git.ipfire.org Git - people/ms/strongswan.git/log
Tobias Brunner [Mon, 5 Aug 2013 16:20:50 +0000 (18:20 +0200)]
aes-test: Add script to test AES implementations according to AESAVS/GCMVS
Tobias Brunner [Tue, 6 Aug 2013 15:27:35 +0000 (17:27 +0200)]
chunk: Print chunks without separator if + modifier is used
Tobias Brunner [Tue, 6 Aug 2013 15:27:15 +0000 (17:27 +0200)]
utils: Add case-insensitive version of strpfx()
Martin Willi [Fri, 23 Aug 2013 12:22:29 +0000 (14:22 +0200)]
stroke: stop enumerating IKE_SAs in statusall if output stream gets closed
If the output stream is not interested in more information, it can close the
stream. Checking for stream errors avoids useless enumeration of IKE_SAs,
saving resources. This allows using "ipsec statusall | head" to monitor the
daemon, or to stop enumerating IKE_SAs after a specific entry has been found.
Andreas Steffen [Thu, 22 Aug 2013 15:24:20 +0000 (17:24 +0200)]
Cleaned configuration files in PT-TLS client scenario
Tobias Brunner [Wed, 21 Aug 2013 14:52:19 +0000 (16:52 +0200)]
kernel: Restore enumeration of all addresses when searching for address in TS
Since f52cf07532 addresses on ignored, down or loopback interfaces were
not considered as valid addresses anymore when searching for an address
contained in the local traffic selector. This meant that route
installation failed, for instance, if charon.install_virtual_ip_on was
set to 'lo', or, on gateways, if internal interfaces were ignored with
the charon.interfaces_* options.
Tobias Brunner [Wed, 21 Aug 2013 09:27:28 +0000 (11:27 +0200)]
conftest: Disable reset_seq hook on systems other than Linux
Fixes #386.
Tobias Brunner [Wed, 21 Aug 2013 06:28:12 +0000 (08:28 +0200)]
kernel-netlink: Fix calculation of ESN bitmap length
While bmp_len stores the number of u_int32_t, the allocated bitmap
actually consists of those integers.
Andreas Steffen [Mon, 19 Aug 2013 10:28:12 +0000 (12:28 +0200)]
Added stand-alone pt-tls-client to NEWS
Andreas Steffen [Mon, 19 Aug 2013 10:20:57 +0000 (12:20 +0200)]
Flush iptables rules on alice
Andreas Steffen [Mon, 19 Aug 2013 09:44:51 +0000 (11:44 +0200)]
Fixes in tnc scenarios
Andreas Steffen [Mon, 19 Aug 2013 09:36:23 +0000 (11:36 +0200)]
Added tnc/tnccs-20-pt-tls scenario
Andreas Steffen [Mon, 19 Aug 2013 08:03:23 +0000 (10:03 +0200)]
Version bump to 5.1.1dr1
Andreas Steffen [Mon, 19 Aug 2013 07:52:12 +0000 (09:52 +0200)]
Process PB-TNC batches received via PT-TLS asynchronously
Andreas Steffen [Mon, 19 Aug 2013 07:50:57 +0000 (09:50 +0200)]
Optimize TLS socket buffer for TLS_MAX_FRAGMENT_LEN
Andreas Steffen [Fri, 16 Aug 2013 12:14:13 +0000 (14:14 +0200)]
Output handler of a given workitem
Andreas Steffen [Fri, 16 Aug 2013 12:13:35 +0000 (14:13 +0200)]
Implemented SWID Tag Inventory attribute
Andreas Steffen [Thu, 15 Aug 2013 21:32:26 +0000 (23:32 +0200)]
deleted moved files
Andreas Steffen [Thu, 15 Aug 2013 21:26:00 +0000 (23:26 +0200)]
Implemented SWID prototype IMC/IMV pair
Andreas Steffen [Tue, 13 Aug 2013 20:04:49 +0000 (22:04 +0200)]
Updated the SWID attributes
