strongswan.git
5 years agohost: Add function to create two hosts from a range definition
Tobias Brunner [Tue, 28 Oct 2014 17:14:29 +0000 (18:14 +0100)]
host: Add function to create two hosts from a range definition

5 years agomem-pool: Add basic unit tests
Tobias Brunner [Fri, 24 Oct 2014 14:48:34 +0000 (16:48 +0200)]
mem-pool: Add basic unit tests

5 years agolibhydra: Add test runner
Tobias Brunner [Fri, 24 Oct 2014 14:47:26 +0000 (16:47 +0200)]
libhydra: Add test runner

5 years agomem-pool: Correctly ignore first and last addresses of subnets and adjust size
Tobias Brunner [Fri, 24 Oct 2014 13:40:09 +0000 (15:40 +0200)]
mem-pool: Correctly ignore first and last addresses of subnets and adjust size

Previously one more than the first and last address was ignored.
And if the base address is not the network ID of the subnet we
should not skip it.  But we should adjust the size as it does not
represent the actual number of IP addresses assignable.

5 years agoikev1: Don't inherit children if INITITAL_CONTACT was seen
Thomas Egerer [Thu, 9 Oct 2014 09:15:07 +0000 (11:15 +0200)]
ikev1: Don't inherit children if INITITAL_CONTACT was seen

Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
5 years agoikev1: Send INITIAL_CONTACT notify in Main Mode
Thomas Egerer [Thu, 9 Oct 2014 09:13:43 +0000 (11:13 +0200)]
ikev1: Send INITIAL_CONTACT notify in Main Mode

We currently send the notify in Main Mode only, as it is explicitly not allowed
by RFC 2407 to send (unprotected) notifications in Aggressive Mode. To make
that work, we'd need to handle that notify in Aggressive Mode, which could
allow a MitM to inject such notifies and do some harm.

Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
5 years agoMerge branch 'policy-constraints'
Martin Willi [Thu, 30 Oct 2014 10:42:04 +0000 (11:42 +0100)]
Merge branch 'policy-constraints'

Fixes handling of invalid policies in end entity certificates by not rejecting
the full certificate, but just invalidating the affected policy. Additionally
adds a bunch of unit tests for the constraints plugin, and some minor fixes
to the nameConstraints handling.

Currently we still reject CAs that use invalid policy mapping; we should accept
such certificates and just invalid affected policies in a next iteration.

Fixes #453.

5 years agopki: Print and document the name constraint type for DNS or email constraints
Martin Willi [Wed, 15 Oct 2014 10:33:17 +0000 (12:33 +0200)]
pki: Print and document the name constraint type for DNS or email constraints

As email constraints may be for a specific host, it is not clear from the
name itself if it is a DNS or email constraint.

5 years agoconstraints: Add permitted/excludedNameConstraints check
Martin Willi [Tue, 14 Oct 2014 14:29:28 +0000 (16:29 +0200)]
constraints: Add permitted/excludedNameConstraints check

5 years agoconstraints: Use a more specific FQDN/email name constraint matching
Martin Willi [Wed, 15 Oct 2014 10:10:54 +0000 (12:10 +0200)]
constraints: Use a more specific FQDN/email name constraint matching

While RFC 5280 is not very specific about the matching rules of subjectAltNames,
it has some examples how to match email and FQDN constraints. We try to follow
these examples, and restrict DNS names to subdomain matching and email to
full email, host or domain matching.

5 years agoconstraints: Add requireExplicitPolicy tests
Martin Willi [Tue, 14 Oct 2014 13:25:24 +0000 (15:25 +0200)]
constraints: Add requireExplicitPolicy tests

5 years agoconstraints: Add inhibitAnyPolicy tests
Martin Willi [Tue, 14 Oct 2014 13:00:22 +0000 (15:00 +0200)]
constraints: Add inhibitAnyPolicy tests

5 years agoconstraints: Add inhibitPolicyMapping tests
Martin Willi [Tue, 14 Oct 2014 12:56:46 +0000 (14:56 +0200)]
constraints: Add inhibitPolicyMapping tests

5 years agoconstraints: Don't reject certificates with invalid certificate policies
Martin Willi [Fri, 10 Oct 2014 14:33:56 +0000 (16:33 +0200)]
constraints: Don't reject certificates with invalid certificate policies

Instead of rejecting the certificate completely if a certificate has a policy
OID that is actually not allowed by the issuer CA, we accept it. However, the
certificate policy itself is still considered invalid, and is not returned
in the auth config resulting from trust chain operations.

