strongswan.git
9 years agoSome minor comment fixes.
Tobias Brunner [Tue, 6 Jul 2010 08:48:55 +0000 (10:48 +0200)]
Some minor comment fixes.

9 years agoSome whitespace and code style fixes.
Tobias Brunner [Mon, 5 Jul 2010 16:52:50 +0000 (18:52 +0200)]
Some whitespace and code style fixes.

9 years agoDo not include files from libcharon in libhydra.
Tobias Brunner [Mon, 5 Jul 2010 16:49:41 +0000 (18:49 +0200)]
Do not include files from libcharon in libhydra.

9 years agoMove callback_job_t to libhydra.
Tobias Brunner [Mon, 5 Jul 2010 13:32:54 +0000 (15:32 +0200)]
Move callback_job_t to libhydra.

9 years agoFixing Doxygen groups after moving processor.
Tobias Brunner [Mon, 5 Jul 2010 13:24:58 +0000 (15:24 +0200)]
Fixing Doxygen groups after moving processor.

9 years agoRefer to processor via hydra and not charon.
Tobias Brunner [Mon, 5 Jul 2010 11:52:05 +0000 (13:52 +0200)]
Refer to processor via hydra and not charon.

9 years agoMove processor_t (thread-pool) to libhydra.
Tobias Brunner [Mon, 5 Jul 2010 11:46:04 +0000 (13:46 +0200)]
Move processor_t (thread-pool) to libhydra.

9 years agoSupport different hash/sig algorithms in handshake signing, including ECDSA
Martin Willi [Thu, 2 Sep 2010 08:29:32 +0000 (10:29 +0200)]
Support different hash/sig algorithms in handshake signing, including ECDSA

9 years agoAdded TLS ClientCertificateType identifiers
Martin Willi [Thu, 2 Sep 2010 08:05:11 +0000 (10:05 +0200)]
Added TLS ClientCertificateType identifiers

9 years agoAdded TLS specific Hash and Signature Algorithm identifiers
Martin Willi [Thu, 2 Sep 2010 07:21:45 +0000 (09:21 +0200)]
Added TLS specific Hash and Signature Algorithm identifiers

9 years agoFixed typos in tls_writer method descriptions
Martin Willi [Thu, 2 Sep 2010 08:28:51 +0000 (10:28 +0200)]
Fixed typos in tls_writer method descriptions

9 years agoRespect key types in stroke key/certificate backend
Martin Willi [Thu, 2 Sep 2010 10:37:27 +0000 (12:37 +0200)]
Respect key types in stroke key/certificate backend

9 years agoAdded an enumerator for registered credential builders
Martin Willi [Thu, 2 Sep 2010 07:46:09 +0000 (09:46 +0200)]
Added an enumerator for registered credential builders

9 years agoMigrated credential_factory to INIT/METHOD macros
Martin Willi [Thu, 2 Sep 2010 07:30:48 +0000 (09:30 +0200)]
Migrated credential_factory to INIT/METHOD macros

9 years agoadapted evaltest.dat to new RULE_OCSP_VALIDATION
Andreas Steffen [Wed, 1 Sep 2010 20:22:27 +0000 (22:22 +0200)]
adapted evaltest.dat to new RULE_OCSP_VALIDATION

9 years agocosmetics in debug output
Andreas Steffen [Wed, 1 Sep 2010 12:30:14 +0000 (14:30 +0200)]
cosmetics in debug output

9 years agodefined aaa_identity
Andreas Steffen [Tue, 31 Aug 2010 22:16:19 +0000 (00:16 +0200)]
defined aaa_identity

9 years agoincrease number of message due to large certificate payloads
Andreas Steffen [Tue, 31 Aug 2010 22:11:23 +0000 (00:11 +0200)]
increase number of message due to large certificate payloads

9 years agoclarified debug output
Andreas Steffen [Tue, 31 Aug 2010 21:22:39 +0000 (23:22 +0200)]
clarified debug output

9 years agofixed typo
Andreas Steffen [Tue, 31 Aug 2010 19:42:14 +0000 (21:42 +0200)]
fixed typo

9 years agoDo not process any more TLS handshake messages on fatal alerts
Martin Willi [Tue, 31 Aug 2010 16:08:46 +0000 (18:08 +0200)]
Do not process any more TLS handshake messages on fatal alerts

