strongswan.git
Added PKCS#11 token plugin stub
Martin Willi [Tue, 13 Jul 2010 15:34:34 +0000 (17:34 +0200)]

added ikev2/rw-eap-tls-only scenario
Andreas Steffen [Wed, 4 Aug 2010 06:36:27 +0000 (08:36 +0200)]

--enable eap-tls and --disable-load-warning in uml build
Andreas Steffen [Wed, 4 Aug 2010 05:47:08 +0000 (07:47 +0200)]

test_cert adapted to extended signature of get_encoding().
Tobias Brunner [Tue, 3 Aug 2010 16:59:27 +0000 (18:59 +0200)]

Fixed compiler warnings.
Tobias Brunner [Tue, 3 Aug 2010 16:59:12 +0000 (18:59 +0200)]

Moved TLS stack to its own library
Martin Willi [Tue, 3 Aug 2010 13:17:40 +0000 (15:17 +0200)]

Moved eap-tls plugin to libcharon, updated to 4.4.1 APIs
Martin Willi [Fri, 19 Mar 2010 17:55:23 +0000 (18:55 +0100)]

Implemented EAP-TLS server functionality
Martin Willi [Tue, 9 Feb 2010 17:19:25 +0000 (18:19 +0100)]

TLS stack keeps a copy of server/peer identities
Martin Willi [Tue, 9 Feb 2010 13:57:50 +0000 (14:57 +0100)]

Limit the number of EAP-TLS packets allowed
Martin Willi [Tue, 9 Feb 2010 11:53:42 +0000 (12:53 +0100)]

Use stricter state handling while processing TLS messages
Martin Willi [Tue, 9 Feb 2010 11:37:29 +0000 (12:37 +0100)]

Cleaned up the public TLS interface
Martin Willi [Fri, 5 Feb 2010 13:39:19 +0000 (13:39 +0000)]

Refactored commonly used operations into TLS crypto helper
Martin Willi [Fri, 5 Feb 2010 13:25:38 +0000 (14:25 +0100)]

Properly send empty EAP-TLS messages
Martin Willi [Fri, 5 Feb 2010 11:30:01 +0000 (11:30 +0000)]

Derive MSK for EAP-TLS authentication
Martin Willi [Fri, 5 Feb 2010 11:28:48 +0000 (11:28 +0000)]

Verify Server Finished message
Martin Willi [Fri, 5 Feb 2010 11:27:52 +0000 (11:27 +0000)]

Implemented input record decryption and verification
Martin Willi [Fri, 5 Feb 2010 10:50:29 +0000 (10:50 +0000)]

Implemented key derivation, output record signing and encryption
Martin Willi [Thu, 4 Feb 2010 17:18:10 +0000 (18:18 +0100)]

Derive master secret, create Finished message
Martin Willi [Thu, 4 Feb 2010 10:17:48 +0000 (11:17 +0100)]

Implemented the TLS specific PRF in its TLSv1.0 and TLSv1.2 variants
Martin Willi [Thu, 4 Feb 2010 09:08:07 +0000 (10:08 +0100)]

Implemented sending of Certificate, ClientKeyExchange, CertificateVerify and ChangeCipherSpec as peer
Martin Willi [Wed, 3 Feb 2010 18:53:40 +0000 (19:53 +0100)]

Implemented a tls_writer class to simplify TLS data generation
Martin Willi [Mon, 1 Feb 2010 14:12:18 +0000 (15:12 +0100)]

Implemented a tls_reader class to simplify TLS data parsing
Martin Willi [Mon, 1 Feb 2010 10:25:44 +0000 (10:25 +0000)]

Process ServerHello(Done), Certificate(Request) messages
Martin Willi [Mon, 25 Jan 2010 16:31:55 +0000 (17:31 +0100)]

Send a ClientHello to start TLS negotiation
Martin Willi [Mon, 25 Jan 2010 11:23:59 +0000 (11:23 +0000)]

Added TLS crypto helper, currently supports cipher suite selection
Martin Willi [Mon, 25 Jan 2010 11:21:57 +0000 (11:21 +0000)]