Andreas Steffen [Tue, 13 Aug 2013 15:09:53 +0000 (17:09 +0200)]
Optimized PT-TLS data transfer
Andreas Steffen [Mon, 12 Aug 2013 09:54:25 +0000 (11:54 +0200)]
Show host address of peer connecting to PT-TLS socket
Andreas Steffen [Mon, 12 Aug 2013 09:53:46 +0000 (11:53 +0200)]
Set client identity with TLS certificate authentication
Andreas Steffen [Mon, 12 Aug 2013 09:52:32 +0000 (11:52 +0200)]
Fixed memory leak in SASL PLAIN
Andreas Steffen [Mon, 12 Aug 2013 06:51:13 +0000 (08:51 +0200)]
added --optionsfrom capability
Andreas Steffen [Mon, 12 Aug 2013 06:25:48 +0000 (08:25 +0200)]
Use client identities from successful authentications, only
Andreas Steffen [Fri, 9 Aug 2013 20:18:13 +0000 (22:18 +0200)]
Add pt-tls-client to .gitignore
Andreas Steffen [Fri, 9 Aug 2013 20:10:37 +0000 (22:10 +0200)]
Extract client identity and authentication type from SASL authentication
Andreas Steffen [Fri, 9 Aug 2013 13:21:33 +0000 (15:21 +0200)]
Added some debug statements
Andreas Steffen [Fri, 9 Aug 2013 11:35:02 +0000 (13:35 +0200)]
enabled SASL PLAIN authentication
Andreas Steffen [Thu, 8 Aug 2013 19:48:46 +0000 (21:48 +0200)]
PT-TLS connection is properly terminated
Andreas Steffen [Thu, 8 Aug 2013 17:43:43 +0000 (19:43 +0200)]
moved tnc_imv plugin to libtnccs thanks to recommendation callback function
Andreas Steffen [Thu, 8 Aug 2013 09:17:33 +0000 (11:17 +0200)]
Documented plugin move from libcharon to libtnccs in strongswan.conf
Andreas Steffen [Thu, 8 Aug 2013 09:02:17 +0000 (11:02 +0200)]
Moved tnc-tnccs, tnc-imc, tnccs-11, tnccs-20 and tnccs-dynamic libcharon plugins to libtnccs
Andreas Steffen [Wed, 7 Aug 2013 17:41:29 +0000 (19:41 +0200)]
rapid PT-TLS AR/PDP prototype
Andreas Steffen [Wed, 31 Jul 2013 20:09:38 +0000 (22:09 +0200)]
Add PT-TLS interface to strongSwan PDP
Tobias Brunner [Thu, 15 Aug 2013 13:15:34 +0000 (15:15 +0200)]
ikev1: Fix calculation of the number of fragments
The old code resulted in too few fragments in some cases.
Tobias Brunner [Thu, 15 Aug 2013 13:12:00 +0000 (15:12 +0200)]
ikev1: When sending fragments, use ports to decide if a non-ESP marker is added
This is the same logic used by the sender and might apply in some cases (e.g.
when initiating to port 4500).
Tobias Brunner [Tue, 13 Aug 2013 08:03:54 +0000 (10:03 +0200)]
ikev2: Fix segfault when reestablishing CHILD_SAs due to closeaction=restart|hold
This regression was introduced with c949a4d5.
Tobias Brunner [Mon, 12 Aug 2013 10:20:09 +0000 (12:20 +0200)]
libipsec: Don't limit traditional algorithms to AES and SHA1/2
Closes #377.
Tobias Brunner [Mon, 12 Aug 2013 10:06:25 +0000 (12:06 +0200)]
kernel-netlink,pfroute: Properly update address flag within ROAM_DELAY
77d4a02 and 55da01f only updated the address flag when a job was created,
which obviously had the same limitation as the old code.
Fixes #374.
Tobias Brunner [Mon, 12 Aug 2013 09:40:22 +0000 (11:40 +0200)]
kernel-pfroute: Implement roam event handling like in the kernel-netlink plugin
There was no proper locking and the issue regarding the address
flag also existed.
