strongswan.git

Invoke bus_t.narrow hook in quick mode exchange
Martin Willi [Wed, 18 Jan 2012 12:28:15 +0000 (13:28 +0100)]

Invoke authorization hooks for IKEv1 connections
Martin Willi [Wed, 18 Jan 2012 12:12:07 +0000 (13:12 +0100)]

Invoke ike_updown hooks for reauthenticated IKEv1 SAs
Martin Willi [Mon, 16 Jan 2012 15:47:18 +0000 (16:47 +0100)]

Don't invoke a child_updown hook when a quick mode to delete has been rekeyed
Martin Willi [Mon, 16 Jan 2012 15:18:01 +0000 (16:18 +0100)]

Invoke child_rekey hook instead of child_updown when rekeying a quick mode
Martin Willi [Mon, 16 Jan 2012 15:17:27 +0000 (16:17 +0100)]

Don't invoke updown hook when flushing SAs for IKEv1, tasks will do it
Martin Willi [Mon, 16 Jan 2012 14:57:46 +0000 (15:57 +0100)]

Fix "incoming" flag passed to bus_t.message() hook
Martin Willi [Mon, 16 Jan 2012 14:31:53 +0000 (15:31 +0100)]

Continue with next exchange after sending an INFORMATIONAL
Martin Willi [Fri, 13 Jan 2012 08:27:26 +0000 (09:27 +0100)]

Handle retransmission of DPD exchange, both as initiator and responder
Martin Willi [Tue, 10 Jan 2012 18:13:58 +0000 (19:13 +0100)]

Disable DPD checking for peers not supporting it
Martin Willi [Tue, 10 Jan 2012 16:40:07 +0000 (17:40 +0100)]

Added missing DPD task name
Martin Willi [Tue, 10 Jan 2012 16:28:25 +0000 (17:28 +0100)]

Confirm message reception time only if DPD sequence number valid
Martin Willi [Tue, 10 Jan 2012 16:26:42 +0000 (17:26 +0100)]

Simplified DPD handling by using a task for a single message only
Martin Willi [Tue, 10 Jan 2012 16:21:52 +0000 (17:21 +0100)]

Added missing short enum names for DPD notify types
Martin Willi [Tue, 10 Jan 2012 16:10:22 +0000 (17:10 +0100)]

Print IKEv1 notify types in message summary
Martin Willi [Tue, 10 Jan 2012 16:09:47 +0000 (17:09 +0100)]

Support IKEv1 notifies in message_t.get_notify()
Martin Willi [Tue, 10 Jan 2012 16:09:20 +0000 (17:09 +0100)]

Check if we have an RNG for IKEv1 task manager before using it
Martin Willi [Tue, 10 Jan 2012 15:02:46 +0000 (16:02 +0100)]

Remove unused DPD sequence number getter on task manager
Martin Willi [Tue, 10 Jan 2012 14:44:17 +0000 (15:44 +0100)]

Don't retransmit, rekey, reauth or DPD check SAs when in PASSIVE state
Martin Willi [Tue, 10 Jan 2012 12:32:06 +0000 (13:32 +0100)]

Send DPD vendor ID
Clavister OpenSource [Tue, 10 Jan 2012 13:38:01 +0000 (14:38 +0100)]

Isakmp_dpd task added.
Clavister OpenSource [Tue, 10 Jan 2012 13:37:39 +0000 (14:37 +0100)]

DPD_R_U_THERE defines added
Clavister OpenSource [Tue, 10 Jan 2012 13:31:51 +0000 (14:31 +0100)]

Request and handle retransmission of a lost third aggressive mode message
Martin Willi [Tue, 10 Jan 2012 10:37:06 +0000 (11:37 +0100)]

Streamlined debug output when initiating IKEv1 IKE_SAs
Martin Willi [Tue, 10 Jan 2012 10:23:04 +0000 (11:23 +0100)]

Accept unencrypted Aggressive Mode messages.
Tobias Brunner [Tue, 10 Jan 2012 09:58:29 +0000 (10:58 +0100)]

Racoon does not encrypt the third message during Aggressive Mode.

