strongswan.git
ikev1: Always send ID payloads (traffic selectors) during Quick Mode
Tobias Brunner [Thu, 25 Jul 2013 15:08:17 +0000 (17:08 +0200)]

Especially Windows 7 has problems if the peer does not send ID payloads
for host-to-host connections (tunnel and transport mode).

Fixes #319.

watcher: Made notify array initialization compatible with older GCC versions
Tobias Brunner [Thu, 25 Jul 2013 14:57:42 +0000 (16:57 +0200)]

unit-tests: Add additional tests for host_t
Tobias Brunner [Wed, 24 Jul 2013 10:16:52 +0000 (12:16 +0200)]

imv-attestation: Properly measure complete directories
Tobias Brunner [Wed, 24 Jul 2013 14:23:14 +0000 (16:23 +0200)]

array: Number of items in get_size() is unsigned
Tobias Brunner [Wed, 24 Jul 2013 14:03:38 +0000 (16:03 +0200)]

Otherwise, array->esize is promoted to int and if array->esize * num
results in a value > 0x7fffffff the return value would be incorrect due
to the implicit sign extension when getting cast to size_t.

stream: Ensure UNIX socket path is null terminated
Tobias Brunner [Wed, 24 Jul 2013 09:18:31 +0000 (11:18 +0200)]

kernel-pfkey: Add sanity check when deleting policies
Tobias Brunner [Wed, 24 Jul 2013 09:11:25 +0000 (11:11 +0200)]

imv-os: check_packages() fails if product query fails
Tobias Brunner [Wed, 24 Jul 2013 09:04:34 +0000 (11:04 +0200)]

pkcs5: Add missing break statements when checking crypto primitives
Tobias Brunner [Wed, 24 Jul 2013 08:58:34 +0000 (10:58 +0200)]

imv-scanner: Properly check snprintf() return value
Tobias Brunner [Wed, 24 Jul 2013 08:45:32 +0000 (10:45 +0200)]

socket-dynamic: Properly initialize IPv6 address
Tobias Brunner [Wed, 24 Jul 2013 08:36:49 +0000 (10:36 +0200)]

unit-tests: Add test for host_create_netmask()
Tobias Brunner [Wed, 24 Jul 2013 08:33:06 +0000 (10:33 +0200)]

host: Prevent overflow in host_create_netmask() if mask is 0 or 32/128
Tobias Brunner [Wed, 24 Jul 2013 08:31:52 +0000 (10:31 +0200)]

imv-attestation: Use proper cast for length when using %.*s
Tobias Brunner [Wed, 24 Jul 2013 07:04:09 +0000 (09:04 +0200)]

tnc-ifmap: Use proper cast for length when using %.*s
Tobias Brunner [Wed, 24 Jul 2013 07:00:35 +0000 (09:00 +0200)]

capabilities: Proper error handling when reading groups
Tobias Brunner [Wed, 24 Jul 2013 06:43:10 +0000 (08:43 +0200)]

strongswan.conf: Moved some stuff around
Tobias Brunner [Tue, 23 Jul 2013 10:23:05 +0000 (12:23 +0200)]

ipsec: Add --piddir to retrieve the PID/socket directory
Tobias Brunner [Mon, 22 Jul 2013 16:12:04 +0000 (18:12 +0200)]

starter: Properly refer to the ipsec script if it was renamed
Tobias Brunner [Mon, 22 Jul 2013 15:59:49 +0000 (17:59 +0200)]

coupling: Fix call to call_hook()
Tobias Brunner [Mon, 22 Jul 2013 15:53:56 +0000 (17:53 +0200)]

strongswan.conf: Add missing options
Tobias Brunner [Mon, 22 Jul 2013 15:45:43 +0000 (17:45 +0200)]

charon-xpc: Use correct namespace when setting default settings
Tobias Brunner [Mon, 22 Jul 2013 15:44:37 +0000 (17:44 +0200)]

tnc-pdp: Fix reading port setting from strongswan.conf
Tobias Brunner [Mon, 22 Jul 2013 15:43:54 +0000 (17:43 +0200)]

fixed typo (5.1.0rc1)
Andreas Steffen [Fri, 19 Jul 2013 18:07:32 +0000 (20:07 +0200)]

updated some TNC scenarios
Andreas Steffen [Fri, 19 Jul 2013 17:36:07 +0000 (19:36 +0200)]

processor: force synchronous execute_job() if set_threads(0) has been called
Martin Willi [Fri, 19 Jul 2013 13:27:07 +0000 (15:27 +0200)]

During daemon shutdown, some idle threads might be lingering around even if
set_threads(0) already has been called. To avoid any races, we enforce
synchronous execution of the job.

proposal: correctly enumerate registered AEADs to build default IKE proposal
Martin Willi [Fri, 19 Jul 2013 13:01:53 +0000 (15:01 +0200)]

AEADs are not returned (anymore) with the encryption enumerator.

