strongswan.git
6 years agoMerged libpts into libimcv
Andreas Steffen [Fri, 29 Aug 2014 10:18:21 +0000 (12:18 +0200)]
Merged libpts into libimcv

6 years agoAdded out message queue for imv_msg receive method
Andreas Steffen [Fri, 29 Aug 2014 04:23:16 +0000 (06:23 +0200)]
Added out message queue for imv_msg receive method

6 years agoImplemented IF-M segmentation
Andreas Steffen [Thu, 28 Aug 2014 19:14:13 +0000 (21:14 +0200)]
Implemented IF-M segmentation

6 years agoAdded request variable to get_info_string method
Andreas Steffen [Tue, 19 Aug 2014 05:42:40 +0000 (07:42 +0200)]
Added request variable to get_info_string method

6 years agoImplemented IF-M segmentation contracts
Andreas Steffen [Tue, 5 Aug 2014 16:36:03 +0000 (18:36 +0200)]
Implemented IF-M segmentation contracts

6 years agoAllow to treat specified Attribute-Type-Not-Supported errors as non-fatal
Andreas Steffen [Thu, 17 Jul 2014 13:16:38 +0000 (15:16 +0200)]
Allow to treat specified Attribute-Type-Not-Supported errors as non-fatal

6 years agotesting: Updated swanctl certificates and keys
Tobias Brunner [Fri, 3 Oct 2014 10:32:23 +0000 (12:32 +0200)]
testing: Updated swanctl certificates and keys

6 years agotesting: Wait a bit in swanctl scenarios before interacting with the daemon
Tobias Brunner [Fri, 3 Oct 2014 10:20:37 +0000 (12:20 +0200)]
testing: Wait a bit in swanctl scenarios before interacting with the daemon

6 years agotesting: Actually build swanctl
Tobias Brunner [Fri, 3 Oct 2014 10:16:03 +0000 (12:16 +0200)]
testing: Actually build swanctl

6 years agotesting: Make sure the whitelist plugin is ready before configuring it
Tobias Brunner [Fri, 3 Oct 2014 10:04:53 +0000 (12:04 +0200)]
testing: Make sure the whitelist plugin is ready before configuring it

6 years agotesting: Update PKCS#12 containers
Tobias Brunner [Fri, 3 Oct 2014 10:04:32 +0000 (12:04 +0200)]
testing: Update PKCS#12 containers

6 years agotesting: Update PKCS#8 keys
Tobias Brunner [Fri, 3 Oct 2014 09:53:35 +0000 (11:53 +0200)]
testing: Update PKCS#8 keys

6 years agotesting: Update public keys in DNSSEC scenarios
Tobias Brunner [Fri, 3 Oct 2014 09:34:49 +0000 (11:34 +0200)]
testing: Update public keys in DNSSEC scenarios

The tests are successful even if the public keys are not stored locally,
but an additional DNS query is required to fetch them.

6 years agotesting: Update public keys and certificates in DNS zone
Tobias Brunner [Fri, 3 Oct 2014 09:30:57 +0000 (11:30 +0200)]
testing: Update public keys and certificates in DNS zone

6 years agotesting: Update carols certificate in several test cases
Tobias Brunner [Fri, 3 Oct 2014 09:22:11 +0000 (11:22 +0200)]
testing: Update carols certificate in several test cases

6 years agotesting: Add some notes about how to reissue attribute certificates
Martin Willi [Fri, 3 Oct 2014 10:31:01 +0000 (12:31 +0200)]
testing: Add some notes about how to reissue attribute certificates

6 years agotesting: Reissue attribute certificates for the new holder certificates
Martin Willi [Fri, 3 Oct 2014 10:26:56 +0000 (12:26 +0200)]
testing: Reissue attribute certificates for the new holder certificates

Due to the expired and reissued holder certificates of carol and dave, new
attribute certificates are required to match the holder certificates serial in
the ikev2/acert-{cached,fallback,inline} tests.

