strongswan.git
Added a getter for CHILD_SA marks
Martin Willi [Wed, 21 Mar 2012 15:54:24 +0000 (16:54 +0100)]

Define a special XFRM mark_t.value that dynamically uses the CHILD_SA reqid
Martin Willi [Wed, 21 Mar 2012 14:41:45 +0000 (15:41 +0100)]

Reply with received configuration payload identifier in Mode Config
Martin Willi [Tue, 20 Mar 2012 17:06:29 +0000 (18:06 +0100)]

Merge branch 'ikev1-clean' into ikev1-master
Martin Willi [Tue, 20 Mar 2012 16:56:18 +0000 (17:56 +0100)]

Conflicts:
configure.in
man/ipsec.conf.5.in
src/libcharon/daemon.c
src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
src/libcharon/plugins/eap_radius/eap_radius_accounting.c
src/libcharon/plugins/eap_radius/eap_radius_forward.c
src/libcharon/plugins/farp/farp_listener.c
src/libcharon/sa/ike_sa.c
src/libcharon/sa/keymat.c
src/libcharon/sa/task_manager.c
src/libcharon/sa/trap_manager.c
src/libstrongswan/plugins/x509/x509_cert.c
src/libstrongswan/utils.h

Applied lost changes of moved files keymat.c and task_manager.c.
Updated listener_t.message hook signature in new plugins.

Properly handle retransmitted initial IKE messages.
Tobias Brunner [Thu, 8 Mar 2012 14:23:20 +0000 (15:23 +0100)]

This change allows us to properly handle retransmits of initial IKE
messages when we've already processed them (i.e. our response is now resent
immediately).

Implemented table of init hashes without linked_list_t.
Tobias Brunner [Thu, 1 Mar 2012 16:37:38 +0000 (17:37 +0100)]

Implemented table of connected peers without linked_list_t.
Tobias Brunner [Thu, 1 Mar 2012 16:24:44 +0000 (17:24 +0100)]

Implemented table of half open IKE_SAs without linked_list_t.
Tobias Brunner [Thu, 1 Mar 2012 15:34:45 +0000 (16:34 +0100)]

Don't use linked_list_t for buckets in main IKE_SA hash table.
Tobias Brunner [Thu, 1 Mar 2012 11:51:34 +0000 (12:51 +0100)]

Fixed deadlock if checkin_and_destroy is called during shutdown.
Tobias Brunner [Thu, 1 Mar 2012 11:52:17 +0000 (12:52 +0100)]

Do not clone hashes of initial IKE messages when storing them in the hash table.
Tobias Brunner [Thu, 1 Mar 2012 17:07:48 +0000 (18:07 +0100)]

Store IKEv2 IKE_SAs by local SPI in the IKE_SA manager hash table.
Tobias Brunner [Wed, 29 Feb 2012 17:17:50 +0000 (18:17 +0100)]

For IKEv1 the previous behavior of always using the initiator's SPI as
key is maintained.

Added separate hashtable for hashes of initial IKE messages.
Tobias Brunner [Wed, 29 Feb 2012 17:15:42 +0000 (18:15 +0100)]

This does not require us to do a lookup for an SA by SPI first.

chunk_equals_ptr added to compare chunks given as pointers.
Tobias Brunner [Wed, 29 Feb 2012 17:06:49 +0000 (18:06 +0100)]

Store the major IKE version on ike_sa_id_t.
Tobias Brunner [Wed, 29 Feb 2012 13:47:09 +0000 (14:47 +0100)]

Implemented handling of UNITY_LOAD_BALANCE as reauthentication.
Tobias Brunner [Fri, 2 Mar 2012 18:17:13 +0000 (19:17 +0100)]

Check if we actually have a packet before retransmitting it
Martin Willi [Tue, 21 Feb 2012 09:23:20 +0000 (10:23 +0100)]

Use a single set of FDs for all random plugin RNG instances
Martin Willi [Tue, 21 Feb 2012 09:22:48 +0000 (10:22 +0100)]

Parse IKEv1 Cisco Load Balancing notify (can't act on it yet).
Tobias Brunner [Fri, 3 Feb 2012 11:58:11 +0000 (12:58 +0100)]

Fixed transform numbering in IKEv1 proposal.
Tobias Brunner [Fri, 3 Feb 2012 11:56:30 +0000 (12:56 +0100)]