A user must make sure to rely on the returned auth config certificate policies
instead of the policies contained in the certificate; even if the certificate
is valid, the policy OID itself in the certificate are not to be trusted
anymore.

5 years agoconstraints: Add certificate policy and policy mapping unit tests
Martin Willi [Fri, 10 Oct 2014 13:23:21 +0000 (15:23 +0200)]
constraints: Add certificate policy and policy mapping unit tests

5 years agoMerge branch 'id-type-prefix'
Martin Willi [Thu, 30 Oct 2014 10:21:22 +0000 (11:21 +0100)]
Merge branch 'id-type-prefix'

Introduce generic identity prefixes to enforce a specific type.

5 years agoNEWS: Mention identity prefixes
Martin Willi [Thu, 30 Oct 2014 10:21:01 +0000 (11:21 +0100)]
NEWS: Mention identity prefixes

5 years agoswanctl: Document identity type prefixes
Martin Willi [Wed, 29 Oct 2014 11:15:39 +0000 (12:15 +0100)]
swanctl: Document identity type prefixes

5 years agoman: Document identification type prefixes in ipsec.conf(5)
Martin Willi [Wed, 29 Oct 2014 11:06:04 +0000 (12:06 +0100)]
man: Document identification type prefixes in ipsec.conf(5)

5 years agoidentification: Support custom types in string constructor prefixes
Martin Willi [Wed, 29 Oct 2014 10:53:03 +0000 (11:53 +0100)]
identification: Support custom types in string constructor prefixes

5 years agoidentification: Support prefixes in string constructors for an explicit type
Martin Willi [Wed, 29 Oct 2014 10:18:35 +0000 (11:18 +0100)]
identification: Support prefixes in string constructors for an explicit type

5 years agounit-tests: Re-align identification_create_from_string() unit test table data
Martin Willi [Wed, 29 Oct 2014 10:12:38 +0000 (11:12 +0100)]
unit-tests: Re-align identification_create_from_string() unit test table data

5 years agothreading: Support rwlock try_write_lock() on Windows
Martin Willi [Wed, 22 Oct 2014 09:24:51 +0000 (11:24 +0200)]
threading: Support rwlock try_write_lock() on Windows

We explicitly avoided TryAcquireSRWLockExclusive() because of crashes. This
issue was caused by a MinGW-w64 bug (mingw-w64 fix 46f77afc). Using a newer
toolchain works fine.

While try_write_lock() obviously can fail, not supporting it is not really an
option, as some algorithms depend on occasionally successful calls. Certificate
caching in the certificate manager and the cred_set cache rely on successful
try_write_lock()ing.

5 years agothreading: Add a more explicit rwlock try_write_lock() testing
Martin Willi [Wed, 22 Oct 2014 09:23:49 +0000 (11:23 +0200)]
threading: Add a more explicit rwlock try_write_lock() testing

5 years agomessage: Include encrypted fragment payload in payload (order) rules
Tobias Brunner [Tue, 28 Oct 2014 15:42:06 +0000 (16:42 +0100)]
message: Include encrypted fragment payload in payload (order) rules

Otherwise fragmented CREATE_CHILD_SA exchanges won't get accepted
because they don't contain an SA payload.

It also prevents a warning when ordering payloads.

Fixes #752.

5 years agocert-cache: Prevent that a cached issuer is freed too early
Tobias Brunner [Fri, 24 Oct 2014 09:14:51 +0000 (11:14 +0200)]
cert-cache: Prevent that a cached issuer is freed too early

Previously we got no reference to the cached issuer certificate
before releasing the lock of the cache line, this allowed other
threads, or even the same thread if it replaces a cache line, to
destroy that issuer certificate in cache() (or flush()) before
get_ref() for the issuer certificate is finally called.

