strongswan.git
Andreas Steffen [Sun, 26 Sep 2010 08:16:30 +0000 (10:16 +0200)]
fixed release of virtual IP for XAUTH identities

Andreas Steffen [Mon, 20 Sep 2010 18:03:20 +0000 (20:03 +0200)]
include RFC 5998

Tobias Brunner [Thu, 16 Sep 2010 08:27:49 +0000 (10:27 +0200)]
draft-ietf-ipsecme-eap-mutual will be released as RFC 5998.

Andreas Steffen [Wed, 15 Sep 2010 10:55:31 +0000 (12:55 +0200)]
the updated IKEv2 RFC 5996 has been released

Andreas Steffen [Wed, 15 Sep 2010 10:48:58 +0000 (12:48 +0200)]
added notify messages defined in RFC 5996

Andreas Steffen [Fri, 10 Sep 2010 20:14:12 +0000 (22:14 +0200)]
show validity of OCSP responses

Tobias Brunner [Fri, 10 Sep 2010 09:18:31 +0000 (11:18 +0200)]
Added missing options (corrected some default values).

Tobias Brunner [Fri, 10 Sep 2010 08:00:02 +0000 (10:00 +0200)]
Moved load-tester configuration to a separate section.

Tobias Brunner [Thu, 9 Sep 2010 16:55:26 +0000 (18:55 +0200)]
Added information about logger configuration.

Tobias Brunner [Thu, 9 Sep 2010 16:50:24 +0000 (18:50 +0200)]
More information about IKEv2 retransmissions added.

Tobias Brunner [Thu, 9 Sep 2010 16:49:04 +0000 (18:49 +0200)]
Adding most of the strongswan.conf options from the wiki.

Tobias Brunner [Thu, 9 Sep 2010 12:03:22 +0000 (14:03 +0200)]
Added strongswan.conf(5) stub.

Tobias Brunner [Thu, 9 Sep 2010 11:15:36 +0000 (13:15 +0200)]
Moved man pages for config files to a separate directory.

Andreas Steffen [Fri, 10 Sep 2010 05:37:28 +0000 (07:37 +0200)]
version bump to 4.5.0dr2

Andreas Steffen [Thu, 9 Sep 2010 19:38:22 +0000 (21:38 +0200)]
fixed memory leak

Martin Willi [Thu, 9 Sep 2010 15:40:16 +0000 (17:40 +0200)]
Compare subject against all key identifiers in has_subject()

Andreas Steffen [Thu, 9 Sep 2010 15:14:06 +0000 (17:14 +0200)]
has_subject() now resolves ID_KEY_IDs

Martin Willi [Thu, 9 Sep 2010 12:27:41 +0000 (14:27 +0200)]
Do not change cipherspec while we have buffered handshake fragments pending

Andreas Steffen [Thu, 9 Sep 2010 11:37:22 +0000 (13:37 +0200)]
added ikev1/net2net-same-nets scenario

Tobias Brunner [Thu, 9 Sep 2010 11:19:51 +0000 (13:19 +0200)]
Conditional exclusion of tls_test script completed.

Tobias Brunner [Thu, 9 Sep 2010 11:19:22 +0000 (13:19 +0200)]
Fixed typo.

Andreas Steffen [Thu, 9 Sep 2010 09:14:48 +0000 (11:14 +0200)]
debug output of inbound and outbound TNCCS batches

Andreas Steffen [Thu, 9 Sep 2010 09:13:48 +0000 (11:13 +0200)]
support non EAP-TTLS conformant RADIUS-type attribute segmentation

Tobias Brunner [Thu, 9 Sep 2010 08:10:43 +0000 (10:10 +0200)]
Fixed copy/paste error.

Andreas Steffen [Thu, 9 Sep 2010 06:57:13 +0000 (08:57 +0200)]
added explanatory comments

Andreas Steffen [Wed, 8 Sep 2010 11:44:34 +0000 (13:44 +0200)]
send well-formed TNCCS-Batch

Andreas Steffen [Wed, 8 Sep 2010 10:58:40 +0000 (12:58 +0200)]
make max_message_count configurable and move it into tls_eap_t

Andreas Steffen [Wed, 8 Sep 2010 10:11:44 +0000 (12:11 +0200)]
handle TLS_PURPOSE_EAP_TNC

Martin Willi [Wed, 8 Sep 2010 09:59:00 +0000 (11:59 +0200)]
Added a simple led plugin to control Linux LEDs based on IKE activity

Andreas Steffen [Wed, 8 Sep 2010 09:09:11 +0000 (11:09 +0200)]
moved tls_t existence test into tls_eap_create() again

Andreas Steffen [Wed, 8 Sep 2010 09:01:47 +0000 (11:01 +0200)]
generalized tls_eap_t to support EAP_TNC wrapping the TNC_IF_TNCCS protocol

Martin Willi [Wed, 8 Sep 2010 08:32:55 +0000 (10:32 +0200)]
Read the compression type byte for EC groups, only

Andreas Steffen [Wed, 8 Sep 2010 05:22:31 +0000 (07:22 +0200)]
added non-standard SERPENT and TWOFISH support to kernel_netlink plugin

Andreas Steffen [Tue, 7 Sep 2010 15:14:32 +0000 (17:14 +0200)]
added openssl-ikev2/rw-eap-tls-only scenario

Andreas Steffen [Tue, 7 Sep 2010 09:17:51 +0000 (11:17 +0200)]
added qcStatements OID

Martin Willi [Tue, 7 Sep 2010 08:24:40 +0000 (10:24 +0200)]
Fixed typos

Martin Willi [Tue, 7 Sep 2010 08:21:44 +0000 (10:21 +0200)]
Build tls_test script only if TLS stack is enabled

Martin Willi [Tue, 7 Sep 2010 08:21:25 +0000 (10:21 +0200)]
Added PKCS#11 NEWS

Martin Willi [Tue, 7 Sep 2010 08:10:36 +0000 (10:10 +0200)]
Added (EAP-)TLS NEWS

Martin Willi [Mon, 6 Sep 2010 16:51:38 +0000 (18:51 +0200)]
Include ec_point_format extension in ClientHello

Martin Willi [Mon, 6 Sep 2010 16:42:43 +0000 (18:42 +0200)]
Added TLS specific EC point formats

Martin Willi [Mon, 6 Sep 2010 16:36:27 +0000 (18:36 +0200)]
Renamed ecp_format to ansi_format, as point formats in TLS use different identifiers

Martin Willi [Mon, 6 Sep 2010 16:11:05 +0000 (18:11 +0200)]
Enable the random plugin for scripts

Martin Willi [Mon, 6 Sep 2010 15:04:59 +0000 (17:04 +0200)]
Accept TLS records with zero-length plaintext

Martin Willi [Mon, 6 Sep 2010 14:44:47 +0000 (16:44 +0200)]
Added strongswan.conf option to filter for specific TLS suites

Martin Willi [Mon, 6 Sep 2010 14:37:45 +0000 (16:37 +0200)]
Added strongswan.conf options to filter cipher suites by specific algorithms

Martin Willi [Mon, 6 Sep 2010 14:36:16 +0000 (16:36 +0200)]
Register missing AUTH_HMAC_SHA384 algorithm without truncation

Martin Willi [Mon, 6 Sep 2010 14:35:53 +0000 (16:35 +0200)]
Fixed key type in TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

Martin Willi [Mon, 6 Sep 2010 13:31:32 +0000 (15:31 +0200)]
Prepend point format to ECDH public key

Martin Willi [Mon, 6 Sep 2010 09:19:47 +0000 (11:19 +0200)]
Log the selected (EC)DH group

Martin Willi [Mon, 6 Sep 2010 08:55:15 +0000 (10:55 +0200)]
Parse unsupported TLS Hello extensions properly

Martin Willi [Mon, 6 Sep 2010 08:54:11 +0000 (10:54 +0200)]
Added TLS extension identifiers from RFC 3546

Tobias Brunner [Mon, 6 Sep 2010 10:04:26 +0000 (12:04 +0200)]
Of course, mark is also supported by pluto.

Tobias Brunner [Mon, 6 Sep 2010 09:53:59 +0000 (11:53 +0200)]
mark_in and mark_out are also supported by pluto.

Martin Willi [Fri, 3 Sep 2010 16:24:03 +0000 (18:24 +0200)]
Do not propose (EC)DHE suites if we do not support them

Martin Willi [Fri, 3 Sep 2010 16:11:03 +0000 (18:11 +0200)]
Offer only algorithms/suites we have a registered public key backend for

Martin Willi [Fri, 3 Sep 2010 16:09:48 +0000 (18:09 +0200)]
Added a final flag to builder registration to enumerate the actually supported algorithms

Martin Willi [Fri, 3 Sep 2010 15:24:39 +0000 (17:24 +0200)]
Fixed key type of ECDHE_RSA groups

Martin Willi [Fri, 3 Sep 2010 15:05:39 +0000 (17:05 +0200)]
Use a dynamic curve enumerator to list/convert TLS named curves

Martin Willi [Fri, 3 Sep 2010 14:22:49 +0000 (16:22 +0200)]
Use ECDH group check where appropriate

Martin Willi [Fri, 3 Sep 2010 14:22:10 +0000 (16:22 +0200)]
Added a generic function to check if a DH group is an EC group

Martin Willi [Fri, 3 Sep 2010 10:54:40 +0000 (12:54 +0200)]
Add ECDHE enabled cipher suites, including ECDSA variants

Martin Willi [Fri, 3 Sep 2010 10:51:26 +0000 (12:51 +0200)]
Added support for a non-truncated SHA384 HMAC variant, as used by TLS

Martin Willi [Fri, 3 Sep 2010 10:50:18 +0000 (12:50 +0200)]
Select private key based on received cipher suites

Martin Willi [Fri, 3 Sep 2010 09:45:55 +0000 (11:45 +0200)]
Support for EC curve Hello extension, EC curve fallback

Martin Willi [Fri, 3 Sep 2010 09:00:37 +0000 (11:00 +0200)]
Added server support for ECDHE key exchange

Martin Willi [Fri, 3 Sep 2010 09:00:07 +0000 (11:00 +0200)]
Added client support for ECDHE key exchange

Martin Willi [Fri, 3 Sep 2010 08:59:01 +0000 (10:59 +0200)]
Added TLS EC curve type and name identifiers

Andreas Steffen [Fri, 3 Sep 2010 11:30:40 +0000 (13:30 +0200)]
fixed typo

Andreas Steffen [Fri, 3 Sep 2010 10:57:16 +0000 (12:57 +0200)]
updown script variable is called PLUTO_UDP_ENC

Tobias Brunner [Fri, 3 Sep 2010 09:44:01 +0000 (11:44 +0200)]
Fixed left-/rightnexthop ipsec.conf options.

Martin Willi [Fri, 3 Sep 2010 07:32:39 +0000 (09:32 +0200)]
Check for queued TLS alerts after each handshake part

Martin Willi [Fri, 3 Sep 2010 07:32:18 +0000 (09:32 +0200)]
Added support for MODP_CUSTOM to gcrypt plugin

Martin Willi [Fri, 3 Sep 2010 07:31:51 +0000 (09:31 +0200)]
Added support for MODP_CUSTOM to openssl plugin

Andreas Steffen [Fri, 3 Sep 2010 07:29:56 +0000 (09:29 +0200)]
adapted debug options

Andreas Steffen [Fri, 3 Sep 2010 07:27:16 +0000 (09:27 +0200)]
adapted debug options

Andreas Steffen [Thu, 2 Sep 2010 20:19:25 +0000 (22:19 +0200)]
removed redundant debug output

Andreas Steffen [Thu, 2 Sep 2010 20:18:52 +0000 (22:18 +0200)]
version bump to 4.5.0dr2

Andreas Steffen [Thu, 2 Sep 2010 12:37:27 +0000 (14:37 +0200)]
optimized FreeRadius scenarios for debug output

Andreas Steffen [Thu, 2 Sep 2010 12:36:52 +0000 (14:36 +0200)]
added ikev2/rw-eap-tnc-radius scenario

Andreas Steffen [Thu, 2 Sep 2010 11:19:24 +0000 (13:19 +0200)]
added radius init script with increased debugging

Andreas Steffen [Thu, 2 Sep 2010 11:15:49 +0000 (13:15 +0200)]
display configuration and log of FreeRadius servers

Martin Willi [Thu, 2 Sep 2010 17:27:37 +0000 (19:27 +0200)]
Add DHE enabled RSA variants to the supported TLS suites

Martin Willi [Thu, 2 Sep 2010 17:27:13 +0000 (19:27 +0200)]
Added TLS server side support for DHE suites

Martin Willi [Thu, 2 Sep 2010 17:26:19 +0000 (19:26 +0200)]
Added TLS client side support for DHE suites

Martin Willi [Thu, 2 Sep 2010 17:24:56 +0000 (19:24 +0200)]
Store a MODP group we use for each TLS suite

Martin Willi [Thu, 2 Sep 2010 17:23:37 +0000 (19:23 +0200)]
Added support for MODP_CUSTOM to gmp plugin

Martin Willi [Thu, 2 Sep 2010 17:06:34 +0000 (19:06 +0200)]
Added a MODP_CUSTOM DH group which takes g and p as constructor arguments

Martin Willi [Thu, 2 Sep 2010 17:19:17 +0000 (19:19 +0200)]
Implemented "signature algorithm" hello extension

Martin Willi [Thu, 2 Sep 2010 17:07:45 +0000 (19:07 +0200)]
Added TLS extension identifiers

Martin Willi [Thu, 2 Sep 2010 17:15:16 +0000 (19:15 +0200)]
Added generic TLS data sign/verify, hash/sig algorithm construction

Martin Willi [Thu, 2 Sep 2010 12:48:30 +0000 (14:48 +0200)]
Continue with a randomized premaster if decryption failed / version mismatches
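The server-side countermeasure this commit subject names, shown as an added example that is not strongSwan's code: once the server has RSA-decrypted the ClientKeyExchange it must not let a PKCS#1 v1.5 padding failure or a wrong client version field change anything the peer can observe (the Bleichenbacher padding-oracle condition, RFC 5246 section 7.4.7.1). Instead it continues with a fresh random 48-byte premaster, so the handshake simply fails at Finished in every bad case. The `rsa_decrypt` callback, the `fake_rsa_decrypt` stand-in and the constructed inputs are assumptions made for this example.

```python
import hmac
import secrets
from typing import Callable, Optional

PREMASTER_LEN = 48  # TLS premaster secret: 2 version bytes + 46 random bytes


def select_premaster(rsa_decrypt: Callable[[bytes], Optional[bytes]],
                     encrypted_premaster: bytes,
                     client_hello_version: tuple) -> bytes:
    """Hardened form: never abort on bad padding or bad version.

    rsa_decrypt is a caller-supplied RSA-PKCS#1 v1.5 decryption routine
    (an assumption of this example) returning None on a padding failure.
    Both failure modes are mapped to the same outcome as a successful
    decryption of garbage: a random premaster the client cannot predict.
    """
    # Generate the fallback unconditionally so the random-number call is
    # not itself a side channel that only fires on the failure path.
    fallback = secrets.token_bytes(PREMASTER_LEN)
    decrypted = rsa_decrypt(encrypted_premaster)
    ok = decrypted is not None and len(decrypted) == PREMASTER_LEN
    if ok:
        major, minor = client_hello_version
        # The first two bytes must echo the version from the ClientHello,
        # not the negotiated one; compare without short-circuiting.
        ok = hmac.compare_digest(decrypted[:2], bytes([major, minor]))
    return decrypted if ok else fallback


def select_premaster_oracle(rsa_decrypt: Callable[[bytes], Optional[bytes]],
                            encrypted_premaster: bytes,
                            client_hello_version: tuple) -> bytes:
    """Oracle form, for contrast only: a distinguishable error per failure.

    An attacker who can send chosen ciphertexts learns from the two
    different errors whether the padding was valid, which is exactly the
    bit a Bleichenbacher attack needs.
    """
    decrypted = rsa_decrypt(encrypted_premaster)
    if decrypted is None:
        raise ValueError("bad_record_mac: PKCS#1 padding invalid")
    if decrypted[:2] != bytes(client_hello_version):
        raise ValueError("decrypt_error: version mismatch")
    return decrypted


def fake_rsa_decrypt(ciphertext: bytes) -> Optional[bytes]:
    """Constructed stand-in for RSA decryption (not real crypto).

    A 'ciphertext' of the form b'OK:' + premaster decrypts to premaster;
    anything else is treated as a PKCS#1 padding failure.
    """
    if ciphertext.startswith(b"OK:"):
        return ciphertext[3:]
    return None


# Constructed sample exchanges: the client offered TLS 1.2 (3, 3).
CLIENT_VERSION = (3, 3)
GOOD_PREMASTER = b"\x03\x03" + b"\x11" * 46
WRONG_VERSION_PREMASTER = b"\x03\x01" + b"\x11" * 46


def demo() -> dict:
    """Run the three cases and report what each branch returned."""
    return {
        "good": select_premaster(fake_rsa_decrypt, b"OK:" + GOOD_PREMASTER,
                                 CLIENT_VERSION),
        "bad_version": select_premaster(fake_rsa_decrypt,
                                        b"OK:" + WRONG_VERSION_PREMASTER,
                                        CLIENT_VERSION),
        "bad_padding": select_premaster(fake_rsa_decrypt, b"garbage",
                                        CLIENT_VERSION),
    }


if __name__ == "__main__":
    for name, pm in demo().items():
        print(f"{name:12s} -> {len(pm)} bytes, {pm[:2].hex()}...")
```

The branch on `ok` is still a data-dependent branch; a C implementation in the daemon's position would additionally do a branch-free select and keep the timing of the decryption itself constant. What the commit subject pins down is the behavioural half of the countermeasure: no alert and no early abort that lets the peer tell the two failure modes apart from a successful decryption.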

Tobias Brunner [Thu, 2 Sep 2010 16:59:53 +0000 (18:59 +0200)]
pluto: Removed unused lifetime from raw_eroute.

Tobias Brunner [Thu, 2 Sep 2010 14:05:21 +0000 (16:05 +0200)]
pluto: Added support for statically configured reqids.

Tobias Brunner [Mon, 30 Aug 2010 08:04:16 +0000 (10:04 +0200)]
testing: Added ikev1 xfrm mark scenarios.

Tobias Brunner [Mon, 30 Aug 2010 08:01:37 +0000 (10:01 +0200)]
pluto: Make marks available in updown script.

Tobias Brunner [Mon, 30 Aug 2010 07:59:25 +0000 (09:59 +0200)]
pluto: Fixed comparison of connections, if marks are specified.

Tobias Brunner [Mon, 30 Aug 2010 07:56:53 +0000 (09:56 +0200)]
pluto: Store xfrm marks on connection and use them when installing SAs and policies.

Tobias Brunner [Mon, 30 Aug 2010 06:58:56 +0000 (08:58 +0200)]
starter: Some whitespace cleanup.

Tobias Brunner [Mon, 30 Aug 2010 06:54:38 +0000 (08:54 +0200)]
pluto: Added PLUTO_UDP_ENC argument to updown script.

This contains the remote UDP port in case of UDP encapsulated ESP.