Added support for AUTH_HMAC_SHA2_256_256, used in TLS
Martin Willi [Mon, 25 Jan 2010 11:15:05 +0000 (11:15 +0000)]

Added stubs for handshake handling, server and peer variants
Martin Willi [Mon, 25 Jan 2010 09:44:35 +0000 (10:44 +0100)]

Accept follow-up fragments with a TLS message length
Martin Willi [Mon, 25 Jan 2010 09:42:44 +0000 (10:42 +0100)]

Added dummy/identity implementations of the different TLS record layers
Martin Willi [Fri, 22 Jan 2010 16:24:17 +0000 (17:24 +0100)]

Pass TLS records to newly introduced TLS stack
Martin Willi [Fri, 22 Jan 2010 14:35:29 +0000 (15:35 +0100)]

Added some TLS constants
Martin Willi [Thu, 21 Jan 2010 14:11:38 +0000 (15:11 +0100)]

(De-)fragment EAP-TLS packets, pass TLS records to upper layer
Martin Willi [Thu, 21 Jan 2010 13:39:39 +0000 (14:39 +0100)]

Added EAP-TLS plugin stub
Martin Willi [Mon, 11 Jan 2010 13:21:58 +0000 (14:21 +0100)]

Do not touch child from collision if peer deleted it
Thomas Egerer [Mon, 2 Aug 2010 14:46:29 +0000 (16:46 +0200)]

substitute obsolete function calls (bzero/index)
Waldemar Brodkorb [Sun, 1 Aug 2010 19:20:15 +0000 (21:20 +0200)]

delete tarball files
Andreas Steffen [Fri, 30 Jul 2010 20:27:41 +0000 (22:27 +0200)]

version bump to 4.4.2
Andreas Steffen [Fri, 30 Jul 2010 20:26:14 +0000 (22:26 +0200)]

The va_list trick does not seem to be portable, revert dots-in-section fix (tag: 4.4.1)
Martin Willi [Fri, 30 Jul 2010 08:57:59 +0000 (10:57 +0200)]

This reverts commit 8f50d06c354cd31fc295afc5598afff4096b5e77.

Fix segfault on 'ipsec stroke up ]' command
Thomas Egerer [Thu, 29 Jul 2010 11:03:01 +0000 (13:03 +0200)]

Fixed settings lookup if the section/key contains dots
Martin Willi [Thu, 29 Jul 2010 10:00:21 +0000 (12:00 +0200)]

Added NEWS for snprintf() fixes
Martin Willi [Wed, 28 Jul 2010 09:06:49 +0000 (11:06 +0200)]

Fix use of snprintf() in pluto subjectAltName enumeration
Martin Willi [Fri, 18 Jun 2010 07:15:45 +0000 (09:15 +0200)]

Fix use of snprintf() in IETF attributes to string conversion
Martin Willi [Fri, 18 Jun 2010 07:18:49 +0000 (09:18 +0200)]

Fix use of snprintf() in identification DN to ASCII conversion
Martin Willi [Fri, 18 Jun 2010 07:18:27 +0000 (09:18 +0200)]

More NEWS for HA functionality
Martin Willi [Wed, 28 Jul 2010 08:49:58 +0000 (10:49 +0200)]

Implemented a HA enabled in-memory address pool
Martin Willi [Wed, 28 Jul 2010 07:51:41 +0000 (09:51 +0200)]

Added a function to segmentate a generic integer
Martin Willi [Wed, 28 Jul 2010 07:43:53 +0000 (09:43 +0200)]

added NETMAP rules for the reverse direction
Andreas Steffen [Tue, 27 Jul 2010 19:16:44 +0000 (21:16 +0200)]

fixed description of ikev2/net2net-same-nets scenario
Andreas Steffen [Tue, 27 Jul 2010 18:49:48 +0000 (20:49 +0200)]

Reserving does not work, as our pools do not support acquiring arbitrary addresses
Martin Willi [Tue, 27 Jul 2010 10:05:39 +0000 (12:05 +0200)]

This reverts commit d1384080b3ba74f366eaf8b5f027babca3f5d607.