5 years agounit-tests: Fix internet checksum tests on big-endian systems
Tobias Brunner [Wed, 22 Oct 2014 17:43:22 +0000 (19:43 +0200)]
unit-tests: Fix internet checksum tests on big-endian systems

We actually need to do a byte-swap, which ntohs() only does on
little-endian systems.

Fixes #747.

5 years agochunk: Fix internet checksum calculation on big-endian systems
Tobias Brunner [Wed, 22 Oct 2014 17:41:40 +0000 (19:41 +0200)]
chunk: Fix internet checksum calculation on big-endian systems

ntohs() might be defined as noop (#define ntohs(x) (x)) so we have
to manually shorten the negated value (gets promoted to an int).

Fixes #747.

5 years agoupdown: Explicitly pass caller PATH to updown script
Martin Willi [Wed, 22 Oct 2014 12:50:09 +0000 (14:50 +0200)]
updown: Explicitly pass caller PATH to updown script

When invoking /bin/sh, its default PATH is used. On some systems, that does
not include the PATH where the ipsec script is installed, as charon is invoked
with a custom PATH. Explicitly setting the PATH of charon should fix this
case, properly invoking the (default) updown script.

Fixes #745.

5 years agoip-packet: Fix length in IPv6 header of generated packets
Tobias Brunner [Mon, 20 Oct 2014 13:32:01 +0000 (15:32 +0200)]
ip-packet: Fix length in IPv6 header of generated packets

5 years agoIncreased fragment size to 1400 in ipv6/net2net-ikev1 scenario 5.2.1
Andreas Steffen [Sat, 18 Oct 2014 12:05:53 +0000 (14:05 +0200)]
Increased fragment size to 1400 in ipv6/net2net-ikev1 scenario

5 years agoEnabled IKEv2 fragmentation in ipv6/net2net-ikev2 scenario
Andreas Steffen [Sat, 18 Oct 2014 12:05:18 +0000 (14:05 +0200)]
Enabled IKEv2 fragmentation in ipv6/net2net-ikev2 scenario

5 years agoVersion bump to 5.2.1
Andreas Steffen [Sat, 18 Oct 2014 10:12:17 +0000 (12:12 +0200)]
Version bump to 5.2.1

5 years agoRemove unneeded get_count() method
Andreas Steffen [Fri, 17 Oct 2014 15:59:43 +0000 (17:59 +0200)]
Remove unneeded get_count() method

5 years agoProcess TCG/PTS File Measurement attribute incrementally
Andreas Steffen [Fri, 17 Oct 2014 14:11:40 +0000 (16:11 +0200)]
Process TCG/PTS File Measurement attribute incrementally

5 years agoExempt TCG/SEG attributes from unsupported case statement
Andreas Steffen [Thu, 16 Oct 2014 11:38:51 +0000 (13:38 +0200)]
Exempt TCG/SEG attributes from unsupported case statement

5 years agoRequest IF-M segmentation contract for TCG/PTS subtype
Andreas Steffen [Thu, 16 Oct 2014 05:49:14 +0000 (07:49 +0200)]
Request IF-M segmentation contract for TCG/PTS subtype

5 years agotls: Fix an invalid free on CBC encryption failure
Martin Willi [Wed, 15 Oct 2014 12:26:03 +0000 (14:26 +0200)]
tls: Fix an invalid free on CBC encryption failure

5 years agotls: Fix a memory leak if AEAD encryption fails
Martin Willi [Wed, 15 Oct 2014 12:20:36 +0000 (14:20 +0200)]
tls: Fix a memory leak if AEAD encryption fails

5 years agotls: Check all bytes of the padding if they equal the padding length
Martin Willi [Wed, 15 Oct 2014 12:17:30 +0000 (14:17 +0200)]
tls: Check all bytes of the padding if they equal the padding length

5 years agoandroid: Fix PA-TNC construction based on data passed via JNI
Tobias Brunner [Mon, 13 Oct 2014 16:18:56 +0000 (18:18 +0200)]
android: Fix PA-TNC construction based on data passed via JNI

