strongswan.git
6 years agoutils: Add utility function to calculate padding length
Tobias Brunner [Fri, 11 Oct 2013 23:01:06 +0000 (01:01 +0200)]
utils: Add utility function to calculate padding length

6 years agostroke: Reuse reqids of established CHILD_SAs when routing connections
Tobias Brunner [Thu, 19 Sep 2013 08:59:20 +0000 (10:59 +0200)]
stroke: Reuse reqids of established CHILD_SAs when routing connections

6 years agotrap-manager: Make sure a config is not trapped twice
Tobias Brunner [Thu, 19 Sep 2013 08:53:05 +0000 (10:53 +0200)]
trap-manager: Make sure a config is not trapped twice

6 years agoDoxygen fixes
Tobias Brunner [Tue, 15 Oct 2013 09:16:09 +0000 (11:16 +0200)]
Doxygen fixes

6 years agoSet recommendation in the case of PCR measurement failures
Andreas Steffen [Sun, 13 Oct 2013 20:17:18 +0000 (22:17 +0200)]
Set recommendation in the case of PCR measurement failures

6 years agoAdd linux/fip_rules.h to include files
Andreas Steffen [Sun, 13 Oct 2013 18:51:10 +0000 (20:51 +0200)]
Add linux/fip_rules.h to include files

6 years agoRevert refactoring which broke CentOS build
Andreas Steffen [Sun, 13 Oct 2013 17:56:04 +0000 (19:56 +0200)]
Revert refactoring which broke CentOS build

6 years agoIncrease debug level in libipsec/rw-suite-b scenario
Andreas Steffen [Fri, 11 Oct 2013 19:34:59 +0000 (21:34 +0200)]
Increase debug level in libipsec/rw-suite-b scenario

6 years agoUse bold font to display key size
Andreas Steffen [Fri, 11 Oct 2013 19:23:10 +0000 (21:23 +0200)]
Use bold font to display key size

6 years agoAdded swid_directory option
Andreas Steffen [Fri, 11 Oct 2013 18:59:24 +0000 (20:59 +0200)]
Added swid_directory option

6 years agoAdded tnc/tnccs-11-supplicant scenario
Andreas Steffen [Fri, 11 Oct 2013 18:18:59 +0000 (20:18 +0200)]
Added tnc/tnccs-11-supplicant scenario

6 years agoDefine aaa.strongswan.org in /etc/hosts
Andreas Steffen [Fri, 11 Oct 2013 18:16:59 +0000 (20:16 +0200)]
Define aaa.strongswan.org in /etc/hosts

6 years agotesting: Add libipsec/host2host-cert scenario
Tobias Brunner [Fri, 11 Oct 2013 16:04:48 +0000 (18:04 +0200)]
testing: Add libipsec/host2host-cert scenario

6 years agochecksum: The pool utility was moved to its own directory
Tobias Brunner [Fri, 11 Oct 2013 15:33:19 +0000 (17:33 +0200)]
checksum: The pool utility was moved to its own directory

6 years agoccm: Add missing comma in get_iv_gen method signature
Tobias Brunner [Fri, 11 Oct 2013 15:26:57 +0000 (17:26 +0200)]
ccm: Add missing comma in get_iv_gen method signature

6 years agoiv-gen: Add missing header files to Makefile.am
Tobias Brunner [Fri, 11 Oct 2013 15:22:30 +0000 (17:22 +0200)]
iv-gen: Add missing header files to Makefile.am

6 years agoNEWS: Updates for the recent merges
Tobias Brunner [Fri, 11 Oct 2013 14:20:41 +0000 (16:20 +0200)]
NEWS: Updates for the recent merges

6 years agoMerge branch 'iv-gen'
Tobias Brunner [Fri, 11 Oct 2013 13:55:49 +0000 (15:55 +0200)]
Merge branch 'iv-gen'

Modularizes the generation of initialization vectors, which allows to use
different methods depending on the algorithms.  For instance for AES-GCM
sequential IVs are now used instead of the earlier random IVs, which are
still used for other algorithms e.g. AES-CBC.

