strongswan.git
4 years agoVersion bump to 5.3.0
Andreas Steffen [Fri, 27 Mar 2015 19:55:48 +0000 (20:55 +0100)]
Version bump to 5.3.0

4 years agoFixed PB-TNC error handling
Andreas Steffen [Fri, 27 Mar 2015 13:39:56 +0000 (14:39 +0100)]
Fixed PB-TNC error handling

4 years agoAdded configurations for 3.18 and 3.19 KMV guest kernels
Andreas Steffen [Fri, 27 Mar 2015 10:36:34 +0000 (11:36 +0100)]
Added configurations for 3.18 and 3.19 KMV guest kernels

4 years agoFixed strongswan.conf man page entry of imc-attestation
Andreas Steffen [Fri, 27 Mar 2015 10:14:49 +0000 (11:14 +0100)]
Fixed strongswan.conf man page entry of imc-attestation

4 years agoAdded tnc/tnccs-20-pt-tls scenario
Andreas Steffen [Fri, 27 Mar 2015 09:56:50 +0000 (10:56 +0100)]
Added tnc/tnccs-20-pt-tls scenario

4 years agocmac: Reset state before doing set_key()
Martin Willi [Fri, 27 Mar 2015 15:07:53 +0000 (16:07 +0100)]
cmac: Reset state before doing set_key()

4 years agoaf-alg: Reset hmac/xcbc state before doing set_key()
Martin Willi [Fri, 27 Mar 2015 15:06:21 +0000 (16:06 +0100)]
af-alg: Reset hmac/xcbc state before doing set_key()

4 years agoxcbc: Reset XCBC state in set_key()
Martin Willi [Fri, 27 Mar 2015 14:51:52 +0000 (15:51 +0100)]
xcbc: Reset XCBC state in set_key()

If some partial data has been appended, a truncated key gets invalid if it
is calculated from the pending state.

4 years agohmac: Reset the underlying hasher before doing set_key() with longer keys
Martin Willi [Fri, 27 Mar 2015 14:48:29 +0000 (15:48 +0100)]
hmac: Reset the underlying hasher before doing set_key() with longer keys

The user might have done a non-complete append, having some state in the
hasher.

Fixes #909.

4 years agocrypto-tester: Test set_key() after a doing a partial append on prf/signers
Martin Willi [Fri, 27 Mar 2015 14:46:24 +0000 (15:46 +0100)]
crypto-tester: Test set_key() after a doing a partial append on prf/signers

While that use is uncommon in real-world use, nonetheless should HMAC set a
correct key and reset any underlying hasher.

4 years agostroke: Properly parse bliss key strength in public key constraint
Tobias Brunner [Wed, 25 Mar 2015 12:27:15 +0000 (13:27 +0100)]
stroke: Properly parse bliss key strength in public key constraint

4 years agoeap-tnc: Free eap-tnc object if IKE_SA not found to get IPs
Tobias Brunner [Wed, 25 Mar 2015 12:24:37 +0000 (13:24 +0100)]
eap-tnc: Free eap-tnc object if IKE_SA not found to get IPs

4 years agotnccs-20: Fix error handling in build()
Tobias Brunner [Wed, 25 Mar 2015 12:23:14 +0000 (13:23 +0100)]
tnccs-20: Fix error handling in build()

4 years agoandroid: Add messages/ita directory to tnccs-20 plugin
Tobias Brunner [Wed, 25 Mar 2015 10:52:41 +0000 (11:52 +0100)]
android: Add messages/ita directory to tnccs-20 plugin

4 years agoandroid: Sync libstrongswan Makefile.am and Android.mk
Tobias Brunner [Wed, 25 Mar 2015 10:40:04 +0000 (11:40 +0100)]
android: Sync libstrongswan Makefile.am and Android.mk

4 years agolibtnccs: Set apidoc category to libtnccs and move plugins
Tobias Brunner [Wed, 25 Mar 2015 10:23:26 +0000 (11:23 +0100)]
libtnccs: Set apidoc category to libtnccs and move plugins

4 years agolibtnccs: Fix apidoc category for split IF-TNCCS 2.0 header files
Tobias Brunner [Wed, 25 Mar 2015 10:21:00 +0000 (11:21 +0100)]
libtnccs: Fix apidoc category for split IF-TNCCS 2.0 header files

Fixes 80322d2cee75 ("Split IF-TNCCS 2.0 protocol processing into
separate TNC client and server handlers").

