strongswan.git
Tobias Brunner [Tue, 1 Dec 2009 17:17:37 +0000 (18:17 +0100)]
Adding support for AES GMAC (RFC4543).

Martin Willi [Tue, 9 Feb 2010 15:11:07 +0000 (16:11 +0100)] (tag: 4.3.6)
Do not build own authentication data before we've verified others; we need the other identity in EAP

Andreas Steffen [Sat, 6 Feb 2010 11:34:41 +0000 (12:34 +0100)]
hash-and-url avoids IP fragmentation, cert and crl fetch based on IPv6

Andreas Steffen [Sat, 6 Feb 2010 10:41:44 +0000 (11:41 +0100)]
generated hash-and-url files for rfc3779 certs

Andreas Steffen [Sat, 6 Feb 2010 10:39:33 +0000 (11:39 +0100)]
hash-and-url avoids IP fragmentation, cert and crl fetch based on IPv6

Andreas Steffen [Fri, 5 Feb 2010 19:39:13 +0000 (20:39 +0100)]
hash-and-url avoids IP fragmentation, cert and crl fetch based on IPv6

Andreas Steffen [Fri, 5 Feb 2010 19:27:03 +0000 (20:27 +0100)]
IPv6 fragment and http access are not needed in PSK scenario

Andreas Steffen [Fri, 5 Feb 2010 19:15:00 +0000 (20:15 +0100)]
hash-and-url avoids IP fragmentation, cert and crl fetch based on IPv6

Tobias Brunner [Fri, 5 Feb 2010 19:02:39 +0000 (20:02 +0100)]
Increased the buffer for netlink responses.

If an error occurs while manipulating policies in the kernel, the
original netlink request gets attached to the response.

Prior to Linux 2.6.32 the size in the netlink header of the response was
wrong.

Andreas Steffen [Fri, 5 Feb 2010 19:04:01 +0000 (20:04 +0100)]
IPv6 frag netfilter rule not needed anymore

Andreas Steffen [Fri, 5 Feb 2010 18:58:42 +0000 (19:58 +0100)]
hash-and-url avoids IP fragmentation, cert and crl fetch based on IPv6

Andreas Steffen [Fri, 5 Feb 2010 11:34:37 +0000 (12:34 +0100)]
initialize variables to avoid compiler warning

Martin Willi [Fri, 5 Feb 2010 08:25:00 +0000 (08:25 +0000)]
Use destination address of ppp interfaces as nexthop in starter's default route lookup

Andreas Steffen [Fri, 5 Feb 2010 05:17:02 +0000 (06:17 +0100)]
init_fetch() changed to fetch_initialize()

Andreas Steffen [Thu, 4 Feb 2010 09:05:44 +0000 (10:05 +0100)]
use static IPsec policy netfilter rules in MOBIKE scenarios

Andreas Steffen [Thu, 4 Feb 2010 07:53:52 +0000 (08:53 +0100)]
remove any charon.pid files remaining at the end of each scenario

Andreas Steffen [Wed, 3 Feb 2010 18:32:50 +0000 (19:32 +0100)]
IPSEC_ROUTING_TABLE is now called routing_table

Andreas Steffen [Wed, 3 Feb 2010 18:21:55 +0000 (19:21 +0100)]
differentiate between executed and displayed iptables commands

Martin Willi [Wed, 3 Feb 2010 10:04:18 +0000 (11:04 +0100)]
Use child_updown hook in updown plugin, fixes doubled invocation of down script

Andreas Steffen [Wed, 3 Feb 2010 09:28:30 +0000 (10:28 +0100)]
added ikev2/inactivity-timeout scenario

Andreas Steffen [Tue, 2 Feb 2010 18:44:34 +0000 (19:44 +0100)]
renamed init_fetch() to fetch_initialize()

Tobias Brunner [Tue, 15 Sep 2009 11:13:25 +0000 (13:13 +0200)]
Some whitespace and code cleanups concerning the mediation extension.

Tobias Brunner [Tue, 2 Feb 2010 14:17:09 +0000 (15:17 +0100)]
Join pluto's fetching thread instead of detaching it, in order to avoid the leak-detective reporting a memleak.

