]>
git.ipfire.org Git - people/ms/strongswan.git/log
Martin Willi [Mon, 18 Mar 2013 09:12:22 +0000 (10:12 +0100)]
Merge branch 'stroke-counters'
Extend stroke counters functionality by connection specific counters, and
a resetcounters command to reset the global or connection counters.
Martin Willi [Mon, 18 Mar 2013 09:11:46 +0000 (10:11 +0100)]
Merge branch 'stroke-timeout'
Add a strongswan.conf timeout option for stroke control commands.
Martin Willi [Mon, 18 Mar 2013 09:09:35 +0000 (10:09 +0100)]
Merge branch 'netlink-align'
Fixes some Netlink alignment issues, and then refactors Netlink XFRM message
attribute handling.
Martin Willi [Fri, 15 Mar 2013 15:01:32 +0000 (16:01 +0100)]
Use netlink_add_attribute() to copy over attributes during update_sa()
Martin Willi [Fri, 15 Mar 2013 14:17:13 +0000 (15:17 +0100)]
Use a helper function to add XFRM_MARK attribute
Martin Willi [Fri, 15 Mar 2013 14:05:00 +0000 (15:05 +0100)]
Use netlink_reserve() helper function in XFRM to simplify message construction
Martin Willi [Fri, 15 Mar 2013 13:32:51 +0000 (14:32 +0100)]
Add a Netlink utility function to add a RTA header and reserve space for data
Martin Willi [Fri, 15 Mar 2013 13:32:25 +0000 (14:32 +0100)]
Correctly check buffer length in netlink_add_attribute()
Martin Willi [Fri, 15 Mar 2013 13:01:15 +0000 (14:01 +0100)]
Avoid unneeded termination of netlink algorithm name arrays with END_OF_LIST
Martin Willi [Fri, 15 Mar 2013 09:55:22 +0000 (10:55 +0100)]
Add a "resetcounters" command to ipsec, clearing global or connection counters
Martin Willi [Fri, 15 Mar 2013 09:41:04 +0000 (10:41 +0100)]
Add connection name specific stroke counters
Martin Willi [Thu, 3 Jan 2013 13:09:05 +0000 (14:09 +0100)]
Add a chunk_from_str() initializer that does not include 0-terminator
Martin Willi [Fri, 8 Mar 2013 14:21:36 +0000 (15:21 +0100)]
Add missing XAuthRespPSK switch case to IKEv1 key derivation
Martin Willi [Mon, 11 Mar 2013 14:17:50 +0000 (15:17 +0100)]
strdup() iface passed to queue_route_reinstall(), fixing double-free
Martin Willi [Mon, 11 Mar 2013 14:16:13 +0000 (15:16 +0100)]
Support mutliple subnets and ranges as external load-tester addresses
Martin Willi [Mon, 11 Mar 2013 13:49:02 +0000 (14:49 +0100)]
Add a constructor to create in-memory pools from an address range
Martin Willi [Mon, 11 Mar 2013 11:32:21 +0000 (12:32 +0100)]
When adding Netlink attributes, increase header length with potential alignment
If the payload is unaligned, we must make sure the total netlink message
length includes the added alignment for the first attribute.
Martin Willi [Mon, 11 Mar 2013 10:30:47 +0000 (11:30 +0100)]
Clean up IKE_SA state if IKE_SA_INIT request does not have message ID 0
Martin Willi [Mon, 11 Mar 2013 09:52:13 +0000 (10:52 +0100)]
Ignore fourth Qick Mode message sent by Windows servers.
Initial patch by Paul Stewart, fixes #289.