Mem pool does not support multiple leases for an identity
Martin Willi [Tue, 27 Jul 2010 07:54:27 +0000 (09:54 +0200)]

Flush any remaining cache state if an IKE_SA goes down
Martin Willi [Tue, 27 Jul 2010 07:18:06 +0000 (09:18 +0200)]

Added NEWS related to HA functionality
Martin Willi [Mon, 26 Jul 2010 13:17:19 +0000 (15:17 +0200)]

Synchronize EAP-Identity of remote peer
Martin Willi [Mon, 26 Jul 2010 13:10:54 +0000 (15:10 +0200)]

Reserve virtual IP of passive IKE_SAs in the local pool
Martin Willi [Mon, 26 Jul 2010 13:01:24 +0000 (15:01 +0200)]

Added strongswan.conf options for HA heartbeat
Martin Willi [Mon, 26 Jul 2010 12:30:19 +0000 (14:30 +0200)]

Log CHILD_SA segment responsibility
Martin Willi [Mon, 26 Jul 2010 11:49:35 +0000 (13:49 +0200)]

Pass initiator parameter to distinguish between original and exchange initiator
Martin Willi [Mon, 26 Jul 2010 10:07:38 +0000 (12:07 +0200)]

Pass the CREATE_CHILD_SA initiator flag to the child_keys parameter
Martin Willi [Mon, 26 Jul 2010 10:05:04 +0000 (12:05 +0200)]

Use a sync message cache to resynchronize IKE_SAs without rekeying
Martin Willi [Thu, 22 Jul 2010 16:54:35 +0000 (18:54 +0200)]

Log received HA message types
Martin Willi [Thu, 22 Jul 2010 13:56:11 +0000 (15:56 +0200)]

Add enum names for HA message types
Martin Willi [Thu, 22 Jul 2010 13:55:08 +0000 (15:55 +0200)]

Delay resynchronization request until starter has loaded the configurations
Martin Willi [Thu, 22 Jul 2010 13:52:18 +0000 (13:52 +0000)]

Replaces in_segment() by a more generic get_segment() function
Martin Willi [Thu, 22 Jul 2010 12:38:05 +0000 (14:38 +0200)]

Use distinct message types for HA message ID updates
Martin Willi [Thu, 22 Jul 2010 11:20:18 +0000 (13:20 +0200)]

Migrated ha plugin to INIT/METHOD macros
Martin Willi [Thu, 22 Jul 2010 09:42:22 +0000 (11:42 +0200)]

added net2net-same-nets
Andreas Steffen [Sun, 25 Jul 2010 09:56:33 +0000 (11:56 +0200)]

Added NEWS for the eap-simaka-sql plugin
Martin Willi [Fri, 23 Jul 2010 14:02:28 +0000 (16:02 +0200)]

NEWS cosmetics
Andreas Steffen [Wed, 21 Jul 2010 19:43:43 +0000 (21:43 +0200)]

Multiple RADIUS server NEWS
Martin Willi [Wed, 21 Jul 2010 15:27:06 +0000 (17:27 +0200)]

Implemented support for multiple RADIUS servers
Martin Willi [Wed, 21 Jul 2010 15:06:00 +0000 (17:06 +0200)]

Migrated eap-radius plugin to INIT/METHOD macros
Martin Willi [Wed, 21 Jul 2010 07:15:32 +0000 (09:15 +0200)]

