git.ipfire.org Git - thirdparty/strongswan.git/log
Tobias Brunner [Tue, 13 Aug 2013 14:58:33 +0000 (16:58 +0200)]
socket-default: Allow setting firewall mark on outbound packets
Tobias Brunner [Tue, 13 Aug 2013 14:53:06 +0000 (16:53 +0200)]
kernel-netlink: Allow setting firewall marks on routing rule
Tobias Brunner [Tue, 13 Aug 2013 13:15:45 +0000 (15:15 +0200)]
ipsec_types: Add utility function to parse mark_t from strings
Tobias Brunner [Fri, 11 Oct 2013 13:29:30 +0000 (15:29 +0200)]
Merge branch 'database-transactions'
This adds support for transactions to the database_t interface and the two
current implementations.
The pool utility is also moved to its own directory in src/.
Tobias Brunner [Thu, 10 Oct 2013 09:02:16 +0000 (11:02 +0200)]
attr-sql: Use a serializable transaction when inserting identities
Tobias Brunner [Thu, 10 Oct 2013 08:58:40 +0000 (10:58 +0200)]
database: Add support for serializable transactions
Tobias Brunner [Fri, 6 Sep 2013 12:09:32 +0000 (14:09 +0200)]
sql: Don't use MyISAM engine and set collation/charset for all tables
The MyISAM engine doesn't support transactions.
Tobias Brunner [Fri, 6 Sep 2013 09:29:17 +0000 (11:29 +0200)]
pool: Change transaction handling
Tobias Brunner [Thu, 5 Sep 2013 16:00:48 +0000 (18:00 +0200)]
pool: Move the pool utility to its own directory in src
Tobias Brunner [Fri, 13 Sep 2013 11:25:49 +0000 (13:25 +0200)]
attr-sql: Handle concurrent insertion of identities
If the same identity is added concurrently by two threads (or by the
pool utility) INSERT might fail even though the SELECT was unsuccessful
before.
We are currently not able to lock the identities table in a portable way
(something like SELECT ... FOR UPDATE on MySQL).
Tobias Brunner [Thu, 5 Sep 2013 15:03:11 +0000 (17:03 +0200)]
attr-sql: Don't use database transactions in create_attribute_enumerator
There could, of course, be race conditions when enumerating the attributes,
but those probably don't matter (e.g. missing an attribute that was
concurrently added).
Transactions are more intended to revert multiple changes if anything
fails in the process.
Tobias Brunner [Thu, 5 Sep 2013 14:50:23 +0000 (16:50 +0200)]
sqlite: Implement transaction handling
Tobias Brunner [Thu, 5 Sep 2013 14:46:24 +0000 (16:46 +0200)]
mysql: Implement transaction handling
Tobias Brunner [Fri, 6 Sep 2013 06:16:39 +0000 (08:16 +0200)]
database: Add interface to handle transactions
Tobias Brunner [Thu, 5 Sep 2013 13:33:24 +0000 (15:33 +0200)]
mysql: Ensure connections are properly released in multi-threaded environments
Tobias Brunner [Thu, 3 Oct 2013 08:24:59 +0000 (10:24 +0200)]
crypto-factory: Try next available RNG implementation if constructor fails
Tobias Brunner [Thu, 3 Oct 2013 08:23:30 +0000 (10:23 +0200)]
crypto-factory: Order entries by algorithm identifier and (optionally) speed
Tobias Brunner [Thu, 3 Oct 2013 08:14:49 +0000 (10:14 +0200)]
Remove HASH_PREFERRED, usages are replaced with HASH_SHA1, which is required for IKEv2 anyway
Tobias Brunner [Fri, 11 Oct 2013 11:57:05 +0000 (13:57 +0200)]
vstr: Forward actual field width
fmt_field_width is a flag that indicates if a field width
is defined in obj_field_width.
