]>
git.ipfire.org Git - people/ms/strongswan.git/log
Martin Willi [Wed, 29 Oct 2014 11:06:04 +0000 (12:06 +0100)]
man: Document identification type prefixes in ipsec.conf(5)
Martin Willi [Wed, 29 Oct 2014 10:53:03 +0000 (11:53 +0100)]
identification: Support custom types in string constructor prefixes
Martin Willi [Wed, 29 Oct 2014 10:18:35 +0000 (11:18 +0100)]
identification: Support prefixes in string constructors for an explicit type
Martin Willi [Wed, 29 Oct 2014 10:12:38 +0000 (11:12 +0100)]
unit-tests: Re-align identification_create_from_string() unit test table data
Martin Willi [Wed, 22 Oct 2014 09:24:51 +0000 (11:24 +0200)]
threading: Support rwlock try_write_lock() on Windows
We explicitly avoided TryAcquireSRWLockExclusive() because of crashes. This
issue was caused by a MinGW-w64 bug (mingw-w64 fix
46f77afc ). Using a newer
toolchain works fine.
While try_write_lock() obviously can fail, not supporting it is not really an
option, as some algorithms depend on occasionally successful calls. Certificate
caching in the certificate manager and the cred_set cache rely on successful
try_write_lock()ing.
Martin Willi [Wed, 22 Oct 2014 09:23:49 +0000 (11:23 +0200)]
threading: Add a more explicit rwlock try_write_lock() testing
Tobias Brunner [Tue, 28 Oct 2014 15:42:06 +0000 (16:42 +0100)]
message: Include encrypted fragment payload in payload (order) rules
Otherwise fragmented CREATE_CHILD_SA exchanges won't get accepted
because they don't contain an SA payload.
It also prevents a warning when ordering payloads.
Fixes #752.
Tobias Brunner [Fri, 24 Oct 2014 09:14:51 +0000 (11:14 +0200)]
cert-cache: Prevent that a cached issuer is freed too early
Previously we got no reference to the cached issuer certificate
before releasing the lock of the cache line, this allowed other
threads, or even the same thread if it replaces a cache line, to
destroy that issuer certificate in cache() (or flush()) before
get_ref() for the issuer certificate is finally called.
Tobias Brunner [Wed, 22 Oct 2014 17:43:22 +0000 (19:43 +0200)]
unit-tests: Fix internet checksum tests on big-endian systems
We actually need to do a byte-swap, which ntohs() only does on
little-endian systems.
Fixes #747.
Tobias Brunner [Wed, 22 Oct 2014 17:41:40 +0000 (19:41 +0200)]
chunk: Fix internet checksum calculation on big-endian systems
ntohs() might be defined as noop (#define ntohs(x) (x)) so we have
to manually shorten the negated value (gets promoted to an int).
Fixes #747.
Martin Willi [Wed, 22 Oct 2014 12:50:09 +0000 (14:50 +0200)]
updown: Explicitly pass caller PATH to updown script
When invoking /bin/sh, its default PATH is used. On some systems, that does
not include the PATH where the ipsec script is installed, as charon is invoked
with a custom PATH. Explicitly setting the PATH of charon should fix this
case, properly invoking the (default) updown script.
Fixes #745.
