strongswan.git
Build tls_test script only if TLS stack is enabled
Martin Willi [Tue, 7 Sep 2010 08:21:44 +0000 (10:21 +0200)]

Added PKCS#11 NEWS
Martin Willi [Tue, 7 Sep 2010 08:21:25 +0000 (10:21 +0200)]

Added (EAP-)TLS NEWS
Martin Willi [Tue, 7 Sep 2010 08:10:36 +0000 (10:10 +0200)]

Include ec_point_format extension in ClientHello
Martin Willi [Mon, 6 Sep 2010 16:51:38 +0000 (18:51 +0200)]

Added TLS specific EC point formats
Martin Willi [Mon, 6 Sep 2010 16:42:43 +0000 (18:42 +0200)]

Renamed ecp_format to ansi_format, as point formats in TLS use different identifiers
Martin Willi [Mon, 6 Sep 2010 16:36:27 +0000 (18:36 +0200)]

Enable the random plugin for scripts
Martin Willi [Mon, 6 Sep 2010 16:11:05 +0000 (18:11 +0200)]

Accept TLS records with zero-length plaintext
Martin Willi [Mon, 6 Sep 2010 15:04:59 +0000 (17:04 +0200)]

Added strongswan.conf option to filter for specific TLS suites
Martin Willi [Mon, 6 Sep 2010 14:44:47 +0000 (16:44 +0200)]

Added strongswan.conf options to filter cipher suites by specific algorithms
Martin Willi [Mon, 6 Sep 2010 14:37:45 +0000 (16:37 +0200)]

Register missing AUTH_HMAC_SHA384 algorithm without truncation
Martin Willi [Mon, 6 Sep 2010 14:36:16 +0000 (16:36 +0200)]

Fixed key type in TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Martin Willi [Mon, 6 Sep 2010 14:35:53 +0000 (16:35 +0200)]

Prepend point format to ECDH public key
Martin Willi [Mon, 6 Sep 2010 13:31:32 +0000 (15:31 +0200)]

Log the selected (EC)DH group
Martin Willi [Mon, 6 Sep 2010 09:19:47 +0000 (11:19 +0200)]

Parse unsupported TLS Hello extensions properly
Martin Willi [Mon, 6 Sep 2010 08:55:15 +0000 (10:55 +0200)]

Added TLS extension identifiers from RFC 3546
Martin Willi [Mon, 6 Sep 2010 08:54:11 +0000 (10:54 +0200)]

Of course, mark is also supported by pluto.
Tobias Brunner [Mon, 6 Sep 2010 10:04:26 +0000 (12:04 +0200)]

mark_in and mark_out are also supported by pluto.
Tobias Brunner [Mon, 6 Sep 2010 09:53:59 +0000 (11:53 +0200)]

Do not propose (EC)DHE suites if we do not support them
Martin Willi [Fri, 3 Sep 2010 16:24:03 +0000 (18:24 +0200)]

Offer only algorithms/suites we have a registered public key backend for
Martin Willi [Fri, 3 Sep 2010 16:11:03 +0000 (18:11 +0200)]

Added a final flag to builder registration to enumerate the actually supported algorithms
Martin Willi [Fri, 3 Sep 2010 16:09:48 +0000 (18:09 +0200)]

Fixed key type of ECDHE_RSA groups
Martin Willi [Fri, 3 Sep 2010 15:24:39 +0000 (17:24 +0200)]

Use a dynamic curve enumerator to list/convert TLS named curves
Martin Willi [Fri, 3 Sep 2010 15:05:39 +0000 (17:05 +0200)]

Use ECDH group check where appropriate
Martin Willi [Fri, 3 Sep 2010 14:22:49 +0000 (16:22 +0200)]

Added a generic function to check if a DH group is an EC group
Martin Willi [Fri, 3 Sep 2010 14:22:10 +0000 (16:22 +0200)]

Add ECDHE enabled cipher suites, including ECDSA variants
Martin Willi [Fri, 3 Sep 2010 10:54:40 +0000 (12:54 +0200)]

Added support for a non-truncated SHA384 HMAC variant, as used by TLS
Martin Willi [Fri, 3 Sep 2010 10:51:26 +0000 (12:51 +0200)]