Martin Willi [Tue, 25 Jun 2013 15:09:07 +0000 (17:09 +0200)]
unit-tests: support testing when leak-detective has not been enabled
Martin Willi [Fri, 11 Oct 2013 09:40:02 +0000 (11:40 +0200)]
NEWS: Updates for the ah, libipsec-usestats and printf-hook merges
Martin Willi [Fri, 11 Oct 2013 09:12:38 +0000 (11:12 +0200)]
Merge branch 'printf-hook'
Adds a custom printf hook implementation as a fallback if neither the glibc
style hooks nor vstr is available. This can avoid the Vstr dependency on some
systems at the cost of slower and less complete printf functions.
Martin Willi [Fri, 27 Sep 2013 16:16:46 +0000 (18:16 +0200)]
printf-hook-builtin: Print NaN/Infinity floating point values as such
Martin Willi [Fri, 27 Sep 2013 14:13:14 +0000 (16:13 +0200)]
printf-hook-builtin: Correctly round up floating point values
Martin Willi [Fri, 11 Oct 2013 08:55:05 +0000 (10:55 +0200)]
printf-hook-builtin: Add some preliminary floating point support
This minimalistic implementation has no aspiration for completeness or
accuracy, and just provides what we need.
Martin Willi [Fri, 27 Sep 2013 09:16:11 +0000 (11:16 +0200)]
printf-hook-builtin: Support GNU %m specifier
Martin Willi [Fri, 11 Oct 2013 09:06:02 +0000 (11:06 +0200)]
printf-hook-builtin: Add a new "builtin" backend using its own printf() routines
Overloads printf C library functions by a self-contained implementation,
based on klibc. Does not yet feature all the required default formatters,
including those for floating point values.
Martin Willi [Fri, 27 Sep 2013 10:19:11 +0000 (12:19 +0200)]
printf-hook: Add some basic printf() string/integer test functions
Martin Willi [Fri, 27 Sep 2013 15:30:17 +0000 (17:30 +0200)]
printf-hook: Move glibc/vstr printf hook backends to separate files
Martin Willi [Fri, 11 Oct 2013 08:24:27 +0000 (10:24 +0200)]
Merge branch 'libipsec-usestats'
Brings SA usage statistics and volume based expiration to libipsec and the
associated kernel-libipsec plugin. Additionally removes any ESPv3 style TFC
padding found in incoming packets.
Martin Willi [Mon, 30 Sep 2013 13:47:27 +0000 (15:47 +0200)]
libipsec: Enforce byte/packet lifetimes on SAs
Martin Willi [Mon, 23 Sep 2013 14:26:11 +0000 (16:26 +0200)]
kernel-libipsec: Support ESPv3 TFC padding
Martin Willi [Mon, 23 Sep 2013 14:23:54 +0000 (16:23 +0200)]
libipsec: remove extra RFC4303 TFC padding appended to inner payload
Martin Willi [Mon, 23 Sep 2013 10:46:43 +0000 (12:46 +0200)]
kernel-libipsec: Support query_sa() to report usage statistics
Martin Willi [Mon, 23 Sep 2013 10:10:07 +0000 (12:10 +0200)]
libipsec: Support usage statistics and query_sa() on IPsec SAs
Martin Willi [Mon, 23 Sep 2013 10:35:33 +0000 (12:35 +0200)]
kernel: Use a time_t to report use time in query_policy()
Martin Willi [Mon, 23 Sep 2013 10:28:13 +0000 (12:28 +0200)]
kernel: Use a time_t to report use time in query_sa()
Martin Willi [Fri, 11 Oct 2013 08:15:43 +0000 (10:15 +0200)]
Merge branch 'ah'
Brings support for Security Associations integrity protected by the
Authentication Header protocol, both to IKEv1 and IKEv2. Currently only plain
AH is supported, but no (now deprecated) RFC2401 style AH+ESP bundles.
Martin Willi [Thu, 10 Oct 2013 16:09:57 +0000 (18:09 +0200)]
ipsec.conf: Add a description for the new 'ah' keyword.
