strongswan.git
Disable whitelist plugin by default
Martin Willi [Thu, 12 May 2011 07:07:14 +0000 (09:07 +0200)]

Protect the communication with the SIM card during a transaction from access by a second application
Duncan Salerno [Thu, 12 May 2011 04:19:59 +0000 (06:19 +0200)]

protection against insane IMCs and IMVs
Andreas Steffen [Wed, 11 May 2011 17:34:01 +0000 (19:34 +0200)]

Do not use deprecated vte_terminal_fork_command()
Martin Willi [Wed, 11 May 2011 10:12:02 +0000 (12:12 +0200)]

Return correct status code in kernel_netlink_ipsec_t.query_sa.
Tobias Brunner [Tue, 10 May 2011 13:45:42 +0000 (15:45 +0200)]

chunk_clear not clear_chunk.
Tobias Brunner [Tue, 10 May 2011 13:40:46 +0000 (15:40 +0200)]

pluto: Securely wipe quick mode keys from memory.
Thomas Egerer [Tue, 10 May 2011 13:39:00 +0000 (15:39 +0200)]

Keying material is derived in two separate steps for local and remote
endpoints. This allows us to securely wipe local/remote secrets
separately, too -- a precondition to wipe quick mode keys from memory in
a secure fashion.

pluto: Securely wipe sensitive data from memory.
Thomas Egerer [Tue, 10 May 2011 13:19:46 +0000 (15:19 +0200)]

terminate imc/imv that couldn't be initialized properly
Andreas Steffen [Tue, 10 May 2011 05:03:37 +0000 (07:03 +0200)]

lock the set_message_types() method for imvs
Andreas Steffen [Mon, 9 May 2011 05:55:59 +0000 (07:55 +0200)]

cosmetics
Andreas Steffen [Mon, 9 May 2011 05:47:20 +0000 (07:47 +0200)]

Wipe memory after using key material (incomplete, to be continued)
Martin Willi [Mon, 9 May 2011 12:33:22 +0000 (14:33 +0200)]

Use memwipe() in chunk_clear()
Martin Willi [Mon, 9 May 2011 11:20:24 +0000 (13:20 +0200)]

Added a memwipe() function to safely overwrite sensitive memory
Martin Willi [Mon, 9 May 2011 11:16:27 +0000 (13:16 +0200)]

fixed debug output
Andreas Steffen [Sun, 8 May 2011 22:49:59 +0000 (00:49 +0200)]

adapted state_machine for retry batches
Andreas Steffen [Sun, 8 May 2011 22:49:36 +0000 (00:49 +0200)]

version bump to 4.5.2rc2
Andreas Steffen [Sun, 8 May 2011 15:56:05 +0000 (17:56 +0200)]

lock the set_message_types() method
Andreas Steffen [Sat, 7 May 2011 15:51:43 +0000 (17:51 +0200)]

added missing comma
Andreas Steffen [Sat, 7 May 2011 08:22:57 +0000 (10:22 +0200)]

refactored tnccs->remove_connection()
Andreas Steffen [Fri, 6 May 2011 13:13:05 +0000 (15:13 +0200)]

id of non-registered threads defaults to 0
Andreas Steffen [Fri, 6 May 2011 04:22:19 +0000 (06:22 +0200)]

Migrated scheduler_t to INIT/METHOD macros
Martin Willi [Thu, 5 May 2011 09:11:30 +0000 (11:11 +0200)]

Migrated callback_job to INIT/METHOD macros
Martin Willi [Mon, 2 May 2011 08:36:10 +0000 (10:36 +0200)]

Migrated processor to INIT/METHOD macros
Martin Willi [Mon, 2 May 2011 08:25:02 +0000 (10:25 +0200)]

Typo in NEWS fixed.
Tobias Brunner [Thu, 5 May 2011 08:31:33 +0000 (10:31 +0200)]