9 years agoLoad a left/rightcert2 for EAP-TLS even if no left/rightauth2 is defined
Martin Willi [Tue, 31 Aug 2010 16:02:46 +0000 (18:02 +0200)]
Load a left/rightcert2 for EAP-TLS even if no left/rightauth2 is defined

9 years agoStrictly check if the server certificate matches the TLS server identity
Martin Willi [Tue, 31 Aug 2010 16:07:38 +0000 (18:07 +0200)]
Strictly check if the server certificate matches the TLS server identity

9 years agoUse the AAA Identity for EAP authentication, if given
Martin Willi [Tue, 31 Aug 2010 16:06:02 +0000 (18:06 +0200)]
Use the AAA Identity for EAP authentication, if given

9 years agoAdded support for the ipsec.conf aaa_identity keyword
Martin Willi [Tue, 31 Aug 2010 15:52:52 +0000 (17:52 +0200)]
Added support for the ipsec.conf aaa_identity keyword

9 years agoAdded an AAA identity authentication config option
Martin Willi [Tue, 31 Aug 2010 15:26:20 +0000 (17:26 +0200)]
Added an AAA identity authentication config option

9 years agoAdded strongswan.conf options for EAP-TLS/TTLS fragment size
Martin Willi [Tue, 31 Aug 2010 14:10:55 +0000 (16:10 +0200)]
Added strongswan.conf options for EAP-TLS/TTLS fragment size

9 years agoSupport processing of partial TLS record headers
Martin Willi [Tue, 31 Aug 2010 08:03:03 +0000 (10:03 +0200)]
Support processing of partial TLS record headers

9 years agoMigrated EAP-TTLS to the generic TLS helper
Martin Willi [Tue, 31 Aug 2010 07:12:40 +0000 (09:12 +0200)]
Migrated EAP-TTLS to the generic TLS helper

9 years agoMigrated EAP-TLS to the generic TLS helper
Martin Willi [Tue, 31 Aug 2010 07:12:20 +0000 (09:12 +0200)]
Migrated EAP-TLS to the generic TLS helper

9 years agoImplemented a generic TLS EAP helper to implement EAP-TLS, TTLS and other variants
Martin Willi [Tue, 31 Aug 2010 07:11:09 +0000 (09:11 +0200)]
Implemented a generic TLS EAP helper to implement EAP-TLS, TTLS and other variants

9 years agoSupport output fragmentation of TLS records
Martin Willi [Tue, 31 Aug 2010 06:57:26 +0000 (08:57 +0200)]
Support output fragmentation of TLS records

9 years agoMoved EAP type/code definitions to a seprate header file in libstrongswan
Martin Willi [Tue, 31 Aug 2010 06:55:48 +0000 (08:55 +0200)]
Moved EAP type/code definitions to a seprate header file in libstrongswan

9 years agoImplemented buffering of partial records in TLS stack
Martin Willi [Thu, 26 Aug 2010 10:27:56 +0000 (12:27 +0200)]
Implemented buffering of partial records in TLS stack

9 years agoLog TLS handshake subtypes as handshakes
Martin Willi [Thu, 26 Aug 2010 10:18:24 +0000 (12:18 +0200)]
Log TLS handshake subtypes as handshakes

9 years agoAdded a TLS debug level option, use debugging hook
Martin Willi [Thu, 26 Aug 2010 10:17:22 +0000 (12:17 +0200)]
Added a TLS debug level option, use debugging hook

9 years agoDo not strdup() zero length strings in identification_create_from_string()
Martin Willi [Tue, 31 Aug 2010 13:34:08 +0000 (15:34 +0200)]
Do not strdup() zero length strings in identification_create_from_string()

9 years agoCorrected some URLs.
Tobias Brunner [Tue, 31 Aug 2010 12:46:53 +0000 (14:46 +0200)]
Corrected some URLs.

9 years agoEnable the generation of unencrypted messages (e.g. ME connectivity checks).
Tobias Brunner [Mon, 30 Aug 2010 15:24:07 +0000 (17:24 +0200)]
Enable the generation of unencrypted messages (e.g. ME connectivity checks).

9 years agofixed typos
Andreas Steffen [Mon, 30 Aug 2010 14:22:33 +0000 (16:22 +0200)]
fixed typos

9 years agofixed copy-and-paste errors
Andreas Steffen [Mon, 30 Aug 2010 13:42:44 +0000 (15:42 +0200)]
fixed copy-and-paste errors

9 years agocreated an eap-tnc method hull
Andreas Steffen [Mon, 30 Aug 2010 13:36:24 +0000 (15:36 +0200)]
created an eap-tnc method hull

9 years agofor the time being assume a single request/response exchange for a given EAP method
Andreas Steffen [Mon, 30 Aug 2010 13:35:13 +0000 (15:35 +0200)]
for the time being assume a single request/response exchange for a given EAP method

9 years agoPort floating patch partially reversed.
Tobias Brunner [Mon, 30 Aug 2010 12:54:31 +0000 (14:54 +0200)]
Port floating patch partially reversed.

