strongswan.git
stroke: Add certificates extracted from PKCS#12 files to correct credential set
Tobias Brunner [Mon, 15 Jul 2013 08:59:13 +0000 (10:59 +0200)]

Only keys and shared secrets are moved from the temporary credential set after
loading all secrets.

pkcs12: Add plugin dependencies with soft dependencies on the most common algorithms
Tobias Brunner [Mon, 15 Jul 2013 08:48:19 +0000 (10:48 +0200)]

leak-detective: remove hdr entry when reallocating zero bytes
Martin Willi [Fri, 12 Jul 2013 17:58:02 +0000 (19:58 +0200)]

leak-detective: print total of allocated/leaked bytes in usage/report
Martin Willi [Fri, 12 Jul 2013 17:57:17 +0000 (19:57 +0200)]

dumm: add include for in.h, if_bridge.h now uses struct in6_addr
Martin Willi [Fri, 12 Jul 2013 16:19:32 +0000 (18:19 +0200)]

Recognize critical IssuingDistributionPoint CRL extension
Andreas Steffen [Fri, 12 Jul 2013 07:00:47 +0000 (09:00 +0200)]

Override policy recommendation in enforcement
Andreas Steffen [Thu, 11 Jul 2013 08:34:00 +0000 (10:34 +0200)]

openssl plugin can replace random, hmac, and gcm plugins
Andreas Steffen [Wed, 10 Jul 2013 18:38:07 +0000 (20:38 +0200)]

Added openssl-ikev2/net2net-pkcs12 scenario
Andreas Steffen [Wed, 10 Jul 2013 18:25:49 +0000 (20:25 +0200)]

Added ikev2/net2net-pkcs12 scenario
Andreas Steffen [Wed, 10 Jul 2013 18:17:44 +0000 (20:17 +0200)]

Version bump to 5.1.0dr3
Andreas Steffen [Wed, 10 Jul 2013 15:50:20 +0000 (17:50 +0200)]

conntrack -F makes ikev2/nat-rw scenario work always
Andreas Steffen [Wed, 10 Jul 2013 15:07:56 +0000 (17:07 +0200)]

leak-detective: add a usage threshold option based on the number of allocations
Martin Willi [Wed, 10 Jul 2013 15:27:31 +0000 (17:27 +0200)]

leak-detective: set_state() only affects the calling thread
Martin Willi [Wed, 10 Jul 2013 15:16:49 +0000 (17:16 +0200)]

The only user (bfd backtraces) is fine with that, and we really should not
mess with the enable flag while doing allocations with other threads.

leak-detective: take a copy of backtrace while printing traces
Martin Willi [Wed, 10 Jul 2013 15:15:00 +0000 (17:15 +0200)]

As we don't want to hold the lock, we must make sure backtraces keep valid
while printing them.

backtrace: add a clone() method
Martin Willi [Wed, 10 Jul 2013 15:14:20 +0000 (17:14 +0200)]

leak-detective: remove hdr from the allocation list during realloc()
Martin Willi [Wed, 10 Jul 2013 14:29:18 +0000 (16:29 +0200)]

If realloc moves an allocation, the original allocation gets freed. We
therefore must remove the hdr from the list, as it is invalid. We can add it
afterwards once it has been updated, allowing us to unlock the list during
reallocation.

Fixed alignment of device ID column (tag: 5.1.0dr2)
Andreas Steffen [Wed, 10 Jul 2013 09:37:22 +0000 (11:37 +0200)]

android: New release after adding support for EAP-TNC
Tobias Brunner [Mon, 8 Jul 2013 16:45:46 +0000 (18:45 +0200)]

Also disabled listening on IPv6 because the Linux kernel currently does
not support UDP encapsulation for IPv6.

Merge branch 'android-byod'
Tobias Brunner [Mon, 8 Jul 2013 16:50:09 +0000 (18:50 +0200)]

Adds support for EAP-TNC with a custom Android-specific IMC that
collects data such as installed packages, file hashes or system
settings.

