strongswan.git
2 years agoscripts: Add -d option to oid2der to decode DER encoded OIDs
Tobias Brunner [Wed, 18 Oct 2017 14:28:04 +0000 (16:28 +0200)]
scripts: Add -d option to oid2der to decode DER encoded OIDs

2 years agoman: Fix documentation of inbound mark behavior in ipsec.conf(5)
Tobias Brunner [Wed, 23 Aug 2017 09:41:50 +0000 (11:41 +0200)]
man: Fix documentation of inbound mark behavior in ipsec.conf(5)

2 years agovici: Make setting mark on inbound SA configurable
Tobias Brunner [Wed, 23 Aug 2017 09:25:52 +0000 (11:25 +0200)]
vici: Make setting mark on inbound SA configurable

2 years agochild-cfg: Optionally set mark on inbound SA
Tobias Brunner [Wed, 23 Aug 2017 09:22:50 +0000 (11:22 +0200)]
child-cfg: Optionally set mark on inbound SA

2 years agoeap-radius: Optionally send Class attributes in RADIUS accounting messages
Tobias Brunner [Mon, 23 Oct 2017 10:08:17 +0000 (12:08 +0200)]
eap-radius: Optionally send Class attributes in RADIUS accounting messages

If enabled, add the RADIUS Class attributes received in Access-Accept messages
to RADIUS accounting messages as suggested by RFC 2865 section 5.25.

Fixes #2451.

2 years agoikev2: Abort make-before-break reauth if we don't find children to recreate
Tobias Brunner [Tue, 26 Sep 2017 09:31:15 +0000 (11:31 +0200)]
ikev2: Abort make-before-break reauth if we don't find children to recreate

We do something similar in reestablish() for break-before-make reauth.
If we don't abort we'd be sending an IKE_AUTH without any TS payloads.

References #2430.

2 years agoopenssl: Also load EC keys from an ENGINE
Tobias Brunner [Wed, 6 Sep 2017 08:41:37 +0000 (10:41 +0200)]
openssl: Also load EC keys from an ENGINE

2 years agolibcharon: Added Cisco FlexVPN Supported VID
Andreas Steffen [Fri, 27 Oct 2017 18:14:43 +0000 (20:14 +0200)]
libcharon: Added Cisco FlexVPN Supported VID

2 years agounit-tests: Fix "using integer constants in boolean context" warning
Tobias Brunner [Mon, 23 Oct 2017 12:38:00 +0000 (14:38 +0200)]
unit-tests: Fix "using integer constants in boolean context" warning

This warning has been seen in GCC 7.x with -Wall, however, because == has
higher precedence than ?: the code was actually not correct.

2 years agostreams: Remove registered systemd stream service
Tobias Brunner [Wed, 18 Oct 2017 07:25:15 +0000 (09:25 +0200)]
streams: Remove registered systemd stream service

Fixes: 59db98fb941c ("stream: Add basic stream service for systemd sockets")

2 years agostreams: Named systemd sockets are only supported since systemd v227
Tobias Brunner [Thu, 12 Oct 2017 16:40:15 +0000 (18:40 +0200)]
streams: Named systemd sockets are only supported since systemd v227

2 years agostarter: Add the correct keywords header file to EXTRA_DIST
Tobias Brunner [Wed, 11 Oct 2017 16:10:46 +0000 (18:10 +0200)]
starter: Add the correct keywords header file to EXTRA_DIST

The fix for gperf in 0ae19f0ced8d added the generated header to
EXTRA_DIST but that's already added to the distribution because it is
contained in *_SOURCES, what was not added, though, was the .h.in file.

Also fixes the reference to the header file in the .c rule here and for
stroke in out-of-tree builds.

Fixes: 0ae19f0ced8d ("configure: Fix gperf length parameter determination")

2 years agowatcher: Don't notify watcher if removed FD was not found
Tobias Brunner [Thu, 7 Sep 2017 07:51:49 +0000 (09:51 +0200)]
watcher: Don't notify watcher if removed FD was not found

This can happen if a stream is used blocking exclusively (the FD is
never registered with watcher, but is removed in the stream's destructor
just in case it ever was - doing this conditionally would require an
additional flag in streams).  There may be no thread reading from
the read end of the notify pipe (e.g. in starter), causing the write
to the notify pipe to block after it's full.  Anyway, doing a relatively
expensive FD update is unnecessary if there were no changes.

