message Date
Martin Willi d05d85fe65 kernel-interface: Pass full list of traffic selectors to add_sa()
While we can handle the first selector only in BEET mode in kernel-netlink,
passing the full list gives the backend more flexibility in how to handle this
information.
2015-02-20 13:34:47 +01:00
Martin Willi fd9417607c libipsec: Remove unused src/dst_ts parameters from ipsec_sa_mgr_t.add_sa() 2015-02-20 13:34:47 +01:00
Martin Willi 2a1c9e20bd kernel-interface: Remove reqid parameter from get_spi/get_cpi() methods
The reqid is not strictly required, as we set the reqid with the update
call when installing the negotiated SA.

If we don't need a reqid at this stage, we can later allocate the reqid in
the kernel backend once the SA parameters have been fully negotiated. This
allows us to assign the same reqid for the same selectors to avoid conflicts
on backends where this is necessary.
2015-02-20 13:34:32 +01:00
Martin Willi 3e779ff555 libipsec: Remove unused reqid parameter from ipsec_sa_mgr_t.get_spi() 2015-02-19 15:42:22 +01:00
Martin Willi 7f82a8f34b osx: Update the README with App related bits 2014-12-17 16:54:28 +01:00
Martin Willi dacd667c84 osx: Initial import of the Objective-C App graphical user interface 2014-12-17 16:53:45 +01:00
Martin Willi 1c6188a0c2 charon-xpc: Add a work-around to trigger IP address add events after boot 2014-12-16 17:22:27 +01:00
Tobias Brunner fc02a9d4b9 android: New release based on 5.2.1 and after adding EAP-TLS
Also enables support for IKEv2 fragmentation, provides improved MOBIKE
handling and optionally enables PFS for CHILD_SAs.
2014-11-06 17:16:27 +01:00
Tobias Brunner baa4e774c1 android: Build binaries for MIPS 2014-11-06 17:11:55 +01:00
Tobias Brunner bdc4cea316 android: Increase fragment size
We use the same value we use as MTU on TUN devices.
2014-11-06 17:05:47 +01:00
Tobias Brunner 6fddf2af73 android: Enable IKEv2 fragmentation 2014-11-06 16:56:54 +01:00
Tobias Brunner 0e44999867 android: Use %any as AAA identity, but disable EAP-only authentication
Without verification of the identity we can't prevent a malicious user
with a valid certificate from impersonating the AAA server and thus the
VPN gateway.  So unless we make the AAA identity configurable we have to
prevent EAP-only authentication.
2014-11-06 16:28:40 +01:00
Tobias Brunner 4b39a4117a android: Add support for signature schemes used by EAP-TLS 2014-11-06 16:28:40 +01:00
Tobias Brunner 0ef74bec98 android: Allow enumeration of untrusted certificates 2014-11-06 16:28:40 +01:00
Tobias Brunner 34ca3795c8 android: Handle EAP-TLS in Android service 2014-11-06 16:28:40 +01:00
Tobias Brunner 93923149e4 android: Enable EAP-TLS plugin in the app 2014-11-06 16:28:40 +01:00
Tobias Brunner a1700c9903 android: Add EAP-TLS VPN type to the GUI 2014-11-06 16:28:40 +01:00
Tobias Brunner a64089738d android: Change how features of VPN types are stored and checked 2014-11-06 16:28:40 +01:00
Tobias Brunner fdeda63df0 android: Fix PA-TNC construction based on data passed via JNI 2014-10-15 13:55:13 +02:00
Tobias Brunner 3307de1f8d android: Implement get_contracts() method in IMC state object 2014-10-14 10:37:55 +02:00
Tobias Brunner f4e6f89aa9 android: libpts does not exist anymore, don't attempt to load it 2014-10-14 10:12:16 +02:00
Tobias Brunner bed09f2baf android: Update receive_message() to new imc_msg_t.receive() signature 2014-10-13 18:16:47 +02:00
Tobias Brunner f502e503fb android: Remove references to libpts 2014-10-13 17:18:06 +02:00
Martin Willi 5421092b75 plugin-loader: Support a reload() callback for static features 2014-09-22 13:55:12 +02:00
Tobias Brunner f9ceb5b543 android: Reduce CHILD_SA lifetime 2014-09-12 10:21:50 +02:00
Tobias Brunner 1fe3b02838 android: Add DH groups to ESP proposals 2014-09-12 10:21:49 +02:00
Tobias Brunner ac1b3a6ddd android: Reestablish IKE_SA if CHILD_SA rekeying failed 2014-09-12 10:18:13 +02:00
Tobias Brunner a39c28bb35 android: Report error if CHILD_SA rekeying fails 2014-09-12 10:18:13 +02:00
Tobias Brunner e58764ca0f android: Add support for querying use stats of a CHILD_SA 2014-09-09 10:57:51 +02:00
Tobias Brunner ffa9b67189 dns-proxy: Don't use proxy socket if we fail to bypass it
This will result in an infinite loop as packets sent over that socket
will again pass through the TUN device and the DNS proxy.