Some parts of the implementation are based on the bachelor semester
project 'strongSwan Android 4 Client with Endpoint Assessment' by
Christoph Bühler and Patrick Lötscher.

android: Properly handle dotted-quad notation of IPv6 addresses
Tobias Brunner [Mon, 8 Jul 2013 13:38:47 +0000 (15:38 +0200)]

For netstat output like ::ffff:127.0.0.1:9876 we shall not treat 127 as
port but 9876 instead.

android: Allow IMC state to be dismissed with a swipe gesture
Tobias Brunner [Fri, 5 Jul 2013 15:20:21 +0000 (17:20 +0200)]

android: Use explicit locale when converting settings names
Tobias Brunner [Wed, 3 Jul 2013 14:30:44 +0000 (16:30 +0200)]

Apparently, these functions use the user's default locale which might not
yield the expected result (e.g. lowercase I is not i in the Turkish
locale but ı instead).

android: Add information about transmitted data if EAP-TNC is selected
Tobias Brunner [Wed, 3 Jul 2013 14:27:36 +0000 (16:27 +0200)]

android: Reuse certificate selector as generic two line button
Tobias Brunner [Wed, 3 Jul 2013 08:58:25 +0000 (10:58 +0200)]

android: Add device ID in BeginHandshake
Tobias Brunner [Mon, 24 Jun 2013 13:58:34 +0000 (15:58 +0200)]

android: Add new VpnType to enable BYOD features
Tobias Brunner [Wed, 19 Jun 2013 10:41:09 +0000 (12:41 +0200)]

Use strpfx() helper where appropriate
Tobias Brunner [Wed, 19 Jun 2013 10:39:12 +0000 (12:39 +0200)]

utils: Add helper function to check a string for a given prefix
Tobias Brunner [Wed, 19 Jun 2013 10:24:40 +0000 (12:24 +0200)]

utils: Convert string helper macros to static inline functions
Tobias Brunner [Wed, 19 Jun 2013 10:22:29 +0000 (12:22 +0200)]

android: Use a different set of plugins if BYOD features are enabled
Tobias Brunner [Wed, 19 Jun 2013 10:00:04 +0000 (12:00 +0200)]

android: IMC state fragment is a button that shows remediation instructions or log
Tobias Brunner [Thu, 30 May 2013 10:16:30 +0000 (12:16 +0200)]

android: Show remediation instructions instead of log on failure
Tobias Brunner [Thu, 30 May 2013 10:04:59 +0000 (12:04 +0200)]

android: Properly hide the IMC state fragment initially
Tobias Brunner [Thu, 30 May 2013 09:57:39 +0000 (11:57 +0200)]

android: Add activity that displays a list of remediation instructions
Tobias Brunner [Thu, 30 May 2013 09:55:44 +0000 (11:55 +0200)]

On large displays a two-pane layout is used that displays the list next
to the actual instructions.

android: Add fragment for a list of remediation instructions
Tobias Brunner [Thu, 30 May 2013 09:47:01 +0000 (11:47 +0200)]

This fragment can later be used in one- or two-pane layouts.

android: Add adapter for remediation instructions
Tobias Brunner [Thu, 30 May 2013 09:38:05 +0000 (11:38 +0200)]

android: Add fragment that displays a single remediation instruction
Tobias Brunner [Thu, 30 May 2013 09:18:24 +0000 (11:18 +0200)]

android: RemediationInstruction implements Parcelable interface
Tobias Brunner [Thu, 30 May 2013 09:11:28 +0000 (11:11 +0200)]

android: Background for state panels provides separator
Tobias Brunner [Thu, 30 May 2013 08:50:08 +0000 (10:50 +0200)]

android: Add fragment that displays the IMC state
Tobias Brunner [Fri, 17 May 2013 16:18:07 +0000 (18:18 +0200)]

The fragment hides itself if the state is unknown or the assessment
succeeded.

android: Handle and store IETF remediation instructions
Tobias Brunner [Fri, 17 May 2013 11:15:14 +0000 (13:15 +0200)]

android: Add a parser for XML remediation instructions
Tobias Brunner [Fri, 17 May 2013 11:08:54 +0000 (13:08 +0200)]

android: Show different error message depending on IMC state
Tobias Brunner [Thu, 16 May 2013 11:32:50 +0000 (13:32 +0200)]

android: Clear error only when the user explicitly dismisses the dialog
Tobias Brunner [Wed, 15 May 2013 16:35:00 +0000 (18:35 +0200)]

The previous code worked fine on rotation changes as the fragment is
destroyed and recreated causing onCreate to be called, which restores the
saved error state.  But if the user switches to a different application
and then back this is not the case.  The dialog still gets dismissed (as
we have to do so to avoid nasty exceptions on rotation changes) but since
that implicitly cleared the error state the UI was never fully restored.