6 years agoiv_gen: Mask sequential IVs with a random salt
Tobias Brunner [Mon, 5 Aug 2013 14:24:40 +0000 (16:24 +0200)]
iv_gen: Mask sequential IVs with a random salt

This makes it harder to attack a HA setup, even if the sequence numbers were
not fully in sync.

6 years agoiv_gen: Provide external sequence number (IKE, ESP)
Tobias Brunner [Mon, 5 Aug 2013 13:41:45 +0000 (15:41 +0200)]
iv_gen: Provide external sequence number (IKE, ESP)

This prevents duplicate sequential IVs in case of a HA failover.

6 years agoipsec: Use IV generator to encrypt ESP messages
Tobias Brunner [Mon, 5 Aug 2013 12:59:10 +0000 (14:59 +0200)]
ipsec: Use IV generator to encrypt ESP messages

6 years agoikev2: Use IV generator to encrypt encrypted payload
Tobias Brunner [Mon, 5 Aug 2013 12:55:51 +0000 (14:55 +0200)]
ikev2: Use IV generator to encrypt encrypted payload

6 years agoiv_gen: aead_t implementations provide an IV generator
Tobias Brunner [Mon, 5 Aug 2013 12:52:30 +0000 (14:52 +0200)]
iv_gen: aead_t implementations provide an IV generator

6 years agoiv_gen: Add IV generator that allocates IVs sequentially
Tobias Brunner [Mon, 5 Aug 2013 12:43:50 +0000 (14:43 +0200)]
iv_gen: Add IV generator that allocates IVs sequentially

6 years agoiv_gen: Add IV generator that allocates IVs randomly
Tobias Brunner [Mon, 5 Aug 2013 12:19:43 +0000 (14:19 +0200)]
iv_gen: Add IV generator that allocates IVs randomly

Uses RNG_WEAK as the code currently does elsewhere to allocate IVs.

6 years agocrypto: Add generic interface for IV generators
Tobias Brunner [Mon, 5 Aug 2013 12:10:47 +0000 (14:10 +0200)]
crypto: Add generic interface for IV generators

6 years agoapidoc: Move mac_prf to prf Doxygen group
Tobias Brunner [Mon, 5 Aug 2013 12:09:43 +0000 (14:09 +0200)]
apidoc: Move mac_prf to prf Doxygen group

6 years agoMerge branch 'radius-unity'
Tobias Brunner [Fri, 11 Oct 2013 13:52:36 +0000 (15:52 +0200)]
Merge branch 'radius-unity'

Adds support for Cisco Unity specific RADIUS attributes.

References #383.

6 years agoeap-radius: Forward RAT_FRAMED_IP_NETMASK as INTERNAL_IP4_NETMASK
Tobias Brunner [Mon, 19 Aug 2013 11:31:55 +0000 (13:31 +0200)]
eap-radius: Forward RAT_FRAMED_IP_NETMASK as INTERNAL_IP4_NETMASK

6 years agoeap-radius: Forward UNITY_SPLIT_INCLUDE or UNITY_LOCAL_LAN attributes
Tobias Brunner [Fri, 16 Aug 2013 13:25:33 +0000 (15:25 +0200)]
eap-radius: Forward UNITY_SPLIT_INCLUDE or UNITY_LOCAL_LAN attributes

Depending on the value of the CVPN3000-IPSec-Split-Tunneling-Policy(55)
radius attribute, the subnets in the CVPN3000-IPSec-Split-Tunnel-List(27)
attribute are sent in either a UNITY_SPLIT_INCLUDE (if the value is 1)
or a UNITY_LOCAL_LAN (if the value is 2).

So if the following attributes would be configured for a RADIUS user

  CVPN3000-IPSec-Split-Tunnel-List := "10.0.1.0/255.255.255.0,10.0.2.0/255.255.255.0"
  CVPN3000-IPSec-Split-Tunneling-Policy := 1

A UNITY_SPLIT_INCLUDE configuration payload containing these two subnets
would be sent to the client during the ModeCfg exchange.

