strongswan.git
6 years agoMerge branch 'ike-address-ranges'
Martin Willi [Wed, 4 Sep 2013 08:43:35 +0000 (10:43 +0200)]
Merge branch 'ike-address-ranges'

Adds support for multiple subnets and address ranges in left/right ipsec.conf
options. As responder the connection is acceptable if the address is in one of
the ranges/subnets. To initiate connections, at least one single IP or hostname
is required for the peer address.

6 years agoman: add support for multiple addresses/ranges/subnets in ipsec.conf left=
Martin Willi [Thu, 25 Jul 2013 14:43:19 +0000 (16:43 +0200)]
man: add support for multiple addresses/ranges/subnets in ipsec.conf left=

6 years agoike: support multiple addresses, ranges and subnets in IKE address config
Martin Willi [Thu, 25 Jul 2013 13:37:13 +0000 (15:37 +0200)]
ike: support multiple addresses, ranges and subnets in IKE address config

Replace the allowany semantic by a more powerful subnet and IP range matching.
Multiple addresses, DNS names, subnets and ranges can be specified in a comma
separated list. Initiators ignore the ranges/subnets, responders match
configurations against all addresses, ranges and subnets.

6 years agoike-cfg: remove the to be obsoleted allow any parameter in get_my/other_addr
Martin Willi [Thu, 25 Jul 2013 12:07:40 +0000 (14:07 +0200)]
ike-cfg: remove the to be obsoleted allow any parameter in get_my/other_addr

6 years agobackends: use ike_cfg host matching functions
Martin Willi [Thu, 25 Jul 2013 11:42:11 +0000 (13:42 +0200)]
backends: use ike_cfg host matching functions

6 years agoike-cfg: add methods to match a host against configured local/remote addresses
Martin Willi [Thu, 25 Jul 2013 11:41:33 +0000 (13:41 +0200)]
ike-cfg: add methods to match a host against configured local/remote addresses

6 years agotrap-manager: use ike_cfg resolver functions
Martin Willi [Thu, 25 Jul 2013 11:40:53 +0000 (13:40 +0200)]
trap-manager: use ike_cfg resolver functions

6 years agoike-sa: use ike_cfg resolver functions
Martin Willi [Thu, 25 Jul 2013 11:40:26 +0000 (13:40 +0200)]
ike-sa: use ike_cfg resolver functions

6 years agoike-cfg: add a method to resolve local/remote hosts with port
Martin Willi [Thu, 25 Jul 2013 11:39:15 +0000 (13:39 +0200)]
ike-cfg: add a method to resolve local/remote hosts with port

6 years agoMerge branch 'ikev1-pushmode'
Martin Willi [Wed, 4 Sep 2013 08:35:26 +0000 (10:35 +0200)]
Merge branch 'ikev1-pushmode'

Implements Mode Config Push mode in IKEv1 using the existing modeconfig=push
ipsec.conf option.

6 years agostroke: ignore a leftsourceip if a rightsourceip is given as well
Martin Willi [Tue, 3 Sep 2013 13:44:43 +0000 (15:44 +0200)]
stroke: ignore a leftsourceip if a rightsourceip is given as well

As we always negotiate virtual IPs in charon, having both left- and
rightsourceip is not allowed. Both in IKEv1 and IKEv2 we support a single
configuration payload exchange only.