android: Add state of IMC to VpnStateService and update it via JNI
Tobias Brunner [Wed, 15 May 2013 13:52:16 +0000 (15:52 +0200)]

android: Handle TCG file measurement related attributes using PTS
Tobias Brunner [Thu, 2 May 2013 16:49:26 +0000 (18:49 +0200)]

android: Android IMC state provides a Platform Trust Service (PTS) instance
Tobias Brunner [Thu, 2 May 2013 16:48:05 +0000 (18:48 +0200)]

android: Provide a public interface for Android IMC state
Tobias Brunner [Thu, 2 May 2013 16:47:05 +0000 (18:47 +0200)]

libimcv: Properly deinitialize libimcv
Tobias Brunner [Thu, 2 May 2013 12:43:28 +0000 (14:43 +0200)]

Other users of imcv_pa_tnc_attributes (libpts) check if it is NULL before
removing vendor IDs.

android: Define IMC functions static and with lower-case names
Tobias Brunner [Thu, 2 May 2013 12:41:55 +0000 (14:41 +0200)]

libpts: Skip unreadable files when measuring directories
Tobias Brunner [Thu, 2 May 2013 12:13:40 +0000 (14:13 +0200)]

android: Add measurement collector for ITA Device ID
Tobias Brunner [Mon, 24 Jun 2013 13:50:48 +0000 (15:50 +0200)]

android: Add measurement collector for ITA Settings
Tobias Brunner [Fri, 26 Apr 2013 16:17:32 +0000 (18:17 +0200)]

android: Handle ITA PA-TNC attributes
Tobias Brunner [Fri, 26 Apr 2013 16:17:07 +0000 (18:17 +0200)]

android: Overload for getMeasurement() that takes a String array as argument
Tobias Brunner [Fri, 26 Apr 2013 16:12:21 +0000 (18:12 +0200)]

android: Add measurement collector for Port Filter
Tobias Brunner [Fri, 26 Apr 2013 15:11:15 +0000 (17:11 +0200)]

This collector reports all listening TCP and UDP sockets/ports.

android: Enum type for transport protocols added
Tobias Brunner [Fri, 26 Apr 2013 15:10:20 +0000 (17:10 +0200)]

android: Add measurement collector for Installed Packages
Tobias Brunner [Fri, 26 Apr 2013 13:36:03 +0000 (15:36 +0200)]

android: Add measurement collector for Product Information
Tobias Brunner [Fri, 26 Apr 2013 12:29:00 +0000 (14:29 +0200)]

android: Also support writing of 24-bit values
Tobias Brunner [Fri, 26 Apr 2013 12:27:52 +0000 (14:27 +0200)]

android: Add measurement collector for String Version
Tobias Brunner [Thu, 25 Apr 2013 17:43:56 +0000 (19:43 +0200)]

android: Interfaces for measurement collectors and attributes added
Tobias Brunner [Thu, 25 Apr 2013 17:07:34 +0000 (19:07 +0200)]

android: Add a Java utility class similar to bio_writer_t
Tobias Brunner [Thu, 25 Apr 2013 16:54:40 +0000 (18:54 +0200)]

android: Add enum types for PENs and attribute types
Tobias Brunner [Thu, 25 Apr 2013 15:31:54 +0000 (17:31 +0200)]

android: Add a generic handler for PA-TNC attribute requests
Tobias Brunner [Thu, 25 Apr 2013 15:20:15 +0000 (17:20 +0200)]

The idea is that the Android IMC will return attributes in their binary
encoding.  This keeps the JNI interface to the IMC pretty simple.

imv-scanner: Only add a reason string if there is something to report
Tobias Brunner [Thu, 25 Apr 2013 10:43:23 +0000 (12:43 +0200)]

android: Added a Java part to the Android IMC
Tobias Brunner [Wed, 24 Apr 2013 14:24:14 +0000 (16:24 +0200)]

android: Don't attempt loading IMCs from /etc/tnc_config
Tobias Brunner [Wed, 24 Apr 2013 13:28:13 +0000 (15:28 +0200)]

libtnccs: Don't try to load IMCs/IMVs from a file if there is no filename
Tobias Brunner [Wed, 24 Apr 2013 13:27:31 +0000 (15:27 +0200)]

Ignore Eclipse project/workspace files
Tobias Brunner [Tue, 23 Apr 2013 16:19:34 +0000 (18:19 +0200)]

Students seem to like Eclipse to work on strongSwan.