Apparently, bypassing fails when airplane mode is enabled.

Fixes #662.
2014-07-30 09:48:08 +02:00
Tobias Brunner 8d31df9099 android: New release after adding certificate import, DNS proxy and GUI changes 2014-07-22 11:34:09 +02:00
Tobias Brunner ffff7219ef android: For keyingtries > 0 notify the GUI if the limit is reached when reestablishing
The IKE_SA is destroyed anyway, so letting the GUI remain in
"connecting" state would be incorrect.

We still use keyingtries=0 for now, though. And we still abort after the
first failed attempt initially, in case there is a configuration error.
2014-07-22 11:10:36 +02:00
Tobias Brunner 5fd9e5fd00 android: Terminate IKE_SA if initial IKE_SA_INIT fails
Since VpnStateService.disconnect() is now not called until the error
dialog is dismissed the daemon would continue to try connecting.
So while the error dialog is shown the connection might actually be
successfully established in the background, which is not intended.

This way the IKE_SA is destroyed right after sending the IKE_SA_INIT of
the second connection attempt (due to keyingtries=0).
2014-07-22 11:10:36 +02:00
Tobias Brunner 945832c67d android: Only allow DNS queries for the configured hostname 2014-07-22 11:10:36 +02:00
Tobias Brunner e77f226a0f android: Add optional filter functionality to DNS proxy
If specified only queries for a list of allowed host names will be
proxied.
2014-07-22 11:10:36 +02:00
Tobias Brunner c66f5f844d android: Recreate the TUN device without DNS when reestablishing IKE_SAs
This enables DNS resolution while reestablishing if the VPN gateway pushed
DNS servers to the client that are only reachable via VPN.
2014-07-22 11:10:36 +02:00
Tobias Brunner 36aab70ab0 android: Add method to BuilderAdapter to re-establish without DNS-related data
Non-DNS data is cached in the BuilderAdapter so the TUN device can be
recreated easily (since the CHILD_SA is gone we couldn't actually gather
that information).
2014-07-22 11:10:36 +02:00
Tobias Brunner cc1712a8f4 android: Use DNS proxy when reestablishing IKE_SAs 2014-07-22 11:10:36 +02:00
Tobias Brunner 614359a7d5 bus: Add ike_reestablish_pre hook, called before DNS resolution
The old hook is renamed to ike_reestablish_post and is now also called
when the initiation of the new IKE_SA failed.
2014-07-22 11:10:36 +02:00
Tobias Brunner 2dc26c557e android: Add DNS proxy implementation
This class proxies DNS requests over VPN-protected UDP sockets.
It is not really Android specific and might be useful for
kernel-libipsec or libipsec in general too, so we could maybe move it later
to libipsec (might need some portability work).
2014-07-22 11:10:36 +02:00
Tobias Brunner 394be2d556 android: Delay disconnecting on errors until user dismisses them
If e.g. reauthentication fails we don't want to close the TUN device
until the user acknowledged the error and is thus aware of the failure.
2014-07-22 10:55:51 +02:00
Tobias Brunner 08d545e29a android: Set CHILD_STATE_DOWN when the IKE_SA gets reestablished 2014-07-22 10:55:51 +02:00
Tobias Brunner fb5d541503 android: Set CHILD_STATE_DOWN whenever the CHILD_SA goes down
No matter what triggers it.  We also don't close the TUN device, but we
might handle that differently in the future to allow reestablishing the
IKE_SA if host names have to be re-resolved via DNS.
2014-07-22 10:55:51 +02:00
Tobias Brunner 1435bd2e1b android: Change to CONNECTING state if CHILD_SA goes down
Unless we are disconnecting.  This currently triggers the connecting
dialog, perhaps just updating the status text would do too (when switching
from CONNECTED to CONNECTING, not from DISCONNECTED to CONNECTING).
2014-07-22 10:55:51 +02:00
Tobias Brunner d4bf6bfb15 android: Do not use deprecated TwoLineListItem 2014-07-22 10:41:51 +02:00
Tobias Brunner 7073bfe4e9 android: Add support for ECDSA private keys
With 4.4.4 these work fine now.
2014-07-22 10:41:51 +02:00
Tobias Brunner 3dc92ff9cf android: Show a confirmation dialog before importing certificates
Since the import activity can be triggered by any other app on the
system we shouldn't just import every certificate we get.

