strongswan.git
Thomas Klute [Thu, 3 Jan 2013 15:03:44 +0000 (16:03 +0100)]
conftest: Fix log level settings for stdout

This patch fixes bug #272 ("conftest ignores log settings for stdout").
http://wiki.strongswan.org/issues/272

According to the documentation of add_logger in src/libcharon/bus/bus.h,
the relevant log levels of a logger are registered with the logging
subsystem when adding the logger. If the log levels change later, the
logger must be re-added to propagate the new settings. In conftest.c,
the stdout logger is initialized and added before reading the logging
settings, but wasn't re-added after reading the settings.

Thomas Klute [Wed, 19 Dec 2012 13:14:55 +0000 (14:14 +0100)]
conftest: Make outgoing sequence number set by reset_seq configurable

This is useful for certain test cases. Passing the sequence number to
the callback requires a new struct that contains both the number and the
xfrm_usersa_id. The new configuration parameter is called oseq in
accordance with the kernel name, see the comment in the reset_cb
callback function for details.

Martin Willi [Thu, 3 Jan 2013 10:12:05 +0000 (11:12 +0100)]
Include opensslconf.h before checking its defines

Martin Willi [Thu, 3 Jan 2013 10:05:49 +0000 (11:05 +0100)]
Don't build OpenSSL PKCS#7 code if OPENSSL_NO_CMS defined

Andreas Steffen [Wed, 26 Dec 2012 08:28:17 +0000 (09:28 +0100)]
make pacman.sh run under cron

Andreas Steffen [Mon, 24 Dec 2012 11:06:07 +0000 (12:06 +0100)]
deleted newly constructed attributes in send_assessment

Dmitry Korzhevin [Mon, 24 Dec 2012 10:44:28 +0000 (11:44 +0100)]
Added Russian and Ukrainian strings for Android client

Martin Willi [Fri, 21 Dec 2012 08:48:35 +0000 (09:48 +0100)]
Add parentheses to avoid compiler warning

Andreas Steffen [Sun, 23 Dec 2012 21:16:30 +0000 (22:16 +0100)]
Send empty CDATA batch if TNC client has no data to send

Tobias Brunner [Thu, 20 Dec 2012 08:31:38 +0000 (09:31 +0100)]
Fixed some typos, courtesy of codespell

Adrian-Ken Rueegsegger [Wed, 19 Dec 2012 14:48:35 +0000 (15:48 +0100)]
Raise an alert if IKE SA is kept

This alert is raised when the establishment of a child SA fails but the
IKE SA is kept.

Reto Buerki [Tue, 18 Dec 2012 15:11:19 +0000 (16:11 +0100)]
stroke: Drop unneeded [MY|OTHER]_NETBITS

Reto Buerki [Wed, 18 Jul 2012 14:19:31 +0000 (16:19 +0200)]
stroke: Enable install_policy in add_connection()

Volker Rümelin [Sat, 15 Dec 2012 13:11:26 +0000 (14:11 +0100)]
Add support for draft-ietf-ipsec-nat-t-ike-03 and earlier

This adds support for early versions of the draft that eventually
resulted in RFC 3947.

Martin Willi [Wed, 19 Dec 2012 09:43:35 +0000 (10:43 +0100)]
NEWS about error-notify

Martin Willi [Wed, 21 Nov 2012 10:12:53 +0000 (11:12 +0100)]
Add missing error_notify_msg.h to distribution tarball

Martin Willi [Thu, 8 Nov 2012 10:22:26 +0000 (11:22 +0100)]
Add an error-notify sample application to listen to error notifications

Martin Willi [Tue, 6 Nov 2012 15:46:49 +0000 (16:46 +0100)]
Add an error-notify plugin to send caught alerts to listening applications

Martin Willi [Tue, 6 Nov 2012 14:26:15 +0000 (15:26 +0100)]
Raise an alert if half-open timeout limit reached

Martin Willi [Tue, 6 Nov 2012 10:48:58 +0000 (11:48 +0100)]
Raise an alert if an authorize() hook fails

Martin Willi [Tue, 6 Nov 2012 10:43:19 +0000 (11:43 +0100)]
Raise an alert if allocating virtual IPs fails

Martin Willi [Tue, 6 Nov 2012 10:33:29 +0000 (11:33 +0100)]
Raise an alert if kernel policy installation fails

Martin Willi [Tue, 6 Nov 2012 10:32:18 +0000 (11:32 +0100)]
Raise an alert if kernel SA installation fails

