strongswan.git
Martin Willi [Tue, 13 Jul 2010 12:18:19 +0000 (14:18 +0200)]
Added NEWS about --signcrl and PEM support in pki utility

Martin Willi [Tue, 13 Jul 2010 12:14:39 +0000 (14:14 +0200)]
Added pki PEM encoding support for certificates, CRLs and PKCS10 requests

Martin Willi [Tue, 13 Jul 2010 11:53:33 +0000 (13:53 +0200)]
Added support for Certificate, CRL and PKCS10 encoding to PEM plugin

Martin Willi [Tue, 13 Jul 2010 11:34:04 +0000 (13:34 +0200)]
Support different encoding types in certificate.get_encoding()

Martin Willi [Tue, 13 Jul 2010 09:28:04 +0000 (11:28 +0200)]
Renamed key_encod{ing,der}_t and constants, prepare for generic credential encoding

Martin Willi [Tue, 13 Jul 2010 09:01:08 +0000 (11:01 +0200)]
Moved keys/key_encoding.[ch] to cred_encoding.[ch]

Martin Willi [Tue, 13 Jul 2010 08:42:02 +0000 (10:42 +0200)]
Fixed doxygen group of cert_validator interface

Martin Willi [Tue, 13 Jul 2010 07:34:57 +0000 (09:34 +0200)]
Added NEWS for revocation/addrblock plugin

Martin Willi [Tue, 13 Jul 2010 07:29:57 +0000 (09:29 +0200)]
Added addrblock plugin to RFC3779 test cases

Martin Willi [Tue, 13 Jul 2010 07:28:44 +0000 (09:28 +0200)]
Added revocation plugin to ikev2 crl/ocsp test cases

Martin Willi [Tue, 13 Jul 2010 07:19:39 +0000 (09:19 +0200)]
Moved X509 ipAddrBlock checking to the addrblock plugin

Martin Willi [Tue, 13 Jul 2010 06:39:19 +0000 (08:39 +0200)]
Added a hook to narrow traffic selectors for CHILD_SAs

Martin Willi [Mon, 12 Jul 2010 14:25:56 +0000 (16:25 +0200)]
Moved bus_t to METHOD/INIT macros

Martin Willi [Mon, 12 Jul 2010 13:57:25 +0000 (15:57 +0200)]
Moved addrblock plugin to libcharon

Martin Willi [Mon, 5 Jul 2010 13:26:35 +0000 (15:26 +0200)]
Moved CRL/OCSP checking to a dedicated plugin called revocation

Martin Willi [Mon, 5 Jul 2010 13:24:19 +0000 (15:24 +0200)]
Made some useful methods in the credential manager public

Martin Willi [Mon, 5 Jul 2010 12:36:05 +0000 (14:36 +0200)]
Moved X509 addrBlock validation to a separate addrblock plugin

Martin Willi [Mon, 5 Jul 2010 12:21:09 +0000 (14:21 +0200)]
Added a certificate validation hook to the credential manager

Martin Willi [Mon, 5 Jul 2010 10:51:17 +0000 (12:51 +0200)]
Migrated credential manager to INIT/METHOD macros

Martin Willi [Mon, 5 Jul 2010 09:54:25 +0000 (11:54 +0200)]
Moved credential manager to libstrongswan

Martin Willi [Mon, 5 Jul 2010 07:36:30 +0000 (09:36 +0200)]
Move pathlen constraint checking to X509 specific checks

Martin Willi [Fri, 2 Jul 2010 08:29:36 +0000 (10:29 +0200)]
Charon uses a generic trustchain length limit, not only for X509 certificates

Martin Willi [Fri, 2 Jul 2010 07:58:59 +0000 (09:58 +0200)]
Combined the OCSP/CRL options to a single Online check option

Andreas Steffen [Tue, 13 Jul 2010 07:15:53 +0000 (09:15 +0200)]
added mark, mark_in, and mark_out to the ipsec.conf.5 man page

Andreas Steffen [Mon, 12 Jul 2010 20:44:27 +0000 (22:44 +0200)]
we need some ordering

Andreas Steffen [Mon, 12 Jul 2010 20:38:18 +0000 (22:38 +0200)]
changed ordering of statusattr output

