| Commit message | Author | Age | Files | Lines |
|---|---|---|---|---|
| ikev2: Reject CREATE_CHILD_SA exchange on unestablished IKE_SAs | Martin Willi | 2014-04-14 | 1 | -0/+9 |
| Prevents a responder peer from tricking us into established state by starting IKE_SA rekeying before the IKE_SA has been authenticated during IKE_AUTH. Fixes CVE-2014-2338. | | | | |
| eap-mschapv2: Fix potential leaks in case of invalid messages from servers | Tobias Brunner | 2014-04-09 | 1 | -0/+4 |
| stroke: Fix memory leak when printing unknown AC group OIDs | Tobias Brunner | 2014-04-09 | 1 | -0/+1 |
| ike-cfg: Properly compare IKE proposals for equality (tag: 5.1.3rc1) | Tobias Brunner | 2014-04-03 | 1 | -1/+1 |
| tls: Support a maximum TLS version to negotiate using TLS socket abstraction | Martin Willi | 2014-04-01 | 1 | -1/+1 |
| tls: Support a null encryption flag on TLS socket abstraction | Martin Willi | 2014-04-01 | 1 | -2/+2 |
| aead: Support custom AEAD salt sizes | Martin Willi | 2014-03-31 | 1 | -2/+27 |
| The salt, often called the implicit nonce, varies between AEAD algorithms and their use in protocols. For IKE and ESP, GCM uses 4 bytes, while CCM uses 3 bytes. With TLS, however, AEAD mode uses 4 bytes for both GCM and CCM. Our GCM backends currently support 4 bytes and CCM 3 bytes only. This is fine until we go for CCM mode support in TLS, which requires 4 byte nonces. | | | | |
| ikev2: Recreate a CHILD_SA that got a hard lifetime expire without rekeying | Martin Willi | 2014-03-31 | 1 | -0/+12 |
| Works around issues related to system time changes and kernel backends using that system time, such as Linux XFRM. | | | | |
| Properly hash pointers for hash tables where appropriate | Tobias Brunner | 2014-03-31 | 3 | -54/+5 |
| Simply using the pointer is not optimal for our hash table implementation, which simply masks the key to determine the bucket. | | | | |
| eap-radius: Add option to not close IKE_SAs on timeouts during interim accounting updates | Tobias Brunner | 2014-03-31 | 1 | -1/+6 |
| Fixes #528. | | | | |
| ikev1: Accept SPI size of any length <= 16 in ISAKMP proposal | Tobias Brunner | 2014-03-31 | 1 | -4/+12 |
| Fixes #533. | | | | |
| proposal: Don't fail DH proposal matching if peer includes NONE | Tobias Brunner | 2014-03-31 | 1 | -4/+19 |
| The DH transform is optional for ESP/AH proposals. The initiator can include NONE (0) in its proposal to indicate that while it prefers to do a DH exchange, the responder may still decide not to do so. Fixes #532. | | | | |
| ikev2: Cache all received attribute certificates to auth config | Martin Willi | 2014-03-31 | 1 | -1/+27 |
| ikev2: Send all known and valid attribute certificates for subject cert | Martin Willi | 2014-03-31 | 1 | -0/+46 |
| ikev2: Slightly refactor certificate payload construction to separate functions | Martin Willi | 2014-03-31 | 1 | -37/+56 |
| ike: Support encoding of attribute certificates in CERT payloads | Martin Willi | 2014-03-31 | 1 | -1/+6 |
| x509: Replace fixed acert group string getter by a more dynamic group enumerator | Martin Willi | 2014-03-31 | 1 | -16/+68 |
| tnc-pdp: Fix monolithic build | Tobias Brunner | 2014-03-20 | 1 | -1/+2 |
| tnc-ifmap: Get a reference to the client cert as it is also used in an auth config | Tobias Brunner | 2014-03-10 | 1 | -1/+1 |
| stroke: Use thread-safe dirname(3) | Tobias Brunner | 2014-02-24 | 1 | -6/+4 |
| stroke: Use dirname(3) correctly | Tobias Brunner | 2014-02-24 | 1 | -5/+5 |
| uclibc only defines strndup(3) if _GNU_SOURCE is defined | Tobias Brunner | 2014-02-19 | 2 | -3/+6 |
| References #516. | | | | |
| stroke: Use proper modifiers to print size_t arguments | Tobias Brunner | 2014-02-18 | 1 | -1/+1 |
| lookip: Properly return from disconnect callback job | Tobias Brunner | 2014-02-18 | 1 | -1/+3 |
| References #518. | | | | |
| lookip: Disconnect asynchronously to avoid dead-locking watcher unregistration | Martin Willi | 2014-02-17 | 1 | -3/+30 |
| While it really would be desirable to allow stream destruction during on_read() callbacks, this does not work anymore since e49b2998. Until we have a proper solution for this issue, use asynchronous disconnects for the only user doing so. Fixes #518. | | | | |