Note about certificates added to CA section in ipsec.conf man page.
Tobias Brunner [Wed, 4 May 2011 16:23:00 +0000 (18:23 +0200)]

testing: Properly align numbers of succeeded and failed tests in overview page.
Tobias Brunner [Wed, 4 May 2011 15:12:33 +0000 (17:12 +0200)]

testing: Add crumbtrail to overview page which lists all tests.
Tobias Brunner [Wed, 4 May 2011 14:59:34 +0000 (16:59 +0200)]

testing: Directly link to index.html of tests to allow browsing via file://.
Tobias Brunner [Wed, 4 May 2011 14:21:59 +0000 (16:21 +0200)]

testing: Avoid adding additional spacing around test results.
Tobias Brunner [Wed, 4 May 2011 14:19:34 +0000 (16:19 +0200)]

testing: Replace back link in results with crumbtrail to improve navigation.
Tobias Brunner [Wed, 4 May 2011 13:50:16 +0000 (15:50 +0200)]

Added NEWS about duplicheck and coupling plugins
Martin Willi [Thu, 5 May 2011 07:38:48 +0000 (09:38 +0200)]

Fix algorithm type for signers, fixes warning with gcc 4.5
Martin Willi [Tue, 3 May 2011 09:32:40 +0000 (11:32 +0200)]

Cache group name in sys_logger_t to avoid problems with Vstr.
Tobias Brunner [Tue, 3 May 2011 08:50:28 +0000 (10:50 +0200)]

Because syslog(3) is not replaced when using the Vstr wrapper, %N can
not be resolved properly.

Migrated sys_logger_t to INIT/METHOD macros.
Tobias Brunner [Tue, 3 May 2011 08:21:58 +0000 (10:21 +0200)]

Migrated file_logger_t to INIT/METHOD macros.
Tobias Brunner [Tue, 3 May 2011 08:21:03 +0000 (10:21 +0200)]

version bump to 4.5.2rc1
Andreas Steffen [Mon, 2 May 2011 20:15:43 +0000 (22:15 +0200)]

Removed superfluous parameter missed in e5e5bcc92f.
Tobias Brunner [Mon, 2 May 2011 15:13:14 +0000 (17:13 +0200)]

Fix a potential memleak if two threads fingerprint a credential simultaneously
Martin Willi [Mon, 2 May 2011 13:03:56 +0000 (15:03 +0200)]

Accept name fields in EAP-MD5 messages
Martin Willi [Mon, 2 May 2011 07:25:28 +0000 (09:25 +0200)]

added missing tab
Andreas Steffen [Thu, 28 Apr 2011 11:30:40 +0000 (13:30 +0200)]

adapted debug output
Andreas Steffen [Thu, 28 Apr 2011 11:27:44 +0000 (13:27 +0200)]

do not send messages of type TNC_VENDORID_ANY or subtype TNC_SUBTYPE_ANY
Andreas Steffen [Thu, 28 Apr 2011 11:27:17 +0000 (13:27 +0200)]

Typo fixed.
Tobias Brunner [Thu, 28 Apr 2011 10:50:30 +0000 (12:50 +0200)]

log unsupported IMC_IMV message types
Andreas Steffen [Thu, 28 Apr 2011 00:27:08 +0000 (02:27 +0200)]

list registered TNCCS message types
Andreas Steffen [Wed, 27 Apr 2011 23:34:03 +0000 (01:34 +0200)]

IKEv2 was only partially the default for connections with auto=route and auto=start.
Tobias Brunner [Wed, 27 Apr 2011 09:33:06 +0000 (11:33 +0200)]

Connections with auto=route and auto=start that did not have
keyexchange=ikev2 explicitly specified did get added to charon,
but did not get routed or started by charon.

Fixed two typos in kernel-pfroute plugin.
Tobias Brunner [Tue, 26 Apr 2011 15:28:11 +0000 (17:28 +0200)]

fixed loop error in parsing of OCSP basic responses
Andreas Steffen [Tue, 26 Apr 2011 10:32:19 +0000 (12:32 +0200)]

Migrated eap_sim_file to INIT/METHOD macros
Andreas Steffen [Fri, 22 Apr 2011 09:30:42 +0000 (11:30 +0200)]

fixed segmentation fault due to null pointer
Andreas Steffen [Fri, 22 Apr 2011 08:11:16 +0000 (10:11 +0200)]

debug type is EAP_TLS
Andreas Steffen [Thu, 21 Apr 2011 19:04:11 +0000 (21:04 +0200)]

do not include length field in non-fragmented EAP-PEAP packets
Andreas Steffen [Thu, 21 Apr 2011 17:50:36 +0000 (19:50 +0200)]