Martin Willi [Tue, 6 Nov 2012 10:27:38 +0000 (11:27 +0100)]
Raise an alert on traffic selector mismatch

Martin Willi [Tue, 6 Nov 2012 10:19:52 +0000 (11:19 +0100)]
Raise alerts when enforcing IKE_SA unique policy

Martin Willi [Tue, 6 Nov 2012 10:05:04 +0000 (11:05 +0100)]
Raise an alert if CHILD_SA proposals mismatch

Martin Willi [Tue, 6 Nov 2012 10:01:49 +0000 (11:01 +0100)]
Raise an alert if IKE proposals mismatch

Martin Willi [Mon, 5 Nov 2012 14:33:34 +0000 (15:33 +0100)]
Raise an alert if generating local authentication data fails

Martin Willi [Wed, 19 Dec 2012 09:38:42 +0000 (10:38 +0100)]
Add NEWS about BER capable OpenSSL PKCS#7 backend

Martin Willi [Thu, 29 Nov 2012 15:48:18 +0000 (16:48 +0100)]
Free leaking scep attributes

Martin Willi [Thu, 29 Nov 2012 15:35:41 +0000 (16:35 +0100)]
Corrected error message if enveloped-data decryption fails

Martin Willi [Thu, 29 Nov 2012 15:35:06 +0000 (16:35 +0100)]
Fix up serialNumber in openssl PKCS#7 if it has a leading MSB set

Martin Willi [Thu, 29 Nov 2012 15:12:45 +0000 (16:12 +0100)]
Don't handle PKCS#7 containers with infinite length encodings in pkcs7 plugin

Martin Willi [Thu, 29 Nov 2012 14:56:53 +0000 (15:56 +0100)]
Implement PKCS#7 decryption using openssl

Martin Willi [Thu, 29 Nov 2012 13:39:35 +0000 (14:39 +0100)]
Make available wrapped certificates while verifying PKCS#7 signatures in openssl

Martin Willi [Thu, 29 Nov 2012 13:30:08 +0000 (14:30 +0100)]
Implement openssl PKCS#7 certificate enumeration

Martin Willi [Thu, 29 Nov 2012 11:02:07 +0000 (12:02 +0100)]
Fix doxygen grouping regarding containers and PKCS#7

Martin Willi [Thu, 29 Nov 2012 10:53:13 +0000 (11:53 +0100)]
Enable pkcs7 plugin when building scepclient on Android

Martin Willi [Thu, 29 Nov 2012 10:52:27 +0000 (11:52 +0100)]
Move PKCS#9 attribute lists to pkcs7 plugin, as we currently use it there only

Martin Willi [Thu, 29 Nov 2012 10:39:49 +0000 (11:39 +0100)]
Implement get_attribute() in openssl PKCS#7 backend

Martin Willi [Thu, 29 Nov 2012 10:29:46 +0000 (11:29 +0100)]
Allocate data returned by pkcs7_t.get_attribute()

Martin Willi [Wed, 28 Nov 2012 17:45:30 +0000 (18:45 +0100)]
Implement OpenSSL PKCS#7 signed-data parsing and verification

Martin Willi [Wed, 28 Nov 2012 13:59:49 +0000 (14:59 +0100)]
Add a stub for OpenSSL PKCS#7 parsing

Martin Willi [Wed, 28 Nov 2012 11:44:05 +0000 (12:44 +0100)]
Remove unused monolithic PKCS#7 code

Martin Willi [Wed, 28 Nov 2012 11:41:38 +0000 (12:41 +0100)]
Migrated scepclient to new modular PKCS# API

Martin Willi [Wed, 28 Nov 2012 11:41:15 +0000 (12:41 +0100)]
Fix encryption algorithm/key size argument processing in PKCS#7 enveloped-data

Martin Willi [Wed, 28 Nov 2012 11:40:55 +0000 (12:40 +0100)]
Properly clone PKCS#7 attributes passed to builder

Martin Willi [Tue, 27 Nov 2012 16:37:55 +0000 (17:37 +0100)]
Fix enum names for container_type_t

Martin Willi [Tue, 27 Nov 2012 16:37:25 +0000 (17:37 +0100)]
Add a --show option to pki --pkcs7 to print contained certificates

Martin Willi [Tue, 27 Nov 2012 16:35:30 +0000 (17:35 +0100)]
Add an enumerator for PKCS#7 contained certificates

