strongswan.git
9 years ago  Fixed leak of a hash when checking out by hash
Martin Willi [Wed, 21 Dec 2011 12:55:30 +0000 (13:55 +0100)]
Fixed leak of a hash when checking out by hash

9 years ago  Give a hint that decryption failed if payload length invalid
Martin Willi [Wed, 21 Dec 2011 12:54:40 +0000 (13:54 +0100)]
Give a hint that decryption failed if payload length invalid

9 years ago  Cast keymat safely, not based on external input
Martin Willi [Wed, 21 Dec 2011 11:39:21 +0000 (12:39 +0100)]
Cast keymat safely, not based on external input

9 years ago  Added a keymat_t version to cast it safely
Martin Willi [Wed, 21 Dec 2011 11:13:43 +0000 (12:13 +0100)]
Added a keymat_t version to cast it safely

9 years ago  Handle initiation of not supported IKE versions properly
Martin Willi [Wed, 21 Dec 2011 11:05:34 +0000 (12:05 +0100)]
Handle initiation of not supported IKE versions properly

9 years ago  Send a delete for every CHILD_SA before deleting IKE_SA
Martin Willi [Wed, 21 Dec 2011 09:53:05 +0000 (10:53 +0100)]
Send a delete for every CHILD_SA before deleting IKE_SA

9 years ago  Set used auth_class in PSKv1 authenticator to comply with constraints
Martin Willi [Tue, 20 Dec 2011 18:20:51 +0000 (19:20 +0100)]
Set used auth_class in PSKv1 authenticator to comply with constraints

9 years ago  Fixed scheduling of IKEv2 init tasks in a second keyingtry
Martin Willi [Tue, 20 Dec 2011 18:08:29 +0000 (19:08 +0100)]
Fixed scheduling of IKEv2 init tasks in a second keyingtry

9 years ago  Don't requeue IKEv1 init tasks if they already exist in a second keyingtry
Martin Willi [Tue, 20 Dec 2011 18:03:12 +0000 (19:03 +0100)]
Don't requeue IKEv1 init tasks if they already exist in a second keyingtry

9 years ago  Use IPSEC DOI also for ISAKMP SA deletes.
Tobias Brunner [Tue, 20 Dec 2011 17:49:49 +0000 (18:49 +0100)]
Use IPSEC DOI also for ISAKMP SA deletes.

9 years ago  Implemented resetting of IKEv1 task manager, enabling additional keyingtries
Martin Willi [Tue, 20 Dec 2011 17:02:01 +0000 (18:02 +0100)]
Implemented resetting of IKEv1 task manager, enabling additional keyingtries

9 years ago  Fixed migration of NATD task
Martin Willi [Tue, 20 Dec 2011 17:01:25 +0000 (18:01 +0100)]
Fixed migration of NATD task

9 years ago  Implemented migration of quick mode task
Martin Willi [Tue, 20 Dec 2011 17:01:12 +0000 (18:01 +0100)]
Implemented migration of quick mode task

9 years ago  Implemented migration of XAuth task
Martin Willi [Tue, 20 Dec 2011 17:00:57 +0000 (18:00 +0100)]
Implemented migration of XAuth task

9 years ago  Implemented migration of certificate handling tasks
Martin Willi [Tue, 20 Dec 2011 17:00:03 +0000 (18:00 +0100)]
Implemented migration of certificate handling tasks

9 years ago  Implemented migration of Main Mode task
Martin Willi [Tue, 20 Dec 2011 16:59:45 +0000 (17:59 +0100)]
Implemented migration of Main Mode task

9 years ago  Check message version before processing it on an IKE_SA
Martin Willi [Tue, 20 Dec 2011 15:23:12 +0000 (16:23 +0100)]
Check message version before processing it on an IKE_SA

9 years ago  Fix ike_version_t enum names
Martin Willi [Tue, 20 Dec 2011 15:22:56 +0000 (16:22 +0100)]
Fix ike_version_t enum names

9 years ago  Accept NULL as keymat when generating a message
Martin Willi [Tue, 20 Dec 2011 15:07:00 +0000 (16:07 +0100)]
Accept NULL as keymat when generating a message

9 years ago  Send correct INVALID_MAJOR_VERSION when receiving packet with unsupported protocol
Martin Willi [Tue, 20 Dec 2011 12:19:52 +0000 (13:19 +0100)]
Send correct INVALID_MAJOR_VERSION when receiving packet with unsupported protocol