6 years agoeap-radius: Forward UNITY_DEF_DOMAIN and UNITY_SPLITDNS_NAME attributes
Tobias Brunner [Fri, 16 Aug 2013 11:41:22 +0000 (13:41 +0200)]
eap-radius: Forward UNITY_DEF_DOMAIN and UNITY_SPLITDNS_NAME attributes

The contents of the CVPN3000-IPSec-Default-Domain(28) and
CVPN3000-IPSec-Split-DNS-Names(29) radius attributes are forwarded in
the corresponding Unity configuration attributes.

6 years agoMerge branch 'dnscert'
Tobias Brunner [Fri, 11 Oct 2013 13:46:09 +0000 (15:46 +0200)]
Merge branch 'dnscert'

The new dnscert plugin adds support for authentication via CERT resource
records that are protected with DNSSEC.

6 years agotesting: Add ikev2/net2net-dnscert scenario
Tobias Brunner [Thu, 26 Sep 2013 16:28:48 +0000 (18:28 +0200)]
testing: Add ikev2/net2net-dnscert scenario

6 years agotesting: Provide moon's and sun's certificate as CERT RR
Tobias Brunner [Thu, 26 Sep 2013 16:16:10 +0000 (18:16 +0200)]
testing: Provide moon's and sun's certificate as CERT RR

6 years agotesting: Enable dnscert plugin
Tobias Brunner [Thu, 26 Sep 2013 15:01:11 +0000 (17:01 +0200)]
testing: Enable dnscert plugin

6 years agotesting: Load testing.conf.local from the same directory as testing.conf
Tobias Brunner [Thu, 26 Sep 2013 15:00:21 +0000 (17:00 +0200)]
testing: Load testing.conf.local from the same directory as testing.conf

6 years agodnscert: Add DNS CERT support for pubkey authentication
Ruslan N. Marchenko [Fri, 30 Aug 2013 15:51:12 +0000 (17:51 +0200)]
dnscert: Add DNS CERT support for pubkey authentication

Add DNSSEC protected CERT RR delivered certificate authentication.
The new dnscert plugin is based on the ipseckey plugin and relies on the
existing PEM decoder as well as x509 and PGP parsers.  As such the plugin
expects PEM encoded PKIX(x509) or PGP(GPG) certificate payloads.

The plugin is targeted to improve interoperability with Racoon, which
supports this type of authentication, ignoring in-stream certificates
and using only DNS provided certificates for FQDN IDs.

6 years agoipseckey: Properly handle failure to create a certificate
Tobias Brunner [Thu, 29 Aug 2013 13:58:48 +0000 (15:58 +0200)]
ipseckey: Properly handle failure to create a certificate

Also, try the next key (if available) if parsing an IPSECKEY failed.

6 years agoipseckey: Refactor creation of certificate enumerator
Tobias Brunner [Thu, 29 Aug 2013 13:47:05 +0000 (15:47 +0200)]
ipseckey: Refactor creation of certificate enumerator

Reduces nesting and fixes a memory leak (rrsig_enum).

6 years agoipseckey: Depend on plugin features to create public key and certificate objects
Tobias Brunner [Thu, 29 Aug 2013 13:25:23 +0000 (15:25 +0200)]
ipseckey: Depend on plugin features to create public key and certificate objects

6 years agounbound: Add support for DLV (DNSSEC Lookaside Validation)
Tobias Brunner [Thu, 29 Aug 2013 07:04:36 +0000 (09:04 +0200)]
unbound: Add support for DLV (DNSSEC Lookaside Validation)

Fixes #392.

6 years agoMerge branch 'fwmarks'
Tobias Brunner [Fri, 11 Oct 2013 13:33:06 +0000 (15:33 +0200)]
Merge branch 'fwmarks'

Allows setting a mark on outbound packets and the routing rule
installed by charon.  With those settings it is possible to setup
tunnels with kernel-libipsec where the remote peer is part of the remote
traffic selector.

