strongswan.git
stroke: use a stream service to handle stroke requests
Martin Willi [Fri, 28 Jun 2013 12:35:12 +0000 (14:35 +0200)]

stream: allow async read/write callback to destroy the stream explicitly
Martin Willi [Tue, 2 Jul 2013 12:09:45 +0000 (14:09 +0200)]

stream: don't close underlying socket when creating a stream from it
Martin Willi [Tue, 2 Jul 2013 12:04:51 +0000 (14:04 +0200)]

watcher: add some debugging statements
Martin Willi [Tue, 2 Jul 2013 12:03:51 +0000 (14:03 +0200)]

watcher: if the processor has no threads, execute the job with watcher thread
Martin Willi [Tue, 2 Jul 2013 09:01:10 +0000 (11:01 +0200)]

This is important during shutdown, where we might need to signal some FDs while
all idle threads are gone already.

processor: add a getter for the threads passed to set_threads()
Martin Willi [Tue, 2 Jul 2013 09:00:27 +0000 (11:00 +0200)]

watcher: unregister a watcher FD if its thread gets cancelled
Martin Willi [Mon, 1 Jul 2013 16:38:42 +0000 (18:38 +0200)]

watcher: release threads waiting in remove() when watcher thread gets cancelled
Martin Willi [Mon, 1 Jul 2013 16:34:08 +0000 (18:34 +0200)]

During daemon shutdown, users might call remove() after processor.set_threads(0)
has been called. This gets problematic, as a watch event might be unable
to signal completion when no threads are available anymore. Work around this
issue by cancelling waiters once processor.cancel() has been called.

stream: support keeping the service alive outside of service callback
Martin Willi [Mon, 1 Jul 2013 12:57:28 +0000 (14:57 +0200)]

stream: add read/write_all() methods to stream
Martin Willi [Mon, 1 Jul 2013 08:36:52 +0000 (10:36 +0200)]

stream: support cancellation of stream service callback
Martin Willi [Fri, 28 Jun 2013 12:33:03 +0000 (14:33 +0200)]

stream: use a service constructor to create services
Martin Willi [Fri, 28 Jun 2013 12:55:27 +0000 (14:55 +0200)]

It does not make much sense to reference running services in the manager,
especially as unregistration would need the URI (which a user would have to
store instead of the service reference).

stream: replace print/vprint() convenience functions by a FILE* getter
Martin Willi [Fri, 28 Jun 2013 12:33:41 +0000 (14:33 +0200)]

While this will complicate the implementation of streams not based on a fd,
it allows us to unleash the full power of FILE based convenience functions.

stream: add a concurrency option to services, limiting parallel callbacks
Martin Willi [Fri, 28 Jun 2013 09:50:59 +0000 (11:50 +0200)]

stream: add a job priority option to stream services
Martin Willi [Fri, 28 Jun 2013 08:32:30 +0000 (10:32 +0200)]

stream: add backlog option to stream services, forward to listen()
Martin Willi [Fri, 28 Jun 2013 08:20:13 +0000 (10:20 +0200)]

stream: add support for TCP stream services
Martin Willi [Thu, 27 Jun 2013 15:25:51 +0000 (17:25 +0200)]

stream: add support for TCP streams
Martin Willi [Thu, 27 Jun 2013 15:25:21 +0000 (17:25 +0200)]

stream: add support for UNIX stream services
Martin Willi [Wed, 26 Jun 2013 15:16:33 +0000 (17:16 +0200)]

stream: add support for UNIX streams
Martin Willi [Wed, 26 Jun 2013 15:08:14 +0000 (17:08 +0200)]

stream: support async operation using watcher
Martin Willi [Thu, 27 Jun 2013 13:49:11 +0000 (15:49 +0200)]

stream: add printf()-style convenience functions
Martin Willi [Thu, 27 Jun 2013 09:46:41 +0000 (11:46 +0200)]

stream: create library instance of stream-manager
Martin Willi [Thu, 27 Jun 2013 08:16:00 +0000 (10:16 +0200)]

stream: add a manager to dynamically register streams and services
Martin Willi [Wed, 26 Jun 2013 15:28:19 +0000 (17:28 +0200)]

stream: add a stream service class abstracting services using BSD sockets
Martin Willi [Wed, 26 Jun 2013 15:13:11 +0000 (17:13 +0200)]

stream: add a stream class abstracting BSD sockets
Martin Willi [Wed, 26 Jun 2013 15:03:19 +0000 (17:03 +0200)]

Currently only synchronous operation is supported, but this will be extended
with asynchronous methods using the new watcher.

