strongswan.git
10 years agoLink libcharon to checksum_builder in order to get rid of the fake symbols.
Tobias Brunner [Wed, 24 Mar 2010 16:54:07 +0000 (17:54 +0100)]
Link libcharon to checksum_builder in order to get rid of the fake symbols.

10 years agoFixed some Doxygen warnings.
Tobias Brunner [Wed, 24 Mar 2010 14:45:06 +0000 (15:45 +0100)]
Fixed some Doxygen warnings.

10 years agoFixed compiler warning.
Tobias Brunner [Wed, 24 Mar 2010 11:03:08 +0000 (12:03 +0100)]
Fixed compiler warning.

10 years agoFixed ipsec pool --batch command
Heiko Hund [Tue, 23 Mar 2010 21:30:01 +0000 (22:30 +0100)]
Fixed ipsec pool --batch command

--batch mode has shown to be buggy in very obscure ways in the first real
life tests. For example a batch file

       --del pool1
       --replace pool2 --addresses file1

returned the error "/usr/libexec/ipsec/pool: unrecognized option '--lace'"
which was gone after moving the --del behind --replace. With the patch
from below applied everything works like a charm. From the info on the
man page it seem to be unrelated to this problem, though:

       A program that scans multiple  argument  vectors,  or
       rescans  the same vector more than once, and wants to
       make use of GNU extensions such as '+' and '-' at the
       start   of   optstring,   or  changes  the  value  of
       POSIXLY_CORRECT  between  scans,  must   reinitialize
       getopt()  by  resetting  optind to 0, rather than the
       traditional value of 1.  (Resetting to 0  forces  the
       invocation of an internal initialization routine that
       rechecks POSIXLY_CORRECT and checks  for  GNU  exten-
       sions in optstring.)

Signed-off-by: Heiko Hund <hhund@astaro.com>
10 years agoUse vstr/gmp as shared libraries in the Android build.
Tobias Brunner [Tue, 23 Mar 2010 10:39:58 +0000 (11:39 +0100)]
Use vstr/gmp as shared libraries in the Android build.

10 years agoMissed to include charon's Android.mk in the distribution.
Tobias Brunner [Mon, 22 Mar 2010 10:32:20 +0000 (11:32 +0100)]
Missed to include charon's Android.mk in the distribution.

10 years agoAdded charon to .gitignore
Martin Willi [Fri, 19 Mar 2010 16:17:54 +0000 (17:17 +0100)]
Added charon to .gitignore

10 years agoDo not indent the source file lists in Android.mk files so we can easily compare...
Tobias Brunner [Tue, 16 Mar 2010 16:31:13 +0000 (17:31 +0100)]
Do not indent the source file lists in Android.mk files so we can easily compare them to the lists in the Makefile.am files.

10 years agoUse wildcards to gather plugin source files.
Tobias Brunner [Tue, 16 Mar 2010 16:20:03 +0000 (17:20 +0100)]
Use wildcards to gather plugin source files.

10 years agoAdding support for the build of libcharon (and charon) on Android.
Tobias Brunner [Tue, 16 Mar 2010 16:18:58 +0000 (17:18 +0100)]
Adding support for the build of libcharon (and charon) on Android.

10 years agoDo not link libcharon to libstrongswan.
Tobias Brunner [Tue, 16 Mar 2010 10:06:39 +0000 (11:06 +0100)]
Do not link libcharon to libstrongswan.

Linking to libstrongswan breaks the integrity-tests because libtool
relinks libcharon to libstrongswan on install, thus changing the
checksum.

10 years agoExplicitly link charon to libstrongswan.
Tobias Brunner [Tue, 16 Mar 2010 10:05:01 +0000 (11:05 +0100)]
Explicitly link charon to libstrongswan.

Also fixed the reference to the pthread library.

10 years agoDon't indirectly link dependent libraries.
Gerd von Egidy [Sun, 14 Mar 2010 21:01:17 +0000 (22:01 +0100)]
Don't indirectly link dependent libraries.

The default behaviour for ld allows users to 'indirectly' link to required
objects/libraries through intermediate objects/libraries. While this is
convenient, it can also be dangerous because it makes your program's
dependencies tied to the dependencies of other objects.

Beginning with Fedora 13 this will be changed and you need to explicitly
link all dependent libraries.