4 years agoFixed some typos, courtesy of codespell
Tobias Brunner [Wed, 25 Mar 2015 09:59:36 +0000 (10:59 +0100)]
Fixed some typos, courtesy of codespell

4 years agokernel-netlink: Copy current usage stats to new SA in update_sa()
Tobias Brunner [Mon, 23 Mar 2015 17:37:48 +0000 (18:37 +0100)]
kernel-netlink: Copy current usage stats to new SA in update_sa()

This is needed to fix usage stats sent via RADIUS Accounting if clients
use MOBIKE or e.g. the kernel notifies us about a changed NAT mapping.
The upper layers won't expect the stats to get reset if only the IPs have
changed (and some kernel interface might actually allow such updates
without reset).

It also fixes traffic based lifetimes in such situations.

Fixes #799.

4 years agochild-sa: Add a new state to track rekeyed IKEv1 CHILD_SAs
Tobias Brunner [Tue, 24 Mar 2015 17:36:49 +0000 (18:36 +0100)]
child-sa: Add a new state to track rekeyed IKEv1 CHILD_SAs

This is needed to handle DELETEs properly, which was previously done via
CHILD_REKEYING, which we don't use anymore since 5c6a62ceb6 as it prevents
reauthentication.

4 years agoikev1: Inverse check when applying received KE value during Quick Mode 5.3.0rc1
Martin Willi [Tue, 24 Mar 2015 08:37:38 +0000 (09:37 +0100)]
ikev1: Inverse check when applying received KE value during Quick Mode

Fixes Quick Mode negotiation when PFS is in use.

4 years agoVersion bump to 5.3.0rc1
Andreas Steffen [Mon, 23 Mar 2015 22:15:31 +0000 (23:15 +0100)]
Version bump to 5.3.0rc1

4 years agotesting: added tnc/tnccs-20-mutual scenario
Andreas Steffen [Mon, 23 Mar 2015 22:01:13 +0000 (23:01 +0100)]
testing: added tnc/tnccs-20-mutual scenario

4 years agoImplemented PB-TNC mutual half-duplex protocol
Andreas Steffen [Sun, 22 Mar 2015 00:07:31 +0000 (01:07 +0100)]
Implemented PB-TNC mutual half-duplex protocol

4 years agoOptionally announce PB-TNC mutual protocol capability
Andreas Steffen [Sat, 21 Mar 2015 11:30:24 +0000 (12:30 +0100)]
Optionally announce PB-TNC mutual protocol capability

4 years agoSplit IF-TNCCS 2.0 protocol processing into separate TNC client and server handlers
Andreas Steffen [Fri, 20 Mar 2015 21:01:46 +0000 (22:01 +0100)]
Split IF-TNCCS 2.0 protocol processing into separate TNC client and server handlers

4 years agoMerge branch 'dh-checks'
Martin Willi [Mon, 23 Mar 2015 16:54:20 +0000 (17:54 +0100)]
Merge branch 'dh-checks'

Extend the diffie-hellman interface by success return values, and do some
basic length checks for DH public values.

4 years agoencoding: Remove DH public value verification from KE payload
Martin Willi [Mon, 23 Mar 2015 13:34:11 +0000 (14:34 +0100)]
encoding: Remove DH public value verification from KE payload

This commit reverts 84738b1a and 2ed5f569.

As we have no DH group available in the KE payload for IKEv1, the verification
can't work in that stage. Instead, we now verify DH groups in the DH backends,
which works for any IKE version or any other purpose.

