strongswan.git
8 years ago: eliminate unneeded private variable
Andreas Steffen [Wed, 14 Mar 2012 20:38:30 +0000 (21:38 +0100)]
eliminate unneeded private variable

8 years ago: added tnc/tnccs-20-pdp scenario
Andreas Steffen [Wed, 14 Mar 2012 07:47:12 +0000 (08:47 +0100)]
added tnc/tnccs-20-pdp scenario

8 years ago: edited description of tnc/tnccs-11-radius scenario
Andreas Steffen [Wed, 14 Mar 2012 07:46:52 +0000 (08:46 +0100)]
edited description of tnc/tnccs-11-radius scenario

8 years ago: use MAX_RADIUS_ATTRIBUTE_SIZE constant from radius_message header file
Andreas Steffen [Wed, 14 Mar 2012 06:51:56 +0000 (07:51 +0100)]
use MAX_RADIUS_ATTRIBUTE_SIZE constant from radius_message header file

8 years ago: version bump to 4.6.3dr1
Andreas Steffen [Wed, 14 Mar 2012 06:45:35 +0000 (07:45 +0100)]
version bump to 4.6.3dr1

8 years ago: make the mppe salt unique
Andreas Steffen [Wed, 14 Mar 2012 06:31:19 +0000 (07:31 +0100)]
make the mppe salt unique

8 years ago: straightened radius_mppe header file
Andreas Steffen [Wed, 14 Mar 2012 05:52:26 +0000 (06:52 +0100)]
straightened radius_mppe header file

8 years ago: implemented MS_MPPE encryption
Andreas Steffen [Tue, 13 Mar 2012 22:26:15 +0000 (23:26 +0100)]
implemented MS_MPPE encryption

8 years ago: use predefined Microsoft PEN
Andreas Steffen [Tue, 13 Mar 2012 18:23:35 +0000 (19:23 +0100)]
use predefined Microsoft PEN

8 years ago: use MAX_RADIUS_ATTRIBUTE_SIZE constant
Andreas Steffen [Tue, 13 Mar 2012 17:06:56 +0000 (18:06 +0100)]
use MAX_RADIUS_ATTRIBUTE_SIZE constant

8 years ago: use RADIUS_TUNNEL_TYPE_ESP defined in header file
Andreas Steffen [Tue, 13 Mar 2012 16:00:37 +0000 (17:00 +0100)]
use RADIUS_TUNNEL_TYPE_ESP defined in header file

8 years ago: implemented RADIUS Filter-ID attribute
Andreas Steffen [Tue, 13 Mar 2012 15:26:10 +0000 (16:26 +0100)]
implemented RADIUS Filter-ID attribute

8 years ago: removed double library entry
Andreas Steffen [Mon, 12 Mar 2012 07:56:48 +0000 (08:56 +0100)]
removed double library entry

8 years ago: adapted debug output
Andreas Steffen [Fri, 9 Mar 2012 16:41:04 +0000 (17:41 +0100)]
adapted debug output

8 years ago: keep a list of RADIUS connections with EAP method states
Andreas Steffen [Fri, 9 Mar 2012 16:38:06 +0000 (17:38 +0100)]
keep a list of RADIUS connections with EAP method states

8 years ago: apply maximum RADIUS attribute size to outbound EAP messages
Andreas Steffen [Fri, 9 Mar 2012 09:20:44 +0000 (10:20 +0100)]
apply maximum RADIUS attribute size to outbound EAP messages

8 years ago: read PDP server name from strongswan.conf
Andreas Steffen [Fri, 9 Mar 2012 08:28:51 +0000 (09:28 +0100)]
read PDP server name from strongswan.conf

8 years ago: define MAX_RADIUS_ATTRIBUTE_SIZE
Andreas Steffen [Fri, 9 Mar 2012 07:48:46 +0000 (08:48 +0100)]
define MAX_RADIUS_ATTRIBUTE_SIZE