Compiler warning fixed.
Tobias Brunner [Fri, 3 Feb 2012 11:56:14 +0000 (12:56 +0100)]

Use correct enum values to detect three message tasks for retransmission
Martin Willi [Thu, 2 Feb 2012 09:49:19 +0000 (10:49 +0100)]

Trigger DPD not before IKE_SA state gets updated
Martin Willi [Thu, 2 Feb 2012 09:33:40 +0000 (10:33 +0100)]

Fix mapping of IKEv1 encapsulation mode
Martin Willi [Tue, 24 Jan 2012 12:31:37 +0000 (13:31 +0100)]

Use UDP encapsulation even in non-NAT situation if initiator requests it
Martin Willi [Mon, 23 Jan 2012 14:11:13 +0000 (15:11 +0100)]

Updated ipsec.conf man page for the use of IKEv1 with pluto
Martin Willi [Mon, 23 Jan 2012 13:35:57 +0000 (14:35 +0100)]

Support inactivity timeout in IKEv1 CHILD_SAs
Martin Willi [Mon, 23 Jan 2012 12:49:56 +0000 (13:49 +0100)]

Use a dedicated PRF for HASH/SIG payloads using ECDSA specific hasher
Martin Willi [Mon, 23 Jan 2012 11:46:46 +0000 (12:46 +0100)]

Select public key auth method by checking what key we have
Martin Willi [Mon, 23 Jan 2012 11:28:55 +0000 (12:28 +0100)]

Support ECDSA signatures in IKEv1 pubkey authenticator
Martin Willi [Mon, 23 Jan 2012 11:27:57 +0000 (12:27 +0100)]

Exchange certificates when using IKEv1 ECDSA authentication
Martin Willi [Mon, 23 Jan 2012 11:26:42 +0000 (12:26 +0100)]

Accept NULL auth_cfg_t passed to credential_manager_t.get_private()
Martin Willi [Mon, 23 Jan 2012 11:25:38 +0000 (12:25 +0100)]

Support encoding of IKEv1 ECDSA proposals
Martin Willi [Mon, 23 Jan 2012 11:25:00 +0000 (12:25 +0100)]

Dropped support of deprecated authby=eap and eap= options
Martin Willi [Fri, 20 Jan 2012 15:03:18 +0000 (16:03 +0100)]

Added support for authby/xauth_server legacy options
Martin Willi [Fri, 20 Jan 2012 14:33:26 +0000 (15:33 +0100)]

Renamed CONFIGURATION_ATTRIBUTE_LENGTH to streamline it with other ATTRIBUTE rules
Martin Willi [Fri, 20 Jan 2012 14:00:06 +0000 (15:00 +0100)]

Use ATTRIBUTE_VALUE rule in configuration attribute to parse it with correct length
Martin Willi [Fri, 20 Jan 2012 13:57:18 +0000 (14:57 +0100)]

Don't re-resolve addresses during initiate if they have already been set
Martin Willi [Fri, 20 Jan 2012 12:54:39 +0000 (13:54 +0100)]

Adopt children after syncing a rekeyed IKEv1 SA
Martin Willi [Fri, 20 Jan 2012 12:42:37 +0000 (13:42 +0100)]

Synchronize IKEv1 DPD sequence numbers
Martin Willi [Fri, 20 Jan 2012 11:23:46 +0000 (12:23 +0100)]

Setting message ID on task manager sets DPD sequence numbers in IKEv1
Martin Willi [Fri, 20 Jan 2012 11:22:56 +0000 (12:22 +0100)]

Update state before triggering DPD, as we cancel it if PASSIVE
Martin Willi [Fri, 20 Jan 2012 11:21:48 +0000 (12:21 +0100)]

Set thread specific SA on bus for each enumerated IKE_SA
Martin Willi [Fri, 20 Jan 2012 11:21:13 +0000 (12:21 +0100)]

Sync remote virtual IP for IKEv1 SAs
Martin Willi [Fri, 20 Jan 2012 10:36:26 +0000 (11:36 +0100)]

Sync new IKE_SA condition/extension flags
Martin Willi [Fri, 20 Jan 2012 10:23:27 +0000 (11:23 +0100)]

Added support for Phase1 IV synchronization to HA plugin
Martin Willi [Thu, 19 Jan 2012 15:34:59 +0000 (16:34 +0100)]

Invoke bus_t.message hook twice, once plain and parsed, once encoded and encrypted
Martin Willi [Thu, 19 Jan 2012 15:22:25 +0000 (16:22 +0100)]