9 years ago  Drop IKEv1 main/aggressive modes if peer too aggressive
Martin Willi [Tue, 20 Dec 2011 12:24:43 +0000 (13:24 +0100)]
Drop IKEv1 main/aggressive modes if peer too aggressive

9 years ago  Added description for the xauth-eap plugin
Martin Willi [Tue, 20 Dec 2011 10:25:25 +0000 (11:25 +0100)]
Added description for the xauth-eap plugin

9 years ago  Check if a config has been selected before narrowing selectors in quick mode
Martin Willi [Tue, 20 Dec 2011 10:15:15 +0000 (11:15 +0100)]
Check if a config has been selected before narrowing selectors in quick mode

9 years ago  Added an XAuth plugin that forwards authentication to EAP methods
Martin Willi [Mon, 19 Dec 2011 19:21:02 +0000 (20:21 +0100)]
Added an XAuth plugin that forwards authentication to EAP methods

9 years ago  Added a flag to register local credential sets exclusively, disabling all others
Martin Willi [Mon, 19 Dec 2011 19:22:18 +0000 (20:22 +0100)]
Added a flag to register local credential sets exclusively, disabling all others

9 years ago  Added missing XAuth plugin feature enum names
Martin Willi [Mon, 19 Dec 2011 17:55:41 +0000 (18:55 +0100)]
Added missing XAuth plugin feature enum names

9 years ago  Added a TODO for creating IKE_SAs with unsupported protocol version
Martin Willi [Mon, 19 Dec 2011 14:50:31 +0000 (15:50 +0100)]
Added a TODO for creating IKE_SAs with unsupported protocol version

9 years ago  Don't accept IKEv2 packets if IKEv2 disabled
Martin Willi [Mon, 19 Dec 2011 14:45:03 +0000 (15:45 +0100)]
Don't accept IKEv2 packets if IKEv2 disabled

9 years ago  Don't include ikev1/ikev2 subfolders in build when using --disable-ikev1/ikev2
Martin Willi [Mon, 19 Dec 2011 14:28:55 +0000 (15:28 +0100)]
Don't include ikev1/ikev2 subfolders in build when using --disable-ikev1/ikev2

9 years ago  Moved eap/xauth classes out of protocol specific subdirectories
Martin Willi [Mon, 19 Dec 2011 14:22:50 +0000 (15:22 +0100)]
Moved eap/xauth classes out of protocol specific subdirectories

9 years ago  Removed obsolete task header inclusion in IKE_SA
Martin Willi [Mon, 19 Dec 2011 14:20:36 +0000 (15:20 +0100)]
Removed obsolete task header inclusion in IKE_SA

9 years ago  Moved MOBIKE task creation to protocol specific task manager
Martin Willi [Mon, 19 Dec 2011 14:04:28 +0000 (15:04 +0100)]
Moved MOBIKE task creation to protocol specific task manager

9 years ago  Check in task manager if we have to requeue IKE tasks in a non-first keyingtry
Martin Willi [Mon, 19 Dec 2011 13:46:56 +0000 (14:46 +0100)]
Check in task manager if we have to requeue IKE tasks in a non-first keyingtry

9 years ago  Moved IKE_SA reauth task creation to protocol specific task manager
Martin Willi [Mon, 19 Dec 2011 13:39:05 +0000 (14:39 +0100)]
Moved IKE_SA reauth task creation to protocol specific task manager

9 years ago  Moved IKE_SA rekey task creation to protocol specific task manager
Martin Willi [Mon, 19 Dec 2011 13:35:14 +0000 (14:35 +0100)]
Moved IKE_SA rekey task creation to protocol specific task manager

9 years ago  Moved IKE_SA delete task creation to protocol specific task manager
Martin Willi [Mon, 19 Dec 2011 13:29:57 +0000 (14:29 +0100)]
Moved IKE_SA delete task creation to protocol specific task manager

9 years ago  Moved CHILD_SA delete task creation to protocol specific task manager
Martin Willi [Mon, 19 Dec 2011 13:25:14 +0000 (14:25 +0100)]
Moved CHILD_SA delete task creation to protocol specific task manager

9 years ago  Moved CHILD_SA rekey task creation to protocol specific task manager
Martin Willi [Mon, 19 Dec 2011 13:20:33 +0000 (14:20 +0100)]
Moved CHILD_SA rekey task creation to protocol specific task manager