Andreas Steffen [Mon, 12 Jul 2010 18:54:40 +0000 (20:54 +0200)]
updated ikev2/ip-two-pools-db scenario to support pool and identity based dns attributes

Andreas Steffen [Mon, 12 Jul 2010 18:48:14 +0000 (20:48 +0200)]
fixed alignment of caption

Andreas Steffen [Mon, 12 Jul 2010 18:28:24 +0000 (20:28 +0200)]
updated SQL templates to support attribute pool and identity parameters

Andreas Steffen [Mon, 12 Jul 2010 18:26:17 +0000 (20:26 +0200)]
output identities correctly

Andreas Steffen [Mon, 12 Jul 2010 12:22:32 +0000 (14:22 +0200)]
added second example scenario

Tobias Brunner [Mon, 12 Jul 2010 13:28:55 +0000 (15:28 +0200)]
apidoc is actually a directory not a file.

Tobias Brunner [Mon, 12 Jul 2010 10:27:49 +0000 (12:27 +0200)]
Added missing pool parameter in DHCP attribute provider.

Martin Willi [Fri, 9 Jul 2010 11:53:43 +0000 (13:53 +0200)]
Do not interpret long class attributes (such as from NPS) as group

Martin Willi [Fri, 9 Jul 2010 11:51:58 +0000 (13:51 +0200)]
Group membership constraint is fulfilled if subject is member in one of the groups

Heiko Hund [Wed, 7 Jul 2010 14:45:36 +0000 (16:45 +0200)]
Added support for named attribute groups

Add the possibility to group attributes by a name and assign these
groups to connections. This allows a more granular configuration of
which client will receive what attributes.

Andreas Steffen [Fri, 9 Jul 2010 10:19:39 +0000 (12:19 +0200)]
transport reqid, mark_in and mark_out in whack message

Andreas Steffen [Fri, 9 Jul 2010 09:55:01 +0000 (11:55 +0200)]
added ikev2/net2net-psk-dscp2 DiffServ scenario

Andreas Steffen [Fri, 9 Jul 2010 07:36:03 +0000 (09:36 +0200)]
added ikev2/nat-two-rw-mark-in-out scenario

Andreas Steffen [Fri, 9 Jul 2010 07:35:02 +0000 (09:35 +0200)]
some changes to the ikev2/nat-two-rw-mark scenario

Andreas Steffen [Fri, 9 Jul 2010 07:06:02 +0000 (09:06 +0200)]
configuration of different marks for inbound and outbound direction

Martin Willi [Thu, 8 Jul 2010 14:11:55 +0000 (16:11 +0200)]
The file logger supports a time prefix using a strftime() format specifier

Martin Willi [Thu, 8 Jul 2010 13:46:44 +0000 (15:46 +0200)]
Print identity to a lease address on the same line for simpler grepping

Martin Willi [Wed, 7 Jul 2010 08:00:39 +0000 (10:00 +0200)]
Implemented missing bypass_socket() method in load-tester's faked kernel interface

Andreas Steffen [Tue, 6 Jul 2010 18:32:15 +0000 (20:32 +0200)]
added req parameter to ipsec.conf man page

Martin Willi [Tue, 6 Jul 2010 14:26:59 +0000 (16:26 +0200)]
Show mallinfo() data in statusall, if available

Martin Willi [Tue, 6 Jul 2010 13:44:37 +0000 (15:44 +0200)]
Avoid relocking while enumerator is alive

Tobias Brunner [Tue, 6 Jul 2010 07:29:18 +0000 (09:29 +0200)]
Added missing mark_t in load tester, also migrated to INIT/METHOD macros.

Tobias Brunner [Mon, 5 Jul 2010 13:04:30 +0000 (15:04 +0200)]
Some Doxygen fixes.

Tobias Brunner [Mon, 5 Jul 2010 12:53:56 +0000 (14:53 +0200)]
Fixed typo.

