aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
| * vici: Add ike/child-rekey eventsTobias Brunner2015-08-172-0/+108
| |
| * vici: Document the ike/child-updown eventsTobias Brunner2015-08-171-0/+23
| |
| * vici: Don't include a child-sas section in ike-updown eventTobias Brunner2015-08-171-2/+0
| | | | | | | | | | | | This makes it clearer that only the data concerning the IKE_SA is transmitted (there could be CHILD_SAs e.g. during IKEv1 reauthentication).
| * vici: Explicitly notify listeners of the type of ike/child-updown eventTobias Brunner2015-08-171-0/+11
|/
* Version bump to 5.3.3dr55.3.3dr5Andreas Steffen2015-08-161-1/+1
|
* Fixed AR identities in mutual TNC measurements caseAndreas Steffen2015-08-153-2/+11
|
* kernel-pfroute: Don't install virtual IPs if charon.install_virtual_ip is ↵Tobias Brunner2015-08-131-0/+17
| | | | disabled
* load-tester: Include string.h for strcmp() on some platformsTobias Brunner2015-08-131-0/+1
|
* Initialize variables that some compilers seem to warn aboutTobias Brunner2015-08-134-4/+4
|
* Fixed some typosTobias Brunner2015-08-135-8/+8
|
* kernel-netlink: When adding a policy do an update if it already existsTobias Brunner2015-08-131-1/+9
| | | | | | | | | | This may be the case when SAs are reestablished after a crash of the IKE daemon. We could actually always do updates. The kernel doesn't care, the only difference is the possible EEXIST if XFRM_MSG_NEWPOLICY is used. The advantage of not doing this, though, is that we get a warning in the log if a policy already exists, as that should usually not be the case.
* kernel-pfkey: When adding policies do an update if they already existTobias Brunner2015-08-131-1/+10
| | | | | This may be the case when SAs are reestablished after a crash of the IKE daemon.
* pki: Optionally extract public key from given private key in --issueTobias Brunner2015-08-102-6/+30
| | | | Fixes #618.
* conf: Clarify resolution for two time settingsTobias Brunner2015-08-102-4/+4
| | | | Fixes #1061.
* Version bump to 5.3.3dr45.3.3dr4Andreas Steffen2015-08-101-1/+1
|
* identification: Use UTF8String instead of the legacy T61String to encode DNsTobias Brunner2015-08-061-1/+1
| | | | | | | When strings in RDNs contain characters outside the character set for PrintableString use UTF8String as the passed string is most likely in that encoding (RFC 5280 actually recommends to use only those two string types).
* whitelist: Use hash() method so DNs with different string types matchTobias Brunner2015-08-061-1/+1
| | | | | | | | | | strongSwan uses PrintableString when encoding DNs from strings (if the character set permits it, otherwise T61String is currently used) but certificates might be encoded with UTF8String even for simple ASCII strings. By ignoring this string type when hashing RDNs we make sure the same hash results in this case as long as the actual string values are the same. Fixes #991.
* identification: Add hash() methodTobias Brunner2015-08-063-3/+135
| | | | | | | Compared to hashing the encoding we can ignore string types of RDNs when hashing DNs, making hash() compatible to equals() that does the same. Fixes #991.
* pkcs11: Fix encoding of RSA keys if unnecessarily zero prefixedTobias Brunner2015-08-061-3/+8
| | | | | | | | | | | | | | Some tokens/libraries seem to prefix all numbers with zero bytes even if not necessary (e.g. the default exponent 0x010001). If we don't fix that, the fingerprints calculated based on the retrieved values will be incorrect. Even if the pkcs1 plugin can properly handle numbers that are not in two's complement since a81bd670b086 ("Added PUBKEY_RSA_MODULUS encoding type") we prefix them with zero if necessary as other encoders might expect them in two's complement. Fixes #1012.
* updown: Pass virtual IPs assigned to a peer to the updown scriptTobias Brunner2015-08-062-8/+20
| | | | | | Previously only received virtual IPs were available. References #1008.
* eap-radius: Don't send RADIUS Accounting Start messages twiceTobias Brunner2015-08-061-0/+5
| | | | | | | | If a client does Mode Config during reauthentication the assign_vips() event might be triggered twice, we should not send another Start message in that case. Fixes #937.
* eap-radius: Change trigger for Accounting Start messages for IKEv1Tobias Brunner2015-08-062-6/+13
| | | | | | | | | | | | | | | | | | | | | Some clients won't do Mode Config or XAuth during reauthentication. Because Start messages previously were triggered by TRANSACTION exchanges none were sent for new SAs of such clients, while Stop messages were still sent for the old SAs when they were destroyed. This resulted in an incorrect state on the RADIUS server. Since 31be582399 the assign_vips() event is also triggered during reauthentication if the client does not do a Mode Config exchange. So instead of waiting for a TRANSACTION exchange we trigger the Start message when a virtual IP is assigned to a client. With this the charon.plugins.eap-radius.accounting_requires_vip option would not have any effect for IKEv1 anymore. However, it previously also only worked if the client did an XAuth exchange, which is probably rarely used without virtual IPs, so this might not be much of a regression. Fixes #937.
