2a43f7fd9e
Added new Android versions to PTS database
2014-02-04 06:59:01 +01:00
0c5dfb741f
testing: Fetch the FreeRADIUS tarball from the "old" directory
...
Fixes #483 .
2014-01-31 17:51:45 +01:00
1f4883008e
unit-tests: Add some test cases for HTTP GET/POST fetches
2014-01-31 12:18:32 +01:00
1691b19900
unit-tests: Fix test_runner_run() apidoc
2014-01-29 13:38:10 +01:00
3114cecdbe
pki: Declare correct section in pki --issue man page
2014-01-24 16:17:46 +01:00
0cec570a4b
NEWS: Add unit testing improvements
2014-01-24 13:19:55 +01:00
d048a319df
ike: Restart inactivity counter after doing a CHILD_SA rekey
...
When doing a rekey for a CHILD_SA, the use counters get reset. An inactivity
job is queued for a time unrelated to the rekey time, so it might happen
that the inactivity job gets executed just after rekeying. If this happens,
inactivity is detected even if we had traffic on the rekeyed CHILD_SA just
before rekeying.
This change implies that inactivity checks can't handle inactivity timeouts
for rekeyed CHILD_SAs, and therefore requires that inactivity timeout is shorter
than the rekey time to have any effect.
2014-01-23 16:19:22 +01:00
763e035335
child-sa: Add a getter for CHILD_SA install time
2014-01-23 16:19:22 +01:00
76d073c5ab
Merge branch 'pam-session'
...
Add support for PAM session management in xauth-pam.
2014-01-23 16:14:46 +01:00
572582f5de
NEWS: Introduce PAM session management
2014-01-23 16:11:54 +01:00
c5dc94dc8a
man: Document xauth-pam session option
2014-01-23 16:07:04 +01:00
2312504d1e
xauth-pam: Open/close a PAM session for each connected client
...
Signed-off-by: Andrea Bonomi <a.bonomi@endian.com>
2014-01-23 16:07:04 +01:00
7dc8bf495b
xauth-pam: Sanitize XAuth attributes before passing them to PAM
2014-01-23 16:07:04 +01:00
5770e28e96
Merge branch 'vendor-ids'
...
Refactors IKEv2 vendor ID handling, and introduces some IDs seen when talking
to Cisco devices.
2014-01-23 16:04:48 +01:00
c7c2e24a56
ikev2: Add Cisco FRAGMENTATION vendor ID
...
Courtesy of C.J. Adams-Collier, ZeroLag Communications, Inc.
2014-01-23 16:04:04 +01:00
2c6d204bec
ikev2: Add Cisco Copyright vendor ID
...
Courtesy of C.J. Adams-Collier, ZeroLag Communications, Inc.
2014-01-23 16:04:01 +01:00
f84d1cb2f9
ikev2: Add Cisco Delete Reason vendor ID
...
Courtesy of C.J. Adams-Collier, ZeroLag Communications, Inc.
2014-01-23 16:03:55 +01:00
a8d8e631f9
ikev2: Use a more dynamic vendor ID database, as we use with IKEv1
2014-01-23 16:02:18 +01:00
6a620f9936
Merge branch 'chunk-mmap'
...
Introduces file mmap/munmap() wrappers and provides a fallback if mmap() is not
supported. Replaces all mmap() uses by the new functions.
2014-01-23 15:57:45 +01:00
853498155e
libpts: Use chunk_map() instead of non-portable mmap()
2014-01-23 15:55:33 +01:00
7ae878c357
tnccs: Use chunk_map() instead of non-portable mmap()
2014-01-23 15:55:33 +01:00
88fa7f62be
pem: Use chunk_map() instead of non-portable mmap()
2014-01-23 15:55:33 +01:00
ecdef634aa
stroke: Use chunk_map() instead of non-portable mmap()
2014-01-23 15:55:32 +01:00
b8d0103e31
radattr: Use chunk_map() instead of non-portable mmap()
2014-01-23 15:55:32 +01:00
39badc53cd
libfast: Use chunk_map() instead of non-portable mmap()
2014-01-23 15:55:32 +01:00
69be6a9e05
integrity-checker: Use chunk_map() instead of non-portable mmap()
2014-01-23 15:55:32 +01:00
b9ee059ca9
chunk: Externalize error reporting in chunk_write()
...
This avoids passing that arbitrary label just for error messages, and gives
greater flexibility in handling errors.