5 years agolibimcv: Add generic constructor for PA-TNC attributes
Tobias Brunner [Mon, 13 Oct 2014 16:17:30 +0000 (18:17 +0200)]
libimcv: Add generic constructor for PA-TNC attributes

5 years agobacktrace: Fix symbol lookup in dynamic symtab via libbfd
Tobias Brunner [Tue, 14 Oct 2014 15:26:48 +0000 (17:26 +0200)]
backtrace: Fix symbol lookup in dynamic symtab via libbfd

5 years agoswid-inventory: Remove unused variable end_of_tag
Tobias Brunner [Tue, 14 Oct 2014 15:10:59 +0000 (17:10 +0200)]
swid-inventory: Remove unused variable end_of_tag

5 years agoswanctl: Fix man page build on FreeBSD
Tobias Brunner [Tue, 14 Oct 2014 14:46:07 +0000 (16:46 +0200)]
swanctl: Fix man page build on FreeBSD

BSD make seems to only evaluate $< for certain rules (like the suffix rule
used to generate the config template).

5 years agothread: Test for pending cancellation requests before select()ing on OS X
Martin Willi [Tue, 14 Oct 2014 10:43:16 +0000 (12:43 +0200)]
thread: Test for pending cancellation requests before select()ing on OS X

This fixes some vici test cases on OS X, where the test thread tries to cancel
the watcher thread during cleanup, but fails as select() does not honor the
pre-issued cancellation request.

5 years agovici: Return default value for get_int() if message value is empty string
Martin Willi [Tue, 14 Oct 2014 10:13:32 +0000 (12:13 +0200)]
vici: Return default value for get_int() if message value is empty string

This is the behavior of some strtol() implementations, and it makes sense,
so force it.

5 years agoprocess: Don't use the shells built-in echo in tests
Martin Willi [Tue, 14 Oct 2014 09:57:06 +0000 (11:57 +0200)]
process: Don't use the shells built-in echo in tests

On OS X, the /bin/sh built-in echo does not support -n.

5 years agoprocess: Don't use absolute path names for true/false/cat in unit tests
Martin Willi [Tue, 14 Oct 2014 09:55:36 +0000 (11:55 +0200)]
process: Don't use absolute path names for true/false/cat in unit tests

But use the (builtin) shell commands instead, as on OS X true/false are under
/usr/bin.

5 years agokernel-pfroute: Check for RTM_IFANNOUNCE availability
Martin Willi [Tue, 14 Oct 2014 09:40:43 +0000 (11:40 +0200)]
kernel-pfroute: Check for RTM_IFANNOUNCE availability

This message is not available on OS X.

5 years agoprocess: Include missing <signal.h> for raise(3)
Martin Willi [Tue, 14 Oct 2014 09:40:03 +0000 (11:40 +0200)]
process: Include missing <signal.h> for raise(3)

Fixes OS X build.

5 years agoike: Add IKEv2 in description of fragment_size option in strongswan.conf
Tobias Brunner [Tue, 14 Oct 2014 13:35:08 +0000 (15:35 +0200)]
ike: Add IKEv2 in description of fragment_size option in strongswan.conf

5 years agoip-packet: Fix removal of TFC padding for IPv6
Tobias Brunner [Tue, 14 Oct 2014 12:05:48 +0000 (14:05 +0200)]
ip-packet: Fix removal of TFC padding for IPv6

The IPv6 length field denotes the payload length after the 40 bytes header.

Fixes: 293515f95cf5 ("libipsec: remove extra RFC4303 TFC padding appended to inner payload")

5 years agovici: Add vici.gemspec.in and vici.rb to distribution
Tobias Brunner [Tue, 14 Oct 2014 09:07:32 +0000 (11:07 +0200)]
vici: Add vici.gemspec.in and vici.rb to distribution

5 years agotravis: Build-test updown and ext-auth plugins for Windows
Martin Willi [Tue, 14 Oct 2014 09:11:34 +0000 (11:11 +0200)]
travis: Build-test updown and ext-auth plugins for Windows