* testing: Update AAA certificate on Freeradius as wellAndreas Steffen2015-08-052-42/+42
|
* testing: Updated expired AAA server certificateAndreas Steffen2015-08-049-88/+115
|
* configure: Explicitly disable unused parameter warnings in qsort_r testTobias Brunner2015-08-041-1/+1
| | | | | | | | When compiling with -Wextra (and without disabling these warnings globally) the tests would otherwise fail due to the unused arguments in the cmp() functions. Fixes #1053.
* printf-hook-builtin: Fix invalid memory accessTobias Brunner2015-08-041-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When precision is given for a string, we must not run unbounded strlen() as it will read beyond the given length. It might even cause a crash if the given pointer is near end of heap or mapping. Fixes numerous valgrind errors such as: ==19215== Invalid read of size 1 ==19215== at 0x52D36C6: builtin_vsnprintf (printf_hook_builtin.c:853) ==19215== by 0x52D40A8: builtin_snprintf (printf_hook_builtin.c:1084) ==19215== by 0x52CE464: dntoa (identification.c:337) ==19215== by 0x52CE464: identification_printf_hook (identification.c:837) ==19215== by 0x52D3DAA: builtin_vsnprintf (printf_hook_builtin.c:1010) ==19215== by 0x57040EB: vlog (bus.c:388) ==19215== by 0x570427D: log_ (bus.c:430) ==19215== by 0xA8445D3: load_x509_ca (stroke_cred.c:416) ==19215== by 0xA8445D3: load_certdir (stroke_cred.c:537) ==19215== by 0xA846A95: load_certs (stroke_cred.c:1353) ==19215== by 0xA846A95: stroke_cred_create (stroke_cred.c:1475) ==19215== by 0xA84073E: stroke_socket_create (stroke_socket.c:782) ==19215== by 0xA83F27C: register_stroke (stroke_plugin.c:53) ==19215== by 0x52C3125: load_feature (plugin_loader.c:716) ==19215== by 0x52C3125: load_provided (plugin_loader.c:778) ==19215== by 0x52C3A20: load_features (plugin_loader.c:799) ==19215== by 0x52C3A20: load_plugins (plugin_loader.c:1159) ==19215== Address 0x50cdb42 is 0 bytes after a block of size 2 alloc'd ==19215== at 0x4C919FE: malloc (vg_replace_malloc.c:296) ==19215== by 0x52CD198: chunk_printable (chunk.c:759) ==19215== by 0x52CE442: dntoa (identification.c:334) ==19215== by 0x52CE442: identification_printf_hook (identification.c:837) ==19215== by 0x52D3DAA: builtin_vsnprintf (printf_hook_builtin.c:1010) ==19215== by 0x57040EB: vlog (bus.c:388) ==19215== by 0x570427D: log_ (bus.c:430) ==19215== by 0xA8445D3: load_x509_ca (stroke_cred.c:416) ==19215== by 0xA8445D3: load_certdir (stroke_cred.c:537) ==19215== by 0xA846A95: load_certs (stroke_cred.c:1353) ==19215== by 0xA846A95: stroke_cred_create (stroke_cred.c:1475) ==19215== by 0xA84073E: stroke_socket_create (stroke_socket.c:782) ==19215== by 0xA83F27C: register_stroke (stroke_plugin.c:53) ==19215== by 0x52C3125: load_feature (plugin_loader.c:716) ==19215== by 0x52C3125: load_provided (plugin_loader.c:778) ==19215== by 0x52C3A20: load_features (plugin_loader.c:799) ==19215== by 0x52C3A20: load_plugins (plugin_loader.c:1159)
* kernel-netlink: Use PAGE_SIZE as default size for the netlink receive bufferTobias Brunner2015-08-042-2/+12
| | | | | | | | The kernel uses NLMSG_GOODSIZE as default buffer size, which defaults to the PAGE_SIZE if it is lower than 8192 or to that value otherwise. In some cases (e.g. for dump messages) the kernel might use up to 16k for messages, which might require increasing this value.
* kernel-netlink: Actually verify if the netlink message exceeds the buffer sizeTobias Brunner2015-08-041-2/+2
| | | | | | It might equal it and that's fine. With MSG_TRUNC we get the actual message size and can only report an error if we haven't received the complete message.
* ha: Properly initialize algo variables when installing CHILD_SAsTobias Brunner2015-08-041-1/+1
| | | | | | | | | | If AEAD algorithms are used no integrity algorithm will be received from the other HA node. But since AUTH_UNDEFINED is 1024 and not 0 this value was incorrectly added to the proposal, resulting in a failure during key derivation. The variables are now explicitly initialized to 0, as already was the case for the IKE SAs. Fixes #1051.
