Andreas Steffen
2a43f7fd9e
Added new Android versions to PTS database
2014-02-04 06:59:01 +01:00
Martin Willi
0c5dfb741f
testing: Fetch the FreeRADIUS tarball from the "old" directory
Fixes #483.
2014-01-31 17:51:45 +01:00
Martin Willi
1f4883008e
unit-tests: Add some test cases for HTTP GET/POST fetches
2014-01-31 12:18:32 +01:00
Martin Willi
1691b19900
unit-tests: Fix test_runner_run() apidoc
2014-01-29 13:38:10 +01:00
Tobias Brunner
3114cecdbe
pki: Declare correct section in pki --issue man page
2014-01-24 16:17:46 +01:00
Martin Willi
0cec570a4b
NEWS: Add unit testing improvements
2014-01-24 13:19:55 +01:00
Martin Willi
d048a319df
ike: Restart inactivity counter after doing a CHILD_SA rekey
When doing a rekey for a CHILD_SA, the use counters get reset. An inactivity
job is queued for a time unrelated to the rekey time, so it might happen
that the inactivity job gets executed just after rekeying. If this happens,
inactivity is detected even if we had traffic on the rekeyed CHILD_SA just
before rekeying.
This change implies that inactivity checks can't handle inactivity timeouts
for rekeyed CHILD_SAs, and therefore requires that the inactivity timeout be
shorter than the rekey time to have any effect.
2014-01-23 16:19:22 +01:00
Martin Willi
763e035335
child-sa: Add a getter for CHILD_SA install time
2014-01-23 16:19:22 +01:00
Martin Willi
76d073c5ab
Merge branch 'pam-session'
Add support for PAM session management in xauth-pam.
2014-01-23 16:14:46 +01:00
Martin Willi
572582f5de
NEWS: Introduce PAM session management
2014-01-23 16:11:54 +01:00
Martin Willi
c5dc94dc8a
man: Document xauth-pam session option
2014-01-23 16:07:04 +01:00
Andrea Bonomi
2312504d1e
xauth-pam: Open/close a PAM session for each connected client
Signed-off-by: Andrea Bonomi <a.bonomi@endian.com>
2014-01-23 16:07:04 +01:00
Martin Willi
7dc8bf495b
xauth-pam: Sanitize XAuth attributes before passing them to PAM
2014-01-23 16:07:04 +01:00
Martin Willi
5770e28e96
Merge branch 'vendor-ids'
Refactors IKEv2 vendor ID handling, and introduces some IDs seen when talking
to Cisco devices.
2014-01-23 16:04:48 +01:00
Martin Willi
c7c2e24a56
ikev2: Add Cisco FRAGMENTATION vendor ID
Courtesy of C.J. Adams-Collier, ZeroLag Communications, Inc.
2014-01-23 16:04:04 +01:00
Martin Willi
2c6d204bec
ikev2: Add Cisco Copyright vendor ID
Courtesy of C.J. Adams-Collier, ZeroLag Communications, Inc.
2014-01-23 16:04:01 +01:00
Martin Willi
f84d1cb2f9
ikev2: Add Cisco Delete Reason vendor ID
Courtesy of C.J. Adams-Collier, ZeroLag Communications, Inc.
2014-01-23 16:03:55 +01:00
Martin Willi
a8d8e631f9
ikev2: Use a more dynamic vendor ID database, as we use with IKEv1
2014-01-23 16:02:18 +01:00
Martin Willi
6a620f9936
Merge branch 'chunk-mmap'
Introduces file mmap/munmap() wrappers and provides a fallback if mmap() is not
supported. Replaces all mmap() uses by the new functions.
2014-01-23 15:57:45 +01:00
Martin Willi
853498155e
libpts: Use chunk_map() instead of non-portable mmap()
2014-01-23 15:55:33 +01:00
Martin Willi
7ae878c357
tnccs: Use chunk_map() instead of non-portable mmap()
2014-01-23 15:55:33 +01:00
Martin Willi
88fa7f62be
pem: Use chunk_map() instead of non-portable mmap()
2014-01-23 15:55:33 +01:00
Martin Willi
ecdef634aa
stroke: Use chunk_map() instead of non-portable mmap()
2014-01-23 15:55:32 +01:00
Martin Willi
b8d0103e31
radattr: Use chunk_map() instead of non-portable mmap()
2014-01-23 15:55:32 +01:00
Martin Willi
39badc53cd
libfast: Use chunk_map() instead of non-portable mmap()
2014-01-23 15:55:32 +01:00
Martin Willi
69be6a9e05
integrity-checker: Use chunk_map() instead of non-portable mmap()
2014-01-23 15:55:32 +01:00
Martin Willi
b9ee059ca9
chunk: Externalize error reporting in chunk_write()
This avoids passing that arbitrary label just for error messages, and gives
greater flexibility in handling errors.