4 years agodiffie-hellman: Verify public DH values in backends
Martin Willi [Mon, 23 Mar 2015 13:32:11 +0000 (14:32 +0100)]
diffie-hellman: Verify public DH values in backends

4 years agodiffie-hellman: Add a bool return value to set_other_public_value()
Martin Willi [Mon, 23 Mar 2015 12:09:32 +0000 (13:09 +0100)]
diffie-hellman: Add a bool return value to set_other_public_value()

4 years agodiffie-hellman: Add a bool return value to get_my_public_value()
Martin Willi [Mon, 23 Mar 2015 10:37:27 +0000 (11:37 +0100)]
diffie-hellman: Add a bool return value to get_my_public_value()

4 years agolibimcv: Allow pts_t.set_peer_public_value() to fail
Martin Willi [Mon, 23 Mar 2015 10:28:57 +0000 (11:28 +0100)]
libimcv: Allow pts_t.set_peer_public_value() to fail

4 years agolibimcv: Allow pts_t.get_my_public_value() to fail
Martin Willi [Mon, 23 Mar 2015 10:25:37 +0000 (11:25 +0100)]
libimcv: Allow pts_t.get_my_public_value() to fail

4 years agoencoding: Allow ke_payload_create_from_diffie_hellman() to fail
Martin Willi [Mon, 23 Mar 2015 10:10:40 +0000 (11:10 +0100)]
encoding: Allow ke_payload_create_from_diffie_hellman() to fail

4 years agodiffie-hellman: Use bool instead of status_t as get_shared_secret() return value
Martin Willi [Mon, 23 Mar 2015 09:54:24 +0000 (10:54 +0100)]
diffie-hellman: Use bool instead of status_t as get_shared_secret() return value

While such a change is not unproblematic, keeping status_t makes the API
inconsistent once we introduce return values for the public value operations.

4 years agoload-tester: Migrate NULL DH implementation to INIT/METHOD macros
Martin Willi [Mon, 23 Mar 2015 09:44:55 +0000 (10:44 +0100)]
load-tester: Migrate NULL DH implementation to INIT/METHOD macros

4 years agoikev1: Make sure SPIs in an IKEv1 DELETE payload match the current SA
Tobias Brunner [Mon, 23 Mar 2015 09:58:30 +0000 (10:58 +0100)]
ikev1: Make sure SPIs in an IKEv1 DELETE payload match the current SA

OpenBSD's isakmpd uses the latest ISAKMP SA to delete other expired SAs.
This caused strongSwan to delete e.g. a rekeyed SA even though isakmpd
meant to delete the old one.

What isakmpd does might not be standard compliant. As RFC 2408 puts
it:

  Deletion which is concerned with an ISAKMP SA will contain a
  Protocol-Id of ISAKMP and the SPIs are the initiator and responder
  cookies from the ISAKMP Header.

This could either be interpreted as "copy the SPIs from the ISAKMP
header of the current message to the DELETE payload" (which is what
strongSwan assumed, and the direction IKEv2 took it, by not sending SPIs
for IKE), or as clarification that ISAKMP "cookies" are actually the
SPIs meant to be put in the payload (but that any ISAKMP SA may be
deleted).

4 years agoencoding: Add getter for IKE SPIs in IKEv1 DELETE payloads
Tobias Brunner [Mon, 23 Mar 2015 09:53:58 +0000 (10:53 +0100)]
encoding: Add getter for IKE SPIs in IKEv1 DELETE payloads

4 years agopki: Choose default digest based on the signature key
Tobias Brunner [Tue, 17 Mar 2015 13:40:02 +0000 (14:40 +0100)]
pki: Choose default digest based on the signature key

4 years agopki: Use SHA-256 as default for signatures
Tobias Brunner [Mon, 16 Mar 2015 17:25:22 +0000 (18:25 +0100)]
pki: Use SHA-256 as default for signatures

Since the BLISS private key supports this we don't do any special
handling anymore (if the user choses a digest that is not supported,
signing will simply fail later because no signature scheme will be found).

4 years agotrap-manager: Add option to ignore traffic selectors from acquire events
Tobias Brunner [Thu, 12 Mar 2015 10:50:20 +0000 (11:50 +0100)]
trap-manager: Add option to ignore traffic selectors from acquire events

The specific traffic selectors from the acquire events, which are derived
from the triggering packet, are usually prepended to those from the
config.  Some implementations might not be able to handle these properly.