Select private key based on received cipher suites
Martin Willi [Fri, 3 Sep 2010 10:50:18 +0000 (12:50 +0200)]

Support for EC curve Hello extension, EC curve fallback
Martin Willi [Fri, 3 Sep 2010 09:45:55 +0000 (11:45 +0200)]

Added server support for ECDHE key exchange
Martin Willi [Fri, 3 Sep 2010 09:00:37 +0000 (11:00 +0200)]

Added client support for ECDHE key exchange
Martin Willi [Fri, 3 Sep 2010 09:00:07 +0000 (11:00 +0200)]

Added TLS EC curve type and name identifiers
Martin Willi [Fri, 3 Sep 2010 08:59:01 +0000 (10:59 +0200)]

fixed typo
Andreas Steffen [Fri, 3 Sep 2010 11:30:40 +0000 (13:30 +0200)]

updown script variable is called PLUTO_UDP_ENC
Andreas Steffen [Fri, 3 Sep 2010 10:57:16 +0000 (12:57 +0200)]

Fixed left-/rightnexthop ipsec.conf options.
Tobias Brunner [Fri, 3 Sep 2010 09:44:01 +0000 (11:44 +0200)]

Check for queued TLS alerts after each handshake part
Martin Willi [Fri, 3 Sep 2010 07:32:39 +0000 (09:32 +0200)]

Added support for MODP_CUSTOM to gcrypt plugin
Martin Willi [Fri, 3 Sep 2010 07:32:18 +0000 (09:32 +0200)]

Added support for MODP_CUSTOM to openssl plugin
Martin Willi [Fri, 3 Sep 2010 07:31:51 +0000 (09:31 +0200)]

adapted debug options
Andreas Steffen [Fri, 3 Sep 2010 07:29:56 +0000 (09:29 +0200)]

adapted debug options
Andreas Steffen [Fri, 3 Sep 2010 07:27:16 +0000 (09:27 +0200)]

removed redundant debug output
Andreas Steffen [Thu, 2 Sep 2010 20:19:25 +0000 (22:19 +0200)]

version bump to 4.5.0dr2
Andreas Steffen [Thu, 2 Sep 2010 20:18:52 +0000 (22:18 +0200)]

optimized FreeRadius scenarios for debug output
Andreas Steffen [Thu, 2 Sep 2010 12:37:27 +0000 (14:37 +0200)]

added ikev2/rw-eap-tnc-radius scenario
Andreas Steffen [Thu, 2 Sep 2010 12:36:52 +0000 (14:36 +0200)]

added radius init script with increased debugging
Andreas Steffen [Thu, 2 Sep 2010 11:19:24 +0000 (13:19 +0200)]

display configuration and log of FreeRadius servers
Andreas Steffen [Thu, 2 Sep 2010 11:15:49 +0000 (13:15 +0200)]

Add DHE enabled RSA variants to the supported TLS suites
Martin Willi [Thu, 2 Sep 2010 17:27:37 +0000 (19:27 +0200)]

Added TLS server side support for DHE suites
Martin Willi [Thu, 2 Sep 2010 17:27:13 +0000 (19:27 +0200)]

Added TLS client side support for DHE suites
Martin Willi [Thu, 2 Sep 2010 17:26:19 +0000 (19:26 +0200)]

Store a MODP group we use for each TLS suite
Martin Willi [Thu, 2 Sep 2010 17:24:56 +0000 (19:24 +0200)]

Added support for MODP_CUSTOM to gmp plugin
Martin Willi [Thu, 2 Sep 2010 17:23:37 +0000 (19:23 +0200)]

Added a MODP_CUSTOM DH group which takes g and p as constructor arguments
Martin Willi [Thu, 2 Sep 2010 17:06:34 +0000 (19:06 +0200)]

Implemented "signature algorithm" hello extension
Martin Willi [Thu, 2 Sep 2010 17:19:17 +0000 (19:19 +0200)]

Added TLS extension identifiers
Martin Willi [Thu, 2 Sep 2010 17:07:45 +0000 (19:07 +0200)]

