strongswan.git
10 years agoAdding OpenSSL HMAC signer functions to openssl plugin
Aleksandr Grinberg [Wed, 20 Jun 2012 20:46:21 +0000 (13:46 -0700)]
Adding OpenSSL HMAC signer functions to openssl plugin

10 years agoAdding OpenSSL HMAC pseudo random functions to openssl plugin
Aleksandr Grinberg [Wed, 20 Jun 2012 20:43:47 +0000 (13:43 -0700)]
Adding OpenSSL HMAC pseudo random functions to openssl plugin

10 years agoAdding OpenSSL random number functions to openssl plugin
Aleksandr Grinberg [Wed, 20 Jun 2012 20:39:37 +0000 (13:39 -0700)]
Adding OpenSSL random number functions to openssl plugin

10 years agoFixed IPv6 source address lookup
Tobias Brunner [Mon, 18 Jun 2012 10:01:10 +0000 (12:01 +0200)]
Fixed IPv6 source address lookup

Because Linux kernels prior to 3.0 do not support RTA_PREFSRC for
IPv6 routes we didn't use NLM_F_DUMP to get all routes.
Still routes installed with policies are installed also for IPv6.
So since only one route is returned without DUMP, and we ignore
all routes from our own routing table, no source address was found
during roaming if DST of the installed route included the IKE peer.

With newer kernels we can now use DUMP as we did for IPv4 already,
for older kernels we do so if our own routes are installed in a
separate routing table, otherwise we still use GET.

10 years agoupdated default configuration of UML hosts to 5.0.0
Andreas Steffen [Mon, 25 Jun 2012 11:04:55 +0000 (13:04 +0200)]
updated default configuration of UML hosts to 5.0.0

10 years agoadded charon.cisco_unity to strongswan.conf.5 man page
Andreas Steffen [Mon, 25 Jun 2012 09:47:40 +0000 (11:47 +0200)]
added charon.cisco_unity to strongswan.conf.5 man page

10 years agosupport Cisco Unity VID
Andreas Steffen [Mon, 25 Jun 2012 09:00:12 +0000 (11:00 +0200)]
support Cisco Unity VID

10 years agoEnable xauth-generic by default but don't build it if IKEv1 is disabled
Tobias Brunner [Mon, 25 Jun 2012 09:07:49 +0000 (11:07 +0200)]
Enable xauth-generic by default but don't build it if IKEv1 is disabled

10 years agoRemove CREDITS from distribution
Tobias Brunner [Mon, 25 Jun 2012 09:07:35 +0000 (11:07 +0200)]
Remove CREDITS from distribution

10 years agoThe AUTHORS file is required by automake
Tobias Brunner [Mon, 25 Jun 2012 08:59:27 +0000 (10:59 +0200)]
The AUTHORS file is required by automake

10 years agoLICENSE file updated
Tobias Brunner [Thu, 21 Jun 2012 16:14:43 +0000 (18:14 +0200)]
LICENSE file updated

10 years agoldaphost and ldapbase ca section keywords are deprecated
Tobias Brunner [Thu, 21 Jun 2012 16:04:18 +0000 (18:04 +0200)]
ldaphost and ldapbase ca section keywords are deprecated

10 years agoRemoved pluto-specifics from ipsec script
Tobias Brunner [Thu, 21 Jun 2012 15:58:59 +0000 (17:58 +0200)]
Removed pluto-specifics from ipsec script

10 years agoREADME file cleaned up and updated
Tobias Brunner [Thu, 21 Jun 2012 15:55:08 +0000 (17:55 +0200)]
README file cleaned up and updated

10 years agoEnforce uniqueids=keep based on XAuth identity
Martin Willi [Thu, 14 Jun 2012 13:25:11 +0000 (15:25 +0200)]
Enforce uniqueids=keep based on XAuth identity

10 years agoDon't send XAUTH_OK if a hook prevents SA to establish
Martin Willi [Thu, 14 Jun 2012 13:23:57 +0000 (15:23 +0200)]
Don't send XAUTH_OK if a hook prevents SA to establish

