strongswan.git
7 years ago: Fix parsing of IPv6 headers in ip_packet_t
Tobias Brunner [Fri, 28 Sep 2012 13:15:07 +0000 (15:15 +0200)]

7 years ago: Properly cleanup varargs in LDAP fetcher's set_option()
Tobias Brunner [Fri, 28 Sep 2012 13:13:17 +0000 (15:13 +0200)]

7 years ago: Properly cleanup varargs in enumerators of both SQL backends
Tobias Brunner [Fri, 28 Sep 2012 13:10:29 +0000 (15:10 +0200)]

7 years ago: Allow replay windows smaller than the default of 32
Tobias Brunner [Thu, 27 Sep 2012 10:25:43 +0000 (12:25 +0200)]

7 years ago: Properly initialize cached address map in kernel-pfroute plugin
Tobias Brunner [Thu, 27 Sep 2012 10:42:48 +0000 (12:42 +0200)]

7 years ago: Clarified error message if enabling UDP decapsulation fails
Tobias Brunner [Thu, 27 Sep 2012 08:49:17 +0000 (10:49 +0200)]

7 years ago: Fixed compilation of kernel-pfroute plugin
Tobias Brunner [Thu, 27 Sep 2012 07:03:04 +0000 (09:03 +0200)]

7 years ago: Added description for flush_auth_cfg and acct_port plus some minor editorial changes
Tobias Brunner [Tue, 25 Sep 2012 10:22:05 +0000 (12:22 +0200)]

7 years ago: IKE_AUTH_LIFETIME task is not defined if IKEv2 is disabled
Tobias Brunner [Tue, 25 Sep 2012 07:31:47 +0000 (09:31 +0200)]

Fixes #229.

7 years ago: New Android release after fixing private key issues on Jelly Bean
Tobias Brunner [Mon, 24 Sep 2012 15:13:23 +0000 (17:13 +0200)]

7 years ago: android: Leak the private key reference on Jelly Bean to avoid a bug in the framework
Tobias Brunner [Mon, 24 Sep 2012 14:56:37 +0000 (16:56 +0200)]

A bug in the framework on Android Jelly Bean causes a SIGSEGV when the private
key object returned from KeyChain.getPrivateKey is garbage collected.
Leaking the global reference to that object prevents the garbage
collection and thereby the crash.

7 years ago: android: Added a global variable to check the current SDK version
Tobias Brunner [Mon, 24 Sep 2012 14:54:38 +0000 (16:54 +0200)]

7 years ago: Don't check interface of inbound message if interfaces are not filtered
Tobias Brunner [Sun, 23 Sep 2012 07:14:26 +0000 (09:14 +0200)]

We don't have a proper kernel-net interface on Android yet, so the check
for a usable interface does not work there.

7 years ago: android: Load the private key and certificates separately in android_creds_t
Tobias Brunner [Sun, 23 Sep 2012 07:02:58 +0000 (09:02 +0200)]

7 years ago: android: Added a method to get the user's private key via JNI
Tobias Brunner [Sun, 23 Sep 2012 07:00:34 +0000 (09:00 +0200)]

7 years ago: android: Added a JNI backed private key implementation
Tobias Brunner [Sun, 23 Sep 2012 06:58:37 +0000 (08:58 +0200)]

This is required because private keys are provided by an OpenSSL engine
in Jelly Bean, which makes them inaccessible directly via getEncoding.

7 years ago: Documentation about some time values clarified
Tobias Brunner [Mon, 24 Sep 2012 14:02:03 +0000 (16:02 +0200)]

7 years ago: removed ikev2/dynamic-responder scenario
Andreas Steffen [Sat, 22 Sep 2012 15:50:50 +0000 (17:50 +0200)]

7 years ago: Make sure the if_name member of cached route entries is initialized to NULL
Tobias Brunner [Sat, 22 Sep 2012 06:23:56 +0000 (08:23 +0200)]

7 years ago: do not enable integrity and crypto tests in ikev1/rw-cert-unity scenario
Andreas Steffen [Fri, 21 Sep 2012 19:25:56 +0000 (21:25 +0200)]