Tobias Brunner [Mon, 20 Oct 2014 13:32:01 +0000 (15:32 +0200)]
ip-packet: Fix length in IPv6 header of generated packets
Andreas Steffen [Sat, 18 Oct 2014 12:05:53 +0000 (14:05 +0200)]
Increased fragment size to 1400 in ipv6/net2net-ikev1 scenario
Andreas Steffen [Sat, 18 Oct 2014 12:05:18 +0000 (14:05 +0200)]
Enabled IKEv2 fragmentation in ipv6/net2net-ikev2 scenario
Andreas Steffen [Sat, 18 Oct 2014 10:12:17 +0000 (12:12 +0200)]
Version bump to 5.2.1
Andreas Steffen [Fri, 17 Oct 2014 15:59:43 +0000 (17:59 +0200)]
Remove unneeded get_count() method
Andreas Steffen [Fri, 17 Oct 2014 14:11:40 +0000 (16:11 +0200)]
Process TCG/PTS File Measurement attribute incrementally
Andreas Steffen [Thu, 16 Oct 2014 11:38:51 +0000 (13:38 +0200)]
Exempt TCG/SEG attributes from unsupported case statement
Andreas Steffen [Thu, 16 Oct 2014 05:49:14 +0000 (07:49 +0200)]
Request IF-M segmentation contract for TCG/PTS subtype
Martin Willi [Wed, 15 Oct 2014 12:26:03 +0000 (14:26 +0200)]
tls: Fix an invalid free on CBC encryption failure
Martin Willi [Wed, 15 Oct 2014 12:20:36 +0000 (14:20 +0200)]
tls: Fix a memory leak if AEAD encryption fails
Martin Willi [Wed, 15 Oct 2014 12:17:30 +0000 (14:17 +0200)]
tls: Check all bytes of the padding if they equal the padding length
Tobias Brunner [Mon, 13 Oct 2014 16:18:56 +0000 (18:18 +0200)]
android: Fix PA-TNC construction based on data passed via JNI
Tobias Brunner [Mon, 13 Oct 2014 16:17:30 +0000 (18:17 +0200)]
libimcv: Add generic constructor for PA-TNC attributes
Tobias Brunner [Tue, 14 Oct 2014 15:26:48 +0000 (17:26 +0200)]
backtrace: Fix symbol lookup in dynamic symtab via libbfd
Tobias Brunner [Tue, 14 Oct 2014 15:10:59 +0000 (17:10 +0200)]
swid-inventory: Remove unused variable end_of_tag
Tobias Brunner [Tue, 14 Oct 2014 14:46:07 +0000 (16:46 +0200)]
swanctl: Fix man page build on FreeBSD
BSD make seems to only evaluate $< for certain rules (like the suffix rule
used to generate the config template).
Martin Willi [Tue, 14 Oct 2014 10:43:16 +0000 (12:43 +0200)]
thread: Test for pending cancellation requests before select()ing on OS X
This fixes some vici test cases on OS X, where the test thread tries to cancel
the watcher thread during cleanup, but fails as select() does not honor the
pre-issued cancellation request.
Martin Willi [Tue, 14 Oct 2014 10:13:32 +0000 (12:13 +0200)]
vici: Return default value for get_int() if message value is empty string
This is the behavior of some strtol() implementations, and it makes sense,
so force it.
Martin Willi [Tue, 14 Oct 2014 09:57:06 +0000 (11:57 +0200)]
process: Don't use the shells built-in echo in tests
On OS X, the /bin/sh built-in echo does not support -n.
Martin Willi [Tue, 14 Oct 2014 09:55:36 +0000 (11:55 +0200)]
process: Don't use absolute path names for true/false/cat in unit tests
But use the (builtin) shell commands instead, as on OS X true/false are under
/usr/bin.
Martin Willi [Tue, 14 Oct 2014 09:40:43 +0000 (11:40 +0200)]
kernel-pfroute: Check for RTM_IFANNOUNCE availability
This message is not available on OS X.
Martin Willi [Tue, 14 Oct 2014 09:40:03 +0000 (11:40 +0200)]
process: Include missing <signal.h> for raise(3)
Fixes OS X build.
Tobias Brunner [Tue, 14 Oct 2014 13:35:08 +0000 (15:35 +0200)]
ike: Add IKEv2 in description of fragment_size option in strongswan.conf
Tobias Brunner [Tue, 14 Oct 2014 12:05:48 +0000 (14:05 +0200)]
ip-packet: Fix removal of TFC padding for IPv6
The IPv6 length field denotes the payload length after the 40 bytes header.
Fixes: 293515f95cf5 ("libipsec: remove extra RFC4303 TFC padding appended to inner payload")
Tobias Brunner [Tue, 14 Oct 2014 09:07:32 +0000 (11:07 +0200)]
vici: Add vici.gemspec.in and vici.rb to distribution
Martin Willi [Tue, 14 Oct 2014 09:11:34 +0000 (11:11 +0200)]
travis: Build-test updown and ext-auth plugins for Windows
Tobias Brunner [Tue, 14 Oct 2014 08:37:55 +0000 (10:37 +0200)]
android: Implement get_contracts() method in IMC state object
Tobias Brunner [Tue, 14 Oct 2014 08:12:02 +0000 (10:12 +0200)]
android: libpts does not exist anymore, don't attempt to load it
Tobias Brunner [Mon, 13 Oct 2014 16:15:34 +0000 (18:15 +0200)]
android: Update receive_message() to new imc_msg_t.receive() signature
Tobias Brunner [Mon, 13 Oct 2014 16:10:18 +0000 (18:10 +0200)]
libimcv: Add fallback if IPSEC_SCRIPT is not defined
This is the case on Android.