Win 7 accepts compressed EAP Identity request
Andreas Steffen [Thu, 21 Apr 2011 17:17:18 +0000 (19:17 +0200)]

added level 3 debug output of forwarded EAP payloads
Andreas Steffen [Thu, 21 Apr 2011 11:24:26 +0000 (13:24 +0200)]

Resolve and connect to RADIUS servers not before required
Martin Willi [Thu, 21 Apr 2011 09:40:25 +0000 (11:40 +0200)]

Revert alloc_str changes
Martin Willi [Thu, 21 Apr 2011 11:21:26 +0000 (13:21 +0200)]

This reverts commit fdead26ffe1da8501a6ff5e0639a6f44c723e763.
This reverts commit 3e2419ebe32de72d824864eb2e0e677a7c197af1.
This reverts commit 17ce69b47a1efd6234960cf7d1f50712aee61db5.

If key not found, strdup default value, too
Martin Willi [Thu, 21 Apr 2011 08:57:17 +0000 (10:57 +0200)]

Use thread safe settings alloc_str function where appropriate
Martin Willi [Thu, 21 Apr 2011 08:48:16 +0000 (10:48 +0200)]

Added a thread safe, allocating settings get_str variant called alloc_str
Martin Willi [Thu, 21 Apr 2011 08:10:26 +0000 (10:10 +0200)]

Be a little more liberal in checking maximum payload count
Martin Willi [Wed, 20 Apr 2011 13:15:00 +0000 (15:15 +0200)]

Accept IKE_SA_INIT responses without CERTIFICATE_REQUESTs
Martin Willi [Wed, 20 Apr 2011 13:04:02 +0000 (15:04 +0200)]

Cast size_t len arguments to %.*s to int
Martin Willi [Wed, 20 Apr 2011 11:08:32 +0000 (13:08 +0200)]

Remove superfluous test for peer_cfg on established IKE_SAs
Martin Willi [Wed, 20 Apr 2011 10:31:29 +0000 (12:31 +0200)]

Added charon.replay window to strongswan.conf.5
Martin Willi [Tue, 19 Apr 2011 12:45:52 +0000 (14:45 +0200)]

Updated ipsec.conf.5 with new ESN options
Martin Willi [Mon, 18 Apr 2011 14:11:40 +0000 (16:11 +0200)]

Add NEWS for ESN/custom replay window support
Martin Willi [Mon, 18 Apr 2011 14:00:38 +0000 (16:00 +0200)]

Synchronize ESN support in HA plugin
Martin Willi [Mon, 18 Apr 2011 13:46:25 +0000 (15:46 +0200)]

Add NO_EXT_SEQ_NUMBER to proposal only if it has not been specified in string
Martin Willi [Mon, 18 Apr 2011 13:43:59 +0000 (15:43 +0200)]

Added proposal keywords for ESN support
Martin Willi [Mon, 18 Apr 2011 13:43:20 +0000 (15:43 +0200)]

Install ESN SAs if such a proposal has been negotiated
Martin Willi [Mon, 18 Apr 2011 13:41:23 +0000 (15:41 +0200)]

Copy ESN enabled replay state during update_sa, if supported
Martin Willi [Mon, 18 Apr 2011 15:57:59 +0000 (17:57 +0200)]

Add ESN support to kernel netlink plugin, including custom replay windows
Martin Willi [Mon, 18 Apr 2011 13:16:54 +0000 (15:16 +0200)]

Added an esn parameter to the kernel interface add_sa functions
Martin Willi [Mon, 18 Apr 2011 13:16:23 +0000 (15:16 +0200)]

Updated copy of linux/xfrm.h to 2.6.39, featuring ESN support
Martin Willi [Mon, 18 Apr 2011 12:51:05 +0000 (14:51 +0200)]