The following example settings in strongswan.conf show how this can be
configured:

charon {
    plugins {
        kernel-netlink {
            fwmark = !0x42
        }
        socket-default {
            fwmark = 0x42
        }
        kernel-libipsec {
            allow_peer_ts = yes
        }
    }
}

To make it work it is necessary to set

  net.ipv4.conf.all.rp_filter

appropriately, otherwise the kernel drops the packets.

References #380.

6 years agokernel-libipsec: Don't ignore policies of type != POLICY_IPSEC
Tobias Brunner [Thu, 10 Oct 2013 13:41:29 +0000 (15:41 +0200)]
kernel-libipsec: Don't ignore policies of type != POLICY_IPSEC

This actually broke rekeying due to the DROP policies that are
temporarily added, which broke the refcount as the ignored policies
were not ignored in del_policy() (the type is not known there).

6 years agokernel-libipsec: Add an option to allow remote TS to match the IKE peer
Tobias Brunner [Tue, 13 Aug 2013 15:10:00 +0000 (17:10 +0200)]
kernel-libipsec: Add an option to allow remote TS to match the IKE peer

Setting the fwmark options for the kernel-netlink and socket-default
plugins allow this kind of setup.

It is probably required to set net.ipv4.conf.all.rp_filter to 2 to make
it work.

6 years agosocket-default: Allow setting firewall mark on outbound packets
Tobias Brunner [Tue, 13 Aug 2013 14:58:33 +0000 (16:58 +0200)]
socket-default: Allow setting firewall mark on outbound packets

6 years agokernel-netlink: Allow setting firewall marks on routing rule
Tobias Brunner [Tue, 13 Aug 2013 14:53:06 +0000 (16:53 +0200)]
kernel-netlink: Allow setting firewall marks on routing rule

6 years agoipsec_types: Add utility function to parse mark_t from strings
Tobias Brunner [Tue, 13 Aug 2013 13:15:45 +0000 (15:15 +0200)]
ipsec_types: Add utility function to parse mark_t from strings

6 years agoMerge branch 'database-transactions'
Tobias Brunner [Fri, 11 Oct 2013 13:29:30 +0000 (15:29 +0200)]
Merge branch 'database-transactions'

This adds support for transactions to the database_t interface and the two
current implementations.

The pool utility is also moved to its own directory in src/.

6 years agoattr-sql: Use a serializable transaction when inserting identities
Tobias Brunner [Thu, 10 Oct 2013 09:02:16 +0000 (11:02 +0200)]
attr-sql: Use a serializable transaction when inserting identities

6 years agodatabase: Add support for serializable transactions
Tobias Brunner [Thu, 10 Oct 2013 08:58:40 +0000 (10:58 +0200)]
database: Add support for serializable transactions

6 years agosql: Don't use MyISAM engine and set collation/charset for all tables
Tobias Brunner [Fri, 6 Sep 2013 12:09:32 +0000 (14:09 +0200)]
sql: Don't use MyISAM engine and set collation/charset for all tables

The MyISAM engine doesn't support transactions.

6 years agopool: Change transaction handling
Tobias Brunner [Fri, 6 Sep 2013 09:29:17 +0000 (11:29 +0200)]
pool: Change transaction handling

6 years agopool: Move the pool utility to its own directory in src
Tobias Brunner [Thu, 5 Sep 2013 16:00:48 +0000 (18:00 +0200)]
pool: Move the pool utility to its own directory in src

6 years agoattr-sql: Handle concurrent insertion of identities
Tobias Brunner [Fri, 13 Sep 2013 11:25:49 +0000 (13:25 +0200)]
attr-sql: Handle concurrent insertion of identities

If the same identity is added concurrently by two threads (or by the
pool utility) INSERT might fail even though the SELECT was unsuccessful
before.