Enforce encapsulation mode of configuration, in case initiator proposes both
Martin Willi [Mon, 9 Jan 2012 17:12:17 +0000 (18:12 +0100)]

Added an "aggressive" ipsec.conf connection option
Martin Willi [Mon, 9 Jan 2012 16:44:43 +0000 (17:44 +0100)]

Handle aggressive mode task in IKEv1 task manager
Martin Willi [Mon, 9 Jan 2012 16:35:02 +0000 (16:35 +0000)]

Select IKEv1 configurations by main/aggressive mode option
Martin Willi [Mon, 9 Jan 2012 16:33:15 +0000 (16:33 +0000)]

Added an aggressive mode peer_cfg option
Martin Willi [Mon, 9 Jan 2012 16:32:41 +0000 (16:32 +0000)]

Fix sending of CERTREQ/CERT payloads in aggressive mode
Martin Willi [Mon, 9 Jan 2012 16:10:48 +0000 (17:10 +0100)]

Encrypt payloads of third aggressive mode message
Martin Willi [Mon, 9 Jan 2012 16:10:18 +0000 (17:10 +0100)]

Implemented aggressive mode using Phase 1 helper class
Martin Willi [Mon, 9 Jan 2012 16:09:38 +0000 (17:09 +0100)]

Make use of the new Phase 1 helper class in main mode
Martin Willi [Mon, 9 Jan 2012 16:05:16 +0000 (17:05 +0100)]

Implemented a common Phase 1 helper class for use by main and aggressive modes
Martin Willi [Mon, 9 Jan 2012 16:04:41 +0000 (17:04 +0100)]

Fix error handling if no PSK found for main mode
Martin Willi [Mon, 9 Jan 2012 12:41:35 +0000 (13:41 +0100)]

Install quick mode CHILD_SAs with negotiated encapsulation mode
Martin Willi [Thu, 5 Jan 2012 14:02:40 +0000 (15:02 +0100)]

Support IKEv1 proposal encodings having both lifebytes and a lifetime
Martin Willi [Wed, 4 Jan 2012 13:43:15 +0000 (14:43 +0100)]

Try to detect reauthentication as responder and adopt children to new SA
Martin Willi [Wed, 4 Jan 2012 16:51:22 +0000 (17:51 +0100)]

Destroy IKE_SA after reauthentication initiated and lifetime limit reached
Martin Willi [Wed, 4 Jan 2012 16:50:19 +0000 (17:50 +0100)]

Added an IKE_SA manager method to enumerate IKE_SA IDs filtered by identities
Martin Willi [Tue, 3 Jan 2012 15:23:37 +0000 (16:23 +0100)]

Query for XAuth identity in get_other_eap_id(), too
Martin Willi [Wed, 4 Jan 2012 16:32:41 +0000 (17:32 +0100)]

Set ISAKMP SA state to rekeying after triggering reauthentication
Martin Willi [Tue, 3 Jan 2012 13:47:44 +0000 (14:47 +0100)]

Include peer config overtime in negotiated ISAKMP SA lifetime
Martin Willi [Tue, 3 Jan 2012 12:33:18 +0000 (13:33 +0100)]

Initiate IKEv1 reauthentication, take over all children
Martin Willi [Tue, 3 Jan 2012 11:00:12 +0000 (12:00 +0100)]

Establish IKE_SA only once as XAuth responder
Martin Willi [Tue, 3 Jan 2012 10:59:21 +0000 (11:59 +0100)]

Support initiation of childless IKEv1 ISAKMP SAs
Martin Willi [Tue, 3 Jan 2012 10:58:40 +0000 (11:58 +0100)]

Don't trigger reauthentication if initiator authenticated using XAuth
Martin Willi [Tue, 3 Jan 2012 10:28:45 +0000 (11:28 +0100)]

Set a condition flag if peer has been authenticated using XAuth
Martin Willi [Tue, 3 Jan 2012 10:27:41 +0000 (11:27 +0100)]

Queue Mode Config tasks after main mode as initiator, not as responder
Martin Willi [Tue, 3 Jan 2012 10:57:35 +0000 (11:57 +0100)]

