strongswan.git
8 years ago  Update fallback drop policies if required.
Tobias Brunner [Fri, 29 Jul 2011 10:34:51 +0000 (12:34 +0200)]
Update fallback drop policies if required.

8 years ago  Allow routing table IDs > 255 when filtering them.
Tobias Brunner [Fri, 29 Jul 2011 10:16:18 +0000 (12:16 +0200)]
Allow routing table IDs > 255 when filtering them.

8 years ago  DUMM: Allow addresses to be configured with net prefix.
Tobias Brunner [Fri, 29 Jul 2011 10:14:02 +0000 (12:14 +0200)]
DUMM: Allow addresses to be configured with net prefix.

8 years ago  Fixed host_create_from_subnet when no prefix is given.
Tobias Brunner [Fri, 29 Jul 2011 10:11:20 +0000 (12:11 +0200)]
Fixed host_create_from_subnet when no prefix is given.

8 years ago  Install fallback drop policies for all three directions.
Tobias Brunner [Thu, 28 Jul 2011 12:24:42 +0000 (14:24 +0200)]
Install fallback drop policies for all three directions.

8 years ago  Install fallback drop policies to avoid transmitting unencrypted packets.
Tobias Brunner [Wed, 27 Jul 2011 11:44:33 +0000 (13:44 +0200)]
Install fallback drop policies to avoid transmitting unencrypted packets.

During the update of a CHILD_SA (e.g. caused by MOBIKE) the old policy
is first uninstalled and then the new one is installed.  In the short
time in between, where no policy is available in the kernel, unencrypted
packets could have been transmitted.

8 years ago  Remove policies in kernel interfaces based on their priority.
Tobias Brunner [Wed, 27 Jul 2011 11:41:35 +0000 (13:41 +0200)]
Remove policies in kernel interfaces based on their priority.

This allows unrouting a connection while the same connection is
currently established. In this case both CHILD_SAs share the same
reqid but the installed policies have different priorities.

8 years ago  Added missing include in mysql plugin.
Tobias Brunner [Tue, 26 Jul 2011 13:47:01 +0000 (15:47 +0200)]
Added missing include in mysql plugin.

This was previously pulled in via linked_list.h->iterator.h->library.h.

8 years ago  Added tnc, imc, imv debug message groups to man page.
Tobias Brunner [Tue, 26 Jul 2011 07:38:13 +0000 (09:38 +0200)]
Added tnc, imc, imv debug message groups to man page.

8 years ago  show correct network topology in shunt-policies scenarios
Andreas Steffen [Tue, 26 Jul 2011 05:55:20 +0000 (07:55 +0200)]
show correct network topology in shunt-policies scenarios

8 years ago  Inherit authentication information during IKE_SA rekeying
Martin Willi [Mon, 25 Jul 2011 12:08:18 +0000 (14:08 +0200)]
Inherit authentication information during IKE_SA rekeying

8 years ago  Added a log message when roam jobs get created.
Tobias Brunner [Thu, 21 Jul 2011 17:44:42 +0000 (19:44 +0200)]
Added a log message when roam jobs get created.

8 years ago  Readded docs for some arguments to global functions.
Tobias Brunner [Thu, 21 Jul 2011 16:32:28 +0000 (18:32 +0200)]
Readded docs for some arguments to global functions.

Those were overzealously removed in 28623fc5389829858c78c759a214aa5c64ea26c6.

8 years ago  Fixed sleep command in two test cases.
Tobias Brunner [Thu, 21 Jul 2011 14:34:37 +0000 (16:34 +0200)]
Fixed sleep command in two test cases.

8 years ago  Added NEWS about job priorities and IKE_SA_INIT dropping.
Tobias Brunner [Thu, 21 Jul 2011 14:26:30 +0000 (16:26 +0200)]
Added NEWS about job priorities and IKE_SA_INIT dropping.

8 years ago  Documentation about job priorities added to man page.
Tobias Brunner [Thu, 21 Jul 2011 14:17:08 +0000 (16:17 +0200)]
Documentation about job priorities added to man page.

Also includes docs about IKE_SA_INIT dropping.

8 years ago  fixed esn type
Andreas Steffen [Wed, 20 Jul 2011 21:11:19 +0000 (23:11 +0200)]
fixed esn type

8 years ago  fixed some more misspellings
Andreas Steffen [Wed, 20 Jul 2011 20:19:01 +0000 (22:19 +0200)]
fixed some more misspellings

8 years ago  Fixed common misspellings.
Tobias Brunner [Wed, 20 Jul 2011 13:57:53 +0000 (15:57 +0200)]
Fixed common misspellings.

Mostly found by 'codespell'.

8 years ago  Removed old ikev2bis draft.
Tobias Brunner [Wed, 20 Jul 2011 13:57:29 +0000 (15:57 +0200)]
Removed old ikev2bis draft.

8 years ago  Added missing load-tester options to man page.
Tobias Brunner [Mon, 18 Jul 2011 17:01:18 +0000 (19:01 +0200)]
Added missing load-tester options to man page.

8 years ago  Count running load-tester threads properly.
Tobias Brunner [Mon, 18 Jul 2011 16:45:13 +0000 (18:45 +0200)]
Count running load-tester threads properly.

8 years ago  Fix load-tester.shutdown_when_complete option.
Tobias Brunner [Mon, 18 Jul 2011 16:42:47 +0000 (18:42 +0200)]
Fix load-tester.shutdown_when_complete option.

It didn't work when used together with delete_after_established=yes.

8 years ago  Fix listener registration in load-tester plugin.
Tobias Brunner [Mon, 18 Jul 2011 16:42:21 +0000 (18:42 +0200)]
Fix listener registration in load-tester plugin.

This fixes the load-tester.shutdown_when_complete option.

8 years ago  removed stray code
Andreas Steffen [Mon, 18 Jul 2011 08:22:29 +0000 (10:22 +0200)]
removed stray code

8 years ago  added libimcv.plugins.imv_scanner options to strongswan.conf
Andreas Steffen [Sun, 17 Jul 2011 09:07:30 +0000 (11:07 +0200)]
added libimcv.plugins.imv_scanner options to strongswan.conf

8 years ago  added ikev2/net2net-esn scenario
Andreas Steffen [Sat, 16 Jul 2011 12:12:23 +0000 (14:12 +0200)]
added ikev2/net2net-esn scenario

8 years ago  added log and status output for ESN
Andreas Steffen [Sat, 16 Jul 2011 09:09:38 +0000 (11:09 +0200)]
added log and status output for ESN

8 years ago  added IKEv2 exchange type IKE_SESSION_RESUME from RFC 5723
Andreas Steffen [Fri, 15 Jul 2011 05:48:36 +0000 (07:48 +0200)]
added IKEv2 exchange type IKE_SESSION_RESUME from RFC 5723

8 years ago  version bump to 4.5.3rc1
Andreas Steffen [Thu, 14 Jul 2011 21:27:07 +0000 (23:27 +0200)]
version bump to 4.5.3rc1

8 years ago  alice is now master in the ha/both-active scenario
Andreas Steffen [Thu, 14 Jul 2011 15:31:47 +0000 (17:31 +0200)]
alice is now master in the ha/both-active scenario

8 years ago  short form changed
Andreas Steffen [Thu, 14 Jul 2011 14:49:41 +0000 (16:49 +0200)]
short form changed

8 years ago  Fix parentheses in write() to CLUSTERIP control files
Martin Willi [Thu, 14 Jul 2011 13:56:10 +0000 (15:56 +0200)]
Fix parentheses in write() to CLUSTERIP control files

8 years ago  shunt manager installs policies with %any hosts
Andreas Steffen [Thu, 14 Jul 2011 11:51:36 +0000 (13:51 +0200)]
shunt manager installs policies with %any hosts

8 years ago  added HOME_AGENT_ADDRESS CP attribute type
Andreas Steffen [Thu, 14 Jul 2011 09:05:13 +0000 (11:05 +0200)]
added HOME_AGENT_ADDRESS CP attribute type

8 years ago  fixed typo
Andreas Steffen [Thu, 14 Jul 2011 08:53:37 +0000 (10:53 +0200)]
fixed typo

8 years ago  updated IANA IKEv2 Notify Message Types
Andreas Steffen [Thu, 14 Jul 2011 08:51:24 +0000 (10:51 +0200)]
updated IANA IKEv2 Notify Message Types

8 years ago  NEWS for the 4.5.3dr8 release
Andreas Steffen [Thu, 14 Jul 2011 07:25:36 +0000 (09:25 +0200)]
NEWS for the 4.5.3dr8 release

8 years ago  check if violating_ports have been assigned
Andreas Steffen [Wed, 13 Jul 2011 21:05:22 +0000 (23:05 +0200)]
check if violating_ports have been assigned

8 years ago  support of error_offset in PA-TNC INVALID PARAMETER error messages
Andreas Steffen [Wed, 13 Jul 2011 20:18:32 +0000 (22:18 +0200)]
support of error_offset in PA-TNC INVALID PARAMETER error messages

8 years ago  add relative PB-TNC message offset
Andreas Steffen [Wed, 13 Jul 2011 16:59:35 +0000 (18:59 +0200)]
add relative PB-TNC message offset

8 years ago  return offset value
Andreas Steffen [Wed, 13 Jul 2011 16:58:58 +0000 (18:58 +0200)]
return offset value

8 years ago  add PID/Program Name to netstat output
Andreas Steffen [Thu, 7 Jul 2011 07:22:27 +0000 (09:22 +0200)]
add PID/Program Name to netstat output

8 years ago  adapted tnc scenarios to new imcvs library path
Andreas Steffen [Wed, 6 Jul 2011 19:55:17 +0000 (21:55 +0200)]
adapted tnc scenarios to new imcvs library path

8 years ago  install IMC and IMV dynamic libraries in imcvs directory
Andreas Steffen [Wed, 6 Jul 2011 19:53:40 +0000 (21:53 +0200)]
install IMC and IMV dynamic libraries in imcvs directory

8 years ago  Added news about policy history.
Tobias Brunner [Wed, 6 Jul 2011 11:03:45 +0000 (13:03 +0200)]
Added news about policy history.

8 years ago  Record usage history of policies in PF_KEY kernel interface.
Tobias Brunner [Wed, 6 Jul 2011 10:56:34 +0000 (12:56 +0200)]
Record usage history of policies in PF_KEY kernel interface.

The implementation is nearly the same as in the Netlink kernel interface.

8 years ago  Simplified destruction of policy_sa_t objects in Netlink interface.
Tobias Brunner [Wed, 6 Jul 2011 10:49:54 +0000 (12:49 +0200)]
Simplified destruction of policy_sa_t objects in Netlink interface.

8 years ago  Adapted shunt manager to changed kernel interface (reqid in del_policy).
Tobias Brunner [Wed, 6 Jul 2011 10:48:26 +0000 (12:48 +0200)]
Adapted shunt manager to changed kernel interface (reqid in del_policy).

8 years ago  Some code cleanup in Netlink kernel interface.
Tobias Brunner [Fri, 1 Jul 2011 09:58:19 +0000 (11:58 +0200)]
Some code cleanup in Netlink kernel interface.

8 years ago  Some code cleanup in PF_KEY kernel interface.
Tobias Brunner [Tue, 28 Jun 2011 09:39:56 +0000 (11:39 +0200)]
Some code cleanup in PF_KEY kernel interface.

8 years ago  Reduce memory usage of policy history caching.
Tobias Brunner [Mon, 27 Jun 2011 09:00:48 +0000 (11:00 +0200)]
Reduce memory usage of policy history caching.

Only cache data as needed (e.g. traffic selectors only for forward
policies) and at most once for each IPsec SA.

8 years ago  Use has_more in decrypt_payloads instead of calling enumerate twice.
Tobias Brunner [Thu, 9 Jun 2011 07:55:44 +0000 (09:55 +0200)]
Use has_more in decrypt_payloads instead of calling enumerate twice.

8 years ago  Added linked_list_t.has_more which checks if any elements follow an enumerator's...
Tobias Brunner [Thu, 9 Jun 2011 07:53:12 +0000 (09:53 +0200)]
Added linked_list_t.has_more which checks if any elements follow an enumerator's current position.

8 years ago  Make sure the enumerator stops after all items have been enumerated.
Tobias Brunner [Thu, 9 Jun 2011 07:49:28 +0000 (09:49 +0200)]
Make sure the enumerator stops after all items have been enumerated.

This also changes how insert_before behaves: before enumeration, items
are inserted first; after enumeration, they are inserted last.

8 years ago  Keep the mutex locked as long as possible when deleting policies.
Tobias Brunner [Wed, 8 Jun 2011 16:27:48 +0000 (18:27 +0200)]
Keep the mutex locked as long as possible when deleting policies.

This change tries to prevent a race condition where a thread tries to
install the same policy another thread is currently deleting. If the
second thread releases the mutex in del_policy too early the first
thread could assume the policy does not exist (as it is not cached
anymore) but would not be able to actually install it if the second
thread was not yet able to delete it.

8 years ago  Properly unlock the policy if no change in the kernel is required.
Tobias Brunner [Wed, 8 Jun 2011 11:58:33 +0000 (13:58 +0200)]
Properly unlock the policy if no change in the kernel is required.

8 years ago  Make sure access to policy is thread-safe during installation of route.
Tobias Brunner [Tue, 7 Jun 2011 13:21:59 +0000 (15:21 +0200)]
Make sure access to policy is thread-safe during installation of route.

8 years ago  Linked list style cleanups
Martin Willi [Tue, 7 Jun 2011 08:16:22 +0000 (08:16 +0000)]
Linked list style cleanups

8 years ago  Finally removed deprecated iterator_t.
Tobias Brunner [Thu, 19 May 2011 17:38:46 +0000 (19:38 +0200)]
Finally removed deprecated iterator_t.

8 years ago  Removed unneeded and confusing insert_after method from linked_list_t.
Tobias Brunner [Thu, 19 May 2011 17:26:06 +0000 (19:26 +0200)]
Removed unneeded and confusing insert_after method from linked_list_t.

8 years ago  Replaced more complex iterator usages.
Tobias Brunner [Thu, 19 May 2011 16:52:57 +0000 (18:52 +0200)]
Replaced more complex iterator usages.

8 years ago  Added a function to reset the enumerator of a linked list.
Tobias Brunner [Thu, 19 May 2011 16:13:38 +0000 (18:13 +0200)]
Added a function to reset the enumerator of a linked list.

8 years ago  Replaced ike_sa_t.create_additional_address_iterator with enumerator.
Tobias Brunner [Thu, 19 May 2011 16:05:53 +0000 (18:05 +0200)]
Replaced ike_sa_t.create_additional_address_iterator with enumerator.

8 years ago  Replaced ike_sa_t.create_child_sa_iterator with enumerator.
Tobias Brunner [Thu, 19 May 2011 15:27:32 +0000 (17:27 +0200)]
Replaced ike_sa_t.create_child_sa_iterator with enumerator.

This required two new methods on ike_sa_t. One returns the number of
CHILD_SAs and one allows removing a CHILD_SA.

8 years ago  Replaced pkcs7_t.create_certificate_iterator with enumerator.
Tobias Brunner [Thu, 19 May 2011 14:30:43 +0000 (16:30 +0200)]
Replaced pkcs7_t.create_certificate_iterator with enumerator.

The method is currently not used.

8 years ago  Replaced simple iterator usages.
Tobias Brunner [Thu, 19 May 2011 14:18:30 +0000 (16:18 +0200)]
Replaced simple iterator usages.

8 years ago  "this" removed from comments.
Tobias Brunner [Thu, 19 May 2011 12:00:49 +0000 (14:00 +0200)]
"this" removed from comments.

8 years ago  Record the history of a policy installed in the kernel.
Tobias Brunner [Fri, 13 May 2011 15:08:11 +0000 (17:08 +0200)]
Record the history of a policy installed in the kernel.

This allows a policy to be deleted properly, e.g. if reauth=yes and
auto=route, because reqids are increased during reauthentication.

It also avoids overriding an installed policy with a trap policy.
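
The fallback drop policies, the priority-based removal and the policy history described in the commit messages above all come down to the same thing: one kernel SPD entry for a selector pair can be claimed by several (reqid, priority) users at once, and the kernel enforces only the one with the best priority. The C program below is an added example written for this page, not strongSwan code: it models a tiny SPD with priority-ordered policies and replays the three situations (the MOBIKE update window with and without a fallback drop policy, unrouting an established connection, and reauthentication with a changed reqid). The priority values, the ACT_* action names, the helper names and the selector addresses are assumptions chosen for the model; the real daemon installs policies via Netlink or PF_KEY and computes priorities from the traffic selectors.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a kernel SPD with strongSwan-style policy priorities.
 * Not strongSwan code. Lower value = higher precedence (as in Linux xfrm);
 * the concrete numbers, the ACT_* names and the selectors are assumptions. */
enum { PRIO_ESTABLISHED = 1000, PRIO_TRAP = 2000, PRIO_FALLBACK = 3000 };
enum action { ACT_NONE = 0, ACT_IPSEC, ACT_TRAP, ACT_DROP };

#define MAX_USES 8
#define MAX_POLICIES 8
#define SRC "10.1.0.0/16"   /* constructed selector pair */
#define DST "10.2.0.0/16"

/* one "usage" of a selector: which CHILD_SA (reqid) installed it, at what priority */
struct usage { unsigned reqid; unsigned prio; enum action act; };
/* a selector pair together with its usage history */
struct policy { const char *src, *dst; struct usage uses[MAX_USES]; int n; };
struct spd { struct policy pol[MAX_POLICIES]; int n; };

static struct policy *find_policy(struct spd *s, const char *src, const char *dst)
{
    for (int i = 0; i < s->n; i++)
        if (!strcmp(s->pol[i].src, src) && !strcmp(s->pol[i].dst, dst))
            return &s->pol[i];
    return NULL;
}

/* install a usage; an identical (reqid, prio) pair is recorded only once */
static void add_policy(struct spd *s, const char *src, const char *dst,
                       unsigned reqid, unsigned prio, enum action act)
{
    struct policy *p = find_policy(s, src, dst);
    if (!p) { p = &s->pol[s->n++]; p->src = src; p->dst = dst; p->n = 0; }
    for (int i = 0; i < p->n; i++)
        if (p->uses[i].reqid == reqid && p->uses[i].prio == prio) return;
    p->uses[p->n++] = (struct usage){ reqid, prio, act };
}

/* remove exactly one usage, matched on reqid *and* priority; the selector
 * leaves the kernel only when no usage remains */
static void del_policy(struct spd *s, const char *src, const char *dst,
                       unsigned reqid, unsigned prio)
{
    struct policy *p = find_policy(s, src, dst);
    if (!p) return;
    for (int i = 0; i < p->n; i++)
        if (p->uses[i].reqid == reqid && p->uses[i].prio == prio) {
            p->uses[i] = p->uses[--p->n];
            break;
        }
    if (p->n == 0) *p = s->pol[--s->n];
}

/* the usage the kernel enforces for a packet matching src/dst right now;
 * act == ACT_NONE means no policy at all, i.e. the packet leaves in plaintext */
static struct usage lookup(struct spd *s, const char *src, const char *dst)
{
    struct usage none = { 0, 0, ACT_NONE };
    struct policy *p = find_policy(s, src, dst);
    if (!p) return none;
    struct usage best = p->uses[0];
    for (int i = 1; i < p->n; i++)
        if (p->uses[i].prio < best.prio) best = p->uses[i];
    return best;
}

/* MOBIKE-style update: the old policy is removed before the new one is
 * installed. Returns what the selector did in the window in between. */
static enum action update_gap(int with_fallback)
{
    struct spd s = {0};
    add_policy(&s, SRC, DST, 1, PRIO_ESTABLISHED, ACT_IPSEC);
    if (with_fallback) add_policy(&s, SRC, DST, 1, PRIO_FALLBACK, ACT_DROP);
    del_policy(&s, SRC, DST, 1, PRIO_ESTABLISHED);
    enum action gap = lookup(&s, SRC, DST).act;
    add_policy(&s, SRC, DST, 1, PRIO_ESTABLISHED, ACT_IPSEC);  /* new policy lands */
    return gap;
}

/* "ipsec unroute" on a connection that is also established: both share one
 * reqid, so the delete must match on priority to remove only the trap */
static enum action unroute_while_established(void)
{
    struct spd s = {0};
    add_policy(&s, SRC, DST, 1, PRIO_TRAP, ACT_TRAP);          /* auto=route */
    add_policy(&s, SRC, DST, 1, PRIO_ESTABLISHED, ACT_IPSEC);  /* CHILD_SA up */
    del_policy(&s, SRC, DST, 1, PRIO_TRAP);
    return lookup(&s, SRC, DST).act;
}

/* reauth=yes with auto=route: the new CHILD_SA gets a new reqid, and tearing
 * down the old one must leave the new policy (and the trap) in place */
static unsigned reauth_active_reqid(void)
{
    struct spd s = {0};
    add_policy(&s, SRC, DST, 1, PRIO_TRAP, ACT_TRAP);
    add_policy(&s, SRC, DST, 1, PRIO_ESTABLISHED, ACT_IPSEC);
    add_policy(&s, SRC, DST, 2, PRIO_ESTABLISHED, ACT_IPSEC);  /* reauthenticated */
    del_policy(&s, SRC, DST, 1, PRIO_ESTABLISHED);
    return lookup(&s, SRC, DST).reqid;
}

int main(void)
{
    printf("update gap, no fallback:   %s\n", update_gap(0) == ACT_NONE ? "plaintext" : "protected");
    printf("update gap, with fallback: %s\n", update_gap(1) == ACT_DROP ? "dropped" : "leaked");
    printf("after unroute: %s\n", unroute_while_established() == ACT_IPSEC ? "still IPsec" : "lost");
    printf("after reauth:  reqid %u\n", reauth_active_reqid());
    return 0;
}
```

Build with `cc -std=c99 -Wall spd_model.c` (file name is arbitrary). The two points worth taking away: the fallback drop policy only ever matches when nothing with a better priority is present, so it costs nothing while the real policy exists and closes the plaintext window the moment it is gone; and because the kernel entry is shared, a delete must be matched on both reqid and priority (or, after reauth, on the recorded history) rather than on the selector alone, otherwise unrouting or tearing down the old CHILD_SA removes the policy the live CHILD_SA still depends on.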

8 years ago  Add the reqid to kernel_ipsec_t.del_policy.
Tobias Brunner [Fri, 13 May 2011 10:50:29 +0000 (12:50 +0200)]
Add the reqid to kernel_ipsec_t.del_policy.

8 years ago  Added a replace function to linked_list_t.
Tobias Brunner [Fri, 13 May 2011 09:52:49 +0000 (11:52 +0200)]
Added a replace function to linked_list_t.

8 years ago  Added an insert_after and insert_before function to linked_list_t.
Tobias Brunner [Fri, 13 May 2011 09:51:58 +0000 (11:51 +0200)]
Added an insert_after and insert_before function to linked_list_t.

8 years ago  Migrated linked_list_t to INIT/METHOD macros.
Tobias Brunner [Fri, 13 May 2011 08:56:31 +0000 (10:56 +0200)]
Migrated linked_list_t to INIT/METHOD macros.

8 years ago  Cache the most recent reqid in the PF_KEY kernel interface.
Tobias Brunner [Tue, 10 May 2011 12:00:03 +0000 (14:00 +0200)]
Cache the most recent reqid in the PF_KEY kernel interface.

This makes the PF_KEY kernel interface behave the same as the Netlink
kernel interface.

8 years ago  corrected description of shunt-policies scenario
Andreas Steffen [Tue, 5 Jul 2011 20:07:42 +0000 (22:07 +0200)]
corrected description of shunt-policies scenario

8 years ago  install PASS and DROP shunt policies via PFKEYv2 interface
Andreas Steffen [Tue, 5 Jul 2011 19:57:27 +0000 (21:57 +0200)]
install PASS and DROP shunt policies via PFKEYv2 interface

8 years ago  Added news about library dir change.
Tobias Brunner [Tue, 5 Jul 2011 13:26:50 +0000 (15:26 +0200)]
Added news about library dir change.

8 years ago  Don't install the libraries directly in lib/.
Tobias Brunner [Wed, 8 Jun 2011 13:49:15 +0000 (15:49 +0200)]
Don't install the libraries directly in lib/.

Instead use a subdirectory (prefix/lib/ipsec by default). Also moved the
plugins from libexec to a subdirectory of that dir.

8 years ago  ignore ports of IPv4 and IPv6 loopback interfaces
Andreas Steffen [Tue, 5 Jul 2011 07:16:01 +0000 (09:16 +0200)]
ignore ports of IPv4 and IPv6 loopback interfaces

8 years ago  fixed UTF-8 representation of Polish reason string
Andreas Steffen [Tue, 5 Jul 2011 05:44:46 +0000 (07:44 +0200)]
fixed UTF-8 representation of Polish reason string

8 years ago  version bump to 4.5.3dr8
Andreas Steffen [Tue, 5 Jul 2011 05:37:36 +0000 (07:37 +0200)]
version bump to 4.5.3dr8

8 years ago  delete orphan file
Andreas Steffen [Mon, 4 Jul 2011 21:02:06 +0000 (23:02 +0200)]
delete orphan file

8 years ago  start and stop apache server on dave
Andreas Steffen [Mon, 4 Jul 2011 20:40:46 +0000 (22:40 +0200)]
start and stop apache server on dave

8 years ago  added ITA Scanner IMC/IMV pair to tnccs-11-radius-block scenario
Andreas Steffen [Mon, 4 Jul 2011 20:32:34 +0000 (22:32 +0200)]
added ITA Scanner IMC/IMV pair to tnccs-11-radius-block scenario

8 years ago  fixed debug statement
Andreas Steffen [Mon, 4 Jul 2011 20:27:46 +0000 (22:27 +0200)]
fixed debug statement

8 years ago  added ITA Scanner IMC/IMV pair to tnccs-20 and tnccs-20-block scenarios
Andreas Steffen [Mon, 4 Jul 2011 19:44:22 +0000 (21:44 +0200)]
added ITA Scanner IMC/IMV pair to tnccs-20 and tnccs-20-block scenarios

8 years ago  added ITA Scanner IMC/IMV pair which detects open server ports on TNC clients
Andreas Steffen [Mon, 4 Jul 2011 19:40:25 +0000 (21:40 +0200)]
added ITA Scanner IMC/IMV pair which detects open server ports on TNC clients

8 years ago  added support of the IETF port filter attribute
Andreas Steffen [Fri, 1 Jul 2011 16:10:33 +0000 (18:10 +0200)]
added support of the IETF port filter attribute

8 years ago  again a bitwise or is required
Andreas Steffen [Thu, 30 Jun 2011 20:26:36 +0000 (22:26 +0200)]
again a bitwise or is required

8 years ago  version bump to 4.5.3dr7
Andreas Steffen [Wed, 29 Jun 2011 14:51:33 +0000 (16:51 +0200)]
version bump to 4.5.3dr7

8 years ago  fixed sql/shunt-policies scenario
Andreas Steffen [Wed, 29 Jun 2011 06:23:58 +0000 (08:23 +0200)]
fixed sql/shunt-policies scenario

8 years ago  implemented PASS and DROP shunt policies
Andreas Steffen [Tue, 28 Jun 2011 17:42:54 +0000 (19:42 +0200)]
implemented PASS and DROP shunt policies

8 years ago  Initialize trap_manager listener with INIT macro, too
Martin Willi [Tue, 28 Jun 2011 15:19:20 +0000 (17:19 +0200)]
Initialize trap_manager listener with INIT macro, too

8 years ago  Migrated trap_manager_t to INIT/METHOD macros
Andreas Steffen [Tue, 28 Jun 2011 12:42:29 +0000 (14:42 +0200)]
Migrated trap_manager_t to INIT/METHOD macros

8 years ago  version bump to 4.5.3dr6
Andreas Steffen [Mon, 27 Jun 2011 20:35:20 +0000 (22:35 +0200)]
version bump to 4.5.3dr6

8 years ago  oops, should have been a bitwise and
Andreas Steffen [Sat, 25 Jun 2011 12:57:49 +0000 (14:57 +0200)]
oops, should have been a bitwise and

8 years ago  fixed copy-and-paste error
Andreas Steffen [Sat, 25 Jun 2011 12:21:20 +0000 (14:21 +0200)]
fixed copy-and-paste error

8 years ago  output all known PA-TNC subtype names
Andreas Steffen [Fri, 24 Jun 2011 15:31:47 +0000 (17:31 +0200)]
output all known PA-TNC subtype names

8 years ago  added tnc/tnccs-20-server-retry scenario
Andreas Steffen [Thu, 23 Jun 2011 17:59:27 +0000 (19:59 +0200)]
added tnc/tnccs-20-server-retry scenario

8 years ago  renamed tncss-20-retry scenario to tnccs-20-client-retry
Andreas Steffen [Thu, 23 Jun 2011 17:59:00 +0000 (19:59 +0200)]
renamed tncss-20-retry scenario to tnccs-20-client-retry