Martin Willi
3a399574c2
eap-radius: do RADIUS/IKE attribute forwarding in XAuth backend
2013-07-29 09:00:49 +02:00
Martin Willi
c434b2a4a9
eap-radius: support plain XAuth RADIUS authentication using User-Password
2013-07-29 09:00:49 +02:00
Martin Willi
6bc0ce020d
libradius: support encryption of User-Password attributes
2013-07-29 09:00:48 +02:00
Martin Willi
84044f9c73
utils: add round_up/down() helper functions
2013-07-29 09:00:48 +02:00
Martin Willi
15483a6223
libradius: refactor generic RADIUS en-/decryption function to a message method
2013-07-29 09:00:48 +02:00
Martin Willi
9aeb6cea4c
eap-radius: export function to build common attributes of Access-Request
2013-07-29 09:00:48 +02:00
Martin Willi
94ec80e74c
eap-radius: export function to process common attributes of Access-Accept
2013-07-29 09:00:48 +02:00
Martin Willi
7612a6e42f
mem-pool: add option for reusing online leases, and disable it by default
Mainly for reauthentication with third party implementations, we allowed
reusing an online lease, but only for the same peer identity and when it
explicitly requested the same address.
This has always been problematic, because it changes the reqid of the CHILD_SA
with the same traffic selectors, breaking the old tunnel. As we now reject
such policy overwrites, this usually lets the installation of the new policies
fail. We therefore disable reassignment of online leases by default.
2013-07-29 08:56:09 +02:00
Martin Willi
c5d2d867f1
mem-pool: replace per-identity online/offline lists by more efficient arrays
This saves two lists per connected peer identity, up to 0.4KB.
2013-07-29 08:55:21 +02:00
Martin Willi
d882880e87
mem-pool: refcount online lease when reassigning it to another tunnel
When we reassign an online lease for the same peer, we have to refcount it.
Otherwise we would set it offline if one of the tunnels goes down, but it is
actually still in use by the second tunnel. This can finally lead to
assigning the same virtual IP to different peers.
2013-07-26 13:12:22 +02:00
Tobias Brunner
77ccff82cf
ikev1: Always send ID payloads (traffic selectors) during Quick Mode
Especially Windows 7 has problems if the peer does not send ID payloads
for host-to-host connections (tunnel and transport mode).
Fixes #319.
2013-07-25 17:08:17 +02:00
Tobias Brunner
1f2d9c7688
watcher: Made notify array initialization compatible with older GCC versions
2013-07-25 16:57:42 +02:00
Tobias Brunner
ebb4ad1baa
unit-tests: Add additional tests for host_t
2013-07-25 11:28:26 +02:00
Tobias Brunner
7a192c57a3
imv-attestation: Properly measure complete directories
2013-07-25 11:28:26 +02:00
Tobias Brunner
116363e5c6
array: Number of items in get_size() is unsigned
Otherwise, array->esize is promoted to int and if array->esize * num
results in a value > 0x7fffffff the return value would be incorrect due
to the implicit sign extension when getting cast to size_t.
2013-07-25 11:28:01 +02:00
Tobias Brunner
d7dc4fedd1
stream: Ensure UNIX socket path is null terminated
2013-07-24 16:17:23 +02:00
Tobias Brunner
e7d717cf01
kernel-pfkey: Add sanity check when deleting policies
2013-07-24 16:17:22 +02:00
Tobias Brunner
e5455e9413
imv-os: check_packages() fails if product query fails
2013-07-24 16:17:22 +02:00
Tobias Brunner
cfca183d55
pkcs5: Add missing break statements when checking crypto primitives
2013-07-24 16:17:22 +02:00
Tobias Brunner
346a4a1fc2
imv-scanner: Properly check snprintf() return value
2013-07-24 16:17:22 +02:00
Tobias Brunner
16748bdff7
socket-dynamic: Properly initialize IPv6 address
2013-07-24 16:17:22 +02:00
Tobias Brunner
5baec6448d
unit-tests: Add test for host_create_netmask()
2013-07-24 16:17:21 +02:00
Tobias Brunner
6e2ec33f9d
host: Prevent overflow in host_create_netmask() if mask is 0 or 32/128
2013-07-24 16:17:03 +02:00
Tobias Brunner
a00ac1d9ee
imv-attestation: Use proper cast for length when using %.*s
2013-07-24 10:54:47 +02:00
Tobias Brunner
0c76d820dc