watcher: add a centralized and generic facility to monitor file descriptors
Martin Willi [Mon, 24 Jun 2013 12:58:01 +0000 (14:58 +0200)]

kernel-pfkey: Fail route installation if remote TS matches peer
Tobias Brunner [Thu, 18 Jul 2013 13:41:36 +0000 (15:41 +0200)]

kernel-libipsec: Fail route installation if remote TS matches peer
Tobias Brunner [Thu, 18 Jul 2013 13:41:13 +0000 (15:41 +0200)]

capabilities: Some plugins don't actually require capabilities at runtime
Tobias Brunner [Mon, 8 Jul 2013 16:24:43 +0000 (18:24 +0200)]

capabilities: Add function to check if a capability is held, without keeping it
Tobias Brunner [Mon, 8 Jul 2013 15:48:16 +0000 (17:48 +0200)]

This can be useful if capabilities are not required anymore after
dropping privileges.

NEWS: leak-detective improvements
Martin Willi [Thu, 18 Jul 2013 13:13:49 +0000 (15:13 +0200)]

NEWS: add keychain plugin
Martin Willi [Thu, 18 Jul 2013 13:07:00 +0000 (15:07 +0200)]

autoconf: replace autogen.sh custom script with a call to autoreconf -i
Martin Willi [Thu, 18 Jul 2013 10:01:18 +0000 (12:01 +0200)]

automake: replace INCLUDES by AM_CPPFLAGS
Martin Willi [Wed, 17 Jul 2013 12:45:39 +0000 (14:45 +0200)]

INCLUDES are now deprecated and throw warnings when using automake 1.13.
We now also differentiate AM_CPPFLAGS and AM_CFLAGS, where includes and
defines are passed to AM_CPPFLAGS only.

autoconf: rename configure.in to configure.ac
Martin Willi [Wed, 17 Jul 2013 12:04:41 +0000 (14:04 +0200)]

configure.ac has been the recommended name for autoconf input for several
years now. Newer autotools start to complain about the configure.in, so we
finally change it.

eap-sim-pcsc: fix compiler warning
Martin Willi [Thu, 18 Jul 2013 12:55:05 +0000 (14:55 +0200)]

nm: omit deprecated g_type_init() when using >= GLIB 2.36
Martin Willi [Thu, 18 Jul 2013 12:21:17 +0000 (14:21 +0200)]

soup: omit deprecated g_type_init() when using >= GLIB 2.36
Martin Willi [Thu, 18 Jul 2013 12:19:37 +0000 (14:19 +0200)]

libfast: cancel thread if it fails to accept fcgi sessions
Martin Willi [Wed, 20 Feb 2013 14:21:51 +0000 (15:21 +0100)]

libfast: add a fast_ prefix to all classes, avoiding namespace clashes
Martin Willi [Wed, 17 Jul 2013 09:50:45 +0000 (11:50 +0200)]

Merge branch 'charon-xpc'
Martin Willi [Thu, 18 Jul 2013 10:18:32 +0000 (12:18 +0200)]

Implement a charon daemon controlled by the Apple specific XPC mechanism,
acting as a backend for a yet to build unprivileged GUI. The keychain plugin
coming with this merge provides certificates from the OS X keychain service.

xpc: allow easy copy & paste of ./configure instructions
Martin Willi [Wed, 26 Jun 2013 08:37:19 +0000 (10:37 +0200)]

xpc: use -idirafter to build against openssl headers from /usr/include
Martin Willi [Wed, 29 May 2013 12:50:47 +0000 (14:50 +0200)]

xpc: forward some raised alerts over XPC to App
Martin Willi [Mon, 27 May 2013 12:47:27 +0000 (14:47 +0200)]

xpc: enable close_ike_on_child_failure
Martin Willi [Mon, 27 May 2013 12:08:39 +0000 (14:08 +0200)]

xpc: send a "connecting" event when establishing a connection starts
Martin Willi [Wed, 22 May 2013 15:22:47 +0000 (17:22 +0200)]

xpc: use osx-attr plugin to install configuration attributes
Martin Willi [Wed, 15 May 2013 14:04:43 +0000 (16:04 +0200)]

xpc: update README with new events, markdown style fixes
Martin Willi [Fri, 3 May 2013 16:35:11 +0000 (18:35 +0200)]

xpc: send child_updown events over XPC channel
Martin Willi [Thu, 2 May 2013 16:11:47 +0000 (18:11 +0200)]

xpc: support termination of IKE_SAs using XPC RPC on connection channel
Martin Willi [Thu, 2 May 2013 15:45:58 +0000 (17:45 +0200)]

xpc: move XPC RPC reply creation to command dispatching
Martin Willi [Thu, 2 May 2013 14:43:44 +0000 (16:43 +0200)]