6 years agoman: update ipsec.conf modeconfig keyword
Martin Willi [Fri, 19 Jul 2013 14:01:36 +0000 (16:01 +0200)]
man: update ipsec.conf modeconfig keyword

6 years agoikev1: implement mode config push mode
Martin Willi [Fri, 19 Jul 2013 13:58:15 +0000 (15:58 +0200)]
ikev1: implement mode config push mode

6 years agostroke: re-enable modeconfig keyword
Martin Willi [Fri, 19 Jul 2013 13:47:33 +0000 (15:47 +0200)]
stroke: re-enable modeconfig keyword

6 years agopeer-cfg: add a pull/push mode option to use with mode config
Martin Willi [Fri, 19 Jul 2013 12:24:04 +0000 (14:24 +0200)]
peer-cfg: add a pull/push mode option to use with mode config

6 years agopubkey_speed: Add missing plugins
Tobias Brunner [Wed, 4 Sep 2013 07:47:23 +0000 (09:47 +0200)]
pubkey_speed: Add missing plugins

The pkcs1 plugin is required to test the gmp/gcrypt plugins. Likewise,
the pem plugin is required when testing the openssl plugin.

Fixes #401.

6 years agopubkey_speed: sudo is not required
Tobias Brunner [Wed, 4 Sep 2013 07:28:49 +0000 (09:28 +0200)]
pubkey_speed: sudo is not required

Also, refer to pubkey_speed properly when not being called from the same
directory.

6 years agopubkey_speed: Add header and fix usage
Tobias Brunner [Wed, 4 Sep 2013 07:08:46 +0000 (09:08 +0200)]
pubkey_speed: Add header and fix usage

6 years agoMerge branch 'xauth-radius-multi'
Martin Willi [Tue, 3 Sep 2013 14:32:27 +0000 (16:32 +0200)]
Merge branch 'xauth-radius-multi'

Introduces multiple rounds in the eap-radius XAuth backend, concatenating
answers to a single password to verify using a RADIUS User-Password attribute.
This is known to work fine with iOS and OS X clients, allowing two-factor
authentication with proper dialogs.

Different XAuth "profiles" for each backend can be selected using a generic
colon sperated suffix for the XAuth string.

6 years agocharon-cmd: support prompting for a PIN
Martin Willi [Wed, 24 Jul 2013 11:19:57 +0000 (13:19 +0200)]
charon-cmd: support prompting for a PIN

To support a Password and PIN XAuth combo, additionally support multiple
prompts for different credential types.

6 years agoxauth-generic: honor requested XAuth credential types as a client
Martin Willi [Wed, 24 Jul 2013 11:18:26 +0000 (13:18 +0200)]
xauth-generic: honor requested XAuth credential types as a client

Support requesting of XAuth PINs and print XAuth messages.

6 years agoattributes: shorten some Unity and XAuth attribute short names
Martin Willi [Wed, 24 Jul 2013 11:44:22 +0000 (13:44 +0200)]
attributes: shorten some Unity and XAuth attribute short names

6 years agomessage: print type of configuration payload
Martin Willi [Fri, 19 Jul 2013 13:57:53 +0000 (15:57 +0200)]
message: print type of configuration payload

6 years agomessage: print attributes for IKEv1 configuration payloads as well
Martin Willi [Fri, 19 Jul 2013 13:48:06 +0000 (15:48 +0200)]
message: print attributes for IKEv1 configuration payloads as well

6 years agoeap-radius: support XAuth configuration profiles, defining multiple XAuth rounds
Martin Willi [Tue, 23 Jul 2013 12:46:51 +0000 (14:46 +0200)]
eap-radius: support XAuth configuration profiles, defining multiple XAuth rounds

6 years agoxauth: add a configuration string option to be passed to XAuth instances
Martin Willi [Tue, 23 Jul 2013 12:24:58 +0000 (14:24 +0200)]
xauth: add a configuration string option to be passed to XAuth instances

The configuration string is appended to the XAuth backend name, separated by
a colon. The configuration string is passed untouched to the backend, where
it can change the behavior of the XAuth module.