Tobias Brunner [Mon, 12 Aug 2013 09:23:34 +0000 (11:23 +0200)]
kernel-netlink: Ensure address changes are not missed in roam events
If multiple roam events are triggered within ROAM_DELAY, only one job is
created. The old code set the address flag to the value of the last
triggering call. So if a route change followed an address change within
ROAM_DELAY the address change was missed by the upper layers, e.g. causing
it not to update the list of addresses via MOBIKE.
The new code now keeps the state of the address flag until the job is
actually executed, which still has some issues. For instance, if an
address disappears and reappears within ROAM_DELAY, the flag would not
have to be set to TRUE. So address updates might occasionally get
triggered where none would actually be required.
Fixes #374.
Martin Willi [Fri, 9 Aug 2013 07:13:39 +0000 (09:13 +0200)]
backtrace: rename clone() method clashing with system call
Fixes #376.
Martin Willi [Thu, 8 Aug 2013 12:48:32 +0000 (14:48 +0200)]
updown: remove description of unsupported PLUTO_ variables
These have been set by pluto, but are not by charon's updown plugin.
Martin Willi [Thu, 8 Aug 2013 07:12:52 +0000 (09:12 +0200)]
scripts: link against librt only if required
With glibc, this seems to be the case for 2.17 and older versions only.
Martin Willi [Thu, 8 Aug 2013 07:09:00 +0000 (09:09 +0200)]
scripts: link malloc_speed against librt
Tobias Brunner [Wed, 7 Aug 2013 07:06:01 +0000 (09:06 +0200)]
strongswan.conf: Add note about reserved threads
Tobias Brunner [Wed, 31 Jul 2013 14:24:32 +0000 (16:24 +0200)]
tnc-pdp: Initialize struct msghdr properly when reading RADIUS messages
Before this e.g. msg_controllen was not initialized properly which could
cause invalid reads.
Tobias Brunner [Wed, 31 Jul 2013 13:28:15 +0000 (15:28 +0200)]
NEWS: Add info about CVE-2013-5018
Tobias Brunner [Wed, 31 Jul 2013 07:03:48 +0000 (09:03 +0200)]
whitelist: Fix compilation on FreeBSD
Tobias Brunner [Tue, 30 Jul 2013 16:44:50 +0000 (18:44 +0200)]
host: Properly initialize struct sockaddr_in[6] when parsing strings
Otherwise struct members like sin6_flowinfo or sin6_scope_id might be
set to bogus values.
Tobias Brunner [Mon, 29 Jul 2013 21:45:38 +0000 (23:45 +0200)]
asn1: Fix handling of invalid ASN.1 length in is_asn1()
Fixes CVE-2013-5018.
Andreas Steffen [Wed, 31 Jul 2013 20:13:41 +0000 (22:13 +0200)]
Callback job is not needed any more
Martin Willi [Wed, 31 Jul 2013 14:27:28 +0000 (16:27 +0200)]
charon-xpc: load missing ctr/ccm/gcm plugins
Martin Willi [Wed, 31 Jul 2013 09:38:18 +0000 (11:38 +0200)]
charon-xpc: use kernel-libipsec instead of kernel-pfkey
Martin Willi [Wed, 31 Jul 2013 09:37:39 +0000 (11:37 +0200)]
charon-xpc: fix TS getting after changing CHILD_SA API
Martin Willi [Wed, 31 Jul 2013 09:36:55 +0000 (11:36 +0200)]
keychain: be less verbose when loading certificates
Tobias Brunner [Mon, 29 Jul 2013 19:59:40 +0000 (21:59 +0200)]
receiver: Avoid cloning packet data when verifying COOKIE payloads
Besides being more efficient this removes a memory leak that occurred
when a COOKIE payload was successfully verified.
Fixes #369.
Tobias Brunner [Fri, 26 Jul 2013 07:36:54 +0000 (09:36 +0200)]
unity: Handle multi-valued UNITY_SPLIT_INCLUDE/UNITY_LOCAL_LAN attributes
Cisco devices seem to add 6 bytes of padding between each address/mask
pair.