Create IKEv1 keymat hasher explicitly on sync
Martin Willi [Thu, 19 Jan 2012 14:55:29 +0000 (15:55 +0100)]

Clear initiator flag when checking out initial IKEv1 SA from message
Martin Willi [Thu, 19 Jan 2012 14:54:38 +0000 (15:54 +0100)]

Added support to sync IKEv1 SAs key material in HA plugin
Martin Willi [Thu, 19 Jan 2012 10:11:22 +0000 (11:11 +0100)]

Pass IKEv1 specific keymat to ike_keys hook
Martin Willi [Wed, 18 Jan 2012 17:34:07 +0000 (18:34 +0100)]

Use a more complete implementation of a HA specific diffie_hellman_t
Martin Willi [Wed, 18 Jan 2012 17:24:48 +0000 (18:24 +0100)]

Show IKE version in ipsec statusall
Martin Willi [Wed, 18 Jan 2012 16:50:07 +0000 (17:50 +0100)]

Apply proposal to a HA synced IKE_SA
Martin Willi [Wed, 18 Jan 2012 16:49:52 +0000 (17:49 +0100)]

Set selected proposal on IKEv1 SA, don't pass it separately to Phase 1 helper
Martin Willi [Wed, 18 Jan 2012 16:42:06 +0000 (17:42 +0100)]

Updated HA plugin to new IKEv2 specific keymat functions
Martin Willi [Wed, 18 Jan 2012 16:24:31 +0000 (17:24 +0100)]

Get a reference for the child_cfg passed to child_create_create()
Martin Willi [Wed, 18 Jan 2012 16:24:08 +0000 (17:24 +0100)]

Invoke bus_t.narrow hook in quick mode exchange
Martin Willi [Wed, 18 Jan 2012 12:28:15 +0000 (13:28 +0100)]

Invoke authorization hooks for IKEv1 connections
Martin Willi [Wed, 18 Jan 2012 12:12:07 +0000 (13:12 +0100)]

Invoke ike_updown hooks for reauthenticated IKEv1 SAs
Martin Willi [Mon, 16 Jan 2012 15:47:18 +0000 (16:47 +0100)]

Don't invoke a child_updown hook when a quick mode to delete has been rekeyed
Martin Willi [Mon, 16 Jan 2012 15:18:01 +0000 (16:18 +0100)]

Invoke child_rekey hook instead of child_updown when rekeying a quick mode
Martin Willi [Mon, 16 Jan 2012 15:17:27 +0000 (16:17 +0100)]

Don't invoke updown hook when flushing SAs for IKEv1, tasks will do it
Martin Willi [Mon, 16 Jan 2012 14:57:46 +0000 (15:57 +0100)]

Fix "incoming" flag passed to bus_t.message() hook
Martin Willi [Mon, 16 Jan 2012 14:31:53 +0000 (15:31 +0100)]

Continue with next exchange after sending an INFORMATIONAL
Martin Willi [Fri, 13 Jan 2012 08:27:26 +0000 (09:27 +0100)]

Handle retransmission of DPD exchange, both as initiator and responder
Martin Willi [Tue, 10 Jan 2012 18:13:58 +0000 (19:13 +0100)]

Disable DPD checking for peers not supporting it
Martin Willi [Tue, 10 Jan 2012 16:40:07 +0000 (17:40 +0100)]

Added missing DPD task name
Martin Willi [Tue, 10 Jan 2012 16:28:25 +0000 (17:28 +0100)]

Confirm message reception time only if DPD sequence number valid
Martin Willi [Tue, 10 Jan 2012 16:26:42 +0000 (17:26 +0100)]

Simplified DPD handling by using a task for a single message only
Martin Willi [Tue, 10 Jan 2012 16:21:52 +0000 (17:21 +0100)]

Added missing short enum names for DPD notify types
Martin Willi [Tue, 10 Jan 2012 16:10:22 +0000 (17:10 +0100)]

Print IKEv1 notify types in message summary
Martin Willi [Tue, 10 Jan 2012 16:09:47 +0000 (17:09 +0100)]

Support IKEv1 notifies in message_t.get_notify()
Martin Willi [Tue, 10 Jan 2012 16:09:20 +0000 (17:09 +0100)]