Martin Willi [Mon, 28 Jun 2010 14:12:06 +0000 (16:12 +0200)]
Added support for group membership information contained in the RADIUS class attribute

Martin Willi [Mon, 28 Jun 2010 13:46:13 +0000 (15:46 +0200)]
Use the group constraint in a more generic fashion, not only for attribute certificates

Martin Willi [Mon, 28 Jun 2010 13:45:07 +0000 (15:45 +0200)]
Use the responder side configured EAP-Identity directly, if given

Martin Willi [Mon, 28 Jun 2010 13:41:48 +0000 (15:41 +0200)]
Copy EAP specific attributes to auth config only

Tobias Brunner [Mon, 5 Jul 2010 07:37:49 +0000 (09:37 +0200)]
Disable EAP-GTC on Android.

The EAP-GTC plugin does not compile due to its dependency on PAM.

Andreas Steffen [Sat, 3 Jul 2010 20:14:45 +0000 (22:14 +0200)]
added IKEv2 xfrm marks support to NEWS

Andreas Steffen [Sat, 3 Jul 2010 16:18:30 +0000 (18:18 +0200)]
regenerated loop intermediate CA certificates

Andreas Steffen [Sat, 3 Jul 2010 11:25:09 +0000 (13:25 +0200)]
added ikev2/nat-two-rw-mark scenario

Andreas Steffen [Fri, 2 Jul 2010 21:45:57 +0000 (23:45 +0200)]
support of xfrm marks for IKEv2

Martin Willi [Wed, 30 Jun 2010 11:48:47 +0000 (13:48 +0200)]
Recreate IKE_SA_INIT related tasks only if they have completed

Thomas Egerer [Wed, 30 Jun 2010 11:10:56 +0000 (13:10 +0200)]
Use enumerator for queued_tasks migration to avoid infinite loop

Tobias Brunner [Wed, 30 Jun 2010 08:02:15 +0000 (10:02 +0200)]
Enabling some EAP plugins on Android.

Tobias Brunner [Wed, 30 Jun 2010 08:01:16 +0000 (10:01 +0200)]
The x509 plugin is not needed anymore on Android, using OpenSSL.

Thomas Egerer [Mon, 28 Jun 2010 20:18:25 +0000 (22:18 +0200)]
Correct check of traffic selectors before destruction

Thomas Egerer [Tue, 29 Jun 2010 06:53:05 +0000 (08:53 +0200)]
Migrate queued_tasks tasks, to avoid dangling pointers

Tobias Brunner [Mon, 28 Jun 2010 15:18:53 +0000 (17:18 +0200)]
The signature of keystore_get changed again.

With Android 2.2 (Froyo) the interface of keystore_get was changed once
again. The change was made to allow the keys to contain \0 characters.

Tobias Brunner [Thu, 24 Jun 2010 14:23:54 +0000 (16:23 +0200)]
Compiler warning fixed.

Andreas Steffen [Sun, 27 Jun 2010 20:26:00 +0000 (22:26 +0200)]
check for installed aead algorithms in kernel

Andreas Steffen [Sun, 27 Jun 2010 09:23:35 +0000 (11:23 +0200)]
upgraded xfrm.h to linux-2.6.34

Martin Willi [Thu, 24 Jun 2010 13:45:38 +0000 (15:45 +0200)]
Show contents of the CP payload in message_t stringification

Martin Willi [Thu, 24 Jun 2010 13:44:28 +0000 (15:44 +0200)]
Support the subnet attribute in the attr plugin

Tobias Brunner [Thu, 24 Jun 2010 12:44:45 +0000 (14:44 +0200)]
Increased the loglevel for the arguments received via Android control socket.

Tobias Brunner [Thu, 24 Jun 2010 12:05:53 +0000 (14:05 +0200)]
Terminate charon from the Android plugin if the tunnel goes down after it was initiated successfully.

Tobias Brunner [Thu, 24 Jun 2010 12:02:52 +0000 (14:02 +0200)]
Initiate the tunnel in the Android plugin asynchronously.

Also track its initiation using the registered listener.

Tobias Brunner [Thu, 24 Jun 2010 12:00:39 +0000 (14:00 +0200)]
Implement the listener_t interface in the Android plugin to track the status of an SA.

Tobias Brunner [Thu, 24 Jun 2010 11:57:03 +0000 (13:57 +0200)]
Helper function added to notify the Android frontend about status changes.

Tobias Brunner [Thu, 24 Jun 2010 11:42:57 +0000 (13:42 +0200)]
Initiate consumes a child_sa reference, so get an additional one.

