Andreas Steffen
81419b9748
use DNs in tnc/tnccs-20-tls scenario
2013-03-03 10:47:17 +01:00
Andreas Steffen
c9418d4fd3
added getpwuid_r and initgroups to whitelist
2013-03-03 09:04:49 +01:00
Andreas Steffen
eeb69761ae
third parameter was not copied
2013-03-02 22:03:07 +01:00
Tobias Brunner
11adf114c1
Fixed Doxygen comments after scanning complete src directory
2013-03-02 18:31:53 +01:00
Tobias Brunner
b42f2cacac
Include the whole src directory in apidoc and make source files browsable
But still only scan header files as Doxygen can't figure out how they
are related to source files (at least not for class methods).
2013-03-02 18:31:53 +01:00
Tobias Brunner
cd612784e4
Prevent Doxygen from processing __attribute__(...)
Doxygen produces additional members/classes from these attributes.
2013-03-02 18:31:52 +01:00
Tobias Brunner
b6a387f7b0
Updated Doxyfile.in with a recent version of Doxygen
2013-03-02 18:28:18 +01:00
Tobias Brunner
9804fccea3
Removed backend for old Android frontend patch
Moved the remaining DNS handler to a new plugin.
2013-03-02 18:27:23 +01:00
Andreas Steffen
b038c62e4a
added ERX_SUPPORTED IKEv2 Notify
2013-03-02 17:18:37 +01:00
Andreas Steffen
de218eb09c
added some new TCG IF-M message subtypes and attributes
2013-03-02 17:03:37 +01:00
Andreas Steffen
9e9e12bbf8
version bump to 5.0.3dr3
2013-03-02 16:19:57 +01:00
Tobias Brunner
e88b529a30
android: Mitigate race condition on reauthentication
If the TUN device gets recreated while another thread in handle_plain()
has not yet called select(2) but already stored the file descriptor of the
old TUN device in its FD set, select() will fail with EBADF.
Fixes #301.
2013-03-01 17:06:01 +01:00
Tobias Brunner
4c969f7906
openssl: The EVP GCM interface requires at least OpenSSL 1.0.1
2013-03-01 16:57:45 +01:00
Martin Willi
4dd8d5430d
Merge branch 'multi-eap'
Fixes the use of EAP methods in the non-first authentication round if the
initiator demands mutual EAP. Also mutual EAP can now be enforced when the
initiator sets rightauth=eap, not only with rightauth=any.
2013-03-01 11:36:41 +01:00
Martin Willi
e82deaf6ce
Merge branch 'multi-cert'
Allows the configuration of multiple certificates in leftcert, and selects
the correct certificate to use based on the received certificate requests.
2013-03-01 11:35:32 +01:00
Martin Willi
adf239abca
Merge branch 'systime'
Add a systime-fix plugin allowing an embedded system to validate certificates
if the system time has not been synchronized after boot. Certificates of
established tunnels can be re-validated after the system time gets valid.
2013-03-01 11:33:47 +01:00
Martin Willi
b611d8ba48
Merge branch 'ikev1-rekeying'
Migrates Quick Modes to the new Main Mode if an IKEv1 reauthentication replaces
the old Main Mode having a uniqueids=replace policy.
2013-03-01 11:32:02 +01:00
Martin Willi
ec1b4e6638
Merge branch 'vip-shunts'
Installs bypass policies for the physical address if a virtual address is
assigned, and installs a proper source route to actually use the physical
address for bypassed destinations.
Conflicts:
src/libcharon/plugins/unity/unity_handler.c
2013-03-01 11:30:13 +01:00
Martin Willi
a36b49f3cb
Merge branch 'opaque-ports'
Adds a %opaque port option and support for port ranges in left/rightprotoport.
Currently not supported by any of our kernel backends.
2013-03-01 11:27:12 +01:00
Martin Willi
53fcc70acc
When running with an unprivileged user, initialize supplementary groups
2013-03-01 11:27:01 +01:00
Martin Willi
21dd4c4bea
Without MOBIKE, update remote host only if it is behind NAT
2013-03-01 11:26:47 +01:00
Martin Willi
00683b6864
Merge branch 'ikev1-mm-retransmits'
Fixes retransmit of the last Main Mode or IKE_AUTH message, and correctly
queues Main Mode messages when processing of the last message is still in
progress.
2013-03-01 11:24:42 +01:00
Martin Willi
d634109f1d
Merge branch 'tfc-notify'
Introduces kernel backend features, sends ESP_TFC_PADDING_NOT_SUPPORTED if
kernel does not support it.