6 years agostarter: Allow specifying the ipsec.conf location in strongswan.conf
Shea Levy [Tue, 30 Sep 2014 19:14:47 +0000 (15:14 -0400)]
starter: Allow specifying the ipsec.conf location in strongswan.conf

6 years agostroke: Allow specifying the ipsec.secrets location in strongswan.conf
Shea Levy [Tue, 30 Sep 2014 19:11:03 +0000 (15:11 -0400)]
stroke: Allow specifying the ipsec.secrets location in strongswan.conf

6 years agolibrary: Allow specifying the path to strongswan.conf in the STRONGSWAN_CONF env var
Shea Levy [Tue, 30 Sep 2014 18:31:50 +0000 (14:31 -0400)]
library: Allow specifying the path to strongswan.conf in the STRONGSWAN_CONF env var

6 years agoDon't fail to install if sysconfdir isn't writable
Shea Levy [Fri, 19 Sep 2014 18:32:22 +0000 (14:32 -0400)]
Don't fail to install if sysconfdir isn't writable

6 years agoikev1: Be more verbose if a peer config would match, but is unusable for Mode
Martin Willi [Thu, 25 Sep 2014 15:09:53 +0000 (17:09 +0200)]
ikev1: Be more verbose if a peer config would match, but is unusable for Mode

6 years agoikev2: Reorder task activation for established IKE SAs
Tobias Brunner [Fri, 19 Sep 2014 11:44:16 +0000 (13:44 +0200)]
ikev2: Reorder task activation for established IKE SAs

We now prefer MOBIKE tasks over delete tasks then the rest.

6 years agoRevert "ikev2: Insert MOBIKE tasks at the front of the queue"
Tobias Brunner [Fri, 19 Sep 2014 11:40:14 +0000 (13:40 +0200)]
Revert "ikev2: Insert MOBIKE tasks at the front of the queue"

This reverts commit 3293d146289d7c05e6c6089ae1f7cdbcea378e63.

The position of tasks in the queue does not actually determine the order
in which they are activated.  Instead this is determined by the
statements in task_manager_v2_t.initiate().

6 years agoMerge branch 'curl-features'
Martin Willi [Wed, 24 Sep 2014 15:37:13 +0000 (17:37 +0200)]
Merge branch 'curl-features'

Enable missing https:// support in the curl plugin by initializing libcurl
appropriately.

To initialize the SSL backend properly as required, we rely on our specific
crypto backends (openssl, gcrypt) that already provide this functionality.

Fixes #692.

6 years agotravis: Disable soup in "all" test
Martin Willi [Wed, 24 Sep 2014 13:53:46 +0000 (15:53 +0200)]
travis: Disable soup in "all" test

On Ubuntu 12.04, there seems to be a resource leak related to pthread keys
when initializing glib or related libraries more than once. With our repeated
initialization for libstrongswan tests, we hit the following error:

  Lib (gthread-posix.c): Unexpected error from C library during
  'pthread_key_create': Resource temporarily unavailable.

The problem is not reproducible on a newer Gnome stack, hence we disable the
glib based soup plugin until we have a more recent Ubuntu on Travis.

6 years agocurl: For SSL features, depend on thread-safety provided by our crypto plugins
Martin Willi [Wed, 24 Sep 2014 11:13:19 +0000 (13:13 +0200)]
curl: For SSL features, depend on thread-safety provided by our crypto plugins

To use SSL in curl, we need to initialize the SSL library in a thread-safe
manner and provide the appropriate callbacks. As we already do that in our
crypto plugins using these libraries, we depend on these features.

This implies that we need the same plugin enabled (openssl, gcrypt) as the
curl backend is configured to use to fetch from HTTPS URIs.

6 years agoconfigure: Load fetcher plugins after crypto base plugins
Martin Willi [Wed, 24 Sep 2014 10:24:13 +0000 (12:24 +0200)]
configure: Load fetcher plugins after crypto base plugins

Some fetcher plugins (such as curl) might build upon OpenSSL to implement
HTTPS fetching. As we set (and can't unset) threading callbacks in our
openssl plugin, we must ensure that OpenSSL functions don't get called after
openssl plugin unloading.

We achieve that by loading curl and all other fetcher plugins after the base
crypto plugins, including openssl.