Setting Mode Cfg identifier for CFG_ACK messages.
Clavister OpenSource [Wed, 28 Dec 2011 23:06:12 +0000 (00:06 +0100)]

Add functions to set mode cfg identifier
Clavister OpenSource [Wed, 28 Dec 2011 23:05:04 +0000 (00:05 +0100)]

Try all matching XAuth secrets we find, not only the first one
Martin Willi [Mon, 2 Jan 2012 15:38:47 +0000 (16:38 +0100)]

Fixed create_shared_enumerator method description
Martin Willi [Mon, 2 Jan 2012 15:38:30 +0000 (16:38 +0100)]

As responder, try to reuse the reqid of the CHILD_SA the initiator is rekeying
Martin Willi [Mon, 2 Jan 2012 15:36:39 +0000 (16:36 +0100)]

Reply quick mode with the same SA lifetime that we received
Martin Willi [Mon, 2 Jan 2012 14:49:20 +0000 (15:49 +0100)]

Do not query CHILD_SA during delete if they already expired
Martin Willi [Mon, 2 Jan 2012 14:40:31 +0000 (15:40 +0100)]

Be less verbose when deleting SAs triggered by a hard expire
Martin Willi [Mon, 2 Jan 2012 14:39:16 +0000 (15:39 +0100)]

Implemented CHILD_SA rekeying
Martin Willi [Mon, 2 Jan 2012 13:27:10 +0000 (14:27 +0100)]

Don't return FAILED if a CHILD_SA to delete could not be found
Martin Willi [Mon, 2 Jan 2012 13:26:32 +0000 (14:26 +0100)]

Support installing of quick mode SAs with a specific reqid
Martin Willi [Mon, 2 Jan 2012 12:36:10 +0000 (13:36 +0100)]

Double check that we could select a TS as quick mode responder
Martin Willi [Thu, 22 Dec 2011 12:26:38 +0000 (13:26 +0100)]

Implemented responder retransmission, currently enabled for quick mode only
Martin Willi [Wed, 21 Dec 2011 16:08:08 +0000 (17:08 +0100)]

Queue IKEv1 INFORMATIONALS with higher priority to process notifies first
Martin Willi [Wed, 21 Dec 2011 14:02:02 +0000 (15:02 +0100)]

Accept IKEv1 INVALID_KE_INFORMATION notifies without data
Martin Willi [Wed, 21 Dec 2011 14:01:29 +0000 (15:01 +0100)]

Don't process notifies in quick mode task when we get an INFORMATIONAL
Martin Willi [Wed, 21 Dec 2011 13:39:05 +0000 (14:39 +0100)]

Always queue a new passive task when receiving an IKEv1 INFORMATIONAL
Martin Willi [Wed, 21 Dec 2011 13:38:36 +0000 (14:38 +0100)]

IKEv1 ATTRIBUTES_NOT_SUPPORTED error notify added.
Tobias Brunner [Wed, 21 Dec 2011 12:46:47 +0000 (13:46 +0100)]

Fixed leak of a hash when checking out by hash
Martin Willi [Wed, 21 Dec 2011 12:55:30 +0000 (13:55 +0100)]

Give a hint that decryption failed if payload length invalid
Martin Willi [Wed, 21 Dec 2011 12:54:40 +0000 (13:54 +0100)]

Cast keymat safely, not based on external input
Martin Willi [Wed, 21 Dec 2011 11:39:21 +0000 (12:39 +0100)]

Added a keymat_t version to cast it safely
Martin Willi [Wed, 21 Dec 2011 11:13:43 +0000 (12:13 +0100)]

Handle initiation of not supported IKE versions properly
Martin Willi [Wed, 21 Dec 2011 11:05:34 +0000 (12:05 +0100)]

Send a delete for every CHILD_SA before deleting IKE_SA
Martin Willi [Wed, 21 Dec 2011 09:53:05 +0000 (10:53 +0100)]

Set used auth_class in PSKv1 authenticator to comply with constraints
Martin Willi [Tue, 20 Dec 2011 18:20:51 +0000 (19:20 +0100)]

