strongswan.git
7 years agoProperly initialize optional subject in PEM builder.
Tobias Brunner [Mon, 30 Apr 2012 08:48:57 +0000 (10:48 +0200)]
Properly initialize optional subject in PEM builder.

7 years agoTypo fixed.
Tobias Brunner [Mon, 30 Apr 2012 08:47:42 +0000 (10:47 +0200)]
Typo fixed.

7 years agoversion bump to 4.6.3
Andreas Steffen [Mon, 30 Apr 2012 07:48:21 +0000 (09:48 +0200)]
version bump to 4.6.3

7 years agooutput validity of raw public key if available
Andreas Steffen [Mon, 30 Apr 2012 07:47:34 +0000 (09:47 +0200)]
output validity of raw public key if available

7 years agoikev2/net2net-pubkey scenario does not need dnskey plugin
Andreas Steffen [Mon, 30 Apr 2012 05:02:08 +0000 (07:02 +0200)]
ikev2/net2net-pubkey scenario does not need dnskey plugin

7 years agoadded ikev2/net2net-pubkey scenario
Andreas Steffen [Sun, 29 Apr 2012 22:33:18 +0000 (00:33 +0200)]
added ikev2/net2net-pubkey scenario

7 years agoadded ikev2/net2net-rsa scenario
Andreas Steffen [Sun, 29 Apr 2012 22:32:58 +0000 (00:32 +0200)]
added ikev2/net2net-rsa scenario

7 years agoadded support for raw RSA public keys to stroke
Andreas Steffen [Sun, 29 Apr 2012 22:31:42 +0000 (00:31 +0200)]
added support for raw RSA public keys to stroke

7 years agoadded ikev2/rw-eap-md5-id-prompt scenario
Andreas Steffen [Sun, 29 Apr 2012 17:10:25 +0000 (19:10 +0200)]
added ikev2/rw-eap-md5-id-prompt scenario

7 years agoFixed null-pointer dereference in smp plugin.
Tobias Brunner [Thu, 26 Apr 2012 06:50:39 +0000 (08:50 +0200)]
Fixed null-pointer dereference in smp plugin.

7 years agoCERT_TRUSTED_PUBKEY stores notBefore, notAfter and subject information
Andreas Steffen [Wed, 25 Apr 2012 18:53:08 +0000 (20:53 +0200)]
CERT_TRUSTED_PUBKEY stores notBefore, notAfter and subject information

7 years agopluto: Fix for null-terminated XAuth secrets (as sent by Android 4).
Tobias Brunner [Tue, 24 Apr 2012 07:25:38 +0000 (09:25 +0200)]
pluto: Fix for null-terminated XAuth secrets (as sent by Android 4).

7 years agoactivated cmac plugin in UML test suites
Andreas Steffen [Sun, 22 Apr 2012 20:22:25 +0000 (22:22 +0200)]
activated cmac plugin in UML test suites

7 years agoisolate a TNC client if an error occurs
Andreas Steffen [Sun, 22 Apr 2012 18:24:59 +0000 (20:24 +0200)]
isolate a TNC client if an error occurs

7 years agoversion bump to 4.6.3rc2
Andreas Steffen [Sun, 22 Apr 2012 15:41:20 +0000 (17:41 +0200)]
version bump to 4.6.3rc2

7 years agoexit if TBOOT dummy measurements are not defined
Andreas Steffen [Sun, 22 Apr 2012 15:40:59 +0000 (17:40 +0200)]
exit if TBOOT dummy measurements are not defined

7 years agoOption added to set identifier for syslog(3) logging.
Tobias Brunner [Fri, 20 Apr 2012 07:21:03 +0000 (09:21 +0200)]
Option added to set identifier for syslog(3) logging.

This identifier is added to each log message by syslog.