Version bump to 5.1.0rc1
Andreas Steffen [Fri, 19 Jul 2013 08:40:49 +0000 (10:40 +0200)]

tkm: Properly refer to includes now that AM_CPPFLAGS is used
Tobias Brunner [Fri, 19 Jul 2013 07:02:04 +0000 (09:02 +0200)]

keychain: Use AM_CPPFLAGS instead of INCLUDES
Tobias Brunner [Fri, 19 Jul 2013 07:01:39 +0000 (09:01 +0200)]

Fix various API doc issues and typos
Tobias Brunner [Thu, 18 Jul 2013 15:27:11 +0000 (17:27 +0200)]

Partially based on an old patch by Adrian-Ken Rueegsegger.

identification: parse identities having a "@@" prefix as ID_RFC822_ADDR
Martin Willi [Thu, 18 Jul 2013 14:45:10 +0000 (16:45 +0200)]

Original patch by Gerald Richter.

NEWS: mention watcher and stream services
Martin Willi [Thu, 18 Jul 2013 14:10:48 +0000 (16:10 +0200)]

Merge branch 'ipc-service'
Martin Willi [Thu, 18 Jul 2013 14:03:14 +0000 (16:03 +0200)]

Adds network transparency and TCP support to the IPC interfaces of different
plugins using the new stream and stream service classes. A central watcher
thread can watch multiple file descriptors to handle connection requests
for these and other services using only a single thread.

stream-service: move CAP_CHOWN check from plugins to service constructor
Martin Willi [Thu, 18 Jul 2013 13:46:17 +0000 (15:46 +0200)]

A plugin service can be a TCP socket now, so it does not make much sense
to strictly check for CAP_CHOWN.

processor: remove the now unused get_threads() method again
Martin Willi [Thu, 18 Jul 2013 09:42:59 +0000 (11:42 +0200)]

watcher: use processor's new execute_job() to notify FDs
Martin Willi [Thu, 18 Jul 2013 09:40:40 +0000 (11:40 +0200)]

Just queueing is problematic, as all threads might be busy waiting for events
that the queued (but never executed) job delivers.

processor: add an execute_job() method to directly execute an important job
Martin Willi [Thu, 18 Jul 2013 09:37:42 +0000 (11:37 +0200)]

If all worker threads are busy and waiting for an event, we must ensure that
a job delivering that event gets executed. This new method has this property
for CRITICAL jobs, using a worker if we have one, but executing the job directly
if not.

watcher: properly support multiple watch callback types for the same FD
Martin Willi [Wed, 17 Jul 2013 14:07:47 +0000 (16:07 +0200)]

watcher: read multiple notifications if available
Martin Willi [Wed, 17 Jul 2013 14:03:23 +0000 (16:03 +0200)]

Use non-blocking I/O on the read end of the notify pipe. This also makes sure
the read does not block should select() signal data while there is none.

certexpire: add an option to enforce exporting trustchains having a private key
Martin Willi [Tue, 15 Nov 2011 17:13:53 +0000 (17:13 +0000)]

error-notify: catch and forward some alerts related to certificate validation
Martin Willi [Tue, 9 Jul 2013 12:28:10 +0000 (14:28 +0200)]

bus: raise certificate validation alerts using credential manager hook
Martin Willi [Tue, 9 Jul 2013 12:21:40 +0000 (14:21 +0200)]

credmgr: introduce a hook function to catch trust chain validation errors
Martin Willi [Tue, 9 Jul 2013 09:55:32 +0000 (11:55 +0200)]

lookip: double size of id field in message
Martin Willi [Mon, 4 Feb 2013 09:02:14 +0000 (10:02 +0100)]

error-notify: increase size of string/identity fields in messages
Martin Willi [Mon, 4 Feb 2013 08:59:54 +0000 (09:59 +0100)]

whitelist: use a read-copy when listing entries
Martin Willi [Mon, 8 Jul 2013 09:44:52 +0000 (11:44 +0200)]

While this requires a little more overhead, we can free the lock should the
stream block, allowing other threads to add/remove entries.