9 years ago  Moved CHILD_SA initiate task creation to protocol specific task manager
Martin Willi [Mon, 19 Dec 2011 13:15:21 +0000 (14:15 +0100)]
Moved CHILD_SA initiate task creation to protocol specific task manager

9 years ago  Moved IKE_SA initiate task creation to protocol specific task manager
Martin Willi [Mon, 19 Dec 2011 13:15:02 +0000 (14:15 +0100)]
Moved IKE_SA initiate task creation to protocol specific task manager

9 years ago  Moved liveness checking task creation to protocol specific task manager
Martin Willi [Mon, 19 Dec 2011 12:49:09 +0000 (13:49 +0100)]
Moved liveness checking task creation to protocol specific task manager

9 years ago  Factories honor charon IKEv1/IKEv2 protocol support flags
Martin Willi [Mon, 19 Dec 2011 12:32:41 +0000 (13:32 +0100)]
Factories honor charon IKEv1/IKEv2 protocol support flags

9 years ago  Added a --disable-ikev2 option to disable IKEv2 support in charon
Martin Willi [Mon, 19 Dec 2011 12:13:45 +0000 (13:13 +0100)]
Added a --disable-ikev2 option to disable IKEv2 support in charon

9 years ago  Separated libcharon/sa directory with ikev1 and ikev2 subfolders
Martin Willi [Mon, 19 Dec 2011 12:10:29 +0000 (13:10 +0100)]
Separated libcharon/sa directory with ikev1 and ikev2 subfolders

9 years ago  Renamed ike_vendor_v1 to isakmp_vendor
Martin Willi [Mon, 19 Dec 2011 10:28:54 +0000 (11:28 +0100)]
Renamed ike_vendor_v1 to isakmp_vendor

9 years ago  Renamed ike_natd_v1 to isakmp_natd
Martin Willi [Mon, 19 Dec 2011 10:24:03 +0000 (11:24 +0100)]
Renamed ike_natd_v1 to isakmp_natd

9 years ago  Renamed ike_cert_pre_v1 to isakmp_cert_pre
Martin Willi [Mon, 19 Dec 2011 10:17:31 +0000 (11:17 +0100)]
Renamed ike_cert_pre_v1 to isakmp_cert_pre

9 years ago  Renamed ike_cert_post_v1 to isakmp_cert_post
Martin Willi [Mon, 19 Dec 2011 10:12:27 +0000 (11:12 +0100)]
Renamed ike_cert_post_v1 to isakmp_cert_post

9 years ago  Fixed fix for XAuth plugin feature matching
Martin Willi [Mon, 19 Dec 2011 10:33:06 +0000 (11:33 +0100)]
Fixed fix for XAuth plugin feature matching

9 years ago  Doxygen fixes
Martin Willi [Mon, 19 Dec 2011 09:27:40 +0000 (10:27 +0100)]
Doxygen fixes

9 years ago  Removed obsolete XAuth job
Martin Willi [Mon, 19 Dec 2011 09:22:47 +0000 (10:22 +0100)]
Removed obsolete XAuth job

9 years ago  Always use a transform number of 1 when encoding a single transform
Martin Willi [Mon, 19 Dec 2011 09:12:52 +0000 (10:12 +0100)]
Always use a transform number of 1 when encoding a single transform

9 years ago  Another set of cleanups in message.c
Martin Willi [Mon, 19 Dec 2011 09:12:33 +0000 (10:12 +0100)]
Another set of cleanups in message.c

9 years ago  Fix XAuth plugin feature matching
Martin Willi [Mon, 19 Dec 2011 09:10:57 +0000 (10:10 +0100)]
Fix XAuth plugin feature matching

9 years ago  Initiate IKE_ANY configurations with IKEv2
Martin Willi [Sat, 17 Dec 2011 13:26:04 +0000 (14:26 +0100)]
Initiate IKE_ANY configurations with IKEv2

9 years ago  Pass IKE version to peer config enumerator, filter configs
Martin Willi [Sat, 17 Dec 2011 12:31:27 +0000 (13:31 +0100)]
Pass IKE version to peer config enumerator, filter configs

9 years ago  Support an "any" IKE version for both IKEv1 or IKEv2
Martin Willi [Sat, 17 Dec 2011 11:48:14 +0000 (12:48 +0100)]
Support an "any" IKE version for both IKEv1 or IKEv2

9 years ago  Some coding style cleanups
Martin Willi [Sat, 17 Dec 2011 11:47:44 +0000 (12:47 +0100)]
Some coding style cleanups

9 years ago  Fixed notify enum names
Martin Willi [Sat, 17 Dec 2011 11:19:30 +0000 (12:19 +0100)]
Fixed notify enum names

9 years ago  Added support for iKEIntermediate flag to ipsec pki.
Tobias Brunner [Thu, 15 Dec 2011 15:56:07 +0000 (16:56 +0100)]
Added support for iKEIntermediate flag to ipsec pki.