tnc-ifmap: Use proper cast for length when using %.*s
2013-07-24 10:54:47 +02:00
Tobias Brunner
cfdd23b967
capabilities: Proper error handling when reading groups
2013-07-24 10:54:26 +02:00
Tobias Brunner
3021139f6f
strongswan.conf: Moved some stuff around
2013-07-23 12:23:05 +02:00
Tobias Brunner
5b1e3d3fdc
ipsec: Add --piddir to retrieve the PID/socket directory
2013-07-22 18:12:04 +02:00
Tobias Brunner
517823b466
starter: Properly refer to the ipsec script if it was renamed
2013-07-22 18:00:19 +02:00
Tobias Brunner
62293ed271
coupling: Fix call to call_hook()
2013-07-22 17:53:56 +02:00
Tobias Brunner
2ed8b36a8a
strongswan.conf: Add missing options
2013-07-22 17:46:41 +02:00
Tobias Brunner
146fa8b2d3
charon-xpc: Use correct namespace when setting default settings
2013-07-22 17:44:37 +02:00
Tobias Brunner
a14d907e33
tnc-pdp: Fix reading port setting from strongswan.conf
2013-07-22 17:43:54 +02:00
Andreas Steffen
2b1ac51c9c
fixed typo
2013-07-19 20:07:32 +02:00
Andreas Steffen
645e9291f0
updated some TNC scenarios
2013-07-19 19:36:07 +02:00
Martin Willi
dcd5129c25
processor: force synchronous execute_job() if set_threads(0) has been called
During daemon shutdown, some idle threads might be lingering around even if
set_threads(0) already has been called. To avoid any races, we enforce
synchronous execution of the job.
2013-07-19 15:30:22 +02:00
Martin Willi
2fa92ad256
proposal: correctly enumerate registered AEADs to build default IKE proposal
AEADs are not returned (anymore) with the encryption enumerator.
2013-07-19 15:05:17 +02:00
Andreas Steffen
3cd01df785
Version bump to 5.1.0rc1
2013-07-19 10:40:53 +02:00
Tobias Brunner
82b1a38601
tkm: Properly refer to includes now that AM_CPPFLAGS is used
2013-07-19 09:02:04 +02:00
Tobias Brunner
8f1b44b40c
keychain: Use AM_CPPFLAGS instead of INCLUDES
2013-07-19 09:01:39 +02:00
Tobias Brunner
0ceb288815
Fix various API doc issues and typos
Partially based on an old patch by Adrian-Ken Rueegsegger.
2013-07-18 18:30:36 +02:00
Martin Willi
cb6c4e0430
identification: parse identities having a "@@" prefix as ID_RFC822_ADDR
Original patch by Gerald Richter.
2013-07-18 16:45:10 +02:00
Martin Willi
c3b8335cfb
NEWS: mention watcher and stream services
2013-07-18 16:10:48 +02:00
Martin Willi
666dff70eb
Merge branch 'ipc-service'
Adds network transparency and TCP support to the IPC interfaces of different
plugins using the new stream and stream service classes. A central watcher
thread can watch multiple file descriptors to handle connection requests
for these and other services using only a single thread.
2013-07-18 16:03:14 +02:00
Martin Willi
b4b3959b22
stream-service: move CAP_CHOWN check from plugins to service constructor
A plugin service can be a TCP socket now, so it does not make much sense
to strictly check for CAP_CHOWN.
2013-07-18 16:00:31 +02:00
Martin Willi
1897dd730f
processor: remove the now unused get_threads() method again
2013-07-18 16:00:31 +02:00
Martin Willi
ea009869e9
watcher: use processor's new execute_job() to notify FDs
Just queueing is problematic, as all threads might be busy waiting for events
that the queued (but never executed) job delivers.
2013-07-18 16:00:31 +02:00
Martin Willi
6653e6c13e
processor: add an execute_job() method to directly execute an important job
If all worker threads are busy and waiting for an event, we must ensure that
a job delivering that event gets executed. This new method has this property
for CRITICAL jobs, using a worker if we have one, but executing the job directly
if not.
2013-07-18 16:00:31 +02:00
Martin Willi
55240835b0
watcher: properly support multiple watch callback types for the same FD
2013-07-18 16:00:31 +02:00
Martin Willi
d0c25a3f23
watcher: read multiple notifications if available
Use non-blocking I/O on the read end of the notify pipe. This also makes sure
the read does not block should select() signal data while there is none.
2013-07-18 16:00:31 +02:00