6 years agocurl: Dynamically query supported protocols and register appropriate features
Martin Willi [Thu, 28 Aug 2014 09:11:12 +0000 (11:11 +0200)]
curl: Dynamically query supported protocols and register appropriate features

6 years agoleak-detective: Whitelist libssl SSL_COMP_get_compression_methods()
Martin Willi [Thu, 28 Aug 2014 09:10:21 +0000 (11:10 +0200)]
leak-detective: Whitelist libssl SSL_COMP_get_compression_methods()

This function is called by libcurl initialization with SSL, and uses
a static allocation of compression algorithms not freed.

6 years agocurl: Try to initialize with SSL support to handle https:// URIs
Martin Willi [Thu, 28 Aug 2014 09:09:26 +0000 (11:09 +0200)]
curl: Try to initialize with SSL support to handle https:// URIs

If initialization fails, we fall back to the old behavior.

6 years agoNEWS: Introduce charon-systemd
Martin Willi [Wed, 24 Sep 2014 09:35:03 +0000 (11:35 +0200)]
NEWS: Introduce charon-systemd

6 years agoMerge branch 'netlink-cleanups'
Martin Willi [Wed, 24 Sep 2014 09:20:53 +0000 (11:20 +0200)]
Merge branch 'netlink-cleanups'

In preparation for larger parallelization changes in kernel-netlink, this
merge does some general code cleanup in that plugin.

6 years agowatcher: Add a method to query the watcher state
Martin Willi [Thu, 10 Jul 2014 14:27:18 +0000 (16:27 +0200)]
watcher: Add a method to query the watcher state

This allows a user to check if the watcher is actually running, and potentially
perform read operations directly instead of relying on watcher.

6 years agokernel-netlink: Define and use rtnetlink message types
Martin Willi [Thu, 10 Jul 2014 16:01:21 +0000 (18:01 +0200)]
kernel-netlink: Define and use rtnetlink message types

6 years agokernel-netlink: Pass protocol specific enum names to socket constructor
Martin Willi [Thu, 10 Jul 2014 12:21:20 +0000 (14:21 +0200)]
kernel-netlink: Pass protocol specific enum names to socket constructor

This avoid the hard dependency on enum names, and makes kernel_netlink_shared
independent of kernel_netlink_ipsec.

6 years agokernel-netlink: Clean up socket initialization, handle 0 as valid socket fd
Martin Willi [Wed, 9 Jul 2014 14:47:06 +0000 (16:47 +0200)]
kernel-netlink: Clean up socket initialization, handle 0 as valid socket fd

6 years agokernel-netlink: Clean up response buffer management
Martin Willi [Wed, 9 Jul 2014 14:16:16 +0000 (16:16 +0200)]
kernel-netlink: Clean up response buffer management

6 years agokernel-netlink: Use recv() instead of recvfrom()
Martin Willi [Wed, 9 Jul 2014 14:04:16 +0000 (16:04 +0200)]
kernel-netlink: Use recv() instead of recvfrom()

As we are not interested in the returned address, there is really no need
in passing that argument.

6 years agokernel-netlink: Avoid casting the NLMSG_DATA() return value
Martin Willi [Wed, 9 Jul 2014 13:53:14 +0000 (15:53 +0200)]
kernel-netlink: Avoid casting the NLMSG_DATA() return value

There is really no need for doing so, and it makes the code just unreadable.

6 years agokernel-netlink: Define netlink buffer as an union having a netlink header
Martin Willi [Wed, 9 Jul 2014 13:47:24 +0000 (15:47 +0200)]
kernel-netlink: Define netlink buffer as an union having a netlink header

This allows us to streamline the netlink buffers, and avoid extensive
casting.

6 years agoMerge branch 'systemd'
Martin Willi [Wed, 24 Sep 2014 09:17:29 +0000 (11:17 +0200)]
Merge branch 'systemd'

Introduces a systemd specific charon-systemd IKE daemon based on libcharon.
Uses systemd APIs for startup control and journal logging and a new systemd
service unit using swanctl as configuration backend.

6 years agotravis: Disable build of native systemd IKE daemon
Martin Willi [Fri, 12 Sep 2014 08:35:23 +0000 (10:35 +0200)]
travis: Disable build of native systemd IKE daemon

Travis still uses Ubuntu 12.04, where no systemd libraries are available. Skip
systemd support on Travis until we have a more recent Ubuntu distribution.