7 years ago: NEWS about kernel interface changes
Tobias Brunner [Fri, 21 Sep 2012 06:41:41 +0000 (08:41 +0200)]

7 years ago: Properly handle thread cancelation in rwlock_condvar_t
Tobias Brunner [Fri, 21 Sep 2012 05:58:37 +0000 (07:58 +0200)]

7 years ago: Use an rwlock in kernel-pfroute too
Tobias Brunner [Fri, 21 Sep 2012 06:06:40 +0000 (08:06 +0200)]

7 years ago: Use rwlock and rwlock_condvar to increase concurrency in kernel-netlink plugin
Tobias Brunner [Thu, 20 Sep 2012 16:21:42 +0000 (18:21 +0200)]

7 years ago: Use a separate mutex for cached routes in kernel-netlink plugin
Tobias Brunner [Thu, 20 Sep 2012 16:06:01 +0000 (18:06 +0200)]

7 years ago: Added a condvar implementation that works with rwlock_t
Tobias Brunner [Thu, 20 Sep 2012 15:56:20 +0000 (17:56 +0200)]

7 years ago: Use a lock to safely check and update the time for the next roam event
Tobias Brunner [Thu, 20 Sep 2012 09:58:52 +0000 (11:58 +0200)]

7 years ago: Added an option to configure the interface on which virtual IP addresses are installed
Tobias Brunner [Thu, 20 Sep 2012 09:07:15 +0000 (11:07 +0200)]

7 years ago: Changed how kernel-netlink handles virtual IP addresses
Tobias Brunner [Wed, 19 Sep 2012 17:10:23 +0000 (19:10 +0200)]

Also tried to avoid the use of enumerators.

7 years ago: Made IP address enumeration more flexible
Tobias Brunner [Mon, 17 Sep 2012 17:04:51 +0000 (19:04 +0200)]

Also added an option to enumerate addresses on ignored interfaces.

7 years ago: Avoid calculating the hash if hashtable is empty
Tobias Brunner [Fri, 21 Sep 2012 06:49:59 +0000 (08:49 +0200)]

7 years ago: Use a hashtable to quickly check for usable IP addresses/interfaces
Tobias Brunner [Mon, 17 Sep 2012 16:09:51 +0000 (18:09 +0200)]

7 years ago: Drop packets received on ignored interfaces
Tobias Brunner [Fri, 14 Sep 2012 14:43:54 +0000 (16:43 +0200)]

7 years ago: Filter ignored interfaces in kernel interfaces (for events, address enumeration, etc.)
Tobias Brunner [Fri, 14 Sep 2012 14:43:08 +0000 (16:43 +0200)]

7 years ago: %any is never on a local interface
Tobias Brunner [Fri, 14 Sep 2012 14:30:06 +0000 (16:30 +0200)]

7 years ago: Avoid memset in is_anyaddr()
Tobias Brunner [Fri, 14 Sep 2012 14:14:57 +0000 (16:14 +0200)]

7 years ago: Make it easy to check if an address is locally usable via changed get_interface() method
Tobias Brunner [Fri, 14 Sep 2012 14:27:33 +0000 (16:27 +0200)]

7 years ago: Don't ignore loopback devices and allow addresses on them to be enumerated
Tobias Brunner [Fri, 14 Sep 2012 13:03:09 +0000 (15:03 +0200)]

7 years ago: Added options and a lookup function that will allow filtering of network interfaces
Tobias Brunner [Fri, 14 Sep 2012 12:43:17 +0000 (14:43 +0200)]

7 years ago: Make streq() and strcaseeq() static inline functions so they can be used as callbacks
Tobias Brunner [Fri, 14 Sep 2012 10:06:02 +0000 (12:06 +0200)]

7 years ago: Use source address in get_nexthop() call
Tobias Brunner [Tue, 18 Sep 2012 15:55:38 +0000 (17:55 +0200)]

Otherwise the nexthop returned might belong to a different route than
the one actually used with the current source address.

