strongswan.git
8 years ago: Merge branch 'android-mobility'
Tobias Brunner [Thu, 18 Oct 2012 10:28:14 +0000 (12:28 +0200)]

This brings support for MOBIKE to the Android app.  The app also tries
to keep the connection up as long as possible.

DNS queries are now handled by a new class that uses independent threads to
resolve them; this allows cancelling them, e.g. if no network connectivity is
available (otherwise the app would block until the DNS query returns).

8 years ago: Use a shortcut to resolve numeric IP addresses (no need for separate threads)
Tobias Brunner [Thu, 18 Oct 2012 07:10:18 +0000 (09:10 +0200)]

8 years ago: Use native threads in host resolver so that it works even if the processor has no threads
Tobias Brunner [Thu, 18 Oct 2012 08:47:51 +0000 (10:47 +0200)]

8 years ago: Terminate unused resolver threads after a timeout
Tobias Brunner [Thu, 18 Oct 2012 06:46:24 +0000 (08:46 +0200)]

8 years ago: Only create more threads if needed in host_resolver_t
Tobias Brunner [Wed, 17 Oct 2012 16:04:33 +0000 (18:04 +0200)]

8 years ago: Use a helper function to add milliseconds to timeval structs
Tobias Brunner [Tue, 16 Oct 2012 10:38:54 +0000 (12:38 +0200)]

8 years ago: android: Ignore if peer is unreachable when reestablishing an SA
Tobias Brunner [Tue, 16 Oct 2012 11:41:02 +0000 (13:41 +0200)]

8 years ago: android: Use a shorter timeout for retransmits
Tobias Brunner [Tue, 16 Oct 2012 10:05:50 +0000 (12:05 +0200)]

8 years ago: android: Use keyingtries=%forever and dpd|closeaction=restart
Tobias Brunner [Tue, 16 Oct 2012 09:50:53 +0000 (11:50 +0200)]

We also ignore the CHILD_SA_DOWN event.

This should allow us to keep the connection up as long as the user does
not manually disconnect.

8 years ago: Resolve hosts by DNS name in separate threads so we can cancel them
Tobias Brunner [Tue, 16 Oct 2012 08:57:02 +0000 (10:57 +0200)]

getaddrinfo(3) may block for a long time, so proper termination of the daemon may
block if DNS servers are not reachable.

getaddrinfo(3) is an optional cancellation point in POSIX threads, so it
might still block a shutdown, but at least on Android (with the signal-based
pthread_cancel implementation) it works; on Linux, starter will kill charon
anyway after a while.

8 years ago: no need to include pa_tnc_msg.h
Andreas Steffen [Thu, 18 Oct 2012 05:00:32 +0000 (07:00 +0200)]

8 years ago: refactored PA-TNC message handling by IMVs
Andreas Steffen [Wed, 17 Oct 2012 21:15:14 +0000 (23:15 +0200)]

8 years ago: refactored PA-TNC message handling by IMCs
Andreas Steffen [Wed, 17 Oct 2012 07:58:00 +0000 (09:58 +0200)]

8 years ago: increased IMC/IMV debug level to 3
Andreas Steffen [Wed, 17 Oct 2012 07:45:19 +0000 (09:45 +0200)]

8 years ago: removed unused variable
Andreas Steffen [Tue, 16 Oct 2012 13:17:39 +0000 (15:17 +0200)]

8 years ago: android: Handle unreachable peers via alert
Tobias Brunner [Mon, 15 Oct 2012 12:50:22 +0000 (14:50 +0200)]

8 years ago: Added a new alert that is raised if peer does not respond to initial IKE message
Tobias Brunner [Mon, 15 Oct 2012 11:12:43 +0000 (13:12 +0200)]

8 years ago: android: Use 0.0.0.0/0 as local traffic selector
Tobias Brunner [Mon, 15 Oct 2012 09:02:18 +0000 (11:02 +0200)]

This is helpful if the responder also wants to tunnel e.g. multicast
packets.