If MOBIKE is enabled, we do have to switch to port 4500 with the
IKE_AUTH request, that is, before we know whether the other peer
actually supports MOBIKE or not.

9 years agoSlightly refactored port floating.
Tobias Brunner [Mon, 30 Aug 2010 10:19:37 +0000 (12:19 +0200)]
Slightly refactored port floating.

In case of MOBIKE, only float to port 4500 if the other peer actually supports MOBIKE.

9 years agodefined EAP-TNC
Andreas Steffen [Mon, 30 Aug 2010 11:13:39 +0000 (13:13 +0200)]
defined EAP-TNC

9 years agoUnwrap crlNumber INTEGER in openssl CRL parsing
Martin Willi [Mon, 30 Aug 2010 09:22:54 +0000 (11:22 +0200)]
Unwrap crlNumber INTEGER in openssl CRL parsing

9 years agoAdded crl support to pki --print
Martin Willi [Mon, 30 Aug 2010 09:01:18 +0000 (11:01 +0200)]
Added crl support to pki --print

9 years agoTypo in doxygen comment fixed.
Tobias Brunner [Mon, 30 Aug 2010 08:49:32 +0000 (10:49 +0200)]
Typo in doxygen comment fixed.

9 years agoFixed ME after introduction of AEAD wrapper.
Tobias Brunner [Mon, 30 Aug 2010 08:48:09 +0000 (10:48 +0200)]
Fixed ME after introduction of AEAD wrapper.

9 years agoFixed pluto smartcard support after introducing encryption schemes
Martin Willi [Mon, 30 Aug 2010 08:14:45 +0000 (10:14 +0200)]
Fixed pluto smartcard support after introducing encryption schemes

9 years agoreplaced ikev2/esp-alg-aes-ctr by ikev2/alg-aes-ctr
Andreas Steffen [Sun, 29 Aug 2010 19:52:08 +0000 (21:52 +0200)]
replaced ikev2/esp-alg-aes-ctr by ikev2/alg-aes-ctr

9 years agoadded ctr ccm and gcm plugins to ikev2/rw-cert scenario
Andreas Steffen [Sun, 29 Aug 2010 19:11:00 +0000 (21:11 +0200)]
added ctr ccm and gcm plugins to ikev2/rw-cert scenario

9 years agoadded ctr ccm and gcm plugins to openssl-ikev2/rw-cert scenario
Andreas Steffen [Sun, 29 Aug 2010 19:09:25 +0000 (21:09 +0200)]
added ctr ccm and gcm plugins to openssl-ikev2/rw-cert scenario

9 years agoadded ctr ccm and gcm plugins to gcrypt-ikev2/rw-cert scenario
Andreas Steffen [Sun, 29 Aug 2010 18:50:37 +0000 (20:50 +0200)]
added ctr ccm and gcm plugins to gcrypt-ikev2/rw-cert scenario

9 years agoreplaced ikev2/esp-alg-aes-gcm by ikev2/alg-aes-gcm
Andreas Steffen [Sun, 29 Aug 2010 18:39:51 +0000 (20:39 +0200)]
replaced ikev2/esp-alg-aes-gcm by ikev2/alg-aes-gcm

9 years agoreplaced ikev2/esp-alg-aes-ccm by ikev2/alg-aes-ccm
Andreas Steffen [Sun, 29 Aug 2010 18:24:12 +0000 (20:24 +0200)]
replaced ikev2/esp-alg-aes-ccm by ikev2/alg-aes-ccm

9 years agoWin7 might send up to 7k of certificate requests
Andreas Steffen [Fri, 27 Aug 2010 14:30:05 +0000 (16:30 +0200)]
Win7 might send up to 7k of certificate requests

9 years agoFixed documentation of XAUTH in ipsec.secrets.
Tobias Brunner [Thu, 26 Aug 2010 08:25:08 +0000 (10:25 +0200)]
Fixed documentation of XAUTH in ipsec.secrets.

