Tobias Brunner [Fri, 10 Oct 2014 15:37:41 +0000 (17:37 +0200)]
testing: Enable virtio console for guests
This allows accessing the guests with `virsh console <name>`.
Using a serial console would also be possible but our kernel configs
have no serial drivers enabled, CONFIG_VIRTIO_CONSOLE is enabled though.
So to avoid having to recompile the kernels let's do it this way, only
requires rebuilding the guest images.
Martin Willi [Thu, 9 Oct 2014 14:11:29 +0000 (16:11 +0200)]
vici: Don't include-depend on libstrongswan for boolean types
As we want to avoid the libstrongswan include dependencies for libvici, avoid
the use of the bool type. Unfortunately this change may break the ABI for
vici_dump(). As this function is mostly for debugging purposes, we do it
nonetheless; my apologies if somebody already relies on the ABI stability of
that function.
ikev1: Add fragmentation support for Windows peers
I still think ipsec/l2tp with fragmentation support is a useful
fallback option in case the Windows IKEv2 connection fails because
of fragmentation problems.
Tobias Brunner [Thu, 9 Oct 2014 08:10:23 +0000 (10:10 +0200)]
eap-radius: Add option to set interval for interim accounting updates
Any interval returned by the RADIUS server in the Access-Accept message
overrides the configured interval. But it might be useful if RADIUS is
only used for accounting.
The maximum for IKEv1 is already 255 due to the 8-bit fragment number.
With an overhead of 17 bytes (x64) per fragment and a default maximum
of 10000 bytes per packet the maximum memory required is 14 kB
for a fragmented message.
Tobias Brunner [Mon, 23 Jun 2014 08:26:04 +0000 (10:26 +0200)]
ikev2: Send retransmits using the latest known addresses
For instance, if a DPD exchange is initiated by the gateway when a
mobile client is roaming and it then gets a new IP address and sends
an address update via MOBIKE, the DPD retransmits would still be sent
to the old address and the SA would eventually get closed.
Tobias Brunner [Thu, 12 Jun 2014 14:28:27 +0000 (16:28 +0200)]
ike: Move fragmentation to ike_sa_t
The message() hook on bus_t is now called exactly once before (plain) and
once after fragmenting (!plain), not twice for the complete message and again
for each individual fragment, as was the case in earlier iterations.
For inbound messages the hook is called once for each fragment (!plain)
and twice for the reassembled message.
The comment indicated this but it was always set anyway. All internal
commands are called via their absolute paths, so the script only uses PATH for
the uname command, but if that is not located in one of the configured
directories the script will fail.
Also, since the internal commands are called via their absolute paths there is
no need to add the directories to PATH.
Tobias Brunner [Thu, 2 Oct 2014 10:28:37 +0000 (12:28 +0200)]
ikev1: Don't queue more than one mode config or XAuth task
At the time we reset an IKE_SA (e.g. when re-authenticating a not yet
established SA due to a roaming event) such tasks might already be queued
by one of the phase 1 tasks. If the SA is initiated again another task will
get queued by the phase 1 task. This results in e.g. multiple mode config
requests, which most gateways will have problems with.
Tobias Brunner [Tue, 7 Oct 2014 10:01:05 +0000 (12:01 +0200)]
testing: Make TNC scenarios agnostic to the actual Debian version
The scenarios will work with new or old base images as long as the version
in use is included as product in the master data (src/libimcv/imv/data.sql).
Tobias Brunner [Tue, 7 Oct 2014 08:47:06 +0000 (10:47 +0200)]
testing: Make TKM related build recipes future-proof
The tkm scenarios recently failed due to a segmentation fault on my host
because I had an old build of the tkm library already built in the build
directory. Because the stamp file was not versioned the new release was
never checked out or built and charon-tkm was linked against the old
version causing a segmentation fault during key derivation.
Martin Willi [Mon, 6 Oct 2014 16:31:14 +0000 (18:31 +0200)]
Merge branch 'ext-auth'
Integrates the ext-auth plugin by Vyronas Tsingaras. The new child process
abstraction simplifies implementation in both the new ext-auth and the existing
updown plugin, and makes them available on the Windows platform.
Andreas Steffen [Sun, 5 Oct 2014 16:40:24 +0000 (18:40 +0200)]
OS IMV proposes IF-M segmentation contract
The OS IMV sends a TCG IF-M Segmentation contract request.
All IETF standard attributes support segmentation. Additionally
the IETF Installed Packages standard attributes supports
incremental processing while segments are received.