References #860.

4 years agounit-tests: Fix settings test after merging multi-line strings
Tobias Brunner [Mon, 23 Mar 2015 09:46:32 +0000 (10:46 +0100)]
unit-tests: Fix settings test after merging multi-line strings

4 years agoswanctl: Append /ESN to proposal for a CHILD_SA using Extended Sequence Numbers
Martin Willi [Mon, 23 Mar 2015 09:12:06 +0000 (10:12 +0100)]
swanctl: Append /ESN to proposal for a CHILD_SA using Extended Sequence Numbers

We previously printed just the value for the "esn" keyword, which is "1", and
not helpful as such.

Fixes #904.

4 years agounit-tests: Depend on SHA1/SHA256 features for mgf1 test cases
Martin Willi [Mon, 23 Mar 2015 08:53:34 +0000 (09:53 +0100)]
unit-tests: Depend on SHA1/SHA256 features for mgf1 test cases

4 years agoman: More accurately describe features of the new parser in ipsec.conf(5)
Tobias Brunner [Thu, 19 Mar 2015 17:34:26 +0000 (18:34 +0100)]
man: More accurately describe features of the new parser in ipsec.conf(5)

4 years agosettings: Merge quoted strings that span multiple lines
Tobias Brunner [Thu, 19 Mar 2015 17:34:02 +0000 (18:34 +0100)]
settings: Merge quoted strings that span multiple lines

4 years agostarter: Merge quoted strings that span multiple lines
Tobias Brunner [Thu, 19 Mar 2015 17:33:19 +0000 (18:33 +0100)]
starter: Merge quoted strings that span multiple lines

4 years agoencoding: Don't verify length of IKEv1 KE payloads
Tobias Brunner [Fri, 20 Mar 2015 15:32:56 +0000 (16:32 +0100)]
encoding: Don't verify length of IKEv1 KE payloads

The verification introduced with 84738b1aed95 ("encoding: Verify the length
of KE payload data for known groups") can't be done for IKEv1 as the KE
payload does not contain the DH group.

4 years agocharon-systemd: Optionally load plugin list from charon-systemd.load
Tobias Brunner [Thu, 19 Mar 2015 15:19:24 +0000 (16:19 +0100)]
charon-systemd: Optionally load plugin list from charon-systemd.load

4 years agoapidoc: Limit INPUT to src subdirectory and README.md
Martin Willi [Thu, 19 Mar 2015 11:17:03 +0000 (12:17 +0100)]
apidoc: Limit INPUT to src subdirectory and README.md

While 0909bf6c explicitly includes the whole source tree (to cover README.md),
this has the unpleasant side effect of covering a workspace under "testing"
with all its sources, or any other potential subdirectory that exists.

4 years agoutils: Fix enum_flags_to_string parameter name to match Doxygen description
Martin Willi [Thu, 19 Mar 2015 11:14:30 +0000 (12:14 +0100)]
utils: Fix enum_flags_to_string parameter name to match Doxygen description

4 years agoattr-sql: Rename sql_attribute_t to attr_sql_provider_t
Martin Willi [Thu, 19 Mar 2015 10:24:31 +0000 (11:24 +0100)]
attr-sql: Rename sql_attribute_t to attr_sql_provider_t

As the plugin has its origins in the sql plugin, it still uses the naming
scheme for the attribute provider implementation. Rename the class to better
match the naming scheme we use in any other plugin

4 years agoikev1: Adopt virtual IPs on new IKE_SA during re-authentication
Tobias Brunner [Fri, 20 Feb 2015 15:57:13 +0000 (16:57 +0100)]
ikev1: Adopt virtual IPs on new IKE_SA during re-authentication

Some clients like iOS/Mac OS X don't do a mode config exchange on the
new SA during re-authentication.  If we don't adopt the previous virtual
IP Quick Mode rekeying will later fail.

If a client does do Mode Config we directly reassign the VIPs we migrated
from the old SA, without querying the attributes framework.

Fixes #807, #810.

