strongswan.git
6 years agoeap-radius: use IKE_SA unique id instead of peer identity to manage virtual IPs
Martin Willi [Wed, 17 Apr 2013 09:11:52 +0000 (11:11 +0200)]
eap-radius: use IKE_SA unique id instead of peer identity to manage virtual IPs

Fixes some corner cases if multiple tunnels use the same peer identity.

6 years agoDon't unset IKE_SA on bus before we released virtual IPs and attributes
Martin Willi [Wed, 17 Apr 2013 09:09:23 +0000 (11:09 +0200)]
Don't unset IKE_SA on bus before we released virtual IPs and attributes

6 years agoNew Android release after adding AES-GCM, IPv6-in-IPv4 and using kernel-netlink
Tobias Brunner [Fri, 3 May 2013 13:16:14 +0000 (15:16 +0200)]
New Android release after adding AES-GCM, IPv6-in-IPv4 and using kernel-netlink

libipsec now supports AES-GCM, IPv6 tunnels over IPv4 are supported,
native x86 libraries are built (requires a new Vstr build script).
Also, the existing kernel-netlink plugin now provides the kernel-net
implementation, which should be more stable in case multiple interfaces
are up and have IP addresses installed on them.

6 years agolibipsec: Fix memory leak in event relay
Tobias Brunner [Mon, 22 Apr 2013 13:41:22 +0000 (15:41 +0200)]
libipsec: Fix memory leak in event relay

6 years agoandroid: Use stronger ESP proposal including AES-GCM
Tobias Brunner [Mon, 22 Apr 2013 13:39:41 +0000 (15:39 +0200)]
android: Use stronger ESP proposal including AES-GCM

6 years agolibipsec: Add support for AES-GCM
Tobias Brunner [Mon, 22 Apr 2013 12:57:11 +0000 (14:57 +0200)]
libipsec: Add support for AES-GCM

6 years agolibipsec: Wrap traditional algorithms in AEAD wrapper
Tobias Brunner [Thu, 18 Apr 2013 15:02:41 +0000 (17:02 +0200)]
libipsec: Wrap traditional algorithms in AEAD wrapper

6 years agoandroid: Remove unused methods on NetworkManager/network_manager_t
Tobias Brunner [Tue, 16 Apr 2013 13:01:47 +0000 (15:01 +0200)]
android: Remove unused methods on NetworkManager/network_manager_t

6 years agoandroid: Ignore interface 'lo'
Tobias Brunner [Tue, 16 Apr 2013 12:54:48 +0000 (14:54 +0200)]
android: Ignore interface 'lo'

Android adds a default route via 'lo' if no connectivity is available
causing charon to send packets via lo and triggering DPD.

6 years agoandroid: Repurpose android-net to simply handle connectivity events
Tobias Brunner [Tue, 16 Apr 2013 12:40:19 +0000 (14:40 +0200)]
android: Repurpose android-net to simply handle connectivity events

Using the events by NetworkManager/ConnectivityManager to trigger roam events
instead of the events generated by the kernel-netlink plugin the noise level
is much lower.

6 years agokernel-netlink: Add an option to disable roam events
Tobias Brunner [Tue, 16 Apr 2013 11:54:25 +0000 (13:54 +0200)]
kernel-netlink: Add an option to disable roam events

6 years agoandroid: Replace android-net plugin with kernel-netlink
Tobias Brunner [Tue, 16 Apr 2013 12:31:09 +0000 (14:31 +0200)]
android: Replace android-net plugin with kernel-netlink

Virtual IPs are not handled by the kernel-netlink plugin and tun devices are
ignored.