7 years ago: Source address lookup refactored
Tobias Brunner [Wed, 12 Oct 2011 13:52:18 +0000 (15:52 +0200)]

Routes matching the destination are now first parsed and sorted by network
prefix length.  This list is then used to search for the best route with
a matching preferred source address (if one is specified).  This makes sure
we really check all routes for that address.

7 years ago: Check routes with equal prefix if preferred source is specified
Tobias Brunner [Fri, 30 Sep 2011 15:41:01 +0000 (17:41 +0200)]

7 years ago: Try to find preferred source on interface if returned source does not match
Tobias Brunner [Fri, 9 Sep 2011 14:07:40 +0000 (16:07 +0200)]

7 years ago: Try to keep the given source address when looking up routes
Tobias Brunner [Thu, 1 Sep 2011 09:33:13 +0000 (11:33 +0200)]

This allows pinning the local end of an IKE_SA to an address that is not the
physical address of an interface.  Without this patch the local address would
change to the physical address when roam events occur.

7 years ago: Make sure we propose a dynamic TS if we don't have hosts to derive a TS from
Tobias Brunner [Fri, 21 Sep 2012 16:13:42 +0000 (18:13 +0200)]

7ee37114 removed this behavior.

7 years ago: Move rw-eap-dynamic scenario to its proper location
Tobias Brunner [Fri, 21 Sep 2012 07:34:10 +0000 (09:34 +0200)]

7 years ago: In mem_pool, check for an existing ID entry before creating a new one
Martin Willi [Thu, 20 Sep 2012 09:04:55 +0000 (11:04 +0200)]

7 years ago: Merge branch 'unity'
Martin Willi [Tue, 18 Sep 2012 15:22:30 +0000 (17:22 +0200)]

Add Cisco Unity extension support implemented in a dedicated plugin.

7 years ago: Add a simple test case for the unity plugin, featuring both includes and excludes
Martin Willi [Mon, 17 Sep 2012 14:23:10 +0000 (16:23 +0200)]

7 years ago: Build unity plugin in strongSwan test suite
Martin Willi [Mon, 17 Sep 2012 13:39:29 +0000 (15:39 +0200)]

7 years ago: Add unity plugin NEWS
Martin Willi [Mon, 17 Sep 2012 09:48:31 +0000 (11:48 +0200)]

7 years ago: Update ipsec.conf.5, leftsubnet can handle multiple subnets in IKEv1 with Unity
Martin Willi [Mon, 17 Sep 2012 09:43:11 +0000 (11:43 +0200)]

7 years ago: As Unity responder, don't change the proposed TS at all, racoon doesn't like that
Martin Willi [Mon, 17 Sep 2012 12:30:35 +0000 (14:30 +0200)]

7 years ago: Don't complain about multiple TS in IKEv1, as it is supported with Unity
Martin Willi [Thu, 13 Sep 2012 13:57:39 +0000 (15:57 +0200)]

7 years ago: As initiator, narrow received Unity attributes to configured TS
Martin Willi [Thu, 13 Sep 2012 13:57:06 +0000 (15:57 +0200)]

7 years ago: When using Unity, bump up remote TS as initiator to 0.0.0.0/0, too
Martin Willi [Thu, 13 Sep 2012 13:38:04 +0000 (15:38 +0200)]

7 years ago: Enable Cisco Unity only if Unity vendor id received
Martin Willi [Thu, 13 Sep 2012 13:09:21 +0000 (15:09 +0200)]

7 years ago: Exchange 0.0.0.0/0 traffic selectors with Unity, narrowing after exchange
Martin Willi [Tue, 24 Jul 2012 11:23:48 +0000 (13:23 +0200)]

7 years ago: Add a Unity attribute provider that adds Split-Includes for TS
Martin Willi [Tue, 24 Jul 2012 10:21:25 +0000 (12:21 +0200)]

7 years ago: Check if subset calculation actually yields a TS in Unity narrowing
Martin Willi [Tue, 24 Jul 2012 10:20:32 +0000 (12:20 +0200)]

7 years ago: Request Unity configuration attributes for IKEv1 only
Martin Willi [Tue, 24 Jul 2012 08:55:46 +0000 (10:55 +0200)]