Martin Willi [Tue, 27 Nov 2012 16:10:37 +0000 (17:10 +0100)]
pki --pkcs7 --verify prints the signing time, if available

Martin Willi [Tue, 27 Nov 2012 16:10:23 +0000 (17:10 +0100)]
Add a getter for signed PKCS#7 attributes

Martin Willi [Tue, 27 Nov 2012 15:35:53 +0000 (16:35 +0100)]
Fix leak in pki --pkcs7 --decrypt

Martin Willi [Tue, 27 Nov 2012 15:32:18 +0000 (16:32 +0100)]
Support multiple signerInfos while parsing PKCS#7 signed-data

Martin Willi [Tue, 27 Nov 2012 13:59:51 +0000 (14:59 +0100)]
Add a pki command to sign, verify, encrypt and decrypt PKCS#7 containers

Martin Willi [Tue, 27 Nov 2012 13:59:18 +0000 (14:59 +0100)]
Support encoding of PKCS#7 enveloped-data containers

Martin Willi [Tue, 27 Nov 2012 11:22:01 +0000 (12:22 +0100)]
Support encoding of PKCS#7 signed-data containers

Martin Willi [Tue, 27 Nov 2012 11:21:07 +0000 (12:21 +0100)]
Support encoding of PKCS#7 "data" containers

Martin Willi [Tue, 27 Nov 2012 11:20:16 +0000 (12:20 +0100)]
Add builder parts to generate PKCS#7 containers

Martin Willi [Tue, 27 Nov 2012 09:32:54 +0000 (10:32 +0100)]
Implement PKCS#7 enveloped-data parsing and decryption

Martin Willi [Mon, 26 Nov 2012 14:05:15 +0000 (15:05 +0100)]
Implement PKCS#7 signed-data parsing and verification

Martin Willi [Mon, 26 Nov 2012 14:03:49 +0000 (15:03 +0100)]
Implement PKCS#7 "data" content type parsing

Martin Willi [Tue, 27 Nov 2012 09:02:37 +0000 (10:02 +0100)]
certificate_t.has_subject() matches for certificate serialNumber

Martin Willi [Mon, 26 Nov 2012 11:40:23 +0000 (12:40 +0100)]
Implement generic PKCS#7 contentInfo parsing

Martin Willi [Mon, 26 Nov 2012 11:06:44 +0000 (12:06 +0100)]
Add a plugin stub for PKCS#7 containers

Martin Willi [Mon, 26 Nov 2012 11:55:25 +0000 (12:55 +0100)]
Add container plugin features

Martin Willi [Mon, 26 Nov 2012 11:04:16 +0000 (12:04 +0100)]
Add a generic interface for crypto containers and a more specific PKCS#7 interface

Martin Willi [Fri, 23 Nov 2012 15:38:25 +0000 (16:38 +0100)]
Rebuild PKCS#9 encoding after adding new attributes

Martin Willi [Fri, 23 Nov 2012 15:37:23 +0000 (16:37 +0100)]
Don't store additional encoding for each PKCS#9 attribute

Martin Willi [Fri, 23 Nov 2012 15:27:31 +0000 (16:27 +0100)]
Unify PKCS#9 set_attribute* methods to a single add_attribute

This way the PKCS#9 implementation does not have to know
the encoding types for values

Martin Willi [Fri, 23 Nov 2012 15:00:15 +0000 (16:00 +0100)]
PKCS#9 coding style cleanups

Martin Willi [Fri, 23 Nov 2012 14:48:30 +0000 (15:48 +0100)]
Remove external build_encoding method in PKCS#9

Tobias Brunner [Tue, 18 Dec 2012 14:50:08 +0000 (15:50 +0100)]
Fix deadlock in IMC/IMV managers

Since reserve_id() might be called from e.g. notify_connection_change()
using a write lock will not work as this can't be acquired while holding
the read lock.

Also, with the previous code it was possible that two IMCs/IMVs added by
two threads at the same time would get the same ID assigned.

Tobias Brunner [Tue, 18 Dec 2012 14:49:21 +0000 (15:49 +0100)]
Properly select IMC/IMV according to given primary ID in reserve_id()

Martin Willi [Thu, 13 Dec 2012 10:22:40 +0000 (11:22 +0100)]
Use a ./configure check to detect pthread spinlock availability

_POSIX_SPIN_LOCKS does not seem to be defined correctly on all
systems (Debian libc 2.3.6). Fixes #262.