More details can be found here:
http://fedoraproject.org/wiki/UnderstandingDSOLinkChange

This patch fixes all such cases in strongSwan.

10 years agoMake integrity tests compatible with libcharon.
Tobias Brunner [Fri, 12 Mar 2010 16:20:36 +0000 (17:20 +0100)]
Make integrity tests compatible with libcharon.

This does currently not work because libtool relinks libcharon on
install, thus changing the checksum.

10 years agoReplacing the original charon with a small wrapper around libcharon.
Tobias Brunner [Fri, 12 Mar 2010 16:12:05 +0000 (17:12 +0100)]
Replacing the original charon with a small wrapper around libcharon.

10 years agoConvert charon into libcharon.
Tobias Brunner [Fri, 12 Mar 2010 15:56:54 +0000 (16:56 +0100)]
Convert charon into libcharon.

10 years agoMoving charon to libcharon.
Tobias Brunner [Fri, 12 Mar 2010 15:45:46 +0000 (16:45 +0100)]
Moving charon to libcharon.

10 years agoRemoved strayed code fragment
Martin Willi [Fri, 19 Mar 2010 09:25:12 +0000 (10:25 +0100)]
Removed strayed code fragment

10 years agoipsec pool --batch command
Heiko Hund [Tue, 16 Mar 2010 20:11:52 +0000 (21:11 +0100)]
ipsec pool --batch command

Introduce the --batch command which reads several ipsec pool commands
and their arguments from a file or STDIN. Useful if you need to run
serveral commands atomically from a configuration daemon or likewise.

Signed-off-by: Heiko Hund <hhund@astaro.com>
10 years agoipsec pool error return status
Heiko Hund [Tue, 16 Mar 2010 20:11:51 +0000 (21:11 +0100)]
ipsec pool error return status

Fix the error return status of the ipsec pool command. Also make --del for
attributes succeed if no --server option was given.

Signed-off-by: Heiko Hund <hhund@astaro.com>
10 years agoipsec pool --replace command
Heiko Hund [Tue, 16 Mar 2010 20:11:50 +0000 (21:11 +0100)]
ipsec pool --replace command

Introduce the pool --replace command as an alternative to --add. Also change
the current behavior of allowing duplicate pool names so that, --add with
an existing name fails and --replace removes the existing pool before
adding the new one.

Signed-off-by: Heiko Hund <hhund@astaro.com>
10 years ago--addresses option for ipsec pool --add command
Heiko Hund [Tue, 16 Mar 2010 20:11:49 +0000 (21:11 +0100)]
--addresses option for ipsec pool --add command

Introduce the --addresses option for --add that can be used to add a pool
containing non-contiguous addresses. Additionally it allows to preclaim
certain addresses for certain roadwarrior IDs. See the second chunk of
the patch for a more detailed description.

Signed-off-by: Heiko Hund <hhund@astaro.com>
10 years agoIntroduced ipsec.conf NTLM keyword for NT hashes
Martin Willi [Wed, 17 Mar 2010 17:48:25 +0000 (18:48 +0100)]
Introduced ipsec.conf NTLM keyword for NT hashes

10 years agoEAP-MSCHAPv2 can use stored NT hashes in addition to plaintext passwords
Martin Willi [Wed, 17 Mar 2010 15:58:22 +0000 (16:58 +0100)]
EAP-MSCHAPv2 can use stored NT hashes in addition to plaintext passwords

10 years agolookup exclusion for several arbitrary routing tables
Thomas Egerer [Fri, 12 Mar 2010 08:37:51 +0000 (09:37 +0100)]
lookup exclusion for several arbitrary routing tables

10 years agoFixing a compiler warning when building with -Wextra.
Tobias Brunner [Tue, 16 Mar 2010 11:42:58 +0000 (12:42 +0100)]
Fixing a compiler warning when building with -Wextra.

10 years agosetting the two most significant bits assures an RSA modulus of maximum bit size
Andreas Steffen [Mon, 15 Mar 2010 14:13:26 +0000 (15:13 +0100)]
setting the two most significant bits assures an RSA modulus of maximum bit size

10 years agowe don't accept a serial number with leading zeroes
Andreas Steffen [Sun, 14 Mar 2010 18:41:40 +0000 (19:41 +0100)]
we don't accept a serial number with leading zeroes

10 years agoReordered the name and sname construction.
Tobias Brunner [Tue, 9 Mar 2010 08:01:28 +0000 (09:01 +0100)]
Reordered the name and sname construction.