Martin Willi [Wed, 9 Oct 2013 14:10:33 +0000 (16:10 +0200)]
testing: Add an IKEv1 host2host AH transport mode test case
Martin Willi [Wed, 9 Oct 2013 14:10:08 +0000 (16:10 +0200)]
testing: Add an IKEv1 net2net AH test case
Martin Willi [Wed, 9 Oct 2013 13:20:22 +0000 (15:20 +0200)]
testing: Add an IKEv2 host2host AH transport mode test case
Martin Willi [Wed, 9 Oct 2013 13:10:40 +0000 (15:10 +0200)]
testing: Add an IKEv2 net2net AH test case
Martin Willi [Wed, 9 Oct 2013 13:05:46 +0000 (15:05 +0200)]
testing: Allow AH packets in default INPUT/OUTPUT chains
Martin Willi [Wed, 9 Oct 2013 12:48:50 +0000 (14:48 +0200)]
updown: Install forwarding rules with the actually used protocol
Martin Willi [Wed, 9 Oct 2013 12:48:25 +0000 (14:48 +0200)]
updown: Add a PLUTO_PROTO variable set to 'ah' or 'esp'
Martin Willi [Wed, 9 Oct 2013 12:09:08 +0000 (14:09 +0200)]
starter: Reject connections having both 'ah' and 'esp' keywords set
We currently don't support mixed proposals or bundles, so don't create the
illusion we would.
Martin Willi [Fri, 21 Jun 2013 14:01:03 +0000 (16:01 +0200)]
ike: Define keylength for aescmac algorithm
Martin Willi [Fri, 21 Jun 2013 14:00:22 +0000 (16:00 +0200)]
ikev1: Support parsing of AH+IPComp proposals
Martin Willi [Thu, 20 Jun 2013 15:10:13 +0000 (17:10 +0200)]
starter: Remove obsolete 'auth' option
Martin Willi [Thu, 20 Jun 2013 15:07:27 +0000 (17:07 +0200)]
ikev1: Accept more than two certificate payloads
Martin Willi [Thu, 20 Jun 2013 15:06:46 +0000 (17:06 +0200)]
ikev1: Support en-/decoding of SA payloads with AH algorithms
Martin Willi [Thu, 20 Jun 2013 14:16:39 +0000 (16:16 +0200)]
kernel-handler: Whitespace cleanups
Martin Willi [Thu, 20 Jun 2013 14:16:06 +0000 (16:16 +0200)]
stroke: List proposals in statusall without leading '/' in AH SAs
Martin Willi [Thu, 20 Jun 2013 14:15:31 +0000 (16:15 +0200)]
ikev1: Delete quick modes with the negotiated SA protocol
Martin Willi [Thu, 20 Jun 2013 14:14:52 +0000 (16:14 +0200)]
trap-manager: Install trap with SA protocol of the first configured proposal
Martin Willi [Thu, 20 Jun 2013 14:13:35 +0000 (16:13 +0200)]
child-sa: Save protocol during SPI allocation
This allows us to properly delete the incomplete SA with the correct protocol
should negotiation fail.
Martin Willi [Thu, 20 Jun 2013 14:12:58 +0000 (16:12 +0200)]
ikev1: Negotiate SPI with the first/negotiated proposal protocol
Martin Willi [Thu, 20 Jun 2013 14:12:14 +0000 (16:12 +0200)]
ikev2: Allocate SPI with the protocol of the first/negotiated proposal
Martin Willi [Thu, 20 Jun 2013 14:10:55 +0000 (16:10 +0200)]
proposal: Strip redundant integrity algos for ESP proposals only
Martin Willi [Thu, 20 Jun 2013 14:09:51 +0000 (16:09 +0200)]
stroke: Configure proposal with AH protocol if 'ah' option set
Martin Willi [Thu, 20 Jun 2013 14:08:23 +0000 (16:08 +0200)]
starter: Add an 'ah' keyword for Authentication Header Security Associations
Andreas Steffen [Fri, 11 Oct 2013 07:53:42 +0000 (09:53 +0200)]
Version bump to 5.1.1rc1
Andreas Steffen [Wed, 9 Oct 2013 17:03:07 +0000 (19:03 +0200)]
Keep a copy of the tnccs instance for PT-TLS handover
Tobias Brunner [Fri, 4 Oct 2013 08:49:54 +0000 (10:49 +0200)]
xauth-pam: Make trimming of email addresses optional
Fixes #430.