6 years agoUse ipsec_DATA destination 5.1.1dr2
Andreas Steffen [Mon, 2 Sep 2013 12:20:33 +0000 (14:20 +0200)]
Use ipsec_DATA destination

6 years agoInstall SWID tag also in /share/
Andreas Steffen [Mon, 2 Sep 2013 12:01:05 +0000 (14:01 +0200)]
Install SWID tag also in /share/

6 years agoGenerate strongSwan SWID tag
Andreas Steffen [Mon, 2 Sep 2013 11:08:41 +0000 (13:08 +0200)]
Generate strongSwan SWID tag

6 years agoAdded regids table and some sample reqid data
Andreas Steffen [Mon, 2 Sep 2013 09:59:42 +0000 (11:59 +0200)]
Added regids table and some sample reqid data

6 years agoPull dave for OS info
Andreas Steffen [Sun, 1 Sep 2013 20:32:13 +0000 (22:32 +0200)]
Pull dave for OS info

6 years agoCorrected debug class to DBG_IMC
Andreas Steffen [Sun, 1 Sep 2013 20:27:21 +0000 (22:27 +0200)]
Corrected debug class to DBG_IMC

6 years agoautoconf: Split PACKAGE_VERSION in four parts
Tobias Brunner [Mon, 2 Sep 2013 09:26:31 +0000 (11:26 +0200)]
autoconf: Split PACKAGE_VERSION in four parts

The parts can be accessed with the variables:

PACKAGE_VERSION_MAJOR
PACKAGE_VERSION_MINOR
PACKAGE_VERSION_BUILD
PACKAGE_VERSION_REVIEW

The last part will be empty for regular releases.

6 years agoconftest: Fix hook constructor resolution via dlsym()
Tobias Brunner [Fri, 30 Aug 2013 17:33:22 +0000 (19:33 +0200)]
conftest: Fix hook constructor resolution via dlsym()

AM_CPPFLAGS only takes preprocessor flags like -I or -D, so it did not
forward -rdynamic to the linker (--export-dynamic), which meant that the
symbols defined in the executable itself were not resolvable via dlsym().

Fixes #394.

6 years agoSWID IMC implements recursive tag collection in /usr/share
Andreas Steffen [Fri, 30 Aug 2013 14:25:44 +0000 (16:25 +0200)]
SWID IMC implements recursive tag collection in /usr/share

6 years agoaes-test: Rename crypt() as it conflicts with a library function on Mac OS X
Tobias Brunner [Fri, 30 Aug 2013 06:51:09 +0000 (08:51 +0200)]
aes-test: Rename crypt() as it conflicts with a library function on Mac OS X

unistd.h on Linux defines this only if _XOPEN_SOURCE is defined.

6 years agokernel-pfroute: Fix mixed up memset() call in get_route()
Mathias Krause [Thu, 29 Aug 2013 16:21:58 +0000 (18:21 +0200)]
kernel-pfroute: Fix mixed up memset() call in get_route()

The retry code introduced in dc8b083 got the memset() arguments wrong.
Fix this to ensure the buffer gets zeroed, for real.

It probably doesn't matter as we do reset the message length on retry, so
the stale data shouldn't be seen by anyone.

Found-by: git grep 'memset\s*\([^,]*,\s*[^,]*,\s*0\s*\)'
6 years agotesting: support a .gitignored testing.conf.local for site-local configurations
Martin Willi [Fri, 26 Jul 2013 09:43:18 +0000 (11:43 +0200)]
testing: support a .gitignored testing.conf.local for site-local configurations

6 years agocharon-xpc: add a note how to build the source tarball
Martin Willi [Thu, 29 Aug 2013 10:23:48 +0000 (12:23 +0200)]
charon-xpc: add a note how to build the source tarball

6 years agocharon-xpc: include and prefer AES-GCM algorithms in ESP proposal
Martin Willi [Wed, 28 Aug 2013 09:21:08 +0000 (11:21 +0200)]
charon-xpc: include and prefer AES-GCM algorithms in ESP proposal

6 years agoVersion bump to 5.1.1dr2
Andreas Steffen [Wed, 28 Aug 2013 21:00:47 +0000 (23:00 +0200)]
Version bump to 5.1.1dr2