| libcharon: Remove unused charon->name | Tobias Brunner | 2014-02-12 | 2 | -13/+5 |
| libcharon: Use lib->ns instead of charon->name | Tobias Brunner | 2014-02-12 | 72 | -259/+255 |
| libhydra: Use lib->ns instead of hydra->daemon | Tobias Brunner | 2014-02-12 | 1 | -1/+1 |
| pool: Install SQL schemas from src/pool | Tobias Brunner | 2014-02-12 | 3 | -567/+0 |
| This allows us to install the schemas if either the attr-sql or sql plugin is enabled, since both use the same schema (at least in parts). | | | | |
| sql: Set default values for some fields in addresses table | Tobias Brunner | 2014-02-12 | 2 | -6/+6 |
| sql: Install SQL schemas in /usr/share/strongswan/templates/database | Tobias Brunner | 2014-02-12 | 1 | -0/+3 |
| sql: Remove unused cred.sql snippet | Tobias Brunner | 2014-02-12 | 1 | -24/+0 |
| ikev1: Fix config switching due to failed authentication during Aggressive mode | Tobias Brunner | 2014-02-12 | 1 | -3/+1 |
| The encoded ID payload gets destroyed by the authenticator, which caused a segmentation fault after the switch. Fixes #501. | | | | |
| updown: Return an empty DNS server enumerator if no IKE_SA available | Martin Willi | 2014-02-06 | 1 | -1/+1 |
| The one existing caller does not handle a NULL return and always expects an enumerator; and returning FALSE does not make sense anyway. | | | | |
| ike: Restart inactivity counter after doing a CHILD_SA rekey | Martin Willi | 2014-01-23 | 1 | -2/+3 |
| When doing a rekey for a CHILD_SA, the use counters get reset. An inactivity job is queued for a time unrelated to the rekey time, so it might happen that the inactivity job gets executed just after rekeying. If this happens, inactivity is detected even if we had traffic on the rekeyed CHILD_SA just before rekeying. This change implies that inactivity checks can't handle inactivity timeouts for rekeyed CHILD_SAs, and therefore requires that the inactivity timeout is shorter than the rekey time to have any effect. | | | | |
| child-sa: Add a getter for CHILD_SA install time | Martin Willi | 2014-01-23 | 2 | -0/+20 |
| xauth-pam: Open/close a PAM session for each connected client | Andrea Bonomi | 2014-01-23 | 4 | -9/+265 |
| Signed-off-by: Andrea Bonomi <a.bonomi@endian.com> | | | | |
| xauth-pam: Sanitize XAuth attributes before passing them to PAM | Martin Willi | 2014-01-23 | 1 | -1/+5 |
| ikev2: Add Cisco FRAGMENTATION vendor ID | Martin Willi | 2014-01-23 | 1 | -0/+2 |
| Courtesy of C.J. Adams-Collier, ZeroLag Communications, Inc. | | | | |
| ikev2: Add Cisco Copyright vendor ID | Martin Willi | 2014-01-23 | 1 | -0/+2 |
| Courtesy of C.J. Adams-Collier, ZeroLag Communications, Inc. | | | | |
| ikev2: Add Cisco Delete Reason vendor ID | Martin Willi | 2014-01-23 | 1 | -0/+2 |
| Courtesy of C.J. Adams-Collier, ZeroLag Communications, Inc. | | | | |
| ikev2: Use a more dynamic vendor ID database, as we use with IKEv1 | Martin Willi | 2014-01-23 | 1 | -16/+57 |
| stroke: Use chunk_map() instead of non-portable mmap() | Martin Willi | 2014-01-23 | 1 | -30/+6 |
| radattr: Use chunk_map() instead of non-portable mmap() | Martin Willi | 2014-01-23 | 1 | -40/+8 |
| chunk: Externalize error reporting in chunk_write() | Martin Willi | 2014-01-23 | 1 | -1/+10 |
| This avoids passing that arbitrary label just for error messages, and gives greater flexibility in handling errors. | | | | |
| unity: Send all traffic selectors in a single UNITY_SPLIT_INCLUDE attribute | Tobias Brunner | 2014-01-23 | 1 | -35/+47 |
| Cisco clients only handle the first such attribute. | | | | |
| unity: Change local TS to 0.0.0.0/0 as responder | Tobias Brunner | 2014-01-23 | 1 | -4/+7 |
| Cisco clients and Shrew expect a remote TS of 0.0.0.0/0 if Unity is used, otherwise Quick Mode fails. | | | | |
| unity: Send UNITY_SPLIT_INCLUDE attributes with proper padding | Tobias Brunner | 2014-01-23 | 1 | -11/+16 |
| The additional 6 bytes are not actually padding but are parsed by the Cisco client as protocol and src and dst ports (each two bytes but strangely only the first two in network order). | | | | |
| updown: Increase buffer size for script and environment variables | Tobias Brunner | 2014-01-23 | 1 | -1/+1 |
| updown: Add PLUTO_IPCOMP to indicate if IPComp was negotiated | Tobias Brunner | 2014-01-23 | 1 | -1/+7 |