7 years agoRemoved auth_cfg_t.replace_value() and replaced usages with add().
Tobias Brunner [Tue, 17 Apr 2012 15:44:10 +0000 (17:44 +0200)]
Removed auth_cfg_t.replace_value() and replaced usages with add().

replace_value() was used to replace identities. Since for these the latest is
now returned by get(), adding the new identity with add() is sufficient.

7 years agoChanged the order and semantics of rules we expect only once in auth_cfg_t.
Tobias Brunner [Tue, 17 Apr 2012 15:37:30 +0000 (17:37 +0200)]
Changed the order and semantics of rules we expect only once in auth_cfg_t.

These rules are now inserted at the front of the internal list, this
allows to retrieve the rule added last with get(). For other rules the
order in which they are added is maintained (this allows to properly
enumerate them).

7 years agoStore password with remote ID to tie it stronger to a specific connection.
Tobias Brunner [Tue, 17 Apr 2012 11:58:18 +0000 (13:58 +0200)]
Store password with remote ID to tie it stronger to a specific connection.

7 years agoAdded stroke user-creds command, to set username/password for a connection.
Tobias Brunner [Tue, 17 Apr 2012 09:18:37 +0000 (11:18 +0200)]
Added stroke user-creds command, to set username/password for a connection.

7 years agoAdded method to add additional shared secrets to stroke_cred_t.
Tobias Brunner [Tue, 17 Apr 2012 09:14:38 +0000 (11:14 +0200)]
Added method to add additional shared secrets to stroke_cred_t.

7 years agoAdditional prompt keyword added to stroke.
Tobias Brunner [Tue, 17 Apr 2012 09:13:44 +0000 (11:13 +0200)]
Additional prompt keyword added to stroke.

7 years agoTypo fixed.
Tobias Brunner [Tue, 17 Apr 2012 09:11:24 +0000 (11:11 +0200)]
Typo fixed.

7 years agoKeep COOKIEs enabled once threshold is hit, until we see no COOKIEs for a few secs
Martin Willi [Tue, 17 Apr 2012 07:36:39 +0000 (09:36 +0200)]
Keep COOKIEs enabled once threshold is hit, until we see no COOKIEs for a few secs

Toggling COOKIEs on/off is problematic: After doing a COOKIE exchange as
initiator, we can't know if the completing IKE_SA_INIT message is to our first
request or the one with the COOKIE. If the responder just enabled/disabled
COOKIEs and packets get retransmitted, both might be true. Avoiding COOKIE
behavior toggling improves the situation, but does not solve the problem during
the initial COOKIE activation.

7 years agoAdded a note about DH/keymat lifecycle for custom implementations
Martin Willi [Mon, 16 Apr 2012 14:57:18 +0000 (16:57 +0200)]
Added a note about DH/keymat lifecycle for custom implementations

7 years agoReuse existing DH value when retrying IKE_SA_INIT with a COOKIE
Martin Willi [Mon, 16 Apr 2012 14:55:14 +0000 (16:55 +0200)]
Reuse existing DH value when retrying IKE_SA_INIT with a COOKIE

7 years agoUse IP address as ID as responder if not configured or no IDr received.
Tobias Brunner [Mon, 16 Apr 2012 09:55:07 +0000 (11:55 +0200)]
Use IP address as ID as responder if not configured or no IDr received.

7 years agoFall back on IP address as IDi if none is configured at all.
Tobias Brunner [Mon, 16 Apr 2012 09:53:06 +0000 (11:53 +0200)]
Fall back on IP address as IDi if none is configured at all.

7 years agoUse auth_cfg_t.replace_value where appropriate.
Tobias Brunner [Fri, 13 Apr 2012 13:47:25 +0000 (15:47 +0200)]
Use auth_cfg_t.replace_value where appropriate.

7 years agoAdded a simple method to replace the value of a rule in auth_cfg_t.
Tobias Brunner [Fri, 13 Apr 2012 13:46:23 +0000 (15:46 +0200)]
Added a simple method to replace the value of a rule in auth_cfg_t.