6 years agoandroid: Set strongswan.conf options before initializing other libraries
Tobias Brunner [Tue, 16 Apr 2013 12:23:07 +0000 (14:23 +0200)]
android: Set strongswan.conf options before initializing other libraries

6 years agokernel-netlink: Define defaults for routing table and prio
Tobias Brunner [Tue, 16 Apr 2013 11:46:32 +0000 (13:46 +0200)]
kernel-netlink: Define defaults for routing table and prio

6 years agoopenssl: Define a default for FIPS_MODE
Tobias Brunner [Fri, 3 May 2013 13:00:54 +0000 (15:00 +0200)]
openssl: Define a default for FIPS_MODE

6 years agoIn memwipe_check(), don't put magic on stack when calling do_magic()
Martin Willi [Fri, 3 May 2013 12:17:37 +0000 (14:17 +0200)]
In memwipe_check(), don't put magic on stack when calling do_magic()

Otherwise the magic might be on the stack while checking it.

6 years agoDump stack if memwipe() check fails
Martin Willi [Fri, 3 May 2013 09:41:51 +0000 (11:41 +0200)]
Dump stack if memwipe() check fails

6 years agoUse attest database in tnc/tnccs-20-os scenario 5.0.4
Andreas Steffen [Sun, 21 Apr 2013 14:31:23 +0000 (16:31 +0200)]
Use attest database in tnc/tnccs-20-os scenario

6 years agofixed a 64bit time_t issue
Andreas Steffen [Sun, 21 Apr 2013 14:07:13 +0000 (16:07 +0200)]
fixed a 64bit time_t issue

6 years agodestroy SQL query
Andreas Steffen [Sun, 21 Apr 2013 14:00:23 +0000 (16:00 +0200)]
destroy SQL query

6 years agoKeep last AR ID
Andreas Steffen [Sun, 21 Apr 2013 06:19:30 +0000 (08:19 +0200)]
Keep last AR ID

6 years agoAdded use of openssl-fips library to NEWS
Andreas Steffen [Fri, 19 Apr 2013 16:49:43 +0000 (18:49 +0200)]
Added use of openssl-fips library to NEWS

6 years agocheck for successful activation of FIPS mode
Andreas Steffen [Fri, 19 Apr 2013 16:46:52 +0000 (18:46 +0200)]
check for successful activation of FIPS mode

6 years agoinstall FIPS-aware OpenSSL Debian packages
Andreas Steffen [Fri, 19 Apr 2013 16:36:38 +0000 (18:36 +0200)]
install FIPS-aware OpenSSL Debian packages

6 years agoAdded openssl-ikev2/rw-cpa scenario
Andreas Steffen [Thu, 18 Apr 2013 10:46:36 +0000 (12:46 +0200)]
Added openssl-ikev2/rw-cpa scenario

6 years agobuild openssl-fips in KVM root-image
Andreas Steffen [Thu, 18 Apr 2013 10:46:02 +0000 (12:46 +0200)]
build openssl-fips in KVM root-image

6 years agofixed typo
Andreas Steffen [Fri, 19 Apr 2013 16:33:41 +0000 (18:33 +0200)]
fixed typo

6 years agoDuring libstrongswan initialization, check if memwipe() works as expected
Martin Willi [Thu, 18 Apr 2013 10:37:39 +0000 (12:37 +0200)]
During libstrongswan initialization, check if memwipe() works as expected

6 years agoadded libstrongswan.plugins.openssl.fips_mode to man page
Andreas Steffen [Tue, 16 Apr 2013 11:44:06 +0000 (13:44 +0200)]
added libstrongswan.plugins.openssl.fips_mode to man page

6 years agosupport of OpenSSL FIPS-140-2 library
Andreas Steffen [Tue, 16 Apr 2013 10:37:04 +0000 (12:37 +0200)]
support of OpenSSL FIPS-140-2 library

6 years agobuild soup plugin in KVM test environment
Andreas Steffen [Mon, 15 Apr 2013 18:23:41 +0000 (20:23 +0200)]
build soup plugin in KVM test environment

6 years agodisable reauth, too
Andreas Steffen [Mon, 15 Apr 2013 18:21:19 +0000 (20:21 +0200)]
disable reauth, too

