strongswan.git
Tobias Brunner [Mon, 22 Jul 2013 15:44:37 +0000 (17:44 +0200)]
charon-xpc: Use correct namespace when setting default settings

Tobias Brunner [Mon, 22 Jul 2013 15:43:54 +0000 (17:43 +0200)]
tnc-pdp: Fix reading port setting from strongswan.conf

tag: 5.1.0rc1
Andreas Steffen [Fri, 19 Jul 2013 18:07:32 +0000 (20:07 +0200)]
fixed typo

Andreas Steffen [Fri, 19 Jul 2013 17:36:07 +0000 (19:36 +0200)]
updated some TNC scenarios

Martin Willi [Fri, 19 Jul 2013 13:27:07 +0000 (15:27 +0200)]
processor: force synchronous execute_job() if set_threads(0) has been called

During daemon shutdown, some idle threads might be lingering around even if
set_threads(0) already has been called. To avoid any races, we enforce
synchronous execution of the job.

Martin Willi [Fri, 19 Jul 2013 13:01:53 +0000 (15:01 +0200)]
proposal: correctly enumerate registered AEADs to build default IKE proposal

AEADs are not returned (anymore) with the encryption enumerator.

Andreas Steffen [Fri, 19 Jul 2013 08:40:49 +0000 (10:40 +0200)]
Version bump to 5.1.0rc1

Tobias Brunner [Fri, 19 Jul 2013 07:02:04 +0000 (09:02 +0200)]
tkm: Properly refer to includes now that AM_CPPFLAGS is used

Tobias Brunner [Fri, 19 Jul 2013 07:01:39 +0000 (09:01 +0200)]
keychain: Use AM_CPPFLAGS instead of INCLUDES

Tobias Brunner [Thu, 18 Jul 2013 15:27:11 +0000 (17:27 +0200)]
Fix various API doc issues and typos

Partially based on an old patch by Adrian-Ken Rueegsegger.

Martin Willi [Thu, 18 Jul 2013 14:45:10 +0000 (16:45 +0200)]
identification: parse identities having a "@@" prefix as ID_RFC822_ADDR

Original patch by Gerald Richter.

Martin Willi [Thu, 18 Jul 2013 14:10:48 +0000 (16:10 +0200)]
NEWS: mention watcher and stream services

Martin Willi [Thu, 18 Jul 2013 14:03:14 +0000 (16:03 +0200)]
Merge branch 'ipc-service'

Adds network transparency and TCP support to the IPC interfaces of different
plugins using the new stream and stream service classes. A central watcher
thread can watch multiple file descriptors to handle connection requests
for these and other services using only a single thread.

Martin Willi [Thu, 18 Jul 2013 13:46:17 +0000 (15:46 +0200)]
stream-service: move CAP_CHOWN check from plugins to service constructor

A plugin service can be a TCP socket now, so it does not make much sense
to strictly check for CAP_CHOWN.

Martin Willi [Thu, 18 Jul 2013 09:42:59 +0000 (11:42 +0200)]
processor: remove the now unused get_threads() method again

Martin Willi [Thu, 18 Jul 2013 09:40:40 +0000 (11:40 +0200)]
watcher: use processor's new execute_job() to notify FDs

Just queueing is problematic, as all threads might be busy waiting for events
that the queued (but never executed) job delivers.

Martin Willi [Thu, 18 Jul 2013 09:37:42 +0000 (11:37 +0200)]
processor: add an execute_job() method to directly execute an important job

If all worker threads are busy and waiting for an event, we must ensure that
a job delivering that event gets executed. This new method has this property
for CRITICAL jobs, using a worker if we have one, but executing the job directly
if not.

Martin Willi [Wed, 17 Jul 2013 14:07:47 +0000 (16:07 +0200)]
watcher: properly support multiple watch callback types for the same FD

Martin Willi [Wed, 17 Jul 2013 14:03:23 +0000 (16:03 +0200)]
watcher: read multiple notifications if available

Use non-blocking I/O on the read end of the notify pipe. This also makes sure
the read does not block should select() signal data while there is none.