Tobias Brunner [Mon, 13 Oct 2014 15:59:47 +0000 (17:59 +0200)]
libimcv: Updated Android.mk to latest Makefile.am
Tobias Brunner [Mon, 13 Oct 2014 15:18:06 +0000 (17:18 +0200)]
android: Remove references to libpts
Tobias Brunner [Mon, 13 Oct 2014 15:17:45 +0000 (17:17 +0200)]
libimcv: Remove reference to libpts
Tobias Brunner [Mon, 13 Oct 2014 15:11:57 +0000 (17:11 +0200)]
libimcv: Fix Doxygen comments after merging libpts into libimcv
Tobias Brunner [Mon, 13 Oct 2014 14:56:30 +0000 (16:56 +0200)]
watcher: Doxygen comment fixed
Tobias Brunner [Mon, 13 Oct 2014 14:51:20 +0000 (16:51 +0200)]
charon-systemd: Typo in log message fixed
Avesh Agarwal [Mon, 13 Oct 2014 14:15:33 +0000 (16:15 +0200)]
libimcv: Fix harcoded IMCV_DEFAULT_POLICY_SCRIPT name
I came across an issue with src/libimcv/imcv.c where
IMCV_DEFAULT_POLICY_SCRIPT is hardcoded.
It fails where ipsec_script is renamed to, for example, strongswan from
default ipsec.
Tobias Brunner [Mon, 13 Oct 2014 13:48:55 +0000 (15:48 +0200)]
testing: Enable nat table for iptables on 3.17 kernels
Tobias Brunner [Fri, 10 Oct 2014 10:55:39 +0000 (12:55 +0200)]
ike: Do remote address updates also when behind static NATs
We assume that a responder is behind a static NAT (e.g. port forwarding)
and allow remote address updates in such situations.
The problem described in RFC 5996 is only an issue if the NAT mapping
can expire.
Tobias Brunner [Fri, 10 Oct 2014 10:44:15 +0000 (12:44 +0200)]
ike: Remove redundant check for local NAT when handling changed NAT mappings
Andreas Steffen [Sat, 11 Oct 2014 13:01:21 +0000 (15:01 +0200)]
testing: Lower batch size to demonstrated segmetation of TCG/SWID Tag ID Inventory attribute
Andreas Steffen [Sat, 11 Oct 2014 12:49:23 +0000 (14:49 +0200)]
Support of multiple directed segmentation contracts
Andreas Steffen [Sat, 11 Oct 2014 12:48:38 +0000 (14:48 +0200)]
unit-tests: Updated Makefile
Andreas Steffen [Sat, 11 Oct 2014 12:47:36 +0000 (14:47 +0200)]
unit-tests: Added test for seg_contract_manager
Andreas Steffen [Sat, 11 Oct 2014 12:46:38 +0000 (14:46 +0200)]
Added KVM config for 3.16 and 3.17 kernels
Andreas Steffen [Sat, 11 Oct 2014 09:40:32 +0000 (11:40 +0200)]
Updated build-database.sh script to 3.13.0-37 kernel
Tobias Brunner [Fri, 10 Oct 2014 16:37:13 +0000 (18:37 +0200)]
testing: Ensure no guest is running when modifying images
Sometimes guests are not stopped properly. If images are then modified
they will be corrupted.
Tobias Brunner [Fri, 10 Oct 2014 15:37:41 +0000 (17:37 +0200)]
testing: Enable virtio console for guests
This allows accessing the guests with `virsh console <name>`.
Using a serial console would also be possible but our kernel configs
have no serial drivers enabled, CONFIG_VIRTIO_CONSOLE is enabled though.
So to avoid having to recompile the kernels let's do it this way, only
requires rebuilding the guest images.
References #729.