10 years agoEnforce uniqueids=keep only for non-XAuth Main/Agressive Modes
Martin Willi [Thu, 14 Jun 2012 13:08:37 +0000 (15:08 +0200)]
Enforce uniqueids=keep only for non-XAuth Main/Agressive Modes

10 years agoShow EAP/XAuth identity in "ipsec status", if available
Martin Willi [Thu, 14 Jun 2012 13:07:44 +0000 (15:07 +0200)]
Show EAP/XAuth identity in "ipsec status", if available

10 years agoUse XAuth/EAP remote identity for uniqueness check
Martin Willi [Thu, 14 Jun 2012 12:47:40 +0000 (14:47 +0200)]
Use XAuth/EAP remote identity for uniqueness check

10 years agoAdd missing XAuth name variable when complaining about missing XAuth backend
Martin Willi [Mon, 25 Jun 2012 08:09:27 +0000 (10:09 +0200)]
Add missing XAuth name variable when complaining about missing XAuth backend

10 years agoremoved AUTHORS and CREDITS
Andreas Steffen [Mon, 25 Jun 2012 06:45:10 +0000 (08:45 +0200)]
removed AUTHORS and CREDITS

10 years agosome copyright additions
Andreas Steffen [Sat, 23 Jun 2012 10:09:29 +0000 (12:09 +0200)]
some copyright additions

10 years agoupdate copyright
Andreas Steffen [Sat, 23 Jun 2012 09:57:42 +0000 (11:57 +0200)]
update copyright

10 years agoversion bump to 5.0.0
Andreas Steffen [Sat, 23 Jun 2012 09:32:54 +0000 (11:32 +0200)]
version bump to 5.0.0

10 years agoFix SIGSEGV if kernel install fails during Quick Mode as responder.
Tobias Brunner [Thu, 7 Jun 2012 12:59:20 +0000 (14:59 +0200)]
Fix SIGSEGV if kernel install fails during Quick Mode as responder.

10 years agoadapted description to IKEv2
Andreas Steffen [Fri, 22 Jun 2012 07:53:25 +0000 (09:53 +0200)]
adapted description to IKEv2

10 years agoFixed compile error because of charon->name in certexpire plugin.
Tobias Brunner [Thu, 21 Jun 2012 11:59:18 +0000 (13:59 +0200)]
Fixed compile error because of charon->name in certexpire plugin.

10 years agofixed typo
Andreas Steffen [Wed, 20 Jun 2012 09:15:09 +0000 (11:15 +0200)]
fixed typo

10 years agoadded ipv6/rw-ip6-in-ip4-ikev1 scenario
Andreas Steffen [Wed, 20 Jun 2012 09:13:20 +0000 (11:13 +0200)]
added ipv6/rw-ip6-in-ip4-ikev1 scenario

10 years agoadded ipv6/rw-ip6-in-ip4-ikev2 scenario
Andreas Steffen [Wed, 20 Jun 2012 09:03:51 +0000 (11:03 +0200)]
added ipv6/rw-ip6-in-ip4-ikev2 scenario

10 years agoSelect requested virtual IP family based on remote TS, if no local TS available
Martin Willi [Wed, 20 Jun 2012 08:01:05 +0000 (10:01 +0200)]
Select requested virtual IP family based on remote TS, if no local TS available

10 years agoupgraded UML options to 5.0.0
Andreas Steffen [Tue, 19 Jun 2012 17:34:26 +0000 (19:34 +0200)]
upgraded UML options to 5.0.0

10 years agoDoxygen fix in PKCS#7 wrapper
Tobias Brunner [Tue, 19 Jun 2012 11:32:24 +0000 (13:32 +0200)]
Doxygen fix in PKCS#7 wrapper

10 years agosleep one second more
Andreas Steffen [Tue, 19 Jun 2012 04:18:05 +0000 (06:18 +0200)]
sleep one second more

