Martin Willi
d05d85fe65
kernel-interface: Pass full list of traffic selectors to add_sa()
...
While we can handle the first selector only in BEET mode in kernel-netlink,
passing the full list gives the backend more flexibility in how to handle this
information.
2015-02-20 13:34:47 +01:00
Martin Willi
fd9417607c
libipsec: Remove unused src/dst_ts parameters from ipsec_sa_mgr_t.add_sa()
2015-02-20 13:34:47 +01:00
Martin Willi
2a1c9e20bd
kernel-interface: Remove reqid parameter from get_spi/get_cpi() methods
...
The reqid is not strictly required, as we set the reqid with the update
call when installing the negotiated SA.
If we don't need a reqid at this stage, we can later allocate the reqid in
the kernel backend once the SA parameters have been fully negotiated. This
allows us to assign the same reqid for the same selectors to avoid conflicts
on backends where this is necessary.
2015-02-20 13:34:32 +01:00
Martin Willi
3e779ff555
libipsec: Remove unused reqid parameter from ipsec_sa_mgr_t.get_spi()
2015-02-19 15:42:22 +01:00
Martin Willi
7f82a8f34b
osx: Update the README with App related bits
2014-12-17 16:54:28 +01:00
Martin Willi
dacd667c84
osx: Initial import of the Objective-C App graphical user interface
2014-12-17 16:53:45 +01:00
Martin Willi
1c6188a0c2
charon-xpc: Add a work-around to trigger IP address add events after boot
2014-12-16 17:22:27 +01:00
Tobias Brunner
fc02a9d4b9
android: New release based on 5.2.1 and after adding EAP-TLS
...
Also enables support for IKEv2 fragmentation, provides improved MOBIKE
handling and optionally enables PFS for CHILD_SAs.
2014-11-06 17:16:27 +01:00
Tobias Brunner
baa4e774c1
android: Build binaries for MIPS
2014-11-06 17:11:55 +01:00
Tobias Brunner
bdc4cea316
android: Increase fragment size
...
We use the same value we use as MTU on TUN devices.
2014-11-06 17:05:47 +01:00
Tobias Brunner
6fddf2af73
android: Enable IKEv2 fragmentation
2014-11-06 16:56:54 +01:00
Tobias Brunner
0e44999867
android: Use %any as AAA identity, but disable EAP-only authentication
...
Without verification of the identity we can't prevent a malicious user
with a valid certificate from impersonating the AAA server and thus the
VPN gateway. So unless we make the AAA identity configurable we have to
prevent EAP-only authentication.
2014-11-06 16:28:40 +01:00
Tobias Brunner
4b39a4117a
android: Add support for signature schemes used by EAP-TLS
2014-11-06 16:28:40 +01:00
Tobias Brunner
0ef74bec98
android: Allow enumeration of untrusted certificates
2014-11-06 16:28:40 +01:00
Tobias Brunner
34ca3795c8
android: Handle EAP-TLS in Android service
2014-11-06 16:28:40 +01:00
Tobias Brunner
93923149e4
android: Enable EAP-TLS plugin in the app
2014-11-06 16:28:40 +01:00
Tobias Brunner
a1700c9903
android: Add EAP-TLS VPN type to the GUI
2014-11-06 16:28:40 +01:00
Tobias Brunner
a64089738d
android: Change how features of VPN types are stored and checked
2014-11-06 16:28:40 +01:00
Tobias Brunner
fdeda63df0
android: Fix PA-TNC construction based on data passed via JNI
2014-10-15 13:55:13 +02:00
Tobias Brunner
3307de1f8d
android: Implement get_contracts() method in IMC state object
2014-10-14 10:37:55 +02:00
Tobias Brunner
f4e6f89aa9
android: libpts does not exist anymore, don't attempt to load it
2014-10-14 10:12:16 +02:00
Tobias Brunner
bed09f2baf
android: Update receive_message() to new imc_msg_t.receive() signature
2014-10-13 18:16:47 +02:00
Tobias Brunner
f502e503fb
android: Remove references to libpts
2014-10-13 17:18:06 +02:00
Martin Willi
5421092b75
plugin-loader: Support a reload() callback for static features
2014-09-22 13:55:12 +02:00
Tobias Brunner
f9ceb5b543
android: Reduce CHILD_SA lifetime
2014-09-12 10:21:50 +02:00
Tobias Brunner
1fe3b02838
android: Add DH groups to ESP proposals
2014-09-12 10:21:49 +02:00
Tobias Brunner
ac1b3a6ddd
android: Reestablish IKE_SA if CHILD_SA rekeying failed
2014-09-12 10:18:13 +02:00
Tobias Brunner
a39c28bb35
android: Report error if CHILD_SA rekeying fails
2014-09-12 10:18:13 +02:00
Tobias Brunner
e58764ca0f
android: Add support for querying use stats of a CHILD_SA
2014-09-09 10:57:51 +02:00
Tobias Brunner
ffa9b67189
dns-proxy: Don't use proxy socket if we fail to bypass it
...
This will result in an infinite loop as packets sent over that socket
will again pass through the TUN device and the DNS proxy.
Apparently, bypassing fails when airplane mode is enabled.
Fixes #662.
2014-07-30 09:48:08 +02:00
Tobias Brunner
8d31df9099
android: New release after adding certificate import, DNS proxy and GUI changes
2014-07-22 11:34:09 +02:00
Tobias Brunner
ffff7219ef
android: For keyingtries > 0 notify the GUI if the limit is reached when reestablishing
...
The IKE_SA is destroyed anyway, so letting the GUI remain in
"connecting" state would be incorrect.
We still use keyingtries=0 for now, though. And we still abort after the
first failed attempt initially, in case there is a configuration error.
2014-07-22 11:10:36 +02:00
Tobias Brunner
5fd9e5fd00
android: Terminate IKE_SA if initial IKE_SA_INIT fails
...
Since VpnStateService.disconnect() is now not called until the error
dialog is dismissed the daemon would continue to try connecting.
So while the error dialog is shown the connection might actually be
successfully established in the background, which is not intended.
This way the IKE_SA is destroyed right after sending the IKE_SA_INIT of
the second connection attempt (due to keyingtries=0).
2014-07-22 11:10:36 +02:00
Tobias Brunner
945832c67d
android: Only allow DNS queries for the configured hostname
2014-07-22 11:10:36 +02:00
Tobias Brunner
e77f226a0f
android: Add optional filter functionality to DNS proxy
...
If specified only queries for a list of allowed host names will be
proxied.
2014-07-22 11:10:36 +02:00
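The filter described in the two commits above (only proxy queries for the configured host names) needs to look into the DNS request before forwarding it. The following is an added illustration, not code from the strongSwan Android app: a minimal parser for the question section of a DNS query plus an allow-list check, written in Python rather than the app's Java. The query bytes are constructed inline with build_query(); the DnsFilter class and its method names are assumptions for this example.

```python
import struct

# Constructed sample input: build a standard A query for qname (not captured traffic).
def build_query(qname: str, txid: int = 0x1234) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_question_name(packet: bytes) -> str:
    """Return the lower-cased QNAME of the first question, raising ValueError on malformed input."""
    if len(packet) < 12:
        raise ValueError("truncated header")
    _txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000:  # QR bit set: this is a response, not something to proxy
        raise ValueError("not a query")
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers are not valid in a query's question name
            raise ValueError("compression pointer in question name")
        label = packet[pos:pos + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii").lower())
        pos += length
    if pos + 4 > len(packet):  # QTYPE and QCLASS must follow
        raise ValueError("truncated question")
    return ".".join(labels)


class DnsFilter:
    """Decide whether a query may be proxied. allowed_hosts=None means no filtering (assumption)."""

    def __init__(self, allowed_hosts=None):
        self.allowed = (None if allowed_hosts is None
                        else {h.lower().rstrip(".") for h in allowed_hosts})

    def should_proxy(self, packet: bytes) -> bool:
        try:
            name = parse_question_name(packet)
        except ValueError:
            return False  # drop anything we cannot parse instead of forwarding it
        if self.allowed is None:
            return True
        return name in self.allowed  # exact host name match only, no wildcard/suffix matching
```

Only exact names are matched, which is the conservative reading of "a list of allowed host names"; a suffix match would let a client resolve arbitrary names under the gateway's domain while the tunnel is being re-established.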
Tobias Brunner
c66f5f844d
android: Recreate the TUN device without DNS when reestablishing IKE_SAs
...
This enables DNS resolution while reestablishing if the VPN gateway pushed
DNS servers to the client that are only reachable via VPN.
2014-07-22 11:10:36 +02:00
Tobias Brunner
36aab70ab0
android: Add method to BuilderAdapter to re-establish without DNS-related data
...
Non-DNS data is cached in the BuilderAdapter so the TUN device can be
recreated easily (since the CHILD_SA is gone we couldn't actually gather
that information).
2014-07-22 11:10:36 +02:00
Tobias Brunner
cc1712a8f4
android: Use DNS proxy when reestablishing IKE_SAs
2014-07-22 11:10:36 +02:00
Tobias Brunner
614359a7d5
bus: Add ike_reestablish_pre hook, called before DNS resolution
...
The old hook is renamed to ike_reestablish_post and is now also called
when the initiation of the new IKE_SA failed.
2014-07-22 11:10:36 +02:00
Tobias Brunner
2dc26c557e
android: Add DNS proxy implementation
...
This class proxies DNS requests over VPN-protected UDP sockets.
It is not really Android specific and might be useful for
kernel-libipsec or libipsec in general too, so we could maybe move it later
to libipsec (might need some portability work).
2014-07-22 11:10:36 +02:00
Tobias Brunner
394be2d556
android: Delay disconnecting on errors until user dismisses them
...
If e.g. reauthentication fails we don't want to close the TUN device
until the user acknowledged the error and is thus aware of the failure.
2014-07-22 10:55:51 +02:00
Tobias Brunner
08d545e29a
android: Set CHILD_STATE_DOWN when the IKE_SA gets reestablished
2014-07-22 10:55:51 +02:00
Tobias Brunner
fb5d541503
android: Set CHILD_STATE_DOWN whenever the CHILD_SA goes down
...
No matter what triggers it. We also don't close the TUN device, but we
might handle that differently in the future to allow reestablishing the
IKE_SA if host names have to be re-resolved via DNS.
2014-07-22 10:55:51 +02:00
Tobias Brunner
1435bd2e1b
android: Change to CONNECTING state if CHILD_SA goes down
...
Unless we are disconnecting. This currently triggers the connecting
dialog, perhaps just updating the status text would do too (when switching
from CONNECTED to CONNECTING, not from DISCONNECTED to CONNECTING).
2014-07-22 10:55:51 +02:00
Tobias Brunner
d4bf6bfb15
android: Do not use deprecated TwoLineListItem
2014-07-22 10:41:51 +02:00
Tobias Brunner
7073bfe4e9
android: Add support for ECDSA private keys
...
With 4.4.4 these work fine now.
2014-07-22 10:41:51 +02:00
Tobias Brunner
3dc92ff9cf
android: Show a confirmation dialog before importing certificates
...
Since the import activity can be triggered by any other app on the
system we shouldn't just import every certificate we get.
Also, in some situations (e.g. if no passphrase has been set yet for the
system-wide certificate store) we are the only application that can open
certificate files. So if a user clicked on a certificate file she would
just get a confirmation Toast about a successful import, with no indication
whatsoever where the certificate was actually imported. The new dialog
shows the app icon to indicate that strongSwan is involved.
2014-07-22 10:41:51 +02:00
Tobias Brunner
1ed922c918
android: Use Storage Access Framework to import certificates
...
Thanks to the SAF, introduced with Android 4.4, browsing and opening
files on the system is very easy to implement.
On older systems the menu option is removed.
2014-07-22 10:41:51 +02:00
Tobias Brunner
94cc8f6a72
android: Add activity to import certificate files
...
Such files can e.g. be opened from the Download view, if they are
associated with one of the supported mime-types.
2014-07-22 10:41:50 +02:00
Tobias Brunner
ac200bcda5
android: Imported certificates may be clicked to delete them
2014-07-22 10:41:50 +02:00
Tobias Brunner
eb01649079
android: Reload CA certificates without AsyncTask
...
We already use loaders in the GUI that can handle this asynchronously.
2014-07-22 10:41:50 +02:00
Tobias Brunner
918200378d
android: Change how CA certificate reloads are initiated
2014-07-22 10:41:50 +02:00
Tobias Brunner
08de6a08f0
android: Add option to reload CA certificates to TrustedCertificatesActivity
2014-07-22 10:41:50 +02:00
Tobias Brunner
2312985b2a
android: Replace option to reload CA certificates with CA certificate view
...
The reload option will be added there.
2014-07-22 10:41:50 +02:00
Tobias Brunner
1353f08fbc
android: Only close TrustedCertificatesActivity on click when selecting a certificate
2014-07-22 10:41:50 +02:00
Tobias Brunner
9c841b1f34
android: Set action when using TrustedCertificatesActivity to select a certificate
2014-07-22 10:41:50 +02:00
Tobias Brunner
f21a69dbec
android: Allow selection of local certificates
2014-07-22 10:41:49 +02:00
Tobias Brunner
3b2b536b70
android: Change how CA certificates from different sources are accessed
2014-07-22 10:41:49 +02:00
Tobias Brunner
8cdce00eb1
android: Cache certificates from multiple KeyStores
...
Including the new local one.
2014-07-22 10:41:49 +02:00
Tobias Brunner
8d3a058abc
android: Register local certificate store provider when the app is initialized
2014-07-22 10:41:49 +02:00
Tobias Brunner
5eb4297046
android: Add Provider for the local certificate store
2014-07-22 10:41:49 +02:00
Tobias Brunner
544267889e
android: Add KeyStoreSpi implementation that uses LocalCertificateStore
2014-07-22 10:41:49 +02:00
Tobias Brunner
275888d255
android: Add local certificate store
...
The class manages certificates stored in files within the app's
private data directory.
2014-07-22 10:41:49 +02:00
Tobias Brunner
463a6cd005
android: Move TrustedCertificateEntry to a new package
2014-07-22 10:41:49 +02:00
Tobias Brunner
6684195505
android: Subclass Application to provide static access to the application context
2014-07-22 10:41:49 +02:00
Tobias Brunner
7229bdd5c7
android: Target latest SDK version
2014-07-22 10:41:49 +02:00
Tobias Brunner
140ce41a39
android: Add utility method to convert a byte array to a hex string
2014-07-22 10:41:48 +02:00
Tobias Brunner
9d994ba5ea
android: Remove unused hash argument from getTrustedCertificates()
2014-07-22 10:41:48 +02:00
Tobias Brunner
b9fd95f476
android: Use correct tag to define category for CREATE_SHORTCUT intent-filter
2014-07-22 10:41:48 +02:00
Tobias Brunner
3e4ce88633
android: Define HAVE_DLADDR as plugin loader checks for it
2014-06-24 15:53:25 +02:00
Martin Willi
30c009c2fe
kernel-interface: Add a replay_window parameter to add_sa()
2014-06-17 16:41:30 +02:00
Martin Willi
8d74ec9e80
ike: Add an additional but separate AEAD proposal to CHILD config
...
This currently has no effect: We don't include AEAD algorithms in the default
ESP proposal, as we don't know if it is supported by the backend. But as we
hopefully get an algorithm query mechanism on kernel interfaces some day, we
add the appropriate functionality nonetheless.
2014-05-16 16:51:19 +02:00
Martin Willi
879e3d12ca
ike: Add an additional but separate AEAD proposal to IKE config, if supported
2014-05-16 16:51:19 +02:00
Tobias Brunner
446c036794
android: New release based on 5.1.3
...
Also links OpenSSL statically and doesn't limit the number of packets
during EAP-TTLS.
2014-04-25 14:39:22 +02:00
Tobias Brunner
8064764070
android: Use static version of libcrypto
...
System.loadLibrary() searches in system directories first (at least in
recent releases), that is, our own build wouldn't actually get used.
2014-04-25 14:26:31 +02:00
Martin Willi
65117a0764
nm: Bump NetworkManager plugin version to 1.3.1
2014-04-24 15:53:38 +02:00
Tobias Brunner
65ee857a88
android: Don't limit number to packets during EAP-TTLS
2014-02-18 11:32:37 +01:00
Tobias Brunner
1c306c0ee9
libcharon: Remove unused charon->name
2014-02-12 14:34:33 +01:00
Tobias Brunner
10c4f4e1fd
libhydra: Remove unused hydra->daemon
2014-02-12 14:34:32 +01:00
Tobias Brunner
34d3bfcf14
lib: Add global config namespace
2014-02-12 14:34:31 +01:00
Tobias Brunner
0b506edb19
nm: Require the PSK to be at least 20 characters long
2013-11-27 18:36:58 +01:00
Tobias Brunner
692a421aa0
nm: German translation updated
2013-11-27 18:36:58 +01:00
Tobias Brunner
594878e552
nm: Add PSK option to auth-dialog
2013-11-27 18:36:58 +01:00
Tobias Brunner
63528ebd3f
nm: Add pre-shared key option in GUI
2013-11-27 18:36:58 +01:00
Tobias Brunner
cfaec93111
nm: Make intltool recognize glade files properly
2013-11-27 18:36:58 +01:00
Tobias Brunner
85adb98daf
android: New release based on 5.1.1
...
This fixes issues with IVs and padding in ESP handling and removes the
Vstr dependency.
2013-11-13 17:41:24 +01:00
Tobias Brunner
20c99edab9
android: Remove dependency on libvstr
2013-11-13 11:40:47 +01:00
Martin Willi
10900ed7e7
charon-xpc: Set AUTH_RULE_IDENTITY_LOOSE on responder config
...
This allows the server to use a different IKE identity as long as the
configured hostname is contained in the certificate.
2013-11-01 12:05:48 +01:00
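Two commits on this page touch the same check: the android one that keeps EAP-only authentication disabled while the AAA identity is %any, and the charon-xpc one above that sets AUTH_RULE_IDENTITY_LOOSE. The following added example (Python, not strongSwan code) shows the policy both rely on. PeerCert is a constructed stand-in for the identities a certificate carries (no X.509 parsing), and identity_accepted() models strict matching, loose matching and the %any case; the function and field names are assumptions for this illustration.

```python
from dataclasses import dataclass, field

ANY = "%any"  # configured identity meaning "do not verify the peer's identity"


@dataclass
class PeerCert:
    """Identities certified by the peer's certificate (constructed stand-in, no X.509 parsing)."""
    subject_cn: str
    san_dns: list = field(default_factory=list)
    san_ip: list = field(default_factory=list)

    def identities(self) -> set:
        return {self.subject_cn.lower(), *(d.lower() for d in self.san_dns), *self.san_ip}


def identity_accepted(configured_id: str, presented_id: str, cert: PeerCert, loose: bool) -> bool:
    """Accept the peer's IKE identity against what we configured for it.

    - configured %any: no identity verification at all, any valid certificate passes.
    - strict: the presented IKE identity must equal the configured one and be in the cert.
    - loose: the presented identity may differ, as long as the configured name is in the cert.
    """
    if configured_id == ANY:
        return True
    if presented_id.lower() not in cert.identities():
        return False  # the certificate must certify the identity the peer claims
    if presented_id.lower() == configured_id.lower():
        return True
    return loose and configured_id.lower() in cert.identities()


def eap_only_allowed(aaa_identity: str) -> bool:
    """EAP-only is only safe when the AAA identity is actually verified, i.e. not %any."""
    return aaa_identity != ANY
```

The last assertion in the test is the scenario the android commit guards against: with the AAA identity set to %any, a holder of any certificate issued by a trusted CA is accepted as the server.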
Martin Willi
1ba47fa565
charon-xpc: Load missing eap-md5 plugin after enabling it
2013-10-28 15:18:11 +01:00
Martin Willi
9f2a4d3315
charon-xpc: Disable warnings about deprecated functions
...
This avoids all the deprecated warnings when using OpenSSL functions.
2013-10-28 14:51:59 +01:00
Martin Willi
f5ea7d781f
charon-xpc: Avoid -all_load linker flag
...
This seems to be not required anymore with the LLVM 5 toolchain.
2013-10-28 14:51:51 +01:00
Martin Willi
a1c2ed8820
charon-xpc: Properly xpc_retain() connections we xpc_release()
2013-10-28 14:51:40 +01:00
Martin Willi
888d8d73ab
charon-xpc: Properly cast SA identifier to uintptr representation
2013-10-28 14:51:28 +01:00
Martin Willi
3e40dbb128
charon-xpc: Don’t build against libvstr anymore
...
We now have our own printf backend and use it instead of Vstr.
2013-10-28 14:51:03 +01:00
Martin Willi
6a3cfbdc0d
charon-xpc: Build with EAP-MD5 support
2013-10-28 14:49:19 +01:00
Martin Willi
d7083b6541
kernel: Use a time_t to report use time in query_policy()
2013-10-11 10:23:17 +02:00
Martin Willi
c99458e94e
kernel: Use a time_t to report use time in query_sa()
2013-10-11 10:23:17 +02:00
Tobias Brunner
e4d63cfae7
android: New release after fixing remediation instructions regression
2013-09-26 13:53:39 +02:00
Tobias Brunner
00f7b29422
android: Change progress dialog handling
...
With the previous code the dialog sometimes was hidden for a short while
before it got reopened.
2013-09-26 13:53:25 +02:00
Tobias Brunner
cfed5679b8
android: Clear remediation instructions when starting a new connection
2013-09-26 13:00:45 +02:00
Tobias Brunner
c17cbfdb72
android: New release after improving recovery after connectivity changes
2013-09-23 14:33:29 +02:00
Tobias Brunner
3817231333
android: Change state handling to display errors occurring while the app is hidden
...
A new connection ID allows listeners to track which errors they have
already shown to the user or were already dismissed by the user.
This was necessary because the state fragment is now unregistered from
state changes when it is not shown.
2013-09-23 12:01:43 +02:00
Tobias Brunner
b4a5b185fc
android: Don't update state fragments when they are not displayed
...
Besides that updates don't make much sense when the fragments are not
displayed this fixes the following exception:
java.lang.IllegalStateException: Can not perform this action after
onSaveInstanceState
2013-09-23 12:01:42 +02:00
Tobias Brunner
c3ee829eee
android: Properly handle failures while initializing charon
2013-09-23 11:49:52 +02:00
Tobias Brunner
c742905f50
android: Fix compilation after PTS header files were moved
2013-09-04 16:18:29 +02:00
Martin Willi
3070697f9f
ike: support multiple addresses, ranges and subnets in IKE address config
...
Replace the allowany semantic by a more powerful subnet and IP range matching.
Multiple addresses, DNS names, subnets and ranges can be specified in a comma
separated list. Initiators ignore the ranges/subnets, responders match
configurations against all addresses, ranges and subnets.
2013-09-04 10:38:37 +02:00
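The comma-separated address syntax described above (addresses, DNS names, subnets and ranges; initiators ignore ranges and subnets, responders match against everything) is easy to get subtly wrong, so here is an added example of a parser and matcher for it in Python. It is not strongSwan's own implementation: the entry kinds, the resolver callback (a function from name to a list of address strings) and the function names are assumptions made for this illustration.

```python
import ipaddress


def parse_address_config(spec: str) -> list:
    """Parse "a, b, c" into (kind, value) pairs; kind is address, subnet, range or name."""
    entries = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "/" in item:
            entries.append(("subnet", ipaddress.ip_network(item, strict=False)))
        elif "-" in item:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"invalid range: {item}")
            entries.append(("range", (lo, hi)))
        else:
            try:
                entries.append(("address", ipaddress.ip_address(item)))
            except ValueError:
                entries.append(("name", item))  # anything that is not an IP is a DNS name
    return entries


def responder_matches(entries: list, peer_ip: str, resolver=None) -> bool:
    """Responder: accept the peer if its address matches any entry (names are resolved, if possible)."""
    ip = ipaddress.ip_address(peer_ip)
    for kind, value in entries:
        if kind == "address" and value == ip:
            return True
        if kind == "subnet" and ip in value:  # ip_network rejects a mismatched IP version itself
            return True
        if kind == "range" and value[0].version == ip.version and value[0] <= ip <= value[1]:
            return True
        if kind == "name" and resolver is not None:
            if ip in {ipaddress.ip_address(a) for a in resolver(value)}:
                return True
    return False


def initiator_targets(entries: list, resolver) -> list:
    """Initiator: only concrete addresses and resolved names can be connected to; ranges/subnets are skipped."""
    targets = []
    for kind, value in entries:
        if kind == "address":
            targets.append(str(value))
        elif kind == "name":
            targets.extend(resolver(value))
    return targets
```

The range check compares IP versions before ordering the addresses, because ipaddress raises TypeError when an IPv4 and an IPv6 address are compared, and a mixed-version configuration should simply not match rather than crash the responder.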
Martin Willi
9aeaa7396e
peer-cfg: add a pull/push mode option to use with mode config
2013-09-04 10:33:37 +02:00
Martin Willi
a0cd955f42
charon-xpc: add a note how to build the source tarball
2013-08-29 12:28:54 +02:00
Martin Willi
74ee1120d7
charon-xpc: include and prefer AES-GCM algorithms in ESP proposal
2013-08-29 11:37:07 +02:00
Martin Willi
8fa7c5c191
charon-xpc: load missing ctr/ccm/gcm plugins
2013-07-31 16:28:11 +02:00
Martin Willi
aafb6fa6c2
charon-xpc: use kernel-libipsec instead of kernel-pfkey
2013-07-31 11:41:37 +02:00
Martin Willi
546235d34c
charon-xpc: fix TS getting after changing CHILD_SA API
2013-07-31 11:41:31 +02:00
Tobias Brunner
146fa8b2d3
charon-xpc: Use correct namespace when setting default settings
2013-07-22 17:44:37 +02:00
Tobias Brunner
0ceb288815
Fix various API doc issues and typos
...
Partially based on an old patch by Adrian-Ken Rueegsegger.
2013-07-18 18:30:36 +02:00
Martin Willi
b9c47eae06
xpc: allow easy copy & paste of ./configure instructions
2013-07-18 12:17:56 +02:00
Martin Willi
7f1adbe94e
xpc: use -idirafter to build against openssl headers from /usr/include
2013-07-18 12:17:56 +02:00
Martin Willi
06e8712cb3
xpc: forward some risen alerts over XPC to App
2013-07-18 12:17:56 +02:00
Martin Willi
e7ee45ef38
xpc: enable close_ike_on_child_failure
2013-07-18 12:17:56 +02:00
Martin Willi
e37c5d46d3
xpc: send a "connecting" event when establishing a connection starts
2013-07-18 12:17:56 +02:00
Martin Willi
3ffa310c44
xpc: use osx-attr plugin to install configuration attributes
2013-07-18 12:17:56 +02:00
Martin Willi
c7ac7f92e9
xpc: update README with new events, markdown style fixes
2013-07-18 12:17:55 +02:00
Martin Willi
4edcc86149
xpc: send child_updown events over XPC channel
2013-07-18 12:17:55 +02:00
Martin Willi
d60c8d2c74
xpc: support termination of IKE_SAs using XPC RPC on connection channel
2013-07-18 12:17:55 +02:00
Martin Willi
790ad9e677
xpc: move XPC RPC reply creation to command dispatching
2013-07-18 12:17:55 +02:00
Martin Willi
a0c125eacb
xpc: terminate daemon when last XPC connection to App gone
2013-07-18 12:17:55 +02:00
Martin Willi
6aae6268d7
xpc: fix some refcounting issues related to XPC connections
2013-07-18 12:17:55 +02:00
Martin Willi
22bffc647d
xpc: no need to clear channel table, they are bound to IKE_SA lifetime
2013-07-18 12:17:55 +02:00
Martin Willi
1a3f71d97a
xpc: add support for logging over XPC channels
2013-07-18 12:17:55 +02:00
Martin Willi
fbc89786b5
xpc: don't warn about pointer signedness mismatch (-Wno-pointer-sign)
2013-07-18 12:17:55 +02:00
Martin Willi
dcf8a3c78b
xpc: add a description of the basic XPC protocol to README
2013-07-18 12:17:55 +02:00
Martin Willi
d5966e71e9
xpc: use the same XPC message "type" mechanism on Mach service as on channels
2013-07-18 12:17:55 +02:00
Martin Willi
39d15dde67
xpc: ask App for passwords using connection specific channel
2013-07-18 12:17:55 +02:00
Martin Willi
8279ce99c4
xpc: use IKE_SA specific XPC return channels for further communication
2013-07-18 12:17:55 +02:00
Martin Willi
bc74e18223
xpc: don't send certificate requests, there are too many when using keychain
2013-07-18 12:17:55 +02:00
Martin Willi
5016370390
xpc: build with support for the keychain plugin
2013-07-18 12:17:55 +02:00
Martin Willi
e73a653451
xpc: add support for initiate simple IKEv2 EAP connections
2013-07-18 12:17:54 +02:00
Martin Willi
3dcc9d7aa7
xpc: move dispatching to dedicated class, using dedicated thread
2013-07-18 12:17:54 +02:00
Martin Willi
4204d1d71a
xpc: use non-inlining variant of vstr, compiler does not like it
2013-07-18 12:17:54 +02:00
Martin Willi
6f8c626b81
xpc: add Xcode project for a charon controlled through XPC
2013-07-18 12:17:54 +02:00
Tobias Brunner
b23bd71466
android: New release after adding support for EAP-TNC
...
Also disabled listening on IPv6 because the Linux kernel currently does
not support UDP encapsulation for IPv6.
2013-07-08 18:51:07 +02:00
Tobias Brunner
7ccf02ee93
android: Properly handle dotted-quad notation of IPv6 addresses
...
For netstat output like ::ffff:127.0.0.1:9876 we shall not treat 127 as the
port but 9876 instead.
2013-07-08 18:49:30 +02:00
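The bug fixed above (splitting a netstat "local address" on the first colon instead of the last) is the classic IPv4-mapped IPv6 trap. As an added example, not the app's Java code, here is a Python version of the port-filter collection these commits describe: it splits host and port from the right, unwraps bracketed IPv6 literals, and reports listening TCP and all UDP sockets from netstat-style output. The sample output is constructed for this example and the function names are assumptions.

```python
def split_host_port(endpoint: str) -> tuple:
    """Split 'host:port' as printed by netstat; the port is always after the LAST colon."""
    host, sep, port = endpoint.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"no port in {endpoint!r}")
    if host.startswith("[") and host.endswith("]"):  # some tools print [::1]:22
        host = host[1:-1]
    return host, int(port)


def listening_ports(netstat_output: str) -> list:
    """Return (proto, host, port) for TCP sockets in LISTEN state and all UDP sockets."""
    result = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith(("tcp", "udp")):
            continue  # banner and header lines
        proto, local = fields[0], fields[3]
        state = fields[5] if len(fields) > 5 else ""  # UDP lines carry no state column
        if proto.startswith("tcp") and state != "LISTEN":
            continue
        host, port = split_host_port(local)
        result.append((proto, host, port))
    return result


# Constructed sample in `netstat -lnu -lnt` style; not taken from a real device.
SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5037          127.0.0.1:43210         ESTABLISHED
tcp6       0      0 ::ffff:127.0.0.1:9876   :::*                    LISTEN
tcp6       0      0 :::8080                 :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp6       0      0 :::5353                 :::*
"""
```

Note that "::ffff:127.0.0.1" is kept verbatim as the host; whether a collector should normalise it to 127.0.0.1 is a separate policy decision.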
Tobias Brunner
97f1dfb3ec
android: Allow IMC state to be dismissed with a swipe gesture
2013-07-08 18:49:30 +02:00
Tobias Brunner
a9f94d7efb
android: Use explicit locale when converting settings names
...
Apparently, these functions use the user's default locale which might not
yield the expected result (e.g. lowercase I is not i in the Turkish
locale but ı instead).
2013-07-08 18:49:30 +02:00
Tobias Brunner
e1a98e7956
android: Add information about transmitted data if EAP-TNC is selected
2013-07-08 18:49:30 +02:00
Tobias Brunner
9390499584
android: Reuse certificate selector as generic two line button
2013-07-08 18:49:30 +02:00
Tobias Brunner
671614d229
android: Add device ID in BeginHandshake
2013-07-08 18:49:30 +02:00
Tobias Brunner
8a5bffb0fe
android: Add new VpnType to enable BYOD features
2013-07-08 18:49:30 +02:00
Tobias Brunner
2ecda3421a
android: Use a different set of plugins if BYOD features are enabled
2013-07-08 18:49:29 +02:00
Tobias Brunner
6e872fea7a
android: IMC state fragment is a button that shows remediation instructions or log
2013-07-08 18:49:29 +02:00
Tobias Brunner
254d8679c6
android: Show remediation instructions instead of log on failure
2013-07-08 18:49:29 +02:00
Tobias Brunner
873f389b37
android: Properly hide the IMC state fragment initially
2013-07-08 18:49:29 +02:00
Tobias Brunner
0ef98957a7
android: Add activity that displays a list of remediation instructions
...
On large displays a two-pane layout is used that displays the list next
to the actual instructions.
2013-07-08 18:49:29 +02:00
Tobias Brunner
611d35e8e8
android: Add fragment for a list of remediation instructions
...
This fragment can later be used in one- or two-pane layouts.
2013-07-08 18:49:29 +02:00
Tobias Brunner
b6e05f6518
android: Add adapter for remediation instructions
2013-07-08 18:49:29 +02:00
Tobias Brunner
ea022bb194
android: Add fragment that displays a single remediation instruction
2013-07-08 18:49:29 +02:00
Tobias Brunner
c469cd2a66
android: RemediationInstruction implements Parcelable interface
2013-07-08 18:49:29 +02:00
Tobias Brunner
2b91085701
android: Background for state panels provides separator
2013-07-08 18:49:29 +02:00
Tobias Brunner
e5bf6dcddc
android: Add fragment that displays the IMC state
...
The fragment hides itself if the state is unknown or the assessment
succeeded.
2013-07-08 18:49:29 +02:00
Tobias Brunner
a05acd7629
android: Handle and store IETF remediation instructions
2013-07-08 18:49:28 +02:00
Tobias Brunner
0484989dbd
android: Add a parser for XML remediation instructions
2013-07-08 18:49:28 +02:00
Tobias Brunner
a8dc42b295
android: Show different error message depending on IMC state
2013-07-08 18:49:28 +02:00
Tobias Brunner
5e7a4193e5
android: Clear error only when the user explicitly dismisses the dialog
...
The previous code worked fine on rotation changes as the fragment is
destroyed and recreated causing onCreate to be called, which restores the
saved error state. But if the user switches to a different application
and then back this is not the case. The dialog still gets dismissed (as
we have to do so to avoid nasty exceptions on rotation changes) but since
that implicitly cleared the error state the UI was never fully restored.
2013-07-08 18:49:28 +02:00
Tobias Brunner
dc52cfab73
android: Add state of IMC to VpnStateService and update it via JNI
2013-07-08 18:49:28 +02:00
Tobias Brunner
d087f080f0
android: Handle TCG file measurement related attributes using PTS
2013-07-08 18:49:28 +02:00
Tobias Brunner
fd3aa004e4
android: Android IMC state provides a Platform Trust Service (PTS) instance
2013-07-08 18:49:28 +02:00
Tobias Brunner
0e53beda32
android: Provide a public interface for Android IMC state
2013-07-08 18:49:28 +02:00
Tobias Brunner
403165102c
android: Define IMC functions static and with lower-case names
2013-07-08 18:49:28 +02:00
Tobias Brunner
583fe0ccb6
android: Add measurement collector for ITA Device ID
2013-07-08 18:49:28 +02:00
Tobias Brunner
44330a171f
android: Add measurement collector for ITA Settings
2013-07-08 18:49:27 +02:00
Tobias Brunner
c179a3f6f2
android: Handle ITA PA-TNC attributes
2013-07-08 18:49:27 +02:00
Tobias Brunner
036fa7a166
android: Overload for getMeasurement() that takes a String array as argument
2013-07-08 18:49:27 +02:00
Tobias Brunner
ba59486fc8
android: Add measurement collector for Port Filter
...
This collector reports all listening TCP and UDP sockets/ports.
2013-07-08 18:49:27 +02:00
Tobias Brunner
6500727d6a
android: Enum type for transport protocols added
2013-07-08 18:49:27 +02:00
Tobias Brunner
7cb8f570ed
android: Add measurement collector for Installed Packages
2013-07-08 18:49:27 +02:00
Tobias Brunner
2d61172314
android: Add measurement collector for Product Information
2013-07-08 18:49:27 +02:00
Tobias Brunner
75d710ec63
android: Also support writing of 24-bit values
2013-07-08 18:49:27 +02:00
Tobias Brunner
5c9706f30b
android: Add measurement collector for String Version
2013-07-08 18:49:27 +02:00
Tobias Brunner
4eec7912a1
android: Interfaces for measurement collectors and attributes added
2013-07-08 18:49:27 +02:00
Tobias Brunner
2d378d8a74
android: Add a Java utility class similar to bio_writer_t
2013-07-08 18:49:27 +02:00
Tobias Brunner
28c268d707
android: Add enum types for PENs and attribute types
2013-07-08 18:49:26 +02:00
Tobias Brunner
c53210f9b0
android: Add a generic handler for PA-TNC attribute requests
...
The idea is that the Android IMC will return attributes in their binary
encoding. This keeps the JNI interface to the IMC pretty simple.
2013-07-08 18:49:26 +02:00
Tobias Brunner
aa4ff3b211
android: Added a Java part to the Android IMC
2013-07-08 18:49:26 +02:00
Tobias Brunner
753035f6d7
android: Don't attempt loading IMCs from /etc/tnc_config
2013-07-08 18:49:26 +02:00
Tobias Brunner
a6507df2ec
android: Build libpts and init/deinit libpts in BYOD IMC
2013-07-08 18:49:26 +02:00
Tobias Brunner
96658d7264
android: Added a sample IMC that sends some dummy OS data
2013-07-08 18:49:26 +02:00
Tobias Brunner
933155fae6
android: Build option added to load BYOD related plugins and libraries in the Android app
2013-07-08 18:49:26 +02:00
Tobias Brunner
0015727ebd
android: Disable listening on IPv6
...
As we have to use UDP encapsulation and the Linux kernel currently does
not support that this avoids issues with dual-stack gateways.
2013-07-05 09:48:27 +02:00
Tobias Brunner
607f8e9906
plugin-loader: Add method to print loaded plugins on a given log level
2013-06-21 15:17:53 +02:00
Tobias Brunner
92f102c21b
android: Forward initiator flag to libipsec when adding IPsec SA
2013-06-13 13:55:58 +02:00
Martin Willi
a8c9454423
kernel-interface: add an exchange initiator parameter to add_sa()
...
This new flag gives the kernel-interface a hint on how it should prioritize the
use of newly installed SAs during rekeying.
Consider the following rekey procedure in IKEv2:
  Initiator --- Responder
   I1 -------CREATE-------> R1
   I2 <------CREATE--------
      -------DELETE-------> R2
   I3 <------DELETE--------
SAs are always handled as pairs, the following happens at the SA level:
* Initiator starts the exchange at I1
* Responder installs new SA pair at R1
* Initiator installs new SA pair at I2
* Responder removes old SA pair at R2
* Initiator removes old SA pair at I3
This makes sure SAs get installed/removed overlapping during rekeying. However,
to avoid any packet loss, it is crucial that the new outbound SA gets
activated at the correct position:
* as exchange initiator, in I2
* as exchange responder, in R2
This should guarantee that we don't use the new outbound SA before the peer
could install its corresponding inbound SA.
The new parameter allows the kernel backend to install the new SA with
appropriate priorities, i.e. it should:
* as exchange initiator, have the new outbound SA installed with higher
priority than the old SA
* as exchange responder, have the new outbound SA installed with lower
priority than the old SA
While we could split up the SA installation at the responder, this approach
has another advantage: it allows the kernel backend to switch SAs based on
other criteria, for example when receiving traffic on the new inbound SA.
2013-06-11 15:58:48 +02:00
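The ordering argument in the commit message above is easy to check by simulation. The following is an added example in Python, not strongSwan code: two peers each hold a set of inbound SPIs they can decrypt and a priority-ordered map of outbound SPIs, and simulate_rekey() walks through R1, I2, R2 and I3, recording after each step whether traffic in both directions still decrypts. The priorities passed in play the role of the initiator flag; the SPI labels, the OLD_PRIO constant and the function names are assumptions for this illustration.

```python
from dataclasses import dataclass, field

OLD_PRIO = 10  # priority of the outbound SA that exists before the rekey (assumed value)


@dataclass
class Peer:
    name: str
    inbound: set = field(default_factory=set)     # SPIs this peer can decrypt
    outbound: dict = field(default_factory=dict)  # outbound SPI -> priority, highest wins

    def install_pair(self, spi_in: str, spi_out: str, priority: int) -> None:
        self.inbound.add(spi_in)
        self.outbound[spi_out] = priority

    def remove_pair(self, spi_in: str, spi_out: str) -> None:
        self.inbound.discard(spi_in)
        self.outbound.pop(spi_out, None)

    def active_outbound(self) -> str:
        """The kernel picks the outbound SA with the highest priority."""
        return max(self.outbound, key=self.outbound.get)


def deliver(src: Peer, dst: Peer) -> bool:
    """True if a packet sent on src's active outbound SA can be decrypted by dst."""
    return src.active_outbound() in dst.inbound


def simulate_rekey(initiator_new_prio: int, responder_new_prio: int) -> dict:
    """Run R1/I2/R2/I3 and return {step: (initiator_to_responder_ok, responder_to_initiator_ok)}."""
    ini, res = Peer("I"), Peer("R")
    ini.install_pair("old_ri", "old_ir", OLD_PRIO)  # old pair: I sends on old_ir, receives on old_ri
    res.install_pair("old_ir", "old_ri", OLD_PRIO)
    steps = [
        ("R1", lambda: res.install_pair("new_ir", "new_ri", responder_new_prio)),
        ("I2", lambda: ini.install_pair("new_ri", "new_ir", initiator_new_prio)),
        ("R2", lambda: res.remove_pair("old_ir", "old_ri")),
        ("I3", lambda: ini.remove_pair("old_ri", "old_ir")),
    ]
    results = {}
    for name, action in steps:
        action()
        results[name] = (deliver(ini, res), deliver(res, ini))
    return results


def lossless(results: dict) -> bool:
    return all(i2r and r2i for i2r, r2i in results.values())
```

With the priorities the commit asks for (initiator: new outbound higher than old, responder: new outbound lower than old) every step delivers. If the responder also prefers its new outbound SA, R->I traffic is lost at R1 because the initiator only installs its new inbound SA at I2; if the initiator keeps preferring the old SA, I->R traffic is lost at R2 once the responder has deleted the old pair.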
Martin Willi
5c12700f9a
kernel-interface: query SAD for last use time if SPD query didn't yield one
2013-05-06 17:01:13 +02:00
Martin Willi
0be946dce3
Use the GEN silent rule when generating files with sed
2013-05-06 15:04:56 +02:00
Tobias Brunner
55321dcfb6
New Android release after adding AES-GCM, IPv6-in-IPv4 and using kernel-netlink
...
libipsec now supports AES-GCM, IPv6 tunnels over IPv4 are supported,
native x86 libraries are built (requires a new Vstr build script).
Also, the existing kernel-netlink plugin now provides the kernel-net
implementation, which should be more stable in case multiple interfaces
are up and have IP addresses installed on them.
2013-05-03 16:02:39 +02:00
Tobias Brunner
740aedfec1
android: Use stronger ESP proposal including AES-GCM
2013-05-03 16:02:39 +02:00
Tobias Brunner
61fb3267b2
android: Remove unused methods on NetworkManager/network_manager_t
2013-05-03 15:11:20 +02:00
Tobias Brunner
70dfac4459
android: Ignore interface 'lo'
...
Android adds a default route via 'lo' if no connectivity is available
causing charon to send packets via lo and triggering DPD.
2013-05-03 15:11:20 +02:00
Tobias Brunner
18dab76bfa
android: Repurpose android-net to simply handle connectivity events
...
By using the events from NetworkManager/ConnectivityManager to trigger roam
events instead of the events generated by the kernel-netlink plugin, the noise
level is much lower.
2013-05-03 15:11:20 +02:00
Tobias Brunner
3b7f25906e
android: Replace android-net plugin with kernel-netlink
...
Virtual IPs are not handled by the kernel-netlink plugin and tun devices are
ignored.
2013-05-03 15:11:19 +02:00
Tobias Brunner
67332b4e22
android: Set strongswan.conf options before initializing other libraries
2013-05-03 15:11:19 +02:00
Tobias Brunner
24b5e71522
android: No need to disable CMS explicitly
...
The version check introduced with 0d237763
should take care of it.
2013-03-20 17:02:37 +01:00