Tobias Brunner [Thu, 24 Jun 2010 11:41:07 +0000 (13:41 +0200)]
Use the same error code constants as in the Java frontend.

Tobias Brunner [Thu, 24 Jun 2010 08:34:48 +0000 (10:34 +0200)]
Flush and destroy the send queue before unloading the socket plugins.

Martin Willi [Thu, 24 Jun 2010 10:00:56 +0000 (12:00 +0200)]
Select subjectAltName address family using address length in openssl plugin

Martin Willi [Thu, 24 Jun 2010 09:59:20 +0000 (11:59 +0200)]
Select subjectAltName address family using address length in x509 plugin

Tobias Brunner [Wed, 23 Jun 2010 09:19:37 +0000 (11:19 +0200)]
Do not install routes in the PF_KEY kernel interface if interface lookup failed.

Tobias Brunner [Tue, 22 Jun 2010 14:19:55 +0000 (16:19 +0200)]
The signature of keystore_get was changed with Android 2.x.

Tobias Brunner [Tue, 22 Jun 2010 14:18:22 +0000 (16:18 +0200)]
Avoid a segmentation fault if opening the Android control socket failed.

Tobias Brunner [Tue, 22 Jun 2010 14:15:10 +0000 (16:15 +0200)]
OpenSSL in Android 2.1+ lacks Elliptic Curve and ENGINE support.

Unfortunately, opensslconf.h was not changed accordingly.

Tobias Brunner [Tue, 22 Jun 2010 14:14:14 +0000 (16:14 +0200)]
Allow to enable the kernel-pfkey plugin via Android.mk.

Tobias Brunner [Tue, 22 Jun 2010 14:04:13 +0000 (16:04 +0200)]
Fixing the PF_KEY kernel interface on Android.

In Android's in.h IPPROTO_COMP is not #defined but just an enum member.

Tobias Brunner [Tue, 22 Jun 2010 09:33:21 +0000 (11:33 +0200)]
Fixing compilation of the OpenSSL plugin if ENGINE support is disabled.

That is, enable compilation if OpenSSL was configured with
OPENSSL_NO_ENGINE.

Tobias Brunner [Tue, 22 Jun 2010 09:28:50 +0000 (11:28 +0200)]
Fixing compilation of the OpenSSL plugin if Elliptic Curve support is disabled.

That is, enable compilation if OpenSSL was configured with
OPENSSL_NO_EC.

Martin Willi [Tue, 22 Jun 2010 07:16:04 +0000 (09:16 +0200)]
Ignore IKEv2 packets in pluto with any minor version

Martin Willi [Tue, 22 Jun 2010 07:03:41 +0000 (09:03 +0200)]
Accept IKE packets with any minor version in RAW socket

Tobias Brunner [Thu, 17 Jun 2010 16:09:34 +0000 (18:09 +0200)]
Fixed plugin checks in Android.mk files.

Heiko Hund [Fri, 18 Jun 2010 03:01:06 +0000 (05:01 +0200)]
Don't fail with an error if an attribute that is to be deleted does not exist

Tobias Brunner [Mon, 7 Jun 2010 13:33:25 +0000 (15:33 +0200)]
Fixed compiler warning.

Tobias Brunner [Tue, 11 May 2010 16:31:24 +0000 (18:31 +0200)]
Use vpn.dns* to store DNS servers (Android manages net.dns* using these).

Tobias Brunner [Tue, 4 May 2010 16:26:07 +0000 (18:26 +0200)]
Adding an interface that interacts with the Android Settings frontend.

Tobias Brunner [Tue, 4 May 2010 16:18:51 +0000 (18:18 +0200)]
Adding an Android specific credential set.

Tobias Brunner [Tue, 4 May 2010 16:13:27 +0000 (18:13 +0200)]
Adding an Android specific logger.

Tobias Brunner [Tue, 15 Jun 2010 17:40:44 +0000 (19:40 +0200)]
Adding support for the native Linux capabilities interface.

Note that this interface is deprecated and mainly added to support
Android. Use libcap, if possible.

Tobias Brunner [Tue, 15 Jun 2010 17:10:23 +0000 (19:10 +0200)]
Explicitly refer to LIBCAP in Makefiles.