Check if we have an RNG for IKEv1 task manager before using it
Martin Willi [Tue, 10 Jan 2012 15:02:46 +0000 (16:02 +0100)]

Remove unused DPD sequence number getter on task manager
Martin Willi [Tue, 10 Jan 2012 14:44:17 +0000 (15:44 +0100)]

Don't retransmit, rekey, reauth or DPD check SAs when in PASSIVE state
Martin Willi [Tue, 10 Jan 2012 12:32:06 +0000 (13:32 +0100)]

Send DPD vendor ID
Clavister OpenSource [Tue, 10 Jan 2012 13:38:01 +0000 (14:38 +0100)]

Isakmp_dpd task added.
Clavister OpenSource [Tue, 10 Jan 2012 13:37:39 +0000 (14:37 +0100)]

DPD_R_U_THERE defines added
Clavister OpenSource [Tue, 10 Jan 2012 13:31:51 +0000 (14:31 +0100)]

Request and handle retransmission of a lost third aggressive mode message
Martin Willi [Tue, 10 Jan 2012 10:37:06 +0000 (11:37 +0100)]

Streamlined debug output when initiating IKEv1 IKE_SAs
Martin Willi [Tue, 10 Jan 2012 10:23:04 +0000 (11:23 +0100)]

Accept unencrypted Aggressive Mode messages.
Tobias Brunner [Tue, 10 Jan 2012 09:58:29 +0000 (10:58 +0100)]

Racoon does not encrypt the third message during Aggressive Mode.

Enforce encapsulation mode of configuration, in case initiator proposes both
Martin Willi [Mon, 9 Jan 2012 17:12:17 +0000 (18:12 +0100)]

Added an "aggressive" ipsec.conf connection option
Martin Willi [Mon, 9 Jan 2012 16:44:43 +0000 (17:44 +0100)]

Handle aggressive mode task in IKEv1 task manager
Martin Willi [Mon, 9 Jan 2012 16:35:02 +0000 (16:35 +0000)]

Select IKEv1 configurations by main/aggressive mode option
Martin Willi [Mon, 9 Jan 2012 16:33:15 +0000 (16:33 +0000)]

Added an aggressive mode peer_cfg option
Martin Willi [Mon, 9 Jan 2012 16:32:41 +0000 (16:32 +0000)]

Fix sending of CERTREQ/CERT payloads in aggressive mode
Martin Willi [Mon, 9 Jan 2012 16:10:48 +0000 (17:10 +0100)]

Encrypt payloads of third aggressive mode message
Martin Willi [Mon, 9 Jan 2012 16:10:18 +0000 (17:10 +0100)]

Implemented aggressive mode using Phase 1 helper class
Martin Willi [Mon, 9 Jan 2012 16:09:38 +0000 (17:09 +0100)]

Make use of the new Phase 1 helper class in main mode
Martin Willi [Mon, 9 Jan 2012 16:05:16 +0000 (17:05 +0100)]

Implemented a common Phase 1 helper class to use by main and aggressive modes
Martin Willi [Mon, 9 Jan 2012 16:04:41 +0000 (17:04 +0100)]

Fix error handling if no PSK found for main mode
Martin Willi [Mon, 9 Jan 2012 12:41:35 +0000 (13:41 +0100)]

Install quick mode CHILD_SAs with negotiated encapsulation mode
Martin Willi [Thu, 5 Jan 2012 14:02:40 +0000 (15:02 +0100)]

Support IKEv1 proposal encodings having both lifebytes and a lifetime
Martin Willi [Wed, 4 Jan 2012 13:43:15 +0000 (14:43 +0100)]

Try to detect reauthentication as responder and adopt children to new SA
Martin Willi [Wed, 4 Jan 2012 16:51:22 +0000 (17:51 +0100)]

Destroy IKE_SA after reauthentication initiated and lifetime limit reached
Martin Willi [Wed, 4 Jan 2012 16:50:19 +0000 (17:50 +0100)]

Added an IKE_SA manager method to enumerate IKE_SA IDs filtered by identities
Martin Willi [Tue, 3 Jan 2012 15:23:37 +0000 (16:23 +0100)]

Query for XAuth identity in get_other_eap_id(), too
Martin Willi [Wed, 4 Jan 2012 16:32:41 +0000 (17:32 +0100)]

Set ISAKMP SA state to rekeying after triggering reauthentication
Martin Willi [Tue, 3 Jan 2012 13:47:44 +0000 (14:47 +0100)]