8 years ago: define peer and server identities
Andreas Steffen [Thu, 8 Mar 2012 22:19:13 +0000 (23:19 +0100)]
define peer and server identities

8 years ago: added EAP_SUCCESS/FAILURE message to RADIUS Accept/Reject
Andreas Steffen [Thu, 8 Mar 2012 21:37:09 +0000 (22:37 +0100)]
added EAP_SUCCESS/FAILURE message to RADIUS Accept/Reject

8 years ago: added msg_auth flag in radius_message_t sign() method
Andreas Steffen [Thu, 8 Mar 2012 21:36:06 +0000 (22:36 +0100)]
added msg_auth flag in radius_message_t sign() method

8 years ago: allow debug of raw RADIUS data
Andreas Steffen [Thu, 8 Mar 2012 20:47:27 +0000 (21:47 +0100)]
allow debug of raw RADIUS data

8 years ago: simple RADIUS server example works
Andreas Steffen [Thu, 8 Mar 2012 09:22:56 +0000 (10:22 +0100)]
simple RADIUS server example works

8 years ago: first use of libradius
Andreas Steffen [Thu, 24 Nov 2011 10:02:18 +0000 (11:02 +0100)]
first use of libradius

8 years ago: created libradius shared by eap-radius and tnc-pdp plugins
Andreas Steffen [Fri, 18 Nov 2011 18:42:05 +0000 (19:42 +0100)]
created libradius shared by eap-radius and tnc-pdp plugins

8 years ago: created tnc-pdp policy decision point plugin
Andreas Steffen [Sun, 13 Nov 2011 20:56:47 +0000 (21:56 +0100)]
created tnc-pdp policy decision point plugin

8 years ago: Fixed crash and locking issues while unrouting connections via stroke
Martin Willi [Tue, 13 Mar 2012 09:55:58 +0000 (10:55 +0100)]
Fixed crash and locking issues while unrouting connections via stroke

8 years ago: Clear peer addresses during HA update.
Tobias Brunner [Fri, 9 Mar 2012 09:30:37 +0000 (10:30 +0100)]
Clear peer addresses during HA update.

8 years ago: Simplified some route lookups now that we store all peer addresses in a list.
Tobias Brunner [Fri, 9 Mar 2012 09:22:21 +0000 (10:22 +0100)]
Simplified some route lookups now that we store all peer addresses in a list.

8 years ago: Renamed list of additional peer addresses as it now stores all known addresses.
Tobias Brunner [Fri, 9 Mar 2012 09:15:21 +0000 (10:15 +0100)]
Renamed list of additional peer addresses as it now stores all known addresses.

8 years ago: Store the peer's current address as additional known address on the IKE_SA.
Tobias Brunner [Fri, 9 Mar 2012 09:03:08 +0000 (10:03 +0100)]
Store the peer's current address as additional known address on the IKE_SA.

This allows to switch back to the original address after switching to
any of the additional addresses.

8 years ago: Include radattr RADIUS attribute only if an EAP payload is present
Martin Willi [Tue, 6 Mar 2012 10:00:35 +0000 (11:00 +0100)]
Include radattr RADIUS attribute only if an EAP payload is present

8 years ago: By default include radattr RADIUS attribute in any IKE_AUTH exchange
Martin Willi [Tue, 6 Mar 2012 10:00:00 +0000 (11:00 +0100)]
By default include radattr RADIUS attribute in any IKE_AUTH exchange

8 years ago: farp plugin sends ARP responses for any tunneled address, not only virtual IPs
Martin Willi [Fri, 10 Feb 2012 15:50:18 +0000 (16:50 +0100)]
farp plugin sends ARP responses for any tunneled address, not only virtual IPs

8 years ago: Be less verbose if we don't have a local address for a tunnel
Martin Willi [Mon, 13 Feb 2012 10:41:20 +0000 (11:41 +0100)]
Be less verbose if we don't have a local address for a tunnel