Fixes #1453.

2 years agostream: Add basic stream service for systemd sockets
aszlig [Wed, 30 Aug 2017 00:36:34 +0000 (02:36 +0200)]
stream: Add basic stream service for systemd sockets

This allows systemd socket activation by passing URIs such as systemd://foo
to plugins such as VICI.

For example setting charon.plugins.vici.socket = systemd://vici, a
systemd socket file descriptor with the name "vici" will be picked up.

So these would be the corresponding unit options:

  [Socket]
  FileDescriptorName=vici
  Service=strongswan.service

  ListenStream=/run/charon.vici

The implementation currently is very basic and right now only the first
file descriptor for a particular identifier is picked up if there are
multiple socket units with the same FileDescriptorName.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Closes strongswan/strongswan#79.

2 years agostarter: Don't define any hard-coded proposal strings
Tobias Brunner [Wed, 30 Aug 2017 13:15:31 +0000 (15:15 +0200)]
starter: Don't define any hard-coded proposal strings

Just rely on the default proposals by charon if nothing is defined. The
hard-coded IKE proposal used curve25519, which depends on an optional
plugin (while enabled by default it might still not be loaded, or, like
on Debian, shipped in an optional package). With charon's default
proposal only loaded algorithms are proposed for IKE avoiding this issue.

2 years agoconfigure: Also check for libcrypto on Windows
Tobias Brunner [Wed, 30 Aug 2017 10:30:02 +0000 (12:30 +0200)]
configure: Also check for libcrypto on Windows

With OpenSSL 1.1.0 the library is now named libcrypto too on Windows.
Check for libeay32 first so we don't link against the build environment's
version of OpenSSL instead of the native one that might be available.

2 years agoopenssl: Fix call of X509_CRL_get0_signature() with OpenSSL 1.1.0
Tobias Brunner [Fri, 6 Oct 2017 13:26:19 +0000 (15:26 +0200)]
openssl: Fix call of X509_CRL_get0_signature() with OpenSSL 1.1.0

The order of arguments in X509_CRL_get0_signature() is not the same as that
of X509_get0_signature().

Fixes: 989ba4b6cd16 ("openssl: Update CRL API to OpenSSL 1.1.0")

2 years agokernel-netlink: Add strings for newer XFRM attribute types
Tobias Brunner [Fri, 6 Oct 2017 14:41:09 +0000 (16:41 +0200)]
kernel-netlink: Add strings for newer XFRM attribute types

2 years agoconfigure: Fix gperf length parameter determination
Tobias Brunner [Tue, 26 Sep 2017 10:23:36 +0000 (12:23 +0200)]
configure: Fix gperf length parameter determination

gperf is not actually a build dependency as the generated files are
shipped in the tarball.  So the type depends on the gperf version on
the host that ran gperf and created the tarball, which might not be
the same as that on the actual build host, and gperf might not even
be installed there, leaving the type undetermined.

Fixes: e0e43229736a ("configure: Detect type of length parameter for gperf generated function")

2 years agolibimcv: Renamed SW Request to SWIMA Request
Andreas Steffen [Wed, 27 Sep 2017 08:01:56 +0000 (10:01 +0200)]
libimcv: Renamed SW Request to SWIMA Request

2 years agoVersion bump to 5.6.1dr3 5.6.1dr3
Andreas Steffen [Tue, 26 Sep 2017 20:43:38 +0000 (22:43 +0200)]
Version bump to 5.6.1dr3

2 years agoSWIMA attribute name changes
Andreas Steffen [Sat, 23 Sep 2017 13:22:52 +0000 (15:22 +0200)]
SWIMA attribute name changes

draft-ietf-sacm-nea-swima-patnc-01 changes some SWIMA attribute
names.

