ikev1: Add fragmentation support for Windows peers
I still think ipsec/l2tp with fragmentation support is a useful
fallback option in case the Windows IKEv2 connection fails because
of fragmentation problems.
Tobias Brunner [Thu, 9 Oct 2014 08:10:23 +0000 (10:10 +0200)]
eap-radius: Add option to set interval for interim accounting updates
Any interval returned by the RADIUS server in the Access-Accept message
overrides the configured interval. But it might be useful if RADIUS is
only used for accounting.
The maximum for IKEv1 is already 255 due to the 8-bit fragment number.
With an overhead of 17 bytes (x64) per fragment and a default maximum
of 10000 bytes per packet the maximum memory required is 14 kB
for a fragmented message.
Tobias Brunner [Mon, 23 Jun 2014 08:26:04 +0000 (10:26 +0200)]
ikev2: Send retransmits using the latest known addresses
For instance, if a DPD exchange is initiated by the gateway when a
mobile client is roaming and it then gets a new IP address and sends
an address update via MOBIKE, the DPD retransmits would still be sent
to the old address and the SA would eventually get closed.
Tobias Brunner [Thu, 12 Jun 2014 14:28:27 +0000 (16:28 +0200)]
ike: Move fragmentation to ike_sa_t
The message() hook on bus_t is now called exactly once before (plain) and
once after fragmenting (!plain), not twice for the complete message and again
for each individual fragment, as was the case in earlier iterations.
For inbound messages the hook is called once for each fragment (!plain)
and twice for the reassembled message.
The comment indicated this but it was always set anyway. All internal
commands are called via their absolute paths, so the script only uses PATH for
the uname command, but if that is not located in one of the configured
directories the script will fail.
Also, since the internal commands are called via their absolute paths there is
no need to add the directories to PATH.
Tobias Brunner [Thu, 2 Oct 2014 10:28:37 +0000 (12:28 +0200)]
ikev1: Don't queue more than one mode config or XAuth task
At the time we reset an IKE_SA (e.g. when re-authenticating a not yet
established SA due to a roaming event) such tasks might already be queued
by one of the phase 1 tasks. If the SA is initiated again another task will
get queued by the phase 1 task. This results in e.g. multiple mode config
requests, which most gateways will have problems with.
Tobias Brunner [Tue, 7 Oct 2014 10:01:05 +0000 (12:01 +0200)]
testing: Make TNC scenarios agnostic to the actual Debian version
The scenarios will work with new or old base images as long as the version
in use is included as product in the master data (src/libimcv/imv/data.sql).
Tobias Brunner [Tue, 7 Oct 2014 08:47:06 +0000 (10:47 +0200)]
testing: Make TKM related build recipes future-proof
The tkm scenarios recently failed due to a segmentation fault on my host
because I had an old build of the tkm library already built in the build
directory. Because the stamp file was not versioned the new release was
never checked out or built and charon-tkm was linked against the old
version causing a segmentation fault during key derivation.
Martin Willi [Mon, 6 Oct 2014 16:31:14 +0000 (18:31 +0200)]
Merge branch 'ext-auth'
Integrates the ext-auth plugin by Vyronas Tsingaras. The new child process
abstraction simplifies implementation in both the new ext-auth and the existing
updown plugin, and makes them available on the Windows platform.
Andreas Steffen [Sun, 5 Oct 2014 16:40:24 +0000 (18:40 +0200)]
OS IMV proposes IF-M segmentation contract
The OS IMV sends a TCG IF-M Segmentation contract request.
All IETF standard attributes support segmentation. Additionally
the IETF Installed Packages standard attributes supports
incremental processing while segments are received.
Martin Willi [Fri, 3 Oct 2014 10:26:56 +0000 (12:26 +0200)]
testing: Reissue attribute certificates for the new holder certificates
Due to the expired and reissued holder certificates of carol and dave, new
attribute certificates are required to match the holder certificates serial in
the ikev2/acert-{cached,fallback,inline} tests.
The position of tasks in the queue does not actually determine the order
in which they are activated. Instead this is determined by the
statements in task_manager_v2_t.initiate().
Martin Willi [Wed, 24 Sep 2014 13:53:46 +0000 (15:53 +0200)]
travis: Disable soup in "all" test
On Ubuntu 12.04, there seems to be a resource leak related to pthread keys
when initializing glib or related libraries more than once. With our repeated
initialization for libstrongswan tests, we hit the following error:
Lib (gthread-posix.c): Unexpected error from C library during
'pthread_key_create': Resource temporarily unavailable.
The problem is not reproducible on a newer Gnome stack, hence we disable the
glib based soup plugin until we have a more recent Ubuntu on Travis.
Martin Willi [Wed, 24 Sep 2014 11:13:19 +0000 (13:13 +0200)]
curl: For SSL features, depend on thread-safety provided by our crypto plugins
To use SSL in curl, we need to initialize the SSL library in a thread-safe
manner and provide the appropriate callbacks. As we already do that in our
crypto plugins using these libraries, we depend on these features.
This implies that we need the same plugin enabled (openssl, gcrypt) as the
curl backend is configured to use to fetch from HTTPS URIs.
Martin Willi [Wed, 24 Sep 2014 10:24:13 +0000 (12:24 +0200)]
configure: Load fetcher plugins after crypto base plugins
Some fetcher plugins (such as curl) might build upon OpenSSL to implement
HTTPS fetching. As we set (and can't unset) threading callbacks in our
openssl plugin, we must ensure that OpenSSL functions don't get called after
openssl plugin unloading.
We achieve that by loading curl and all other fetcher plugins after the base
crypto plugins, including openssl.
projects / thirdparty / strongswan.git / log