Also, in some situations (e.g. if no passphrase has been set yet for the
system-wide certificate store) we are the only application that can open
certificate files.  So if a user clicked on a certificate file she would
just get a confirmation Toast about a successful import, with no indication
whatsoever where the certificate was actually imported.  The new dialog
shows the app icon to indicate that strongSwan is involved.
2014-07-22 10:41:51 +02:00
Tobias Brunner 1ed922c918 android: Use Storage Access Framework to import certificates
Thanks to the SAF, introduced with Android 4.4, browsing and opening
files on the system is very easy to implement.

On older systems the menu option is removed.
2014-07-22 10:41:51 +02:00
Tobias Brunner 94cc8f6a72 android: Add activity to import certificate files
Such files can e.g. be opened from the Download view, if they are
associated with one of the supported mime-types.
2014-07-22 10:41:50 +02:00
Tobias Brunner ac200bcda5 android: Imported certificates may be clicked to delete them 2014-07-22 10:41:50 +02:00
Tobias Brunner eb01649079 android: Reload CA certificates without AsyncTask
We already use loaders in the GUI that can handle this asynchronously.
2014-07-22 10:41:50 +02:00
Tobias Brunner 918200378d android: Change how CA certificate reloads are initiated 2014-07-22 10:41:50 +02:00
Tobias Brunner 08de6a08f0 android: Add option to reload CA certificates to TrustedCertificatesActivity 2014-07-22 10:41:50 +02:00
Tobias Brunner 2312985b2a android: Replace option to reload CA certificates with CA certificate view
The reload option will be added there.
2014-07-22 10:41:50 +02:00
Tobias Brunner 1353f08fbc android: Only close TrustedCertificatesActivity on click when selecting a certificate 2014-07-22 10:41:50 +02:00
Tobias Brunner 9c841b1f34 android: Set action when using TrustedCertificatesActivity to select a certificate 2014-07-22 10:41:50 +02:00
Tobias Brunner f21a69dbec android: Allow selection of local certificates 2014-07-22 10:41:49 +02:00
Tobias Brunner 3b2b536b70 android: Change how CA certificates from different sources are accessed 2014-07-22 10:41:49 +02:00
Tobias Brunner 8cdce00eb1 android: Cache certificates from multiple KeyStores
Including the new local one.
2014-07-22 10:41:49 +02:00
Tobias Brunner 8d3a058abc android: Register local certificate store provider when the app is initialized 2014-07-22 10:41:49 +02:00
Tobias Brunner 5eb4297046 android: Add Provider for the local certificate store 2014-07-22 10:41:49 +02:00
Tobias Brunner 544267889e android: Add KeyStoreSpi implementation that uses LocalCertificateStore 2014-07-22 10:41:49 +02:00
Tobias Brunner 275888d255 android: Add local certificate store
The class manages certificates stored in files within the app's
private data directory.
2014-07-22 10:41:49 +02:00
Tobias Brunner 463a6cd005 android: Move TrustedCertificateEntry to a new package 2014-07-22 10:41:49 +02:00
Tobias Brunner 6684195505 android: Subclass Application to provide static access to the application context 2014-07-22 10:41:49 +02:00
Tobias Brunner 7229bdd5c7 android: Target latest SDK version 2014-07-22 10:41:49 +02:00
Tobias Brunner 140ce41a39 android: Add utility method to convert a byte array to a hex string 2014-07-22 10:41:48 +02:00
Tobias Brunner 9d994ba5ea android: Remove unused hash argument from getTrustedCertificates() 2014-07-22 10:41:48 +02:00
Tobias Brunner b9fd95f476 android: Use correct tag to define category for CREATE_SHORTCUT intent-filter 2014-07-22 10:41:48 +02:00
Tobias Brunner 3e4ce88633 android: Define HAVE_DLADDR as plugin loader checks for it 2014-06-24 15:53:25 +02:00
Martin Willi 30c009c2fe kernel-interface: Add a replay_window parameter to add_sa() 2014-06-17 16:41:30 +02:00
Martin Willi 8d74ec9e80 ike: Add an additional but separate AEAD proposal to CHILD config
This currently has no effect: We don't include AEAD algorithms in the default
ESP proposal, as we don't know if it is supported by the backend. But as we
hopefully get an algorithm query mechanism on kernel interfaces some day, we