2 years agokernel-pfroute: Delay call to if_indextoname(3) when handling RTM_IFINFO
Tobias Brunner [Mon, 28 Aug 2017 17:12:16 +0000 (19:12 +0200)]
kernel-pfroute: Delay call to if_indextoname(3) when handling RTM_IFINFO

It seems that there is a race, at least in 10.13, that lets
if_indextoname() fail for the new TUN device. So we delay the call a bit,
which seems to "fix" the issue. It's strange anyway that the previous
delay was only applied when an iface entry was already found.

2 years agocontroller: Consider any IKE_SA destruction as success when terminating
Tobias Brunner [Mon, 14 Aug 2017 09:14:38 +0000 (11:14 +0200)]
controller: Consider any IKE_SA destruction as success when terminating

2 years agoconfigure: Detect type of length parameter for gperf generated function
Tobias Brunner [Mon, 18 Sep 2017 15:57:05 +0000 (17:57 +0200)]
configure: Detect type of length parameter for gperf generated function

Since 3.1 gperf uses size_t for the length parameter instead of an
unsigned int.

2 years agoutils: Include stdint.h
Tobias Brunner [Thu, 14 Sep 2017 09:59:30 +0000 (11:59 +0200)]
utils: Include stdint.h

Recent releases of glibc don't include the full stdint.h header in some
network headers included by utils.h.  So uintptr_t might not be defined.
Since we use fixed width integers, including the latter, all over the place
we make sure the complete file is included.

Fixes #2425.

2 years agosec-updater: Make sure `success` is initialized
Tobias Brunner [Thu, 14 Sep 2017 17:25:42 +0000 (19:25 +0200)]
sec-updater: Make sure `success` is initialized

2 years agodhcp: Fix warning regarding unaligned pointer value due to packed struct
Tobias Brunner [Thu, 14 Sep 2017 17:33:07 +0000 (19:33 +0200)]
dhcp: Fix warning regarding unaligned pointer value due to packed struct

We don't need to access this as uint32_t so just cast it to a char*.

2 years agodhcp: Don't use signed char for DHCP options
Tobias Brunner [Thu, 14 Sep 2017 17:11:10 +0000 (19:11 +0200)]
dhcp: Don't use signed char for DHCP options

The value of DHCP_OPTEND is 255.  When it is assigned this result in a
sign change as the positive int constant is cast to a signed char and -1
results. Clang 4.0 complains about this.

2 years agoimv-agent: Fix get_attribute() call for preferred language
Tobias Brunner [Thu, 14 Sep 2017 16:27:13 +0000 (18:27 +0200)]
imv-agent: Fix get_attribute() call for preferred language

2 years agobliss: Fix compile error of unit tests due to uninitialized variable
Tobias Brunner [Thu, 14 Sep 2017 16:04:38 +0000 (18:04 +0200)]
bliss: Fix compile error of unit tests due to uninitialized variable

2 years agotravis: Use Clang 4.0 instead of 3.9 due to va_start() warnings
Tobias Brunner [Thu, 14 Sep 2017 13:33:59 +0000 (15:33 +0200)]
travis: Use Clang 4.0 instead of 3.9 due to va_start() warnings

This is a follow up on the issue documented in the previous commit.

To build with -Werror and Clang 3.9 we'd have to change all enum arguments
that are used as last argument before ... to e.g. u_int, which affects
quite a lot of places (crypto-factory, MODP_CUSTOM constructors, auth-cfg,
bus, vici-builder, vici-message).  Besides that it doesn't look as nice
it also seems a bit too much hassle just to cater to the whims of a
particular version of one compiler, so we just don't build with that
version on Travis and use 4.0 instead.

2 years agosettings: Fix possible undefined behavior with va_start() and bool
Tobias Brunner [Thu, 14 Sep 2017 13:31:00 +0000 (15:31 +0200)]
settings: Fix possible undefined behavior with va_start() and bool

This fixes compilation with -Werror when using Clang 4.0 (but not 3.9)
and possibly prevents undefined behavior.

According to the C standard the following applies to the second
parameter of the va_start() macro (subclause 7.16.1.4, paragraph 4):

  The parameter parmN is the identifier of the rightmost parameter
  in the variable parameter list in the function definition (the
  one just before the ...). If the parameter parmN is declared with
  the register storage class, with a function or array type, or with
  a type that is not compatible with the type that results after
  application of the default argument promotions, the behavior is
  undefined.