2014-01-23 15:55:32 +01:00
Martin Willi
37374a292a
chunk: Provide a fallback chunk_map() if mmap is not available
2014-01-23 15:55:32 +01:00
Martin Willi
1c4a3459f7
chunk: Use dynamically allocated buffer in chunk_from_fd()
When acting on files, we can use fstat() to estimate the buffer size. On
non-file FDs, we dynamically increase an allocated buffer.
Additionally we slightly change the function signature to properly handle
zero-length files and add appropriate unit tests.
2014-01-23 15:55:32 +01:00
Martin Willi
595b6d9a82
chunk: Add functions to map file contents to a chunk
2014-01-23 15:55:32 +01:00
Tobias Brunner
fa9b6e88a0
Merge branch 'unity-fixes'
Improves compatibility with the Cisco and Shrew clients.
Fixes #445.
2014-01-23 11:19:38 +01:00
Tobias Brunner
21c18f536d
unity: Send all traffic selectors in a single UNITY_SPLIT_INCLUDE attribute
Cisco clients only handle the first such attribute.
2014-01-23 10:35:21 +01:00
Tobias Brunner
f8262aa1a6
unity: Change local TS to 0.0.0.0/0 as responder
Cisco clients and Shrew expect a remote TS of 0.0.0.0/0 if Unity is
used, otherwise Quick Mode fails.
2014-01-23 10:35:21 +01:00
Tobias Brunner
685579d6d8
unity: Send UNITY_SPLIT_INCLUDE attributes with proper padding
The additional 6 bytes are not actually padding but are parsed by the
Cisco client as protocol and src and dst ports (each two bytes but
strangely only the first two in network order).
2014-01-23 10:35:21 +01:00
Tobias Brunner
6b95565767
Merge branch 'ipcomp'
Fixes compatibility issues between firewall rules (leftfirewall=yes)
and IPComp (compress=yes), plus issues with IPComp when used with
multiple subnets in left|rightsubnet.
Fixes #436.
2014-01-23 10:31:04 +01:00
Tobias Brunner
571025a609
testing: Add ikev2/host2host-transport-nat scenario
2014-01-23 10:27:13 +01:00
Tobias Brunner
62e050e0ef
testing: Add ipv6/rw-compress-ikev2 scenario
2014-01-23 10:27:13 +01:00
Tobias Brunner
6055e347f8
testing: Add ikev2/compress-nat scenario
2014-01-23 10:27:13 +01:00
Tobias Brunner
1fde30cc23
testing: Enable firewall for ikev2/compress scenario
Additionally, send a regular (small) ping as the kernel does not
compress small packets and handles those differently inbound.
2014-01-23 10:27:13 +01:00
Tobias Brunner
fe2a2d1885
kernel-netlink: Set selector on transport mode IPComp SAs
2014-01-23 10:27:13 +01:00
Tobias Brunner
cc04a6db3e
kernel-netlink: Selectively add selector on SAs that use IPComp
Don't add a selector to tunnel mode SAs, these might serve multiple
traffic selectors but with only one selector on the SA only the traffic
matching the first one would actually get tunneled.
2014-01-23 10:27:12 +01:00
Tobias Brunner
7e3bbcf77a
updown: Increase buffer size for script and environment variables
2014-01-23 10:27:12 +01:00
Tobias Brunner
6d1198e71d
updown: Allow IPIP traffic if IPComp was negotiated
The kernel implicitly creates an IPIP SA if an IPComp SA is installed.
This SA is used inbound for small packets that are not compressed.
Since the addresses are different (they are the tunnel addresses, not
those of the tunneled traffic), additional rules are required if the
traffic selector does not cover the tunnel addresses (e.g. due to a NAT).
For SAs with multiple traffic selectors duplicate rules will get installed.
2014-01-23 10:27:12 +01:00
Tobias Brunner
cf4a7395aa
updown: Add PLUTO_IPCOMP to indicate if IPComp was negotiated
2014-01-23 10:27:12 +01:00
Tobias Brunner
72a92d4f7d
curl: Replace spaces in URIs with %20
cURL requires the URIs to be URL-encoded. Apparently, some CAs encode CRL
URIs with spaces in them.
Fixes #454.
2014-01-23 10:19:30 +01:00
Tobias Brunner
ccb6758e5b
utils: Add strreplace function
2014-01-23 10:18:23 +01:00
Tobias Brunner
f44b1eb444
stroke: Ensure the buffer of strings in a stroke_msg_t is null-terminated
Otherwise a malicious user could send an unterminated string to cause
unterminated reads.
2014-01-23 10:15:07 +01:00
Tobias Brunner
5ab03863b0
stroke: Add an option to prevent log level changes via stroke socket
2014-01-23 10:15:07 +01:00
Tobias Brunner
040cf911a6
pki: Make sure no command registers too many options
2014-01-23 10:12:24 +01:00
Tobias Brunner
079e6c2b04
pki: Increase MAX_COMMANDS to cover all currently available commands
Fixes #452.
2014-01-23 10:12:15 +01:00