Andreas Steffen [Mon, 1 Feb 2010 11:44:44 +0000 (12:44 +0100)]
corrected captions

Andreas Steffen [Mon, 1 Feb 2010 11:29:32 +0000 (12:29 +0100)]
warn if loaded local certificate is invalid

Martin Willi [Wed, 27 Jan 2010 15:08:06 +0000 (16:08 +0100)]
Updated NEWS about per-connection inactivity timeout

Martin Willi [Wed, 27 Jan 2010 15:05:11 +0000 (16:05 +0100)]
Added an ipsec.conf "inactivity" option to configure inactivity timeout for CHILD_SAs

Martin Willi [Wed, 27 Jan 2010 14:47:08 +0000 (15:47 +0100)]
Made inactivity_timeout a per CHILD_SA config option

Martin Willi [Thu, 21 Jan 2010 13:43:07 +0000 (14:43 +0100)]
Refactored EAP payload, avoid unaligned word access

Martin Willi [Thu, 21 Jan 2010 13:42:08 +0000 (14:42 +0100)]
Added a METHOD2() macro that implements a method for two different interfaces

Martin Willi [Tue, 19 Jan 2010 15:47:21 +0000 (16:47 +0100)]
Support RADIUS messages up to 4096 bytes, RADIUS EAP-Message fragmentation

Martin Willi [Thu, 14 Jan 2010 11:00:43 +0000 (12:00 +0100)]
Support TLS client authentication Extended Key Usage in x509 generation

Tobias Brunner [Tue, 12 Jan 2010 10:52:03 +0000 (11:52 +0100)]
Block the signals before the call to sigwait.

Martin Willi [Tue, 12 Jan 2010 09:16:34 +0000 (10:16 +0100)]
Support for closing CHILD/IKE_SA if a CHILD_SA is inactive.

Martin Willi [Mon, 11 Jan 2010 15:42:12 +0000 (16:42 +0100)]
Added strongswan.conf options to configure retransmission timeouts

Martin Willi [Mon, 11 Jan 2010 15:39:28 +0000 (16:39 +0100)]
Added a "double" getter to libstrongswan settings

Martin Willi [Mon, 11 Jan 2010 14:18:50 +0000 (15:18 +0100)]
Cast unaligned memcpy() args to char*, avoids over-optimization on ARM

See http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.faqs/ka3934.html

Andreas Steffen [Mon, 11 Jan 2010 10:20:45 +0000 (11:20 +0100)]
added ikev2/rw-eap-sim-only-radius scenario

Andreas Steffen [Mon, 11 Jan 2010 10:17:40 +0000 (11:17 +0100)]
log EAP-only authentication proposal

Andreas Steffen [Sun, 10 Jan 2010 23:54:33 +0000 (00:54 +0100)]
send strongSwan Vendor ID in ikev2/alg-sha256-96 scenario

Andreas Steffen [Sun, 10 Jan 2010 23:43:46 +0000 (00:43 +0100)]
pluto and charon are using the same strongSwan Vendor ID

Martin Willi [Thu, 7 Jan 2010 15:16:22 +0000 (16:16 +0100)]
Added NEWS about mutual EAP-only authentication

Martin Willi [Thu, 7 Jan 2010 14:56:11 +0000 (15:56 +0100)]
EAP-MSCHAPv2 is indeed mutual, but is prone to MITM dictionary attacks

Martin Willi [Thu, 7 Jan 2010 14:51:30 +0000 (15:51 +0100)]
Support EAP-only authentication for mutual and key deriving EAP methods

Martin Willi [Thu, 7 Jan 2010 13:30:28 +0000 (14:30 +0100)]
Indicate and detect support for EAP-only authentication

Martin Willi [Thu, 7 Jan 2010 10:14:33 +0000 (11:14 +0100)]
Added NEWS for the new Vendor ID requirement for private use allocations

Martin Willi [Thu, 7 Jan 2010 10:07:53 +0000 (11:07 +0100)]
Match to private use algorithms only if we know we are talking to strongSwan

Martin Willi [Thu, 7 Jan 2010 09:37:38 +0000 (09:37 +0000)]
Interpret private use BEET mode notify only if we know we are talking to strongSwan

Martin Willi [Thu, 7 Jan 2010 09:26:58 +0000 (10:26 +0100)]
Add an option to send a vendor ID, allows us to properly support private extensions