6 years agoman: Skip installation of ipsec.conf/secrets manpages when not building starter
Martin Willi [Thu, 11 Sep 2014 13:56:03 +0000 (15:56 +0200)]
man: Skip installation of ipsec.conf/secrets manpages when not building starter

6 years agoinit: Update starter systemd service to distinguish it from strongswan-swanctl
Martin Willi [Mon, 15 Sep 2014 13:52:47 +0000 (15:52 +0200)]
init: Update starter systemd service to distinguish it from strongswan-swanctl

6 years agoinit: Provide a service file for charon-systemd using swanctl
Martin Willi [Thu, 11 Sep 2014 14:23:53 +0000 (16:23 +0200)]
init: Provide a service file for charon-systemd using swanctl

6 years agosystemd: Check if ./configure detected a systemd system unit directory
Martin Willi [Mon, 15 Sep 2014 13:38:06 +0000 (15:38 +0200)]
systemd: Check if ./configure detected a systemd system unit directory

6 years agosystemd: Discover and check systemd libraries with pkg-config during configure
Martin Willi [Fri, 12 Sep 2014 08:29:29 +0000 (10:29 +0200)]
systemd: Discover and check systemd libraries with pkg-config during configure

6 years agosystemd: Add a native systemd journal logger
Martin Willi [Thu, 11 Sep 2014 15:26:34 +0000 (17:26 +0200)]
systemd: Add a native systemd journal logger

6 years agoplugin-loader: Support a reload() callback for static features
Martin Willi [Fri, 12 Sep 2014 09:07:22 +0000 (11:07 +0200)]
plugin-loader: Support a reload() callback for static features

6 years agosystemd: Provide a charon-systemd daemon targeting full systemd integration
Martin Willi [Thu, 17 Jul 2014 14:16:23 +0000 (16:16 +0200)]
systemd: Provide a charon-systemd daemon targeting full systemd integration

6 years agoswanctl: Complete --load-creds command summary
Martin Willi [Thu, 7 Aug 2014 13:23:47 +0000 (15:23 +0200)]
swanctl: Complete --load-creds command summary

6 years agoswanctl: Fix description of load-pools command summary
Martin Willi [Thu, 7 Aug 2014 13:23:27 +0000 (15:23 +0200)]
swanctl: Fix description of load-pools command summary

6 years agoswanctl: Add a --load-all command, performing --load-{creds,pools,conns}
Martin Willi [Thu, 7 Aug 2014 13:22:40 +0000 (15:22 +0200)]
swanctl: Add a --load-all command, performing --load-{creds,pools,conns}

6 years agoswanctl: Add a --reload-settings command
Martin Willi [Thu, 17 Jul 2014 16:14:34 +0000 (18:14 +0200)]
swanctl: Add a --reload-settings command

6 years agovici: Add a command to reload strongswan.conf
Martin Willi [Thu, 17 Jul 2014 16:02:09 +0000 (18:02 +0200)]
vici: Add a command to reload strongswan.conf

6 years agoencoding: Accept all exchange types for non IKEv1/IKEv2 major versions
Martin Willi [Wed, 10 Sep 2014 09:14:22 +0000 (11:14 +0200)]
encoding: Accept all exchange types for non IKEv1/IKEv2 major versions

6 years agosettings: Make loading a NULL or empty pattern a (nop-)success
Martin Willi [Mon, 25 Aug 2014 08:36:01 +0000 (10:36 +0200)]
settings: Make loading a NULL or empty pattern a (nop-)success

6 years agosettings: Use strongswan.conf used during library initialization for reload
Martin Willi [Thu, 17 Jul 2014 16:07:05 +0000 (18:07 +0200)]
settings: Use strongswan.conf used during library initialization for reload

Since 4b670a20 we require an explicit strongswan.conf to re-load configurations.
However, the define was missing in the build, breaking SIGHUP based config
reloading.

Fixes #651.