10 years agoFixed a bug in pluto's x509 handling.
Tobias Brunner [Fri, 12 Mar 2010 16:27:05 +0000 (17:27 +0100)]
Fixed a bug in pluto's x509 handling.

This bug would have lead to a segmentation fault, if no public key could
have been extracted from a certificate.

10 years agodeleted old strongSwan VIDs
Andreas Steffen [Fri, 12 Mar 2010 02:29:18 +0000 (03:29 +0100)]
deleted old strongSwan VIDs

10 years agoenable build of socket-default plugin
Andreas Steffen [Thu, 11 Mar 2010 20:53:18 +0000 (21:53 +0100)]
enable build of socket-default plugin

10 years agomixed IKEv1/IKEv2 scenarios require socket-raw
Andreas Steffen [Thu, 11 Mar 2010 20:32:36 +0000 (21:32 +0100)]
mixed IKEv1/IKEv2 scenarios require socket-raw

10 years agoAdded a very minimalistic SMTP client to send mails via a local Exim
Martin Willi [Thu, 11 Mar 2010 09:51:16 +0000 (10:51 +0100)]
Added a very minimalistic SMTP client to send mails via a local Exim

10 years agoDo not disable the default-socket if it was enabled explicitly
Martin Willi [Thu, 11 Mar 2010 07:52:48 +0000 (08:52 +0100)]
Do not disable the default-socket if it was enabled explicitly

10 years agoSet a xy_given variable for a --enable/disable-xy option
Martin Willi [Thu, 11 Mar 2010 07:50:12 +0000 (08:50 +0100)]
Set a xy_given variable for a --enable/disable-xy option

This additional variable allows a check if an option was
explicitly given or implicitly set using the default.

10 years agoAdd a getter for the HTTP referer
Martin Willi [Tue, 9 Mar 2010 14:03:57 +0000 (15:03 +0100)]
Add a getter for the HTTP referer

10 years agofix 64bit issue with time_t from database
Andreas Steffen [Wed, 10 Mar 2010 09:46:49 +0000 (10:46 +0100)]
fix 64bit issue with time_t from database

10 years agoAdding socket-default to the plugin list in all test cases.
Tobias Brunner [Tue, 9 Mar 2010 16:41:40 +0000 (17:41 +0100)]
Adding socket-default to the plugin list in all test cases.

10 years agoProvide the Diffie Hellman parameters from a central location, so that we do not...
Tobias Brunner [Tue, 9 Mar 2010 16:15:16 +0000 (17:15 +0100)]
Provide the Diffie Hellman parameters from a central location, so that we do not have to replicate them in every plugin that implements the DH interface.

The main reason for this change is that Android's libcrypto does not
include the get_rfcX_prime_Y functions by default.  Therefore we would
have had to replicate the primes a third time.

10 years agoAdding the OpenSSL plugin to the Android build.
Tobias Brunner [Mon, 8 Mar 2010 16:18:47 +0000 (17:18 +0100)]
Adding the OpenSSL plugin to the Android build.

10 years agoFixing integrity tests after renaming the plugin constructors.
Tobias Brunner [Mon, 8 Mar 2010 14:33:42 +0000 (15:33 +0100)]
Fixing integrity tests after renaming the plugin constructors.

10 years agoAdding a helper function that translates single characters in a string.
Tobias Brunner [Mon, 8 Mar 2010 14:26:09 +0000 (15:26 +0100)]
Adding a helper function that translates single characters in a string.

10 years agoReplaced the deprecated RSA_generate_key with RSA_generate_key_ex.
Tobias Brunner [Mon, 8 Mar 2010 12:59:26 +0000 (13:59 +0100)]
Replaced the deprecated RSA_generate_key with RSA_generate_key_ex.