Andreas Steffen [Thu, 7 Jan 2010 06:49:16 +0000 (07:49 +0100)]
added some recent new attributes registered with IANA

Andreas Steffen [Thu, 31 Dec 2009 14:13:35 +0000 (15:13 +0100)]
ipsec pki --self|issue supports --pathlen option setting a path length constraint

Andreas Steffen [Wed, 30 Dec 2009 22:32:03 +0000 (23:32 +0100)]
make error message about missing MD4 hasher more explicit

Andreas Steffen [Wed, 30 Dec 2009 20:34:59 +0000 (21:34 +0100)]
differentiate EAP method initialization errors

Andreas Steffen [Sat, 26 Dec 2009 16:13:53 +0000 (17:13 +0100)]
removed charon-specific load statement in pluto scenario

Tobias Brunner [Sat, 26 Dec 2009 14:49:15 +0000 (15:49 +0100)]
Pluto's fetcher thread is now created via libstrongswan.

Andreas Steffen [Fri, 25 Dec 2009 10:01:30 +0000 (11:01 +0100)]
added RFC 3779 CA

Andreas Steffen [Fri, 25 Dec 2009 09:58:06 +0000 (10:58 +0100)]
added three RFC 3779 scenarios

Andreas Steffen [Fri, 25 Dec 2009 08:10:44 +0000 (09:10 +0100)]
Added RFC 3779 support to NEWS

Andreas Steffen [Fri, 25 Dec 2009 00:58:20 +0000 (01:58 +0100)]
enforce RFC 3779 address constraints on traffic selectors

Tobias Brunner [Wed, 23 Dec 2009 16:15:28 +0000 (17:15 +0100)]
Adapted the load_tester kernel-interface to the changes introduced in 6ec949e02.

Tobias Brunner [Wed, 23 Dec 2009 10:30:41 +0000 (11:30 +0100)]
Added some IPv6 tweaks for Android.

Android 1.6 does not yet support the Advanced Sockets API for IPv6 as defined in
RFC 3542. Also, in6addr_any is missing.

Tobias Brunner [Tue, 22 Dec 2009 12:59:32 +0000 (13:59 +0100)]
Semicolon removed.

Tobias Brunner [Tue, 22 Dec 2009 12:36:46 +0000 (13:36 +0100)]
According to the man page (and the header files in Android) prctl takes a total of 5 arguments.

Tobias Brunner [Tue, 22 Dec 2009 09:51:11 +0000 (10:51 +0100)]
Added a workaround for the missing pthread_cancel on Android.

Tobias Brunner [Mon, 21 Dec 2009 16:03:33 +0000 (17:03 +0100)]
Use pthread_cond_timedwait_monotonic on Android.

Tobias Brunner [Mon, 21 Dec 2009 13:09:09 +0000 (14:09 +0100)]
Cache queue locking in credential manager corrected.

Tobias Brunner [Mon, 21 Dec 2009 12:42:48 +0000 (13:42 +0100)]
Join worker threads when destroying the processor.

Tobias Brunner [Thu, 17 Dec 2009 17:30:15 +0000 (18:30 +0100)]
Callback job refactored and fixed.

Tobias Brunner [Thu, 17 Dec 2009 15:00:14 +0000 (16:00 +0100)]
Whitespace cleanup.

Tobias Brunner [Thu, 17 Dec 2009 14:58:46 +0000 (15:58 +0100)]
Re-adding changes that got lost during refactoring/rebasing.

Tobias Brunner [Thu, 17 Dec 2009 14:58:12 +0000 (15:58 +0100)]
Using the thread wrapper in charon, libstrongswan and their plugins.

Tobias Brunner [Thu, 17 Dec 2009 14:28:23 +0000 (15:28 +0100)]
Adding an object-oriented wrapper for thread-specific values.

Tobias Brunner [Thu, 17 Dec 2009 14:25:37 +0000 (15:25 +0100)]
Adding an object-oriented wrapper for threads.

Tobias Brunner [Thu, 10 Dec 2009 10:08:01 +0000 (11:08 +0100)]
Check if libpthread is required or not.