add the appropriate functionality nonetheless.
2014-05-16 16:51:19 +02:00
Martin Willi 879e3d12ca ike: Add an additional but separate AEAD proposal to IKE config, if supported 2014-05-16 16:51:19 +02:00
Tobias Brunner 446c036794 android: New release based on 5.1.3
Also links OpenSSL statically and doesn't limit the number of packets
during EAP-TTLS.
2014-04-25 14:39:22 +02:00
Tobias Brunner 8064764070 android: Use static version of libcrypto
System.loadLibrary() searches in system directories first (at least in
recent releases), that is, our own build wouldn't actually get used.
2014-04-25 14:26:31 +02:00
Martin Willi 65117a0764 nm: Bump NetworkManager plugin version to 1.3.1 2014-04-24 15:53:38 +02:00
Tobias Brunner 65ee857a88 android: Don't limit number of packets during EAP-TTLS 2014-02-18 11:32:37 +01:00
Tobias Brunner 1c306c0ee9 libcharon: Remove unused charon->name 2014-02-12 14:34:33 +01:00
Tobias Brunner 10c4f4e1fd libhydra: Remove unused hydra->daemon 2014-02-12 14:34:32 +01:00
Tobias Brunner 34d3bfcf14 lib: Add global config namespace 2014-02-12 14:34:31 +01:00
Tobias Brunner 0b506edb19 nm: Require the PSK to be at least 20 characters long 2013-11-27 18:36:58 +01:00
Tobias Brunner 692a421aa0 nm: German translation updated 2013-11-27 18:36:58 +01:00
Tobias Brunner 594878e552 nm: Add PSK option to auth-dialog 2013-11-27 18:36:58 +01:00
Tobias Brunner 63528ebd3f nm: Add pre-shared key option in GUI 2013-11-27 18:36:58 +01:00
Tobias Brunner cfaec93111 nm: Make intltool recognize glade files properly 2013-11-27 18:36:58 +01:00
Tobias Brunner 85adb98daf android: New release based on 5.1.1
This fixes issues with IVs and padding in ESP handling and removes the
Vstr dependency.
2013-11-13 17:41:24 +01:00
Tobias Brunner 20c99edab9 android: Remove dependency on libvstr 2013-11-13 11:40:47 +01:00
Martin Willi 10900ed7e7 charon-xpc: Set AUTH_RULE_IDENTITY_LOOSE on responder config
This allows the server to use a different IKE identity as long as the
configured hostname is contained in the certificate.
2013-11-01 12:05:48 +01:00
Martin Willi 1ba47fa565 charon-xpc: Load missing eap-md5 plugin after enabling it 2013-10-28 15:18:11 +01:00
Martin Willi 9f2a4d3315 charon-xpc: Disable warnings about deprecated functions
This avoids all the deprecated warnings when using OpenSSL functions.
2013-10-28 14:51:59 +01:00
Martin Willi f5ea7d781f charon-xpc: Avoid -all_load linker flag
This seems to be not required anymore with the LLVM 5 toolchain.
2013-10-28 14:51:51 +01:00
Martin Willi a1c2ed8820 charon-xpc: Properly xpc_retain() connections we xpc_release() 2013-10-28 14:51:40 +01:00
Martin Willi 888d8d73ab charon-xpc: Properly cast SA identifier to uintptr representation 2013-10-28 14:51:28 +01:00
Martin Willi 3e40dbb128 charon-xpc: Don’t build against libvstr anymore
We now have our own printf backend and use it instead of Vstr.
2013-10-28 14:51:03 +01:00
Martin Willi 6a3cfbdc0d charon-xpc: Build with EAP-MD5 support 2013-10-28 14:49:19 +01:00
Martin Willi d7083b6541 kernel: Use a time_t to report use time in query_policy() 2013-10-11 10:23:17 +02:00
Martin Willi c99458e94e kernel: Use a time_t to report use time in query_sa() 2013-10-11 10:23:17 +02:00
Tobias Brunner e4d63cfae7 android: New release after fixing remediation instructions regression 2013-09-26 13:53:39 +02:00
Tobias Brunner 00f7b29422 android: Change progress dialog handling
With the previous code the dialog sometimes was hidden for a short while
before it got reopened.
2013-09-26 13:53:25 +02:00
Tobias Brunner cfed5679b8 android: Clear remediation instructions when starting a new connection 2013-09-26 13:00:45 +02:00
Tobias Brunner c17cbfdb72 android: New release after improving recovery after connectivity changes 2013-09-23 14:33:29 +02:00
Tobias Brunner 3817231333 android: Change state handling to display errors occurring while the app is hidden
A new connection ID allows listeners to track which errors they have
already shown to the user or were already dismissed by the user.