8 years ago: Log IP addresses for discarded inbound IPsec packets
Tobias Brunner [Mon, 15 Oct 2012 09:19:34 +0000 (11:19 +0200)]

8 years ago: android: Bypass/protect previously bypassed sockets if connectivity changes
Tobias Brunner [Thu, 11 Oct 2012 16:48:17 +0000 (18:48 +0200)]

8 years ago: android: Support for IPsec SA update added
Tobias Brunner [Wed, 10 Oct 2012 13:31:24 +0000 (15:31 +0200)]

8 years ago: Use pointers for lookups in IPsec SA manager
Tobias Brunner [Wed, 10 Oct 2012 17:17:17 +0000 (19:17 +0200)]

8 years ago: IPsec SA manager implements update_sa()
Tobias Brunner [Wed, 10 Oct 2012 13:31:02 +0000 (15:31 +0200)]

8 years ago: Setter for src and destination address of ipsec_sa_t added
Tobias Brunner [Wed, 10 Oct 2012 13:29:25 +0000 (15:29 +0200)]

8 years ago: android: Trigger roam events in case connectivity changes
Tobias Brunner [Wed, 10 Oct 2012 12:42:12 +0000 (14:42 +0200)]

8 years ago: android: Register NetworkManager as BroadcastReceiver and relay events via JNI
Tobias Brunner [Wed, 10 Oct 2012 12:14:30 +0000 (14:14 +0200)]

8 years ago: android: Determine source address dynamically
Tobias Brunner [Wed, 10 Oct 2012 10:26:51 +0000 (12:26 +0200)]

8 years ago: android: Added NetworkManager class which allows retrieving a local IP address
Tobias Brunner [Wed, 10 Oct 2012 10:10:20 +0000 (12:10 +0200)]

8 years ago: android: Increase compile warnings
Tobias Brunner [Wed, 10 Oct 2012 10:11:31 +0000 (12:11 +0200)]

8 years ago: android: Fixed "Configure" button in Android VPN dialog
Tobias Brunner [Wed, 10 Oct 2012 09:56:34 +0000 (11:56 +0200)]

8 years ago: android: Don't use the default ESP proposal as it includes unsupported algorithms
Tobias Brunner [Tue, 9 Oct 2012 12:01:33 +0000 (14:01 +0200)]

8 years ago: Remove unused this parameter to load_issuer_cert/key(), as it is uninitialized
Martin Willi [Tue, 16 Oct 2012 12:11:14 +0000 (14:11 +0200)]

8 years ago: Generate a load-tester certificate only for DN or subjectAltName identities
Martin Willi [Mon, 1 Oct 2012 13:38:20 +0000 (15:38 +0200)]

8 years ago: Add a load-tester initiator_match option to match custom initiator_id
Martin Willi [Mon, 1 Oct 2012 13:14:35 +0000 (15:14 +0200)]

8 years ago: Encode non-DN load-tester identities as subjectAltNames
Martin Willi [Mon, 1 Oct 2012 13:13:49 +0000 (15:13 +0200)]

8 years ago: Add a load-tester digest option for issuing peer certificates
Martin Willi [Mon, 1 Oct 2012 12:44:55 +0000 (14:44 +0200)]

8 years ago: Load multiple load-tester CA certificates from a directory
Martin Willi [Mon, 1 Oct 2012 12:34:03 +0000 (14:34 +0200)]

8 years ago: Added load-tester options to read issuing CA certificate and key from files
Martin Willi [Mon, 1 Oct 2012 12:01:13 +0000 (14:01 +0200)]

8 years ago: Use proper offset when adding mark attribute in kernel-netlink plugin
Tobias Brunner [Mon, 15 Oct 2012 09:11:29 +0000 (11:11 +0200)]

8 years ago: Also add mark when querying current replay state in kernel-netlink plugin
Tobias Brunner [Fri, 12 Oct 2012 16:34:21 +0000 (18:34 +0200)]

8 years ago: allow registration of multiple message types
Andreas Steffen [Sun, 14 Oct 2012 15:37:00 +0000 (17:37 +0200)]

8 years ago: implemented IETF Operational Status attribute
Andreas Steffen [Sat, 13 Oct 2012 18:34:50 +0000 (20:34 +0200)]

8 years ago: corrected class description
Andreas Steffen [Sat, 13 Oct 2012 08:38:10 +0000 (10:38 +0200)]

8 years ago: implemented IETF Factory Default Password Enabled attribute
Andreas Steffen [Fri, 12 Oct 2012 20:04:51 +0000 (22:04 +0200)]

8 years ago: added tnc/tnccs-20-os scenario
Andreas Steffen [Fri, 12 Oct 2012 07:50:15 +0000 (09:50 +0200)]

8 years ago: implemented the Forwarding Enabled attribute
Andreas Steffen [Fri, 12 Oct 2012 07:49:44 +0000 (09:49 +0200)]

8 years ago: minor fixes in imc_attestation.c
Andreas Steffen [Thu, 11 Oct 2012 22:53:07 +0000 (00:53 +0200)]