Martin Willi [Tue, 15 Nov 2011 17:13:53 +0000 (17:13 +0000)]
certexpire: add an option to enforce exporting trustchains having a private key

Martin Willi [Tue, 9 Jul 2013 12:28:10 +0000 (14:28 +0200)]
error-notify: catch and forward some alerts related to certificate validation

Martin Willi [Tue, 9 Jul 2013 12:21:40 +0000 (14:21 +0200)]
bus: raise certificate validation alerts using credential manager hook

Martin Willi [Tue, 9 Jul 2013 09:55:32 +0000 (11:55 +0200)]
credmgr: introduce a hook function to catch trust chain validation errors

Martin Willi [Mon, 4 Feb 2013 09:02:14 +0000 (10:02 +0100)]
lookip: double size of id field in message

Martin Willi [Mon, 4 Feb 2013 08:59:54 +0000 (09:59 +0100)]
error-notify: increase size of string/identity fields in messages

Martin Willi [Mon, 8 Jul 2013 09:44:52 +0000 (11:44 +0200)]
whitelist: use a read-copy when listing entries

While this requires a little more overhead, we can free the lock should the
stream block, allowing other threads to add/remove entries.

Martin Willi [Mon, 8 Jul 2013 08:52:49 +0000 (10:52 +0200)]
whitelist: fix error handling when creating the socket fails

Martin Willi [Mon, 8 Jul 2013 08:40:25 +0000 (10:40 +0200)]
lookip: fix error handling when creating the socket fails

Martin Willi [Mon, 8 Jul 2013 08:39:23 +0000 (10:39 +0200)]
error-notify: fix error handling when creating the socket fails

Martin Willi [Mon, 1 Jul 2013 13:48:22 +0000 (15:48 +0200)]
kernel-pfroute: use watcher to receive kernel events

Martin Willi [Mon, 1 Jul 2013 13:45:01 +0000 (15:45 +0200)]
kernel-pfkey: use watcher to receive networking events

Martin Willi [Mon, 1 Jul 2013 13:42:22 +0000 (15:42 +0200)]
kernel-netlink: use watcher to receive kernel events for net/ipsec

Martin Willi [Mon, 1 Jul 2013 09:52:42 +0000 (11:52 +0200)]
eap-radius: use watcher instead of receiver thread on DAE socket

Martin Willi [Mon, 1 Jul 2013 07:47:28 +0000 (09:47 +0200)]
dhcp: use watcher instead of dedicated receiver thread

Martin Willi [Mon, 1 Jul 2013 09:59:56 +0000 (11:59 +0200)]
farp: use watcher instead of dedicated receiver thread

Martin Willi [Mon, 1 Jul 2013 10:18:15 +0000 (12:18 +0200)]
load-tester: use a stream service to dispatch control connections

Martin Willi [Mon, 1 Jul 2013 12:47:11 +0000 (14:47 +0200)]
whitelist: use a stream service to accept client connections

Use SOCK_STREAM, as we don't have SOCK_SEQPACKET on TCP. To have network
transparency, the message now uses network byte order.

Martin Willi [Mon, 1 Jul 2013 10:47:45 +0000 (12:47 +0200)]
lookip: use stream service with async I/O dispatching

Now uses SOCK_STREAM, as SOCK_SEQPACKET is not available over TCP. To have
network transparency, the message now uses network byte order.

Martin Willi [Mon, 1 Jul 2013 09:42:18 +0000 (11:42 +0200)]
error-notify: use a stream service to accept client connections

As TCP does not have SOCK_SEQPACKET, we now use SOCK_STREAM for the error-notify
socket. To have network transparency, the message now uses network byte order.

Martin Willi [Mon, 1 Jul 2013 09:19:01 +0000 (11:19 +0200)]
duplicheck: use a stream service to accept client connections

As we can't use SOCK_SEQPACKET over TCP, we now have to provide message
boundaries ourselves. We do this by appending a 16-bit length header to each
sent duplicate identity.

Martin Willi [Fri, 28 Jun 2013 12:35:12 +0000 (14:35 +0200)]
stroke: use a stream service to handle stroke requests

Martin Willi [Tue, 2 Jul 2013 12:09:45 +0000 (14:09 +0200)]
stream: allow async read/write callback to destroy the stream explicitly

Martin Willi [Tue, 2 Jul 2013 12:04:51 +0000 (14:04 +0200)]
stream: don't close underlying socket when creating a stream from it

Martin Willi [Tue, 2 Jul 2013 12:03:51 +0000 (14:03 +0200)]
watcher: add some debugging statements

Martin Willi [Tue, 2 Jul 2013 09:01:10 +0000 (11:01 +0200)]
watcher: if the processor has no threads, execute the job with watcher thread

This is important during shutdown, where we might need to signal some FDs while
all idle threads are gone already.

Martin Willi [Tue, 2 Jul 2013 09:00:27 +0000 (11:00 +0200)]
processor: add a getter for the threads passed to set_threads()

Martin Willi [Mon, 1 Jul 2013 16:38:42 +0000 (18:38 +0200)]
watcher: unregister a watcher FD if its thread gets cancelled

Martin Willi [Mon, 1 Jul 2013 16:34:08 +0000 (18:34 +0200)]
watcher: release threads waiting in remove() when watcher thread gets cancelled

During daemon shutdown, users might call remove() after processor.set_threads(0)
has been called. This gets problematic, as a watch event might be unable
to signal completion when no threads are available anymore. Work around this
issue by cancelling waiters once processor.cancel() has been called.