6 years agoFix checksum calculation with DESTDIR installations
Tobias Brunner [Mon, 15 Apr 2013 14:48:46 +0000 (16:48 +0200)]
Fix checksum calculation with DESTDIR installations

6 years agoversion bump to 5.0.4
Andreas Steffen [Sun, 14 Apr 2013 17:58:17 +0000 (19:58 +0200)]
version bump to 5.0.4

6 years agoAdded charon.initiator_only option which causes charon to ignore IKE initiation reque...
Andreas Steffen [Sun, 14 Apr 2013 17:57:49 +0000 (19:57 +0200)]
Added charon.initiator_only option which causes charon to ignore IKE initiation requests by peers

6 years agoAllow SHA1_Init()/SHA1_Update() to fail if OpenSSL version >= 1.0
Martin Willi [Tue, 9 Apr 2013 09:48:47 +0000 (11:48 +0200)]
Allow SHA1_Init()/SHA1_Update() to fail if OpenSSL version >= 1.0

6 years agoCheck RSA_public_decrypt() length before constructing and comparing a chunk
Martin Willi [Tue, 9 Apr 2013 09:38:51 +0000 (11:38 +0200)]
Check RSA_public_decrypt() length before constructing and comparing a chunk

If decryption fails, it returns -1. chunk_equals() should catch that error,
but be more explicit in error checking.

6 years agoRSA_check_key() may return -1 if it fails
Martin Willi [Tue, 9 Apr 2013 09:37:15 +0000 (11:37 +0200)]
RSA_check_key() may return -1 if it fails

6 years agoRAND_bytes/RAND_pseudo_bytes returns -1 if it is not supported by RAND method
Martin Willi [Tue, 9 Apr 2013 09:12:16 +0000 (11:12 +0200)]
RAND_bytes/RAND_pseudo_bytes returns -1 if it is not supported by RAND method

6 years agoCheck return value of ECDSA_Verify() correctly
Martin Willi [Tue, 9 Apr 2013 08:56:09 +0000 (10:56 +0200)]
Check return value of ECDSA_Verify() correctly

6 years agoeap-radius: Add an option to exclude ports from Called/Calling-Station-Id
Martin Willi [Thu, 4 Apr 2013 14:05:05 +0000 (16:05 +0200)]
eap-radius: Add an option to exclude ports from Called/Calling-Station-Id

6 years agoversion bump to 5.0.4dr1
Andreas Steffen [Tue, 9 Apr 2013 13:20:49 +0000 (15:20 +0200)]
version bump to 5.0.4dr1

6 years agofixed another printf statement
Andreas Steffen [Tue, 9 Apr 2013 13:16:49 +0000 (15:16 +0200)]
fixed another printf statement

6 years agofixed printf statements
Andreas Steffen [Mon, 8 Apr 2013 20:21:14 +0000 (22:21 +0200)]
fixed printf statements

6 years agoemit a single assig_vips bus message for all VIPs
Andreas Steffen [Sat, 6 Apr 2013 12:16:30 +0000 (14:16 +0200)]
emit a single assig_vips bus message for all VIPs

6 years agoifmap plugin subscribes to assing_vip bus signal
Andreas Steffen [Thu, 4 Apr 2013 11:40:57 +0000 (13:40 +0200)]
ifmap plugin subscribes to assing_vip bus signal

6 years agoAdded missing sasl Doxygen group
Tobias Brunner [Fri, 5 Apr 2013 12:54:29 +0000 (14:54 +0200)]
Added missing sasl Doxygen group

6 years agounity: Check IKE_SA in only after enumerating virtual IPs
Tobias Brunner [Fri, 5 Apr 2013 11:45:04 +0000 (13:45 +0200)]
unity: Check IKE_SA in only after enumerating virtual IPs

6 years agofixed configure options 5.0.3
Andreas Steffen [Thu, 4 Apr 2013 19:09:07 +0000 (21:09 +0200)]
fixed configure options