whitelist: fix error handling when creating the socket fails
Martin Willi [Mon, 8 Jul 2013 08:52:49 +0000 (10:52 +0200)]

lookip: fix error handling when creating the socket fails
Martin Willi [Mon, 8 Jul 2013 08:40:25 +0000 (10:40 +0200)]

error-notify: fix error handling when creating the socket fails
Martin Willi [Mon, 8 Jul 2013 08:39:23 +0000 (10:39 +0200)]

kernel-pfroute: use watcher to receive kernel events
Martin Willi [Mon, 1 Jul 2013 13:48:22 +0000 (15:48 +0200)]

kernel-pfkey: use watcher to receive networking events
Martin Willi [Mon, 1 Jul 2013 13:45:01 +0000 (15:45 +0200)]

kernel-netlink: use watcher to receive kernel events for net/ipsec
Martin Willi [Mon, 1 Jul 2013 13:42:22 +0000 (15:42 +0200)]

eap-radius: use watcher instead of receiver thread on DAE socket
Martin Willi [Mon, 1 Jul 2013 09:52:42 +0000 (11:52 +0200)]

dhcp: use watcher instead of dedicated receiver thread
Martin Willi [Mon, 1 Jul 2013 07:47:28 +0000 (09:47 +0200)]

farp: use watcher instead of dedicated receiver thread
Martin Willi [Mon, 1 Jul 2013 09:59:56 +0000 (11:59 +0200)]

load-tester: use a stream service to dispatch control connections
Martin Willi [Mon, 1 Jul 2013 10:18:15 +0000 (12:18 +0200)]

whitelist: use a stream service to accept client connections
Martin Willi [Mon, 1 Jul 2013 12:47:11 +0000 (14:47 +0200)]

Use SOCK_STREAM, as we don't have SOCK_SEQPACKET on TCP. To have network
transparency, the message now uses network byte order.

lookip: use stream service with async I/O dispatching
Martin Willi [Mon, 1 Jul 2013 10:47:45 +0000 (12:47 +0200)]

Now uses SOCK_STREAM, as SOCK_SEQPACKET is not available over TCP. To have
network transparency, the message now uses network byte order.

error-notify: use a stream service to accept client connections
Martin Willi [Mon, 1 Jul 2013 09:42:18 +0000 (11:42 +0200)]

As TCP does not have SOCK_SEQPACKET, we now use SOCK_STREAM for the error-notify
socket. To have network transparency, the message now uses network byte order.

duplicheck: use a stream service to accept client connections
Martin Willi [Mon, 1 Jul 2013 09:19:01 +0000 (11:19 +0200)]

As we can't use SOCK_SEQPACKET over TCP, we now have to provide message
boundaries ourselves. We do this by appending a 16-bit length header to each
sent duplicate identity.

stroke: use a stream service to handle stroke requests
Martin Willi [Fri, 28 Jun 2013 12:35:12 +0000 (14:35 +0200)]

stream: allow async read/write callback to destroy the stream explicitly
Martin Willi [Tue, 2 Jul 2013 12:09:45 +0000 (14:09 +0200)]

stream: don't close underlying socket when creating a stream from it
Martin Willi [Tue, 2 Jul 2013 12:04:51 +0000 (14:04 +0200)]

watcher: add some debugging statements
Martin Willi [Tue, 2 Jul 2013 12:03:51 +0000 (14:03 +0200)]

watcher: if the processor has no threads, execute the job with watcher thread
Martin Willi [Tue, 2 Jul 2013 09:01:10 +0000 (11:01 +0200)]

This is important during shutdown, where we might need to signal some FDs while
all idle threads are gone already.

processor: add a getter for the threads passed to set_threads()
Martin Willi [Tue, 2 Jul 2013 09:00:27 +0000 (11:00 +0200)]

watcher: unregister a watcher FD if its thread gets cancelled
Martin Willi [Mon, 1 Jul 2013 16:38:42 +0000 (18:38 +0200)]

watcher: release threads waiting in remove() when watcher thread gets cancelled
Martin Willi [Mon, 1 Jul 2013 16:34:08 +0000 (18:34 +0200)]

During daemon shutdown, users might call remove() after processor.set_threads(0)
has been called. This gets problematic, as a watch event might be unable
to signal completion when no threads are available anymore. Work around this
issue by cancelling waiters once processor.cancel() has been called.

stream: support keeping the service alive outside of service callback
Martin Willi [Mon, 1 Jul 2013 12:57:28 +0000 (14:57 +0200)]

stream: add read/write_all() methods to stream
Martin Willi [Mon, 1 Jul 2013 08:36:52 +0000 (10:36 +0200)]

stream: support cancellation of stream service callback
Martin Willi [Fri, 28 Jun 2013 12:33:03 +0000 (14:33 +0200)]

stream: use a service constructor to create services
Martin Willi [Fri, 28 Jun 2013 12:55:27 +0000 (14:55 +0200)]

It does not make much sense to reference running services in the manager,
especially as unregistration would need the URI (which a user would have to
store instead of the service reference).

stream: replace print/vprint() convenience functions by a FILE* getter
Martin Willi [Fri, 28 Jun 2013 12:33:41 +0000 (14:33 +0200)]