xpc: terminate daemon when last XPC connection to App gone
Martin Willi [Thu, 2 May 2013 12:40:23 +0000 (14:40 +0200)]

xpc: fix some refcounting issues related to XPC connections
Martin Willi [Thu, 2 May 2013 12:28:19 +0000 (14:28 +0200)]

xpc: no need to clear channel table, they are bound to IKE_SA lifetime
Martin Willi [Thu, 2 May 2013 11:58:22 +0000 (13:58 +0200)]

xpc: add support for logging over XPC channels
Martin Willi [Fri, 3 May 2013 14:55:22 +0000 (16:55 +0200)]

xpc: don't warn about pointer signedness mismatch (-Wno-pointer-sign)
Martin Willi [Thu, 2 May 2013 09:58:43 +0000 (11:58 +0200)]

xpc: add a description of the basic XPC protocol to README
Martin Willi [Thu, 2 May 2013 09:22:51 +0000 (11:22 +0200)]

xpc: use the same XPC message "type" mechanism on Mach service as on channels
Martin Willi [Thu, 2 May 2013 08:54:55 +0000 (10:54 +0200)]

xpc: ask App for passwords using connection specific channel
Martin Willi [Thu, 2 May 2013 08:36:37 +0000 (10:36 +0200)]

xpc: use IKE_SA specific XPC return channels for further communication
Martin Willi [Fri, 3 May 2013 14:53:29 +0000 (16:53 +0200)]

xpc: don't send certificate requests, there are too many when using keychain
Martin Willi [Wed, 1 May 2013 09:06:11 +0000 (11:06 +0200)]

xpc: build with support for the keychain plugin
Martin Willi [Fri, 3 May 2013 14:51:29 +0000 (16:51 +0200)]

xpc: add support for initiating simple IKEv2 EAP connections
Martin Willi [Fri, 26 Apr 2013 13:17:36 +0000 (15:17 +0200)]

xpc: move dispatching to dedicated class, using dedicated thread
Martin Willi [Fri, 3 May 2013 14:24:05 +0000 (16:24 +0200)]

xpc: use non-inlining variant of vstr, compiler does not like it
Martin Willi [Fri, 26 Apr 2013 12:32:32 +0000 (14:32 +0200)]

xpc: add Xcode project for a charon controlled through XPC
Martin Willi [Wed, 24 Apr 2013 08:38:19 +0000 (10:38 +0200)]

syslog: setlogmask() to include LOG_INFO
Martin Willi [Wed, 15 May 2013 08:36:08 +0000 (10:36 +0200)]

LOG_INFO seems to be excluded by default on some systems (OS X).

keychain: flush certificate cache after reloading System keychain
Martin Willi [Wed, 1 May 2013 09:14:16 +0000 (11:14 +0200)]

keychain: monitor changes in the system keychain, reload when necessary
Martin Willi [Wed, 1 May 2013 08:38:46 +0000 (10:38 +0200)]

keychain: use SearchCopyNext keychain enumeration for System certs as well
Martin Willi [Wed, 1 May 2013 08:37:49 +0000 (10:37 +0200)]

SecItemCopyMatching seems to be problematic regarding memory management. And
as there does not seem to be a good alternative to enumerate the System Roots
keychain using the SecItemCopyMatching API, we stick to the deprecated
enumeration functions for now.

keychain: load certificates from System Roots Keychain
Martin Willi [Tue, 30 Apr 2013 13:33:42 +0000 (15:33 +0200)]

keychain: load certificates only once during startup, improving performance
Martin Willi [Tue, 30 Apr 2013 12:50:48 +0000 (14:50 +0200)]

keychain: support on-the-fly enumeration of trusted/untrusted certificates
Martin Willi [Tue, 30 Apr 2013 09:59:01 +0000 (11:59 +0200)]

keychain: add a stub for a credential plugin using OS X Keychain Services
Martin Willi [Mon, 29 Apr 2013 09:19:57 +0000 (11:19 +0200)]

credmgr: stop querying for secrets once we get a perfect match
Martin Willi [Thu, 2 May 2013 08:07:36 +0000 (10:07 +0200)]

credmgr: don't use pointers for id_match_t enum values
Martin Willi [Thu, 2 May 2013 08:03:57 +0000 (10:03 +0200)]

openssl: parse X.509 extended key usage from extension parsing loop
Martin Willi [Tue, 30 Apr 2013 09:55:38 +0000 (11:55 +0200)]

Otherwise parsing gets aborted if unknown critical extensions are handled as
error.