7 years agoFixed IDi in case neither left nor leftid is configured.
Tobias Brunner [Wed, 4 Apr 2012 09:46:59 +0000 (11:46 +0200)]
Fixed IDi in case neither left nor leftid is configured.

7 years agofixed parsing of port ranges in Scanner IMV
Andreas Steffen [Sun, 15 Apr 2012 21:39:27 +0000 (23:39 +0200)]
fixed parsing of port ranges in Scanner IMV

7 years agoTypo fixed in NEWS.
Tobias Brunner [Sat, 14 Apr 2012 06:40:27 +0000 (08:40 +0200)]
Typo fixed in NEWS.

7 years agoDon't invoke child_updown hook twice as responder
Martin Willi [Wed, 11 Apr 2012 15:43:30 +0000 (17:43 +0200)]
Don't invoke child_updown hook twice as responder

7 years agoAccept zero-length certificate request payloads
Martin Willi [Tue, 3 Apr 2012 06:35:25 +0000 (08:35 +0200)]
Accept zero-length certificate request payloads

7 years agoProperly initialize src in ike_sa_t.is_any_path_valid().
Tobias Brunner [Fri, 6 Apr 2012 08:53:47 +0000 (10:53 +0200)]
Properly initialize src in ike_sa_t.is_any_path_valid().

7 years agochecksum need a libradius_init() symbol
Andreas Steffen [Thu, 5 Apr 2012 14:52:37 +0000 (16:52 +0200)]
checksum need a libradius_init() symbol

7 years agoversion bump to 4.6.3rc1
Andreas Steffen [Thu, 5 Apr 2012 07:11:47 +0000 (09:11 +0200)]
version bump to 4.6.3rc1

7 years agoremove leading zero in ASN.1 encoded serial numbers
Andreas Steffen [Thu, 5 Apr 2012 07:04:11 +0000 (09:04 +0200)]
remove leading zero in ASN.1 encoded serial numbers

8 years agoASN.1 two's complement encoding prevents overflow in CRL serial number
Andreas Steffen [Wed, 4 Apr 2012 09:29:00 +0000 (11:29 +0200)]
ASN.1 two's complement encoding prevents overflow in CRL serial number

8 years agoMake AES-CMAC actually usable for IKEv2.
Tobias Brunner [Wed, 4 Apr 2012 08:51:46 +0000 (10:51 +0200)]
Make AES-CMAC actually usable for IKEv2.

8 years agorepresent 0 as a single byte
Andreas Steffen [Tue, 3 Apr 2012 12:19:37 +0000 (14:19 +0200)]
represent 0 as a single byte

8 years agomoved chunk_skip_zero to chunk.h
Andreas Steffen [Tue, 3 Apr 2012 12:12:50 +0000 (14:12 +0200)]
moved chunk_skip_zero to chunk.h

8 years agoadded IKEv2 Generic Secure Password Authentication Method
Andreas Steffen [Tue, 3 Apr 2012 10:49:05 +0000 (12:49 +0200)]
added IKEv2 Generic Secure Password Authentication Method

8 years agoadded IKEv2 Generic Secure Password Authentication Method
Andreas Steffen [Tue, 3 Apr 2012 10:48:48 +0000 (12:48 +0200)]
added IKEv2 Generic Secure Password Authentication Method

8 years agoadded GSPM IKEv2 payload
Andreas Steffen [Tue, 3 Apr 2012 10:21:39 +0000 (12:21 +0200)]
added GSPM IKEv2 payload

8 years agofixed typo
Andreas Steffen [Tue, 3 Apr 2012 10:07:13 +0000 (12:07 +0200)]
fixed typo

8 years agoDoxygen fixes.
Tobias Brunner [Tue, 3 Apr 2012 08:56:47 +0000 (10:56 +0200)]
Doxygen fixes.