5 years agoandroid: Implement get_contracts() method in IMC state object
Tobias Brunner [Tue, 14 Oct 2014 08:37:55 +0000 (10:37 +0200)]
android: Implement get_contracts() method in IMC state object

5 years agoandroid: libpts does not exist anymore, don't attempt to load it
Tobias Brunner [Tue, 14 Oct 2014 08:12:02 +0000 (10:12 +0200)]
android: libpts does not exist anymore, don't attempt to load it

5 years agoandroid: Update receive_message() to new imc_msg_t.receive() signature
Tobias Brunner [Mon, 13 Oct 2014 16:15:34 +0000 (18:15 +0200)]
android: Update receive_message() to new imc_msg_t.receive() signature

5 years agolibimcv: Add fallback if IPSEC_SCRIPT is not defined
Tobias Brunner [Mon, 13 Oct 2014 16:10:18 +0000 (18:10 +0200)]
libimcv: Add fallback if IPSEC_SCRIPT is not defined

This is the case on Android.

5 years agolibimcv: Updated Android.mk to latest Makefile.am
Tobias Brunner [Mon, 13 Oct 2014 15:59:47 +0000 (17:59 +0200)]
libimcv: Updated Android.mk to latest Makefile.am

5 years agoandroid: Remove references to libpts
Tobias Brunner [Mon, 13 Oct 2014 15:18:06 +0000 (17:18 +0200)]
android: Remove references to libpts

5 years agolibimcv: Remove reference to libpts
Tobias Brunner [Mon, 13 Oct 2014 15:17:45 +0000 (17:17 +0200)]
libimcv: Remove reference to libpts

5 years agolibimcv: Fix Doxygen comments after merging libpts into libimcv
Tobias Brunner [Mon, 13 Oct 2014 15:11:57 +0000 (17:11 +0200)]
libimcv: Fix Doxygen comments after merging libpts into libimcv

5 years agowatcher: Doxygen comment fixed
Tobias Brunner [Mon, 13 Oct 2014 14:56:30 +0000 (16:56 +0200)]
watcher: Doxygen comment fixed

5 years agocharon-systemd: Typo in log message fixed
Tobias Brunner [Mon, 13 Oct 2014 14:51:20 +0000 (16:51 +0200)]
charon-systemd: Typo in log message fixed

5 years agolibimcv: Fix harcoded IMCV_DEFAULT_POLICY_SCRIPT name
Avesh Agarwal [Mon, 13 Oct 2014 14:15:33 +0000 (16:15 +0200)]
libimcv: Fix harcoded IMCV_DEFAULT_POLICY_SCRIPT name

I came across an issue with src/libimcv/imcv.c where
IMCV_DEFAULT_POLICY_SCRIPT is hardcoded.

It fails where ipsec_script is renamed to, for example, strongswan from
default ipsec.

5 years agotesting: Enable nat table for iptables on 3.17 kernels
Tobias Brunner [Mon, 13 Oct 2014 13:48:55 +0000 (15:48 +0200)]
testing: Enable nat table for iptables on 3.17 kernels

5 years agoike: Do remote address updates also when behind static NATs
Tobias Brunner [Fri, 10 Oct 2014 10:55:39 +0000 (12:55 +0200)]
ike: Do remote address updates also when behind static NATs

We assume that a responder is behind a static NAT (e.g. port forwarding)
and allow remote address updates in such situations.

The problem described in RFC 5996 is only an issue if the NAT mapping
can expire.

5 years agoike: Remove redundant check for local NAT when handling changed NAT mappings
Tobias Brunner [Fri, 10 Oct 2014 10:44:15 +0000 (12:44 +0200)]
ike: Remove redundant check for local NAT when handling changed NAT mappings

5 years agotesting: Lower batch size to demonstrated segmetation of TCG/SWID Tag ID Inventory... 5.2.1rc1
Andreas Steffen [Sat, 11 Oct 2014 13:01:21 +0000 (15:01 +0200)]
testing: Lower batch size to demonstrated segmetation of TCG/SWID Tag ID Inventory attribute