Martin Willi [Fri, 10 Oct 2014 09:42:28 +0000 (11:42 +0200)]
Merge branch 'vici-ruby'
Adds a ruby gem for the VICI protocol, along with some documentation
improvements and some minor fixes to vici and swanctl.
Martin Willi [Fri, 10 Oct 2014 09:03:47 +0000 (11:03 +0200)]
NEWS: Introduce the vici ruby gem
Martin Willi [Thu, 9 Oct 2014 14:48:29 +0000 (16:48 +0200)]
swanctl: Fix exit codes based on errno
As fprintf() most likely sets errno, we should save it before printing the
error message.
Martin Willi [Thu, 9 Oct 2014 14:15:29 +0000 (16:15 +0200)]
vici: Cancel processor before calling library_deinit()
For non-direct libstrongswan users, the deinitialization segfaults because
of the missing worker thread cancellation.
Martin Willi [Thu, 9 Oct 2014 14:14:38 +0000 (16:14 +0200)]
vici: Reduce debug level during thread spawning
We want to avoid libvici users to get a cluttered stderr for no real error.
Martin Willi [Thu, 9 Oct 2014 14:11:29 +0000 (16:11 +0200)]
vici: Don't include-depend on libstrongswan for boolean types
As we want to avoid the libstrongswan include dependencies for libvici, avoid
the use of the bool type. Unfortunately this change may break the ABI for
vici_dump(). As this function is mostly for debugging purposes, we do it
nonetheless; my apologies if somebody already relies on the ABI stability of
that function.
Martin Willi [Thu, 9 Oct 2014 15:22:08 +0000 (17:22 +0200)]
vici: Document the ruby gem and add some simple examples
Martin Willi [Thu, 9 Oct 2014 14:42:01 +0000 (16:42 +0200)]
vici: Add some simple libvici examples to the README
Martin Willi [Wed, 8 Oct 2014 16:13:31 +0000 (18:13 +0200)]
vici: Document the available vici command and event messages
Martin Willi [Wed, 8 Oct 2014 11:46:22 +0000 (13:46 +0200)]
vici: Use "gem"-assisted vici ruby gem building and installation
Martin Willi [Wed, 8 Oct 2014 11:44:44 +0000 (13:44 +0200)]
configure: Add global --enable-ruby-gems and --with-rubygemdir options
This provides the options to build and install ruby gems for components
providing them, such as vici.
Martin Willi [Wed, 1 Oct 2014 13:59:43 +0000 (15:59 +0200)]
vici: Add a ruby gem providing a native vici interface
Martin Willi [Mon, 6 Oct 2014 16:13:39 +0000 (18:13 +0200)]
vici: Return a success result for the clear-creds command
Even if the command actually can't fail, this looks more aligned to similar
commands.
Martin Willi [Tue, 30 Sep 2014 16:43:20 +0000 (18:43 +0200)]
vici: Fix message encoding type values in documentation
Volker RĂ¼melin [Thu, 25 Sep 2014 07:18:17 +0000 (09:18 +0200)]
ikev1: Add fragmentation support for Windows peers
I still think ipsec/l2tp with fragmentation support is a useful
fallback option in case the Windows IKEv2 connection fails because
of fragmentation problems.
Tested with Windows XP, 7 and 8.1.
Tobias Brunner [Thu, 9 Oct 2014 08:10:23 +0000 (10:10 +0200)]
eap-radius: Add option to set interval for interim accounting updates
Any interval returned by the RADIUS server in the Access-Accept message
overrides the configured interval. But it might be useful if RADIUS is
only used for accounting.
Tobias Brunner [Fri, 10 Oct 2014 07:48:06 +0000 (09:48 +0200)]
NEWS: IKEv2 fragmentation mentioned
Tobias Brunner [Fri, 10 Oct 2014 07:35:27 +0000 (09:35 +0200)]
Merge branch 'ikev2-fragmentation'
This adds support for IKEv2 fragmentation as per RFC 7383.
Tobias Brunner [Tue, 16 Sep 2014 14:52:23 +0000 (16:52 +0200)]
testing: Add ikev2/net2net-fragmentation scenario
Tobias Brunner [Tue, 16 Sep 2014 14:51:58 +0000 (16:51 +0200)]
testing: Update ikev1/net2net-fragmentation scenario
Tobias Brunner [Tue, 16 Sep 2014 13:51:21 +0000 (15:51 +0200)]
message: Limit maximum number of IKEv2 fragments
The maximum for IKEv1 is already 255 due to the 8-bit fragment number.