8 years agoAdded NEWS about cmac plugin.
Tobias Brunner [Tue, 3 Apr 2012 08:48:03 +0000 (10:48 +0200)]
Added NEWS about cmac plugin.

8 years agoAdded test vectors for AES-CMAC.
Tobias Brunner [Tue, 3 Apr 2012 08:45:09 +0000 (10:45 +0200)]
Added test vectors for AES-CMAC.

8 years agoImplemented AES-CMAC based PRF and signer.
Tobias Brunner [Tue, 3 Apr 2012 08:40:47 +0000 (10:40 +0200)]
Implemented AES-CMAC based PRF and signer.

The cmac plugin implements AES-CMAC as defined in RFC 4493 and the
signer and PRF based on it as defined in RFC 4494 and RFC 4615,
respectively.

8 years agoFixed GNU license header in hmac and xcbc plugins.
Tobias Brunner [Tue, 3 Apr 2012 08:33:59 +0000 (10:33 +0200)]
Fixed GNU license header in hmac and xcbc plugins.

8 years agoMore detailed NEWS about RADIUS extensions
Martin Willi [Mon, 2 Apr 2012 11:58:21 +0000 (13:58 +0200)]
More detailed NEWS about RADIUS extensions

8 years agoupdated supported EAP methods
Andreas Steffen [Fri, 30 Mar 2012 09:15:10 +0000 (11:15 +0200)]
updated supported EAP methods

8 years agoAdd support for dnQualifier in DNs.
Tobias Brunner [Thu, 29 Mar 2012 08:01:55 +0000 (10:01 +0200)]
Add support for dnQualifier in DNs.

8 years agoremove leading zeros in ASN.1 encoded serial numbers
Andreas Steffen [Tue, 27 Mar 2012 13:05:36 +0000 (15:05 +0200)]
remove leading zeros in ASN.1 encoded serial numbers

8 years agoAdded NEWS about resolvconf support.
Tobias Brunner [Tue, 27 Mar 2012 07:47:38 +0000 (09:47 +0200)]
Added NEWS about resolvconf support.

8 years agoMake resolvconf interface prefix configurable.
Tobias Brunner [Mon, 26 Mar 2012 13:09:21 +0000 (15:09 +0200)]
Make resolvconf interface prefix configurable.

8 years agoAdded support for the resolvconf framework in resolve plugin.
Tobias Brunner [Mon, 26 Mar 2012 13:00:14 +0000 (15:00 +0200)]
Added support for the resolvconf framework in resolve plugin.

If /sbin/resolvconf is found nameservers are not written directly to
/etc/resolv.conf but instead resolvconf is invoked.

8 years agoDon't cast second argument of mem_printf_hook (%b) to size_t.
Tobias Brunner [Thu, 22 Mar 2012 15:13:15 +0000 (16:13 +0100)]
Don't cast second argument of mem_printf_hook (%b) to size_t.

Also treat the given number as unsigned int.

Due to the printf hook registration the second argument of
mem_printf_hook (if called via printf etc.) is always of type int*.
Casting this to a size_t pointer and then dereferencing that as int does
not work on big endian machines if int is smaller than size_t (e.g. on ppc64).

In order to make this change work if the argument is of a type larger
than int, size_t for instance, the second argument for %b has to be casted
to (u_)int.

8 years agosmp: Use proper signed type to get return value of read(2).
Tobias Brunner [Thu, 22 Mar 2012 15:11:39 +0000 (16:11 +0100)]
smp: Use proper signed type to get return value of read(2).

8 years agopluto: Use time_monotonic() instead of a custom implementation.
Tobias Brunner [Thu, 22 Mar 2012 13:10:59 +0000 (14:10 +0100)]
pluto: Use time_monotonic() instead of a custom implementation.

8 years agoDon't include individual glib headers in nm plugin.
Tobias Brunner [Mon, 26 Mar 2012 13:23:17 +0000 (15:23 +0200)]
Don't include individual glib headers in nm plugin.