While this will complicate the implementation of streams not based on a fd,
it allows us to unleash the full power of FILE based convenience functions.

stream: add a concurrency option to services, limiting parallel callbacks
Martin Willi [Fri, 28 Jun 2013 09:50:59 +0000 (11:50 +0200)]

stream: add a job priority option to stream services
Martin Willi [Fri, 28 Jun 2013 08:32:30 +0000 (10:32 +0200)]

stream: add backlog option to stream services, forward to listen()
Martin Willi [Fri, 28 Jun 2013 08:20:13 +0000 (10:20 +0200)]

stream: add support for TCP stream services
Martin Willi [Thu, 27 Jun 2013 15:25:51 +0000 (17:25 +0200)]

stream: add support for TCP streams
Martin Willi [Thu, 27 Jun 2013 15:25:21 +0000 (17:25 +0200)]

stream: add support for UNIX stream services
Martin Willi [Wed, 26 Jun 2013 15:16:33 +0000 (17:16 +0200)]

stream: add support for UNIX streams
Martin Willi [Wed, 26 Jun 2013 15:08:14 +0000 (17:08 +0200)]

stream: support async operation using watcher
Martin Willi [Thu, 27 Jun 2013 13:49:11 +0000 (15:49 +0200)]

stream: add printf()-style convenience functions
Martin Willi [Thu, 27 Jun 2013 09:46:41 +0000 (11:46 +0200)]

stream: create library instance of stream-manager
Martin Willi [Thu, 27 Jun 2013 08:16:00 +0000 (10:16 +0200)]

stream: add a manager to dynamically register streams and services
Martin Willi [Wed, 26 Jun 2013 15:28:19 +0000 (17:28 +0200)]

stream: add a stream service class abstracting services using BSD sockets
Martin Willi [Wed, 26 Jun 2013 15:13:11 +0000 (17:13 +0200)]

stream: add a stream class abstracting BSD sockets
Martin Willi [Wed, 26 Jun 2013 15:03:19 +0000 (17:03 +0200)]

Currently only synchronous operation is supported, but this will be extended
with asynchronous methods using the new watcher.

watcher: add a centralized and generic facility to monitor file descriptors
Martin Willi [Mon, 24 Jun 2013 12:58:01 +0000 (14:58 +0200)]

kernel-pfkey: Fail route installation if remote TS matches peer
Tobias Brunner [Thu, 18 Jul 2013 13:41:36 +0000 (15:41 +0200)]

kernel-libipsec: Fail route installation if remote TS matches peer
Tobias Brunner [Thu, 18 Jul 2013 13:41:13 +0000 (15:41 +0200)]

capabilities: Some plugins don't actually require capabilities at runtime
Tobias Brunner [Mon, 8 Jul 2013 16:24:43 +0000 (18:24 +0200)]

capabilities: Add function to check if a capability is held, without keeping it
Tobias Brunner [Mon, 8 Jul 2013 15:48:16 +0000 (17:48 +0200)]

This can be useful if capabilities are not required anymore after
dropping privileges.

NEWS: leak-detective improvements
Martin Willi [Thu, 18 Jul 2013 13:13:49 +0000 (15:13 +0200)]

NEWS: add keychain plugin
Martin Willi [Thu, 18 Jul 2013 13:07:00 +0000 (15:07 +0200)]

autoconf: replace autogen.sh custom script with a call to autoreconf -i
Martin Willi [Thu, 18 Jul 2013 10:01:18 +0000 (12:01 +0200)]

automake: replace INCLUDES by AM_CPPFLAGS
Martin Willi [Wed, 17 Jul 2013 12:45:39 +0000 (14:45 +0200)]

INCLUDES are now deprecated and throw warnings when using automake 1.13.
We now also differentiate AM_CPPFLAGS and AM_CFLAGS, where includes and
defines are passed to AM_CPPFLAGS only.

autoconf: rename configure.in to configure.ac
Martin Willi [Wed, 17 Jul 2013 12:04:41 +0000 (14:04 +0200)]

configure.ac has been the recommended name for autoconf input for several
years now. Newer autotools start to complain about the configure.in, so we
finally change it.

eap-sim-pcsc: fix compiler warning
Martin Willi [Thu, 18 Jul 2013 12:55:05 +0000 (14:55 +0200)]

nm: omit deprecated g_type_init() when using >= GLIB 2.36
Martin Willi [Thu, 18 Jul 2013 12:21:17 +0000 (14:21 +0200)]

soup: omit deprecated g_type_init() when using >= GLIB 2.36
Martin Willi [Thu, 18 Jul 2013 12:19:37 +0000 (14:19 +0200)]