7 years ago: Add Cisco Unity client support for Split-Include and Local-LAN
Martin Willi [Mon, 23 Jul 2012 15:14:47 +0000 (17:14 +0200)]

7 years ago: Add a road-warrior test case requesting both an IPv4 and an IPv6 virtual address
Martin Willi [Tue, 18 Sep 2012 14:31:15 +0000 (16:31 +0200)]

7 years ago: Derive a dynamic TS to multiple virtual IPs
Martin Willi [Tue, 18 Sep 2012 10:46:36 +0000 (12:46 +0200)]

7 years ago: Use the vararg list constructor in quick mode task
Martin Willi [Tue, 18 Sep 2012 10:44:59 +0000 (12:44 +0200)]

7 years ago: Add a linked list constructor taking items from a vararg list
Martin Willi [Tue, 18 Sep 2012 10:43:31 +0000 (12:43 +0200)]

7 years ago: Make stroke user-creds work with XAuth configs
Tobias Brunner [Tue, 18 Sep 2012 14:56:17 +0000 (16:56 +0200)]

7 years ago: Fix Doxygen comment for proposal_keywords_t
Tobias Brunner [Tue, 18 Sep 2012 14:11:53 +0000 (16:11 +0200)]

Two dots seem to mark the end of a list.

7 years ago: New Android release after fixing IDr problems
Tobias Brunner [Tue, 18 Sep 2012 13:29:29 +0000 (15:29 +0200)]

7 years ago: Use random ports in NetworkManager backend
Tobias Brunner [Tue, 18 Sep 2012 12:57:05 +0000 (14:57 +0200)]

7 years ago: Fix equality comparison of auth_cfg_t
Tobias Brunner [Tue, 18 Sep 2012 10:47:17 +0000 (12:47 +0200)]

We previously only confirmed that rules contained in the first config are also
contained in the second, but since the number of rules does not have to
be equal, it might be that the second config contains rules that the
first one doesn't.

7 years ago: Set AUTH_RULE_IDENTITY_LOOSE for rightid=%<identity>
Tobias Brunner [Tue, 18 Sep 2012 09:45:12 +0000 (11:45 +0200)]

7 years ago: Use AUTH_RULE_IDENTITY_LOOSE in NetworkManager backend
Tobias Brunner [Tue, 18 Sep 2012 12:39:45 +0000 (14:39 +0200)]

7 years ago: android: Use AUTH_RULE_IDENTITY_LOOSE
Tobias Brunner [Tue, 18 Sep 2012 09:21:49 +0000 (11:21 +0200)]

7 years ago: Add AUTH_RULE_IDENTITY_LOOSE which allows using IDr loosely as initiator
Tobias Brunner [Tue, 18 Sep 2012 09:16:10 +0000 (11:16 +0200)]

If it is set on an auth config, IDr will not be sent, and later the configured
identity will not only be checked against the returned IDr, but also
against other identities contained in the responder's certificate.

7 years ago: New Android release after fixing Unicode conversion bug
Tobias Brunner [Mon, 17 Sep 2012 08:55:10 +0000 (10:55 +0200)]

7 years ago: android: Fix conversion of actual Unicode strings (i.e. bytes!=chars)
Tobias Brunner [Mon, 17 Sep 2012 08:30:39 +0000 (10:30 +0200)]

7 years ago: Removed the unneeded socket-raw plugin
Tobias Brunner [Fri, 14 Sep 2012 12:10:14 +0000 (14:10 +0200)]

7 years ago: Change traffic selectors during Quick Mode in case of a NAT in transport mode
Tobias Brunner [Fri, 14 Sep 2012 07:07:21 +0000 (09:07 +0200)]

Windows 7 sends its internal address as TSi.  While we don't support the
NAT-T drafts as used by Windows XP it is interesting to note that the
client there omits the TSi payload which then would automatically get set
to the public IP address of the client.

Fixes #220.