Martin Willi [Mon, 17 Dec 2012 13:23:44 +0000 (14:23 +0100)]
kernel-netlink's get_interface() considers virtual IPs, too

When using load-tester, we can install tunnel outer addresses on
demand. As these are installed as "virtual", we have to consider
virtual IPs in the get_interface() lookup to install "real" virtual
IPs to these dynamic external addresses.

Martin Willi [Mon, 17 Dec 2012 13:22:25 +0000 (14:22 +0100)]
If load-tester requests a virtual IP, use a dynamic local traffic selector

Martin Willi [Mon, 17 Dec 2012 09:58:47 +0000 (10:58 +0100)]
Add missing CHILD_SA specific proposal keyword in conftest README

Tobias Brunner [Thu, 13 Dec 2012 14:25:59 +0000 (15:25 +0100)]
Fix traffic selectors also as initiator in case of transport mode over NAT

Tobias Brunner [Thu, 13 Dec 2012 14:25:03 +0000 (15:25 +0100)]
Fix debug output if responder selected invalid traffic selectors during QM

Andreas Steffen [Thu, 13 Dec 2012 10:10:24 +0000 (11:10 +0100)]
fixed memory leak in TPM Version Info

Tobias Brunner [Thu, 13 Dec 2012 10:08:32 +0000 (11:08 +0100)]
Fixed reading of configs in conftest utility

Martin Willi [Tue, 11 Dec 2012 09:40:59 +0000 (10:40 +0100)]
Migrate RADIUS accounting state while IKE_SA unique id changes during rekey

Martin Willi [Mon, 10 Dec 2012 16:04:26 +0000 (17:04 +0100)]
Migrate cache and fire lookip events for unique_id change during IKE_SA rekey

Martin Willi [Mon, 10 Dec 2012 16:01:00 +0000 (17:01 +0100)]
Inherit virtual IP and attributes from old to new, not from new to old

Tobias Brunner [Mon, 10 Dec 2012 10:41:37 +0000 (11:41 +0100)]
Avoid that ruby 1.9 redefines snprintf(3) etc.

Otherwise our custom printf specifiers won't work.

Tobias Brunner [Mon, 10 Dec 2012 08:46:51 +0000 (09:46 +0100)]
Properly initialize linked list when enumerating interface addresses

Tobias Brunner [Mon, 10 Dec 2012 08:41:32 +0000 (09:41 +0100)]
rb_cvar_set() takes three arguments in Ruby 1.9

Tobias Brunner [Thu, 8 Nov 2012 18:24:04 +0000 (19:24 +0100)]
Use rb_errinfo() instead of ruby_errinfo for Ruby 1.9

Tobias Brunner [Thu, 8 Nov 2012 18:23:05 +0000 (19:23 +0100)]
Use proper Ruby library depending on the available version

Tobias Brunner [Thu, 8 Nov 2012 15:20:41 +0000 (16:20 +0100)]
Fixed search for ruby.h in ./configure for newer Ruby releases

Andreas Steffen [Sun, 9 Dec 2012 18:40:13 +0000 (19:40 +0100)]
add dlclose strongswan.conf option to tnc-imc/tnc-imv plugins

Andreas Steffen [Sun, 9 Dec 2012 18:35:23 +0000 (19:35 +0100)]
optionally skip dlclose() of IMCs/IMVs in order to track memory leaks

Andreas Steffen [Sun, 9 Dec 2012 16:07:51 +0000 (17:07 +0100)]
fixed memory leak in error case

Andreas Steffen [Sun, 9 Dec 2012 12:55:22 +0000 (13:55 +0100)]
newer releases of dpkg-query do not have PackageSpec

Andreas Steffen [Sun, 9 Dec 2012 12:26:34 +0000 (13:26 +0100)]
ignore ports of the 127.0.1.1 internal system address

Martin Willi [Tue, 4 Dec 2012 10:11:50 +0000 (11:11 +0100)]
Properly trigger ike_updown() event if IKEv1 DPD times out

Fixes missing RADIUS Accounting Stop, #257.

Martin Willi [Fri, 30 Nov 2012 16:24:28 +0000 (17:24 +0100)]
Replace optionsfrom LGPLv2 header by a GPLv2

Martin Willi [Fri, 30 Nov 2012 16:15:37 +0000 (17:15 +0100)]
Fix GPL license header to properly "sed" it

Martin Willi [Tue, 20 Nov 2012 13:34:00 +0000 (14:34 +0100)]
Add locking to IMC/IMV managers to add/remove IMC/IMVs on the fly