Expections are glib/gi18n.h, glib/gi18n-lib.h, glib/gprintf.h and
glib/gstdio.h.

8 years agofixed parsing of IF-MAP SOAP responses
Andreas Steffen [Wed, 21 Mar 2012 13:25:19 +0000 (14:25 +0100)]
fixed parsing of IF-MAP SOAP responses

8 years agocorrected description
Andreas Steffen [Sat, 17 Mar 2012 22:22:25 +0000 (23:22 +0100)]
corrected description

8 years agoadded ikev2/esp-alg-sha1-160 scenario
Andreas Steffen [Sat, 17 Mar 2012 22:20:03 +0000 (23:20 +0100)]
added ikev2/esp-alg-sha1-160 scenario

8 years agoadded ikev2/esp-alg-md5-128 scenario
Andreas Steffen [Sat, 17 Mar 2012 21:56:37 +0000 (22:56 +0100)]
added ikev2/esp-alg-md5-128 scenario

8 years agoversion bump to 4.6.3dr2
Andreas Steffen [Fri, 16 Mar 2012 21:21:54 +0000 (22:21 +0100)]
version bump to 4.6.3dr2

8 years agoadded the strongswan.conf options of the tnc-pdp plugin
Andreas Steffen [Fri, 16 Mar 2012 10:14:40 +0000 (11:14 +0100)]
added the strongswan.conf options of the tnc-pdp plugin

8 years agokeep a copy of refreshed carolCert-ocsp.pem
Andreas Steffen [Thu, 15 Mar 2012 06:59:42 +0000 (07:59 +0100)]
keep a copy of refreshed carolCert-ocsp.pem

8 years agorefreshed carolCert-ocsp.pem
Andreas Steffen [Thu, 15 Mar 2012 06:58:35 +0000 (07:58 +0100)]
refreshed carolCert-ocsp.pem

8 years agoeliminate unneeded private variable
Andreas Steffen [Wed, 14 Mar 2012 20:38:30 +0000 (21:38 +0100)]
eliminate unneeded private variable

8 years agoadded tnc/tnccs-20-pdp scenario
Andreas Steffen [Wed, 14 Mar 2012 07:47:12 +0000 (08:47 +0100)]
added tnc/tnccs-20-pdp scenario

8 years agoedited description of tnc/tnccs-11-radius scenario
Andreas Steffen [Wed, 14 Mar 2012 07:46:52 +0000 (08:46 +0100)]
edited description of tnc/tnccs-11-radius scenario

8 years agouse MAX_RADIUS_ATTRIBUTE_SIZE constant from radius_message header file
Andreas Steffen [Wed, 14 Mar 2012 06:51:56 +0000 (07:51 +0100)]
use MAX_RADIUS_ATTRIBUTE_SIZE constant from radius_message header file

8 years agoversion bump to 4.6.3dr1
Andreas Steffen [Wed, 14 Mar 2012 06:45:35 +0000 (07:45 +0100)]
version bump to 4.6.3dr1

8 years agomake the mppe salt unique
Andreas Steffen [Wed, 14 Mar 2012 06:31:19 +0000 (07:31 +0100)]
make the mppe salt unique

8 years agostraightene radius_mppe header file
Andreas Steffen [Wed, 14 Mar 2012 05:52:26 +0000 (06:52 +0100)]
straightene radius_mppe header file

8 years agoimplemented MS_MPPE encryption
Andreas Steffen [Tue, 13 Mar 2012 22:26:15 +0000 (23:26 +0100)]
implemented MS_MPPE encryption

8 years agouse predefined Microsoft PEN
Andreas Steffen [Tue, 13 Mar 2012 18:23:35 +0000 (19:23 +0100)]
use predefined Microsoft PEN

8 years agouse MAX_RADIUS_ATTRIBUTE_SIZE constant
Andreas Steffen [Tue, 13 Mar 2012 17:06:56 +0000 (18:06 +0100)]
use MAX_RADIUS_ATTRIBUTE_SIZE constant