4 years agoikev1: Mark rekeyed CHILD_SAs as INSTALLED
Tobias Brunner [Wed, 11 Mar 2015 14:48:51 +0000 (15:48 +0100)]
ikev1: Mark rekeyed CHILD_SAs as INSTALLED

Since we keep them around until they finally expire they otherwise would block
IKE_SA rekeying/reauthentication.

4 years agomem-pool: Remove entries without online or offline leases
Tobias Brunner [Wed, 11 Mar 2015 10:27:38 +0000 (11:27 +0100)]
mem-pool: Remove entries without online or offline leases

This avoids filling up the hash table with unused/old identities.

References #841.

4 years agokernel-handler: Log new endpoint if NAT mapping changed
Tobias Brunner [Tue, 17 Mar 2015 12:00:54 +0000 (13:00 +0100)]
kernel-handler: Log new endpoint if NAT mapping changed

4 years agochild-sa: Remove policies before states to avoid acquire events for untrapped policies
Tobias Brunner [Tue, 17 Mar 2015 08:58:00 +0000 (09:58 +0100)]
child-sa: Remove policies before states to avoid acquire events for untrapped policies

4 years agoMerge branch 'vici-python'
Martin Willi [Wed, 18 Mar 2015 14:03:28 +0000 (15:03 +0100)]
Merge branch 'vici-python'

Introduce a Python Egg for the vici plugin, contributed by Björn Schuberg.

4 years agoNEWS: Introduce vici Python Egg
Martin Willi [Fri, 6 Mar 2015 12:33:13 +0000 (13:33 +0100)]
NEWS: Introduce vici Python Egg

4 years agotravis: Install pip to install pytest in "all" tests
Martin Willi [Wed, 18 Mar 2015 13:28:17 +0000 (14:28 +0100)]
travis: Install pip to install pytest in "all" tests

This allows ./configure to detect py.test, and execute python unit tests we
provide in the vici python egg.

4 years agovici: Add support for python 3
Björn Schuberg [Mon, 9 Mar 2015 11:28:02 +0000 (12:28 +0100)]
vici: Add support for python 3

4 years agovici: Execute python tests during "check" if py.test is available
Martin Willi [Wed, 11 Mar 2015 09:18:56 +0000 (10:18 +0100)]
vici: Execute python tests during "check" if py.test is available

4 years agoconfigure: Check optional py.test availability when building with python eggs
Martin Willi [Wed, 11 Mar 2015 09:01:40 +0000 (10:01 +0100)]
configure: Check optional py.test availability when building with python eggs

4 years agovici: Add test of Packet layer in python library
Björn Schuberg [Mon, 9 Mar 2015 10:20:02 +0000 (11:20 +0100)]
vici: Add test of Packet layer in python library

4 years agovici: Add test of Message (de)serialization in python library
Björn Schuberg [Mon, 9 Mar 2015 10:12:30 +0000 (11:12 +0100)]
vici: Add test of Message (de)serialization in python library

4 years agovici: Evaluate Python streamed command results, and raise CommandException
Martin Willi [Mon, 9 Mar 2015 11:16:10 +0000 (12:16 +0100)]
vici: Evaluate Python streamed command results, and raise CommandException

4 years agovici: Catch Python GeneratorExit to properly cancel streamed event iteration
Martin Willi [Mon, 9 Mar 2015 11:06:38 +0000 (12:06 +0100)]
vici: Catch Python GeneratorExit to properly cancel streamed event iteration

4 years agovici: Fall back to heap buffer when vararg printing on stack fails
Martin Willi [Fri, 6 Mar 2015 09:54:34 +0000 (10:54 +0100)]
vici: Fall back to heap buffer when vararg printing on stack fails

This avoids failures when building log event messages including larger hexdumps.

4 years agovici: Return a Python generator instead of a list for streamed responses
Martin Willi [Mon, 2 Mar 2015 14:25:55 +0000 (15:25 +0100)]
vici: Return a Python generator instead of a list for streamed responses

In addition that it may reduce memory usage and improve performance for large
responses, it returns immediate results. This is important for longer lasting
commands, such as initiate/terminate, where immediate log feedback is preferable
when interactively calling such commands.