10 years agouse socket-default in scenario
Andreas Steffen [Tue, 19 Jun 2012 04:17:37 +0000 (06:17 +0200)]
use socket-default in scenario

10 years agoadded ikev1/xauth-id-rsa-hybrid scenario
Andreas Steffen [Mon, 18 Jun 2012 20:51:50 +0000 (22:51 +0200)]
added ikev1/xauth-id-rsa-hybrid scenario

10 years agoadded ikev1/xauth-id-rsa-aggressive scenario
Andreas Steffen [Mon, 18 Jun 2012 20:30:26 +0000 (22:30 +0200)]
added ikev1/xauth-id-rsa-aggressive scenario

10 years agoadded secret as valid authby argument
Andreas Steffen [Mon, 18 Jun 2012 20:11:18 +0000 (22:11 +0200)]
added secret as valid authby argument

10 years agorsasig is not recognized as authentication method
Andreas Steffen [Mon, 18 Jun 2012 20:03:36 +0000 (22:03 +0200)]
rsasig is not recognized as authentication method

10 years agoenable potentially unsafe aggressive mode
Andreas Steffen [Mon, 18 Jun 2012 19:34:48 +0000 (21:34 +0200)]
enable potentially unsafe aggressive mode

10 years agochange ikev1/xauth scenarios to modern notation
Andreas Steffen [Mon, 18 Jun 2012 19:22:01 +0000 (21:22 +0200)]
change ikev1/xauth scenarios to modern notation

10 years agotesting: List IPv6 routing table in IPv6 test cases.
Tobias Brunner [Fri, 15 Jun 2012 13:19:23 +0000 (15:19 +0200)]
testing: List IPv6 routing table in IPv6 test cases.

10 years agoNLM_F_DUMP includes NLM_F_ROOT.
Tobias Brunner [Fri, 15 Jun 2012 10:50:30 +0000 (12:50 +0200)]
NLM_F_DUMP includes NLM_F_ROOT.

10 years agoDon't create roam jobs based on cached/cloned routes.
Tobias Brunner [Fri, 15 Jun 2012 10:27:26 +0000 (12:27 +0200)]
Don't create roam jobs based on cached/cloned routes.

10 years agoDon't compare ports when comparing cached routes.
Tobias Brunner [Fri, 15 Jun 2012 09:43:21 +0000 (11:43 +0200)]
Don't compare ports when comparing cached routes.

At least src_ip has a port set sometimes.

10 years agostarter: Fixed parsing of %defaultroute.
Tobias Brunner [Fri, 15 Jun 2012 08:32:15 +0000 (10:32 +0200)]
starter: Fixed parsing of %defaultroute.

10 years agoAdopt children as XAuth initiator (which is IKE responder)
Martin Willi [Thu, 14 Jun 2012 12:46:48 +0000 (14:46 +0200)]
Adopt children as XAuth initiator (which is IKE responder)

10 years agoAdded 5.0 NEWS about IKEv1 in charon
Martin Willi [Thu, 14 Jun 2012 08:57:29 +0000 (10:57 +0200)]
Added 5.0 NEWS about IKEv1 in charon

10 years agoPrint the kind of *Swan during starter startup
Martin Willi [Wed, 13 Jun 2012 10:18:25 +0000 (12:18 +0200)]
Print the kind of *Swan during starter startup

10 years agoShow what kind of *Swan we run in "ipsec status"
Martin Willi [Wed, 13 Jun 2012 10:11:55 +0000 (12:11 +0200)]
Show what kind of *Swan we run in "ipsec status"

10 years agoRequire a scary option to respond to Aggressive Mode PSK requests
Martin Willi [Wed, 13 Jun 2012 07:32:28 +0000 (09:32 +0200)]
Require a scary option to respond to Aggressive Mode PSK requests

While Aggressive Mode PSK is widely used, it is known to be subject
to dictionary attacks by passive attackers. We don't complain as
initiator to be compatible with existing (insecure) setups, but
require a scary strongswan.conf option if someone wants to use it
as responder.