Fixed scheduling of IKEv2 init tasks in a second keyingtry
Martin Willi [Tue, 20 Dec 2011 18:08:29 +0000 (19:08 +0100)]

Don't requeue IKEv1 init tasks if they already exist in a second keyingtry
Martin Willi [Tue, 20 Dec 2011 18:03:12 +0000 (19:03 +0100)]

Use IPSEC DOI also for ISAKMP SA deletes.
Tobias Brunner [Tue, 20 Dec 2011 17:49:49 +0000 (18:49 +0100)]

Implemented resetting of IKEv1 task manager, enabling additional keyingtries
Martin Willi [Tue, 20 Dec 2011 17:02:01 +0000 (18:02 +0100)]

Fixed migration of NATD task
Martin Willi [Tue, 20 Dec 2011 17:01:25 +0000 (18:01 +0100)]

Implemented migration of quick mode task
Martin Willi [Tue, 20 Dec 2011 17:01:12 +0000 (18:01 +0100)]

Implemented migration of XAuth task
Martin Willi [Tue, 20 Dec 2011 17:00:57 +0000 (18:00 +0100)]

Implemented migration of certificate handling tasks
Martin Willi [Tue, 20 Dec 2011 17:00:03 +0000 (18:00 +0100)]

Implemented migration of Main Mode task
Martin Willi [Tue, 20 Dec 2011 16:59:45 +0000 (17:59 +0100)]

Check message version before processing it on an IKE_SA
Martin Willi [Tue, 20 Dec 2011 15:23:12 +0000 (16:23 +0100)]

Fix ike_version_t enum names
Martin Willi [Tue, 20 Dec 2011 15:22:56 +0000 (16:22 +0100)]

Accept NULL as keymat when generating a message
Martin Willi [Tue, 20 Dec 2011 15:07:00 +0000 (16:07 +0100)]

Send correct INVALID_MAJOR_VERSION when receiving packet with unsupported protocol
Martin Willi [Tue, 20 Dec 2011 12:19:52 +0000 (13:19 +0100)]

Drop IKEv1 main/aggressive modes if peer too aggressive
Martin Willi [Tue, 20 Dec 2011 12:24:43 +0000 (13:24 +0100)]

Added description for the xauth-eap plugin
Martin Willi [Tue, 20 Dec 2011 10:25:25 +0000 (11:25 +0100)]

Check if a config has been selected before narrowing selectors in quick mode
Martin Willi [Tue, 20 Dec 2011 10:15:15 +0000 (11:15 +0100)]

Added an XAuth plugin that forwards authentication to EAP methods
Martin Willi [Mon, 19 Dec 2011 19:21:02 +0000 (20:21 +0100)]

Added a flag to register local credential sets exclusively, disabling all others
Martin Willi [Mon, 19 Dec 2011 19:22:18 +0000 (20:22 +0100)]

Added missing XAuth plugin feature enum names
Martin Willi [Mon, 19 Dec 2011 17:55:41 +0000 (18:55 +0100)]

Added a TODO for creating IKE_SAs with unsupported protocol version
Martin Willi [Mon, 19 Dec 2011 14:50:31 +0000 (15:50 +0100)]

Don't accept IKEv2 packets if IKEv2 disabled
Martin Willi [Mon, 19 Dec 2011 14:45:03 +0000 (15:45 +0100)]

Don't include ikev1/ikev2 subfolders in build when using --disable-ikev1/ikev2
Martin Willi [Mon, 19 Dec 2011 14:28:55 +0000 (15:28 +0100)]

Moved eap/xauth classes out of protocol specific subdirectories
Martin Willi [Mon, 19 Dec 2011 14:22:50 +0000 (15:22 +0100)]

Removed obsolete task header inclusion in IKE_SA
Martin Willi [Mon, 19 Dec 2011 14:20:36 +0000 (15:20 +0100)]

Moved MOBIKE task creation to protocol specific task manager
Martin Willi [Mon, 19 Dec 2011 14:04:28 +0000 (15:04 +0100)]