Added generic TLS data sign/verify, hash/sig algorithm construction
Martin Willi [Thu, 2 Sep 2010 17:15:16 +0000 (19:15 +0200)]

Continue with a randomized premaster if decryption failed / version mismatches
Martin Willi [Thu, 2 Sep 2010 12:48:30 +0000 (14:48 +0200)]

pluto: Removed unused lifetime from raw_eroute.
Tobias Brunner [Thu, 2 Sep 2010 16:59:53 +0000 (18:59 +0200)]

pluto: Added support for statically configured reqids.
Tobias Brunner [Thu, 2 Sep 2010 14:05:21 +0000 (16:05 +0200)]

testing: Added ikev1 xfrm mark scenarios.
Tobias Brunner [Mon, 30 Aug 2010 08:04:16 +0000 (10:04 +0200)]

pluto: Make marks available in updown script.
Tobias Brunner [Mon, 30 Aug 2010 08:01:37 +0000 (10:01 +0200)]

pluto: Fixed comparison of connections, if marks are specified.
Tobias Brunner [Mon, 30 Aug 2010 07:59:25 +0000 (09:59 +0200)]

pluto: Store xfrm marks on connection and use them when installing SAs and policies.
Tobias Brunner [Mon, 30 Aug 2010 07:56:53 +0000 (09:56 +0200)]

starter: Some whitespace cleanup.
Tobias Brunner [Mon, 30 Aug 2010 06:58:56 +0000 (08:58 +0200)]

pluto: Added PLUTO_UDP_ENC argument to updown script.
Tobias Brunner [Mon, 30 Aug 2010 06:54:38 +0000 (08:54 +0200)]

This contains the remote UDP port in case of UDP encapsulated ESP.

pluto: Return value fixed.
Tobias Brunner [Mon, 30 Aug 2010 06:47:13 +0000 (08:47 +0200)]

pluto: Removed bare shunt table.
Tobias Brunner [Wed, 18 Aug 2010 07:41:04 +0000 (09:41 +0200)]

Do not install routes for pluto.
Tobias Brunner [Tue, 17 Aug 2010 07:48:59 +0000 (09:48 +0200)]

There are some incompatibilities with e.g. passthrough policies.
Pluto installs required source routes via updown script.

pluto: Handle changed NAT mappings via libhydra's kernel interface.
Tobias Brunner [Mon, 16 Aug 2010 17:07:30 +0000 (19:07 +0200)]

pluto: Removed no_klips flag (--noklips option).
Tobias Brunner [Mon, 16 Aug 2010 13:53:56 +0000 (15:53 +0200)]

pluto: Removed references to KLIPS from documentation, log messages and comments.
Tobias Brunner [Mon, 16 Aug 2010 12:32:55 +0000 (14:32 +0200)]

pluto: Added --debug-kernel as alias for --debug-klips.
Tobias Brunner [Mon, 16 Aug 2010 12:59:23 +0000 (14:59 +0200)]

pluto: Replaced DBG_KLIPS with DBG_KERNEL.
Tobias Brunner [Mon, 16 Aug 2010 12:07:09 +0000 (14:07 +0200)]

pluto: Removed the KLIPS preprocessor flag.
Tobias Brunner [Mon, 16 Aug 2010 12:02:25 +0000 (14:02 +0200)]

pluto: Removed unneeded kernel abstractions.
Tobias Brunner [Mon, 16 Aug 2010 09:26:31 +0000 (11:26 +0200)]

pluto: Completely removed struct kernel_ops.
Tobias Brunner [Mon, 16 Aug 2010 09:12:57 +0000 (11:12 +0200)]

pluto: Refactored PF_KEY capabilities registration.
Tobias Brunner [Mon, 16 Aug 2010 08:33:37 +0000 (10:33 +0200)]

Although we use the kernel interface from libhydra we still need this to make
the available algorithms known to pluto.

pluto: Removed unneeded functions from PF_KEY interface.
Tobias Brunner [Wed, 11 Aug 2010 11:51:03 +0000 (13:51 +0200)]

We still use the algorithm registration.

pluto: Completely removed orphaned_holds.
Tobias Brunner [Tue, 10 Aug 2010 15:36:38 +0000 (17:36 +0200)]

