strongswan.git
Thomas Egerer [Tue, 29 Jun 2010 06:53:05 +0000 (08:53 +0200)]
Migrate queued_tasks tasks, to avoid dangling pointers

Tobias Brunner [Mon, 28 Jun 2010 15:18:53 +0000 (17:18 +0200)]
The signature of keystore_get changed again.

With Android 2.2 (Froyo) the interface of keystore_get was changed once
again. The change was made to allow the keys to contain \0 characters.

Tobias Brunner [Thu, 24 Jun 2010 14:23:54 +0000 (16:23 +0200)]
Compiler warning fixed.

Andreas Steffen [Sun, 27 Jun 2010 20:26:00 +0000 (22:26 +0200)]
check for installed aead algorithms in kernel

Andreas Steffen [Sun, 27 Jun 2010 09:23:35 +0000 (11:23 +0200)]
upgraded xfrm.h to linux-2.6.34

Martin Willi [Thu, 24 Jun 2010 13:45:38 +0000 (15:45 +0200)]
Show contents of the CP payload in message_t stringification

Martin Willi [Thu, 24 Jun 2010 13:44:28 +0000 (15:44 +0200)]
Support the subnet attribute in the attr plugin

Tobias Brunner [Thu, 24 Jun 2010 12:44:45 +0000 (14:44 +0200)]
Increased the loglevel for the arguments received via Android control socket.

Tobias Brunner [Thu, 24 Jun 2010 12:05:53 +0000 (14:05 +0200)]
Terminate charon from the Android plugin if the tunnel goes down after it was initiated successfully.

Tobias Brunner [Thu, 24 Jun 2010 12:02:52 +0000 (14:02 +0200)]
Initiate the tunnel in the Android plugin asynchronously.

Also track its initiation using the registered listener.

Tobias Brunner [Thu, 24 Jun 2010 12:00:39 +0000 (14:00 +0200)]
Implement the listener_t interface in the Android plugin to track the status of an SA.

Tobias Brunner [Thu, 24 Jun 2010 11:57:03 +0000 (13:57 +0200)]
Helper function added to notify the Android frontend about status changes.

Tobias Brunner [Thu, 24 Jun 2010 11:42:57 +0000 (13:42 +0200)]
Initiate consumes a child_sa reference, so get an additional one.

Tobias Brunner [Thu, 24 Jun 2010 11:41:07 +0000 (13:41 +0200)]
Use the same error code constants as in the Java frontend.

Tobias Brunner [Thu, 24 Jun 2010 08:34:48 +0000 (10:34 +0200)]
Flush and destroy the send queue before unloading the socket plugins.

Martin Willi [Thu, 24 Jun 2010 10:00:56 +0000 (12:00 +0200)]
Select subjectAltName address family using address length in openssl plugin

Martin Willi [Thu, 24 Jun 2010 09:59:20 +0000 (11:59 +0200)]
Select subjectAltName address family using address length in x509 plugin

Tobias Brunner [Wed, 23 Jun 2010 09:19:37 +0000 (11:19 +0200)]
Do not install routes in the PF_KEY kernel interface if interface lookup failed.

Tobias Brunner [Tue, 22 Jun 2010 14:19:55 +0000 (16:19 +0200)]
The signature of keystore_get was changed with Android 2.x.

Tobias Brunner [Tue, 22 Jun 2010 14:18:22 +0000 (16:18 +0200)]
Avoid a segmentation fault if opening the Android control socket failed.

Tobias Brunner [Tue, 22 Jun 2010 14:15:10 +0000 (16:15 +0200)]
OpenSSL in Android 2.1+ lacks Elliptic Curve and ENGINE support.

Unfortunately, opensslconf.h was not changed accordingly.

Tobias Brunner [Tue, 22 Jun 2010 14:14:14 +0000 (16:14 +0200)]
Allow enabling the kernel-pfkey plugin via Android.mk.

Tobias Brunner [Tue, 22 Jun 2010 14:04:13 +0000 (16:04 +0200)]
Fixing the PF_KEY kernel interface on Android.

In Android's in.h, IPPROTO_COMP is not #defined but is just an enum member.

Tobias Brunner [Tue, 22 Jun 2010 09:33:21 +0000 (11:33 +0200)]
Fixing compilation of the OpenSSL plugin if ENGINE support is disabled.

That is, enable compilation if OpenSSL was configured with
OPENSSL_NO_ENGINE.

Tobias Brunner [Tue, 22 Jun 2010 09:28:50 +0000 (11:28 +0200)]
Fixing compilation of the OpenSSL plugin if Elliptic Curve support is disabled.

That is, enable compilation if OpenSSL was configured with
OPENSSL_NO_EC.

Martin Willi [Tue, 22 Jun 2010 07:16:04 +0000 (09:16 +0200)]
Ignore IKEv2 packets in pluto with any minor version

Martin Willi [Tue, 22 Jun 2010 07:03:41 +0000 (09:03 +0200)]
Accept IKE packets with any minor version in RAW socket

Tobias Brunner [Thu, 17 Jun 2010 16:09:34 +0000 (18:09 +0200)]
Fixed plugin checks in Android.mk files.

Heiko Hund [Fri, 18 Jun 2010 03:01:06 +0000 (05:01 +0200)]
Don't fail with an error if an attribute that is to be deleted does not exist

Tobias Brunner [Mon, 7 Jun 2010 13:33:25 +0000 (15:33 +0200)]
Fixed compiler warning.

Tobias Brunner [Tue, 11 May 2010 16:31:24 +0000 (18:31 +0200)]
Use vpn.dns* to store DNS servers (Android manages net.dns* using these).

Tobias Brunner [Tue, 4 May 2010 16:26:07 +0000 (18:26 +0200)]
Adding an interface that interacts with the Android Settings frontend.

Tobias Brunner [Tue, 4 May 2010 16:18:51 +0000 (18:18 +0200)]
Adding an Android specific credential set.

Tobias Brunner [Tue, 4 May 2010 16:13:27 +0000 (18:13 +0200)]
Adding an Android specific logger.

Tobias Brunner [Tue, 15 Jun 2010 17:40:44 +0000 (19:40 +0200)]
Adding support for the native Linux capabilities interface.

Note that this interface is deprecated and was mainly added to support
Android. Use libcap if possible.

Tobias Brunner [Tue, 15 Jun 2010 17:10:23 +0000 (19:10 +0200)]
Explicitly refer to LIBCAP in Makefiles.

Tobias Brunner [Tue, 4 May 2010 15:05:12 +0000 (17:05 +0200)]
Run as vpn user on Android.

Tobias Brunner [Tue, 15 Jun 2010 17:53:47 +0000 (19:53 +0200)]
Truncate the PID file so that even if we fail to unlink it, the daemon can be restarted properly.
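The truncate-then-unlink idea above, as an added example that is not strongSwan's code: the PID file is opened once and the descriptor kept, at shutdown it is emptied through that descriptor and only then unlinked, so a failed unlink (for instance after the daemon dropped privileges and no longer may write to the run directory) leaves an empty file behind, which the next start treats as "no instance running". The function names, the /tmp path, the error codes and the stale-PID check via kill(pid, 0) are my choices, not the project's; the self-test at the end builds its own temporary file.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Added example, not strongSwan code. Returns 1 if the PID file names a
 * live process, 0 if the file is absent, empty or stale, -1 on an I/O
 * error we cannot classify. */
static int pidfile_holds_live_pid(const char *path)
{
    char buf[32], *end;
    FILE *f = fopen(path, "r");
    if (!f) return errno == ENOENT ? 0 : -1;
    int n = fscanf(f, "%31s", buf);          /* empty file: n == EOF */
    fclose(f);
    if (n != 1) return 0;
    long pid = strtol(buf, &end, 10);
    if (*end || pid <= 0) return 0;          /* garbage: treat as stale */
    if (kill((pid_t)pid, 0) == 0) return 1;
    return errno == ESRCH ? 0 : 1;           /* EPERM: it exists, just not ours */
}

/* Start-up: refuse to run if another instance is alive, otherwise write
 * our PID and keep the descriptor for the whole lifetime of the daemon. */
static int pidfile_create(const char *path)
{
    if (pidfile_holds_live_pid(path) != 0) return -1;
    int fd = open(path, O_RDWR | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    char buf[32];
    int len = snprintf(buf, sizeof buf, "%ld\n", (long)getpid());
    if (write(fd, buf, (size_t)len) != len) { close(fd); return -1; }
    return fd;
}

/* Shutdown: truncate first, which works on the open descriptor regardless
 * of directory permissions, then try to unlink. A failed unlink is not an
 * error: the empty file is harmless to the next start. */
static int pidfile_release(int fd, const char *path)
{
    int rc = ftruncate(fd, 0);
    (void)unlink(path);   /* may fail after a privilege drop; that is fine */
    close(fd);
    return rc;
}

/* Walks the cases on a constructed temporary file; returns 0 on success,
 * otherwise the number of the step that failed. */
static int pidfile_selftest(void)
{
    char path[] = "/tmp/pidfile-example-XXXXXX";
    int rc = 0, fd = -1, tmp = mkstemp(path);
    if (tmp < 0) return 1;
    close(tmp);
    if (pidfile_holds_live_pid(path) != 0) rc = 2;         /* empty file: not live */
    if (!rc && (fd = pidfile_create(path)) < 0) rc = 3;    /* first instance starts */
    if (!rc && pidfile_create(path) != -1) rc = 4;         /* second instance refused */
    if (!rc && ftruncate(fd, 0) != 0) rc = 5;              /* what release does first */
    if (!rc && pidfile_holds_live_pid(path) != 0) rc = 6;  /* empty again: restart allowed */
    if (fd >= 0) pidfile_release(fd, path);
    if (!rc) {                                             /* stale PID: not live */
        FILE *f = fopen(path, "w");
        if (!f) rc = 7;
        else {
            fprintf(f, "%d\n", INT_MAX);                   /* no such process */
            fclose(f);
            if (pidfile_holds_live_pid(path) != 0) rc = 8;
        }
    }
    unlink(path);
    return rc;
}
```

The check-then-create in pidfile_create() is still racy between two instances started at the same moment; a real daemon would additionally take an exclusive lock on the descriptor (flock() or fcntl() F_SETLK) and hold it, which the kernel drops on exit regardless of what happens to the file.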

Tobias Brunner [Tue, 15 Jun 2010 08:57:12 +0000 (10:57 +0200)]
Explicitly include stdint.h for UINT64_MAX.

This is required on FreeBSD 8.

Tobias Brunner [Tue, 15 Jun 2010 08:07:43 +0000 (10:07 +0200)]
Check for SADB_X_NAT_T_NEW_MAPPING in PF_KEY kernel interface.

FreeBSD 8 does not support SADB_X_NAT_T_NEW_MAPPING whereas Linux and
the previous FreeBSD NAT-T patch both do.

Tobias Brunner [Fri, 14 May 2010 13:25:59 +0000 (15:25 +0200)]
Set the ports of all hosts installed via the PF_KEY kernel interface to zero.

Andreas Steffen [Wed, 9 Jun 2010 13:21:26 +0000 (15:21 +0200)]
refer to correct PLUTO_XAUTH_ID variable

Andreas Steffen [Tue, 8 Jun 2010 21:18:51 +0000 (23:18 +0200)]
rename environment variable to PLUTO_XAUTH_ID

Andreas Steffen [Tue, 8 Jun 2010 21:18:00 +0000 (23:18 +0200)]
do not destroy xauth_id if phase2 equals phase1 connection

Andreas Steffen [Tue, 8 Jun 2010 15:50:22 +0000 (17:50 +0200)]
make an optional XAUTH user ID available in the updown script

Heiko Hund [Tue, 8 Jun 2010 10:15:42 +0000 (12:15 +0200)]
inherit XAUTH identities in Phase 2

Tobias Brunner [Mon, 7 Jun 2010 14:39:49 +0000 (16:39 +0200)]
Adding a basic unit test for hashtable_t.

Tobias Brunner [Mon, 7 Jun 2010 14:36:26 +0000 (16:36 +0200)]
Adding a remove_at method to the hash table.

This allows removing key-value pairs while enumerating them.
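The remove-while-enumerating pattern above, as an added example that is not strongSwan's hashtable_t: a chained hash table whose enumerator remembers the link that points at the current entry (the bucket head or the predecessor's next pointer), so remove_at can unlink that entry and the next step of the walk lands on its successor instead of on freed memory. Names, the FNV-1a hash and the sample keys are mine; keys are not copied, which is fine for the string literals used here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not strongSwan code. */
typedef struct entry_t entry_t;
struct entry_t { const char *key; int value; entry_t *next; };
typedef struct { entry_t **buckets; size_t nbuckets; size_t count; } hashtable_t;
/* link: address of the pointer that points at cur; exactly what remove_at needs */
typedef struct { hashtable_t *t; size_t bucket; entry_t **link; entry_t *cur; } enumerator_t;

static size_t hash_key(const char *s, size_t nbuckets)
{
    uint32_t h = 2166136261u;                        /* FNV-1a, 32 bit */
    for (; *s; s++) { h ^= (uint8_t)*s; h *= 16777619u; }
    return h % nbuckets;
}

static hashtable_t *hashtable_create(size_t nbuckets)
{
    hashtable_t *t = malloc(sizeof *t);
    t->buckets = calloc(nbuckets, sizeof *t->buckets);
    t->nbuckets = nbuckets; t->count = 0;
    return t;
}

static void hashtable_put(hashtable_t *t, const char *key, int value)
{
    entry_t **link = &t->buckets[hash_key(key, t->nbuckets)];
    for (entry_t *e = *link; e; e = e->next)
        if (strcmp(e->key, key) == 0) { e->value = value; return; }
    entry_t *e = malloc(sizeof *e);
    e->key = key; e->value = value; e->next = *link;  /* prepend to chain */
    *link = e; t->count++;
}

static bool hashtable_get(const hashtable_t *t, const char *key, int *value)
{
    for (entry_t *e = t->buckets[hash_key(key, t->nbuckets)]; e; e = e->next)
        if (strcmp(e->key, key) == 0) { *value = e->value; return true; }
    return false;
}

static void enumerator_init(enumerator_t *e, hashtable_t *t)
{ e->t = t; e->bucket = 0; e->link = &t->buckets[0]; e->cur = NULL; }

static bool enumerator_next(enumerator_t *e, const char **key, int *value)
{
    if (e->cur) e->link = &e->cur->next;   /* cur still in table: step past it */
    while (*e->link == NULL) {             /* cur removed: *link is already the successor */
        if (++e->bucket >= e->t->nbuckets) { e->cur = NULL; return false; }
        e->link = &e->t->buckets[e->bucket];
    }
    e->cur = *e->link;
    *key = e->cur->key; *value = e->cur->value;
    return true;
}

/* Unlinks the entry the enumerator points at; the following
 * enumerator_next() continues with the entry after it. */
static void hashtable_remove_at(hashtable_t *t, enumerator_t *e)
{
    if (!e->cur) return;
    *e->link = e->cur->next;
    free(e->cur);
    e->cur = NULL;
    t->count--;
}

static void hashtable_destroy(hashtable_t *t)
{
    for (size_t i = 0; i < t->nbuckets; i++)
        for (entry_t *e = t->buckets[i], *n; e; e = n) { n = e->next; free(e); }
    free(t->buckets); free(t);
}

/* Drops every entry whose value is below threshold in a single walk;
 * returns the number of entries left. */
static size_t hashtable_remove_below(hashtable_t *t, int threshold)
{
    enumerator_t e; const char *k; int v;
    enumerator_init(&e, t);
    while (enumerator_next(&e, &k, &v))
        if (v < threshold) hashtable_remove_at(t, &e);
    return t->count;
}

/* Constructed sample: only two buckets, so chains form and removals hit
 * both bucket heads and interior entries. */
static hashtable_t *sample_table(void)
{
    hashtable_t *t = hashtable_create(2);
    hashtable_put(t, "alice", 5);  hashtable_put(t, "bob", 12);
    hashtable_put(t, "carol", 7);  hashtable_put(t, "dave", 30);
    hashtable_put(t, "erin", 1);
    return t;
}

/* Runs the sample end to end; returns 0 on success, else the failed step. */
static int hashtable_selftest(void)
{
    hashtable_t *t = sample_table();
    int v, rc = 0;
    if (t->count != 5) rc = 1;
    if (!rc && hashtable_remove_below(t, 10) != 2) rc = 2;
    if (!rc && !(hashtable_get(t, "bob", &v) && v == 12)) rc = 3;
    if (!rc && !(hashtable_get(t, "dave", &v) && v == 30)) rc = 4;
    if (!rc && (hashtable_get(t, "alice", &v) || hashtable_get(t, "erin", &v))) rc = 5;
    if (!rc && hashtable_remove_below(t, 100) != 0) rc = 6;   /* empty the table */
    enumerator_t e; const char *k;
    enumerator_init(&e, t);
    if (!rc && enumerator_next(&e, &k, &v)) rc = 7;           /* nothing left to walk */
    hashtable_destroy(t);
    return rc;
}
```

The invariant that makes this safe is that remove_at never touches the enumerator's position, only the pointer it refers to; a caller that inserts during the walk has no such guarantee, since hashtable_put prepends to chains the walk may already have passed.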

Tobias Brunner [Mon, 7 Jun 2010 13:50:41 +0000 (15:50 +0200)]
Migrated hashtable_t to INIT/METHOD macros.

Thomas Egerer [Sun, 6 Jun 2010 20:50:29 +0000 (22:50 +0200)]
Add extra information in debug output for IKE_SA check{out, in}

This output helps tracing checkout and checkin of IKE_SAs when there is
more than one IKE_SA with the same name. I also added the type of the
in-air exchange to the debug output issued by the task_manager in case
a task initiation is delayed; it came in handy for me.

Martin Willi [Mon, 7 Jun 2010 13:06:09 +0000 (15:06 +0200)]
traffic_selector_t has moved into libstrongswan; migrate printf hook registration, too.

Martin Willi [Mon, 7 Jun 2010 12:59:39 +0000 (14:59 +0200)]
Flush auth configs, create new keymat during SA reset

Martin Willi [Mon, 7 Jun 2010 12:58:57 +0000 (14:58 +0200)]
Recreate IKE_INIT/IKE_NATD/IKE_VENDOR tasks if we reset SA during IKE_AUTH

Martin Willi [Mon, 7 Jun 2010 12:56:24 +0000 (14:56 +0200)]
Reacquire keymat from new IKE_SA during task migration

Martin Willi [Mon, 7 Jun 2010 11:51:18 +0000 (13:51 +0200)]
Flush certificate cache on CA delete

Martin Willi [Mon, 7 Jun 2010 09:59:37 +0000 (11:59 +0200)]
Log non-empty task queues in statusall

Martin Willi [Mon, 7 Jun 2010 09:37:55 +0000 (11:37 +0200)]
Wrap task enumerator in ike_sa

Martin Willi [Mon, 7 Jun 2010 09:30:27 +0000 (09:30 +0000)]
Migrated ike_sa_t to INIT/METHOD macros

Martin Willi [Mon, 7 Jun 2010 08:45:25 +0000 (10:45 +0200)]
Added support for task enumeration in task_manager_t

Martin Willi [Mon, 7 Jun 2010 08:37:00 +0000 (10:37 +0200)]
Migrated task_manager_t to INIT/METHOD macros

Andreas Steffen [Sat, 5 Jun 2010 11:49:01 +0000 (13:49 +0200)]
use --addattr

Andreas Steffen [Sat, 5 Jun 2010 11:47:23 +0000 (13:47 +0200)]
use --addattr

Andreas Steffen [Sat, 5 Jun 2010 11:42:28 +0000 (13:42 +0200)]
added ikev2/nat-virtual-ip scenario

Andreas Steffen [Sat, 5 Jun 2010 11:36:39 +0000 (13:36 +0200)]
remove stray carolReq.pem

Andreas Steffen [Sat, 5 Jun 2010 11:17:51 +0000 (13:17 +0200)]
share pool in ikev1/mode-config-multiple scenario

Andreas Steffen [Sat, 5 Jun 2010 11:15:03 +0000 (13:15 +0200)]
use --addattr

Andreas Steffen [Sat, 5 Jun 2010 11:10:39 +0000 (13:10 +0200)]
remove stray scenario files

Martin Willi [Wed, 2 Jun 2010 08:05:43 +0000 (10:05 +0200)]
Accept ARP requests with an ethernet trailer, but trim it

Martin Willi [Wed, 2 Jun 2010 13:55:58 +0000 (15:55 +0200)]
Added a EAP-SIM/AKA backend reading triplets/quintuplets from a SQL database

Andreas Steffen [Wed, 2 Jun 2010 09:51:53 +0000 (11:51 +0200)]
fixed configuration attribute type determination

Martin Willi [Wed, 2 Jun 2010 09:43:39 +0000 (11:43 +0200)]
Disable close action for a redundant CHILD_SA resulting from a rekey collision

If a rekey collision is detected, the winning peer of the nonce compare
will delete the redundant CHILD_SA. The other peer should not enforce the
close action on this CHILD, as it would reestablish the redundant CHILD_SA.
Thanks to Thomas Egerer from secunet for pointing this out and the initial
patchset.
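The collision handling described in this commit and the two below it (wrapped getters for the close/dpd action that a collision handler can override), as an added example that is not strongSwan's code. It models a child_sa with a function-pointer getter for the close action, a nonce compare that decides which side deletes, and the DELETE processing on the other side: without the override, a CHILD_SA configured with closeaction=restart would be re-initiated the moment the peer's DELETE for the redundant SA arrives. Which side deletes is decided by the nonce compare; the example uses the rule of RFC 7296 section 2.8.1 as I read it (the exchange carrying the lowest of the four nonces loses and its initiator deletes the CHILD_SA it created), which is an assumption of the example rather than the commit's wording; the override matters on whichever side receives the DELETE. Type names, the action constants and the sample nonces are mine.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not strongSwan code. */
typedef enum { ACTION_NONE = 0, ACTION_ROUTE = 1, ACTION_RESTART = 2 } action_t;

/* Stand-in for a CHILD_SA: the close action is read through a wrapped
 * getter so that a collision handler can override it per SA. */
typedef struct child_sa child_sa_t;
struct child_sa {
    const char *name;
    action_t configured_close_action;                 /* from configuration */
    action_t (*get_close_action)(child_sa_t *this);   /* wrapped getter */
};

static action_t get_close_action_default(child_sa_t *this)
{ return this->configured_close_action; }

/* Override installed on the redundant CHILD_SA of a lost rekey collision. */
static action_t get_close_action_none(child_sa_t *this)
{ (void)this; return ACTION_NONE; }

static void child_sa_init(child_sa_t *c, const char *name, action_t close_action)
{ c->name = name; c->configured_close_action = close_action; c->get_close_action = get_close_action_default; }

/* Lexicographic compare of two nonces of possibly different length. */
static int nonce_cmp(const uint8_t *a, size_t alen, const uint8_t *b, size_t blen)
{
    size_t n = alen < blen ? alen : blen;
    int r = memcmp(a, b, n);
    return r ? r : (alen > blen) - (alen < blen);
}

/* The two nonces carried by one CREATE_CHILD_SA rekey exchange. */
typedef struct { const uint8_t *ni; size_t ni_len; const uint8_t *nr; size_t nr_len; } rekey_exchange_t;

static const uint8_t *lowest_nonce(const rekey_exchange_t *x, size_t *len)
{
    if (nonce_cmp(x->ni, x->ni_len, x->nr, x->nr_len) <= 0) { *len = x->ni_len; return x->ni; }
    *len = x->nr_len; return x->nr;
}

/* True if the exchange we initiated carries the lowest of the four nonces
 * (assumed rule: that exchange loses and its initiator deletes the SA it
 * created). */
static bool we_lost_collision(const rekey_exchange_t *ours, const rekey_exchange_t *theirs)
{
    size_t la, lb;
    const uint8_t *a = lowest_nonce(ours, &la), *b = lowest_nonce(theirs, &lb);
    return nonce_cmp(a, la, b, lb) < 0;
}

/* On the side that does not delete: make sure the peer's DELETE of the
 * redundant CHILD_SA does not trigger the configured close action. */
static void mark_redundant(child_sa_t *redundant)
{ redundant->get_close_action = get_close_action_none; }

/* What the daemon does when a DELETE for this CHILD_SA arrives. */
static action_t handle_delete(child_sa_t *child)
{ return child->get_close_action(child); }

/* Scenario with constructed nonces: both peers rekey at once, the peer's
 * exchange holds the lowest nonce (0x05), so the peer deletes the SA it
 * created and we process that DELETE. With apply_fix the result is
 * ACTION_NONE; without it the restart action would rebuild the SA. */
static action_t scenario(bool apply_fix)
{
    static const uint8_t ours_ni[] = {0x10, 0x00}, ours_nr[] = {0x20, 0x00};
    static const uint8_t theirs_ni[] = {0x30, 0x00}, theirs_nr[] = {0x05, 0x00};
    rekey_exchange_t ours = { ours_ni, 2, ours_nr, 2 };
    rekey_exchange_t theirs = { theirs_ni, 2, theirs_nr, 2 };
    child_sa_t redundant;
    child_sa_init(&redundant, "net-net", ACTION_RESTART);
    if (!we_lost_collision(&ours, &theirs) && apply_fix)
        mark_redundant(&redundant);
    return handle_delete(&redundant);
}
```

The same getter indirection is what lets the DPD action be overridden in the commit below; the point of wrapping both is that the decision is attached to the one SA that is known to be redundant, not to the connection's configuration, so every other CHILD_SA of the same connection keeps its close action.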

Martin Willi [Wed, 2 Jun 2010 09:41:46 +0000 (11:41 +0200)]
Use wrapped getters for close/dpd action

Martin Willi [Wed, 2 Jun 2010 09:40:38 +0000 (11:40 +0200)]
Wrap getters for dpd/close action into CHILD_SA, allows us to override them

Andreas Steffen [Tue, 1 Jun 2010 14:47:56 +0000 (16:47 +0200)]
ipsec pool --statusattr [--hexout] outputs attribute values in the correct format if known

Andreas Steffen [Mon, 31 May 2010 14:46:47 +0000 (16:46 +0200)]
added unity_def_domain keyword to ipsec pool

Martin Willi [Mon, 31 May 2010 11:41:25 +0000 (13:41 +0200)]
Added generated manpages to .gitignore

Martin Willi [Mon, 31 May 2010 11:14:36 +0000 (13:14 +0200)]
Changed default lifetime of certificates to 3 years

Martin Willi [Mon, 31 May 2010 11:12:46 +0000 (13:12 +0200)]
Support extendedKeyUsage flags in self-signed certificates

Tobias Brunner [Sun, 30 May 2010 11:07:32 +0000 (13:07 +0200)]
IPSEC_CONFDIR in ipsec script fixed.

Tobias Brunner [Sun, 30 May 2010 11:03:04 +0000 (13:03 +0200)]
Adding the version number to the most relevant manual pages.

Tobias Brunner [Sun, 30 May 2010 09:51:30 +0000 (11:51 +0200)]
Updated and corrected the ipsec.secrets(5) manual page.

Tobias Brunner [Sat, 29 May 2010 19:10:18 +0000 (21:10 +0200)]
Updated and corrected the ipsec.conf(5) manual page.

Tobias Brunner [Sat, 29 May 2010 15:34:00 +0000 (17:34 +0200)]
Updated and corrected the ipsec(8) manual page.

Andreas Steffen [Sat, 29 May 2010 11:29:23 +0000 (13:29 +0200)]
added --leases command line option to synopsis

Andreas Steffen [Sat, 29 May 2010 11:23:20 +0000 (13:23 +0200)]
added --showattr command line option to synopsis

Andreas Steffen [Sat, 29 May 2010 09:22:36 +0000 (11:22 +0200)]
added X.509 support by openssl plugin to NEWS

Andreas Steffen [Fri, 28 May 2010 21:22:15 +0000 (23:22 +0200)]
remove x509 plugin from openssl-ikev1 scenarios

Tobias Brunner [Fri, 28 May 2010 13:43:12 +0000 (15:43 +0200)]
Do not install trap policy if remote host is %any.

Andreas Steffen [Fri, 28 May 2010 13:07:09 +0000 (15:07 +0200)]
be lenient towards wrong attribute encodings

Martin Willi [Thu, 27 May 2010 13:04:25 +0000 (15:04 +0200)]
Send empty SIM/AKA-NOTIFICATION response for non-success codes, too

Martin Willi [Thu, 27 May 2010 07:30:14 +0000 (09:30 +0200)]
Added support for reading raw PUT/POST data from HTTP request

Martin Willi [Wed, 26 May 2010 14:09:50 +0000 (16:09 +0200)]
Unwrap subjectKeyIdentifier from OCTET_STRING

Andreas Steffen [Tue, 25 May 2010 13:49:58 +0000 (15:49 +0200)]
remove x509 plugin from remaining openssl-ikev2 scenarios

Andreas Steffen [Tue, 25 May 2010 13:26:46 +0000 (15:26 +0200)]
openssl-ikev2/rw-cert scenario doesn't need x509 plugin any more

Andreas Steffen [Sat, 22 May 2010 20:53:24 +0000 (22:53 +0200)]
several subnets can be concatenated

Andreas Steffen [Sat, 22 May 2010 08:46:15 +0000 (10:46 +0200)]
added --showattr command to usage()

Martin Willi [Fri, 21 May 2010 14:41:13 +0000 (16:41 +0200)]
Fixed compiler warning in invocation of crl_is_newer()

Martin Willi [Fri, 21 May 2010 14:38:19 +0000 (16:38 +0200)]
Use the CA's subjectKeyIdentifier as the CRL's authorityKeyIdentifier

Martin Willi [Fri, 21 May 2010 13:53:31 +0000 (15:53 +0200)]
Added a --signcrl command to the pki utility

Martin Willi [Fri, 21 May 2010 13:52:20 +0000 (15:52 +0200)]
Added support for CRL generation to x509 plugin