Andreas Steffen [Mon, 11 Mar 2013 08:30:20 +0000 (09:30 +0100)]
added ITA Echo PA-TNC Subtype and ITA Echo Attribute type
Andreas Steffen [Mon, 11 Mar 2013 08:29:22 +0000 (09:29 +0100)]
version bump to 5.0.3dr4
Andreas Steffen [Mon, 11 Mar 2013 07:54:02 +0000 (08:54 +0100)]
moved ar_id from imv_agent to imv_state
Tobias Brunner [Fri, 8 Mar 2013 15:43:07 +0000 (16:43 +0100)]
esc() is only used if dladdr(3) is available
Tobias Brunner [Thu, 7 Mar 2013 17:21:02 +0000 (18:21 +0100)]
Fix maximum size of a mem_pool_t
Tobias Brunner [Thu, 7 Mar 2013 12:53:54 +0000 (13:53 +0100)]
New Android release after adding translations and Cert/EAP authentication
Also fixed a race condition during reauthentication and a freeze that
might happen while disconnecting.
Tobias Brunner [Thu, 7 Mar 2013 12:50:29 +0000 (13:50 +0100)]
android: Add support for combined certificate and EAP authentication
This uses RFC 4739 multiple authentication rounds to first
authenticate the client with a certificate followed by an
EAP authentication round with username and password.
Martin Willi [Thu, 7 Mar 2013 13:10:50 +0000 (14:10 +0100)]
Merge branch 'pt-tls'
Martin Willi [Thu, 7 Mar 2013 11:13:26 +0000 (12:13 +0100)]
If controller operations have a callback, don't succeed before hook gets called
Martin Willi [Thu, 7 Mar 2013 10:45:33 +0000 (11:45 +0100)]
Add a stroke command timeout option, and report status of completed command
Martin Willi [Thu, 7 Mar 2013 08:50:43 +0000 (09:50 +0100)]
As Quick Mode initiator, select a subset of the proposed and the returned TS
Cisco 5505 firewalls don't return the port if we send a specific one, letting
the is_contained_in() checks fail. Using get_subset() selection builds the
Quick Mode correctly with the common subset of selectors.
Based on an initial patch from Paul Stewart.
Martin Willi [Wed, 6 Mar 2013 13:39:51 +0000 (14:39 +0100)]
If TLS peer authentication not required, the client does nonetheless, allow it to fail
Andreas Steffen [Wed, 6 Mar 2013 10:50:32 +0000 (11:50 +0100)]
added some otherNames OIDs
Martin Willi [Tue, 5 Mar 2013 16:52:07 +0000 (17:52 +0100)]
Fix some apidoc in mem_pool.h
Tobias Brunner [Mon, 4 Mar 2013 17:05:49 +0000 (18:05 +0100)]
testing: Add screen package to base image
Makes working in a single SSH session easier.
Tobias Brunner [Mon, 4 Mar 2013 17:01:10 +0000 (18:01 +0100)]
testing: Enable ssh connection to second IP by name (e.g. moon1)
Tobias Brunner [Mon, 4 Mar 2013 10:55:26 +0000 (11:55 +0100)]
testing: ssh script accepts IP addresses instead of host names
Tobias Brunner [Mon, 4 Mar 2013 10:36:47 +0000 (11:36 +0100)]
testing: ssh script forwards arguments to ssh command
This allows to execute commands on a virtual host.