6 years agoAdded TCG-SWID error handling
Andreas Steffen [Wed, 28 Aug 2013 20:53:57 +0000 (22:53 +0200)]
Added TCG-SWID error handling

6 years agoAdded scripts/aes-test to .gitignore
Andreas Steffen [Wed, 28 Aug 2013 20:52:30 +0000 (22:52 +0200)]
Added scripts/aes-test to .gitignore

6 years agoAdded tzset memory leak to whitelist
Andreas Steffen [Wed, 28 Aug 2013 20:51:17 +0000 (22:51 +0200)]
Added tzset memory leak to whitelist

6 years agoSelectively enable PT-TLS and/or RADIUS sockets in tnc-pdp plugin
Andreas Steffen [Mon, 26 Aug 2013 18:36:07 +0000 (20:36 +0200)]
Selectively enable PT-TLS and/or RADIUS sockets in tnc-pdp plugin

6 years agoaes-test: Support test vectors at the end of a file
Tobias Brunner [Mon, 19 Aug 2013 08:38:47 +0000 (10:38 +0200)]
aes-test: Support test vectors at the end of a file

6 years agoaes-test: Add script to test AES implementations according to AESAVS/GCMVS
Tobias Brunner [Mon, 5 Aug 2013 16:20:50 +0000 (18:20 +0200)]
aes-test: Add script to test AES implementations according to AESAVS/GCMVS

6 years agochunk: Print chunks without separator if + modifier is used
Tobias Brunner [Tue, 6 Aug 2013 15:27:35 +0000 (17:27 +0200)]
chunk: Print chunks without separator if + modifier is used

6 years agoutils: Add case-insensitive version of strpfx()
Tobias Brunner [Tue, 6 Aug 2013 15:27:15 +0000 (17:27 +0200)]
utils: Add case-insensitive version of strpfx()

6 years agostroke: stop enumerating IKE_SAs in statusall if output stream gets closed
Martin Willi [Fri, 23 Aug 2013 12:22:29 +0000 (14:22 +0200)]
stroke: stop enumerating IKE_SAs in statusall if output stream gets closed

If the output stream is not interested in more information, it can close the
the stream. Checking for stream errors avoids useless enumeration of IKE_SAs,
saving resources. This allows to use "ipsec statusall | head" to monitor the
daemon, or stop enumerating IKE_SAs after a specific entry has been found.

6 years agoCleaned configuration files in PT-TLS client scenario
Andreas Steffen [Thu, 22 Aug 2013 15:24:20 +0000 (17:24 +0200)]
Cleaned configuration files in PT-TLS client scenario

6 years agokernel: Restore enumeration of all addresses when searching for address in TS
Tobias Brunner [Wed, 21 Aug 2013 14:52:19 +0000 (16:52 +0200)]
kernel: Restore enumeration of all addresses when searching for address in TS

Since f52cf07532 addresses on ignored, down or loopback interfaces were
not considered as valid addresses anymore when searching for an address
contained in the local traffic selector.  This meant that route
installation failed, for instance, if charon.install_virtual_ip_on was
set to 'lo', or, on gateways, if internal interfaces were ignored with
the charon.interfaces_* options.

6 years agoconftest: Disable reset_seq hook on systems other than Linux
Tobias Brunner [Wed, 21 Aug 2013 09:27:28 +0000 (11:27 +0200)]
conftest: Disable reset_seq hook on systems other than Linux

Fixes #386.

6 years agokernel-netlink: Fix calculation of ESN bitmap length
Tobias Brunner [Wed, 21 Aug 2013 06:28:12 +0000 (08:28 +0200)]
kernel-netlink: Fix calculation of ESN bitmap length

While bmp_len stores the number of u_int32_t the allocated bitmap
actually consists of those integers.