9 years ago  Added support for iKEIntermediate X.509 extended key usage flag.
Tobias Brunner [Thu, 15 Dec 2011 15:54:49 +0000 (16:54 +0100)]
Added support for iKEIntermediate X.509 extended key usage flag.

Mac OS X requires server certificates to have this flag set.

9 years ago  Some whitespace fixes.
Tobias Brunner [Thu, 15 Dec 2011 15:51:19 +0000 (16:51 +0100)]
Some whitespace fixes.

9 years ago  Log parsed unsigned ints with proper format strings.
Tobias Brunner [Thu, 15 Dec 2011 10:22:31 +0000 (11:22 +0100)]
Log parsed unsigned ints with proper format strings.

9 years ago  Send different notifies if quick mode fails
Martin Willi [Thu, 15 Dec 2011 17:35:55 +0000 (18:35 +0100)]
Send different notifies if quick mode fails

9 years ago  Support flushing of task queue after building message in task fails
Martin Willi [Thu, 15 Dec 2011 17:23:28 +0000 (18:23 +0100)]
Support flushing of task queue after building message in task fails

9 years ago  Consider notify errors fatal only during main mode
Martin Willi [Thu, 15 Dec 2011 17:11:00 +0000 (18:11 +0100)]
Consider notify errors fatal only during main mode

9 years ago  Delete CHILD_SA if installing SA in third message fails
Martin Willi [Thu, 15 Dec 2011 17:04:39 +0000 (18:04 +0100)]
Delete CHILD_SA if installing SA in third message fails

9 years ago  Added a quick_delete task flag to enforce delete, even if CHILD_SA not found
Martin Willi [Thu, 15 Dec 2011 17:03:14 +0000 (18:03 +0100)]
Added a quick_delete task flag to enforce delete, even if CHILD_SA not found

9 years ago  Send delete if Main Mode authentication fails as initiator
Martin Willi [Thu, 15 Dec 2011 16:28:58 +0000 (17:28 +0100)]
Send delete if Main Mode authentication fails as initiator

9 years ago  Send notifies in all error cases of Main Mode
Martin Willi [Thu, 15 Dec 2011 16:04:45 +0000 (17:04 +0100)]
Send notifies in all error cases of Main Mode

9 years ago  Add some additional IKEv1 notify types
Martin Willi [Thu, 15 Dec 2011 16:04:29 +0000 (17:04 +0100)]
Add some additional IKEv1 notify types

9 years ago  Do not trust unprotected INFORMATIONALS, just print that we got one
Martin Willi [Thu, 15 Dec 2011 15:23:47 +0000 (16:23 +0100)]
Do not trust unprotected INFORMATIONALS, just print that we got one

9 years ago  Use (as client) and verify (as server) configured XAuth identities
Martin Willi [Thu, 15 Dec 2011 12:15:34 +0000 (13:15 +0100)]
Use (as client) and verify (as server) configured XAuth identities

9 years ago  Added an identity getter to XAuth methods to query the actually used identity
Martin Willi [Thu, 15 Dec 2011 12:14:33 +0000 (13:14 +0100)]
Added an identity getter to XAuth methods to query the actually used identity

9 years ago  Be a little more verbose about XAuth configs in ipsec statusall
Martin Willi [Thu, 15 Dec 2011 12:13:30 +0000 (13:13 +0100)]
Be a little more verbose about XAuth configs in ipsec statusall

9 years ago  Pass ipsec.conf xauth_identity option via stroke to charon configurations
Martin Willi [Thu, 15 Dec 2011 12:12:42 +0000 (13:12 +0100)]
Pass ipsec.conf xauth_identity option via stroke to charon configurations

