strongswan.git
8 years ago  version bump to 4.6.3rc1
Andreas Steffen [Thu, 5 Apr 2012 07:11:47 +0000 (09:11 +0200)]
version bump to 4.6.3rc1

8 years ago  remove leading zero in ASN.1 encoded serial numbers
Andreas Steffen [Thu, 5 Apr 2012 07:04:11 +0000 (09:04 +0200)]
remove leading zero in ASN.1 encoded serial numbers

8 years ago  ASN.1 two's complement encoding prevents overflow in CRL serial number
Andreas Steffen [Wed, 4 Apr 2012 09:29:00 +0000 (11:29 +0200)]
ASN.1 two's complement encoding prevents overflow in CRL serial number

8 years ago  Make AES-CMAC actually usable for IKEv2.
Tobias Brunner [Wed, 4 Apr 2012 08:51:46 +0000 (10:51 +0200)]
Make AES-CMAC actually usable for IKEv2.

8 years ago  Added another bunch of commonly used IKEv1 NATT vendor IDs
Martin Willi [Wed, 4 Apr 2012 08:31:57 +0000 (10:31 +0200)]
Added another bunch of commonly used IKEv1 NATT vendor IDs

8 years ago  represent 0 as a single byte
Andreas Steffen [Tue, 3 Apr 2012 12:19:37 +0000 (14:19 +0200)]
represent 0 as a single byte

8 years ago  moved chunk_skip_zero to chunk.h
Andreas Steffen [Tue, 3 Apr 2012 12:12:50 +0000 (14:12 +0200)]
moved chunk_skip_zero to chunk.h

8 years ago  added IKEv2 Generic Secure Password Authentication Method
Andreas Steffen [Tue, 3 Apr 2012 10:49:05 +0000 (12:49 +0200)]
added IKEv2 Generic Secure Password Authentication Method

8 years ago  added IKEv2 Generic Secure Password Authentication Method
Andreas Steffen [Tue, 3 Apr 2012 10:48:48 +0000 (12:48 +0200)]
added IKEv2 Generic Secure Password Authentication Method

8 years ago  added GSPM IKEv2 payload
Andreas Steffen [Tue, 3 Apr 2012 10:21:39 +0000 (12:21 +0200)]
added GSPM IKEv2 payload

8 years ago  fixed typo
Andreas Steffen [Tue, 3 Apr 2012 10:07:13 +0000 (12:07 +0200)]
fixed typo

8 years ago  Doxygen fixes.
Tobias Brunner [Tue, 3 Apr 2012 08:56:47 +0000 (10:56 +0200)]
Doxygen fixes.

8 years ago  Added NEWS about cmac plugin.
Tobias Brunner [Tue, 3 Apr 2012 08:48:03 +0000 (10:48 +0200)]
Added NEWS about cmac plugin.

8 years ago  Added test vectors for AES-CMAC.
Tobias Brunner [Tue, 3 Apr 2012 08:45:09 +0000 (10:45 +0200)]
Added test vectors for AES-CMAC.

8 years ago  Implemented AES-CMAC based PRF and signer.
Tobias Brunner [Tue, 3 Apr 2012 08:40:47 +0000 (10:40 +0200)]
Implemented AES-CMAC based PRF and signer.

The cmac plugin implements AES-CMAC as defined in RFC 4493 and the
signer and PRF based on it as defined in RFC 4494 and RFC 4615,
respectively.
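
The commit message above names the three RFCs the cmac plugin implements. What follows is an added, self-contained example and not strongSwan code (the plugin is C; Go is used here because its standard library ships AES, so the block runs without any dependency). AESCMAC is the RFC 4493 tag, AESCMACPRF128 the RFC 4615 PRF that first compresses a key of any length other than 16 bytes with AES-CMAC under the all-zero key, and Verify96 the 96-bit truncated integrity check of RFC 4494 compared in constant time. The function names are this example's own; the key and message in main are the published RFC 4493 section 4 test vectors.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

const blockSize = 16

// xorInto XORs the first blockSize bytes of src into dst in place.
func xorInto(dst, src []byte) {
	for i := 0; i < blockSize; i++ {
		dst[i] ^= src[i]
	}
}

// shiftLeft shifts a 128-bit block left by one bit and returns the bit shifted out.
func shiftLeft(in []byte) ([]byte, byte) {
	out := make([]byte, blockSize)
	var carry byte
	for i := blockSize - 1; i >= 0; i-- {
		out[i] = in[i]<<1 | carry
		carry = in[i] >> 7
	}
	return out, carry
}

// subkeys derives K1 and K2 (RFC 4493 section 2.3) from L = AES-K(0^128):
// a doubling in GF(2^128), conditionally reduced by Rb = 0x87.
func subkeys(c cipher.Block) (k1, k2 []byte) {
	l := make([]byte, blockSize)
	c.Encrypt(l, l)
	var carry byte
	k1, carry = shiftLeft(l)
	if carry != 0 {
		k1[blockSize-1] ^= 0x87
	}
	k2, carry = shiftLeft(k1)
	if carry != 0 {
		k2[blockSize-1] ^= 0x87
	}
	return k1, k2
}

// AESCMAC returns the full 128-bit AES-CMAC tag (RFC 4493) of msg under a
// 16-byte key. A complete final block is XORed with K1, a partial (or empty)
// one is padded with 10^i and XORed with K2.
func AESCMAC(key, msg []byte) ([]byte, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	k1, k2 := subkeys(c)

	n := (len(msg) + blockSize - 1) / blockSize
	if n == 0 {
		n = 1 // the empty message is still one (padded) block
	}
	last := make([]byte, blockSize)
	tail := msg[(n-1)*blockSize:]
	copy(last, tail)
	if len(msg) > 0 && len(msg)%blockSize == 0 {
		xorInto(last, k1)
	} else {
		last[len(tail)] = 0x80
		xorInto(last, k2)
	}

	x := make([]byte, blockSize) // CBC chaining value, starts at zero
	for i := 0; i < n-1; i++ {
		xorInto(x, msg[i*blockSize:])
		c.Encrypt(x, x)
	}
	xorInto(x, last)
	c.Encrypt(x, x)
	return x, nil
}

// AESCMACPRF128 implements RFC 4615: a 16-byte key is used as is, any other
// length is first reduced to 16 bytes with AES-CMAC under the all-zero key.
// IKEv2 needs this because the PRF is fed keying material of varying length.
func AESCMACPRF128(vk, msg []byte) ([]byte, error) {
	k := vk
	if len(vk) != blockSize {
		var err error
		if k, err = AESCMAC(make([]byte, blockSize), vk); err != nil {
			return nil, err
		}
	}
	return AESCMAC(k, msg)
}

// Verify96 checks a 96-bit truncated tag (AUTH_AES_CMAC_96, RFC 4494) in
// constant time, so a wrong tag does not leak how many bytes matched.
func Verify96(key, msg, tag []byte) bool {
	full, err := AESCMAC(key, msg)
	if err != nil || len(tag) != 12 {
		return false
	}
	return subtle.ConstantTimeCompare(full[:12], tag) == 1
}

func main() {
	// RFC 4493 section 4 key and the 64-byte message its four examples use
	key, _ := hex.DecodeString("2b7e151628aed2a6abf7158809cf4f3c")
	msg, _ := hex.DecodeString("6bc1bee22e409f96e93d7e117393172a" +
		"ae2d8a571e03ac9c9eb76fac45af8e51" +
		"30c81c46a35ce411e5fbc1191a0a52ef" +
		"f69f2445df4f9b17ad2b417be66c3710")
	for _, l := range []int{0, 16, 40, 64} {
		tag, _ := AESCMAC(key, msg[:l])
		fmt.Printf("len=%2d AES-CMAC=%x\n", l, tag)
	}
	prf, _ := AESCMACPRF128([]byte("variable-length key"), msg[:16])
	fmt.Printf("PRF-128 with 19-byte key: %x\n", prf)
}
```

The subkey step is where CMAC implementations most often go wrong (forgetting the conditional reduction, or shifting in the wrong direction); checking against the RFC vectors for lengths 0, 16, 40 and 64 exercises the empty, complete-block, partial-block and multi-block paths.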

8 years ago  Fixed GNU license header in hmac and xcbc plugins.
Tobias Brunner [Tue, 3 Apr 2012 08:33:59 +0000 (10:33 +0200)]
Fixed GNU license header in hmac and xcbc plugins.

8 years ago  More detailed NEWS about RADIUS extensions
Martin Willi [Mon, 2 Apr 2012 11:58:21 +0000 (13:58 +0200)]
More detailed NEWS about RADIUS extensions

8 years ago  updated supported EAP methods
Andreas Steffen [Fri, 30 Mar 2012 09:15:10 +0000 (11:15 +0200)]
updated supported EAP methods

8 years ago  Add support for dnQualifier in DNs.
Tobias Brunner [Thu, 29 Mar 2012 08:01:55 +0000 (10:01 +0200)]
Add support for dnQualifier in DNs.

8 years ago  remove leading zeros in ASN.1 encoded serial numbers
Andreas Steffen [Tue, 27 Mar 2012 13:05:36 +0000 (15:05 +0200)]
remove leading zeros in ASN.1 encoded serial numbers
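
This commit and the three later ones on the same topic (represent 0 as a single byte, ASN.1 two's complement encoding prevents overflow in CRL serial number, remove leading zero in ASN.1 encoded serial numbers) together spell out the rules for a minimal DER INTEGER. The block below is an added example and not strongSwan's asn1 code (which is C); it is written in Go so it runs stand-alone. encodeSerial applies the three rules to an unsigned big-endian magnitude, and decodeSerial is the strict reverse: it rejects the non-minimal, empty and negative encodings a lenient parser would accept, which matters because a serial that decodes but re-encodes differently will not match the CA's CRL entry. Function names and sample values are this example's own.

```go
package main

import (
	"errors"
	"fmt"
)

// encodeSerial turns an unsigned big-endian magnitude, as a CA holds a
// certificate or CRL serial number internally, into a DER INTEGER:
//   1. leading zero octets are stripped (DER requires the shortest form),
//   2. zero is still one octet, 0x00, never an empty content field,
//   3. if the top bit of the first remaining octet is set, a 0x00 octet is
//      prepended, because DER INTEGER is two's complement and the value
//      would otherwise be read back as a negative number.
func encodeSerial(magnitude []byte) []byte {
	i := 0
	for i < len(magnitude) && magnitude[i] == 0 {
		i++ // rule 1
	}
	body := magnitude[i:]
	switch {
	case len(body) == 0:
		body = []byte{0x00} // rule 2
	case body[0]&0x80 != 0:
		body = append([]byte{0x00}, body...) // rule 3
	}
	if len(body) > 127 {
		panic("serial too long for short-form length") // RFC 5280 caps serials at 20 octets
	}
	return append([]byte{0x02, byte(len(body))}, body...)
}

var errBadSerial = errors.New("malformed or non-DER serial number")

// decodeSerial is the strict counterpart: it accepts only the minimal DER
// encoding of a positive INTEGER and returns the unsigned magnitude with the
// sign-protection octet removed. Each rejected form is one that a lenient
// parser would accept and then fail to match against the CA's own encoding.
func decodeSerial(der []byte) ([]byte, error) {
	if len(der) < 3 || der[0] != 0x02 {
		return nil, errBadSerial // too short for tag, length and one content octet
	}
	n := int(der[1])
	if n >= 0x80 || len(der) != 2+n {
		return nil, errBadSerial // long-form length or length/content mismatch
	}
	body := der[2:]
	if body[0]&0x80 != 0 {
		return nil, errBadSerial // negative: serial numbers must be positive
	}
	if n > 1 && body[0] == 0x00 && body[1]&0x80 == 0 {
		return nil, errBadSerial // redundant leading zero, not minimal
	}
	if n > 1 && body[0] == 0x00 {
		body = body[1:] // sign-protection octet, not part of the magnitude
	}
	return body, nil
}

func main() {
	// constructed magnitudes: zero, zero with padding, small, high bit set, padded
	for _, m := range [][]byte{{}, {0x00, 0x00}, {0x00, 0x7f}, {0x80}, {0x00, 0x01, 0x02}} {
		der := encodeSerial(m)
		back, err := decodeSerial(der)
		fmt.Printf("magnitude %-8x DER %-10x decoded %x err=%v\n", m, der, back, err)
	}
	// encodings a strict decoder must refuse: empty, negative, non-minimal
	for _, bad := range [][]byte{{0x02, 0x00}, {0x02, 0x01, 0x80}, {0x02, 0x02, 0x00, 0x7f}} {
		_, err := decodeSerial(bad)
		fmt.Printf("%x rejected: %v\n", bad, err)
	}
}
```

The overflow the commit title refers to is the third rule: a serial whose leading octet is 0x80 or above, emitted without the 0x00 prefix, parses as a negative number in any conforming decoder.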

8 years ago  Added NEWS about resolvconf support.
Tobias Brunner [Tue, 27 Mar 2012 07:47:38 +0000 (09:47 +0200)]
Added NEWS about resolvconf support.

8 years ago  Make resolvconf interface prefix configurable.
Tobias Brunner [Mon, 26 Mar 2012 13:09:21 +0000 (15:09 +0200)]
Make resolvconf interface prefix configurable.

8 years ago  Added support for the resolvconf framework in resolve plugin.
Tobias Brunner [Mon, 26 Mar 2012 13:00:14 +0000 (15:00 +0200)]
Added support for the resolvconf framework in resolve plugin.

If /sbin/resolvconf is found, nameservers are not written directly to
/etc/resolv.conf but instead resolvconf is invoked.

8 years ago  Use single DBG2 statements in kernel_netlink plugin (i.e. ignore mark.value).
Tobias Brunner [Tue, 27 Mar 2012 08:37:56 +0000 (10:37 +0200)]
Use single DBG2 statements in kernel_netlink plugin (i.e. ignore mark.value).

8 years ago  Don't cast second argument of mem_printf_hook (%b) to size_t.
Tobias Brunner [Thu, 22 Mar 2012 15:13:15 +0000 (16:13 +0100)]
Don't cast second argument of mem_printf_hook (%b) to size_t.

Also treat the given number as unsigned int.

Due to the printf hook registration the second argument of
mem_printf_hook (if called via printf etc.) is always of type int*.
Casting this to a size_t pointer and then dereferencing that as int does
not work on big endian machines if int is smaller than size_t (e.g. on ppc64).

In order to make this change work if the argument is of a type larger
than int, size_t for instance, the second argument for %b has to be cast
to (u_)int.

8 years ago  smp: Use proper signed type to get return value of read(2).
Tobias Brunner [Thu, 22 Mar 2012 15:11:39 +0000 (16:11 +0100)]
smp: Use proper signed type to get return value of read(2).

8 years ago  pluto: Use time_monotonic() instead of a custom implementation.
Tobias Brunner [Thu, 22 Mar 2012 13:10:59 +0000 (14:10 +0100)]
pluto: Use time_monotonic() instead of a custom implementation.

8 years ago  Don't include individual glib headers in nm plugin.
Tobias Brunner [Mon, 26 Mar 2012 13:23:17 +0000 (15:23 +0200)]
Don't include individual glib headers in nm plugin.

Exceptions are glib/gi18n.h, glib/gi18n-lib.h, glib/gprintf.h and
glib/gstdio.h.

8 years ago  Fix null-terminated XAuth passwords, as sent by Android 4
Martin Willi [Thu, 22 Mar 2012 14:01:35 +0000 (15:01 +0100)]
Fix null-terminated XAuth passwords, as sent by Android 4

8 years ago  Store authentication info of a XAUTH round on IKE_SA
Martin Willi [Wed, 21 Mar 2012 15:57:06 +0000 (16:57 +0100)]
Store authentication info of a XAUTH round on IKE_SA

8 years ago  Added a getter for CHILD_SA marks
Martin Willi [Wed, 21 Mar 2012 15:54:24 +0000 (16:54 +0100)]
Added a getter for CHILD_SA marks

8 years ago  Define a special XFRM mark_t.value that dynamically uses the CHILD_SA reqid
Martin Willi [Wed, 21 Mar 2012 14:41:45 +0000 (15:41 +0100)]
Define a special XFRM mark_t.value that dynamically uses the CHILD_SA reqid

8 years ago  fixed parsing of IF-MAP SOAP responses
Andreas Steffen [Wed, 21 Mar 2012 13:25:19 +0000 (14:25 +0100)]
fixed parsing of IF-MAP SOAP responses

8 years ago  Reply with received configuration payload identifier in Mode Config
Martin Willi [Tue, 20 Mar 2012 17:06:29 +0000 (18:06 +0100)]
Reply with received configuration payload identifier in Mode Config

8 years ago  Merge branch 'ikev1-clean' into ikev1-master
Martin Willi [Tue, 20 Mar 2012 16:56:18 +0000 (17:56 +0100)]
Merge branch 'ikev1-clean' into ikev1-master

Conflicts:
configure.in
man/ipsec.conf.5.in
src/libcharon/daemon.c
src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
src/libcharon/plugins/eap_radius/eap_radius_accounting.c
src/libcharon/plugins/eap_radius/eap_radius_forward.c
src/libcharon/plugins/farp/farp_listener.c
src/libcharon/sa/ike_sa.c
src/libcharon/sa/keymat.c
src/libcharon/sa/task_manager.c
src/libcharon/sa/trap_manager.c
src/libstrongswan/plugins/x509/x509_cert.c
src/libstrongswan/utils.h

Applied lost changes of moved files keymat.c and task_manager.c.
Updated listener_t.message hook signature in new plugins.

8 years ago  Properly handle retransmitted initial IKE messages.
Tobias Brunner [Thu, 8 Mar 2012 14:23:20 +0000 (15:23 +0100)]
Properly handle retransmitted initial IKE messages.

This change allows retransmits of initial IKE messages to be handled
properly when we've already processed them (i.e. our response is now resent
immediately).

8 years ago  Implemented table of init hashes without linked_list_t.
Tobias Brunner [Thu, 1 Mar 2012 16:37:38 +0000 (17:37 +0100)]
Implemented table of init hashes without linked_list_t.

8 years ago  Implemented table of connected peers without linked_list_t.
Tobias Brunner [Thu, 1 Mar 2012 16:24:44 +0000 (17:24 +0100)]
Implemented table of connected peers without linked_list_t.

8 years ago  Implemented table of half open IKE_SAs without linked_list_t.
Tobias Brunner [Thu, 1 Mar 2012 15:34:45 +0000 (16:34 +0100)]
Implemented table of half open IKE_SAs without linked_list_t.

8 years ago  Don't use linked_list_t for buckets in main IKE_SA hash table.
Tobias Brunner [Thu, 1 Mar 2012 11:51:34 +0000 (12:51 +0100)]
Don't use linked_list_t for buckets in main IKE_SA hash table.

8 years ago  Fixed deadlock if checkin_and_destroy is called during shutdown.
Tobias Brunner [Thu, 1 Mar 2012 11:52:17 +0000 (12:52 +0100)]
Fixed deadlock if checkin_and_destroy is called during shutdown.

8 years ago  Do not clone hashes of initial IKE messages when storing them in the hash table.
Tobias Brunner [Thu, 1 Mar 2012 17:07:48 +0000 (18:07 +0100)]
Do not clone hashes of initial IKE messages when storing them in the hash table.

8 years ago  Store IKEv2 IKE_SAs by local SPI in the IKE_SA manager hash table.
Tobias Brunner [Wed, 29 Feb 2012 17:17:50 +0000 (18:17 +0100)]
Store IKEv2 IKE_SAs by local SPI in the IKE_SA manager hash table.

For IKEv1 the previous behavior of always using the initiator's SPI as
key is maintained.

8 years ago  Added separate hashtable for hashes of initial IKE messages.
Tobias Brunner [Wed, 29 Feb 2012 17:15:42 +0000 (18:15 +0100)]
Added separate hashtable for hashes of initial IKE messages.

This does not require us to do a lookup for an SA by SPI first.
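
The commit above and the earlier one on properly handling retransmitted initial IKE messages describe a responder-side table keyed by a hash of the initial message rather than by SPI, so that a byte-identical retransmit is answered with the stored response instead of creating a second half-open IKE_SA. The following is an added model of that mechanism, not the IKE_SA manager's code (which is C; Go is used here so the block runs on its own). InitTable, Respond, Finish and the SHA-256 hash over the raw datagram are this example's own choices; the page does not state which hash the daemon uses. The bound on tracked exchanges and the dropping of duplicates that arrive while the first copy is still being processed are added as the caveats a practitioner would expect around a flood of IKE_SA_INIT requests.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"sync"
)

// Disposition tells the caller what happened to an initial request.
type Disposition int

const (
	Processed     Disposition = iota // first time seen: state created, response computed
	Retransmitted                    // seen before and answered: stored response resent as is
	Dropped                          // still being processed, or table full
)

func (d Disposition) String() string {
	return [...]string{"processed", "retransmitted", "dropped"}[d]
}

type initHash [sha256.Size]byte

// hashOf keys the table by the whole datagram, so only a byte-identical copy
// of the request matches (assumed hash; the daemon's choice is not stated).
func hashOf(datagram []byte) initHash { return sha256.Sum256(datagram) }

type initEntry struct {
	response []byte // nil while the first copy is still being processed
}

// InitTable is consulted before any IKE_SA lookup by SPI, so a retransmit
// never reaches the expensive path that allocates a half-open SA and runs DH.
type InitTable struct {
	mu      sync.Mutex
	entries map[initHash]*initEntry
	limit   int // bound on half-open exchanges tracked here
}

func NewInitTable(limit int) *InitTable {
	return &InitTable{entries: make(map[initHash]*initEntry), limit: limit}
}

// Respond handles one received initial request. process runs at most once per
// distinct datagram and outside the lock; duplicates arriving meanwhile are
// dropped, duplicates arriving after the answer was stored get it resent.
func (t *InitTable) Respond(req []byte, process func([]byte) []byte) ([]byte, Disposition) {
	h := hashOf(req)

	t.mu.Lock()
	if e, ok := t.entries[h]; ok {
		resp := e.response
		t.mu.Unlock()
		if resp == nil {
			return nil, Dropped
		}
		return resp, Retransmitted
	}
	if len(t.entries) >= t.limit {
		t.mu.Unlock()
		return nil, Dropped
	}
	e := &initEntry{}
	t.entries[h] = e // reserve the slot so concurrent duplicates are dropped
	t.mu.Unlock()

	resp := process(req)

	t.mu.Lock()
	e.response = resp
	t.mu.Unlock()
	return resp, Processed
}

// Finish removes the entry once the exchange is over (SA established, or the
// half-open SA timed out); later copies of the request are no longer matched.
func (t *InitTable) Finish(req []byte) {
	t.mu.Lock()
	delete(t.entries, hashOf(req))
	t.mu.Unlock()
}

// Pending returns the number of tracked half-open exchanges.
func (t *InitTable) Pending() int {
	t.mu.Lock()
	defer t.mu.Unlock()
	return len(t.entries)
}

func main() {
	tbl := NewInitTable(1000)
	// constructed stand-in for the responder's IKE_SA_INIT processing
	process := func(req []byte) []byte {
		fmt.Printf("creating half-open IKE_SA and computing DH for %q\n", req)
		return append([]byte("response to "), req...)
	}
	req := []byte("IKE_SA_INIT request from 198.51.100.7 (constructed)")
	for i := 1; i <= 3; i++ {
		resp, d := tbl.Respond(req, process)
		fmt.Printf("copy %d: %v, resp=%q, pending=%d\n", i, d, resp, tbl.Pending())
	}
	tbl.Finish(req)
}
```

Two properties are worth checking when reviewing such a table: the expensive processing runs exactly once per distinct datagram however many copies arrive, and a retransmit of a request whose exchange already finished is treated as a fresh request, since nothing is left to resend.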

8 years ago  chunk_equals_ptr added to compare chunks given as pointers.
Tobias Brunner [Wed, 29 Feb 2012 17:06:49 +0000 (18:06 +0100)]
chunk_equals_ptr added to compare chunks given as pointers.

8 years ago  Store the major IKE version on ike_sa_id_t.
Tobias Brunner [Wed, 29 Feb 2012 13:47:09 +0000 (14:47 +0100)]
Store the major IKE version on ike_sa_id_t.

8 years ago  Implemented handling of UNITY_LOAD_BALANCE as reauthentication.
Tobias Brunner [Fri, 2 Mar 2012 18:17:13 +0000 (19:17 +0100)]
Implemented handling of UNITY_LOAD_BALANCE as reauthentication.

8 years ago  Check if we actually have a packet before retransmitting it
Martin Willi [Tue, 21 Feb 2012 09:23:20 +0000 (10:23 +0100)]
Check if we actually have a packet before retransmitting it

8 years ago  Use a single set of FDs for all random plugin RNG instances
Martin Willi [Tue, 21 Feb 2012 09:22:48 +0000 (10:22 +0100)]
Use a single set of FDs for all random plugin RNG instances

8 years ago  Parse IKEv1 Cisco Load Balancing notify (can't act on it yet).
Tobias Brunner [Fri, 3 Feb 2012 11:58:11 +0000 (12:58 +0100)]
Parse IKEv1 Cisco Load Balancing notify (can't act on it yet).

8 years ago  Fixed transform numbering in IKEv1 proposal.
Tobias Brunner [Fri, 3 Feb 2012 11:56:30 +0000 (12:56 +0100)]
Fixed transform numbering in IKEv1 proposal.

8 years ago  Compiler warning fixed.
Tobias Brunner [Fri, 3 Feb 2012 11:56:14 +0000 (12:56 +0100)]
Compiler warning fixed.

8 years ago  Use correct enum values to detect three message tasks for retransmission
Martin Willi [Thu, 2 Feb 2012 09:49:19 +0000 (10:49 +0100)]
Use correct enum values to detect three message tasks for retransmission

8 years ago  Trigger DPD not before IKE_SA state gets updated
Martin Willi [Thu, 2 Feb 2012 09:33:40 +0000 (10:33 +0100)]
Trigger DPD not before IKE_SA state gets updated

8 years ago  Fix mapping of IKEv1 encapsulation mode
Martin Willi [Tue, 24 Jan 2012 12:31:37 +0000 (13:31 +0100)]
Fix mapping of IKEv1 encapsulation mode

8 years ago  Use UDP encapsulation even in non-NAT situation if initiator requests it
Martin Willi [Mon, 23 Jan 2012 14:11:13 +0000 (15:11 +0100)]
Use UDP encapsulation even in non-NAT situation if initiator requests it

8 years ago  Updated ipsec.conf man page for the use of IKEv1 with pluto
Martin Willi [Mon, 23 Jan 2012 13:35:57 +0000 (14:35 +0100)]
Updated ipsec.conf man page for the use of IKEv1 with pluto

8 years ago  Support inactivity timeout in IKEv1 CHILD_SAs
Martin Willi [Mon, 23 Jan 2012 12:49:56 +0000 (13:49 +0100)]
Support inactivity timeout in IKEv1 CHILD_SAs

8 years ago  Use a dedicated PRF for HASH/SIG payloads using ECDSA specific hasher
Martin Willi [Mon, 23 Jan 2012 11:46:46 +0000 (12:46 +0100)]
Use a dedicated PRF for HASH/SIG payloads using ECDSA specific hasher

8 years ago  Select public key auth method by checking what key we have
Martin Willi [Mon, 23 Jan 2012 11:28:55 +0000 (12:28 +0100)]
Select public key auth method by checking what key we have

8 years ago  Support ECDSA signatures in IKEv1 pubkey authenticator
Martin Willi [Mon, 23 Jan 2012 11:27:57 +0000 (12:27 +0100)]
Support ECDSA signatures in IKEv1 pubkey authenticator

8 years ago  Exchange certificates when using IKEv1 ECDSA authentication
Martin Willi [Mon, 23 Jan 2012 11:26:42 +0000 (12:26 +0100)]
Exchange certificates when using IKEv1 ECDSA authentication

8 years ago  Accept NULL auth_cfg_t passed to credential_manager_t.get_private()
Martin Willi [Mon, 23 Jan 2012 11:25:38 +0000 (12:25 +0100)]
Accept NULL auth_cfg_t passed to credential_manager_t.get_private()

8 years ago  Support encoding of IKEv1 ECDSA proposals
Martin Willi [Mon, 23 Jan 2012 11:25:00 +0000 (12:25 +0100)]
Support encoding of IKEv1 ECDSA proposals

8 years ago  Dropped support of deprecated authby=eap and eap= options
Martin Willi [Fri, 20 Jan 2012 15:03:18 +0000 (16:03 +0100)]
Dropped support of deprecated authby=eap and eap= options

8 years ago  Added support for authby/xauth_server legacy options
Martin Willi [Fri, 20 Jan 2012 14:33:26 +0000 (15:33 +0100)]
Added support for authby/xauth_server legacy options

8 years ago  Renamed CONFIGURATION_ATTRIBUTE_LENGTH to streamline it with other ATTRIBUTE rules
Martin Willi [Fri, 20 Jan 2012 14:00:06 +0000 (15:00 +0100)]
Renamed CONFIGURATION_ATTRIBUTE_LENGTH to streamline it with other ATTRIBUTE rules

8 years ago  Use ATTRIBUTE_VALUE rule in configuration attribute to parse it with correct length
Martin Willi [Fri, 20 Jan 2012 13:57:18 +0000 (14:57 +0100)]
Use ATTRIBUTE_VALUE rule in configuration attribute to parse it with correct length

8 years ago  Don't re-resolve addresses during initiate if they have already been set
Martin Willi [Fri, 20 Jan 2012 12:54:39 +0000 (13:54 +0100)]
Don't re-resolve addresses during initiate if they have already been set

8 years ago  Adopt children after syncing a rekeyed IKEv1 SA
Martin Willi [Fri, 20 Jan 2012 12:42:37 +0000 (13:42 +0100)]
Adopt children after syncing a rekeyed IKEv1 SA

8 years ago  Synchronize IKEv1 DPD sequence numbers
Martin Willi [Fri, 20 Jan 2012 11:23:46 +0000 (12:23 +0100)]
Synchronize IKEv1 DPD sequence numbers

8 years ago  Setting message ID on task manager sets DPD sequence numbers in IKEv1
Martin Willi [Fri, 20 Jan 2012 11:22:56 +0000 (12:22 +0100)]
Setting message ID on task manager sets DPD sequence numbers in IKEv1

8 years ago  Update state before triggering DPD, as we cancel it if PASSIVE
Martin Willi [Fri, 20 Jan 2012 11:21:48 +0000 (12:21 +0100)]
Update state before triggering DPD, as we cancel it if PASSIVE

8 years ago  Set thread specific SA on bus for each enumerated IKE_SA
Martin Willi [Fri, 20 Jan 2012 11:21:13 +0000 (12:21 +0100)]
Set thread specific SA on bus for each enumerated IKE_SA

8 years ago  Sync remote virtual IP for IKEv1 SAs
Martin Willi [Fri, 20 Jan 2012 10:36:26 +0000 (11:36 +0100)]
Sync remote virtual IP for IKEv1 SAs

8 years ago  Sync new IKE_SA condition/extension flags
Martin Willi [Fri, 20 Jan 2012 10:23:27 +0000 (11:23 +0100)]
Sync new IKE_SA condition/extension flags

8 years ago  Added support for Phase1 IV synchronization to HA plugin
Martin Willi [Thu, 19 Jan 2012 15:34:59 +0000 (16:34 +0100)]
Added support for Phase1 IV synchronization to HA plugin

8 years ago  Invoke bus_t.message hook twice, once plain and parsed, once encoded and encrypted
Martin Willi [Thu, 19 Jan 2012 15:22:25 +0000 (16:22 +0100)]
Invoke bus_t.message hook twice, once plain and parsed, once encoded and encrypted

8 years ago  Create IKEv1 keymat hasher explicitly on sync
Martin Willi [Thu, 19 Jan 2012 14:55:29 +0000 (15:55 +0100)]
Create IKEv1 keymat hasher explicitly on sync

8 years ago  Clear initiator flag when checking out initial IKEv1 SA from message
Martin Willi [Thu, 19 Jan 2012 14:54:38 +0000 (15:54 +0100)]
Clear initiator flag when checking out initial IKEv1 SA from message

8 years ago  Added support to sync IKEv1 SAs key material in HA plugin
Martin Willi [Thu, 19 Jan 2012 10:11:22 +0000 (11:11 +0100)]
Added support to sync IKEv1 SAs key material in HA plugin

8 years ago  Pass IKEv1 specific keymat to ike_keys hook
Martin Willi [Wed, 18 Jan 2012 17:34:07 +0000 (18:34 +0100)]
Pass IKEv1 specific keymat to ike_keys hook

8 years ago  Use a more complete implementation of a HA specific diffie_hellman_t
Martin Willi [Wed, 18 Jan 2012 17:24:48 +0000 (18:24 +0100)]
Use a more complete implementation of a HA specific diffie_hellman_t

8 years ago  Show IKE version in ipsec statusall
Martin Willi [Wed, 18 Jan 2012 16:50:07 +0000 (17:50 +0100)]
Show IKE version in ipsec statusall

8 years ago  Apply proposal to a HA synced IKE_SA
Martin Willi [Wed, 18 Jan 2012 16:49:52 +0000 (17:49 +0100)]
Apply proposal to a HA synced IKE_SA

8 years ago  Set selected proposal on IKEv1 SA, don't pass it separately to Phase 1 helper
Martin Willi [Wed, 18 Jan 2012 16:42:06 +0000 (17:42 +0100)]
Set selected proposal on IKEv1 SA, don't pass it separately to Phase 1 helper

8 years ago  Updated HA plugin to new IKEv2 specific keymat functions
Martin Willi [Wed, 18 Jan 2012 16:24:31 +0000 (17:24 +0100)]
Updated HA plugin to new IKEv2 specific keymat functions

8 years ago  Get a reference for the child_cfg passed to child_create_create()
Martin Willi [Wed, 18 Jan 2012 16:24:08 +0000 (17:24 +0100)]
Get a reference for the child_cfg passed to child_create_create()

8 years ago  Invoke bus_t.narrow hook in quick mode exchange
Martin Willi [Wed, 18 Jan 2012 12:28:15 +0000 (13:28 +0100)]
Invoke bus_t.narrow hook in quick mode exchange

8 years ago  Invoke authorization hooks for IKEv1 connections
Martin Willi [Wed, 18 Jan 2012 12:12:07 +0000 (13:12 +0100)]
Invoke authorization hooks for IKEv1 connections

8 years ago  Invoke ike_updown hooks for reauthenticated IKEv1 SAs
Martin Willi [Mon, 16 Jan 2012 15:47:18 +0000 (16:47 +0100)]
Invoke ike_updown hooks for reauthenticated IKEv1 SAs

8 years ago  Don't invoke a child_updown hook when a quick mode to delete has been rekeyed
Martin Willi [Mon, 16 Jan 2012 15:18:01 +0000 (16:18 +0100)]
Don't invoke a child_updown hook when a quick mode to delete has been rekeyed

8 years ago  Invoke child_rekey hook instead of child_updown when rekeying a quick mode
Martin Willi [Mon, 16 Jan 2012 15:17:27 +0000 (16:17 +0100)]
Invoke child_rekey hook instead of child_updown when rekeying a quick mode

8 years ago  Don't invoke updown hook when flushing SAs for IKEv1, tasks will do it
Martin Willi [Mon, 16 Jan 2012 14:57:46 +0000 (15:57 +0100)]
Don't invoke updown hook when flushing SAs for IKEv1, tasks will do it

8 years ago  Fix "incoming" flag passed to bus_t.message() hook
Martin Willi [Mon, 16 Jan 2012 14:31:53 +0000 (15:31 +0100)]
Fix "incoming" flag passed to bus_t.message() hook

8 years ago  Continue with next exchange after sending an INFORMATIONAL
Martin Willi [Fri, 13 Jan 2012 08:27:26 +0000 (09:27 +0100)]
Continue with next exchange after sending an INFORMATIONAL

8 years ago  Handle retransmission of DPD exchange, both as initiator and responder
Martin Willi [Tue, 10 Jan 2012 18:13:58 +0000 (19:13 +0100)]
Handle retransmission of DPD exchange, both as initiator and responder

8 years ago  Disable DPD checking for peers not supporting it
Martin Willi [Tue, 10 Jan 2012 16:40:07 +0000 (17:40 +0100)]
Disable DPD checking for peers not supporting it

8 years ago  Added missing DPD task name
Martin Willi [Tue, 10 Jan 2012 16:28:25 +0000 (17:28 +0100)]
Added missing DPD task name

8 years ago  Confirm message reception time only if DPD sequence number valid
Martin Willi [Tue, 10 Jan 2012 16:26:42 +0000 (17:26 +0100)]
Confirm message reception time only if DPD sequence number valid