Andreas Steffen [Tue, 5 Mar 2013 08:08:25 +0000 (09:08 +0100)]
removed unneeded DS files
Andreas Steffen [Mon, 4 Mar 2013 22:21:21 +0000 (23:21 +0100)]
instead of cloning use extract_buf() method
Martin Willi [Mon, 4 Mar 2013 14:50:21 +0000 (15:50 +0100)]
Don't invoke addr2line if dladdr() did not yield a filename
Martin Willi [Mon, 4 Mar 2013 14:46:34 +0000 (15:46 +0100)]
When receiving critical signals, additionally log backtraces to syslog/files
Martin Willi [Mon, 4 Mar 2013 14:45:03 +0000 (15:45 +0100)]
backtrace_t.log() takes a NULL file pointer to log to registered dbg() hook
Martin Willi [Mon, 4 Mar 2013 14:07:03 +0000 (15:07 +0100)]
Don't use color escapes when printing backtraces to a non-TTY file
Martin Willi [Mon, 4 Mar 2013 14:04:56 +0000 (15:04 +0100)]
Add a utility function to resolve TTY color escape codes dynamically
Andreas Steffen [Sun, 3 Mar 2013 16:18:09 +0000 (17:18 +0100)]
make TNC Access Requestor ID available to IMVs
Andreas Steffen [Sun, 3 Mar 2013 16:17:08 +0000 (17:17 +0100)]
updated NEWS
Andreas Steffen [Sun, 3 Mar 2013 10:59:07 +0000 (11:59 +0100)]
upgraded KVM test suite to Linux 3.8 kernel
Andreas Steffen [Sun, 3 Mar 2013 10:43:52 +0000 (11:43 +0100)]
added openssl-ikev2/alg-aes-gcm scenario
Andreas Steffen [Sun, 3 Mar 2013 09:47:17 +0000 (10:47 +0100)]
use DNs in tnc/tnccs-20-tls scenario
Andreas Steffen [Sun, 3 Mar 2013 08:04:49 +0000 (09:04 +0100)]
added getpwuid_r and initgroups to whitelist
Andreas Steffen [Sat, 2 Mar 2013 21:03:07 +0000 (22:03 +0100)]
third parameter was not copied
Tobias Brunner [Sat, 2 Mar 2013 14:26:45 +0000 (15:26 +0100)]
Fixed Doxygen comments after scanning complete src directory
Tobias Brunner [Sat, 2 Mar 2013 13:58:33 +0000 (14:58 +0100)]
Include the whole src directory in apidoc and make source files browsable
But still only scan header files as Doxygen can't figure out how they
are related to source files (at least not for class methods).
Tobias Brunner [Sat, 2 Mar 2013 12:33:25 +0000 (13:33 +0100)]
Prevent Doxygen from processing __attribute__(...)
Doxygen produces additional members/classes from these attributes.
Tobias Brunner [Sat, 2 Mar 2013 12:08:52 +0000 (13:08 +0100)]
Updated Doxyfile.in with a recent version of Doxygen
Tobias Brunner [Sat, 2 Mar 2013 14:57:00 +0000 (15:57 +0100)]
Removed backend for old Android frontend patch
Moved the remaining DNS handler to a new plugin.
Andreas Steffen [Sat, 2 Mar 2013 16:18:37 +0000 (17:18 +0100)]
added ERX_SUPPORTED IKEv2 Notify
Andreas Steffen [Sat, 2 Mar 2013 16:03:37 +0000 (17:03 +0100)]
added some new TCG IF-M message subtypes and attributes
Andreas Steffen [Sat, 2 Mar 2013 15:19:57 +0000 (16:19 +0100)]
version bump to 5.0.3dr3
Tobias Brunner [Fri, 1 Mar 2013 16:01:21 +0000 (17:01 +0100)]
android: Mitigate race condition on reauthentication
If the TUN device gets recreated while another thread in handle_plain()
has not yet called select(2) but already stored the file descriptor of the
old TUN device in its FD set, select() will fail with EBADF.
Fixes #301.
Tobias Brunner [Fri, 1 Mar 2013 15:56:37 +0000 (16:56 +0100)]
openssl: The EVP GCM interface requires at least OpenSSL 1.0.1
Martin Willi [Fri, 1 Mar 2013 10:36:41 +0000 (11:36 +0100)]
Merge branch 'multi-eap'
Fixes the use of EAP methods in the non-first authentication round if the
initiator demands mutual EAP. Also mutual EAP can now be enforced when the
initiator sets rightauth=eap, not only with rightauth=any.
Martin Willi [Fri, 1 Mar 2013 10:35:32 +0000 (11:35 +0100)]
Merge branch 'multi-cert'
Allows the configuration of multiple certificates in leftcert, and select
the correct certificate to use based on the received certificate requests.
Martin Willi [Fri, 1 Mar 2013 10:33:47 +0000 (11:33 +0100)]
Merge branch 'systime'
Add a systime-fix plugin allowing an embedded system to validate certificates
if the system time has not been synchronized after boot. Certificates of
established tunnels can be re-validated after the system time gets valid.