4 years agovici: Raise a Python CommandException instead of returning a CommandResult
Martin Willi [Mon, 2 Mar 2015 14:19:32 +0000 (15:19 +0100)]
vici: Raise a Python CommandException instead of returning a CommandResult

4 years agovici: Add initial Python egg documentation to README
Martin Willi [Fri, 27 Feb 2015 14:37:40 +0000 (15:37 +0100)]
vici: Add initial Python egg documentation to README

4 years agovici: Use OrderedDict to handle vici responses in Python library
Martin Willi [Fri, 27 Feb 2015 13:30:34 +0000 (14:30 +0100)]
vici: Use OrderedDict to handle vici responses in Python library

The default Python dictionaries are unordered, but order is important for some
vici trees (for example the order of authentication rounds).

4 years agovici: Return authentication rounds with unique names
Martin Willi [Fri, 27 Feb 2015 13:28:47 +0000 (14:28 +0100)]
vici: Return authentication rounds with unique names

To simplify handling of authentication rounds in dictionaries/hashtables on the
client side, we assign unique names to each authentication round when listing
connection.

4 years agovici: Rebuild ruby gem on source file changes
Martin Willi [Fri, 27 Feb 2015 13:05:12 +0000 (14:05 +0100)]
vici: Rebuild ruby gem on source file changes

4 years agovici: Use default Unix vici socket if none passed to ruby constructor
Martin Willi [Fri, 27 Feb 2015 13:03:35 +0000 (14:03 +0100)]
vici: Use default Unix vici socket if none passed to ruby constructor

While we currently have a static path instead of one generated with Autotools,
this at least is congruent to what we have in the Python library.

4 years agovici: Support non-Unix sockets for vici connections using Python
Martin Willi [Fri, 27 Feb 2015 12:59:23 +0000 (13:59 +0100)]
vici: Support non-Unix sockets for vici connections using Python

4 years agovici: Add python egg setuptools building and installation using easy_install
Martin Willi [Wed, 25 Feb 2015 15:20:10 +0000 (16:20 +0100)]
vici: Add python egg setuptools building and installation using easy_install

An uninstall target is currently not supported, as there is no trivial way with
either plain setuptools or with easy_install. pip would probably be the best
choice, but we currently don't depend on it.

4 years agovici: Generate a version specific setup.py for setuptools installation
Martin Willi [Wed, 25 Feb 2015 15:18:29 +0000 (16:18 +0100)]
vici: Generate a version specific setup.py for setuptools installation

4 years agovici: Include python package in distribution
Martin Willi [Wed, 25 Feb 2015 15:04:57 +0000 (16:04 +0100)]
vici: Include python package in distribution

4 years agoconfigure: Add --enable-python-eggs and --with-pythoneggdir options
Martin Willi [Wed, 25 Feb 2015 13:34:27 +0000 (14:34 +0100)]
configure: Add --enable-python-eggs and --with-pythoneggdir options

Detect easy_install for Python egg installation to install any egg we provide
in strongSwan.

4 years agovici: Add python package MIT license
Björn Schuberg [Sun, 15 Feb 2015 23:17:00 +0000 (00:17 +0100)]
vici: Add python package MIT license

4 years agovici: Expose Session as a top-level symbol in python package
Björn Schuberg [Sun, 15 Feb 2015 18:18:52 +0000 (19:18 +0100)]
vici: Expose Session as a top-level symbol in python package

4 years agovici: Introduce main API Session class in python package
Björn Schuberg [Sun, 15 Feb 2015 15:13:44 +0000 (16:13 +0100)]
vici: Introduce main API Session class in python package

4 years agovici: Add a python vici command execution handler
Björn Schuberg [Sat, 14 Feb 2015 14:53:25 +0000 (15:53 +0100)]
vici: Add a python vici command execution handler

4 years agovici: Add vici python protocol handler
Björn Schuberg [Sat, 14 Feb 2015 11:54:31 +0000 (12:54 +0100)]
vici: Add vici python protocol handler

4 years agoMerge branch 'swanctl-pkcs12'
Martin Willi [Wed, 18 Mar 2015 12:36:50 +0000 (13:36 +0100)]
Merge branch 'swanctl-pkcs12'

Add support for loading PKCS#12 containers from a swanctl/pkcs12 directory.

