Commit message    Author    Age    Files    Lines
...
| * kernel-interface: Pass full list of traffic selectors to add_sa()
|   Martin Willi, 2015-02-20, 11 files, -34/+28 lines
|
|   While we can handle the first selector only in BEET mode in kernel-netlink,
|   passing the full list gives the backend more flexibility in how to handle
|   this information.
| * libipsec: Remove unused src/dst_ts parameters from ipsec_sa_mgr_t.add_sa()
|   Martin Willi, 2015-02-20, 6 files, -18/+7 lines
| * kernel-pfkey: Don't update during add_sa(), but delete SPI allocation state
|   Martin Willi, 2015-02-20, 1 file, -7/+18 lines
| * kernel-interface: Remove reqid parameter from get_spi/get_cpi() methods
|   Martin Willi, 2015-02-20, 11 files, -56/+43 lines
|
|   The reqid is not strictly required, as we set the reqid with the update
|   call when installing the negotiated SA. If we don't need a reqid at this
|   stage, we can later allocate the reqid in the kernel backend once the SA
|   parameters have been fully negotiated. This allows us to assign the same
|   reqid for the same selectors to avoid conflicts on backends where this is
|   necessary.
| * libipsec: Remove unused reqid parameter from ipsec_sa_mgr_t.get_spi()
|   Martin Willi, 2015-02-19, 4 files, -9/+6 lines
|/
* libtls: Don't send TLS close notifies in EAP after application succeeds
  Martin Willi, 2015-02-19, 3 files, -3/+38 lines

  With the introduction of PT-TLS, we started sending TLS close notifies
  after the application layer completes (7bbf7aa9). While this makes sense
  for TCP based transports, it is not required in EAP methods. In EAP,
  handshake completion can be directly signaled using the outer EAP-SUCCESS
  message. This also saves one round-trip in the EAP exchange.

  Windows 7/8 does not seem to like TLS close notifies at all in EAP, and
  either stalls (EAP-TTLS) or disconnects (PEAP).

  Fixes #556.
* ha: Perform child rekeying outside of CHILD_SA enumerator
  Thomas Egerer, 2015-02-19, 1 file, -7/+22 lines

  When rekey_child_sa is called while enumerating the children of an IKE_SA,
  and the child to be rekeyed is redundant, a QUICK_DELETE task is queued
  instead of a QUICK_MODE task. This alters the IKE_SA's list of children
  (ike_sa_t::child_sas) invalidating the current element of the
  child_sa_enumerator. The enumerate function of linked_list_t will then
  advance to an element with unpredictable contents, most likely resulting
  in a segmentation violation. A similar behavior should be observed when
  delete_child_sa is called.

  This patch creates a list of protocol/spi values while holding the
  child_sa_enumerator and performs the rekeying (deletion of redundant)
  children after releasing the enumerator.

  Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* mem-pool: Document reassign_online option
  Tobias Brunner, 2015-02-12, 1 file, -0/+4 lines
* man: Document IKEv2 fragmentation in ipsec.conf(5)
  Tobias Brunner, 2015-02-10, 1 file, -4/+5 lines
* configure: Load SQL backends after crypto plugins
  Tobias Brunner, 2015-02-10, 1 file, -2/+2 lines

  If the MySQL client library is linked against OpenSSL the mysql plugin
  will cause a segmentation fault when it is unloaded after the openssl
  plugin has already been deinitialized. This is very similar to the issues
  with curl (see 44b6a34d438f).

  Fixes #814.
* stroke: Double the stroke message string buffer size
  Martin Willi, 2015-02-06, 1 file, -1/+1 lines
* starter: Fail sending stroke message if a string exceeds the buffer size
  Martin Willi, 2015-02-06, 1 file, -1/+13 lines

  Instead of silently setting the string value to NULL, we fail completely
  in sending the message to notify the user.

  Fixes #844.
* x509: Fix public key reference leak if authority key identifier does not match
  Martin Willi, 2015-02-06, 1 file, -10/+12 lines
* vici: Fix ruby gem author email
  Martin Willi, 2015-01-22, 1 file, -1/+1 lines
* trusted_enumerate requires an additional argument
  Andreas Steffen, 2015-01-21, 1 file, -1/+1 lines
* vici: Fix README example encoding element type values, off by one
  Martin Willi, 2015-01-21, 1 file, -10/+10 lines

  While we fixed the wrong values in the description with d39e04b5, the
  example values are still off by one.

  Fixes #828.
* libtls: Check for CHANGE_CIPHER_SPEC type only if upper layer returns NEED_MORE
  Martin Willi, 2015-01-12, 1 file, -6/+5 lines

  A type is returned only if upper layers successfully created a record,
  that is, returns NEED_MORE. If we do not check for the return value, we
  might check a previous record or the uninitialized type variable and
  falsely reset the sequence number.
* starter: Fix mark_out.mask in starter_cmp_conn()
  Maks Naumov, 2015-01-12, 1 file, -1/+1 lines
* _updown: Remove obsolete man pages
  Tobias Brunner, 2015-01-05, 4 files, -33/+0 lines
* Updated RFC3779 certificates (tag: 5.2.2)
  Andreas Steffen, 2014-12-28, 32 files, -309/+440 lines
* Version bump to 5.2.2
  Andreas Steffen, 2014-12-23, 1 file, -1/+1 lines
* unit-tests: Adapted to coverity fixes
  Andreas Steffen, 2014-12-23, 2 files, -12/+27 lines
* Fixed bad bit shift and sign extension errors
  Andreas Steffen, 2014-12-23, 4 files, -10/+34 lines
* bliss: Remove unnecessary cast to double
  Tobias Brunner, 2014-12-23, 1 file, -1/+1 lines