Because bool is usually just 1 byte and therefore smaller than int (i.e.
the result of default argument promotion) its use as last argument before
... might result in undefined behavior.  This theoretically can also
apply to enums as a compiler may use a smaller base type than int.

Since Clang 3.9 (currently in use on Travis by default) a warning is
issued about this, however, that version did not yet compare the actual
size of the argument's type, causing warnings where they are not
warranted (basically for all cases where enum types are used for the
last argument).  This was apparently fixed with Clang 4.0, which only
warns about this use of bool with va_start(), which makes sense.

2 years agoDefine MODP_CUSTOM constructors as variadic functions
Tobias Brunner [Thu, 14 Sep 2017 12:03:08 +0000 (14:03 +0200)]
Define MODP_CUSTOM constructors as variadic functions

They now match the dh_constructor_t signature.  This is a follow up for
the changes merged with b668bf3f9ec1 and should fix use of MODP_CUSTOM on
Apple's ARM64 platform.

2 years agolibtnccs: Correctly read dlopen_use_rtld_now option
Tobias Brunner [Thu, 14 Sep 2017 16:07:08 +0000 (18:07 +0200)]
libtnccs: Correctly read dlopen_use_rtld_now option

Fixes: 50e4aeb22f49 ("libtnccs: Optionally use RTLD_NOW to load IMC/IMVs with dlopen()")

2 years agoplugin-loader: Correctly read dlopen_use_rtld_now option
Tobias Brunner [Thu, 14 Sep 2017 10:43:54 +0000 (12:43 +0200)]
plugin-loader: Correctly read dlopen_use_rtld_now option

Fixes: 305c4aa82cb0 ("plugin-loader: Optionally use RTLD_NOW with dlopen()")

2 years agoandroid: New release after adding delta CRL support and some bug fixes
Tobias Brunner [Mon, 18 Sep 2017 09:04:46 +0000 (11:04 +0200)]
android: New release after adding delta CRL support and some bug fixes

2 years agoandroid: Ignore IllegalArgumentException for multicast addresses
Tobias Brunner [Mon, 11 Sep 2017 17:14:31 +0000 (19:14 +0200)]
android: Ignore IllegalArgumentException for multicast addresses

Some Android versions seem to reject routes that use multicast addresses.

Fixes #2420.

2 years agoopenssl: Add support for delta CRLs
Tobias Brunner [Thu, 7 Sep 2017 10:07:32 +0000 (12:07 +0200)]
openssl: Add support for delta CRLs

2 years agocertificates: Use shared destructor for x509_cdp_t
Tobias Brunner [Thu, 7 Sep 2017 09:45:23 +0000 (11:45 +0200)]
certificates: Use shared destructor for x509_cdp_t

2 years agochild-create: Don't consider a DH group mismatch as failure as responder
Tobias Brunner [Wed, 6 Sep 2017 14:41:42 +0000 (16:41 +0200)]
child-create: Don't consider a DH group mismatch as failure as responder

This causes problems e.g. on Android where we handle the alert (and
reestablish the IKE_SA) even though it usually is no problem if the
peer retries with the requested group.  We don't consider it as a
failure on the initiator either.

2 years agolibipsec: Make sure to expire the right SA
Tobias Brunner [Mon, 14 Aug 2017 14:03:54 +0000 (16:03 +0200)]
libipsec: Make sure to expire the right SA

If an IPsec SA is actually replaced with a rekeying its entry in the
manager is freed. That means that when the hard expire is triggered a
new entry might be found at the cached pointer location.  So we have
to make sure we trigger the expire only if we found the right SA.

We could use SPI and addresses for the lookup, but this here requires
a bit less memory and is just a small change. Another option would be to
somehow cancel the queued job, but our scheduler doesn't allow that at
the moment.

Fixes #2399.

2 years agoMerge branch 'libipsec-ip-frag'
Tobias Brunner [Mon, 18 Sep 2017 08:31:58 +0000 (10:31 +0200)]
Merge branch 'libipsec-ip-frag'

This fixes "packet too short" errors when parsing fragmented IPv4
packets and correctly determines the protocol in fragmented IPv6 packets.
Protocol headers are only parsed in unfragmented IPv4 and IPv6 packets,
or IPv4 first fragments.