This was necessary because the state fragment is now unregistered from
state changes when it is not shown.
2013-09-23 12:01:43 +02:00
Tobias Brunner b4a5b185fc android: Don't update state fragments when they are not displayed
Besides the fact that updates don't make much sense when the fragments are not
displayed, this fixes the following exception:
	java.lang.IllegalStateException: Can not perform this action after
		onSaveInstanceState
2013-09-23 12:01:42 +02:00
Tobias Brunner c3ee829eee android: Properly handle failures while initializing charon 2013-09-23 11:49:52 +02:00
Tobias Brunner c742905f50 android: Fix compilation after PTS header files were moved 2013-09-04 16:18:29 +02:00
Martin Willi 3070697f9f ike: support multiple addresses, ranges and subnets in IKE address config
Replace the allowany semantic by a more powerful subnet and IP range matching.
Multiple addresses, DNS names, subnets and ranges can be specified in a comma
separated list. Initiators ignore the ranges/subnets, responders match
configurations against all addresses, ranges and subnets.
2013-09-04 10:38:37 +02:00
Martin Willi 9aeaa7396e peer-cfg: add a pull/push mode option to use with mode config 2013-09-04 10:33:37 +02:00
Martin Willi a0cd955f42 charon-xpc: add a note how to build the source tarball 2013-08-29 12:28:54 +02:00
Martin Willi 74ee1120d7 charon-xpc: include and prefer AES-GCM algorithms in ESP proposal 2013-08-29 11:37:07 +02:00
Martin Willi 8fa7c5c191 charon-xpc: load missing ctr/ccm/gcm plugins 2013-07-31 16:28:11 +02:00
Martin Willi aafb6fa6c2 charon-xpc: use kernel-libipsec instead of kernel-pfkey 2013-07-31 11:41:37 +02:00
Martin Willi 546235d34c charon-xpc: fix TS getting after changing CHILD_SA API 2013-07-31 11:41:31 +02:00
Tobias Brunner 146fa8b2d3 charon-xpc: Use correct namespace when setting default settings 2013-07-22 17:44:37 +02:00
Tobias Brunner 0ceb288815 Fix various API doc issues and typos
Partially based on an old patch by Adrian-Ken Rueegsegger.
2013-07-18 18:30:36 +02:00
Martin Willi b9c47eae06 xpc: allow easy copy & paste of ./configure instructions 2013-07-18 12:17:56 +02:00
Martin Willi 7f1adbe94e xpc: use -idirafter to build against openssl headers from /usr/include 2013-07-18 12:17:56 +02:00
Martin Willi 06e8712cb3 xpc: forward some raised alerts over XPC to App 2013-07-18 12:17:56 +02:00
Martin Willi e7ee45ef38 xpc: enable close_ike_on_child_failure 2013-07-18 12:17:56 +02:00
Martin Willi e37c5d46d3 xpc: send a "connecting" event when establishing a connection starts 2013-07-18 12:17:56 +02:00
Martin Willi 3ffa310c44 xpc: use osx-attr plugin to install configuration attributes 2013-07-18 12:17:56 +02:00
Martin Willi c7ac7f92e9 xpc: update README with new events, markdown style fixes 2013-07-18 12:17:55 +02:00
Martin Willi 4edcc86149 xpc: send child_updown events over XPC channel 2013-07-18 12:17:55 +02:00
Martin Willi d60c8d2c74 xpc: support termination of IKE_SAs using XPC RPC on connection channel 2013-07-18 12:17:55 +02:00
Martin Willi 790ad9e677 xpc: move XPC RPC reply creation to command dispatching 2013-07-18 12:17:55 +02:00
Martin Willi a0c125eacb xpc: terminate daemon when last XPC connection to App gone 2013-07-18 12:17:55 +02:00
Martin Willi 6aae6268d7 xpc: fix some refcounting issues related to XPC connections 2013-07-18 12:17:55 +02:00
Martin Willi 22bffc647d xpc: no need to clear channel table, they are bound to IKE_SA lifetime 2013-07-18 12:17:55 +02:00
Martin Willi 1a3f71d97a xpc: add support for logging over XPC channels 2013-07-18 12:17:55 +02:00
Martin Willi fbc89786b5 xpc: don't warn about pointer signedness mismatch (-Wno-pointer-sign) 2013-07-18 12:17:55 +02:00
Martin Willi dcf8a3c78b xpc: add a description of the basic XPC protocol to README 2013-07-18 12:17:55 +02:00
Martin Willi d5966e71e9 xpc: use the same XPC message "type" mechanism on Mach service as on channels 2013-07-18 12:17:55 +02:00
Martin Willi 39d15dde67 xpc: ask App for passwords using connection specific channel 2013-07-18 12:17:55 +02:00