openssl: show which critical X.509 extension is not supported
Martin Willi [Tue, 30 Apr 2013 09:46:11 +0000 (11:46 +0200)]

hashtable: add common hashtable hash/equals functions for pointer/string keys
Martin Willi [Wed, 1 May 2013 10:13:28 +0000 (12:13 +0200)]

thread: implicitly create thread_t if an external thread calls thread_current()
Martin Willi [Fri, 26 Apr 2013 14:59:34 +0000 (16:59 +0200)]

ike: Fix reestablishing SAs if no child-creating tasks are queued
Tobias Brunner [Thu, 18 Jul 2013 08:12:20 +0000 (10:12 +0200)]

ike-sa: uninstall CHILD_SAs before removing virtual IPs
Martin Willi [Thu, 18 Jul 2013 08:31:52 +0000 (10:31 +0200)]

a3854d83 changed cleanup order. But we should remove CHILD_SAs first, as routes
for CHILD_SAs might get deleted while removing virtual IPs, resulting in
an error when a CHILD_SA tries to uninstall its route.

unity: Replicate default behavior if no UNITY_SPLIT_INCLUDE attributes were received
Tobias Brunner [Mon, 15 Jul 2013 13:17:06 +0000 (15:17 +0200)]

unity: Allow UNITY_LOCAL_LAN to be longer than 8 bytes
Tobias Brunner [Mon, 15 Jul 2013 13:15:59 +0000 (15:15 +0200)]

unity: Fix memory leak in provider
Tobias Brunner [Mon, 15 Jul 2013 13:12:35 +0000 (15:12 +0200)]

ipsec.conf.5: closeaction is now supported for IKEv1
Tobias Brunner [Wed, 17 Jul 2013 16:18:57 +0000 (18:18 +0200)]

ikev1: Reestablish IKE_SA/CHILD_SAs if it gets deleted by the peer
Tobias Brunner [Thu, 4 Jul 2013 17:14:44 +0000 (19:14 +0200)]

We call ike_sa_t.reestablish() so the IKE_SA is only recreated if any
CHILD_SA requires it.

ike: Migrate queued CHILD_SA-creating tasks when reestablishing an IKE_SA
Tobias Brunner [Wed, 3 Jul 2013 16:28:37 +0000 (18:28 +0200)]

ikev1: Support closeaction of CHILD_SA.
Oliver Smith [Fri, 28 Jun 2013 16:41:19 +0000 (09:41 -0700)]

When a CHILD_SA is closed in IKEv1, if it is not being rekeyed and
closeaction has been set, we can now perform a restart or hold as is
currently done for IKEv2.

Merge branch 'kernel-pfroute-mobility'
Tobias Brunner [Wed, 17 Jul 2013 15:49:26 +0000 (17:49 +0200)]

This improves the behavior of the kernel-pfroute plugin (and sometimes
the kernel-pfkey plugin) in case of mobility, mostly when used as
client but also as gateway, if clients are mobile.

kernel-pfroute: Ignore IP address changes if address is %any
Tobias Brunner [Wed, 10 Jul 2013 14:28:55 +0000 (16:28 +0200)]

kernel-pfroute: Properly enumerate sockaddrs in interface messages
Tobias Brunner [Wed, 10 Jul 2013 14:08:56 +0000 (16:08 +0200)]

The ifa_msghdr and rt_msghdr structs are not compatible (at least not on
FreeBSD).

kernel-pfroute: Provide name of interfaces on which virtual IPs are installed
Tobias Brunner [Wed, 10 Jul 2013 13:37:35 +0000 (15:37 +0200)]

kernel-pfroute: Ignore virtual IPs in address map
Tobias Brunner [Wed, 10 Jul 2013 13:29:38 +0000 (15:29 +0200)]

As the virtual flag is set after the address has been added to the map,
we make sure we ignore virtual IPs when doing lookups.

kernel-pfroute: Make sure source addresses are not virtual and usable
Tobias Brunner [Wed, 10 Jul 2013 13:02:48 +0000 (15:02 +0200)]

It seems we sometimes get the virtual IP as source (with
rightsubnet=0.0.0.0/0) even if the exclude route is already
installed.  Might be a timing issue because shortly afterwards the
lookup seems to succeed.

kernel-pfroute: Don't report an error when trying to reinstall a route
Tobias Brunner [Wed, 10 Jul 2013 10:38:21 +0000 (12:38 +0200)]

kernel-pfkey: Provide interface name when installing exclude route
Tobias Brunner [Wed, 10 Jul 2013 10:21:58 +0000 (12:21 +0200)]

kernel-pfroute: Reinstall routes on interface/address changes
Tobias Brunner [Wed, 10 Jul 2013 10:14:19 +0000 (12:14 +0200)]

kernel-pfroute: Trigger a roam event if a new interface appears
Tobias Brunner [Wed, 10 Jul 2013 09:57:31 +0000 (11:57 +0200)]