10 years agoImplemented the PRF_KEYED_SHA1 algorithm in the openssl plugin
Martin Willi [Mon, 8 Mar 2010 11:40:45 +0000 (12:40 +0100)]
Implemented the PRF_KEYED_SHA1 algorithm in the openssl plugin

10 years agoRemoved accidentally commited files from tree, ignore tarballs and patches
Martin Willi [Mon, 8 Mar 2010 08:36:46 +0000 (09:36 +0100)]
Removed accidentally commited files from tree, ignore tarballs and patches

10 years agoremoved unwanted commits
Andreas Steffen [Sun, 7 Mar 2010 20:11:57 +0000 (21:11 +0100)]
removed unwanted commits

10 years agocritical keyUsage extension must be parsed
Andreas Steffen [Sun, 7 Mar 2010 19:51:34 +0000 (20:51 +0100)]
critical keyUsage extension must be parsed

10 years agorecognize strongSwan VID
Andreas Steffen [Sun, 7 Mar 2010 16:52:04 +0000 (17:52 +0100)]
recognize strongSwan VID

10 years agoset Certificate Sign and CRL Sign flags in keyUsage extension if CA is true
Andreas Steffen [Sun, 7 Mar 2010 16:27:53 +0000 (17:27 +0100)]
set Certificate Sign and CRL Sign flags in keyUsage extension if CA is true

10 years agoMake Android.mk depend on configure.in, so it gets rebuilt if the version number...
Tobias Brunner [Fri, 5 Mar 2010 13:57:22 +0000 (14:57 +0100)]
Make Android.mk depend on configure.in, so it gets rebuilt if the version number got changed.

10 years agoparser.l includes y.tab.h, so it must be built first
Tobias Brunner [Fri, 5 Mar 2010 13:24:56 +0000 (14:24 +0100)]
parser.l includes y.tab.h, so it must be built first

10 years agoIgnore the generated y.output.
Tobias Brunner [Fri, 5 Mar 2010 13:19:17 +0000 (14:19 +0100)]
Ignore the generated y.output.

10 years agoDo not hardcode the path to the strongSwan sources.
Tobias Brunner [Fri, 5 Mar 2010 12:32:27 +0000 (13:32 +0100)]
Do not hardcode the path to the strongSwan sources.

10 years agoIgnore the generated Android.mk
Tobias Brunner [Fri, 5 Mar 2010 12:23:43 +0000 (13:23 +0100)]
Ignore the generated Android.mk

10 years agoGenerate the main Android.mk, so the version number is not hardcoded.
Tobias Brunner [Fri, 5 Mar 2010 12:11:58 +0000 (13:11 +0100)]
Generate the main Android.mk, so the version number is not hardcoded.

We include the generated file in the distribution, so users won't
have run configure if they are building for Android.

10 years agoBuild libstrongswan before building any plugins during the non-monolithic build ...
Tobias Brunner [Fri, 5 Mar 2010 10:05:32 +0000 (11:05 +0100)]
Build libstrongswan before building any plugins during the non-monolithic build (as it was before).

10 years agoscepclient still depends on libfreeswan
Martin Willi [Fri, 5 Mar 2010 07:52:09 +0000 (08:52 +0100)]
scepclient still depends on libfreeswan

10 years agoRemove the invalid cast in time() parameter, as reported by Marius Tomaschewski.
Martin Willi [Thu, 4 Mar 2010 07:42:18 +0000 (08:42 +0100)]
Remove the invalid cast in time() parameter, as reported by Marius Tomaschewski.

10 years agoDisabling warnings about arithmethic with void* on Android.
Tobias Brunner [Wed, 3 Mar 2010 16:37:20 +0000 (17:37 +0100)]
Disabling warnings about arithmethic with void* on Android.

10 years agoFixing a bug on platforms where size_t is unsigned.
Tobias Brunner [Wed, 3 Mar 2010 16:35:19 +0000 (17:35 +0100)]
Fixing a bug on platforms where size_t is unsigned.

10 years agoThe parsed timeval is unsigned.
Tobias Brunner [Wed, 3 Mar 2010 16:34:49 +0000 (17:34 +0100)]
The parsed timeval is unsigned.

10 years agoThe return value of snprintf is int not size_t.
Tobias Brunner [Wed, 3 Mar 2010 16:34:06 +0000 (17:34 +0100)]
The return value of snprintf is int not size_t.