We are currently not able to lock the identities table in a portable way
(something like SELECT ... FOR UPDATE on MySQL).

6 years agoattr-sql: Don't use database transactions in create_attribute_enumerator
Tobias Brunner [Thu, 5 Sep 2013 15:03:11 +0000 (17:03 +0200)]
attr-sql: Don't use database transactions in create_attribute_enumerator

There could, of course, be race conditions when enumerating the attributes,
but those probably don't matter (e.g. missing an attribute that was
concurrently added).

Transactions are more intended to revert multiple changes if anything
fails in the process.

6 years agosqlite: Implement transaction handling
Tobias Brunner [Thu, 5 Sep 2013 14:50:23 +0000 (16:50 +0200)]
sqlite: Implement transaction handling

6 years agomysql: Implement transaction handling
Tobias Brunner [Thu, 5 Sep 2013 14:46:24 +0000 (16:46 +0200)]
mysql: Implement transaction handling

6 years agodatabase: Add interface to handle transactions
Tobias Brunner [Fri, 6 Sep 2013 06:16:39 +0000 (08:16 +0200)]
database: Add interface to handle transactions

6 years agomysql: Ensure connections are properly released in multi-threaded environments
Tobias Brunner [Thu, 5 Sep 2013 13:33:24 +0000 (15:33 +0200)]
mysql: Ensure connections are properly released in multi-threaded environments

6 years agocrypto-factory: Try next available RNG implementation if constructor fails
Tobias Brunner [Thu, 3 Oct 2013 08:24:59 +0000 (10:24 +0200)]
crypto-factory: Try next available RNG implementation if constructor fails

6 years agocrypto-factory: Order entries by algorithm identifier and (optionally) speed
Tobias Brunner [Thu, 3 Oct 2013 08:23:30 +0000 (10:23 +0200)]
crypto-factory: Order entries by algorithm identifier and (optionally) speed

6 years agoRemove HASH_PREFERRED, usages are replaced with HASH_SHA1, which is required for...
Tobias Brunner [Thu, 3 Oct 2013 08:14:49 +0000 (10:14 +0200)]
Remove HASH_PREFERRED, usages are replaced with HASH_SHA1, which is required for IKEv2 anyway

6 years agovstr: Forward actual field width
Tobias Brunner [Fri, 11 Oct 2013 11:57:05 +0000 (13:57 +0200)]
vstr: Forward actual field width

fmt_field_width is a flag that indicates if a field width
is defined in obj_field_width.

6 years agounit-tests: support testing when leak-detective has not been enabled
Martin Willi [Tue, 25 Jun 2013 15:09:07 +0000 (17:09 +0200)]
unit-tests: support testing when leak-detective has not been enabled

6 years agoNEWS: Updates for the ah, libipsec-usestats and printf-hook merges
Martin Willi [Fri, 11 Oct 2013 09:40:02 +0000 (11:40 +0200)]
NEWS: Updates for the ah, libipsec-usestats and printf-hook merges

6 years agoMerge branch 'printf-hook'
Martin Willi [Fri, 11 Oct 2013 09:12:38 +0000 (11:12 +0200)]
Merge branch 'printf-hook'

Adds a custom printf hook implementation as a fallback if neither the glibc
style hooks nor vstr is available. This can avoid the Vstr dependency on some
systems at the cost of slower and less complete printf functions.

6 years agoprintf-hook-builtin: Print NaN/Infinity floating point values as such
Martin Willi [Fri, 27 Sep 2013 16:16:46 +0000 (18:16 +0200)]
printf-hook-builtin: Print NaN/Infinity floating point values as such

6 years agoprintf-hook-builtin: Correctly round up floating point values
Martin Willi [Fri, 27 Sep 2013 14:13:14 +0000 (16:13 +0200)]
printf-hook-builtin: Correctly round up floating point values

6 years agoprintf-hook-builtin: Add some preliminary floating point support
Martin Willi [Fri, 11 Oct 2013 08:55:05 +0000 (10:55 +0200)]
printf-hook-builtin: Add some preliminary floating point support

This minimalistic implementation has no aspiration for completeness or
accuracy, and just provides what we need.