Closes strongswan/strongswan#80.

2 years agotesting: Add libipsec/net2net-cert-ipv6 scenario
Tobias Brunner [Fri, 1 Sep 2017 08:03:11 +0000 (10:03 +0200)]
testing: Add libipsec/net2net-cert-ipv6 scenario

2 years agoip-packet: Correctly determine protocol in fragmented IPv6 packets
Tobias Brunner [Fri, 1 Sep 2017 07:47:29 +0000 (09:47 +0200)]
ip-packet: Correctly determine protocol in fragmented IPv6 packets

We don't attempt to parse the transport headers for fragments, not even
for the initial fragment (it's not guaranteed they contain the header,
depending on the number and type of extension headers).

2 years agoip-packet: Fix "packet too short" error when parsing fragmented IPv4 packets
Tobias Brunner [Fri, 1 Sep 2017 06:57:56 +0000 (08:57 +0200)]
ip-packet: Fix "packet too short" error when parsing fragmented IPv4 packets

Only attempt to parse the transport header of an IPv4 packet if it's
not fragmented or the first fragment.

2 years agoMerge branch 'tkm-cid-ref'
Tobias Brunner [Fri, 15 Sep 2017 10:17:07 +0000 (12:17 +0200)]
Merge branch 'tkm-cid-ref'

This fixes IKE_SA rekey collision handling and improves error handling
if CHILD_SA setup fails.

2 years agocharon-tkm: Reset ESA on child SA create failure
Adrian-Ken Rueegsegger [Tue, 5 Sep 2017 13:56:12 +0000 (15:56 +0200)]
charon-tkm: Reset ESA on child SA create failure

Since we are also releasing the ESA ID we have to make sure that the ESA
context is reset and in a clean state in order for it to be actually
reusable.

2 years agocharon-tkm: Check for error when acquiring ESA ID
Adrian-Ken Rueegsegger [Mon, 4 Sep 2017 13:00:42 +0000 (15:00 +0200)]
charon-tkm: Check for error when acquiring ESA ID

2 years agocharon-tkm: Fix AE context life-cycle handling
Adrian-Ken Rueegsegger [Fri, 1 Sep 2017 16:46:05 +0000 (18:46 +0200)]
charon-tkm: Fix AE context life-cycle handling

Use new reference counting feature of ID manager for AE contexts and
only perform reset if count is zero. Also, do not pass on AE ID as every
IKE SA must decrement AE ID count once it is not used any longer.

2 years agocharon-tkm: Return current refcount when releasing ID
Adrian-Ken Rueegsegger [Fri, 1 Sep 2017 15:21:05 +0000 (17:21 +0200)]
charon-tkm: Return current refcount when releasing ID

2 years agocharon-tkm: Add acquire_ref method to ID manager
Adrian-Ken Rueegsegger [Fri, 1 Sep 2017 15:15:41 +0000 (17:15 +0200)]
charon-tkm: Add acquire_ref method to ID manager

The function acquires a reference to the given context reference id for
a specific context kind.

2 years agocharon-tkm: Store context ids as int instead of bool
Adrian-Ken Rueegsegger [Fri, 1 Sep 2017 14:58:15 +0000 (16:58 +0200)]
charon-tkm: Store context ids as int instead of bool

This is in preparation of making context ids refcountable.

2 years agocharon-tkm: Add missing whitespace log message
Adrian-Ken Rueegsegger [Fri, 1 Sep 2017 14:30:49 +0000 (16:30 +0200)]
charon-tkm: Add missing whitespace log message

2 years agochild-delete: Only let SAs expire naturally if they not already did
Tobias Brunner [Mon, 4 Sep 2017 16:11:39 +0000 (18:11 +0200)]
child-delete: Only let SAs expire naturally if they not already did

2 years agoVersion bump to 5.6.1dr2 5.6.1dr2
Andreas Steffen [Wed, 13 Sep 2017 14:56:45 +0000 (16:56 +0200)]
Version bump to 5.6.1dr2

2 years agosec-updater: Import SWID tags of updated packages
Andreas Steffen [Sat, 9 Sep 2017 11:13:28 +0000 (13:13 +0200)]
sec-updater: Import SWID tags of updated packages

sec-updater downloads the deb package files from security updates from
a given linux repository and uses the swid_generator command to
derive a SWID tag. The SWID tag is then imported into strongTNC
using the manage.py importswid command.