8 years ago: Re-resolve hosts on additional keyingtries
Martin Willi [Tue, 14 Feb 2012 10:29:34 +0000 (11:29 +0100)]
Re-resolve hosts on additional keyingtries

8 years ago: Renamed radius_server to radius_config, as some real RADIUS server functionality...
Martin Willi [Mon, 5 Mar 2012 17:31:30 +0000 (18:31 +0100)]
Renamed radius_server to radius_config, as some real RADIUS server functionality is coming

8 years ago: Prefer EAP-Identity to read radattr RADIUS attribute file
Martin Willi [Mon, 5 Mar 2012 16:57:16 +0000 (17:57 +0100)]
Prefer EAP-Identity to read radattr RADIUS attribute file

8 years ago: Invoke ike_updown hook on authentication failure not before response sent
Martin Willi [Wed, 29 Feb 2012 09:10:45 +0000 (10:10 +0100)]
Invoke ike_updown hook on authentication failure not before response sent

8 years ago: Build libradius if radattr plugin is enabled
Martin Willi [Mon, 27 Feb 2012 15:39:48 +0000 (16:39 +0100)]
Build libradius if radattr plugin is enabled

8 years ago: Inject RADIUS attribute in radattr plugin read from an identity specific file
Martin Willi [Mon, 27 Feb 2012 15:33:18 +0000 (16:33 +0100)]
Inject RADIUS attribute in radattr plugin read from an identity specific file

8 years ago: Added a radattr plugin that prints any received RADIUS notify to console
Martin Willi [Mon, 27 Feb 2012 14:41:53 +0000 (15:41 +0100)]
Added a radattr plugin that prints any received RADIUS notify to console

8 years ago: Moved generic RADIUS protocol support to a dedicated libradius
Martin Willi [Mon, 27 Feb 2012 14:18:58 +0000 (15:18 +0100)]
Moved generic RADIUS protocol support to a dedicated libradius

8 years ago: Removed libcharon dependencies from generic RADIUS protocol support
Martin Willi [Mon, 27 Feb 2012 13:49:22 +0000 (14:49 +0100)]
Removed libcharon dependencies from generic RADIUS protocol support

8 years ago: Forward specified RADIUS attributes between AAA backend and client
Martin Willi [Fri, 24 Feb 2012 15:41:10 +0000 (16:41 +0100)]
Forward specified RADIUS attributes between AAA backend and client

8 years ago: Defined a private status notify to transport arbitrary RADIUS attributes
Martin Willi [Fri, 24 Feb 2012 12:37:00 +0000 (13:37 +0100)]
Defined a private status notify to transport arbitrary RADIUS attributes

8 years ago: Implemented RADIUS DAE response retransmission
Martin Willi [Wed, 22 Feb 2012 16:01:13 +0000 (17:01 +0100)]
Implemented RADIUS DAE response retransmission

8 years ago: Be a little more verbose before starting IKE_SA reauthentication
Martin Willi [Wed, 22 Feb 2012 15:16:15 +0000 (16:16 +0100)]
Be a little more verbose before starting IKE_SA reauthentication

8 years ago: Process RADIUS DAE CoA updates, updating lifetimes
Martin Willi [Wed, 22 Feb 2012 15:10:38 +0000 (16:10 +0100)]
Process RADIUS DAE CoA updates, updating lifetimes

8 years ago: Send an AUTH_LIFETIME update after updating the lifetime, but can not reauth actively
Martin Willi [Wed, 22 Feb 2012 15:07:31 +0000 (16:07 +0100)]
Send an AUTH_LIFETIME update after updating the lifetime, but can not reauth actively

8 years ago: Use faster ike_sa_id and a delete job to handle RADIUS DAE Delete-Request
Martin Willi [Wed, 22 Feb 2012 14:07:02 +0000 (15:07 +0100)]
Use faster ike_sa_id and a delete job to handle RADIUS DAE Delete-Request