6 years agocleaned up XML code in tnccs-11 plugin
Andreas Steffen [Thu, 4 Apr 2013 15:12:00 +0000 (17:12 +0200)]
cleaned up XML code in tnccs-11 plugin

6 years agoduplicheck: track multiple IKE_SAs in checking state to avoid any races
Martin Willi [Thu, 4 Apr 2013 13:43:37 +0000 (15:43 +0200)]
duplicheck: track multiple IKE_SAs in checking state to avoid any races

When two consequent duplicates have been detected, track state of each checking
IKE_SA separately, avoiding potential race conditions between the active SA
and the different SAs in checking state.

6 years agofixed memory leak
Andreas Steffen [Wed, 3 Apr 2013 19:29:04 +0000 (21:29 +0200)]
fixed memory leak

6 years agoproperly handle orphaned renewSession jobs
Andreas Steffen [Wed, 3 Apr 2013 14:44:44 +0000 (16:44 +0200)]
properly handle orphaned renewSession jobs

6 years agosupport chunked HTTP responses
Andreas Steffen [Wed, 3 Apr 2013 10:08:52 +0000 (12:08 +0200)]
support chunked HTTP responses

6 years agoimplemented periodic IF-MAP RenewSession request
Andreas Steffen [Tue, 2 Apr 2013 14:49:53 +0000 (16:49 +0200)]
implemented periodic IF-MAP RenewSession request

6 years agoRefactor check_for_rekeyed_child() in quick_mode task
Martin Willi [Wed, 3 Apr 2013 15:08:00 +0000 (17:08 +0200)]
Refactor check_for_rekeyed_child() in quick_mode task

6 years agoReuse reqid of an existing Quick Mode, even if it has been rekeyed
Martin Willi [Wed, 3 Apr 2013 13:56:26 +0000 (15:56 +0200)]
Reuse reqid of an existing Quick Mode, even if it has been rekeyed

If two peers rekey Quick Modes at the same time, the original Quick Mode is
in REKEYING state and hence the requid is not reused. This is required though,
as two identical policies won't work if they have different requids.

6 years agoList all stroke counters when "all" is given, and report if connection not known
Martin Willi [Wed, 3 Apr 2013 12:58:08 +0000 (14:58 +0200)]
List all stroke counters when "all" is given, and report if connection not known

6 years agoDefer CHILD_SA rekeying if allocating an SPI fails
Martin Willi [Wed, 3 Apr 2013 10:16:27 +0000 (12:16 +0200)]
Defer CHILD_SA rekeying if allocating an SPI fails

6 years agoAccept a certificate/key pair to use client authentication in tls_test
Martin Willi [Tue, 2 Apr 2013 14:09:17 +0000 (16:09 +0200)]
Accept a certificate/key pair to use client authentication in tls_test

6 years agoversion bump to 5.0.3
Andreas Steffen [Tue, 2 Apr 2013 06:55:33 +0000 (08:55 +0200)]
version bump to 5.0.3

6 years agoallow retrieval of private keys from other credential sets
Andreas Steffen [Mon, 1 Apr 2013 20:32:20 +0000 (22:32 +0200)]
allow retrieval of private keys from other credential sets

6 years agoimprove checking of sent and received http messages
Andreas Steffen [Mon, 1 Apr 2013 20:31:44 +0000 (22:31 +0200)]
improve checking of sent and received http messages

6 years agoUpdated strongswan.conf(5) man page
Tobias Brunner [Mon, 1 Apr 2013 12:35:39 +0000 (14:35 +0200)]
Updated strongswan.conf(5) man page

6 years agoLoad raw keys before possibly destroying the identity
Tobias Brunner [Mon, 1 Apr 2013 11:46:23 +0000 (13:46 +0200)]
Load raw keys before possibly destroying the identity

If no identity (or %any) is configured the identification_t object is
destroyed and an invalid object was associated with the created pubkey
certificate.
Actually using %any does not work as the certificate would not match
when the client later provides an identity.