7 years ago: Merge branch 'custom-crypto'
Tobias Brunner [Thu, 13 Sep 2012 13:50:52 +0000 (15:50 +0200)]

This provides plugins with an interface to register keywords for
proposals (e.g. when parsing the esp and ike options from ipsec.conf)
and the possibility to register identifiers for kernel algorithms.

It is based on patches contributed by Nanoteq Pty Ltd.

7 years ago: Added algorithm lookup via kernel_interface_t to the various kernel interfaces
Tobias Brunner [Thu, 13 Sep 2012 13:22:37 +0000 (15:22 +0200)]

7 years ago: Added possibility to register custom kernel algorithms to kernel interface
Tobias Brunner [Thu, 13 Sep 2012 12:36:04 +0000 (14:36 +0200)]

7 years ago: Added possibility to register custom proposal keywords
Tobias Brunner [Thu, 13 Sep 2012 12:22:08 +0000 (14:22 +0200)]

Keyword lookup and registration are handled via the new lib->proposal object.

7 years ago: Removed len argument from proposal_get_token()
Tobias Brunner [Thu, 13 Sep 2012 11:39:33 +0000 (13:39 +0200)]

Also use enumerators instead of lexparser.h to parse proposal strings.

7 years ago: Make arguments for enumerator_create_token|directory const
Tobias Brunner [Thu, 13 Sep 2012 10:30:22 +0000 (12:30 +0200)]

7 years ago: Moved proposal_keywords to proposal_keywords_static
Francois ten Krooden [Fri, 24 Aug 2012 12:56:42 +0000 (14:56 +0200)]

Added new proposal keywords with function to reference the static keywords.

7 years ago: Option added to enforce a configured destination address for DHCP packets
Tobias Brunner [Thu, 5 Jul 2012 17:06:44 +0000 (19:06 +0200)]

7 years ago: version bump to 5.0.1rc1
Andreas Steffen [Wed, 12 Sep 2012 21:56:12 +0000 (23:56 +0200)]

7 years ago: Allow calls to set_address() for any host-sized TS, not only dynamic ones
Tobias Brunner [Wed, 12 Sep 2012 16:10:04 +0000 (18:10 +0200)]

This fixes CHILD_SA updates (e.g. due to MOBIKE), which were broken
since 4cb0783.

7 years ago: Ensure traffic selectors are dynamic before calling set_address() when deriving them
Tobias Brunner [Wed, 12 Sep 2012 16:07:41 +0000 (18:07 +0200)]

7 years ago: Consistently log XFRM mark masks with 0 prefix in kernel-netlink plugin
Tobias Brunner [Wed, 12 Sep 2012 15:40:36 +0000 (17:40 +0200)]

7 years ago: starter: Added --nolog option to suppress logging in starter itself
Tobias Brunner [Wed, 12 Sep 2012 15:11:54 +0000 (17:11 +0200)]

Fixes #224.

7 years ago: Updates to strongswan.conf(5) man page (added several missing options)
Tobias Brunner [Wed, 12 Sep 2012 14:52:56 +0000 (16:52 +0200)]

7 years ago: Some updates to ipsec.conf(5) man page
Tobias Brunner [Wed, 12 Sep 2012 13:44:00 +0000 (15:44 +0200)]

7 years ago: starter: Allow %any also for protocol in left|rightprotoport
Tobias Brunner [Wed, 12 Sep 2012 13:31:02 +0000 (15:31 +0200)]

7 years ago: Don't allow NULL encryption with PEAP
Martin Willi [Thu, 30 Aug 2012 09:13:02 +0000 (11:13 +0200)]

7 years ago: Use memmove on overlapping regions, and operate with correct sizeof()
Martin Willi [Thu, 30 Aug 2012 09:46:14 +0000 (11:46 +0200)]

7 years ago: Whitespace cleanups in tls_eap
Martin Willi [Thu, 30 Aug 2012 09:14:01 +0000 (11:14 +0200)]

7 years ago: Use uintptr_t in mem pool to avoid compiler warning if sizeof(void*) != sizeof(int)
Martin Willi [Wed, 12 Sep 2012 10:02:11 +0000 (12:02 +0200)]