Martin Willi 8279ce99c4 xpc: use IKE_SA specific XPC return channels for further communication 2013-07-18 12:17:55 +02:00
Martin Willi bc74e18223 xpc: don't send certificate requests, there are too many when using keychain 2013-07-18 12:17:55 +02:00
Martin Willi 5016370390 xpc: build with support for the keychain plugin 2013-07-18 12:17:55 +02:00
Martin Willi e73a653451 xpc: add support for initiating simple IKEv2 EAP connections 2013-07-18 12:17:54 +02:00
Martin Willi 3dcc9d7aa7 xpc: move dispatching to dedicated class, using dedicated thread 2013-07-18 12:17:54 +02:00
Martin Willi 4204d1d71a xpc: use non-inlining variant of vstr, compiler does not like it 2013-07-18 12:17:54 +02:00
Martin Willi 6f8c626b81 xpc: add Xcode project for a charon controlled through XPC 2013-07-18 12:17:54 +02:00
Tobias Brunner b23bd71466 android: New release after adding support for EAP-TNC
Also disabled listening on IPv6 because the Linux kernel currently does
not support UDP encapsulation for IPv6.
2013-07-08 18:51:07 +02:00
Tobias Brunner 7ccf02ee93 android: Properly handle dotted-quad notation of IPv6 addresses
For netstat output like ::ffff:127.0.0.1:9876 we shall not treat 127 as
port but 9876 instead.
2013-07-08 18:49:30 +02:00
Tobias Brunner 97f1dfb3ec android: Allow IMC state to be dismissed with a swipe gesture 2013-07-08 18:49:30 +02:00
Tobias Brunner a9f94d7efb android: Use explicit locale when converting settings names
Apparently, these functions use the user's default locale which might not
yield the expected result (e.g. lowercase I is not i in the Turkish
locale but ı instead).
2013-07-08 18:49:30 +02:00
Tobias Brunner e1a98e7956 android: Add information about transmitted data if EAP-TNC is selected 2013-07-08 18:49:30 +02:00
Tobias Brunner 9390499584 android: Reuse certificate selector as generic two line button 2013-07-08 18:49:30 +02:00
Tobias Brunner 671614d229 android: Add device ID in BeginHandshake 2013-07-08 18:49:30 +02:00
Tobias Brunner 8a5bffb0fe android: Add new VpnType to enable BYOD features 2013-07-08 18:49:30 +02:00
Tobias Brunner 2ecda3421a android: Use a different set of plugins if BYOD features are enabled 2013-07-08 18:49:29 +02:00
Tobias Brunner 6e872fea7a android: IMC state fragment is a button that shows remediation instructions or log 2013-07-08 18:49:29 +02:00
Tobias Brunner 254d8679c6 android: Show remediation instructions instead of log on failure 2013-07-08 18:49:29 +02:00
Tobias Brunner 873f389b37 android: Properly hide the IMC state fragment initially 2013-07-08 18:49:29 +02:00
Tobias Brunner 0ef98957a7 android: Add activity that displays a list of remediation instructions
On large displays a two-pane layout is used that displays the list next
to the actual instructions.
2013-07-08 18:49:29 +02:00
Tobias Brunner 611d35e8e8 android: Add fragment for a list of remediation instructions
This fragment can later be used in one- or two-pane layouts.
2013-07-08 18:49:29 +02:00
Tobias Brunner b6e05f6518 android: Add adapter for remediation instructions 2013-07-08 18:49:29 +02:00
Tobias Brunner ea022bb194 android: Add fragment that displays a single remediation instruction 2013-07-08 18:49:29 +02:00
Tobias Brunner c469cd2a66 android: RemediationInstruction implements Parcelable interface 2013-07-08 18:49:29 +02:00
Tobias Brunner 2b91085701 android: Background for state panels provides separator 2013-07-08 18:49:29 +02:00
Tobias Brunner e5bf6dcddc android: Add fragment that displays the IMC state
The fragment hides itself if the state is unknown or the assessment
succeeded.
2013-07-08 18:49:29 +02:00
Tobias Brunner a05acd7629 android: Handle and store IETF remediation instructions 2013-07-08 18:49:28 +02:00
Tobias Brunner 0484989dbd android: Add a parser for XML remediation instructions 2013-07-08 18:49:28 +02:00
Tobias Brunner a8dc42b295 android: Show different error message depending on IMC state 2013-07-08 18:49:28 +02:00
Tobias Brunner 5e7a4193e5 android: Clear error only when the user explicitly dismisses the dialog