6 years agoipseckey: Use proper daemon name for enable option
Tobias Brunner [Mon, 1 Apr 2013 11:45:11 +0000 (13:45 +0200)]
ipseckey: Use proper daemon name for enable option

6 years agoProperly handle situation if no resolver plugins are loaded
Tobias Brunner [Mon, 1 Apr 2013 11:44:04 +0000 (13:44 +0200)]
Properly handle situation if no resolver plugins are loaded

6 years agofixed capability metadata
Andreas Steffen [Sun, 31 Mar 2013 20:15:42 +0000 (22:15 +0200)]
fixed capability metadata

6 years agofix start of wpa_supplicant
Andreas Steffen [Sun, 31 Mar 2013 17:48:00 +0000 (19:48 +0200)]
fix start of wpa_supplicant

6 years agoupdated strongswan.conf man page for tn_ifmap plugin
Andreas Steffen [Sun, 31 Mar 2013 17:05:53 +0000 (19:05 +0200)]
updated strongswan.conf man page for tn_ifmap plugin

6 years agorenamed tnc_ifmap2 plugin to tnc_ifmap
Andreas Steffen [Sun, 31 Mar 2013 14:37:30 +0000 (16:37 +0200)]
renamed tnc_ifmap2 plugin to tnc_ifmap

6 years agoremoved obsoleted tnc_ifmap plugin
Andreas Steffen [Sun, 31 Mar 2013 14:07:08 +0000 (16:07 +0200)]
removed obsoleted tnc_ifmap plugin

6 years agoimplemented http basic authentication
Andreas Steffen [Sun, 31 Mar 2013 13:59:32 +0000 (15:59 +0200)]
implemented http basic authentication

6 years agoparse IF-MAP server URI
Andreas Steffen [Sun, 31 Mar 2013 09:39:06 +0000 (11:39 +0200)]
parse IF-MAP server URI

6 years agoimplemented publish_enforcement_report and endSession methods
Andreas Steffen [Sat, 30 Mar 2013 12:19:27 +0000 (13:19 +0100)]
implemented publish_enforcement_report and endSession methods

6 years agoimplemented publish_ike_sa method
Andreas Steffen [Sat, 30 Mar 2013 08:15:16 +0000 (09:15 +0100)]
implemented publish_ike_sa method

6 years agoifmap message type is known
Andreas Steffen [Sat, 30 Mar 2013 07:22:33 +0000 (08:22 +0100)]
ifmap message type is known

6 years agoimplemented publish_device_ip method
Andreas Steffen [Sat, 30 Mar 2013 07:11:10 +0000 (08:11 +0100)]
implemented publish_device_ip method

6 years agoadded IF-MAP SOAP error handling
Andreas Steffen [Sat, 30 Mar 2013 07:10:39 +0000 (08:10 +0100)]
added IF-MAP SOAP error handling

6 years agocreated tnc_ifmap2_soap_msg class
Andreas Steffen [Fri, 29 Mar 2013 22:09:11 +0000 (23:09 +0100)]
created tnc_ifmap2_soap_msg class

6 years agoimplement NewSession and PurgePublisher messages using the libxml2 library
Andreas Steffen [Fri, 29 Mar 2013 21:29:12 +0000 (22:29 +0100)]
implement NewSession and PurgePublisher messages using the libxml2 library

6 years agoset up a new IF-MAP session
Andreas Steffen [Fri, 29 Mar 2013 08:42:06 +0000 (09:42 +0100)]
set up a new IF-MAP session

6 years agofixed typo
Andreas Steffen [Wed, 27 Mar 2013 21:56:37 +0000 (22:56 +0100)]
fixed typo

6 years agoFixed Doxygen comment in eap_radius plugin
Tobias Brunner [Wed, 27 Mar 2013 10:07:06 +0000 (11:07 +0100)]
Fixed Doxygen comment in eap_radius plugin