  Coverity is still not happy when the result of an integer division is
  assigned to a double (without e.g. casting the result to an int first to
  indicate the intent). The shift should avoid this issue.
* bliss: Log type if unsupported
  Tobias Brunner, 2014-12-23, 1 file, -1/+1 lines
* bliss: Make sure sampler exists after checking for it earlier
  Tobias Brunner, 2014-12-23, 1 file, -2/+2 lines
* pts: Do not override status with SUCCESS if length is invalid
  Tobias Brunner, 2014-12-23, 1 file, -1/+2 lines
* NEWS: Added info about CVE-2014-9221
  Tobias Brunner, 2014-12-23, 1 file, -0/+8 lines
* ikev2: Only touch the DH object if we have a matching proposal
  Tobias Brunner, 2014-12-23, 1 file, -11/+17 lines
* crypto: Define MODP_CUSTOM outside of IKE DH range
  Tobias Brunner, 2014-12-23, 9 files, -14/+17 lines

  Before this fix it was possible to crash charon with an IKE_SA_INIT
  message containing a KE payload with DH group MODP_CUSTOM(1025).
  Defining MODP_CUSTOM outside of the two byte IKE DH identifier range
  prevents it from getting negotiated.

  Fixes CVE-2014-9221.
* pki: Document correct output formats for --pkcs12 --export
  Tobias Brunner, 2014-12-19, 1 file, -2/+2 lines
* pki: Properly clean up if output format for --pkcs12 is wrong
  Tobias Brunner, 2014-12-19, 1 file, -0/+2 lines
* kernel-netlink: Add missing documentation for two options
  Tobias Brunner, 2014-12-19, 1 file, -0/+6 lines
* Merge branch 'osx-app'
  Martin Willi, 2014-12-18, 34 files, -21/+4742 lines
|\
|   Mainline the OS X App providing the graphical user interface for the
|   charon-xpc privileged helper.
| * osx: Update the README with App related bits
|   Martin Willi, 2014-12-17, 1 file, -9/+15 lines
| * osx: Initial import of the Objective-C App graphical user interface
|   Martin Willi, 2014-12-17, 27 files, -9/+4681 lines
| * apple: Redefine some additional clashing Mach types
|   Martin Willi, 2014-12-16, 4 files, -3/+13 lines
|
|   While they usually are not included in a normal strongSwan build, the
|   XPC header indirectly defines these Mach types. To build charon-xpc,
|   which uses both XPC and strongSwan includes, we have to redefine these
|   types.
| * kernel-pfroute: If a new interface appears, slightly delay address enumeration
|   Martin Willi, 2014-12-16, 1 file, -0/+9 lines
|
|   On OS X 10.10, when installing a virtual IP on a tun device, there is a
|   chance that a RTM_IFANNOUNCE is sent before the IP is ready on that link
|   when calling getifaddrs(). As we don't get an RTM_NEWADDR event either,
|   that race lets us miss the virtual IP install event, failing the
|   add_ip() call.
| * charon-xpc: Add a work-around to trigger IP address add events after boot
|   Martin Willi, 2014-12-16, 1 file, -0/+24 lines
|/
* mgf1: Use correct Doxygen groups
  Tobias Brunner, 2014-12-15, 2 files, -4/+4 lines
* bliss: Fix Doxygen comments
  Tobias Brunner, 2014-12-15, 2 files, -6/+6 lines
* Fixed some typos, courtesy of codespell
  Tobias Brunner, 2014-12-15, 3 files, -4/+4 lines
* kernel-pfkey: Fix replay window size on FreeBSD and Mac OS X
  Tobias Brunner, 2014-12-15, 1 file, -0/+6 lines

  The FreeBSD and Mac OS X kernels interpret sadb_sa_replay as the size of
  the replay window in bytes. Linux on the other hand does the same for
  PF_KEY as it does for XFRM, so sadb_sa_replay denotes the number of
  packets/bits in the window. Similarly, the window size on Linux is
  limited to 32 by the four byte default bitmap used for IPsec SAs (may
  only be changed with XFRMA_REPLAY_ESN_VAL), which is not the case on the
  other platforms.
* Updated BLISS CA certificate in ikev2/rw-ntru-bliss scenario (tag: 5.2.2rc1)
  Andreas Steffen, 2014-12-12, 3 files, -0/+0 lines
* Also initialize s_sign
  Andreas Steffen, 2014-12-12, 1 file, -1/+1 lines
* pem: Handle BER indefinite length encoding as binary ASN.1
  Martin Willi, 2014-12-12, 1 file, -1/+24 lines

  While our ASN.1 parser can't handle BER indefinite length encoding, the
  OpenSSL backend can. Some PKCS#12 containers get encoded this way, so we
  should support loading such files in the pem plugin.
* pki: Add command to export certificates and keys from PKCS#12 containers
  Tobias Brunner, 2014-12-12, 2 files, -9/+112 lines
* pki: Reformat PKCS#12 output and add an index for each certificate/key
  Tobias Brunner, 2014-12-12, 2 files, -14/+17 lines
* pki: Add simple PKCS#12 display command
  Tobias Brunner, 2014-12-12, 5 files, -1/+204 lines
* pki: Load hmac plugin which is required to decrypt PKCS#12 containers
  Tobias Brunner, 2014-12-12, 1 file, -1/+1 lines