| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
The FreeBSD and Mac OS X kernels interpret sadb_sa_replay as the size of the
replay window in bytes. Linux on the other hand does the same for PF_KEY it
does for XFRM so sadb_sa_replay denotes the number of packets/bits in the
window. Similarly, the window size on Linux is limited to 32 by the four
byte default bitmap used for IPsec SAs (may only be changed with
XFRMA_REPLAY_ESN_VAL), which is not the case on the other platforms.
|
| | |
|
| |
|
|
|
|
| |
While our ASN.1 parser can't handle BER indefinite length encoding, the OpenSSL
backend can. Some PKCS#12 containers get encoded this way, so we should
support loading such files in the pem plugin.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
Since 42e0a317c64b ("ike: Only parse payloads valid for the current IKE
version") payload types are checked before creating objects. This check
failed for internally used payload types (e.g. proposal substructures),
which have a type >= 256, i.e. outside the IKE payload type range.
|
| | |
|
| | |
|
| |
|
|
|
|
| |
To make accept/recvmsg cancelable, we wrap them with poll. As poll itself
does not honor pending cancellations when entering the function, we use our
variant that checks for pending cancellation requests before entering poll().
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
This requires moving test files so that the Makefile for the tests can be
included after building libstrongswan, which requires the plugin when
building monolithically. Due to this a static helper library is required
as directly referring to object files (or source files) is not possible.
It's also necessary to avoid any link-time dependency on libstrongswan in
bliss_huffman, to avoid circular dependencies (bliss_huffman -> libstrongswan
-> bliss -> bliss_huffman).
|
| |
|
|
|
|
| |
Theoretically, n could be zero and these variables are then used
uninitialized. Older GCC versions warn about this and on Travis where we
compile with -Werror this causes the tests to fail.
|
| | |
|
| | |
|
| |
|
|
|
| |
When cancelling a builder, finalize throws an error which we might prefer
to avoid.
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
In recent ruby versions, extensions get built with -Wformat. As we use custom
printf specifiers, that does not work for us. As there does not seem to be a
reliable way to override -Wformat, we use a variable for the format string,
which prevents gcc from doing the -Wformat check in that particular situation.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
The transform identifier used in AH transforms is not the same as the
authentication algorithm identifier used in the transform attributes in
AH (and ESP) transforms.
|
| |
|
|
|
| |
While they SHOULD be sent as 16-bit values according to RFC 3173
a responder MUST be able to accept CPI values encoded in four bytes.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
This allows using e.g. AES for PKCS#8 and PKCS#12 files.
Some legacy schemes defined in RFC 2898 are not supported (like RC2).
Fixes #740.
|
| |
|
|
|
|
|
|
| |
The OID (1.3.6.1.4.1.3029.1.2) is technically not correct, the correct
one is (1.3.6.1.4.1.3029.1.1.2). Every other library or tool (like OpenSSL)
uses the incorrect one so we do the same.
References #740.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
While it was always documented as boolean setting, the option is currently
handled as integer value, for which yes/no values do not work. Instead the
default of TRUE is used for a no value.
The option has been moved a lot during the last years, and in some locations
was handled as bool, in some as integer. In the latest codebase it
congruently used integer, which is actually not what is documented and used
in testing.
Fixes #781.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
iOS and Mac OS X clients establish individual IPsec SAs for the traffic
selectors received in Split-Include attributes (might have been different
in earlier releases). If we return 0.0.0.0/0 as TSr that either results
in a bunch of Quick Mode exchanges (for each TS), or with the latest
client releases an error notify (ATTRIBUTES_NOT_SUPPORTED).
We also can't install the IPsec SA with all configured subnets as that
would cause conflicts if the client later negotiates SAs for other subnets,
which iOS 8 does based on traffic to such subnets.
For Shrew and the Cisco client, which propose 0.0.0.0/0, we still need to
override the narrowed TS with 0.0.0.0/0, as they otherwise won't accept
the Quick Mode response. Likewise, we also have to narrow the TS before
installing the IPsec SAs and policies.
So we basically have to follow the client's proposal and only modify TSr
if we received 0.0.0.0/0. Since we don't get the original TS in the
narrow hook we handle the inbound QM messages and make note of IKE_SAs on
which we received a TSr of 0.0.0.0/0.
Fixes #737.
|
| |
|
|
| |
The second call resulted in a /32 subnet previously.
|
| | |
|
| |
|
|
|
|
| |
Similar to the inbound rules, the ALE filter processes IP-in-IP packets for
outbound tunnel mode traffic. When using an outbound default-drop policy,
Windows does not allow connection initiation without these explicit rules.
|
| |
|
|
|
|
|
|
|
|
|
| |
When processing inbound tunnel mode packets, Windows decrypts packets and
filters them as IP-in-IP packets. We therefore require an ALE filter that
calls the FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_ALE_ACCEPT callout to allow them
when using a default-drop policy.
Without these rules, any outbound packet created an ALE state that allows
inbound packets as well. Processing inbound packets without any outbound
traffic fails without these rules.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
As the underlying C functions, send/recv on ruby sockets are not guaranteed
to send/recv all requested bytes. Use wrapper functions to make sure we get
all bytes needed.
|
| |
|
|
| |
Fixes #780.
|
| |
|
|
| |
pki tool
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