Fixes #366.
Andreas Steffen [Mon, 29 Jul 2013 15:16:41 +0000 (17:16 +0200)]
version bump to 5.0.1
Andreas Steffen [Mon, 29 Jul 2013 15:16:21 +0000 (17:16 +0200)]
tnc-pdp now uses watcher_t
Andreas Steffen [Mon, 29 Jul 2013 09:41:33 +0000 (11:41 +0200)]
Updated PTS database scheme to new workitems model
Tobias Brunner [Thu, 25 Jul 2013 11:38:35 +0000 (13:38 +0200)]
ikev2: Only schedule half-open-timeout delete job after successfully handling IKE_SA_INIT
We want to avoid this allocation if the initial message is invalid (e.g.
if the message ID is != 0).
Martin Willi [Mon, 29 Jul 2013 09:08:54 +0000 (11:08 +0200)]
NEWS: mention xauth-radius backend in eap-radius plugin
Martin Willi [Mon, 29 Jul 2013 07:36:28 +0000 (09:36 +0200)]
testing: enforce xauth-eap in ikev1/xauth-rsa-eap-md5-radius
As eap-radius now provides its own XAuth backend and eap-radius is loaded before
xauth-eap, we have to enforce the exact XAuth backend to use.
Martin Willi [Mon, 29 Jul 2013 07:00:56 +0000 (09:00 +0200)]
Merge branch 'xauth-radius'
Implements verification of XAuth credentials using simple RADIUS User-Name and
(encrypted) User-Password attributes. The XAuth backend is implemented in the
eap-radius plugin, reusing all existing infrastructure and features found in
that plugin, including RADIUS accounting.
Martin Willi [Fri, 26 Jul 2013 11:06:17 +0000 (13:06 +0200)]
testing: add a testcase for plain XAuth RADIUS authentication
Martin Willi [Wed, 24 Jul 2013 11:35:46 +0000 (13:35 +0200)]
charon-cmd: add --eap-identity and --xauth-username options
Martin Willi [Mon, 22 Jul 2013 13:59:49 +0000 (15:59 +0200)]
eap-radius: do RADIUS/IKE attribute forwarding in XAuth backend
Martin Willi [Mon, 22 Jul 2013 12:28:12 +0000 (14:28 +0200)]
eap-radius: support plain XAuth RADIUS authentication using User-Password
Martin Willi [Mon, 22 Jul 2013 12:23:01 +0000 (14:23 +0200)]
libradius: support encryption of User-Password attributes
Martin Willi [Mon, 22 Jul 2013 12:16:38 +0000 (14:16 +0200)]
utils: add round_up/down() helper functions
Martin Willi [Mon, 22 Jul 2013 11:45:31 +0000 (13:45 +0200)]
libradius: refactor generic RADIUS en-/decryption function to a message method
Martin Willi [Mon, 22 Jul 2013 08:17:38 +0000 (10:17 +0200)]
eap-radius: export function to build common attributes of Access-Request
Martin Willi [Mon, 22 Jul 2013 07:55:00 +0000 (09:55 +0200)]
eap-radius: export function to process common attributes of Access-Accept
Martin Willi [Wed, 24 Jul 2013 14:20:46 +0000 (16:20 +0200)]
mem-pool: add option for reusing online leases, and disable it by default
Mainly for reauthentication with third party implementations, we allowed
reusing an online lease, but only for the same peer identity and when it
explicitly requested the same address.
This has always been problematic, because it changes the reqid of the CHILD_SA
with the same traffic selectors, breaking the old tunnel. As we now reject
such policy overwrites, this usually lets the installation of the new policies
fail. We therefore disable reassignment of online leases by default.
Martin Willi [Wed, 24 Jul 2013 14:13:07 +0000 (16:13 +0200)]
mem-pool: replace per-identity online/offline lists by more efficient arrays
This saves two lists per connected peer identity, up to 0.4KB.