Martin Willi [Fri, 1 Mar 2013 10:32:02 +0000 (11:32 +0100)]
Merge branch 'ikev1-rekeying'
Migrates Quick Modes to the new Main Mode if an IKEv1 reauthentication replaces
the old Main Mode having a uniqueids=replace policy.
Martin Willi [Fri, 1 Mar 2013 10:30:13 +0000 (11:30 +0100)]
Merge branch 'vip-shunts'
Installs bypass policies for the physical address if a virtual address is
assigned, and installs a proper source route to actually use the physical
address for bypassed destinations.
Conflicts:
src/libcharon/plugins/unity/unity_handler.c
Martin Willi [Fri, 1 Mar 2013 10:27:12 +0000 (11:27 +0100)]
Merge branch 'opaque-ports'
Adds a %opaque port option and support for port ranges in left/rightprotoport.
Currently not supported by any of our kernel backends.
Martin Willi [Wed, 20 Feb 2013 09:38:45 +0000 (10:38 +0100)]
When running with an unprivileged user, initialize supplementary groups
Martin Willi [Fri, 22 Feb 2013 13:55:03 +0000 (14:55 +0100)]
Without MOBIKE, update remote host only if it is behind NAT
Martin Willi [Fri, 1 Mar 2013 10:24:42 +0000 (11:24 +0100)]
Merge branch 'ikev1-mm-retransmits'
Fixes retransmit of the last Main Mode or IKE_AUTH message, and correctly
queues Main Mode messages when processing of the last message is still in
progress.
Martin Willi [Fri, 1 Mar 2013 10:16:58 +0000 (11:16 +0100)]
Merge branch 'tfc-notify'
Introduces kernel backend features, sends ESP_TFC_PADDING_NOT_SUPPORTED if
kernel does not support it.
Martin Willi [Thu, 21 Feb 2013 09:09:39 +0000 (10:09 +0100)]
Send ESP_TFC_PADDING_NOT_SUPPORTED if the used kernel doesn't support it
Martin Willi [Thu, 21 Feb 2013 08:45:46 +0000 (09:45 +0100)]
Indicate support for processing ESPv3 TFC padding in Netlink IPsec backend
Martin Willi [Thu, 21 Feb 2013 08:39:23 +0000 (09:39 +0100)]
Introduce "features" for the kernel backends returning kernel capabilities
Tobias Brunner [Tue, 19 Feb 2013 13:17:26 +0000 (14:17 +0100)]
testing: Add a script to easily connect to a host via SSH
This doesn't require any entries in /etc/hosts and the correct SSH
config is used to allow password-less access.
Tobias Brunner [Tue, 12 Feb 2013 15:46:56 +0000 (16:46 +0100)]
openssl: Provide AES-GCM implementation
Tobias Brunner [Tue, 12 Feb 2013 15:42:45 +0000 (16:42 +0100)]
Fix cleanup in crypto_tester if AEAD implementation fails
Tobias Brunner [Tue, 12 Feb 2013 15:40:54 +0000 (16:40 +0100)]
Order of arguments in Doxygen comment fixed
Tobias Brunner [Mon, 18 Feb 2013 16:23:04 +0000 (17:23 +0100)]
Fix auth_cfg_t.clone() for single-valued auth rules
By using the default list enumerator and adding the rules with the public
add() method, clones of auth_cfg_t objects would return the values for
single-valued auth rules in the wrong order (i.e. the oldest instead of the
newest value was returned). Using the internal enumerator (which the comment
already suggested) fixes this, but the clone will not be a full clone as
it does not contain any old values for single-valued auth rules. Since
these will never be used anyway, this should be fine.
Tobias Brunner [Mon, 18 Feb 2013 11:05:58 +0000 (12:05 +0100)]
Trigger an updown event when destroying an IKE_SA based on INITIAL_CONTACT
In other cases (i.e. when functions return DESTROY_ME) the event should
already be triggered, but not in this forced situation.