Tobias Brunner [Tue, 8 Dec 2009 17:24:40 +0000 (18:24 +0100)]
Check for pthread_condattr_init added to configure script.

Tobias Brunner [Tue, 8 Dec 2009 16:06:04 +0000 (17:06 +0100)]
Generating the apidoc in an out-of-tree build fixed.

Tobias Brunner [Tue, 8 Dec 2009 16:55:37 +0000 (17:55 +0100)]
Moved implementation of condvar_t to mutex.c because it requires access to private_mutex_t.

Tobias Brunner [Tue, 8 Dec 2009 15:53:01 +0000 (16:53 +0100)]
Separated the public interfaces of the threading primitives.

Tobias Brunner [Tue, 8 Dec 2009 13:06:11 +0000 (14:06 +0100)]
Implemented a read-write lock using only mutex_t and condvar_t (in case the pthread_rwlock_* group of functions is not available).

Tobias Brunner [Mon, 7 Dec 2009 16:26:39 +0000 (17:26 +0100)]
Threading primitives separated.

Tobias Brunner [Mon, 7 Dec 2009 14:56:04 +0000 (15:56 +0100)]
Moved mutex.c to a separate folder in order to cleanly wrap other threading primitives (and utils/mutex.h is now threading.h).

Andreas Steffen [Wed, 23 Dec 2009 13:17:28 +0000 (14:17 +0100)]
verify RFC3779 IP address blocks along X.509 certificate trust chain

Martin Willi [Wed, 23 Dec 2009 12:08:42 +0000 (13:08 +0100)]
Fixed untoh32 function

Andreas Steffen [Tue, 22 Dec 2009 16:07:08 +0000 (17:07 +0100)]
do not recalculate netbits for true subnets

Andreas Steffen [Tue, 22 Dec 2009 12:18:27 +0000 (13:18 +0100)]
X509_IP_ADDR_BLOCKS flag signals the presence of an ipAddrBlock certificate extension

Andreas Steffen [Tue, 22 Dec 2009 10:58:30 +0000 (11:58 +0100)]
added create_ipAddrBlock_enumerator() method to x509_t

Andreas Steffen [Tue, 22 Dec 2009 08:53:53 +0000 (09:53 +0100)]
cosmetics

Andreas Steffen [Mon, 21 Dec 2009 23:49:23 +0000 (00:49 +0100)]
fixed IPv6 bug in calc_range()

Andreas Steffen [Mon, 21 Dec 2009 22:03:14 +0000 (23:03 +0100)]
fixed initialization of netbits

Andreas Steffen [Mon, 21 Dec 2009 21:28:08 +0000 (22:28 +0100)]
fixed distribution list

Andreas Steffen [Mon, 21 Dec 2009 20:28:45 +0000 (21:28 +0100)]
traffic_selector supports RFC 3779 address range format

Martin Willi [Mon, 21 Dec 2009 14:23:34 +0000 (15:23 +0100)]
Migrated identification_t to INIT/METHOD macros

Andreas Steffen [Sun, 20 Dec 2009 19:01:18 +0000 (20:01 +0100)]
this->type is set by traffic_selector_create()

Andreas Steffen [Sun, 20 Dec 2009 18:26:28 +0000 (19:26 +0100)]
parse RFC 3779 addressFamily

Andreas Steffen [Sun, 20 Dec 2009 15:01:35 +0000 (16:01 +0100)]
plugin name is x509

Andreas Steffen [Sun, 20 Dec 2009 14:53:39 +0000 (15:53 +0100)]
discard certificate with unknown critical extensions

Andreas Steffen [Sun, 20 Dec 2009 14:15:02 +0000 (15:15 +0100)]
use traffic_selector_t object to represent ipAddrBlocks

Andreas Steffen [Sun, 20 Dec 2009 13:57:38 +0000 (14:57 +0100)]
moved traffic_selectors from charon to libstrongswan

Andreas Steffen [Thu, 17 Dec 2009 18:43:33 +0000 (19:43 +0100)]
firewall-enabled ipv6/net2net-ip6-in-ip4-ikev2 scenario

Andreas Steffen [Thu, 17 Dec 2009 17:50:45 +0000 (18:50 +0100)]
firewall-enabled ipv6/net2net-ip4-in-ip6-ikev2 scenario