android: Build libpts and init/deinit libpts in BYOD IMC
Tobias Brunner [Wed, 24 Apr 2013 16:36:59 +0000 (18:36 +0200)]

libpts: Android.mk added
Tobias Brunner [Wed, 24 Apr 2013 16:36:23 +0000 (18:36 +0200)]

android: Added a sample IMC that sends some dummy OS data
Tobias Brunner [Thu, 11 Oct 2012 13:26:19 +0000 (15:26 +0200)]

android: Build option added to load BYOD related plugins and libraries in the Android app
Tobias Brunner [Thu, 11 Oct 2012 11:50:18 +0000 (13:50 +0200)]

android: Added support to build tnc-imc plugin
Tobias Brunner [Thu, 11 Oct 2012 09:28:45 +0000 (11:28 +0200)]

android: Added support to build eap-tnc, tnc-tnccs and tnccs-20 plugins
Tobias Brunner [Thu, 11 Oct 2012 09:10:19 +0000 (11:10 +0200)]

android: Added function to include source files from plugin subdirectories
Tobias Brunner [Thu, 11 Oct 2012 09:06:35 +0000 (11:06 +0200)]

libimcv: Android.mk added
Tobias Brunner [Thu, 11 Oct 2012 07:35:45 +0000 (09:35 +0200)]

Cosmetics
Andreas Steffen [Mon, 8 Jul 2013 15:58:14 +0000 (17:58 +0200)]

Scanner IMV without workitems provides immediate recommendation, too
Andreas Steffen [Mon, 8 Jul 2013 15:52:30 +0000 (17:52 +0200)]

attr-sql: Add unity_split_exclude as alias for unity_local_lan
Tobias Brunner [Mon, 8 Jul 2013 15:19:56 +0000 (17:19 +0200)]

attr-sql: Fix double free when adding subnets for unknown attribute types
Tobias Brunner [Mon, 8 Jul 2013 15:17:24 +0000 (17:17 +0200)]

Attestation IMV provides recommendation only once
Andreas Steffen [Mon, 8 Jul 2013 15:06:51 +0000 (17:06 +0200)]

Skip enforcement if a recent measurement was successful
Andreas Steffen [Mon, 8 Jul 2013 14:08:05 +0000 (16:08 +0200)]

libtncif: Android.mk updated
Tobias Brunner [Fri, 5 Jul 2013 11:57:44 +0000 (13:57 +0200)]

android: Disable listening on IPv6
Tobias Brunner [Wed, 3 Jul 2013 15:59:44 +0000 (17:59 +0200)]

As we have to use UDP encapsulation and the Linux kernel currently does
not support that, this avoids issues with dual-stack gateways.

socket-default: Add options to disable address families
Tobias Brunner [Wed, 3 Jul 2013 15:57:24 +0000 (17:57 +0200)]

ike: Resolve hosts only for address families currently supported
Tobias Brunner [Wed, 3 Jul 2013 15:39:58 +0000 (17:39 +0200)]

net: Socket implementations report the address families they support
Tobias Brunner [Wed, 3 Jul 2013 15:32:40 +0000 (17:32 +0200)]

Added config-3.10
Andreas Steffen [Thu, 4 Jul 2013 21:17:10 +0000 (23:17 +0200)]

Version bump to 5.1.0dr2
Andreas Steffen [Thu, 4 Jul 2013 20:56:19 +0000 (22:56 +0200)]

Always return a result string for a processed workitem
Andreas Steffen [Thu, 4 Jul 2013 20:55:58 +0000 (22:55 +0200)]

Make Block stronger than Isolate in default policy
Andreas Steffen [Thu, 4 Jul 2013 20:54:47 +0000 (22:54 +0200)]

Register packages under Debian 7.0 x86_64
Andreas Steffen [Thu, 4 Jul 2013 20:53:41 +0000 (22:53 +0200)]

openssl: RAND_pseudo_bytes() returns 0 if bytes are not cryptographically strong
Martin Willi [Thu, 4 Jul 2013 09:09:54 +0000 (11:09 +0200)]

For our purposes with RNG_WEAK this is fine, so accept a zero return value.

Ping from dave before shutting down tcpdump in libipsec/rw-suite-b test case (tag: 5.1.0dr1)
Tobias Brunner [Mon, 1 Jul 2013 11:48:21 +0000 (13:48 +0200)]

libipsec: Properly handle expiration if no lifetime is set
Tobias Brunner [Mon, 1 Jul 2013 11:47:11 +0000 (13:47 +0200)]

charon-cmd: Ignore generated man page
Tobias Brunner [Mon, 1 Jul 2013 10:33:02 +0000 (12:33 +0200)]

Enable libipsec and charon-cmd in strongSwan recipe
Andreas Steffen [Mon, 1 Jul 2013 10:32:33 +0000 (12:32 +0200)]