Martin Willi [Wed, 18 Sep 2013 12:11:40 +0000 (14:11 +0200)]
ikev1: Accept reauthentication attempts with a keep unique policy from same host
When we have a "keep" unique policy in place, we have to be less strict in
rejecting Main/Aggressive Modes to enforce it. If the host/port equals
that of an existing ISAKMP SA, we assume it is a reauthentication attempt
and accept the new SA (to replace the old).
Martin Willi [Wed, 18 Sep 2013 11:59:44 +0000 (13:59 +0200)]
ikev1: Don't log a reauthentication detection message if no children adopted
When a replace unique policy is in place, the children get adopted during
the uniqueness check. In this case the message is just misleading.
Martin Willi [Wed, 18 Sep 2013 11:56:45 +0000 (13:56 +0200)]
ikev1: Delay a potential delete for a duplicate IKE_SA having a replace policy
Sending a DELETE for the replaced SA immediately is problematic during
reauthentication, as the peer might have associated the Quick Modes to the
old SA, and also delete them.
With this change the delete for the old ISAKMP SA is usually omitted, as it
gets implicitly deleted by the reauth.
Tobias Brunner [Tue, 10 Sep 2013 14:51:20 +0000 (16:51 +0200)]
eap-radius: Increase buffer for attributes sent in RADIUS accounting messages
64 bytes might be too short for user names/identities.
Tobias Brunner [Fri, 27 Sep 2013 07:11:55 +0000 (09:11 +0200)]
openssl: Properly log FIPS mode when enabled via openssl.conf
Enabling FIPS mode twice will fail, so if it is enabled in openssl.conf
it should be disabled in strongswan.conf (or the other way around).
Either way, we should log whether FIPS mode is enabled or not.
References #412.
Tobias Brunner [Thu, 26 Sep 2013 11:03:38 +0000 (13:03 +0200)]
android: New release after fixing remediation instructions regression
Tobias Brunner [Thu, 26 Sep 2013 11:50:23 +0000 (13:50 +0200)]
android: Change progress dialog handling
With the previous code the dialog sometimes was hidden for a short while
before it got reopened.
Tobias Brunner [Thu, 26 Sep 2013 11:00:45 +0000 (13:00 +0200)]
android: Clear remediation instructions when starting a new connection
Tobias Brunner [Thu, 26 Sep 2013 08:15:03 +0000 (10:15 +0200)]
starter: Don't ignore keyingtries with rekey=no
Since keyingtries also affects the number of retries initially or when
reestablishing an SA it should not be affected by the rekey option.
Fixes #418.
Tobias Brunner [Tue, 24 Sep 2013 07:24:59 +0000 (09:24 +0200)]
load-tester: Fix crash if private key was not loaded successfully
Fixes #417.
Tobias Brunner [Mon, 23 Sep 2013 15:01:53 +0000 (17:01 +0200)]
printf-hook: Write to output stream instead of the FD directly when using Vstr
This avoids problems when other stdio functions are used (fputs,
fwrite) as writes via Vstr/FD were always unbuffered.
Tobias Brunner [Mon, 23 Sep 2013 12:33:29 +0000 (14:33 +0200)]
android: New release after improving recovery after connectivity changes
Tobias Brunner [Fri, 20 Sep 2013 13:07:41 +0000 (15:07 +0200)]
android: Change state handling to display errors occurring while the app is hidden
A new connection ID allows listeners to track which errors they have
already shown to the user or were already dismissed by the user.
This was necessary because the state fragment is now unregistered from
state changes when it is not shown.
Tobias Brunner [Fri, 20 Sep 2013 12:07:40 +0000 (14:07 +0200)]
android: Don't update state fragments when they are not displayed
Besides that updates don't make much sense when the fragments are not
displayed this fixes the following exception:
java.lang.IllegalStateException: Can not perform this action after
onSaveInstanceState
Tobias Brunner [Fri, 20 Sep 2013 12:05:53 +0000 (14:05 +0200)]
ikev2: Force an update of the host addresses on the first response
This is especially useful on Android where we are able to send messages
even if we don't know the correct local address (this is possible
because we don't set source addresses in outbound messages). This way
we may learn the correct local address if it e.g. changed right before
reestablishing an SA.
Updating the local address later is tricky without MOBIKE as the
responder might not update the associated IPsec SAs properly.