10 years agothanks to narrowing treat right|leftsubnetwithin as synonyms for right|leftsubnet
Andreas Steffen [Thu, 14 Jun 2012 05:55:12 +0000 (07:55 +0200)]
thanks to narrowing treat right|leftsubnetwithin as synonyms for right|leftsubnet

10 years agoremoved plutostart parameter
Andreas Steffen [Wed, 13 Jun 2012 19:19:05 +0000 (21:19 +0200)]
removed plutostart parameter

10 years agoscepclient: Fixed Makefile after removing enable-smartcard configure option.
Tobias Brunner [Wed, 13 Jun 2012 13:08:14 +0000 (15:08 +0200)]
scepclient: Fixed Makefile after removing enable-smartcard configure option.

10 years agoUse proper defines for IPV6_PKTINFO on Mac OS X Lion and newer.
Tobias Brunner [Wed, 13 Jun 2012 13:02:10 +0000 (15:02 +0200)]
Use proper defines for IPV6_PKTINFO on Mac OS X Lion and newer.

10 years agoSome updates to the INSTALL document.
Tobias Brunner [Wed, 13 Jun 2012 10:24:23 +0000 (12:24 +0200)]
Some updates to the INSTALL document.

10 years agoRemoved remaining pluto related configure options.
Tobias Brunner [Wed, 13 Jun 2012 09:33:32 +0000 (11:33 +0200)]
Removed remaining pluto related configure options.

10 years agostarter: Print additional help texts for selected deprecated keywords.
Tobias Brunner [Tue, 12 Jun 2012 11:59:05 +0000 (13:59 +0200)]
starter: Print additional help texts for selected deprecated keywords.

10 years agostarter: Improved how deprecated keywords are handled.
Tobias Brunner [Tue, 12 Jun 2012 11:57:47 +0000 (13:57 +0200)]
starter: Improved how deprecated keywords are handled.

We only throw a warning now instead of rejecting the config.

10 years agoRevert "starter: Don't treat unsupported keywords as fatal errors just report them."
Tobias Brunner [Tue, 12 Jun 2012 09:42:00 +0000 (11:42 +0200)]
Revert "starter: Don't treat unsupported keywords as fatal errors just report them."

This reverts commit e55876a657ae9d4bbf14320e5a14f86cc5c31c7f.

10 years agoNEWS about specifying trustchain HASH algorithm requirements
Martin Willi [Tue, 12 Jun 2012 12:43:55 +0000 (14:43 +0200)]
NEWS about specifying trustchain HASH algorithm requirements

10 years agoAdd documentation for signature hash algorithm enforcing to man ipsec.conf
Martin Willi [Mon, 11 Jun 2012 13:48:03 +0000 (15:48 +0200)]
Add documentation for signature hash algorithm enforcing to man ipsec.conf

10 years agoAdded signature scheme options left/rightauth
Martin Willi [Fri, 8 Jun 2012 15:04:14 +0000 (17:04 +0200)]
Added signature scheme options left/rightauth

10 years agoSupport multiple different public key strength types in constraints
Martin Willi [Tue, 12 Jun 2012 12:19:11 +0000 (14:19 +0200)]
Support multiple different public key strength types in constraints

10 years agoAdd signature schemes to auth_cfg during trustchain validation
Martin Willi [Mon, 11 Jun 2012 12:52:37 +0000 (14:52 +0200)]
Add signature schemes to auth_cfg during trustchain validation

10 years agocertificate_t->issued_by takes an argument to receive signature scheme
Martin Willi [Mon, 11 Jun 2012 12:33:34 +0000 (14:33 +0200)]
certificate_t->issued_by takes an argument to receive signature scheme

10 years agoDefine auth_cfg rules for signature schemes
Martin Willi [Fri, 8 Jun 2012 14:47:08 +0000 (16:47 +0200)]
Define auth_cfg rules for signature schemes

10 years agostarter: Fixed parsing of left|right=%any.
Tobias Brunner [Tue, 12 Jun 2012 08:12:53 +0000 (10:12 +0200)]
starter: Fixed parsing of left|right=%any.