Martin Willi [Wed, 24 Jul 2013 13:45:39 +0000 (15:45 +0200)]
mem-pool: refcount online lease when reassigning it to another tunnel
When we reassign an online lease for the same peer, we have to refcount it.
Otherwise we would set it offline if one of the tunnels goes down, but it is
actually still in use by the second tunnel. This can finally lead to
assigning the same virtual IP to different peers.
Tobias Brunner [Thu, 25 Jul 2013 15:08:17 +0000 (17:08 +0200)]
ikev1: Always send ID payloads (traffic selectors) during Quick Mode
Especially Windows 7 has problems if the peer does not send ID payloads
for host-to-host connections (tunnel and transport mode).
Fixes #319.
Tobias Brunner [Thu, 25 Jul 2013 14:57:42 +0000 (16:57 +0200)]
watcher: Made notify array initialization compatible with older GCC versions
Tobias Brunner [Wed, 24 Jul 2013 10:16:52 +0000 (12:16 +0200)]
unit-tests: Add additional tests for host_t
Tobias Brunner [Wed, 24 Jul 2013 14:23:14 +0000 (16:23 +0200)]
imv-attestation: Properly measure complete directories
Tobias Brunner [Wed, 24 Jul 2013 14:03:38 +0000 (16:03 +0200)]
array: Number of items in get_size() is unsigned
Otherwise, array->esize is promoted to int and if array->esize * num
results in a value > 0x7fffffff the return value would be incorrect due
to the implicit sign extension when getting cast to size_t.
Tobias Brunner [Wed, 24 Jul 2013 09:18:31 +0000 (11:18 +0200)]
stream: Ensure UNIX socket path is null terminated
Tobias Brunner [Wed, 24 Jul 2013 09:11:25 +0000 (11:11 +0200)]
kernel-pfkey: Add sanity check when deleting policies
Tobias Brunner [Wed, 24 Jul 2013 09:04:34 +0000 (11:04 +0200)]
imv-os: check_packages() fails if product query fails
Tobias Brunner [Wed, 24 Jul 2013 08:58:34 +0000 (10:58 +0200)]
pkcs5: Add missing break statements when checking crypto primitives
Tobias Brunner [Wed, 24 Jul 2013 08:45:32 +0000 (10:45 +0200)]
imv-scanner: Properly check snprintf() return value
Tobias Brunner [Wed, 24 Jul 2013 08:36:49 +0000 (10:36 +0200)]
socket-dynamic: Properly initialize IPv6 address
Tobias Brunner [Wed, 24 Jul 2013 08:33:06 +0000 (10:33 +0200)]
unit-tests: Add test for host_create_netmask()
Tobias Brunner [Wed, 24 Jul 2013 08:31:52 +0000 (10:31 +0200)]
host: Prevent overflow in host_create_netmask() if mask is 0 or 32/128
Tobias Brunner [Wed, 24 Jul 2013 07:04:09 +0000 (09:04 +0200)]
imv-attestation: Use proper cast for length when using %.*s
Tobias Brunner [Wed, 24 Jul 2013 07:00:35 +0000 (09:00 +0200)]
tnc-ifmap: Use proper cast for length when using %.*s
Tobias Brunner [Wed, 24 Jul 2013 06:43:10 +0000 (08:43 +0200)]
capabilities: Proper error handling when reading groups
Tobias Brunner [Tue, 23 Jul 2013 10:23:05 +0000 (12:23 +0200)]
strongswan.conf: Moved some stuff around
Tobias Brunner [Mon, 22 Jul 2013 16:12:04 +0000 (18:12 +0200)]
ipsec: Add --piddir to retrieve the PID/socket directory
Tobias Brunner [Mon, 22 Jul 2013 15:59:49 +0000 (17:59 +0200)]
starter: Properly refer to the ipsec script if it was renamed
Tobias Brunner [Mon, 22 Jul 2013 15:53:56 +0000 (17:53 +0200)]
coupling: Fix call to call_hook()
Tobias Brunner [Mon, 22 Jul 2013 15:45:43 +0000 (17:45 +0200)]
strongswan.conf: Add missing options