Martin Willi [Mon, 1 Jul 2013 12:57:28 +0000 (14:57 +0200)]
stream: support keeping the service alive outside of service callback

Martin Willi [Mon, 1 Jul 2013 08:36:52 +0000 (10:36 +0200)]
stream: add read/write_all() methods to stream

Martin Willi [Fri, 28 Jun 2013 12:33:03 +0000 (14:33 +0200)]
stream: support cancellation of stream service callback

Martin Willi [Fri, 28 Jun 2013 12:55:27 +0000 (14:55 +0200)]
stream: use a service constructor to create services

It does not make much sense to reference running services in the manager,
especially as unregistration would need the URI (which a user would have to
store instead of the service reference).

Martin Willi [Fri, 28 Jun 2013 12:33:41 +0000 (14:33 +0200)]
stream: replace print/vprint() convenience functions by a FILE* getter

While this will complicate the implementation of streams not based on a fd,
it allows us to unleash the full power of FILE based convenience functions.

Martin Willi [Fri, 28 Jun 2013 09:50:59 +0000 (11:50 +0200)]
stream: add a concurrency option to services, limiting parallel callbacks

Martin Willi [Fri, 28 Jun 2013 08:32:30 +0000 (10:32 +0200)]
stream: add a job priority option to stream services

Martin Willi [Fri, 28 Jun 2013 08:20:13 +0000 (10:20 +0200)]
stream: add backlog option to stream services, forward to listen()

Martin Willi [Thu, 27 Jun 2013 15:25:51 +0000 (17:25 +0200)]
stream: add support for TCP stream services

Martin Willi [Thu, 27 Jun 2013 15:25:21 +0000 (17:25 +0200)]
stream: add support for TCP streams

Martin Willi [Wed, 26 Jun 2013 15:16:33 +0000 (17:16 +0200)]
stream: add support for UNIX stream services

Martin Willi [Wed, 26 Jun 2013 15:08:14 +0000 (17:08 +0200)]
stream: add support for UNIX streams

Martin Willi [Thu, 27 Jun 2013 13:49:11 +0000 (15:49 +0200)]
stream: support async operation using watcher

Martin Willi [Thu, 27 Jun 2013 09:46:41 +0000 (11:46 +0200)]
stream: add printf()-style convenience functions

Martin Willi [Thu, 27 Jun 2013 08:16:00 +0000 (10:16 +0200)]
stream: create library instance of stream-manager

Martin Willi [Wed, 26 Jun 2013 15:28:19 +0000 (17:28 +0200)]
stream: add a manager to dynamically register streams and services

Martin Willi [Wed, 26 Jun 2013 15:13:11 +0000 (17:13 +0200)]
stream: add a stream service class abstracting services using BSD sockets

Martin Willi [Wed, 26 Jun 2013 15:03:19 +0000 (17:03 +0200)]
stream: add a stream class abstracting BSD sockets

Currently only synchronous operation is supported, but this will be extended
with asynchronous methods using the new watcher.

Martin Willi [Mon, 24 Jun 2013 12:58:01 +0000 (14:58 +0200)]
watcher: add a centralized and generic facility to monitor file descriptors

Tobias Brunner [Thu, 18 Jul 2013 13:41:36 +0000 (15:41 +0200)]
kernel-pfkey: Fail route installation if remote TS matches peer

Tobias Brunner [Thu, 18 Jul 2013 13:41:13 +0000 (15:41 +0200)]
kernel-libipsec: Fail route installation if remote TS matches peer

Tobias Brunner [Mon, 8 Jul 2013 16:24:43 +0000 (18:24 +0200)]
capabilities: Some plugins don't actually require capabilities at runtime

Tobias Brunner [Mon, 8 Jul 2013 15:48:16 +0000 (17:48 +0200)]
capabilities: Add function to check if a capability is held, without keeping it

This can be useful if capabilities are not required anymore after
dropping privileges.

Martin Willi [Thu, 18 Jul 2013 13:13:49 +0000 (15:13 +0200)]
NEWS: leak-detective improvements

Martin Willi [Thu, 18 Jul 2013 13:07:00 +0000 (15:07 +0200)]
NEWS: add keychain plugin

Martin Willi [Thu, 18 Jul 2013 10:01:18 +0000 (12:01 +0200)]
autoconf: replace autogen.sh custom script with a call to autoreconf -i

Martin Willi [Wed, 17 Jul 2013 12:45:39 +0000 (14:45 +0200)]
automake: replace INCLUDES by AM_CPPFLAGS

INCLUDES are now deprecated and throw warnings when using automake 1.13.
We now also differentiate AM_CPPFLAGS and AM_CFLAGS, where includes and
defines are passed to AM_CPPFLAGS only.