10 years agoAdd braces around empty body in if statement
Martin Willi [Wed, 3 Mar 2010 15:53:42 +0000 (16:53 +0100)]
Add braces around empty body in if statement

10 years agoAdded charon.send/receive_delay options to simulate different RTTs
Martin Willi [Wed, 3 Mar 2010 14:57:06 +0000 (15:57 +0100)]
Added charon.send/receive_delay options to simulate different RTTs

10 years agoMigrated receiver_t to METHOD/INIT macros
Martin Willi [Wed, 3 Mar 2010 14:51:32 +0000 (15:51 +0100)]
Migrated receiver_t to METHOD/INIT macros

10 years agoMigrated sender_t to METHOD/INIT macros
Martin Willi [Wed, 3 Mar 2010 14:46:53 +0000 (15:46 +0100)]
Migrated sender_t to METHOD/INIT macros

10 years agoCheck if we are not using a vendor EAP method in EAP_IDENTITY comparison.
Martin Willi [Wed, 3 Mar 2010 11:25:27 +0000 (12:25 +0100)]
Check if we are not using a vendor EAP method in EAP_IDENTITY comparison.

Bug reported by Ingo Kubbilun with a patch from Reinhard Pfau, secunet AG.

10 years agoUse "static const", some GCCs don't like "const static"
Martin Willi [Wed, 3 Mar 2010 09:44:01 +0000 (10:44 +0100)]
Use "static const", some GCCs don't like "const static"

10 years agoAdding Android.mk files to build charon and libstrongswan with the Android build...
Tobias Brunner [Wed, 3 Mar 2010 09:18:46 +0000 (10:18 +0100)]
Adding Android.mk files to build charon and libstrongswan with the Android build system.

10 years agoReverting eba28948a584b9d02474cf5d256b04b8d2adbe6a which was only necessary when...
Tobias Brunner [Tue, 2 Mar 2010 11:03:44 +0000 (12:03 +0100)]
Reverting eba28948a584b9d02474cf5d256b04b8d2adbe6a which was only necessary when cross-compiling the plugins for Android 2.0.

With the coming monolithic build using Android.mk files this won't be
necessary anymore.

10 years agoStreamlined the source file list formatting in plugin makefiles.
Tobias Brunner [Tue, 2 Mar 2010 09:32:09 +0000 (10:32 +0100)]
Streamlined the source file list formatting in plugin makefiles.

10 years agoFixing some includes by replacing <> with "".
Tobias Brunner [Mon, 1 Mar 2010 15:03:18 +0000 (16:03 +0100)]
Fixing some includes by replacing <> with "".

I changed only the includes needed to fix the build on Android, which has an utils.h system header file, but we should probably change all the local includes in libstrongswan to "" and relative paths.

10 years agoLink all enabled libstrongswan plugins into the library, link all enabled charon...
Tobias Brunner [Mon, 1 Mar 2010 15:15:08 +0000 (16:15 +0100)]
Link all enabled libstrongswan plugins into the library, link all enabled charon plugins into libcharon.

10 years agoEnabling the plugin loader to be able to load plugins without explicitly loading...
Tobias Brunner [Mon, 1 Mar 2010 15:07:07 +0000 (16:07 +0100)]
Enabling the plugin loader to be able to load plugins without explicitly loading a shared object file first.

10 years agoAdding an option to build libstrongswan and charon monolithically.
Tobias Brunner [Mon, 1 Mar 2010 15:16:55 +0000 (16:16 +0100)]
Adding an option to build libstrongswan and charon monolithically.

10 years agoChanged plugin constructors from plugin_create to plugin_name_plugin_create.
Tobias Brunner [Tue, 23 Feb 2010 15:20:38 +0000 (16:20 +0100)]
Changed plugin constructors from plugin_create to plugin_name_plugin_create.

10 years agoRemoving the plugin constructor declarations from the header files.
Tobias Brunner [Tue, 23 Feb 2010 15:17:48 +0000 (16:17 +0100)]
Removing the plugin constructor declarations from the header files.