8 years ago: Fixed update_sa in kernel-netlink plugin if marks are used
Tobias Brunner [Thu, 11 Oct 2012 17:08:47 +0000 (19:08 +0200)]

8 years ago: Fixed compilation of android_handler_t
Tobias Brunner [Thu, 11 Oct 2012 09:12:05 +0000 (11:12 +0200)]

8 years ago: version bump to 5.0.2dr1
Andreas Steffen [Thu, 11 Oct 2012 07:21:38 +0000 (09:21 +0200)]

8 years ago: implemented os_info_t class
Andreas Steffen [Wed, 10 Oct 2012 19:54:05 +0000 (21:54 +0200)]

8 years ago: Remove outdated TODO information
Martin Willi [Wed, 10 Oct 2012 11:10:28 +0000 (13:10 +0200)]

8 years ago: implemented IETF String Version attribute
Andreas Steffen [Wed, 10 Oct 2012 10:30:18 +0000 (12:30 +0200)]

8 years ago: restrict package name and package version number fields to 255 octets
Andreas Steffen [Wed, 10 Oct 2012 07:03:11 +0000 (09:03 +0200)]

8 years ago: created OS IMC/IMV pair
Andreas Steffen [Tue, 9 Oct 2012 21:58:17 +0000 (23:58 +0200)]

8 years ago: implemented IETF Installed Packages attribute
Andreas Steffen [Tue, 9 Oct 2012 21:28:15 +0000 (23:28 +0200)]

8 years ago: fixed PA-TNC error code to Invalid Parameter
Andreas Steffen [Tue, 9 Oct 2012 21:22:03 +0000 (23:22 +0200)]

8 years ago: check for zero product vendor ID and non-zero product ID
Andreas Steffen [Tue, 9 Oct 2012 18:07:51 +0000 (20:07 +0200)]

8 years ago: cosmetics
Andreas Steffen [Tue, 9 Oct 2012 18:06:55 +0000 (20:06 +0200)]

8 years ago: cosmetics
Andreas Steffen [Mon, 8 Oct 2012 17:17:13 +0000 (19:17 +0200)]

8 years ago: Fix leak of PINs from ipsec.secrets
Martin Willi [Thu, 4 Oct 2012 12:45:10 +0000 (14:45 +0200)]

8 years ago: list multiple files with a given basename but different path names
Andreas Steffen [Mon, 8 Oct 2012 16:56:22 +0000 (18:56 +0200)]

8 years ago: check length of hex-encoded IV
Andreas Steffen [Sun, 7 Oct 2012 15:07:35 +0000 (17:07 +0200)]

8 years ago: allow has_noskip_flag to contain TRUE_OR_FALSE
Andreas Steffen [Sun, 7 Oct 2012 14:26:02 +0000 (16:26 +0200)]

8 years ago: free entry in error case
Andreas Steffen [Sun, 7 Oct 2012 12:08:49 +0000 (14:08 +0200)]

8 years ago: test first and up in the outer while loop
Andreas Steffen [Sun, 7 Oct 2012 10:46:19 +0000 (12:46 +0200)]

8 years ago: fixed generation of PA-TNC error messages
Andreas Steffen [Sun, 7 Oct 2012 09:37:30 +0000 (11:37 +0200)]

8 years ago: added some new SHA-512 OIDs
Andreas Steffen [Wed, 3 Oct 2012 13:33:56 +0000 (15:33 +0200)]

8 years ago: Add a libfast sendfile() method to send files from disk [5.0.1]
Martin Willi [Tue, 2 Oct 2012 13:37:36 +0000 (15:37 +0200)]

8 years ago: Include all dev headers, even if they are configuration specific
Martin Willi [Tue, 2 Oct 2012 09:38:42 +0000 (11:38 +0200)]

8 years ago: version bump to 5.0.1
Andreas Steffen [Tue, 2 Oct 2012 08:39:43 +0000 (10:39 +0200)]

8 years ago: Ensure UNSUPPORTED_CRITICAL_PAYLOAD notify contains correct payload type
Tobias Brunner [Fri, 28 Sep 2012 20:31:06 +0000 (22:31 +0200)]

8 years ago: Make sure hasher exists before trying to destroy it
Tobias Brunner [Fri, 28 Sep 2012 18:57:12 +0000 (20:57 +0200)]

8 years ago: Missed one in 6c10cece
Tobias Brunner [Fri, 28 Sep 2012 18:55:40 +0000 (20:55 +0200)]

8 years ago: Missed one in 3dcffed6
Tobias Brunner [Fri, 28 Sep 2012 18:50:09 +0000 (20:50 +0200)]