Martin Willi [Wed, 17 Jul 2013 12:04:41 +0000 (14:04 +0200)]
autoconf: rename configure.in to configure.ac

configure.ac has been the recommended name for autoconf input for several
years now. Newer autotools start to complain about the configure.in, so we
finally change it.

Martin Willi [Thu, 18 Jul 2013 12:55:05 +0000 (14:55 +0200)]
eap-sim-pcsc: fix compiler warning

Martin Willi [Thu, 18 Jul 2013 12:21:17 +0000 (14:21 +0200)]
nm: omit deprecated g_type_init() when using >= GLIB 2.36

Martin Willi [Thu, 18 Jul 2013 12:19:37 +0000 (14:19 +0200)]
soup: omit deprecated g_type_init() when using >= GLIB 2.36

Martin Willi [Wed, 20 Feb 2013 14:21:51 +0000 (15:21 +0100)]
libfast: cancel thread if it fails to accept fcgi sessions

Martin Willi [Wed, 17 Jul 2013 09:50:45 +0000 (11:50 +0200)]
libfast: add a fast_ prefix to all classes, avoiding namespace clashes

Martin Willi [Thu, 18 Jul 2013 10:18:32 +0000 (12:18 +0200)]
Merge branch 'charon-xpc'

Implement a charon daemon controlled by the Apple specific XPC mechanism,
acting as a backend for a yet to build unprivileged GUI. The keychain plugin
coming with this merge provides certificates from the OS X keychain service.

Martin Willi [Wed, 26 Jun 2013 08:37:19 +0000 (10:37 +0200)]
xpc: allow easy copy & paste of ./configure instructions

Martin Willi [Wed, 29 May 2013 12:50:47 +0000 (14:50 +0200)]
xpc: use -idirafter to build against openssl headers from /usr/include

Martin Willi [Mon, 27 May 2013 12:47:27 +0000 (14:47 +0200)]
xpc: forward some risen alerts over XPC to App

Martin Willi [Mon, 27 May 2013 12:08:39 +0000 (14:08 +0200)]
xpc: enable close_ike_on_child_failure

Martin Willi [Wed, 22 May 2013 15:22:47 +0000 (17:22 +0200)]
xpc: send a "connecting" event when establishing a connection starts

Martin Willi [Wed, 15 May 2013 14:04:43 +0000 (16:04 +0200)]
xpc: use osx-attr plugin to install configuration attributes

Martin Willi [Fri, 3 May 2013 16:35:11 +0000 (18:35 +0200)]
xpc: update README with new events, markdown style fixes

Martin Willi [Thu, 2 May 2013 16:11:47 +0000 (18:11 +0200)]
xpc: send child_updown events over XPC channel

Martin Willi [Thu, 2 May 2013 15:45:58 +0000 (17:45 +0200)]
xpc: support termination of IKE_SAs using XPC RPC on connection channel

Martin Willi [Thu, 2 May 2013 14:43:44 +0000 (16:43 +0200)]
xpc: move XPC RPC reply creation to command dispatching

Martin Willi [Thu, 2 May 2013 12:40:23 +0000 (14:40 +0200)]
xpc: terminate daemon when last XPC connection to App gone

Martin Willi [Thu, 2 May 2013 12:28:19 +0000 (14:28 +0200)]
xpc: fix some refcounting issues related to XPC connections

Martin Willi [Thu, 2 May 2013 11:58:22 +0000 (13:58 +0200)]
xpc: no need to clear channel table, they are bound to IKE_SA lifetime

Martin Willi [Fri, 3 May 2013 14:55:22 +0000 (16:55 +0200)]
xpc: add support for logging over XPC channels

Martin Willi [Thu, 2 May 2013 09:58:43 +0000 (11:58 +0200)]
xpc: don't warn about pointer signedness mismatch (-Wno-pointer-sign)

Martin Willi [Thu, 2 May 2013 09:22:51 +0000 (11:22 +0200)]
xpc: add a description of the basic XPC protocol to README

Martin Willi [Thu, 2 May 2013 08:54:55 +0000 (10:54 +0200)]
xpc: use the same XPC message "type" mechanism on Mach service as on channels

Martin Willi [Thu, 2 May 2013 08:36:37 +0000 (10:36 +0200)]
xpc: ask App for passwords using connection specific channel