The previous code worked fine on rotation changes as the fragment is
destroyed and recreated causing onCreate to be called, which restores the
saved error state.  But if the user switches to a different application
and then back this is not the case.  The dialog still gets dismissed (as
we have to do so to avoid nasty exceptions on rotation changes) but since
that implicitly cleared the error state the UI was never fully restored.
2013-07-08 18:49:28 +02:00
Tobias Brunner dc52cfab73 android: Add state of IMC to VpnStateService and update it via JNI 2013-07-08 18:49:28 +02:00
Tobias Brunner d087f080f0 android: Handle TCG file measurement related attributes using PTS 2013-07-08 18:49:28 +02:00
Tobias Brunner fd3aa004e4 android: Android IMC state provides a Platform Trust Service (PTS) instance 2013-07-08 18:49:28 +02:00
Tobias Brunner 0e53beda32 android: Provide a public interface for Android IMC state 2013-07-08 18:49:28 +02:00
Tobias Brunner 403165102c android: Define IMC functions static and with lower-case names 2013-07-08 18:49:28 +02:00
Tobias Brunner 583fe0ccb6 android: Add measurement collector for ITA Device ID 2013-07-08 18:49:28 +02:00
Tobias Brunner 44330a171f android: Add measurement collector for ITA Settings 2013-07-08 18:49:27 +02:00
Tobias Brunner c179a3f6f2 android: Handle ITA PA-TNC attributes 2013-07-08 18:49:27 +02:00
Tobias Brunner 036fa7a166 android: Overload for getMeasurement() that takes a String array as argument 2013-07-08 18:49:27 +02:00
Tobias Brunner ba59486fc8 android: Add measurement collector for Port Filter
This collector reports all listening TCP and UDP sockets/ports.
2013-07-08 18:49:27 +02:00
Tobias Brunner 6500727d6a android: Enum type for transport protocols added 2013-07-08 18:49:27 +02:00
Tobias Brunner 7cb8f570ed android: Add measurement collector for Installed Packages 2013-07-08 18:49:27 +02:00
Tobias Brunner 2d61172314 android: Add measurement collector for Product Information 2013-07-08 18:49:27 +02:00
Tobias Brunner 75d710ec63 android: Also support writing of 24-bit values 2013-07-08 18:49:27 +02:00
Tobias Brunner 5c9706f30b android: Add measurement collector for String Version 2013-07-08 18:49:27 +02:00
Tobias Brunner 4eec7912a1 android: Interfaces for measurement collectors and attributes added 2013-07-08 18:49:27 +02:00
Tobias Brunner 2d378d8a74 android: Add a Java utility class similar to bio_writer_t 2013-07-08 18:49:27 +02:00
Tobias Brunner 28c268d707 android: Add enum types for PENs and attribute types 2013-07-08 18:49:26 +02:00
Tobias Brunner c53210f9b0 android: Add a generic handler for PA-TNC attribute requests
The idea is that the Android IMC will return attributes in their binary
encoding.  This keeps the JNI interface to the IMC pretty simple.
2013-07-08 18:49:26 +02:00
Tobias Brunner aa4ff3b211 android: Added a Java part to the Android IMC 2013-07-08 18:49:26 +02:00
Tobias Brunner 753035f6d7 android: Don't attempt loading IMCs from /etc/tnc_config 2013-07-08 18:49:26 +02:00
Tobias Brunner a6507df2ec android: Build libpts and init/deinit libpts in BYOD IMC 2013-07-08 18:49:26 +02:00
Tobias Brunner 96658d7264 android: Added a sample IMC that sends some dummy OS data 2013-07-08 18:49:26 +02:00
Tobias Brunner 933155fae6 android: Build option added to load BYOD related plugins and libraries in the Android app 2013-07-08 18:49:26 +02:00
Tobias Brunner 0015727ebd android: Disable listening on IPv6
As we have to use UDP encapsulation and the Linux kernel currently does
not support that this avoids issues with dual-stack gateways.
2013-07-05 09:48:27 +02:00
Tobias Brunner 607f8e9906 plugin-loader: Add method to print loaded plugins on a given log level 2013-06-21 15:17:53 +02:00
Tobias Brunner 92f102c21b android: Forward initiator flag to libipsec when adding IPsec SA 2013-06-13 13:55:58 +02:00
Martin Willi a8c9454423 kernel-interface: add an exchange initiator parameter to add_sa()
This new flag gives the kernel-interface a hint how it should prioritize the
use of newly installed SAs during rekeying.