Scheduler and processor have been moved to libstrongswan.
Tobias Brunner [Tue, 3 Aug 2010 16:57:30 +0000 (18:57 +0200)]

Also reverts 0c21dc000d3cd5c82eb22c4481e6459978456364 as the dependency
to libcharon is no longer required.

pluto: Install IN policy of a shunt eroute with protocol.
Tobias Brunner [Tue, 10 Aug 2010 13:09:13 +0000 (15:09 +0200)]

pluto: Fixed byte-order of ports in traffic selectors.
Tobias Brunner [Tue, 3 Aug 2010 14:40:41 +0000 (16:40 +0200)]

testing: Print output of 'make oldconfig' to STDOUT, besides logging it.
Tobias Brunner [Tue, 10 Aug 2010 13:06:41 +0000 (15:06 +0200)]

testing: Only sleep after a host has actually been started.
Tobias Brunner [Tue, 3 Aug 2010 14:37:12 +0000 (16:37 +0200)]

testing: Build strongSwan a bit faster using make -j.
Tobias Brunner [Tue, 3 Aug 2010 14:34:47 +0000 (16:34 +0200)]

testing: Force the UML Kernel to x86.
Tobias Brunner [Tue, 3 Aug 2010 14:33:55 +0000 (16:33 +0200)]

testing: Adding kernel-netlink to pluto.load statements.
Tobias Brunner [Tue, 3 Aug 2010 11:05:33 +0000 (13:05 +0200)]

testing: Added missing host alice to test.conf.
Tobias Brunner [Tue, 3 Aug 2010 11:30:16 +0000 (13:30 +0200)]

Charon specific strongswan.conf options generalized.
Tobias Brunner [Tue, 3 Aug 2010 10:23:14 +0000 (12:23 +0200)]

pluto: Listen for kernel events via libhydra's kernel interface.
Tobias Brunner [Tue, 3 Aug 2010 09:58:47 +0000 (11:58 +0200)]

pluto: Adapted kernel.c to changed kernel interface.
Tobias Brunner [Tue, 3 Aug 2010 09:53:40 +0000 (11:53 +0200)]

Adapted child_sa_t to changed kernel interface.
Tobias Brunner [Tue, 3 Aug 2010 09:50:56 +0000 (11:50 +0200)]

Fixing installation of trap policies (SPI=0) in kernel interface.
Tobias Brunner [Tue, 3 Aug 2010 09:49:28 +0000 (11:49 +0200)]

pluto: Do not close all file descriptors on startup, just redirect stdin, stdout and stderr to /dev/null.
Tobias Brunner [Fri, 30 Jul 2010 10:16:24 +0000 (12:16 +0200)]

Otherwise the pipe used to synchronize pluto->events with the main
thread would be closed.

pluto: Added a generic event queue.
Tobias Brunner [Fri, 30 Jul 2010 09:51:15 +0000 (11:51 +0200)]

This allows easily executing arbitrary callbacks in the context of the pluto
main thread (e.g. in order to synchronize with threads from the thread-pool).

pluto: Fixed the reqid that is passed to the updown script.
Tobias Brunner [Thu, 29 Jul 2010 11:37:39 +0000 (13:37 +0200)]

pluto: Migrated setup_half_ipsec_sa to libhydra's kernel interface.
Tobias Brunner [Thu, 29 Jul 2010 11:36:23 +0000 (13:36 +0200)]

pluto: Removed unneeded get_proto_reqid.
Tobias Brunner [Thu, 29 Jul 2010 11:33:48 +0000 (13:33 +0200)]

We will use the same reqid for all protocols, as in charon.

pluto: Added missing return_on in out_sa.
Tobias Brunner [Thu, 29 Jul 2010 10:24:18 +0000 (12:24 +0200)]

pluto: Use time_monotonic() instead of time() for use time calculation.
Tobias Brunner [Thu, 29 Jul 2010 10:19:48 +0000 (12:19 +0200)]

That's because get_sa_info now returns a monotonic timestamp.

pluto: Removed KLIPS specific code from was_eroute_idle.
Tobias Brunner [Thu, 29 Jul 2010 16:09:44 +0000 (18:09 +0200)]