2 years agolibimcv: Corrected caption
Andreas Steffen [Sat, 9 Sep 2017 11:10:45 +0000 (13:10 +0200)]
libimcv: Corrected caption

2 years agopt-tls-client: Introduced --options as a synonym for --optionsfrom
Andreas Steffen [Sat, 9 Sep 2017 08:31:02 +0000 (10:31 +0200)]
pt-tls-client: Introduced --options as a synonym for --optionsfrom

2 years agosec-updater: Write to log only if at least one update is found.
Andreas Steffen [Thu, 7 Sep 2017 12:50:49 +0000 (14:50 +0200)]
sec-updater: Write to log only if at least one update is found.

2 years agoandroid: New release after adding OCSP, CRL cache and some other stuff
Tobias Brunner [Mon, 4 Sep 2017 09:27:40 +0000 (11:27 +0200)]
android: New release after adding OCSP, CRL cache and some other stuff

2 years agotesting: Reduce log level of SSH client
Tobias Brunner [Tue, 29 Aug 2017 12:11:23 +0000 (14:11 +0200)]
testing: Reduce log level of SSH client

This should suppress the "Permanently added ... to the list of known
hosts" warnings that occasionally come up for no apparent reason.

2 years agoike: Reset local SPI if retrying to connect in state IKE_CONNECTING
Tobias Brunner [Tue, 29 Aug 2017 07:06:55 +0000 (09:06 +0200)]
ike: Reset local SPI if retrying to connect in state IKE_CONNECTING

In case we send retransmits for an IKE_SA_INIT where we propose a DH
group the responder will reject we might later receive delayed responses
that either contain INVALID_KE_PAYLOAD notifies with the group we already
use or, if we retransmitted an IKE_SA_INIT with the requested group but
then had to restart again, a KE payload with a group different from the
one we proposed.  So far we didn't change the initiator SPI when
restarting the connection, i.e. these delayed responses were processed
and might have caused fatal errors due to a failed DH negotiation or
because of the internal retry counter in the ike-init task.  Changing
the initiator SPI avoids that as we won't process the delayed responses
anymore that caused this confusion.

2 years agoike-sa-manager: Add method to change the initiator SPI of an IKE_SA
Tobias Brunner [Fri, 25 Aug 2017 14:45:03 +0000 (16:45 +0200)]
ike-sa-manager: Add method to change the initiator SPI of an IKE_SA

2 years agoike-init: Fail if DH group in KE payload does not match proposed group
Tobias Brunner [Fri, 25 Aug 2017 12:42:51 +0000 (14:42 +0200)]
ike-init: Fail if DH group in KE payload does not match proposed group

2 years agoMerge branch 'android-updates'
Tobias Brunner [Mon, 4 Sep 2017 08:42:00 +0000 (10:42 +0200)]
Merge branch 'android-updates'

Caches CRLs in the app directory, adds support for OCSP, adds a button
to reconnect to the "already connected" dialog, only apply/configure app
selection on Android >= 5 (older versions don't support the API), and catches
some random exceptions.

2 years agoandroid: Add disconnect button to dialog if already connected to profile
Tobias Brunner [Tue, 22 Aug 2017 16:28:39 +0000 (18:28 +0200)]
android: Add disconnect button to dialog if already connected to profile

2 years agoandroid: Load x509 plugin to generate OCSP requests and parse responses
Tobias Brunner [Wed, 23 Aug 2017 14:15:48 +0000 (16:15 +0200)]
android: Load x509 plugin to generate OCSP requests and parse responses

BoringSSL does not support OpenSSL's OCSP API.

2 years agoandroid: Add support to POST data via SimpleFetcher
Tobias Brunner [Wed, 23 Aug 2017 14:14:36 +0000 (16:14 +0200)]
android: Add support to POST data via SimpleFetcher

That's required for OCSP verification.