10 years agodeleted IKEv1 charon-pluto interoperability scenarios
Andreas Steffen [Tue, 12 Jun 2012 08:00:21 +0000 (10:00 +0200)]
deleted IKEv1 charon-pluto interoperability scenarios

10 years agostarter: Fix comparison of connections.
Tobias Brunner [Wed, 16 May 2012 15:18:27 +0000 (17:18 +0200)]
starter: Fix comparison of connections.

10 years agostarter: Removed all unsupported keywords.
Tobias Brunner [Wed, 16 May 2012 14:56:49 +0000 (16:56 +0200)]
starter: Removed all unsupported keywords.

10 years agostarter: Don't treat unsupported keywords as fatal errors just report them.
Tobias Brunner [Wed, 16 May 2012 14:25:32 +0000 (16:25 +0200)]
starter: Don't treat unsupported keywords as fatal errors just report them.

10 years agoBye bye Pluto!
Tobias Brunner [Tue, 15 May 2012 14:59:00 +0000 (16:59 +0200)]
Bye bye Pluto!

Charon will take over IKEv1 duties from here.  This also removes
libfreeswan and whack.

10 years ago_copyright: Replicate copyright text here instead of calling libfreeswan.
Tobias Brunner [Tue, 15 May 2012 15:12:59 +0000 (17:12 +0200)]
_copyright: Replicate copyright text here instead of calling libfreeswan.

10 years agostarter: Remove all ties to pluto/libfreeswan.
Tobias Brunner [Tue, 15 May 2012 14:37:02 +0000 (16:37 +0200)]
starter: Remove all ties to pluto/libfreeswan.

Moved some types/constants in the process.

10 years agostarter: Use custom type for SA specific options (flags).
Tobias Brunner [Tue, 15 May 2012 14:31:46 +0000 (16:31 +0200)]
starter: Use custom type for SA specific options (flags).

10 years agostarter: Parse left|rightprotoport directly in confread.c.
Tobias Brunner [Tue, 15 May 2012 14:20:15 +0000 (16:20 +0200)]
starter: Parse left|rightprotoport directly in confread.c.

10 years agostarter: No special handling for left|rightsubnet, just pass it on as string.
Tobias Brunner [Tue, 15 May 2012 13:10:23 +0000 (15:10 +0200)]
starter: No special handling for left|rightsubnet, just pass it on as string.

10 years agostarter: Use host_t to parse left|rightsourceip.
Tobias Brunner [Tue, 15 May 2012 13:04:11 +0000 (15:04 +0200)]
starter: Use host_t to parse left|rightsourceip.

Also for the yet unused natip option.

10 years agostarter: Remove left|rightsubnetwithin option (charon narrows left|rightsubnet down...
Tobias Brunner [Tue, 15 May 2012 13:00:15 +0000 (15:00 +0200)]
starter: Remove left|rightsubnetwithin option (charon narrows left|rightsubnet down accordingly).

10 years agostarter: Don't resolve any addresses in starter.
Tobias Brunner [Tue, 15 May 2012 11:51:59 +0000 (13:51 +0200)]
starter: Don't resolve any addresses in starter.

Also removed remains of some unknown iface option.

10 years agostarter: Removed pfs and pfsgroup options (handled via esp option).
Tobias Brunner [Tue, 15 May 2012 11:26:49 +0000 (13:26 +0200)]
starter: Removed pfs and pfsgroup options (handled via esp option).

10 years agostarter: Store mode of the IPsec SA/policy in a separate member.
Tobias Brunner [Tue, 15 May 2012 11:12:45 +0000 (13:12 +0200)]
starter: Store mode of the IPsec SA/policy in a separate member.

10 years agostarter: Use custom type to mark seen keywords.
Tobias Brunner [Tue, 15 May 2012 08:41:08 +0000 (10:41 +0200)]
starter: Use custom type to mark seen keywords.