8 years agouse RADIUS_TUNNEL_TYPE_ESP defined in header file
Andreas Steffen [Tue, 13 Mar 2012 16:00:37 +0000 (17:00 +0100)]
use RADIUS_TUNNEL_TYPE_ESP defined in header file

8 years agoimplemented RADIUS Filter-ID attribute
Andreas Steffen [Tue, 13 Mar 2012 15:26:10 +0000 (16:26 +0100)]
implemented RADIUS Filter-ID attribute

8 years agoremoved double library entry
Andreas Steffen [Mon, 12 Mar 2012 07:56:48 +0000 (08:56 +0100)]
removed double library entry

8 years agoadapted debug output
Andreas Steffen [Fri, 9 Mar 2012 16:41:04 +0000 (17:41 +0100)]
adapted debug output

8 years agokeep a list of RADIUS connections with EAP method states
Andreas Steffen [Fri, 9 Mar 2012 16:38:06 +0000 (17:38 +0100)]
keep a list of RADIUS connections with EAP method states

8 years agoapply maximum RADIUS attribute size to outbound EAP messages
Andreas Steffen [Fri, 9 Mar 2012 09:20:44 +0000 (10:20 +0100)]
apply maximum RADIUS attribute size to outbound EAP messages

8 years agoread PDP server name from strongswan.conf
Andreas Steffen [Fri, 9 Mar 2012 08:28:51 +0000 (09:28 +0100)]
read PDP server name from strongswan.conf

8 years agodefine MAX_RADIUS_ATTRIBUTE_SIZE
Andreas Steffen [Fri, 9 Mar 2012 07:48:46 +0000 (08:48 +0100)]
define MAX_RADIUS_ATTRIBUTE_SIZE

8 years agodefine peer and server identities
Andreas Steffen [Thu, 8 Mar 2012 22:19:13 +0000 (23:19 +0100)]
define peer and server identities

8 years agoadded EAP_SUCCESS/FAILURE message to RADIUS Accept/Reject
Andreas Steffen [Thu, 8 Mar 2012 21:37:09 +0000 (22:37 +0100)]
added EAP_SUCCESS/FAILURE message to RADIUS Accept/Reject

8 years agoadded msg_auth flag in radius_message_t sign() method
Andreas Steffen [Thu, 8 Mar 2012 21:36:06 +0000 (22:36 +0100)]
added msg_auth flag in radius_message_t sign() method

8 years agoallow debug of raw RADIUS data
Andreas Steffen [Thu, 8 Mar 2012 20:47:27 +0000 (21:47 +0100)]
allow debug of raw RADIUS data

8 years agosimple RADIUS server example works
Andreas Steffen [Thu, 8 Mar 2012 09:22:56 +0000 (10:22 +0100)]
simple RADIUS server example works

8 years agofirst use of libradius
Andreas Steffen [Thu, 24 Nov 2011 10:02:18 +0000 (11:02 +0100)]
first use of libradius

8 years agocreated libradius shared by eap-radius and tnc-pdp plugins
Andreas Steffen [Fri, 18 Nov 2011 18:42:05 +0000 (19:42 +0100)]
created libradius shared by eap-radius and tnc-pdp plugins

8 years agocreated tnc-pdp policy decision point plugin
Andreas Steffen [Sun, 13 Nov 2011 20:56:47 +0000 (21:56 +0100)]
created tnc-pdp policy decision point plugin

8 years agoFixed crash and locking issues while unrouting connections via stroke
Martin Willi [Tue, 13 Mar 2012 09:55:58 +0000 (10:55 +0100)]
Fixed crash and locking issues while unrouting connections via stroke

8 years agoClear peer addresses during HA update.
Tobias Brunner [Fri, 9 Mar 2012 09:30:37 +0000 (10:30 +0100)]
Clear peer addresses during HA update.