8 years ago: Refactored RADIUS DAE IKE_SA lookup
Martin Willi [Wed, 22 Feb 2012 13:56:02 +0000 (14:56 +0100)]
Refactored RADIUS DAE IKE_SA lookup

8 years ago: Pass RADIUS DAE client address a host_t instead of sockaddr struct
Martin Willi [Wed, 22 Feb 2012 13:44:24 +0000 (14:44 +0100)]
Pass RADIUS DAE client address a host_t instead of sockaddr struct

8 years ago: Send RADIUS DAE Disconnect-ACK/NAK on Disconnect-Request
Martin Willi [Wed, 22 Feb 2012 13:23:50 +0000 (14:23 +0100)]
Send RADIUS DAE Disconnect-ACK/NAK on Disconnect-Request

8 years ago: Support signing of RADIUS response messages
Martin Willi [Wed, 22 Feb 2012 13:22:50 +0000 (14:22 +0100)]
Support signing of RADIUS response messages

8 years ago: Act on RADIUS DAE Disconnect requests
Martin Willi [Wed, 22 Feb 2012 12:49:06 +0000 (13:49 +0100)]
Act on RADIUS DAE Disconnect requests

8 years ago: Verify received RADIUS DAE requests
Martin Willi [Wed, 22 Feb 2012 12:06:58 +0000 (13:06 +0100)]
Verify received RADIUS DAE requests

8 years ago: Support verification of RADIUS request messages
Martin Willi [Wed, 22 Feb 2012 12:06:14 +0000 (13:06 +0100)]
Support verification of RADIUS request messages

8 years ago: Rename RADIUS message constructors to handle both, requests and responses
Martin Willi [Wed, 22 Feb 2012 11:39:50 +0000 (12:39 +0100)]
Rename RADIUS message constructors to handle both, requests and responses

8 years ago: Enable RADIUS DAE listening if configured
Martin Willi [Wed, 22 Feb 2012 09:37:13 +0000 (10:37 +0100)]
Enable RADIUS DAE listening if configured

8 years ago: Added infrastructure to listen to RADIUS Dynamic Authorization Extension requests
Martin Willi [Wed, 22 Feb 2012 09:34:06 +0000 (10:34 +0100)]
Added infrastructure to listen to RADIUS Dynamic Authorization Extension requests

8 years ago: Added Dynamic Authorization Extension RADIUS message codes
Martin Willi [Wed, 22 Feb 2012 09:31:36 +0000 (10:31 +0100)]
Added Dynamic Authorization Extension RADIUS message codes

8 years ago: Set IKE_SA lifetime based on RADIUS Session-Timeout attribute
Martin Willi [Tue, 21 Feb 2012 13:06:37 +0000 (14:06 +0100)]
Set IKE_SA lifetime based on RADIUS Session-Timeout attribute

8 years ago: Set hard timeouts when setting a lifetime
Martin Willi [Tue, 21 Feb 2012 13:05:57 +0000 (14:05 +0100)]
Set hard timeouts when setting a lifetime

8 years ago: Fix IKE_SA timeout debug output on 64bit platforms
Martin Willi [Tue, 21 Feb 2012 13:05:11 +0000 (14:05 +0100)]
Fix IKE_SA timeout debug output on 64bit platforms

8 years ago: maemo: New upstream release.
Tobias Brunner [Mon, 27 Feb 2012 17:15:51 +0000 (18:15 +0100)]
maemo: New upstream release.

8 years ago: Added support for untruncated MD5 and SHA1 HMACs in ESP as used in RFC 4595.
Tobias Brunner [Mon, 27 Feb 2012 13:31:19 +0000 (14:31 +0100)]
Added support for untruncated MD5 and SHA1 HMACs in ESP as used in RFC 4595.

This requires a Linux kernel >= 2.6.33.