Tobias Brunner [Fri, 20 Sep 2013 12:03:23 +0000 (14:03 +0200)]
ike-sa: Resolve hosts before reestablishing an IKE_SA
Tobias Brunner [Fri, 20 Sep 2013 09:16:21 +0000 (11:16 +0200)]
android: Several plugins were moved from libcharon to libtnccs
These were moved in commits e8f65c5cde and 12b3db5006.
Tobias Brunner [Fri, 20 Sep 2013 08:30:02 +0000 (10:30 +0200)]
android: Properly handle failures while initializing charon
Ansis Atteka [Mon, 23 Sep 2013 04:21:39 +0000 (21:21 -0700)]
kernel-netlink: Allow to override xfrm_acq_expires value
When using auto=route, current xfrm_acq_expires default value
implies that tunnel can be down for up to 165 seconds, if
other peer rejected first IKE request with an AUTH_FAILED or
NO_PROPOSAL_CHOSEN error message. These error messages are
completely normal in setups where another application
pushes configuration to both strongSwans without waiting
for acknowledgment that they have updated their configurations.
This patch allows strongswan to override xfrm_acq_expires default
value by setting charon.plugins.kernel-netlink.xfrm_acq_expires in
strongswan.conf.
Signed-off-by: Ansis Atteka <aatteka@nicira.com>
Andreas Steffen [Tue, 17 Sep 2013 19:57:08 +0000 (21:57 +0200)]
Implemented TCG/PB-PDP_Referral message
Andreas Steffen [Tue, 17 Sep 2013 09:19:11 +0000 (11:19 +0200)]
Allow vendor-specific PB-TNC messages
Andreas Steffen [Tue, 17 Sep 2013 08:58:53 +0000 (10:58 +0200)]
ignore *.1 manpage files
Andreas Steffen [Tue, 17 Sep 2013 08:57:46 +0000 (10:57 +0200)]
Version bump to 5.1.1dr4
Tobias Brunner [Fri, 13 Sep 2013 13:30:40 +0000 (15:30 +0200)]
Merge branch 'pubkeys'
Adds support to pki --pub to convert public keys to other formats
including SSH keys and DNSKEYs. SSH public keys can also be read
from files in the format used by OpenSSH.
Tobias Brunner [Mon, 19 Aug 2013 11:15:28 +0000 (13:15 +0200)]
sshkey: Add support for parsing keys from files
Tobias Brunner [Fri, 16 Aug 2013 11:13:49 +0000 (13:13 +0200)]
sshkey: Add encoding for ECDSA keys
Tobias Brunner [Fri, 16 Aug 2013 11:12:47 +0000 (13:12 +0200)]
openssl: Add support for generic encoding of EC public keys
Tobias Brunner [Thu, 15 Aug 2013 10:43:30 +0000 (12:43 +0200)]
pki: --pub also accepts public keys (i.e. to convert them to a different format)
Tobias Brunner [Thu, 15 Aug 2013 10:43:01 +0000 (12:43 +0200)]
pki: Add support to encode public keys in SSH key format
Tobias Brunner [Thu, 15 Aug 2013 10:42:09 +0000 (12:42 +0200)]
sshkey: Add encoder for RSA keys
Tobias Brunner [Wed, 14 Aug 2013 16:23:00 +0000 (18:23 +0200)]
openssl: Add generic RSA public key encoding
Tobias Brunner [Thu, 15 Aug 2013 10:29:06 +0000 (12:29 +0200)]
openssl: Add helper function to convert BIGNUMs to chunks
Tobias Brunner [Wed, 14 Aug 2013 16:22:13 +0000 (18:22 +0200)]
pki: Load dnskey plugin to encode public keys in RFC 3110 format
Tobias Brunner [Fri, 13 Sep 2013 13:15:40 +0000 (15:15 +0200)]
Merge branch 'man-pki'
This adds man pages for all pki sub-commands and promotes pki to a
regular program installed in $prefix/bin.
The usage output of several commands was fixed too.
Tobias Brunner [Fri, 13 Sep 2013 13:14:00 +0000 (15:14 +0200)]
pki: Don't print an error if no arguments are given