Tobias Brunner [Tue, 11 Nov 2014 17:50:26 +0000 (18:50 +0100)]
mem-pool: Fix potential memory leak and lost leases when reassigning leases

If no offline leases are available for the current client and assigning online
leases is disabled, and if all IPs of the pool have already been assigned to
clients we look for offline leases that previously were assigned to other

In case the current client has online leases the previous code would
replace the existing mapping entry and besides resulting in a memory leak
the online leases would be lost forever (even if the client later releases
the addresses).  If this happens repeatedly the number of available addresses
would decrease even though the total number of online and offline leases seen
in `ipsec leases` would indicate that there are free addresses available.

Fixes #764.

Tobias Brunner [Thu, 6 Nov 2014 16:16:27 +0000 (17:16 +0100)]
android: New release based on 5.2.1 and after adding EAP-TLS

Also enables support for IKEv2 fragmentation, provides improved MOBIKE
handling and optionally enables PFS for CHILD_SAs.

Tobias Brunner [Thu, 6 Nov 2014 16:11:55 +0000 (17:11 +0100)]
android: Build binaries for MIPS

Tobias Brunner [Thu, 6 Nov 2014 16:05:47 +0000 (17:05 +0100)]
android: Increase fragment size

We use the same value we use as MTU on TUN devices.

Tobias Brunner [Thu, 6 Nov 2014 15:56:54 +0000 (16:56 +0100)]
android: Enable IKEv2 fragmentation

Tobias Brunner [Thu, 6 Nov 2014 15:33:01 +0000 (16:33 +0100)]
Merge branch 'android-eap-tls'

This adds support for EAP-TLS authentication on Android.

EAP-only authentication is currently not allowed because the AAA identity
is not configurable, so to prevent anyone with a valid certificate from
impersonating the AAA server and thus the gateway, we authenticate the
gateway (like we do with other authentication methods).
Also, it's currently not possible to select a specific CA certificate to
authenticate the AAA server certificate, so it either must be issued by the
same CA as that of the gateway or automatic CA certificate selection must
be used.

Tobias Brunner [Tue, 21 Oct 2014 16:28:24 +0000 (18:28 +0200)]
android: Use %any as AAA identity, but disable EAP-only authentication

Without verification of the identity we can't prevent a malicious user
with a valid certificate from impersonating the AAA server and thus the
VPN gateway.  So unless we make the AAA identity configurable we have to
prevent EAP-only authentication.

Tobias Brunner [Tue, 21 Oct 2014 16:03:49 +0000 (18:03 +0200)]
android: Add support for signature schemes used by EAP-TLS

Tobias Brunner [Wed, 10 Sep 2014 14:54:12 +0000 (16:54 +0200)]
android: Allow enumeration of untrusted certificates

Tobias Brunner [Wed, 10 Sep 2014 09:35:04 +0000 (11:35 +0200)]
android: Handle EAP-TLS in Android service

Tobias Brunner [Wed, 10 Sep 2014 09:33:39 +0000 (11:33 +0200)]
android: Enable EAP-TLS plugin in the app

Tobias Brunner [Wed, 10 Sep 2014 09:28:48 +0000 (11:28 +0200)]
android: Add EAP-TLS VPN type to the GUI

Tobias Brunner [Wed, 10 Sep 2014 09:25:03 +0000 (11:25 +0200)]
android: Change how features of VPN types are stored and checked

Reto Buerki [Thu, 30 Oct 2014 16:43:01 +0000 (17:43 +0100)]
testing: Update tkm/multiple-clients/evaltest.dat

Since the CC context is now properly reset in the bus listener plugin,
the second connection from host dave re-uses the first CC ID. Adjust
the expect string on gateway sun accordingly.

Reto Buerki [Thu, 30 Oct 2014 15:16:40 +0000 (16:16 +0100)]
charon-tkm: Properly reset CC context in listener

Make sure that the acquired CC context is correctly reset and the
associated ID released in the authorize() function of the TKM bus

Reto Buerki [Thu, 30 Oct 2014 14:39:43 +0000 (15:39 +0100)]
charon-tkm: Add missing comma to enum

Add missing comma to tkm_context_kind_names enum definition.

Tobias Brunner [Fri, 31 Oct 2014 09:09:54 +0000 (10:09 +0100)]
proposal: Add default PRF for HMAC-MD5-128 and HMAC-SHA1-160 integrity algorithms

Tobias Brunner [Thu, 30 Oct 2014 14:04:31 +0000 (15:04 +0100)]
Merge branch 'mem-pool-range'

Adds support to configure address pools as ranges (from-to) in
ipsec.conf and swanctl.conf.

The first and last addresses in subnet based pools are now skipped
properly and the pools' sizes are adjusted accordingly.  Which is also
the case if pools are configured with an offset, e.g.,
which reduces the number of available addresses from 254 to 155, and
assignment now starts at .100 not .101, i.e. .100-.254 are assignable
to clients.

References #744.

Tobias Brunner [Thu, 30 Oct 2014 11:32:16 +0000 (12:32 +0100)]
host: Ignore spaces around - when parsing ranges

Tobias Brunner [Tue, 28 Oct 2014 17:23:10 +0000 (18:23 +0100)]
ike-cfg: Use host_create_from_range() helper

Tobias Brunner [Mon, 27 Oct 2014 14:50:25 +0000 (15:50 +0100)]
vici: Add support for address range definitions of pools

Tobias Brunner [Mon, 27 Oct 2014 14:31:46 +0000 (15:31 +0100)]
stroke: Add support for address range definitions of in-memory pools

Tobias Brunner [Tue, 28 Oct 2014 17:14:29 +0000 (18:14 +0100)]
host: Add function to create two hosts from a range definition

Tobias Brunner [Fri, 24 Oct 2014 14:48:34 +0000 (16:48 +0200)]
mem-pool: Add basic unit tests

Tobias Brunner [Fri, 24 Oct 2014 14:47:26 +0000 (16:47 +0200)]
libhydra: Add test runner

Tobias Brunner [Fri, 24 Oct 2014 13:40:09 +0000 (15:40 +0200)]
mem-pool: Correctly ignore first and last addresses of subnets and adjust size

Previously one more than the first and last address was ignored.
And if the base address is not the network ID of the subnet we
should not skip it.  But we should adjust the size as it does not
represent the actual number of IP addresses assignable.

Thomas Egerer [Thu, 9 Oct 2014 09:15:07 +0000 (11:15 +0200)]
ikev1: Don't inherit children if INITIAL_CONTACT was seen

Signed-off-by: Thomas Egerer <>

Thomas Egerer [Thu, 9 Oct 2014 09:13:43 +0000 (11:13 +0200)]
ikev1: Send INITIAL_CONTACT notify in Main Mode

We currently send the notify in Main Mode only, as it is explicitly not allowed
by RFC 2407 to send (unprotected) notifications in Aggressive Mode. To make
that work, we'd need to handle that notify in Aggressive Mode, which could
allow a MitM to inject such notifies and do some harm.

Signed-off-by: Thomas Egerer <>

Martin Willi [Thu, 30 Oct 2014 10:42:04 +0000 (11:42 +0100)]
Merge branch 'policy-constraints'

Fixes handling of invalid policies in end entity certificates by not rejecting
the full certificate, but just invalidating the affected policy. Additionally
adds a bunch of unit tests for the constraints plugin, and some minor fixes
to the nameConstraints handling.

Currently we still reject CAs that use invalid policy mapping; we should accept
such certificates and just invalidate the affected policies in a next iteration.

Fixes #453.

Martin Willi [Wed, 15 Oct 2014 10:33:17 +0000 (12:33 +0200)]
pki: Print and document the name constraint type for DNS or email constraints

As email constraints may be for a specific host, it is not clear from the
name itself if it is a DNS or email constraint.

Martin Willi [Tue, 14 Oct 2014 14:29:28 +0000 (16:29 +0200)]
constraints: Add permitted/excludedNameConstraints check

Martin Willi [Wed, 15 Oct 2014 10:10:54 +0000 (12:10 +0200)]
constraints: Use a more specific FQDN/email name constraint matching

While RFC 5280 is not very specific about the matching rules of subjectAltNames,
it has some examples of how to match email and FQDN constraints. We try to follow
these examples, and restrict DNS names to subdomain matching and email to
full email, host or domain matching.

Martin Willi [Tue, 14 Oct 2014 13:25:24 +0000 (15:25 +0200)]
constraints: Add requireExplicitPolicy tests

Martin Willi [Tue, 14 Oct 2014 13:00:22 +0000 (15:00 +0200)]
constraints: Add inhibitAnyPolicy tests

Martin Willi [Tue, 14 Oct 2014 12:56:46 +0000 (14:56 +0200)]
constraints: Add inhibitPolicyMapping tests

Martin Willi [Fri, 10 Oct 2014 14:33:56 +0000 (16:33 +0200)]
constraints: Don't reject certificates with invalid certificate policies

Instead of rejecting the certificate completely if a certificate has a policy
OID that is actually not allowed by the issuer CA, we accept it. However, the
certificate policy itself is still considered invalid, and is not returned
in the auth config resulting from trust chain operations.

A user must make sure to rely on the returned auth config certificate policies
instead of the policies contained in the certificate; even if the certificate
is valid, the policy OIDs in the certificate itself are not to be trusted.

Martin Willi [Fri, 10 Oct 2014 13:23:21 +0000 (15:23 +0200)]
constraints: Add certificate policy and policy mapping unit tests

Martin Willi [Thu, 30 Oct 2014 10:21:22 +0000 (11:21 +0100)]
Merge branch 'id-type-prefix'

Introduce generic identity prefixes to enforce a specific type.

Martin Willi [Thu, 30 Oct 2014 10:21:01 +0000 (11:21 +0100)]
NEWS: Mention identity prefixes

Martin Willi [Wed, 29 Oct 2014 11:15:39 +0000 (12:15 +0100)]
swanctl: Document identity type prefixes

Martin Willi [Wed, 29 Oct 2014 11:06:04 +0000 (12:06 +0100)]
man: Document identification type prefixes in ipsec.conf(5)

Martin Willi [Wed, 29 Oct 2014 10:53:03 +0000 (11:53 +0100)]
identification: Support custom types in string constructor prefixes

Martin Willi [Wed, 29 Oct 2014 10:18:35 +0000 (11:18 +0100)]
identification: Support prefixes in string constructors for an explicit type

Martin Willi [Wed, 29 Oct 2014 10:12:38 +0000 (11:12 +0100)]
unit-tests: Re-align identification_create_from_string() unit test table data

Martin Willi [Wed, 22 Oct 2014 09:24:51 +0000 (11:24 +0200)]
threading: Support rwlock try_write_lock() on Windows

We explicitly avoided TryAcquireSRWLockExclusive() because of crashes. This
issue was caused by a MinGW-w64 bug (mingw-w64 fix 46f77afc). Using a newer
toolchain works fine.

While try_write_lock() obviously can fail, not supporting it is not really an
option, as some algorithms depend on occasionally successful calls. Certificate
caching in the certificate manager and the cred_set cache rely on successful

Martin Willi [Wed, 22 Oct 2014 09:23:49 +0000 (11:23 +0200)]
threading: Add a more explicit rwlock try_write_lock() testing

Tobias Brunner [Tue, 28 Oct 2014 15:42:06 +0000 (16:42 +0100)]
message: Include encrypted fragment payload in payload (order) rules

Otherwise fragmented CREATE_CHILD_SA exchanges won't get accepted
because they don't contain an SA payload.

It also prevents a warning when ordering payloads.

Fixes #752.

Tobias Brunner [Fri, 24 Oct 2014 09:14:51 +0000 (11:14 +0200)]
cert-cache: Prevent that a cached issuer is freed too early

Previously we got no reference to the cached issuer certificate
before releasing the lock of the cache line. This allowed other
threads, or even the same thread if it replaces a cache line, to
destroy that issuer certificate in cache() (or flush()) before
get_ref() for the issuer certificate is finally called.

Tobias Brunner [Wed, 22 Oct 2014 17:43:22 +0000 (19:43 +0200)]
unit-tests: Fix internet checksum tests on big-endian systems

We actually need to do a byte-swap, which ntohs() only does on
little-endian systems.

Fixes #747.

Tobias Brunner [Wed, 22 Oct 2014 17:41:40 +0000 (19:41 +0200)]
chunk: Fix internet checksum calculation on big-endian systems

ntohs() might be defined as noop (#define ntohs(x) (x)) so we have
to manually shorten the negated value (gets promoted to an int).

Fixes #747.
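
The promotion trap the two #747 commits describe, as an added C illustration that is not strongSwan's chunk code: negating a uint16_t sum yields an int, which a no-op ntohs() passes through with its upper bits set, shown beside the explicitly truncated form. NOOP_NTOHS stands in for such a big-endian platform, and the sample words are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for a platform where ntohs() is the identity macro (a
 * big-endian host); unlike a byte-swapping ntohs() returning uint16_t,
 * it does not truncate its argument back to 16 bits. */
#define NOOP_NTOHS(x) (x)

/* Constructed sample: four 16-bit words in network byte order. */
static const uint8_t sample_words[8] = {
	0x00, 0x01, 0xf2, 0x03, 0xf4, 0xf5, 0xf6, 0xf7
};

/* One's complement sum of big-endian 16-bit words (RFC 1071 style)
 * with end-around carry folding; an odd trailing byte is padded with
 * a zero low byte. Returns the folded sum, not yet negated. */
static uint16_t ones_complement_sum(const uint8_t *data, size_t len)
{
	uint32_t sum = 0;
	size_t i;

	for (i = 0; i + 1 < len; i += 2)
	{
		sum += ((uint32_t)data[i] << 8) | data[i + 1];
	}
	if (len & 1)
	{
		sum += (uint32_t)data[len - 1] << 8;
	}
	while (sum >> 16)
	{
		sum = (sum & 0xffff) + (sum >> 16);
	}
	return (uint16_t)sum;
}

/* Defective form: ~sum promotes the uint16_t to int, so the upper 16
 * bits come back set and the caller receives a negative int. */
static int checksum_promoted(const uint8_t *data, size_t len)
{
	uint16_t sum = ones_complement_sum(data, len);

	return NOOP_NTOHS(~sum);
}

/* Corrected form: truncate the negated value explicitly, so the result
 * is a 16-bit checksum however ntohs() happens to be defined. */
static uint16_t checksum_fixed(const uint8_t *data, size_t len)
{
	uint16_t sum = ones_complement_sum(data, len);

	return NOOP_NTOHS((uint16_t)~sum);
}

/* Receiver-side check: data summed together with its checksum must
 * give 0xffff (all ones) if the checksum is intact. */
static int checksum_valid(const uint8_t *data, size_t len, uint16_t checksum)
{
	uint32_t sum = ones_complement_sum(data, len) + checksum;

	while (sum >> 16)
	{
		sum = (sum & 0xffff) + (sum >> 16);
	}
	return sum == 0xffff;
}

int main(void)
{
	uint16_t fixed = checksum_fixed(sample_words, sizeof(sample_words));
	int promoted = checksum_promoted(sample_words, sizeof(sample_words));

	printf("promoted: %d (0x%x)\n", promoted, (unsigned)promoted);
	printf("fixed:    0x%04x valid=%d\n", fixed,
		   checksum_valid(sample_words, sizeof(sample_words), fixed));
	return 0;
}
```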

Martin Willi [Wed, 22 Oct 2014 12:50:09 +0000 (14:50 +0200)]
updown: Explicitly pass caller PATH to updown script

When invoking /bin/sh, its default PATH is used. On some systems, that does
not include the PATH where the ipsec script is installed, as charon is invoked
with a custom PATH. Explicitly setting the PATH of charon should fix this
case, properly invoking the (default) updown script.

Fixes #745.

Tobias Brunner [Mon, 20 Oct 2014 13:32:01 +0000 (15:32 +0200)]
ip-packet: Fix length in IPv6 header of generated packets

Tag: 5.2.1
Andreas Steffen [Sat, 18 Oct 2014 12:05:53 +0000 (14:05 +0200)]
Increased fragment size to 1400 in ipv6/net2net-ikev1 scenario

Andreas Steffen [Sat, 18 Oct 2014 12:05:18 +0000 (14:05 +0200)]
Enabled IKEv2 fragmentation in ipv6/net2net-ikev2 scenario

Andreas Steffen [Sat, 18 Oct 2014 10:12:17 +0000 (12:12 +0200)]
Version bump to 5.2.1

Andreas Steffen [Fri, 17 Oct 2014 15:59:43 +0000 (17:59 +0200)]
Remove unneeded get_count() method

Andreas Steffen [Fri, 17 Oct 2014 14:11:40 +0000 (16:11 +0200)]
Process TCG/PTS File Measurement attribute incrementally

Andreas Steffen [Thu, 16 Oct 2014 11:38:51 +0000 (13:38 +0200)]
Exempt TCG/SEG attributes from unsupported case statement

Andreas Steffen [Thu, 16 Oct 2014 05:49:14 +0000 (07:49 +0200)]
Request IF-M segmentation contract for TCG/PTS subtype

Martin Willi [Wed, 15 Oct 2014 12:26:03 +0000 (14:26 +0200)]
tls: Fix an invalid free on CBC encryption failure

Martin Willi [Wed, 15 Oct 2014 12:20:36 +0000 (14:20 +0200)]
tls: Fix a memory leak if AEAD encryption fails

Martin Willi [Wed, 15 Oct 2014 12:17:30 +0000 (14:17 +0200)]
tls: Check all bytes of the padding if they equal the padding length

Tobias Brunner [Mon, 13 Oct 2014 16:18:56 +0000 (18:18 +0200)]
android: Fix PA-TNC construction based on data passed via JNI

Tobias Brunner [Mon, 13 Oct 2014 16:17:30 +0000 (18:17 +0200)]
libimcv: Add generic constructor for PA-TNC attributes

Tobias Brunner [Tue, 14 Oct 2014 15:26:48 +0000 (17:26 +0200)]
backtrace: Fix symbol lookup in dynamic symtab via libbfd

Tobias Brunner [Tue, 14 Oct 2014 15:10:59 +0000 (17:10 +0200)]
swid-inventory: Remove unused variable end_of_tag

Tobias Brunner [Tue, 14 Oct 2014 14:46:07 +0000 (16:46 +0200)]
swanctl: Fix man page build on FreeBSD

BSD make seems to only evaluate $< for certain rules (like the suffix rule
used to generate the config template).

Martin Willi [Tue, 14 Oct 2014 10:43:16 +0000 (12:43 +0200)]
thread: Test for pending cancellation requests before select()ing on OS X

This fixes some vici test cases on OS X, where the test thread tries to cancel
the watcher thread during cleanup, but fails as select() does not honor the
pre-issued cancellation request.

Martin Willi [Tue, 14 Oct 2014 10:13:32 +0000 (12:13 +0200)]
vici: Return default value for get_int() if message value is empty string

This is the behavior of some strtol() implementations, and it makes sense,
so force it.

Martin Willi [Tue, 14 Oct 2014 09:57:06 +0000 (11:57 +0200)]
process: Don't use the shell's built-in echo in tests

On OS X, the /bin/sh built-in echo does not support -n.

Martin Willi [Tue, 14 Oct 2014 09:55:36 +0000 (11:55 +0200)]
process: Don't use absolute path names for true/false/cat in unit tests

But use the (builtin) shell commands instead, as on OS X true/false are under

Martin Willi [Tue, 14 Oct 2014 09:40:43 +0000 (11:40 +0200)]
kernel-pfroute: Check for RTM_IFANNOUNCE availability

This message is not available on OS X.

Martin Willi [Tue, 14 Oct 2014 09:40:03 +0000 (11:40 +0200)]
process: Include missing <signal.h> for raise(3)

Fixes OS X build.

Tobias Brunner [Tue, 14 Oct 2014 13:35:08 +0000 (15:35 +0200)]
ike: Add IKEv2 in description of fragment_size option in strongswan.conf

Tobias Brunner [Tue, 14 Oct 2014 12:05:48 +0000 (14:05 +0200)]
ip-packet: Fix removal of TFC padding for IPv6

The IPv6 length field denotes the payload length after the 40 bytes header.

Fixes: 293515f95cf5 ("libipsec: remove extra RFC4303 TFC padding appended to inner payload")

Tobias Brunner [Tue, 14 Oct 2014 09:07:32 +0000 (11:07 +0200)]
vici: Add and vici.rb to distribution

Martin Willi [Tue, 14 Oct 2014 09:11:34 +0000 (11:11 +0200)]
travis: Build-test updown and ext-auth plugins for Windows

Tobias Brunner [Tue, 14 Oct 2014 08:37:55 +0000 (10:37 +0200)]
android: Implement get_contracts() method in IMC state object

Tobias Brunner [Tue, 14 Oct 2014 08:12:02 +0000 (10:12 +0200)]
android: libpts does not exist anymore, don't attempt to load it

Tobias Brunner [Mon, 13 Oct 2014 16:15:34 +0000 (18:15 +0200)]
android: Update receive_message() to new imc_msg_t.receive() signature

Tobias Brunner [Mon, 13 Oct 2014 16:10:18 +0000 (18:10 +0200)]
libimcv: Add fallback if IPSEC_SCRIPT is not defined

This is the case on Android.

Tobias Brunner [Mon, 13 Oct 2014 15:59:47 +0000 (17:59 +0200)]
libimcv: Updated to latest

Tobias Brunner [Mon, 13 Oct 2014 15:18:06 +0000 (17:18 +0200)]
android: Remove references to libpts

Tobias Brunner [Mon, 13 Oct 2014 15:17:45 +0000 (17:17 +0200)]
libimcv: Remove reference to libpts

Tobias Brunner [Mon, 13 Oct 2014 15:11:57 +0000 (17:11 +0200)]
libimcv: Fix Doxygen comments after merging libpts into libimcv

Tobias Brunner [Mon, 13 Oct 2014 14:56:30 +0000 (16:56 +0200)]
watcher: Doxygen comment fixed

Tobias Brunner [Mon, 13 Oct 2014 14:51:20 +0000 (16:51 +0200)]
charon-systemd: Typo in log message fixed

Avesh Agarwal [Mon, 13 Oct 2014 14:15:33 +0000 (16:15 +0200)]
libimcv: Fix hardcoded IMCV_DEFAULT_POLICY_SCRIPT name

I came across an issue with src/libimcv/imcv.c where

It fails where ipsec_script is renamed to, for example, strongswan from
default ipsec.

Tobias Brunner [Mon, 13 Oct 2014 13:48:55 +0000 (15:48 +0200)]
testing: Enable nat table for iptables on 3.17 kernels

Tobias Brunner [Fri, 10 Oct 2014 10:55:39 +0000 (12:55 +0200)]
ike: Do remote address updates also when behind static NATs

We assume that a responder is behind a static NAT (e.g. port forwarding)
and allow remote address updates in such situations.

The problem described in RFC 5996 is only an issue if the NAT mapping
can expire.

Tobias Brunner [Fri, 10 Oct 2014 10:44:15 +0000 (12:44 +0200)]
ike: Remove redundant check for local NAT when handling changed NAT mappings

Tag: 5.2.1rc1
Andreas Steffen [Sat, 11 Oct 2014 13:01:21 +0000 (15:01 +0200)]
testing: Lower batch size to demonstrate segmentation of TCG/SWID Tag ID Inventory attribute

Andreas Steffen [Sat, 11 Oct 2014 12:49:23 +0000 (14:49 +0200)]
Support of multiple directed segmentation contracts

Andreas Steffen [Sat, 11 Oct 2014 12:48:38 +0000 (14:48 +0200)]
unit-tests: Updated Makefile

Andreas Steffen [Sat, 11 Oct 2014 12:47:36 +0000 (14:47 +0200)]
unit-tests: Added test for seg_contract_manager

Andreas Steffen [Sat, 11 Oct 2014 12:46:38 +0000 (14:46 +0200)]
Added KVM config for 3.16 and 3.17 kernels

Andreas Steffen [Sat, 11 Oct 2014 09:40:32 +0000 (11:40 +0200)]
Updated script to 3.13.0-37 kernel

Tobias Brunner [Fri, 10 Oct 2014 16:37:13 +0000 (18:37 +0200)]
testing: Ensure no guest is running when modifying images

Sometimes guests are not stopped properly. If images are then modified
they will be corrupted.

Tobias Brunner [Fri, 10 Oct 2014 15:37:41 +0000 (17:37 +0200)]
testing: Enable virtio console for guests

This allows accessing the guests with `virsh console <name>`.

Using a serial console would also be possible but our kernel configs
have no serial drivers enabled; CONFIG_VIRTIO_CONSOLE is enabled though.
So to avoid having to recompile the kernels let's do it this way, which
only requires rebuilding the guest images.

References #729.

Martin Willi [Fri, 10 Oct 2014 09:42:28 +0000 (11:42 +0200)]
Merge branch 'vici-ruby'

Adds a ruby gem for the VICI protocol, along with some documentation
improvements and some minor fixes to vici and swanctl.