5 years agoSupport of multiple directed segmentation contracts
Andreas Steffen [Sat, 11 Oct 2014 12:49:23 +0000 (14:49 +0200)]
Support of multiple directed segmentation contracts

5 years agounit-tests: Updated Makefile
Andreas Steffen [Sat, 11 Oct 2014 12:48:38 +0000 (14:48 +0200)]
unit-tests: Updated Makefile

5 years agounit-tests: Added test for seg_contract_manager
Andreas Steffen [Sat, 11 Oct 2014 12:47:36 +0000 (14:47 +0200)]
unit-tests: Added test for seg_contract_manager

5 years agoAdded KVM config for 3.16 and 3.17 kernels
Andreas Steffen [Sat, 11 Oct 2014 12:46:38 +0000 (14:46 +0200)]
Added KVM config for 3.16 and 3.17 kernels

5 years agoUpdated build-database.sh script to 3.13.0-37 kernel
Andreas Steffen [Sat, 11 Oct 2014 09:40:32 +0000 (11:40 +0200)]
Updated build-database.sh script to 3.13.0-37 kernel

5 years agotesting: Ensure no guest is running when modifying images
Tobias Brunner [Fri, 10 Oct 2014 16:37:13 +0000 (18:37 +0200)]
testing: Ensure no guest is running when modifying images

Sometimes guests are not stopped properly. If images are then modified
they will be corrupted.

5 years agotesting: Enable virtio console for guests
Tobias Brunner [Fri, 10 Oct 2014 15:37:41 +0000 (17:37 +0200)]
testing: Enable virtio console for guests

This allows accessing the guests with `virsh console <name>`.

Using a serial console would also be possible but our kernel configs
have no serial drivers enabled, CONFIG_VIRTIO_CONSOLE is enabled though.
So to avoid having to recompile the kernels let's do it this way, only
requires rebuilding the guest images.

References #729.

5 years agoMerge branch 'vici-ruby'
Martin Willi [Fri, 10 Oct 2014 09:42:28 +0000 (11:42 +0200)]
Merge branch 'vici-ruby'

Adds a ruby gem for the VICI protocol, along with some documentation
improvements and some minor fixes to vici and swanctl.

5 years agoNEWS: Introduce the vici ruby gem
Martin Willi [Fri, 10 Oct 2014 09:03:47 +0000 (11:03 +0200)]
NEWS: Introduce the vici ruby gem

5 years agoswanctl: Fix exit codes based on errno
Martin Willi [Thu, 9 Oct 2014 14:48:29 +0000 (16:48 +0200)]
swanctl: Fix exit codes based on errno

As fprintf() most likely sets errno, we should save it before printing the
error message.

5 years agovici: Cancel processor before calling library_deinit()
Martin Willi [Thu, 9 Oct 2014 14:15:29 +0000 (16:15 +0200)]
vici: Cancel processor before calling library_deinit()

For non-direct libstrongswan users, the deinitialization segfaults because
of the missing worker thread cancellation.

5 years agovici: Reduce debug level during thread spawning
Martin Willi [Thu, 9 Oct 2014 14:14:38 +0000 (16:14 +0200)]
vici: Reduce debug level during thread spawning

We want to avoid libvici users to get a cluttered stderr for no real error.

5 years agovici: Don't include-depend on libstrongswan for boolean types
Martin Willi [Thu, 9 Oct 2014 14:11:29 +0000 (16:11 +0200)]
vici: Don't include-depend on libstrongswan for boolean types

As we want to avoid the libstrongswan include dependencies for libvici, avoid
the use of the bool type. Unfortunately this change may break the ABI for
vici_dump(). As this function is mostly for debugging purposes, we do it
nonetheless; my apologies if somebody already relies on the ABI stability of
that function.