6 years agolibrary: Store the used root strongswan.conf configuration
Martin Willi [Thu, 17 Jul 2014 15:47:42 +0000 (17:47 +0200)]
library: Store the used root strongswan.conf configuration

6 years agotesting: Use multiple jobs to install strongSwan
Tobias Brunner [Tue, 16 Sep 2014 12:02:05 +0000 (14:02 +0200)]
testing: Use multiple jobs to install strongSwan

6 years agotesting: Add a script to build the current (or an arbitrary) source tree
Tobias Brunner [Fri, 29 Aug 2014 10:13:49 +0000 (12:13 +0200)]
testing: Add a script to build the current (or an arbitrary) source tree

This allows to (relatively) quickly (re-)build and install the current
or an arbitrary strongSwan source tree within the root image.

bindfs is used to bind mount the source directory using the regular user
and group (only works if sudo is used to run the script) so that newly
created files are not owned by root.

As with building the root image in general the guests must not be
running while executing this script.  The guest images are automatically
rebuilt after the root image has been updated so configuration files and
other modifications in guests will be lost.

6 years agotesting: Add packages to rebuild strongSwan from the repository
Tobias Brunner [Fri, 29 Aug 2014 14:22:49 +0000 (16:22 +0200)]
testing: Add packages to rebuild strongSwan from the repository

6 years agotesting: Make strongSwan build recipe more configurable
Tobias Brunner [Fri, 29 Aug 2014 09:51:54 +0000 (11:51 +0200)]
testing: Make strongSwan build recipe more configurable

6 years agoswanctl: Document --stats command
Tobias Brunner [Fri, 19 Sep 2014 09:29:45 +0000 (11:29 +0200)]
swanctl: Document --stats command

6 years agotesting: Update certs and keys in tkm tests
Reto Buerki [Wed, 17 Sep 2014 13:45:11 +0000 (15:45 +0200)]
testing: Update certs and keys in tkm tests

References #705.

6 years agotesting: Update x509-ada version to 0.1.1
Reto Buerki [Wed, 17 Sep 2014 13:44:19 +0000 (15:44 +0200)]
testing: Update x509-ada version to 0.1.1

Fixes #705.

6 years agoikev2: Don't treat initial messages as MOBIKE exchanges
Tobias Brunner [Tue, 16 Sep 2014 12:59:05 +0000 (14:59 +0200)]
ikev2: Don't treat initial messages as MOBIKE exchanges

The MOBIKE task is active during the initial exchanges but we don't want
to treat them as actual MOBIKE exchanges (i.e. there is no path probing).

6 years agoikev1: Don't cache last block of INFORMATIONAL messages as IV
Tobias Brunner [Fri, 15 Aug 2014 15:52:15 +0000 (17:52 +0200)]
ikev1: Don't cache last block of INFORMATIONAL messages as IV

We don't expect a response with the same MID, but apparently some
devices (e.g. FRITZ!Box) do that for DPDs, while still treating the
response as a new exchange.  By storing the last message block as IV
we can't decrypt the first block of such a response.

Fixes #661.

6 years agoikev1: Log IV when encrypting messages
Tobias Brunner [Fri, 15 Aug 2014 15:28:40 +0000 (17:28 +0200)]
ikev1: Log IV when encrypting messages

6 years agoikev1: Skip unusable IPComp proposals
Tobias Brunner [Fri, 15 Aug 2014 13:59:12 +0000 (15:59 +0200)]
ikev1: Skip unusable IPComp proposals

Fixes #661.

6 years agoikev1: Properly handle different proposal numbering schemes
Tobias Brunner [Fri, 15 Aug 2014 13:57:22 +0000 (15:57 +0200)]
ikev1: Properly handle different proposal numbering schemes

While the examples in RFC 2408 show proposal numbers starting at 1 and
increasing by one for each subsequent proposal this is not mandatory.
Actually, IKEv1 proposals may start at any number, the only requirement
is that the proposal numbers increase monotonically they don't have to
do so consecutively.

Most implementations follow the examples and start numbering at 1 (charon,
racoon, Shrew, Cisco, Windows XP, FRITZ!Box) but pluto was one of the
implementations that started with 0 and there might be others out there.

The previous assumption that implementations always start numbering proposals
at 0 caused problems with clients that start numbering with 1 and whose first
proposal consists of multiple protocols (e.g. ESP+IPComp).

Fixes #661.