Use strncpy when reading smartcard keyids from ipsec.secrets.
Tobias Brunner [Tue, 19 Apr 2011 16:00:16 +0000 (18:00 +0200)]

pluto: Replaced some strcpy usages with strncpy.
Tobias Brunner [Tue, 19 Apr 2011 14:13:28 +0000 (16:13 +0200)]

openac: --out is a mandatory argument.
Tobias Brunner [Tue, 19 Apr 2011 15:26:19 +0000 (17:26 +0200)]

openac: Fixed potential overflow while reading passphrase.
Tobias Brunner [Tue, 19 Apr 2011 11:34:18 +0000 (13:34 +0200)]

openac: Make sure path is null-terminated.
Tobias Brunner [Tue, 19 Apr 2011 11:22:32 +0000 (13:22 +0200)]

pluto: Make sure connection name is null-terminated during DPD restart.
Tobias Brunner [Tue, 19 Apr 2011 11:20:35 +0000 (13:20 +0200)]

starter: Make sure interface name is null-terminated.
Tobias Brunner [Tue, 19 Apr 2011 11:18:42 +0000 (13:18 +0200)]

Use proper return value for ietf_attr_t.compare.
Tobias Brunner [Tue, 19 Apr 2011 11:10:18 +0000 (13:10 +0200)]

scepclient: Proper handling of multiple received certificates.
Tobias Brunner [Tue, 19 Apr 2011 11:06:25 +0000 (13:06 +0200)]

pool: Proper cleanup in error cases when adding addresses from a file.
Tobias Brunner [Tue, 19 Apr 2011 10:55:58 +0000 (12:55 +0200)]

pool: Proper handling of address family when adding addresses.
Tobias Brunner [Tue, 19 Apr 2011 10:43:00 +0000 (12:43 +0200)]

Added missing return in iterator_t.insert_before of linked_list_t.
Tobias Brunner [Tue, 19 Apr 2011 10:30:23 +0000 (12:30 +0200)]

pluto: Clarified parsing of long durations.
Tobias Brunner [Tue, 19 Apr 2011 10:20:50 +0000 (12:20 +0200)]

Clearly mark switch cases that fall through.
Tobias Brunner [Tue, 19 Apr 2011 10:07:48 +0000 (12:07 +0200)]

Added missing break statement.
Tobias Brunner [Tue, 19 Apr 2011 10:07:32 +0000 (12:07 +0200)]

pluto: Avoid potential null-pointer dereference when checking CRLs.
Tobias Brunner [Mon, 18 Apr 2011 14:35:04 +0000 (16:35 +0200)]

pluto: Added missing PF_KEY debug messages.
Tobias Brunner [Mon, 18 Apr 2011 14:26:11 +0000 (16:26 +0200)]

libfreeswan does not use the version of the PF_KEY header file provided
in src/include/linux so this list is not exactly up to date.

Properly copy interface name if unknown.
Tobias Brunner [Mon, 18 Apr 2011 14:10:36 +0000 (16:10 +0200)]

We use a static string if the interface name is unknown, so using memcpy
with IFNAMSIZ is incorrect as that would overrun the static string.

pluto: from_state is strictly lower than STATE_IKE_ROOF.
Tobias Brunner [Mon, 18 Apr 2011 13:46:00 +0000 (15:46 +0200)]

Fixed typo in unit-tester plugin.
Tobias Brunner [Mon, 18 Apr 2011 13:21:10 +0000 (15:21 +0200)]

support unstructuredAddress in left|rightid
Andreas Steffen [Mon, 18 Apr 2011 21:40:31 +0000 (23:40 +0200)]

send an empty EAP Ack client message if TLS was successful and handle it on the server
Andreas Steffen [Fri, 15 Apr 2011 13:02:08 +0000 (15:02 +0200)]

Windows 7 expects an uncompressed EAP Identity request
Andreas Steffen [Fri, 15 Apr 2011 13:00:37 +0000 (15:00 +0200)]

Add plugin reloading NEWS
Martin Willi [Fri, 15 Apr 2011 11:05:02 +0000 (13:05 +0200)]

Set broadcast flag in DHCP requests when sending broadcasts
Martin Willi [Thu, 14 Apr 2011 14:01:47 +0000 (16:01 +0200)]