9 years agoPrefer AES/Camellia suites over 3DES/NULL encryption
Martin Willi [Wed, 25 Aug 2010 16:30:09 +0000 (18:30 +0200)]
Prefer AES/Camellia suites over 3DES/NULL encryption

9 years agoSend TLS alerts for errors in TLS handshake building
Martin Willi [Wed, 25 Aug 2010 16:24:27 +0000 (18:24 +0200)]
Send TLS alerts for errors in TLS handshake building

9 years agoRefactored fragment building, use correct TLS content type for non-first fragments
Martin Willi [Wed, 25 Aug 2010 16:04:59 +0000 (18:04 +0200)]
Refactored fragment building, use correct TLS content type for non-first fragments

9 years agoUpdate delete_payload length when adding SPIs
Martin Willi [Wed, 25 Aug 2010 15:03:09 +0000 (17:03 +0200)]
Update delete_payload length when adding SPIs

9 years agoMigrated delete_payload to INIT/METHOD macros, replaced iterator
Martin Willi [Wed, 25 Aug 2010 15:00:01 +0000 (17:00 +0200)]
Migrated delete_payload to INIT/METHOD macros, replaced iterator

9 years agoUse different return values in payload decryption to distinguish between integrity...
Martin Willi [Wed, 25 Aug 2010 13:29:53 +0000 (15:29 +0200)]
Use different return values in payload decryption to distinguish between integrity and syntax errors

9 years agoImplemented a TLS utility to test on any TLS secured TCP connection
Martin Willi [Wed, 25 Aug 2010 10:57:13 +0000 (12:57 +0200)]
Implemented a TLS utility to test on any TLS secured TCP connection

9 years agoAdded a simple high level TLS wrapper for sockets
Martin Willi [Wed, 25 Aug 2010 10:51:01 +0000 (12:51 +0200)]
Added a simple high level TLS wrapper for sockets

9 years agoInitialize output chunk before appending data to it
Martin Willi [Wed, 25 Aug 2010 10:43:21 +0000 (12:43 +0200)]
Initialize output chunk before appending data to it

9 years agoAdded private key support to in-memory credential set
Martin Willi [Tue, 24 Aug 2010 16:17:34 +0000 (18:17 +0200)]
Added private key support to in-memory credential set

9 years agoAdded certificate support to in-memory credential set
Martin Willi [Tue, 24 Aug 2010 14:59:45 +0000 (16:59 +0200)]
Added certificate support to in-memory credential set

9 years agoCheck if colliding rekey actually created an IKE_INIT
Thomas Egerer [Tue, 24 Aug 2010 12:55:47 +0000 (14:55 +0200)]
Check if colliding rekey actually created an IKE_INIT

In some cases (especially if a child is half-open) the colliding
rekey-job might not have created the ike_init member. If so, the
nonce check fails with SIGSEGV.

9 years agoAdded a ike_name logger option to prefix the IKE_SA name on each line
Martin Willi [Wed, 25 Aug 2010 07:53:43 +0000 (09:53 +0200)]
Added a ike_name logger option to prefix the IKE_SA name on each line

9 years agoremoved tls_record_t definition
Andreas Steffen [Tue, 24 Aug 2010 17:18:44 +0000 (19:18 +0200)]
removed tls_record_t definition

9 years agoPass NULL peer identity to omit TLS peer authentication, added eap-ttls.request_peer_...
Martin Willi [Tue, 24 Aug 2010 09:34:43 +0000 (11:34 +0200)]
Pass NULL peer identity to omit TLS peer authentication, added eap-ttls.request_peer_auth option

9 years agoSkip the close notify if application layer completes successfully
Martin Willi [Tue, 24 Aug 2010 08:29:54 +0000 (10:29 +0200)]
Skip the close notify if application layer completes successfully

9 years agoadded ikev2/rw-eap-tls-fragments scenario
Andreas Steffen [Tue, 24 Aug 2010 08:12:15 +0000 (10:12 +0200)]
added ikev2/rw-eap-tls-fragments scenario

9 years agouse correct network diagram
Andreas Steffen [Tue, 24 Aug 2010 08:09:58 +0000 (10:09 +0200)]
use correct network diagram

9 years agosupport fragmentation in AVPs
Andreas Steffen [Tue, 24 Aug 2010 07:02:40 +0000 (09:02 +0200)]
support fragmentation in AVPs

9 years agoremoved some redundant debug output
Andreas Steffen [Tue, 24 Aug 2010 07:00:52 +0000 (09:00 +0200)]
removed some redundant debug output