6 years agoprintf-hook-builtin: Support GNU %m specifier
Martin Willi [Fri, 27 Sep 2013 09:16:11 +0000 (11:16 +0200)]
printf-hook-builtin: Support GNU %m specifier

6 years agoprintf-hook-builtin: Add a new "builtin" backend using its own printf() routines
Martin Willi [Fri, 11 Oct 2013 09:06:02 +0000 (11:06 +0200)]
printf-hook-builtin: Add a new "builtin" backend using its own printf() routines

Overloads printf C library functions by a self-contained implementation,
based on klibc. Does not yet feature all the required default formatters,
including those for floating point values.

6 years agoprintf-hook: Add some basic printf() string/integer test functions
Martin Willi [Fri, 27 Sep 2013 10:19:11 +0000 (12:19 +0200)]
printf-hook: Add some basic printf() string/integer test functions

6 years agoprintf-hook: Move glibc/vstr printf hook backends to separate files
Martin Willi [Fri, 27 Sep 2013 15:30:17 +0000 (17:30 +0200)]
printf-hook: Move glibc/vstr printf hook backends to separate files

6 years agoMerge branch 'libipsec-usestats'
Martin Willi [Fri, 11 Oct 2013 08:24:27 +0000 (10:24 +0200)]
Merge branch 'libipsec-usestats'

Brings SA usage statistics and volume based expiration to libipsec and the
associated kernel-libipsec plugin. Additionally removes any ESPv3 style TFC
padding found in incoming packets.

6 years agolibipsec: Enforce byte/packet lifetimes on SAs
Martin Willi [Mon, 30 Sep 2013 13:47:27 +0000 (15:47 +0200)]
libipsec: Enforce byte/packet lifetimes on SAs

6 years agokernel-libipsec: Support ESPv3 TFC padding
Martin Willi [Mon, 23 Sep 2013 14:26:11 +0000 (16:26 +0200)]
kernel-libipsec: Support ESPv3 TFC padding

6 years agolibipsec: remove extra RFC4303 TFC padding appended to inner payload
Martin Willi [Mon, 23 Sep 2013 14:23:54 +0000 (16:23 +0200)]
libipsec: remove extra RFC4303 TFC padding appended to inner payload

6 years agokernel-libipsec: Support query_sa() to report usage statistics
Martin Willi [Mon, 23 Sep 2013 10:46:43 +0000 (12:46 +0200)]
kernel-libipsec: Support query_sa() to report usage statistics

6 years agolibipsec: Support usage statistics and query_sa() on IPsec SAs
Martin Willi [Mon, 23 Sep 2013 10:10:07 +0000 (12:10 +0200)]
libipsec: Support usage statistics and query_sa() on IPsec SAs

6 years agokernel: Use a time_t to report use time in query_policy()
Martin Willi [Mon, 23 Sep 2013 10:35:33 +0000 (12:35 +0200)]
kernel: Use a time_t to report use time in query_policy()

6 years agokernel: Use a time_t to report use time in query_sa()
Martin Willi [Mon, 23 Sep 2013 10:28:13 +0000 (12:28 +0200)]
kernel: Use a time_t to report use time in query_sa()

6 years agoMerge branch 'ah'
Martin Willi [Fri, 11 Oct 2013 08:15:43 +0000 (10:15 +0200)]
Merge branch 'ah'

Brings support for Security Associations integrity protected by the
Authentication Header protocol, both to IKEv1 and IKEv2. Currently only plain
AH is supported, but no (now deprecated) RFC2401 style AH+ESP bundles.

6 years agoipsec.conf: Add a description for the new 'ah' keyword.
Martin Willi [Thu, 10 Oct 2013 16:09:57 +0000 (18:09 +0200)]
ipsec.conf: Add a description for the new 'ah' keyword.