8 years ago: Encode IPv6 virtual IPs in a Framed-IPv6-Prefix attribute
Martin Willi [Fri, 24 Feb 2012 10:15:11 +0000 (11:15 +0100)]
Encode IPv6 virtual IPs in a Framed-IPv6-Prefix attribute

8 years ago: Refactored construction of RADIUS accounting messages
Martin Willi [Fri, 24 Feb 2012 10:12:18 +0000 (11:12 +0100)]
Refactored construction of RADIUS accounting messages

8 years ago: Include port numbers in Calling-Station-Id, too
Martin Willi [Fri, 24 Feb 2012 09:48:54 +0000 (10:48 +0100)]
Include port numbers in Calling-Station-Id, too

8 years ago: Use large enough buffers for IPv6 addresses in Calling-Station-Id
Martin Willi [Fri, 24 Feb 2012 09:13:08 +0000 (10:13 +0100)]
Use large enough buffers for IPv6 addresses in Calling-Station-Id

8 years ago: Send client external address as Calling-Station-Id in RADIUS accounting
Martin Willi [Fri, 24 Feb 2012 09:04:31 +0000 (10:04 +0100)]
Send client external address as Calling-Station-Id in RADIUS accounting

8 years ago: added missing x character
Andreas Steffen [Tue, 21 Feb 2012 15:29:35 +0000 (16:29 +0100)]
added missing x character

8 years ago: handle case where subject = NULL but keyid is set (tag: 4.6.2)
Andreas Steffen [Mon, 20 Feb 2012 11:12:31 +0000 (12:12 +0100)]
handle case where subject = NULL but keyid is set

8 years ago: libtnccs is required by the eap_tnc plugin
Andreas Steffen [Mon, 20 Feb 2012 08:04:02 +0000 (09:04 +0100)]
libtnccs is required by the eap_tnc plugin

8 years ago: charon does not depend on libtncif any more but tnc_tnccs does
Andreas Steffen [Mon, 20 Feb 2012 07:00:48 +0000 (08:00 +0100)]
charon does not depend on libtncif any more but tnc_tnccs does

8 years ago: build libstrongswan if libimcv is built
Andreas Steffen [Thu, 16 Feb 2012 22:28:38 +0000 (23:28 +0100)]
build libstrongswan if libimcv is built

8 years ago: version bump to 4.6.2
Andreas Steffen [Wed, 15 Feb 2012 23:10:36 +0000 (00:10 +0100)]
version bump to 4.6.2

8 years ago: fixed attest sql query in list_measurements()
Andreas Steffen [Wed, 15 Feb 2012 22:13:05 +0000 (23:13 +0100)]
fixed attest sql query in list_measurements()

8 years ago: Compiler warnings fixed.
Tobias Brunner [Tue, 14 Feb 2012 15:09:44 +0000 (16:09 +0100)]
Compiler warnings fixed.

8 years ago: pluto: Print expiry time more properly.
Tobias Brunner [Tue, 14 Feb 2012 08:34:48 +0000 (09:34 +0100)]
pluto: Print expiry time more properly.

8 years ago: pluto: Drop support for legacy PSK format.
Tobias Brunner [Wed, 8 Feb 2012 12:36:32 +0000 (13:36 +0100)]
pluto: Drop support for legacy PSK format.

Any line in ipsec.secrets starting with " or ' was treated as PSK
without ID selectors by pluto.  This prevented it from supporting DNs
like "C=CH, O=Linux strongSwan, OU=Sales, CN=alice@strongswan.org" as
ID selectors.