2014-01-23 15:55:32 +01:00
37374a292a
chunk: Provide a fallback chunk_map() if mmap is not available
2014-01-23 15:55:32 +01:00
1c4a3459f7
chunk: Use dynamically allocated buffer in chunk_from_fd()
...
When acting on files, we can use fstat() to estimate the buffer size. On
non-file FDs, we dynamically increase an allocated buffer.
Additionally we slightly change the function signature to properly handle
zero-length files and add appropriate unit tests.
2014-01-23 15:55:32 +01:00
595b6d9a82
chunk: Add functions to map file contents to a chunk
2014-01-23 15:55:32 +01:00
fa9b6e88a0
Merge branch 'unity-fixes'
...
Improves compatibility with the Cisco and Shrew clients.
Fixes #445 .
2014-01-23 11:19:38 +01:00
21c18f536d
unity: Send all traffic selectors in a single UNITY_SPLIT_INCLUDE attribute
...
Cisco clients only handle the first such attribute.
2014-01-23 10:35:21 +01:00
f8262aa1a6
unity: Change local TS to 0.0.0.0/0 as responder
...
Cisco clients and Shrew expect a remote TS of 0.0.0.0/0 if Unity is
used, otherwise Quick Mode fails.
2014-01-23 10:35:21 +01:00
685579d6d8
unity: Send UNITY_SPLIT_INCLUDE attributes with proper padding
...
The additional 6 bytes are not actually padding but are parsed by the
Cisco client as protocol and src and dst ports (each two bytes but
strangely only the first two in network order).
2014-01-23 10:35:21 +01:00
6b95565767
Merge branch 'ipcomp'
...
Fixes compatibility issues between firewall rules (leftfirewall=yes)
and IPComp (compress=yes), plus issues with IPComp when used with
multiple subnets in left|rightsubnet.
Fixes #436 .
2014-01-23 10:31:04 +01:00
571025a609
testing: Add ikev2/host2host-transport-nat scenario
2014-01-23 10:27:13 +01:00
62e050e0ef
testing: Add ipv6/rw-compress-ikev2 scenario
2014-01-23 10:27:13 +01:00
6055e347f8
testing: Add ikev2/compress-nat scenario
2014-01-23 10:27:13 +01:00
1fde30cc23
testing: Enable firewall for ikev2/compress scenario
...
Additionally, send a regular (small) ping as the kernel does not
compress small packets and handles those differently inbound.
2014-01-23 10:27:13 +01:00
fe2a2d1885
kernel-netlink: Set selector on transport mode IPComp SAs
2014-01-23 10:27:13 +01:00
cc04a6db3e
kernel-netlink: Selectively add selector on SAs that use IPComp
...
Don't add a selector to tunnel mode SAs, these might serve multiple
traffic selectors but with only one selector on the SA only the traffic
matching the first one would actually get tunneled.
2014-01-23 10:27:12 +01:00
7e3bbcf77a
updown: Increase buffer size for script and environment variables
2014-01-23 10:27:12 +01:00
6d1198e71d
updown: Allow IPIP traffic if IPComp was negotiated
...
The kernel implicitly creates an IPIP SA if an IPComp SA is installed.
This SA is used inbound for small packets that are not compressed.
Since the addresses are different (they are the tunnel addresses not
those of the tunneled traffic) additional rules are required if the
traffic selector does not cover the tunnel addresses (e.g. due to a NAT).
For SAs with multiple traffic selectors duplicate rules will get installed.
2014-01-23 10:27:12 +01:00
cf4a7395aa
updown: Add PLUTO_IPCOMP to indicate if IPComp was negotiated
2014-01-23 10:27:12 +01:00
72a92d4f7d
curl: Replace spaces in URIs with %20
...
cURL requires the URIs to be URL-encoded. Apparently, some CAs encode CRL
URIs with spaces in them.
Fixes #454 .
2014-01-23 10:19:30 +01:00
ccb6758e5b
utils: Add strreplace function
2014-01-23 10:18:23 +01:00
f44b1eb444
stroke: Ensure the buffer of strings in a stroke_msg_t is null-terminated
...
Otherwise a malicious user could send an unterminated string to cause
unterminated reads.
2014-01-23 10:15:07 +01:00
5ab03863b0
stroke: Add an option to prevent log level changes via stroke socket
2014-01-23 10:15:07 +01:00
040cf911a6
pki: Make sure no command registers too many options
2014-01-23 10:12:24 +01:00
079e6c2b04
pki: Increase MAX_COMMANDS to cover all currently available commands
...
Fixes #452 .
2014-01-23 10:12:15 +01:00
Andreas Steffen