Consider the following rekey procedure in IKEv2:

Initiator  ---    Responder

I1 -------CREATE-------> R1
I2 <------CREATE--------
   -------DELETE-------> R2
I3 <------DELETE--------

SAs are always handled as pairs, the following happens at the SA level:

  * Initiator starts the exchange at I1
  * Responder installs new SA pair at R1
  * Initiator installs new SA pair at I2
  * Responder removes old SA pair at R2
  * Initiator removes old SA pair at I3

This makes sure SAs get installed/removed overlapping during rekeying. However,
to avoid any packet loss, it is crucial that the new outbound SA gets
activated at the correct position:

  * as exchange initiator, in I2
  * as exchange responder, in R2

This should guarantee that we don't use the new outbound SA before the peer
could install its corresponding inbound SA.

The new parameter allows the kernel backend to install the new SA with
appropriate priorities, i.e. it should:

  * as exchange initiator, have the new outbound SA installed with higher
    priority than the old SA
  * as exchange responder, have the new outbound SA installed with lower
    priority than the old SA

While we could split up the SA installation at the responder, this approach
has another advantage: it allows the kernel backend to switch SAs based on
other criteria, for example when receiving traffic on the new inbound SA.
2013-06-11 15:58:48 +02:00
Martin Willi 5c12700f9a kernel-interface: query SAD for last use time if SPD query didn't yield one 2013-05-06 17:01:13 +02:00
Martin Willi 0be946dce3 Use the GEN silent rule when generating files with sed 2013-05-06 15:04:56 +02:00
Tobias Brunner 55321dcfb6 New Android release after adding AES-GCM, IPv6-in-IPv4 and using kernel-netlink
libipsec now supports AES-GCM, IPv6 tunnels over IPv4 are supported,
native x86 libraries are built (requires a new Vstr build script).
Also, the existing kernel-netlink plugin now provides the kernel-net
implementation, which should be more stable in case multiple interfaces
are up and have IP addresses installed on them.
2013-05-03 16:02:39 +02:00
Tobias Brunner 740aedfec1 android: Use stronger ESP proposal including AES-GCM 2013-05-03 16:02:39 +02:00
Tobias Brunner 61fb3267b2 android: Remove unused methods on NetworkManager/network_manager_t 2013-05-03 15:11:20 +02:00
Tobias Brunner 70dfac4459 android: Ignore interface 'lo'
Android adds a default route via 'lo' if no connectivity is available
causing charon to send packets via lo and triggering DPD.
2013-05-03 15:11:20 +02:00
Tobias Brunner 18dab76bfa android: Repurpose android-net to simply handle connectivity events
Using the events from NetworkManager/ConnectivityManager to trigger roam events
instead of the events generated by the kernel-netlink plugin, the noise level
is much lower.
2013-05-03 15:11:20 +02:00
Tobias Brunner 3b7f25906e android: Replace android-net plugin with kernel-netlink
Virtual IPs are not handled by the kernel-netlink plugin and tun devices are
ignored.
2013-05-03 15:11:19 +02:00
Tobias Brunner 67332b4e22 android: Set strongswan.conf options before initializing other libraries 2013-05-03 15:11:19 +02:00
Tobias Brunner 24b5e71522 android: No need to disable CMS explicitly
The version check introduced with 0d237763 should take care of it.
2013-03-20 17:02:37 +01:00