10 years agorenewed Authorization Authority certificate
Andreas Steffen [Sat, 27 Feb 2010 21:16:36 +0000 (22:16 +0100)]
renewed Authorization Authority certificate

10 years agoNEWS about the android plugin
Martin Willi [Fri, 26 Feb 2010 10:57:59 +0000 (11:57 +0100)]
NEWS about the android plugin

10 years agoNEWS about the dynamic socket implementation
Martin Willi [Fri, 26 Feb 2010 10:52:54 +0000 (11:52 +0100)]
NEWS about the dynamic socket implementation

10 years agoLink libstrongswan to the new plugins, too
Martin Willi [Fri, 26 Feb 2010 10:49:04 +0000 (11:49 +0100)]
Link libstrongswan to the new plugins, too

10 years agoAdd support for dynamic ports in load tester
Martin Willi [Fri, 26 Feb 2010 10:21:01 +0000 (10:21 +0000)]
Add support for dynamic ports in load tester

10 years agoProcess ike_vendor task before ike_init, fixes support for private algs in IKE
Martin Willi [Fri, 26 Feb 2010 10:07:56 +0000 (11:07 +0100)]
Process ike_vendor task before ike_init, fixes support for private algs in IKE

10 years agoUse message instead of attributes in hook
Martin Willi [Fri, 27 Nov 2009 10:14:40 +0000 (11:14 +0100)]
Use message instead of attributes in hook

10 years agoSet UDP encapsulation option on all sockets
Martin Willi [Wed, 24 Feb 2010 14:11:58 +0000 (14:11 +0000)]
Set UDP encapsulation option on all sockets

10 years agoFixed starter left-/rightikeport keyword
Martin Willi [Wed, 24 Feb 2010 13:49:55 +0000 (13:49 +0000)]
Fixed starter left-/rightikeport keyword

10 years agoAdded locking to dynamic socket list
Martin Willi [Wed, 24 Feb 2010 10:45:18 +0000 (11:45 +0100)]
Added locking to dynamic socket list

10 years agoInclude ports in ike_cfg equality check
Martin Willi [Wed, 24 Feb 2010 10:07:47 +0000 (10:07 +0000)]
Include ports in ike_cfg equality check

10 years agoAdded an initiator-only socket implementation which binds ports on demand
Martin Willi [Wed, 24 Feb 2010 09:58:23 +0000 (10:58 +0100)]
Added an initiator-only socket implementation which binds ports on demand

10 years agoRemoved obsolete daemon kill
Martin Willi [Tue, 23 Feb 2010 16:59:52 +0000 (17:59 +0100)]
Removed obsolete daemon kill

10 years agoDo not kill daemon, just not use pluggable kernel interface if initialization failed
Martin Willi [Tue, 23 Feb 2010 16:49:34 +0000 (16:49 +0000)]
Do not kill daemon, just not use pluggable kernel interface if initialization failed

10 years agoPass sockets to bypass to kernel interface, allowing us to register them dynamically
Martin Willi [Tue, 23 Feb 2010 16:28:23 +0000 (16:28 +0000)]
Pass sockets to bypass to kernel interface, allowing us to register them dynamically

10 years agoMigrated kernel_klips_ipsec to METHOD/INIT macros
Martin Willi [Tue, 23 Feb 2010 16:10:29 +0000 (16:10 +0000)]
Migrated kernel_klips_ipsec to METHOD/INIT macros

10 years agoMigrated kernel_pfkey_ipsec to METHOD/INIT macros
Martin Willi [Tue, 23 Feb 2010 16:04:46 +0000 (16:04 +0000)]
Migrated kernel_pfkey_ipsec to METHOD/INIT macros

10 years agoMigrated kernel_netlink_ipsec to METHOD/INIT macros
Martin Willi [Tue, 23 Feb 2010 15:59:25 +0000 (15:59 +0000)]
Migrated kernel_netlink_ipsec to METHOD/INIT macros

10 years agoMigrated kernel_interface wrapper to METHOD/INIT macros
Martin Willi [Tue, 23 Feb 2010 15:34:34 +0000 (16:34 +0100)]
Migrated kernel_interface wrapper to METHOD/INIT macros

10 years agoAdded left-/rightikeport ipsec.conf options to use custom IKE ports
Martin Willi [Mon, 22 Feb 2010 18:26:25 +0000 (19:26 +0100)]
Added left-/rightikeport ipsec.conf options to use custom IKE ports

10 years agoUse src/dst ports as configured in ike_cfg
Martin Willi [Mon, 22 Feb 2010 17:34:11 +0000 (18:34 +0100)]
Use src/dst ports as configured in ike_cfg

10 years agoStore custom IKE src/dst ports on ike_cfg
Martin Willi [Mon, 22 Feb 2010 17:11:42 +0000 (18:11 +0100)]
Store custom IKE src/dst ports on ike_cfg