Added log statement if peer requests EAP, but current config does not allow it
Martin Willi [Wed, 21 Jul 2010 12:55:51 +0000 (14:55 +0200)]

remove the private updown scripts after use
Andreas Steffen [Sat, 17 Jul 2010 21:25:15 +0000 (23:25 +0200)]

minor fixes in the ikev2/rw-mark-in-out scenarios
Andreas Steffen [Sat, 17 Jul 2010 15:36:04 +0000 (17:36 +0200)]

updated NEWS
Andreas Steffen [Sat, 17 Jul 2010 15:25:01 +0000 (17:25 +0200)]

some reformulations
Andreas Steffen [Sat, 17 Jul 2010 15:19:26 +0000 (17:19 +0200)]

the ikev2/nat-two-rw-mark and ikev2/rw-mark-in-out scenarios use the PLUTO_MARK_IN and PLUTO_ESP_ENC variables in the mark_update script
Andreas Steffen [Sat, 17 Jul 2010 14:32:47 +0000 (16:32 +0200)]

documented the new PLUTO environment variables available in the updown script
Andreas Steffen [Sat, 17 Jul 2010 11:41:40 +0000 (13:41 +0200)]

in an ESP_IN_UDP situation make UDP port available in the updown script
Andreas Steffen [Sat, 17 Jul 2010 11:27:19 +0000 (13:27 +0200)]

fix html error in scenario description
Andreas Steffen [Sat, 17 Jul 2010 11:09:28 +0000 (13:09 +0200)]

make xfrm marks available in the updown scripts
Andreas Steffen [Sat, 17 Jul 2010 11:08:50 +0000 (13:08 +0200)]

check for mark changes in ipsec update
Andreas Steffen [Sat, 17 Jul 2010 07:13:48 +0000 (09:13 +0200)]

all x509 based sql scenarios require the revocation plugin
Andreas Steffen [Thu, 15 Jul 2010 21:19:52 +0000 (23:19 +0200)]

all x509 based pfkey scenarios require the revocation plugin
Andreas Steffen [Thu, 15 Jul 2010 21:17:37 +0000 (23:17 +0200)]

all x509 based p2pnat scenarios require the revocation plugin
Andreas Steffen [Thu, 15 Jul 2010 21:07:12 +0000 (23:07 +0200)]

all x509 based ipv6/*-ikev2 scenarios require the revocation plugin
Andreas Steffen [Thu, 15 Jul 2010 21:02:17 +0000 (23:02 +0200)]

all x509 based ike scenarios require the revocation plugin
Andreas Steffen [Thu, 15 Jul 2010 20:40:20 +0000 (22:40 +0200)]

all x509 based openssl-ikev2 scenarios require the revocation plugin
Andreas Steffen [Thu, 15 Jul 2010 20:33:05 +0000 (22:33 +0200)]

all x509 based gcrypt-ikev2 scenarios require the revocation plugin
Andreas Steffen [Thu, 15 Jul 2010 20:03:16 +0000 (22:03 +0200)]

all x509 based ikev2 scenarios require the revocation plugin
Andreas Steffen [Thu, 15 Jul 2010 19:39:01 +0000 (21:39 +0200)]

ikev2/net2net-psk-dscp does not need certificate support
Andreas Steffen [Thu, 15 Jul 2010 19:37:45 +0000 (21:37 +0200)]

add revocation plugin to ikev2/rw-cert scenario
Andreas Steffen [Thu, 15 Jul 2010 18:03:04 +0000 (20:03 +0200)]

Warn about manual plugin load directives for pluto/charon with --disable-load-warning compile option
Andreas Steffen [Thu, 15 Jul 2010 04:29:26 +0000 (06:29 +0200)]

Revert "Warn about manual plugin load directives for pluto/charon"
Martin Willi [Wed, 14 Jul 2010 05:15:56 +0000 (07:15 +0200)]

This reverts commit 5c46726d0d91db5b1fc4ea53326e73443133f22d.

activate --enable-addrblock configure option in UML scenarios
Andreas Steffen [Tue, 13 Jul 2010 19:04:20 +0000 (21:04 +0200)]

Warn about manual plugin load directives for pluto/charon
Martin Willi [Tue, 13 Jul 2010 12:43:45 +0000 (14:43 +0200)]

Remove plugin load directives from default strongswan.conf
Martin Willi [Tue, 13 Jul 2010 12:28:11 +0000 (14:28 +0200)]

Added NEWS about --signcrl and PEM support in pki utility
Martin Willi [Tue, 13 Jul 2010 12:18:19 +0000 (14:18 +0200)]