2 years agoandroid: Add option to clear cached CRLs
Tobias Brunner [Fri, 1 Sep 2017 17:26:52 +0000 (19:26 +0200)]
android: Add option to clear cached CRLs

2 years agoandroid: Cache CRLs in app directory
Tobias Brunner [Mon, 21 Aug 2017 13:53:20 +0000 (15:53 +0200)]
android: Cache CRLs in app directory

Fixes #2405.

2 years agoandroid: Pass absolute path to the app's data directory via JNI
Tobias Brunner [Mon, 21 Aug 2017 13:26:06 +0000 (15:26 +0200)]
android: Pass absolute path to the app's data directory via JNI

2 years agoandroid: Hide app selection in profile editor on Android < 5
Tobias Brunner [Thu, 24 Aug 2017 13:18:32 +0000 (15:18 +0200)]
android: Hide app selection in profile editor on Android < 5

2 years agoandroid: Only apply app filter on Android 5 and newer
Tobias Brunner [Tue, 11 Jul 2017 07:44:35 +0000 (09:44 +0200)]
android: Only apply app filter on Android 5 and newer

2 years agoandroid: Catch OutOfMemoryError when importing profiles
Tobias Brunner [Mon, 10 Jul 2017 10:17:45 +0000 (12:17 +0200)]
android: Catch OutOfMemoryError when importing profiles

Not sure if this is actually caused because e.g. the file is too large
or due to some encoding issue.

2 years agoandroid: Catch NullPointerException when parsing invalid certificates
Tobias Brunner [Thu, 6 Jul 2017 13:40:42 +0000 (15:40 +0200)]
android: Catch NullPointerException when parsing invalid certificates

2 years agoandroid: Catch NullPointerException when calling VpnService.prepare()
Tobias Brunner [Thu, 6 Jul 2017 13:16:24 +0000 (15:16 +0200)]
android: Catch NullPointerException when calling VpnService.prepare()

According to the Play Console this occurs occasionally.

2 years agoVersion bump to 5.6.1dr1 5.6.1dr1
Andreas Steffen [Fri, 1 Sep 2017 11:49:09 +0000 (13:49 +0200)]
Version bump to 5.6.1dr1

2 years agoimv-os: Updated security update evaluation
Andreas Steffen [Thu, 31 Aug 2017 16:52:04 +0000 (18:52 +0200)]
imv-os: Updated security update evaluation

2 years agolibimcv: Updated database scheme
Andreas Steffen [Wed, 30 Aug 2017 11:30:18 +0000 (13:30 +0200)]
libimcv: Updated database scheme

2 years agosec-updater: Checks for security updates
Andreas Steffen [Fri, 25 Aug 2017 09:23:20 +0000 (11:23 +0200)]
sec-updater: Checks for security updates

sec-updater checks for security updates and backports in Debian/
Ubuntu repositories and sets the security flags in the strongTNC
policy database accordingly.

2 years agoimv-attestation: Fixed file hash measurements
Andreas Steffen [Fri, 1 Sep 2017 00:53:28 +0000 (02:53 +0200)]
imv-attestation: Fixed file hash measurements

The introduction of file versions broke file hash measurements.
This has been fixed by using a generic product versions having an
empty package name.

2 years agoike-cfg: Fix memory leak when checking for configured address
Tobias Brunner [Tue, 29 Aug 2017 13:24:32 +0000 (15:24 +0200)]
ike-cfg: Fix memory leak when checking for configured address

2 years agosw-collector.8: Some cleanups
Andreas Steffen [Fri, 25 Aug 2017 09:28:06 +0000 (11:28 +0200)]
sw-collector.8: Some cleanups

2 years agokernel-netlink: Set usable state whenever an interface appears
Tobias Brunner [Mon, 14 Aug 2017 15:26:08 +0000 (17:26 +0200)]
kernel-netlink: Set usable state whenever an interface appears

If an interface is renamed we already have an entry (based on the
ifindex) allocated but previously only set the usable state once
based on the original name.

Fixes #2403.