10 years agostarter: Remove left|rightnexthop option.
Tobias Brunner [Mon, 14 May 2012 16:27:53 +0000 (18:27 +0200)]
starter: Remove left|rightnexthop option.

Charon does this lookup dynamically.

10 years agoImplement strdupnull() macro as static inline function.
Tobias Brunner [Mon, 14 May 2012 16:04:09 +0000 (18:04 +0200)]
Implement strdupnull() macro as static inline function.

This avoids compiler warnings if the argument is a const char*.

10 years agostarter: Replaced all usages of clone_str() with strdupnull().
Tobias Brunner [Mon, 14 May 2012 15:50:34 +0000 (17:50 +0200)]
starter: Replaced all usages of clone_str() with strdupnull().

10 years agostarter: Parse authby as string.
Tobias Brunner [Mon, 14 May 2012 15:36:46 +0000 (17:36 +0200)]
starter: Parse authby as string.

10 years agostarter: Remove main parts of pluto support (invoke, whack).
Tobias Brunner [Mon, 14 May 2012 15:33:03 +0000 (17:33 +0200)]
starter: Remove main parts of pluto support (invoke, whack).

10 years agostarter: Drop support for %defaultroute.
Tobias Brunner [Mon, 14 May 2012 10:17:50 +0000 (12:17 +0200)]
starter: Drop support for %defaultroute.

10 years agostarter: Migrated logging to libstrongswan.
Tobias Brunner [Mon, 14 May 2012 09:22:57 +0000 (11:22 +0200)]
starter: Migrated logging to libstrongswan.

10 years agostarter: Remove unneeded starter_exec function.
Tobias Brunner [Mon, 14 May 2012 09:01:35 +0000 (11:01 +0200)]
starter: Remove unneeded starter_exec function.

10 years agoscepclient: Option added to read PKCS#10 certificate request from a file.
Tobias Brunner [Fri, 1 Jun 2012 13:25:59 +0000 (15:25 +0200)]
scepclient: Option added to read PKCS#10 certificate request from a file.

10 years agoscepclient: Option added to read self-signed certificate from a file.
Tobias Brunner [Fri, 1 Jun 2012 12:43:12 +0000 (14:43 +0200)]
scepclient: Option added to read self-signed certificate from a file.

10 years agoscepclient: Generate uppercase transaction ID.
Tobias Brunner [Wed, 30 May 2012 13:04:31 +0000 (15:04 +0200)]
scepclient: Generate uppercase transaction ID.

10 years agoscepclient: Use HTTP 1.0 for all requests.
Tobias Brunner [Wed, 30 May 2012 13:02:32 +0000 (15:02 +0200)]
scepclient: Use HTTP 1.0 for all requests.

10 years agoscepclient: Options added to specify digest/signature algorithms.
Tobias Brunner [Wed, 30 May 2012 12:54:51 +0000 (14:54 +0200)]
scepclient: Options added to specify digest/signature algorithms.

Also changed the defaults to DES/MD5 as that's what should be used
if GetCACaps is not used to learn the issuers capabilities.

10 years agoAdded function to convert integrity algorithms to hash algorithms (if based on one).
Tobias Brunner [Wed, 30 May 2012 12:46:24 +0000 (14:46 +0200)]
Added function to convert integrity algorithms to hash algorithms (if based on one).

10 years agoProperly encode 0 in ASN.1.
Tobias Brunner [Sat, 12 May 2012 16:21:32 +0000 (18:21 +0200)]
Properly encode 0 in ASN.1.

According to X.690 an INTEGER object always has at least one content
octet.

10 years agoDon't use chunk_skip() in asn1_length().
Tobias Brunner [Fri, 11 May 2012 14:05:55 +0000 (16:05 +0200)]
Don't use chunk_skip() in asn1_length().

chunk_skip() returns chunk_empty if the length of the chunk is equal to
the number of bytes to skip, this is problematic as asn1_length() modifies
the original chunk.  asn1_parser_t for instance uses the modified chunk to
later calculate the length of the resulting ASN.1 object which produces
incorrect results if it is based on chunk_empty.