6 years agotesting: Add an IKEv1 host2host AH transport mode test case
Martin Willi [Wed, 9 Oct 2013 14:10:33 +0000 (16:10 +0200)]
testing: Add an IKEv1 host2host AH transport mode test case

6 years agotesting: Add an IKEv1 net2net AH test case
Martin Willi [Wed, 9 Oct 2013 14:10:08 +0000 (16:10 +0200)]
testing: Add an IKEv1 net2net AH test case

6 years agotesting: Add an IKEv2 host2host AH transport mode test case
Martin Willi [Wed, 9 Oct 2013 13:20:22 +0000 (15:20 +0200)]
testing: Add an IKEv2 host2host AH transport mode test case

6 years agotesting: Add an IKEv2 net2net AH test case
Martin Willi [Wed, 9 Oct 2013 13:10:40 +0000 (15:10 +0200)]
testing: Add an IKEv2 net2net AH test case

6 years agotesting: Allow AH packets in default INPUT/OUTPUT chains
Martin Willi [Wed, 9 Oct 2013 13:05:46 +0000 (15:05 +0200)]
testing: Allow AH packets in default INPUT/OUTPUT chains

6 years agoupdown: Install forwarding rules with the actually used protocol
Martin Willi [Wed, 9 Oct 2013 12:48:50 +0000 (14:48 +0200)]
updown: Install forwarding rules with the actually used protocol

6 years agoupdown: Add a PLUTO_PROTO variable set to 'ah' or 'esp'
Martin Willi [Wed, 9 Oct 2013 12:48:25 +0000 (14:48 +0200)]
updown: Add a PLUTO_PROTO variable set to 'ah' or 'esp'

6 years agostarter: Reject connections having both 'ah' and 'esp' keywords set
Martin Willi [Wed, 9 Oct 2013 12:09:08 +0000 (14:09 +0200)]
starter: Reject connections having both 'ah' and 'esp' keywords set

We currently don't support mixed proposals or bundles, so don't create the
illusion we would.

6 years agoike: Define keylength for aescmac algorithm
Martin Willi [Fri, 21 Jun 2013 14:01:03 +0000 (16:01 +0200)]
ike: Define keylength for aescmac algorithm

6 years agoikev1: Support parsing of AH+IPComp proposals
Martin Willi [Fri, 21 Jun 2013 14:00:22 +0000 (16:00 +0200)]
ikev1: Support parsing of AH+IPComp proposals

6 years agostarter: Remove obsolete 'auth' option
Martin Willi [Thu, 20 Jun 2013 15:10:13 +0000 (17:10 +0200)]
starter: Remove obsolete 'auth' option

6 years agoikev1: Accept more than two certificate payloads
Martin Willi [Thu, 20 Jun 2013 15:07:27 +0000 (17:07 +0200)]
ikev1: Accept more than two certificate payloads

6 years agoikev1: Support en-/decoding of SA payloads with AH algorithms
Martin Willi [Thu, 20 Jun 2013 15:06:46 +0000 (17:06 +0200)]
ikev1: Support en-/decoding of SA payloads with AH algorithms

6 years agokernel-handler: Whitespace cleanups
Martin Willi [Thu, 20 Jun 2013 14:16:39 +0000 (16:16 +0200)]
kernel-handler: Whitespace cleanups

6 years agostroke: List proposals in statusall without leading '/' in AH SAs
Martin Willi [Thu, 20 Jun 2013 14:16:06 +0000 (16:16 +0200)]
stroke: List proposals in statusall without leading '/' in AH SAs

6 years agoikev1: Delete quick modes with the negotiated SA protocol
Martin Willi [Thu, 20 Jun 2013 14:15:31 +0000 (16:15 +0200)]
ikev1: Delete quick modes with the negotiated SA protocol

6 years agotrap-manager: Install trap with SA protocol of the first configured proposal
Martin Willi [Thu, 20 Jun 2013 14:14:52 +0000 (16:14 +0200)]
trap-manager: Install trap with SA protocol of the first configured proposal