Martin Willi [Thu, 28 Feb 2013 11:03:40 +0000 (12:03 +0100)]
Support different authentication schemes for PT-TLS
Martin Willi [Thu, 28 Feb 2013 11:34:53 +0000 (12:34 +0100)]
Request a TLS client certificate even if no peer identity is given
This allows a peer to perform client authentication if it wants, but skip
it if not.
Martin Willi [Thu, 28 Feb 2013 10:44:33 +0000 (11:44 +0100)]
Wrap tls_t.get_{server,peer}_id methods in tls_socket_t
Martin Willi [Thu, 28 Feb 2013 10:39:55 +0000 (11:39 +0100)]
Delegate tls_t.get_{peer,server}_id to handshake layer
This allows to get updated peer identities if the peer can't authenticate,
or does when it is optional.
Martin Willi [Wed, 27 Feb 2013 15:27:59 +0000 (16:27 +0100)]
Implement a SASL PLAIN mechanism using shared secrets
Martin Willi [Wed, 27 Feb 2013 12:47:08 +0000 (13:47 +0100)]
Implement SASL authentication in PT-TLS client
Martin Willi [Wed, 27 Feb 2013 10:43:29 +0000 (11:43 +0100)]
Implement SASL authentication in PT-TLS server
Martin Willi [Wed, 27 Feb 2013 10:40:48 +0000 (11:40 +0100)]
Define PT-TLS SASL result codes
Martin Willi [Tue, 26 Feb 2013 13:54:36 +0000 (14:54 +0100)]
Define an interface for SASL mechanisms and provide a static factory
Martin Willi [Wed, 27 Feb 2013 13:11:00 +0000 (14:11 +0100)]
Pass a client identity to pt_tls_client, usable for TLS or SASL authentication
Martin Willi [Mon, 18 Feb 2013 10:45:01 +0000 (11:45 +0100)]
Don't close underlying file descriptor before destroying a tls_socket
tls_socket cleanup usually sends a TLS close notify, for which it uses a valid
socket.
Martin Willi [Tue, 26 Feb 2013 12:07:11 +0000 (13:07 +0100)]
Apply a mutual EAP auth_cfg not before the EAP method completes
Martin Willi [Tue, 26 Feb 2013 11:26:31 +0000 (12:26 +0100)]
Be a little more verbose why a peer_cfg is inacceptable
Martin Willi [Tue, 26 Feb 2013 11:16:31 +0000 (12:16 +0100)]
Refactor auth_cfg applying to a common function
Tobias Brunner [Tue, 26 Feb 2013 10:07:28 +0000 (11:07 +0100)]
Use SIGUSR2 for SIG_CANCEL on Android
SIGRTMIN is defined as 32 while sigset_t is defined as
unsigned long (i.e. holds 32 signals). Hence, the signal
could never be blocked. Sending the signal still canceled
threads, but sometimes in situations where they shouldn't
have been canceled (e.g. while holding a lock).
Fixes #298.
Tobias Brunner [Tue, 26 Feb 2013 09:11:36 +0000 (10:11 +0100)]
Android.mk updated to latest Makefiles
Fixes #300.
Martin Willi [Mon, 25 Feb 2013 11:08:36 +0000 (12:08 +0100)]
For IKEv1 Main Mode, use message hash to detect early retransmissions
As the message ID is zero in all Main Mode messages, it can't be used to detect
if we are already processing a given message.
Martin Willi [Mon, 25 Feb 2013 10:42:50 +0000 (11:42 +0100)]
Move initial message dropping to task manager
When the last request message of the initial tunnel setup is retransmitted,
we must retransmit the response instead of ignoring the request.
Fixes #295.
Martin Willi [Mon, 25 Feb 2013 10:52:55 +0000 (11:52 +0100)]
Use INIT macro to initialize IKE_SA manager entries
Reto Buerki [Fri, 22 Feb 2013 14:16:37 +0000 (15:16 +0100)]
Check kvm command existence in start-testing