9 years agoAdded generic TLS purposes
Martin Willi [Tue, 24 Aug 2010 06:42:10 +0000 (08:42 +0200)]
Added generic TLS purposes

9 years agoClient sends empty EAP-TTLS packet on fatal alerts to properly shut down TLS
Martin Willi [Tue, 24 Aug 2010 06:41:12 +0000 (08:41 +0200)]
Client sends empty EAP-TTLS packet on fatal alerts to properly shut down TLS

9 years agoCheck if the application layer has completed successfully
Martin Willi [Tue, 24 Aug 2010 06:40:28 +0000 (08:40 +0200)]
Check if the application layer has completed successfully

9 years agoMoved TLS record parsing/generation to tls.c
Martin Willi [Mon, 23 Aug 2010 14:21:49 +0000 (16:21 +0200)]
Moved TLS record parsing/generation to tls.c

9 years agoadded debug-tls comand line option
Andreas Steffen [Mon, 23 Aug 2010 15:51:40 +0000 (17:51 +0200)]
added debug-tls comand line option

9 years agoAdded a TLS purpose for EAP-TTLS with client authentication
Martin Willi [Mon, 23 Aug 2010 12:31:21 +0000 (14:31 +0200)]
Added a TLS purpose for EAP-TTLS with client authentication

9 years agoEAP-TLS clients send an empty packet on failure to properly shut down a TLS session
Martin Willi [Mon, 23 Aug 2010 12:22:54 +0000 (14:22 +0200)]
EAP-TLS clients send an empty packet on failure to properly shut down a TLS session

9 years agoImplemented TLS Alert handling
Martin Willi [Mon, 23 Aug 2010 12:22:38 +0000 (14:22 +0200)]
Implemented TLS Alert handling

9 years agoRebuild library.lo after changing ./configure options
Martin Willi [Mon, 23 Aug 2010 10:01:48 +0000 (12:01 +0200)]
Rebuild library.lo after changing ./configure options

9 years agoBuild a trustchain even if no trust anchor is given
Martin Willi [Mon, 23 Aug 2010 09:57:40 +0000 (11:57 +0200)]
Build a trustchain even if no trust anchor is given

9 years agoAccept encryption payloads with no wrapped payloads
Martin Willi [Mon, 23 Aug 2010 09:30:36 +0000 (11:30 +0200)]
Accept encryption payloads with no wrapped payloads

9 years agoFall back to shifting with 32-bit words if 64-bit byte order conversion function...
Martin Willi [Mon, 23 Aug 2010 08:10:36 +0000 (10:10 +0200)]
Fall back to shifting with 32-bit words if 64-bit byte order conversion function missing

9 years agoUse enum mappings to resolve debug group
Martin Willi [Fri, 20 Aug 2010 18:45:31 +0000 (20:45 +0200)]
Use enum mappings to resolve debug group

9 years agoImplemented generic enum name to enum value mapping
Martin Willi [Fri, 20 Aug 2010 18:45:05 +0000 (20:45 +0200)]
Implemented generic enum name to enum value mapping

9 years agoVerify negotiated TLS version
Martin Willi [Fri, 20 Aug 2010 14:08:59 +0000 (16:08 +0200)]
Verify negotiated TLS version

9 years agoIntroducing a dedicated debug message group for libtls
Martin Willi [Fri, 20 Aug 2010 13:57:47 +0000 (15:57 +0200)]
Introducing a dedicated debug message group for libtls

9 years agoStreamlined TLS debugging output
Martin Willi [Fri, 20 Aug 2010 13:52:06 +0000 (15:52 +0200)]
Streamlined TLS debugging output

9 years agofixed build_cipher_suite_list()
Andreas Steffen [Sat, 21 Aug 2010 10:51:54 +0000 (12:51 +0200)]
fixed build_cipher_suite_list()

9 years agoIntroducing simple purposes for the TLS stack, switches various options
Martin Willi [Fri, 20 Aug 2010 13:02:25 +0000 (15:02 +0200)]
Introducing simple purposes for the TLS stack, switches various options

9 years agoFixed compiler warning
Martin Willi [Fri, 20 Aug 2010 12:57:14 +0000 (14:57 +0200)]
Fixed compiler warning

9 years agoenable the ccm and gcm plugins in the UML scenarios
Andreas Steffen [Fri, 20 Aug 2010 10:47:15 +0000 (12:47 +0200)]
enable the ccm and gcm plugins in the UML scenarios