Fixes #815.

4 years agoswanctl: Cache entered PKCS#12 decryption secret
Martin Willi [Wed, 11 Mar 2015 15:52:54 +0000 (16:52 +0100)]
swanctl: Cache entered PKCS#12 decryption secret

It is usually used more than once, but most likely the same for decryption and
MAC verification.

4 years agoswanctl: Support loading PKCS#12 containers from a pkcs12 swanctl directory
Martin Willi [Wed, 11 Mar 2015 15:23:56 +0000 (16:23 +0100)]
swanctl: Support loading PKCS#12 containers from a pkcs12 swanctl directory

4 years agoswanctl: Generalize private key decryption to support other credential types
Martin Willi [Wed, 11 Mar 2015 15:23:11 +0000 (16:23 +0100)]
swanctl: Generalize private key decryption to support other credential types

4 years agoencoding: Verify the length of KE payload data for known groups
Martin Willi [Tue, 3 Feb 2015 15:40:14 +0000 (16:40 +0100)]
encoding: Verify the length of KE payload data for known groups

IKE is very strict in the length of KE payloads, and it should be safe to
strictly verify their length. Not doing so is no direct threat, but allows DDoS
amplification by sending short KE payloads for large groups using the target
as the source address.

4 years agoikev2: Migrate MOBIKE additional peer addresses to new SA after IKE_SA rekeying
Martin Willi [Wed, 18 Mar 2015 12:32:27 +0000 (13:32 +0100)]
ikev2: Migrate MOBIKE additional peer addresses to new SA after IKE_SA rekeying

4 years agoikev2: Immediately initiate queued tasks after establishing rekeyed IKE_SA
Martin Willi [Wed, 11 Mar 2015 10:30:51 +0000 (11:30 +0100)]
ikev2: Immediately initiate queued tasks after establishing rekeyed IKE_SA

If additional tasks get queued before/while rekeying an IKE_SA, these get
migrated to the new IKE_SA. We previously did not trigger initiation of these
tasks, though, leaving the task unexecuted until a new task gets queued.

4 years agoVersion bump to 5.3.0dr2
Andreas Steffen [Mon, 16 Mar 2015 16:15:58 +0000 (17:15 +0100)]
Version bump to 5.3.0dr2

4 years agoReplace kid by aik_id in ITA TBOOT functional component
Andreas Steffen [Mon, 16 Mar 2015 16:15:28 +0000 (17:15 +0100)]
Replace kid by aik_id in ITA TBOOT functional component

4 years agoFixed two BLISS key type identifier strings
Andreas Steffen [Sun, 15 Mar 2015 18:29:25 +0000 (19:29 +0100)]
Fixed two BLISS key type identifier strings

4 years agocharon-systemd: Add missing semicolon
Martin Willi [Mon, 16 Mar 2015 08:31:17 +0000 (09:31 +0100)]
charon-systemd: Add missing semicolon

References #887, fixes f3c83322.

4 years agoosx: Include eap-gtc plugin in build instructions
Martin Willi [Mon, 16 Mar 2015 08:27:18 +0000 (09:27 +0100)]
osx: Include eap-gtc plugin in build instructions

4 years agoAdded availability of TNC AR IP address to IMVs to NEWS 5.3.0dr1
Andreas Steffen [Sun, 15 Mar 2015 11:30:32 +0000 (12:30 +0100)]
Added availability of TNC AR IP address to IMVs to NEWS

4 years agoCreate TPM TBOOT Measurement group
Andreas Steffen [Sun, 15 Mar 2015 11:24:05 +0000 (12:24 +0100)]
Create TPM TBOOT Measurement group

4 years agovici: Use %u to print stats returned by mallinfo(3)
Tobias Brunner [Fri, 13 Mar 2015 14:20:39 +0000 (15:20 +0100)]
vici: Use %u to print stats returned by mallinfo(3)

Fixes #886.