6 years agokernel-netlink: Optionally install protocol and ports on transport mode SAs
Tobias Brunner [Mon, 25 Aug 2014 12:45:40 +0000 (14:45 +0200)]
kernel-netlink: Optionally install protocol and ports on transport mode SAs

6 years agoMerge branch 'mobike-fixes'
Tobias Brunner [Fri, 12 Sep 2014 08:35:06 +0000 (10:35 +0200)]
Merge branch 'mobike-fixes'

These changes improve the handling of MOBIKE tasks, for instance, when
retransmitting and no path is available.

Fixes #632.

6 years agoikev2: Reduce timeout if path probing was enabled
Tobias Brunner [Mon, 28 Jul 2014 12:09:10 +0000 (14:09 +0200)]
ikev2: Reduce timeout if path probing was enabled

6 years agoikev2: Defer MOBIKE updates if no path is available
Tobias Brunner [Mon, 28 Jul 2014 11:51:27 +0000 (13:51 +0200)]
ikev2: Defer MOBIKE updates if no path is available

6 years agoike-mobike: Allow calling transmit() even when not currently path probing
Tobias Brunner [Mon, 28 Jul 2014 11:46:16 +0000 (13:46 +0200)]
ike-mobike: Allow calling transmit() even when not currently path probing

Path probing is enabled if the current path is not available anymore.

6 years agoikev2: Defer path probing if no path is currently available
Tobias Brunner [Mon, 28 Jul 2014 11:12:20 +0000 (13:12 +0200)]
ikev2: Defer path probing if no path is currently available

We do the same before initiating the task, so we should probably do it
too when we already initiated it, not just time out and destroy the SA.

6 years agoike-mobike: Return FALSE in transmit() if no path was available
Tobias Brunner [Mon, 28 Jul 2014 11:12:09 +0000 (13:12 +0200)]
ike-mobike: Return FALSE in transmit() if no path was available

6 years agoikev2: Enable path probing for currently active MOBIKE task
Tobias Brunner [Mon, 28 Jul 2014 10:25:01 +0000 (12:25 +0200)]
ikev2: Enable path probing for currently active MOBIKE task

This might not be the case if e.g. an address appeared but the old one
is still available but not actually usable.  Without this the MOBIKE
task would eventually time out even though we might be able to switch
to a working address.

6 years agoike-mobike: Add method to enable path probing
Tobias Brunner [Mon, 28 Jul 2014 10:24:33 +0000 (12:24 +0200)]
ike-mobike: Add method to enable path probing

6 years agoike-mobike: Skip peer addresses we can't send packets to when checking paths
Tobias Brunner [Mon, 28 Jul 2014 10:09:16 +0000 (12:09 +0200)]
ike-mobike: Skip peer addresses we can't send packets to when checking paths

6 years agoikev2: Skip peer addresses we can't send packets to when looking for valid paths
Tobias Brunner [Mon, 28 Jul 2014 10:04:40 +0000 (12:04 +0200)]
ikev2: Skip peer addresses we can't send packets to when looking for valid paths

6 years agoikev2: Insert MOBIKE tasks at the front of the queue
Tobias Brunner [Tue, 22 Jul 2014 16:51:57 +0000 (18:51 +0200)]
ikev2: Insert MOBIKE tasks at the front of the queue

In case we have no usable path to the other peer there is no point in
initiating any other tasks (like rekeying).

6 years agoikev2: Migrate number of pending MOBIKE updates
Tobias Brunner [Tue, 22 Jul 2014 16:30:24 +0000 (18:30 +0200)]
ikev2: Migrate number of pending MOBIKE updates

This will probably never be more than 1 since we only have one task queued
at a time and we don't migrate running tasks.

6 years agoikev2: Properly keep track of pending MOBIKE updates
Tobias Brunner [Tue, 22 Jul 2014 16:25:37 +0000 (18:25 +0200)]
ikev2: Properly keep track of pending MOBIKE updates

Because we only queue one MOBIKE task at a time, but destroy superfluous
ones only after we already increased the counter for pending MOBIKE updates,
we have to reduce the counter when such tasks are destroyed.  Otherwise, the
queued task would assume another task is queued when it is running and
ignore any successful response.

6 years agoMerge branch 'android-pfs'
Tobias Brunner [Fri, 12 Sep 2014 08:24:48 +0000 (10:24 +0200)]
Merge branch 'android-pfs'

Changes how CHILD_SA rekeying errors are handled in the Android app and adds
CHILD_SA proposals with DH groups.

