Martin Willi [Tue, 10 Nov 2015 08:42:46 +0000 (09:42 +0100)]
watcher: Check for cancellation if poll() fails with EINTR
With LinuxThreads, poll() is unfortunately no cancellation point. It seems
that poll gets woken up after cancellation, but we actively must check
for cancellation before re-entering poll to properly shut down the watcher
thread.
Tobias Brunner [Tue, 13 Oct 2015 10:10:42 +0000 (12:10 +0200)]
mode-config: Reassign migrated virtual IP if client requests %any
If we mistakenly detect a new IKE_SA as a reauthentication the client
won't request the previous virtual IP, but since we already migrated
it we already triggered the assign_vips() hook, so we should reassign
the migrated virtual IP.
Tobias Brunner [Wed, 11 Nov 2015 13:26:00 +0000 (14:26 +0100)]
revocation: Allow CRLs to be encoded in PEM format
Since the textual representation for a CRL is now standardized
in RFC 7468 one could argue that we should accept that too, even
though RFC 5280 explicitly demands CRLs fetched via HTTP/FTP to
be in DER format. But in particular for file URIs enforcing that
seems inconvenient.
Tobias Brunner [Thu, 12 Nov 2015 13:22:28 +0000 (14:22 +0100)]
Merge branch 'eap-mschapv2-eap-identity'
This replaces the EAP-Identity with the EAP-MSCHAPv2 username, which
ensures the client is known with an authenticated identity. Previously
a client with a valid username could use a different identity (e.g. the
name of a different user) in the EAP-Identity exchange. Since we use
the EAP-Identity for uniqueness checks etc. this could be problematic.
The EAP-MSCHAPv2 username is now explicitly logged if it is different
from the EAP-Identity (or IKE identity).
Tobias Brunner [Wed, 28 Oct 2015 17:53:15 +0000 (18:53 +0100)]
auth-cfg: Prefer merged rules over existing ones when moving them
This is particularly important for single valued rules (e.g.
identities). When copying values this is already handled correctly
by the enumerator and add().
Tobias Brunner [Wed, 11 Nov 2015 18:30:04 +0000 (19:30 +0100)]
android: Properly handle shorter types in BufferedByteWriter
In Java all integer types are signed, when a negative integer is casted
to a larger type (e.g. int to long) then due to sign extension the upper
bytes are not 0. So writing that value to a byte array does not produce
the expected result. By overloading the putX() methods we make sure to
upcast the values correctly.
Tobias Brunner [Fri, 23 Oct 2015 14:55:39 +0000 (16:55 +0200)]
android: Fix build after updating Linux headers
Since we don't use the kernel-netlink plugin anymore and the headers
in the NDK are reasonably recent, we don't need this anymore (at least
when building the app).
Tobias Brunner [Mon, 9 Nov 2015 16:07:25 +0000 (17:07 +0100)]
ikev1: Also use message hashes for Quick Mode for the early retransmission check
We already did so during Phase 1 but because all three Quick Mode
message have the same message ID we occasionally dropped the third
message as retransmit, so we do it there too. For INFORMATIONAL
and TRANSACTION exchanges we don't expect more than one inbound message
with the same message ID so we still use them there.
Thomas Egerer [Tue, 6 Oct 2015 09:02:45 +0000 (11:02 +0200)]
kernel-interface: Return bool for kernel interface registration
If the (un)registering of a kernel interface (net or ipsec) fails, the
plugin loader will never know, since the appropriate functions always
returns TRUE. By making the (un)register functions return a boolean
value, the loader can detect a failure during initializing the kernel
interface and abort charon startup if desired.
Tobias Brunner [Mon, 2 Nov 2015 15:22:38 +0000 (16:22 +0100)]
socket-default: Refactor setting source address when sending messages
This ensures we don't pass data (via msg_control) defined in a different
scope to sendmsg(). Actually, some compilers (e.g. GCC 5.2.1) might
optimize the memcpy() call away causing the packets not to get sent from
the intended source address.
It also makes the code clearer than with all these ifdefs.
ike-natd: Create fake NAT-D payloads in a more static way
In some scenarios an IKE_SA might get restarted multiple times (e.g.
due to retransmits and delayed INVALID_KE_PAYLOAD notifies) so that
two IKE_SA_INIT messages might be sent that only differ in the
previously randomly generated NAT_DETECTION_SOURCE_IP payload.
This could cause an authentication failure on the responder if the two
peers don't use the same IKE_SA_INIT message in their InitiatorSignedOctets.
While the payload is generated in a reproducible way it will still change
when the daemon is restarted, which should make detecting the payloads
as fake a bit harder (compared to e.g. just using 0.0.0.0:0 as address).
Tobias Brunner [Fri, 6 Nov 2015 13:45:57 +0000 (14:45 +0100)]
mediation: Reschedule initiate mediation job if SA is not yet found
If the job gets queued for a newly created IKE_SA it might not yet be
checked in when the job is running, reschedule the job in that case.
This should fix the two p2pnat test scenarios, which occasionally
failed because one of the peers did not initiate the connection to
the mediation server.
Tobias Brunner [Thu, 5 Nov 2015 17:52:27 +0000 (18:52 +0100)]
ike-sa-manager: Signal entries that we don't actually check out
In some cases we call wait_for_entry() but don't actually check out the
entry afterwards (e.g. because it doesn't match certain criteria). So
there won't be a call to checkin() for such entries causing waiting
threads to get signaled. Instead, such threads would be blocked until
another thread properly checks out/in the entry (or does a blocking
enumeration).