6 years agoAdded stand-alone pt-tls-client to NEWS 5.1.1dr1
Andreas Steffen [Mon, 19 Aug 2013 10:28:12 +0000 (12:28 +0200)]
Added stand-alone pt-tls-client to NEWS

6 years agoFlush iptables rules on alice
Andreas Steffen [Mon, 19 Aug 2013 10:20:57 +0000 (12:20 +0200)]
Flush iptables rules on alice

6 years agoFixes in tnc scenarios
Andreas Steffen [Mon, 19 Aug 2013 09:44:51 +0000 (11:44 +0200)]
Fixes in tnc scenarios

6 years agoAdded tnc/tnccs-20-pt-tls scenario
Andreas Steffen [Mon, 19 Aug 2013 09:36:23 +0000 (11:36 +0200)]
Added tnc/tnccs-20-pt-tls scenario

6 years agoVersion bump to 5.1.1dr1
Andreas Steffen [Mon, 19 Aug 2013 08:03:23 +0000 (10:03 +0200)]
Version bump to 5.1.1dr1

6 years agoProcess PB-TNC batches received via PT-TLS asynchronously
Andreas Steffen [Mon, 19 Aug 2013 07:52:12 +0000 (09:52 +0200)]
Process PB-TNC batches received via PT-TLS asynchronously

6 years agoOptimize TLS socket buffer for TLS_MAX_FRAGMENT_LEN
Andreas Steffen [Mon, 19 Aug 2013 07:50:57 +0000 (09:50 +0200)]
Optimize TLS socket buffer for TLS_MAX_FRAGMENT_LEN

6 years agoOutput handler of a given workitem
Andreas Steffen [Fri, 16 Aug 2013 12:14:13 +0000 (14:14 +0200)]
Output handler of a given workitem

6 years agoImplemented SWID Tag Inventory attribute
Andreas Steffen [Fri, 16 Aug 2013 12:13:35 +0000 (14:13 +0200)]
Implemented SWID Tag Inventory attribute

6 years agodeleted moved files
Andreas Steffen [Thu, 15 Aug 2013 21:32:26 +0000 (23:32 +0200)]
deleted moved files

6 years agoImplemented SWID prototype IMC/IMV pair
Andreas Steffen [Thu, 15 Aug 2013 21:26:00 +0000 (23:26 +0200)]
Implemented SWID prototype IMC/IMV pair

6 years agoUpdated the SWID attributes
Andreas Steffen [Tue, 13 Aug 2013 20:04:49 +0000 (22:04 +0200)]
Updated the SWID attributes

6 years agoOptimized PT-TLS data transfer
Andreas Steffen [Tue, 13 Aug 2013 15:09:53 +0000 (17:09 +0200)]
Optimized PT-TLS data transfer

6 years agoShow host address of peer connecting to PT-TLS socket
Andreas Steffen [Mon, 12 Aug 2013 09:54:25 +0000 (11:54 +0200)]
Show host address of peer connecting to PT-TLS socket

6 years agoSet client identity with TLS certificate authentication
Andreas Steffen [Mon, 12 Aug 2013 09:53:46 +0000 (11:53 +0200)]
Set client identity with TLS certificate authentication

6 years agoFixed memory leak in SASL PLAIN
Andreas Steffen [Mon, 12 Aug 2013 09:52:32 +0000 (11:52 +0200)]
Fixed memory leak in SASL PLAIN

6 years agoadded --optionsfrom capability
Andreas Steffen [Mon, 12 Aug 2013 06:51:13 +0000 (08:51 +0200)]
added --optionsfrom capability

6 years agoUse client identities from successful authentications, only
Andreas Steffen [Mon, 12 Aug 2013 06:25:48 +0000 (08:25 +0200)]
Use client identities from successful authentications, only

6 years agoAdd pt-tls-client to .gitignore
Andreas Steffen [Fri, 9 Aug 2013 20:18:13 +0000 (22:18 +0200)]
Add pt-tls-client to .gitignore