2 years agolibimcv: Updated Android.mk after move of swid-gen(-info)
Tobias Brunner [Mon, 21 Aug 2017 10:17:02 +0000 (12:17 +0200)]
libimcv: Updated Android.mk after move of swid-gen(-info)

2 years agocoverage: Use absolute path when removing paths with lcov
Tobias Brunner [Mon, 21 Aug 2017 09:08:59 +0000 (11:08 +0200)]
coverage: Use absolute path when removing paths with lcov

There is a bug in some versions of lcov that causes it to fail writing
to files via relative paths after it issued warnings (e.g. due to
negative counts in the tracefile).

2 years agotraffic-selector: Use single buffer for both address families
Tobias Brunner [Wed, 16 Aug 2017 14:52:13 +0000 (16:52 +0200)]
traffic-selector: Use single buffer for both address families

The generic field of size 0 in the union that was used previously
triggered index-out-of-bounds errors with the UBSAN sanitizer that's
used on OSS-Fuzz.  Since the two family specific union members don't
really provide any advantage, we can just use a single buffer for both
families to avoid the errors.

2 years agotesting: Make removal of SWID tags work with different releases
Tobias Brunner [Wed, 16 Aug 2017 08:38:44 +0000 (10:38 +0200)]
testing: Make removal of SWID tags work with different releases

The regid.2004-03.org.strongswan directory might not exist in new images.

2 years agofuzzing: Also run input that previously caused crashes
Tobias Brunner [Wed, 31 May 2017 12:37:27 +0000 (14:37 +0200)]
fuzzing: Also run input that previously caused crashes

2 years agoconfigure: Detect mpz_powm_sec() when built with -Werror
Tobias Brunner [Wed, 31 May 2017 12:33:43 +0000 (14:33 +0200)]
configure: Detect mpz_powm_sec() when built with -Werror

2 years agotravis: Use the same ASAN_OPTIONS as used by OSS-Fuzz
Tobias Brunner [Tue, 30 May 2017 17:38:31 +0000 (19:38 +0200)]
travis: Use the same ASAN_OPTIONS as used by OSS-Fuzz

2 years agoplugin-loader: Move indent variables into !USE_FUZZING block
Tobias Brunner [Tue, 30 May 2017 17:14:22 +0000 (19:14 +0200)]
plugin-loader: Move indent variables into !USE_FUZZING block

This avoids compile errors on Travis.

2 years agotravis: Run fuzz targets
Tobias Brunner [Tue, 30 May 2017 16:41:31 +0000 (18:41 +0200)]
travis: Run fuzz targets

2 years agofuzzing: Run local fuzz targets on given corpora during `make check`
Tobias Brunner [Tue, 30 May 2017 14:46:32 +0000 (16:46 +0200)]
fuzzing: Run local fuzz targets on given corpora during `make check`

The base directory of the corpora must be set in FUZZING_CORPORA.

2 years agofuzzing: Add driver to run fuzz targets on a given list of files
Tobias Brunner [Tue, 30 May 2017 14:44:22 +0000 (16:44 +0200)]
fuzzing: Add driver to run fuzz targets on a given list of files

This is enabled if the path to libFuzzer.a is not specified when running
the configure script.

2 years agocharon-tkm: Build fix for kernel SAD tests
Adrian-Ken Rueegsegger [Mon, 14 Aug 2017 16:30:15 +0000 (18:30 +0200)]
charon-tkm: Build fix for kernel SAD tests

Commit 7729577... added a flag to the get_esa_id function but the unit
tests were not adjusted.

2 years agoVersion bump to 5.6.0 5.6.0
Andreas Steffen [Mon, 14 Aug 2017 08:07:47 +0000 (10:07 +0200)]
Version bump to 5.6.0

2 years agoNEWS: Add info about CVE-2017-11185
Tobias Brunner [Tue, 8 Aug 2017 18:14:00 +0000 (20:14 +0200)]
NEWS: Add info about CVE-2017-11185

2 years agogmp: Fix RSA signature verification for m >= n
Tobias Brunner [Mon, 29 May 2017 09:59:34 +0000 (11:59 +0200)]
gmp: Fix RSA signature verification for m >= n

By definition, m must be <= n-1, we didn't enforce that and because
mpz_export() returns NULL if the passed value is zero a crash could have
been triggered with m == n.

Fixes CVE-2017-11185.