6 years agoFix detection and use of netinet/ip6.h on FreeBSD
Tobias Brunner [Wed, 27 Mar 2013 08:56:48 +0000 (09:56 +0100)]
Fix detection and use of netinet/ip6.h on FreeBSD

6 years agoDon't set USE_ATTR_SQL when the sql plugin is enabled only
Tobias Brunner [Wed, 27 Mar 2013 06:47:53 +0000 (07:47 +0100)]
Don't set USE_ATTR_SQL when the sql plugin is enabled only

6 years agoMake some private functions in plugins static
Tobias Brunner [Wed, 27 Mar 2013 06:31:57 +0000 (07:31 +0100)]
Make some private functions in plugins static

Fixes monolithic build.

6 years agoUse new strongSwan HA kernel patchset keeping iptables ABI
Martin Willi [Fri, 22 Mar 2013 10:33:51 +0000 (11:33 +0100)]
Use new strongSwan HA kernel patchset keeping iptables ABI

Allows us to install stock debian iptables without the need for patching and
compiling our own.

6 years agoDefine SSHCONF from strongswan testing directory, not TESTDIR
Martin Willi [Fri, 22 Mar 2013 10:30:59 +0000 (11:30 +0100)]
Define SSHCONF from strongswan testing directory, not TESTDIR

This fixes the use of SSHCONF in the ssh wrapper script before ./do-tests
had a chance to create the required symlinks.

6 years agoLazy unmount guest filesystem after building image, as it still might be busy
Martin Willi [Fri, 22 Mar 2013 10:27:37 +0000 (11:27 +0100)]
Lazy unmount guest filesystem after building image, as it still might be busy

6 years agocrypt_burn: Proper cleanup
Tobias Brunner [Mon, 25 Mar 2013 17:04:38 +0000 (18:04 +0100)]
crypt_burn: Proper cleanup

6 years agocrypt_burn: Fix loop condition for regular crypters
Tobias Brunner [Mon, 25 Mar 2013 17:02:07 +0000 (18:02 +0100)]
crypt_burn: Fix loop condition for regular crypters

6 years agolibpts: Cast first argument for %.*s to int
Tobias Brunner [Mon, 25 Mar 2013 16:37:52 +0000 (17:37 +0100)]
libpts: Cast first argument for %.*s to int

6 years agoerror-notify: Close file descriptors in case clients are still connected
Tobias Brunner [Mon, 25 Mar 2013 16:33:45 +0000 (17:33 +0100)]
error-notify: Close file descriptors in case clients are still connected

6 years agolibpttls: Destroy reader when handling errors during SASL
Tobias Brunner [Mon, 25 Mar 2013 16:19:51 +0000 (17:19 +0100)]
libpttls: Destroy reader when handling errors during SASL

6 years agopacman: Define gen_time out of the loop
Tobias Brunner [Mon, 25 Mar 2013 16:13:49 +0000 (17:13 +0100)]
pacman: Define gen_time out of the loop

It gets assigned if count==3 but only used later when count >= 7.

6 years agoipseckey: NULL pointer dereference fixed in error case
Tobias Brunner [Mon, 25 Mar 2013 16:02:45 +0000 (17:02 +0100)]
ipseckey: NULL pointer dereference fixed in error case

6 years agoRecipes: Disable Anet unit tests
Reto Buerki [Mon, 25 Mar 2013 15:24:29 +0000 (16:24 +0100)]
Recipes: Disable Anet unit tests

Some Anet unit tests may fail because of the network configuration on
the testing host. These failures do not indicate a problem in Anet but
are a result of unpredictable events.

6 years agoFixed some typos, courtesy of codespell
Tobias Brunner [Mon, 25 Mar 2013 09:59:37 +0000 (10:59 +0100)]
Fixed some typos, courtesy of codespell

6 years agoAdded hostapd package to base image
Andreas Steffen [Fri, 22 Mar 2013 22:53:39 +0000 (23:53 +0100)]
Added hostapd package to base image