PSKs defined in this legacy format can easily be updated by changing

"thisIsASecret"

into

: PSK "thisIsASecret"

8 years ago: completed imc/imv-attestation settings
Andreas Steffen [Tue, 7 Feb 2012 21:11:51 +0000 (22:11 +0100)]
completed imc/imv-attestation settings

8 years ago: adapted debug output check in openssl-ikev2/rw-eap-tls-only scenario
Andreas Steffen [Tue, 7 Feb 2012 19:31:09 +0000 (20:31 +0100)]
adapted debug output check in openssl-ikev2/rw-eap-tls-only scenario

8 years ago: Double check if a cached suite is available, overwrite any old suite state
Martin Willi [Tue, 7 Feb 2012 10:41:56 +0000 (11:41 +0100)]
Double check if a cached suite is available, overwrite any old suite state

8 years ago: Some Doxygen fixes.
Tobias Brunner [Tue, 7 Feb 2012 10:20:46 +0000 (11:20 +0100)]
Some Doxygen fixes.

8 years ago: Fix TLS EAP-MSK derivation, uses different order of randoms than key expansion
Martin Willi [Tue, 7 Feb 2012 09:50:02 +0000 (10:50 +0100)]
Fix TLS EAP-MSK derivation, uses different order of randoms than key expansion

8 years ago: Filter TLS suite MAC by HMAC algorithm, as the hash is not necessarily the same
Martin Willi [Tue, 7 Feb 2012 08:37:51 +0000 (09:37 +0100)]
Filter TLS suite MAC by HMAC algorithm, as the hash is not necessarily the same

8 years ago: open RADIUS accounting port in firewall
Andreas Steffen [Mon, 6 Feb 2012 19:45:21 +0000 (20:45 +0100)]
open RADIUS accounting port in firewall

8 years ago: added ikev2/rw-radius-accounting scenario
Andreas Steffen [Mon, 6 Feb 2012 11:52:48 +0000 (12:52 +0100)]
added ikev2/rw-radius-accounting scenario

8 years ago: Update usage for all children in RADIUS accounting just before sending Stop
Martin Willi [Mon, 6 Feb 2012 09:26:24 +0000 (10:26 +0100)]
Update usage for all children in RADIUS accounting just before sending Stop

8 years ago: Check if ClusterIP directory could be opened before enumerating it
Martin Willi [Fri, 3 Feb 2012 11:55:55 +0000 (12:55 +0100)]
Check if ClusterIP directory could be opened before enumerating it

8 years ago: version bump to 4.6.2rc1
Andreas Steffen [Sun, 5 Feb 2012 21:24:56 +0000 (22:24 +0100)]
version bump to 4.6.2rc1

8 years ago: ipsec attest adds and deletes key/component pairs
Andreas Steffen [Sun, 5 Feb 2012 21:23:45 +0000 (22:23 +0100)]
ipsec attest adds and deletes key/component pairs

8 years ago: check if TNC client has a valid and registered AIK
Andreas Steffen [Sun, 5 Feb 2012 18:37:58 +0000 (19:37 +0100)]
check if TNC client has a valid and registered AIK

8 years ago: reformulated some NEWS entries
Andreas Steffen [Fri, 3 Feb 2012 15:13:34 +0000 (16:13 +0100)]
reformulated some NEWS entries

8 years ago: added openssl-ikev2/ecdsa-pkcs8 scenario
Andreas Steffen [Fri, 3 Feb 2012 10:44:04 +0000 (11:44 +0100)]
added openssl-ikev2/ecdsa-pkcs8 scenario

8 years ago: added ikev2/rw-pkcs8 scenario
Andreas Steffen [Fri, 3 Feb 2012 10:10:13 +0000 (11:10 +0100)]
added ikev2/rw-pkcs8 scenario

8 years ago: version bump to 4.6.2dr4
Andreas Steffen [Thu, 2 Feb 2012 17:26:12 +0000 (18:26 +0100)]
version bump to 4.6.2dr4

8 years ago: Trigger DPD not before IKE_SA state gets updated
Martin Willi [Thu, 2 Feb 2012 09:33:40 +0000 (10:33 +0100)]
Trigger DPD not before IKE_SA state gets updated