* ha: Sync remote address in HA_IKE_ADD, tooThomas Egerer2015-08-042-0/+11
| | | | | | | | | | | | When the IKE_SA is synced without the remote address, after a reauthentication charon is not able to find it in its connected_peers table since the destination host will be %any (it's missing in the message, hence the default from the newly created ike_sa_t -- %any -- will be used). By adding the value to the HA_IKE_ADD message, we should be able to solve this problem. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* jobs: Don't execute rekey CHILD_SA job on passive IKE_SAsThomas Egerer2015-08-041-1/+4
| | | | Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* ike: Disable NAT keepalives in state PASSIVEThomas Egerer2015-08-041-3/+12
| | | | Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* testing: Don't run do-tests when hosts are not runningTobias Brunner2015-08-031-0/+1
| | | | | | running_any is satisfied if at least one host is running. We could easily add a running_all() helper to check if all hosts are running if it turns out that's not strong enough.
* testing: Suppress errors when checking for running hostsTobias Brunner2015-08-031-1/+1
| | | | | If libvirt is not running virsh can't connect to it and will complain that the socket does not exist.
* Version bump to 5.3.3dr35.3.3dr3Andreas Steffen2015-07-311-1/+1
|
* testing: Adapted ha/both-active scenario to new jhash valuesAndreas Steffen2015-07-316-8/+11
|
* testing: Fix initial kernel buildTobias Brunner2015-07-311-2/+2
| | | | | | The directory does not exist yet if the kernel was never built. Fixes: a4a13d0be29b ("testing: Extract and patch each kernel version only once")
* ha: Use the same init values for jhash() as Linux 4.1Tobias Brunner2015-07-311-2/+19
|
* kernel-netlink: Unlock mutex in del_policy() if mark can't be added to messageTobias Brunner2015-07-311-0/+1
|
* sql: Fix memory leak in SQL loggerTobias Brunner2015-07-281-0/+1
|
* Version bump to 5.3.3dr2Andreas Steffen2015-07-281-1/+1
|
* android: New release fixing roaming on 5+ and adding new advanced optionsTobias Brunner2015-07-281-2/+2
|
* Merge branch 'android-updates'Tobias Brunner2015-07-2838-399/+1242
|\ | | | | | | | | | | | | | | | | | | | | Fixes the roaming behavior on Android 5+, a linker issue on Android M, a few bugs, and adds several new advanced options for VPN profile (MTU, server port, split tunneling). Also adds methods and a constructor to parse settings_t from a string instead of a file. Fixes #782, #847, #865.
| * android: Keep NDK API level at 19Tobias Brunner2015-07-281-0/+1
| | | | | | | | | | | | The headers/libraries changed a lot with level 21 so that our app won't run on devices with Android < 5 when built against it. We currently don't need any new native APIs so that should be fine.
| * android: Apply split tunneling options when creating TUN deviceTobias Brunner2015-07-281-11/+111
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Android blocks traffic for address families for which no IPs, DNS servers or routes are installed via VpnService.Builder. Since Android 5+ (API level 21) it is possible to explicitly allow such traffic to bypass the VPN. So for proper split tunneling we note whether we saw a VIP and/or DNS server of a specific family, and if not, allow traffic of that family to bypass the VPN using the new API (on older systems there is no change and such traffic will still be blocked). Otherwise, we do what we did so far, that is, simply install the received routes (traffic selectors), all other traffic will not be directed to the TUN device and use the underlying network instead. If traffic for a family should be blocked we install a default route via TUN device even if we received more specific traffic selectors from the server. libipsec will use the actual traffic selectors as IPsec policies and drop any packets it received that don't match them. We only do this if we saw any VIPs or DNS servers of a family. Otherwise the traffic for that family is blocked anyway.
| * include: Remove linux/types.h headerTobias Brunner2015-07-282-174/+1
| | | | | | | | | | This conflicts with the headers of the android-21 target. Hopefully headers on current Linux distros are recent enough.
| * android: Build against the android-21 targetTobias Brunner2015-07-281-1/+1
| |
| * android: Extend GUI so the split tunneling options can be setTobias Brunner2015-07-287-1/+45
| |
| * android: Add field for split tunneling config to data modelTobias Brunner2015-07-282-3/+28
| |
| * android: Retrigger a roam event if reportedly connected but no source ↵Tobias Brunner2015-07-281-2/+35
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | address found In dual-stack environments the IPv6 connectivity (via autoconfiguration) might be established before the IPv4 connectivity (via DHCP). It seems Android triggers the CONNECTIVITY_ACTION broadcast already when the first family is fully configured. At that time we might not be able to find an IPv4 source address. And since Android does not trigger the broadcast again if IPv4 connectivity is established, the connection is broken afterwards. So we store the connectivity state and if we are reportedly connected but still find no source address we trigger a roam event to recheck for an IPv4 address. This will cause regular rechecks if a device enters an IPv6-only network, but I guess that's rare (otherwise we could limit the number of rechecks done between connectivity changes).
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-05 05:01:47 +0000