6 years agoExtract client identity and authentication type from SASL authentication
Andreas Steffen [Fri, 9 Aug 2013 20:10:37 +0000 (22:10 +0200)]
Extract client identity and authentication type from SASL authentication

6 years agoAdded some debug statements
Andreas Steffen [Fri, 9 Aug 2013 13:21:33 +0000 (15:21 +0200)]
Added some debug statements

6 years agoenabled SASL PLAIN authentication
Andreas Steffen [Fri, 9 Aug 2013 11:35:02 +0000 (13:35 +0200)]
enabled SASL PLAIN authentication

6 years agoPT-TLS connection is properly terminated
Andreas Steffen [Thu, 8 Aug 2013 19:48:46 +0000 (21:48 +0200)]
PT-TLS connection is properly terminated

6 years agomoved tnc_imv plugin to libtnccs thanks to recommendation callback function
Andreas Steffen [Thu, 8 Aug 2013 17:43:43 +0000 (19:43 +0200)]
moved tnc_imv plugin to libtnccs thanks to recommendation callback function

6 years agoDocumented plugin move from libcharon to libtnccs in strongswan.conf
Andreas Steffen [Thu, 8 Aug 2013 09:17:33 +0000 (11:17 +0200)]
Documented plugin move from libcharon to libtnccs in strongswan.conf

6 years agoMoved tnc-tnccs, tnc-imc, tnccs-11, tnccs-20 and tnccs-dynamic libcharon plugins...
Andreas Steffen [Thu, 8 Aug 2013 09:02:17 +0000 (11:02 +0200)]
Moved tnc-tnccs, tnc-imc, tnccs-11, tnccs-20 and tnccs-dynamic libcharon plugins to libtnccs

6 years agorapid PT-TLS AR/PDP prototype
Andreas Steffen [Wed, 7 Aug 2013 17:41:29 +0000 (19:41 +0200)]
rapid PT-TLS AR/PDP prototype

6 years agoAdd PT-TLS interface to strongSwan PDP
Andreas Steffen [Wed, 31 Jul 2013 20:09:38 +0000 (22:09 +0200)]
Add PT-TLS interface to strongSwan PDP

6 years agoikev1: Fix calculation of the number of fragments
Tobias Brunner [Thu, 15 Aug 2013 13:15:34 +0000 (15:15 +0200)]
ikev1: Fix calculation of the number of fragments

The old code resulted in too few fragments in some cases.

6 years agoikev1: When sending fragments, use ports to decide if a non-ESP marker is added
Tobias Brunner [Thu, 15 Aug 2013 13:12:00 +0000 (15:12 +0200)]
ikev1: When sending fragments, use ports to decide if a non-ESP marker is added

This is same same logic used by sender and might apply in some cases (e.g.
when initiating to port 4500).

6 years agoikev2: Fix segfault when reestablishing CHILD_SAs due to closeaction=restart|hold
Tobias Brunner [Tue, 13 Aug 2013 08:03:54 +0000 (10:03 +0200)]
ikev2: Fix segfault when reestablishing CHILD_SAs due to closeaction=restart|hold

This regression was introduced with c949a4d5.

6 years agolibipsec: Don't limit traditional algorithms to AES and SHA1/2
Tobias Brunner [Mon, 12 Aug 2013 10:20:09 +0000 (12:20 +0200)]
libipsec: Don't limit traditional algorithms to AES and SHA1/2

Closes #377.

6 years agokernel-netlink,pfroute: Properly update address flag within ROAM_DELAY
Tobias Brunner [Mon, 12 Aug 2013 10:06:25 +0000 (12:06 +0200)]
kernel-netlink,pfroute: Properly update address flag within ROAM_DELAY

77d4a02 and 55da01f only updated the address flag when a job was created,
which obviously had the same limitation as the old code.

Fixes #374.