8 years ago: Fixed RNG crypto tester
Tobias Brunner [Fri, 28 Sep 2012 17:13:40 +0000 (19:13 +0200)]

8 years ago: Request is never NULL when responding with an INFORMATIONAL message
Tobias Brunner [Fri, 28 Sep 2012 17:10:03 +0000 (19:10 +0200)]

8 years ago: Fixed check for rng in session ID creation of libfast
Tobias Brunner [Fri, 28 Sep 2012 17:07:53 +0000 (19:07 +0200)]

8 years ago: Completed state handling in isakmp_cert_pre
Tobias Brunner [Fri, 28 Sep 2012 17:01:09 +0000 (19:01 +0200)]

Should not be a problem, but makes static analyzers happy.

8 years ago: Added missing break statements in NAT-T mapping handling in PF_KEY plugin
Tobias Brunner [Fri, 28 Sep 2012 16:57:56 +0000 (18:57 +0200)]

8 years ago: Added missing break when building TLS cipher suites
Tobias Brunner [Fri, 28 Sep 2012 16:55:40 +0000 (18:55 +0200)]

8 years ago: Make sure we successfully opened xfrm_acq_expires
Tobias Brunner [Fri, 28 Sep 2012 16:54:28 +0000 (18:54 +0200)]

8 years ago: Added missing continue statement in ha socket error handling
Tobias Brunner [Fri, 28 Sep 2012 16:52:00 +0000 (18:52 +0200)]

8 years ago: Fixed snprintf check in tnc-ifmap plugin
Tobias Brunner [Fri, 28 Sep 2012 16:49:16 +0000 (18:49 +0200)]

8 years ago: Make static analyzers happy when parsing hosts from sockaddr_t
Tobias Brunner [Fri, 28 Sep 2012 16:35:26 +0000 (18:35 +0200)]

8 years ago: Clarified code when hashing/comparing cached policies in kernel-netlink
Tobias Brunner [Fri, 28 Sep 2012 16:30:16 +0000 (18:30 +0200)]

8 years ago: Avoid overrunning array when registering pki command line options
Tobias Brunner [Fri, 28 Sep 2012 16:22:54 +0000 (18:22 +0200)]

8 years ago: Use %x to print uint32 as long ints are 64-bit long on x64 Linux
Tobias Brunner [Fri, 28 Sep 2012 16:09:08 +0000 (18:09 +0200)]

8 years ago: Make sure first argument is an int when using %.*s to print e.g. chunks
Tobias Brunner [Fri, 28 Sep 2012 16:01:49 +0000 (18:01 +0200)]

8 years ago: Avoid memory leak when sending RADIUS accounting start message failed
Tobias Brunner [Fri, 28 Sep 2012 15:43:02 +0000 (17:43 +0200)]

8 years ago: Ensure that pipe is closed when calling resolvconf(8)
Tobias Brunner [Fri, 28 Sep 2012 15:33:24 +0000 (17:33 +0200)]

8 years ago: Avoid memory leak when failing to read file metadata
Tobias Brunner [Fri, 28 Sep 2012 15:10:19 +0000 (17:10 +0200)]

8 years ago: The this->data member is never NULL
Tobias Brunner [Fri, 28 Sep 2012 15:08:16 +0000 (17:08 +0200)]

8 years ago: Use proper argument for sizeof when copying replay state
Tobias Brunner [Fri, 28 Sep 2012 15:00:20 +0000 (17:00 +0200)]

8 years ago: Algorithm names are not always static anymore, avoid string overflows
Tobias Brunner [Fri, 28 Sep 2012 14:42:50 +0000 (16:42 +0200)]

8 years ago: Correctly initialize payload length of encrypted payload
Tobias Brunner [Fri, 28 Sep 2012 14:30:26 +0000 (16:30 +0200)]

8 years ago: The eap argument of send_response is never NULL
Tobias Brunner [Fri, 28 Sep 2012 14:16:33 +0000 (16:16 +0200)]

8 years ago: Properly initialize sockaddr_in struct in fast and dhcp plugins
Tobias Brunner [Fri, 28 Sep 2012 14:03:09 +0000 (16:03 +0200)]

8 years ago: Properly initialize ima flag when adding file measurements
Tobias Brunner [Fri, 28 Sep 2012 13:51:39 +0000 (15:51 +0200)]

8 years ago: Properly initialize chunk for PCR value in case of errors
Tobias Brunner [Fri, 28 Sep 2012 13:49:19 +0000 (15:49 +0200)]