5 years agovici: Document the ruby gem and add some simple examples
Martin Willi [Thu, 9 Oct 2014 15:22:08 +0000 (17:22 +0200)]
vici: Document the ruby gem and add some simple examples

5 years agovici: Add some simple libvici examples to the README
Martin Willi [Thu, 9 Oct 2014 14:42:01 +0000 (16:42 +0200)]
vici: Add some simple libvici examples to the README

5 years agovici: Document the available vici command and event messages
Martin Willi [Wed, 8 Oct 2014 16:13:31 +0000 (18:13 +0200)]
vici: Document the available vici command and event messages

5 years agovici: Use "gem"-assisted vici ruby gem building and installation
Martin Willi [Wed, 8 Oct 2014 11:46:22 +0000 (13:46 +0200)]
vici: Use "gem"-assisted vici ruby gem building and installation

5 years agoconfigure: Add global --enable-ruby-gems and --with-rubygemdir options
Martin Willi [Wed, 8 Oct 2014 11:44:44 +0000 (13:44 +0200)]
configure: Add global --enable-ruby-gems and --with-rubygemdir options

This provides the options to build and install ruby gems for components
providing them, such as vici.

5 years agovici: Add a ruby gem providing a native vici interface
Martin Willi [Wed, 1 Oct 2014 13:59:43 +0000 (15:59 +0200)]
vici: Add a ruby gem providing a native vici interface

5 years agovici: Return a success result for the clear-creds command
Martin Willi [Mon, 6 Oct 2014 16:13:39 +0000 (18:13 +0200)]
vici: Return a success result for the clear-creds command

Even if the command actually can't fail, this looks more aligned to similar
commands.

5 years agovici: Fix message encoding type values in documentation
Martin Willi [Tue, 30 Sep 2014 16:43:20 +0000 (18:43 +0200)]
vici: Fix message encoding type values in documentation

5 years agoikev1: Add fragmentation support for Windows peers
Volker RĂ¼melin [Thu, 25 Sep 2014 07:18:17 +0000 (09:18 +0200)]
ikev1: Add fragmentation support for Windows peers

I still think ipsec/l2tp with fragmentation support is a useful
fallback option in case the Windows IKEv2 connection fails because
of fragmentation problems.

Tested with Windows XP, 7 and 8.1.

5 years agoeap-radius: Add option to set interval for interim accounting updates
Tobias Brunner [Thu, 9 Oct 2014 08:10:23 +0000 (10:10 +0200)]
eap-radius: Add option to set interval for interim accounting updates

Any interval returned by the RADIUS server in the Access-Accept message
overrides the configured interval.  But it might be useful if RADIUS is
only used for accounting.

5 years agoNEWS: IKEv2 fragmentation mentioned
Tobias Brunner [Fri, 10 Oct 2014 07:48:06 +0000 (09:48 +0200)]
NEWS: IKEv2 fragmentation mentioned

5 years agoMerge branch 'ikev2-fragmentation'
Tobias Brunner [Fri, 10 Oct 2014 07:35:27 +0000 (09:35 +0200)]
Merge branch 'ikev2-fragmentation'

This adds support for IKEv2 fragmentation as per RFC 7383.

5 years agotesting: Add ikev2/net2net-fragmentation scenario
Tobias Brunner [Tue, 16 Sep 2014 14:52:23 +0000 (16:52 +0200)]
testing: Add ikev2/net2net-fragmentation scenario

5 years agotesting: Update ikev1/net2net-fragmentation scenario
Tobias Brunner [Tue, 16 Sep 2014 14:51:58 +0000 (16:51 +0200)]
testing: Update ikev1/net2net-fragmentation scenario

5 years agomessage: Limit maximum number of IKEv2 fragments
Tobias Brunner [Tue, 16 Sep 2014 13:51:21 +0000 (15:51 +0200)]
message: Limit maximum number of IKEv2 fragments

The maximum for IKEv1 is already 255 due to the 8-bit fragment number.

With an overhead of 17 bytes (x64) per fragment and a default maximum
of 10000 bytes per packet the maximum memory required is 14 kB
for a fragmented message.

5 years agopacket: Define a global default maximum size for IKE packets
Tobias Brunner [Tue, 16 Sep 2014 13:38:38 +0000 (15:38 +0200)]
packet: Define a global default maximum size for IKE packets

5 years agomessage: Ensure a minimum fragment length
Tobias Brunner [Mon, 15 Sep 2014 15:51:22 +0000 (17:51 +0200)]
message: Ensure a minimum fragment length