With an overhead of 17 bytes (x64) per fragment and a default maximum
of 10000 bytes per packet the maximum memory required is 14 kB
for a fragmented message.
Tobias Brunner [Tue, 16 Sep 2014 13:38:38 +0000 (15:38 +0200)]
packet: Define a global default maximum size for IKE packets
Tobias Brunner [Mon, 15 Sep 2014 15:51:22 +0000 (17:51 +0200)]
message: Ensure a minimum fragment length
Tobias Brunner [Mon, 23 Jun 2014 08:26:04 +0000 (10:26 +0200)]
ikev2: Send retransmits using the latest known addresses
For instance, if a DPD exchange is initiated by the gateway when a
mobile client is roaming and it then gets a new IP address and sends
an address update via MOBIKE, the DPD retransmits would still be sent
to the old address and the SA would eventually get closed.
Tobias Brunner [Mon, 16 Jun 2014 13:50:08 +0000 (15:50 +0200)]
ikev2: Send and receive fragmented IKE messages
If a fragmented message is retransmitted only the first packet is passed
to the alert() hook.
Tobias Brunner [Mon, 16 Jun 2014 13:48:47 +0000 (15:48 +0200)]
ike: IKE_SA may fragment IKEv2 messages
Tobias Brunner [Mon, 16 Jun 2014 13:47:03 +0000 (15:47 +0200)]
ike: Do not cache MID of IKEv2 fragments
This fails if there are unencrypted payloads before an encrypted
fragment payload in the first fragment.
Tobias Brunner [Mon, 16 Jun 2014 13:46:33 +0000 (15:46 +0200)]
message: Fragment and reassemble IKEv2 messages
Tobias Brunner [Mon, 16 Jun 2014 13:38:45 +0000 (15:38 +0200)]
message: Handle encrypted fragment payload similar to the encrypted payload
Tobias Brunner [Mon, 16 Jun 2014 13:29:45 +0000 (15:29 +0200)]
ikev2: Add encrypted fragment payload
Tobias Brunner [Mon, 16 Jun 2014 13:01:28 +0000 (15:01 +0200)]
encrypted_payload: Encrypted payload can be constructed from plaintext
Tobias Brunner [Thu, 12 Jun 2014 19:42:07 +0000 (21:42 +0200)]
encrypted_payload: Expose generate() to generate the plaintext
Tobias Brunner [Thu, 12 Jun 2014 17:04:24 +0000 (19:04 +0200)]
encrypted_payload: Extract some utility functions
Tobias Brunner [Thu, 12 Jun 2014 16:39:30 +0000 (18:39 +0200)]
message: Split generate() in multiple functions
Tobias Brunner [Fri, 6 Jun 2014 14:19:55 +0000 (16:19 +0200)]
ikev2: Negotiate support for IKEv2 fragmentation
Tobias Brunner [Fri, 6 Jun 2014 13:12:16 +0000 (15:12 +0200)]
ikev2: Add notify for IKEv2 fragmentation
Tobias Brunner [Fri, 13 Jun 2014 14:00:59 +0000 (16:00 +0200)]
ikev1: Move defragmentation to message_t
Tobias Brunner [Thu, 12 Jun 2014 14:28:27 +0000 (16:28 +0200)]
ike: Move fragmentation to ike_sa_t
The message() hook on bus_t is now called exactly once before (plain) and
once after fragmenting (!plain), not twice for the complete message and again
for each individual fragment, as was the case in earlier iterations.
For inbound messages the hook is called once for each fragment (!plain)
and twice for the reassembled message.
Tobias Brunner [Thu, 12 Jun 2014 08:14:00 +0000 (10:14 +0200)]
message: fragment() generates message and fragments and caches them
Tobias Brunner [Thu, 12 Jun 2014 08:01:18 +0000 (10:01 +0200)]
message: Make packet argument optional in generate()
Tobias Brunner [Tue, 10 Jun 2014 13:53:11 +0000 (15:53 +0200)]
ikev1: Move fragment generation to message_t