2013-03-01 11:16:58 +01:00
Martin Willi
5c55be4915
Send ESP_TFC_PADDING_NOT_SUPPORTED if the used kernel doesn't support it
2013-03-01 11:12:17 +01:00
Martin Willi
53e62f5d0c
Indicate support for processing ESPv3 TFC padding in Netlink IPsec backend
2013-03-01 11:11:51 +01:00
Martin Willi
76f7d80e80
Introduce "features" for the kernel backends returning kernel capabilities
2013-03-01 11:11:24 +01:00
Tobias Brunner
9a70fe8412
testing: Add a script to easily connect to a host via SSH
This doesn't require any entries in /etc/hosts and the correct SSH
config is used to allow password-less access.
2013-02-28 18:21:14 +01:00
Tobias Brunner
81f9cd39fd
openssl: Provide AES-GCM implementation
2013-02-28 18:17:42 +01:00
Tobias Brunner
a89ebab62e
Fix cleanup in crypto_tester if AEAD implementation fails
2013-02-28 18:17:42 +01:00
Tobias Brunner
5f7f4fa398
Order of arguments in Doxygen comment fixed
2013-02-28 18:17:42 +01:00
Tobias Brunner
8656f35ae1
Fix auth_cfg_t.clone() for single-valued auth rules
By using the default list enumerator and adding the rules with the public
add() method, clones of auth_cfg_t objects would return the values for
single-valued auth rules in the wrong order (i.e. the oldest instead of the
newest value was returned). Using the internal enumerator (which the comment
already suggested) fixes this, but the clone will not be a full clone as
it does not contain any old values for single-valued auth rules. Since
these will never be used anyway, this should be fine.
2013-02-28 18:11:38 +01:00
Tobias Brunner
6e935c6fe0
Trigger an updown event when destroying an IKE_SA based on INITIAL_CONTACT
In other cases (i.e. when functions return DESTROY_ME) the event should
already be triggered, but not in this forced situation.
2013-02-28 18:07:29 +01:00
Martin Willi
61f1693df1
Support different authentication schemes for PT-TLS
2013-02-28 16:46:08 +01:00
Martin Willi
807f2facd0
Request a TLS client certificate even if no peer identity is given
This allows a peer to perform client authentication if it wants, but skip
it if not.
2013-02-28 16:46:08 +01:00
Martin Willi
257c80cb5b
Wrap tls_t.get_{server,peer}_id methods in tls_socket_t
2013-02-28 16:46:08 +01:00
Martin Willi
2de481e32b
Delegate tls_t.get_{peer,server}_id to handshake layer
This allows getting updated peer identities if the peer can't authenticate,
or does when it is optional.
2013-02-28 16:46:08 +01:00
Martin Willi
2ae0c9e618
Implement a SASL PLAIN mechanism using shared secrets
2013-02-28 16:46:07 +01:00
Martin Willi
66d8fd690c
Implement SASL authentication in PT-TLS client
2013-02-28 16:46:07 +01:00
Martin Willi
3542c4f18a
Implement SASL authentication in PT-TLS server
2013-02-28 16:46:07 +01:00
Martin Willi
5b1a10836c
Define PT-TLS SASL result codes
2013-02-28 16:46:07 +01:00
Martin Willi
4a801beb3e
Define an interface for SASL mechanisms and provide a static factory
2013-02-28 16:46:07 +01:00
Martin Willi
806126eab2
Pass a client identity to pt_tls_client, usable for TLS or SASL authentication
2013-02-28 16:46:07 +01:00
Martin Willi
55854ecc25
Don't close underlying file descriptor before destroying a tls_socket
tls_socket cleanup usually sends a TLS close notify, for which it uses a valid
socket.
2013-02-28 16:46:07 +01:00
Martin Willi
d8a94c18c6
Apply a mutual EAP auth_cfg not before the EAP method completes
2013-02-26 13:15:27 +01:00
Martin Willi
cc787697b8
Be a little more verbose about why a peer_cfg is unacceptable
2013-02-26 13:15:27 +01:00
Martin Willi
289b9b7b31
Refactor auth_cfg applying to a common function
2013-02-26 13:15:27 +01:00
Tobias Brunner
bc07fef09c
Use SIGUSR2 for SIG_CANCEL on Android
SIGRTMIN is defined as 32 while sigset_t is defined as
unsigned long (i.e. holds 32 signals). Hence, the signal
could never be blocked. Sending the signal still canceled
threads, but sometimes in situations where they shouldn't
have been canceled (e.g. while holding a lock).
Fixes #298.
2013-02-26 11:40:34 +01:00
Tobias Brunner
0ac34e9e6a
Android.mk updated to latest Makefiles
Fixes #300.
2013-02-26 10:11:36 +01:00
Martin Willi
e2857be823
For IKEv1 Main Mode, use message hash to detect early retransmissions
As the message ID is zero in all Main Mode messages, it can't be used to detect
if we are already processing a given message.
2013-02-25 12:12:38 +01:00
Martin Willi
cdf75a39e3
Move initial message dropping to task manager
When the last request message of the initial tunnel setup is retransmitted,
we must retransmit the response instead of ignoring the request.
Fixes #295.
2013-02-25 12:12:19 +01:00