6 years agoandroid: Reduce CHILD_SA lifetime
Tobias Brunner [Mon, 11 Aug 2014 16:19:29 +0000 (18:19 +0200)]
android: Reduce CHILD_SA lifetime

6 years agoandroid: Add DH groups to ESP proposals
Tobias Brunner [Mon, 11 Aug 2014 16:17:00 +0000 (18:17 +0200)]
android: Add DH groups to ESP proposals

6 years agochild-cfg: Ignore duplicate proposals
Tobias Brunner [Mon, 11 Aug 2014 16:12:36 +0000 (18:12 +0200)]
child-cfg: Ignore duplicate proposals

If ESP proposals are added once with and once without DH groups
duplicates result during IKE_AUTH when DH groups are stripped.

6 years agoproposal: Fix equals()
Tobias Brunner [Mon, 11 Aug 2014 16:08:24 +0000 (18:08 +0200)]
proposal: Fix equals()

6 years agoandroid: Reestablish IKE_SA if CHILD_SA rekeying failed
Tobias Brunner [Mon, 11 Aug 2014 14:34:28 +0000 (16:34 +0200)]
android: Reestablish IKE_SA if CHILD_SA rekeying failed

6 years agoandroid: Report error if CHILD_SA rekeying fails
Tobias Brunner [Mon, 11 Aug 2014 14:09:35 +0000 (16:09 +0200)]
android: Report error if CHILD_SA rekeying fails

6 years agokernel-netlink: Add global option to configure MSS-clamping on installed routes
Tobias Brunner [Mon, 4 Aug 2014 13:57:46 +0000 (15:57 +0200)]
kernel-netlink: Add global option to configure MSS-clamping on installed routes

6 years agokernel-netlink: Add global option to set MTU on installed routes
Tobias Brunner [Mon, 4 Aug 2014 13:35:18 +0000 (15:35 +0200)]
kernel-netlink: Add global option to set MTU on installed routes

6 years agochunk: Fix Doxygen comments for chunk_internet_checksum[_inc]
Tobias Brunner [Thu, 11 Sep 2014 15:56:12 +0000 (17:56 +0200)]
chunk: Fix Doxygen comments for chunk_internet_checksum[_inc]

6 years agoauth-cfg: Fix crash after several reauthentications with multiple authentication...
Tobias Brunner [Thu, 11 Sep 2014 15:33:52 +0000 (17:33 +0200)]
auth-cfg: Fix crash after several reauthentications with multiple authentication rounds

Due to the issue described in c641974, purge() inadvertently destroyed
CA certificates that should have been kept (while the pointer to these
objects remained in the array).  This lead to incorrect reference counts
and after a few reauthentications with multiple authentication rounds,
which cause calls to purge(TRUE), to crashes.

6 years agoarray: Adjust negative index before calling remove_head|tail()
Tobias Brunner [Fri, 29 Aug 2014 08:18:07 +0000 (10:18 +0200)]
array: Adjust negative index before calling remove_head|tail()

For ARRAY_TAIL we most often want to call remove_tail() not remove_head().

6 years agoarray: Warn about caveat with array_remove_at() and value based arrays
Tobias Brunner [Thu, 11 Sep 2014 15:29:21 +0000 (17:29 +0200)]
array: Warn about caveat with array_remove_at() and value based arrays

Because enumerate() for value based arrays returns a pointer directly to
the internal array elements and because array_remove_at() or rather the
called array_remove() may move elements over the element at the currently
enumerated position, the pointer passed to enumerate() will point to a
different array element after the array_remove_at() call.  The caller
will thus operate on the wrong element if that pointer is accessed again
before calling enumerate().

For performance reasons we currently don't change the implementation to copy
each array element during enumeration to a private member of the enumerator and
return a pointer to that.  Similarly, due to the danger of subtle bugs we don't
remember the pointer passed to enumerate() to later redirect it to a copy
created during the array_remove_at() call.

6 years agoasn1: Try to fill the available binary OID buffer if possible
Tobias Brunner [Tue, 9 Sep 2014 09:46:38 +0000 (11:46 +0200)]
asn1: Try to fill the available binary OID buffer if possible