6 years agokernel-pfroute: Implement roam event handling like in the kernel-netlink plugin
Tobias Brunner [Mon, 12 Aug 2013 09:40:22 +0000 (11:40 +0200)]
kernel-pfroute: Implement roam event handling like in the kernel-netlink plugin

There was no proper locking and the issue regarding the address
flag also existed.

6 years agokernel-netlink: Ensure address changes are not missed in roam events
Tobias Brunner [Mon, 12 Aug 2013 09:23:34 +0000 (11:23 +0200)]
kernel-netlink: Ensure address changes are not missed in roam events

If multiple roam events are triggered within ROAM_DELAY, only one job is
created.  The old code set the address flag to the value of the last
triggering call.  So if a route change followed an address change within
ROAM_DELAY the address change was missed by the upper layers, e.g. causing
it not to update the list of addresses via MOBIKE.

The new code now keeps the state of the address flag until the job is
actually executed, which still has some issues.  For instance, if an
address disappears and reappears within ROAM_RELAY, the flag would not
have to be set to TRUE.  So address updates might occasionally get
triggered where none would actually be required.

Fixes #374.

6 years agobacktrace: rename clone() method clashing with system call
Martin Willi [Fri, 9 Aug 2013 07:13:39 +0000 (09:13 +0200)]
backtrace: rename clone() method clashing with system call

Fixes #376.

6 years agoupdown: remove description of unsupported PLUTO_ variables
Martin Willi [Thu, 8 Aug 2013 12:48:32 +0000 (14:48 +0200)]
updown: remove description of unsupported PLUTO_ variables

These have been set by pluto, but are not by charons updown plugin.

6 years agoscripts: link against librt only if required
Martin Willi [Thu, 8 Aug 2013 07:12:52 +0000 (09:12 +0200)]
scripts: link against librt only if required

With glibc, this seems to be the case for 2.17 and older versions only.

6 years agoscripts: link malloc_speed against librt
Martin Willi [Thu, 8 Aug 2013 07:09:00 +0000 (09:09 +0200)]
scripts: link malloc_speed against librt

6 years agostrongswan.conf: Add note about reserved threads
Tobias Brunner [Wed, 7 Aug 2013 07:06:01 +0000 (09:06 +0200)]
strongswan.conf: Add note about reserved threads

6 years agotnc-pdp: Initialize struct msghdr properly when reading RADIUS messages 5.1.0
Tobias Brunner [Wed, 31 Jul 2013 14:24:32 +0000 (16:24 +0200)]
tnc-pdp: Initialize struct msghdr properly when reading RADIUS messages

Before this e.g. msg_controllen was not initialized properly which could
cause invalid reads.

6 years agoNEWS: Add info about CVE-2013-5018
Tobias Brunner [Wed, 31 Jul 2013 13:28:15 +0000 (15:28 +0200)]
NEWS: Add info about CVE-2013-5018

6 years agowhitelist: Fix compilation on FreeBSD
Tobias Brunner [Wed, 31 Jul 2013 07:03:48 +0000 (09:03 +0200)]
whitelist: Fix compilation on FreeBSD

6 years agohost: Properly initialize struct sockaddr_in[6] when parsing strings
Tobias Brunner [Tue, 30 Jul 2013 16:44:50 +0000 (18:44 +0200)]
host: Properly initialize struct sockaddr_in[6] when parsing strings

Otherwise struct members like sin6_flowinfo or sin6_scope_id might be
set to bogus values.

6 years agoasn1: Fix handling of invalid ASN.1 length in is_asn1()
Tobias Brunner [Mon, 29 Jul 2013 21:45:38 +0000 (23:45 +0200)]
asn1: Fix handling of invalid ASN.1 length in is_asn1()

Fixes CVE-2013-5018.

6 years agoCallback job is not needed any more
Andreas Steffen [Wed, 31 Jul 2013 20:13:41 +0000 (22:13 +0200)]
Callback job is not needed any more