9 years ago  Store Main Mode identity even if XAuth-only is used for authentication
Martin Willi [Thu, 15 Dec 2011 11:28:43 +0000 (12:28 +0100)]
Store Main Mode identity even if XAuth-only is used for authentication

9 years ago  Added an XAUTH identity to use or require for XAuth authentication
Martin Willi [Thu, 15 Dec 2011 10:58:26 +0000 (11:58 +0100)]
Added an XAUTH identity to use or require for XAuth authentication

9 years ago  Check authorization constraints after main mode completed
Martin Willi [Thu, 15 Dec 2011 10:31:02 +0000 (11:31 +0100)]
Check authorization constraints after main mode completed

9 years ago  Stop checking once a key size constraint is not fulfilled
Martin Willi [Thu, 15 Dec 2011 10:30:22 +0000 (11:30 +0100)]
Stop checking once a key size constraint is not fulfilled

9 years ago  Save authentication info collected during main mode authentication
Martin Willi [Thu, 15 Dec 2011 10:01:35 +0000 (11:01 +0100)]
Save authentication info collected during main mode authentication

9 years ago  Flush auth configs, if enabled, for both IKEv1 and IKEv2
Martin Willi [Thu, 15 Dec 2011 10:01:06 +0000 (11:01 +0100)]
Flush auth configs, if enabled, for both IKEv1 and IKEv2

9 years ago  Fixed return value if SIG payload missing
Martin Willi [Thu, 15 Dec 2011 09:01:35 +0000 (10:01 +0100)]
Fixed return value if SIG payload missing

9 years ago  Show auth method of config we are looking for in main mode
Martin Willi [Wed, 14 Dec 2011 18:45:30 +0000 (19:45 +0100)]
Show auth method of config we are looking for in main mode

9 years ago  Fixed IKEv1 prf+ keymat expansion beyond 320 bits
Martin Willi [Wed, 14 Dec 2011 16:34:57 +0000 (17:34 +0100)]
Fixed IKEv1 prf+ keymat expansion beyond 320 bits

9 years ago  Remove executable flag from source code files
Martin Willi [Wed, 14 Dec 2011 15:46:29 +0000 (16:46 +0100)]
Remove executable flag from source code files

9 years ago  Removed IKEv1 specific code from child_delete task
Martin Willi [Wed, 14 Dec 2011 15:41:32 +0000 (16:41 +0100)]
Removed IKEv1 specific code from child_delete task

9 years ago  Use IKEv1 specific tasks to close Quick Mode SAs
Martin Willi [Wed, 14 Dec 2011 15:39:44 +0000 (16:39 +0100)]
Use IKEv1 specific tasks to close Quick Mode SAs

9 years ago  Added a dedicated IKEv1 task to delete CHILD_SAs
Martin Willi [Wed, 14 Dec 2011 15:33:39 +0000 (16:33 +0100)]
Added a dedicated IKEv1 task to delete CHILD_SAs

9 years ago  Close IKE_SA directly after sending the delete
Martin Willi [Wed, 14 Dec 2011 14:33:06 +0000 (15:33 +0100)]
Close IKE_SA directly after sending the delete

9 years ago  Removed IKEv1 specific code from ike_delete task
Martin Willi [Wed, 14 Dec 2011 14:28:43 +0000 (15:28 +0100)]
Removed IKEv1 specific code from ike_delete task

9 years ago  Use the IKEv1 specific delete in IKEv1 SAs
Martin Willi [Wed, 14 Dec 2011 14:27:12 +0000 (15:27 +0100)]
Use the IKEv1 specific delete in IKEv1 SAs

9 years ago  Added a dedicated delete task for IKEv1 IKE_SAs
Martin Willi [Wed, 14 Dec 2011 14:22:39 +0000 (15:22 +0100)]
Added a dedicated delete task for IKEv1 IKE_SAs

9 years ago  Use a single task_type_t enum name for ME and non-ME variant
Martin Willi [Wed, 14 Dec 2011 14:21:35 +0000 (15:21 +0100)]
Use a single task_type_t enum name for ME and non-ME variant

9 years ago  Send certificates and requests when using Hybrid authentication
Martin Willi [Wed, 14 Dec 2011 09:56:23 +0000 (10:56 +0100)]
Send certificates and requests when using Hybrid authentication

9 years ago  Look for an XAuth authentication config both in the first and the second round
Martin Willi [Wed, 14 Dec 2011 08:44:59 +0000 (09:44 +0100)]
Look for an XAuth authentication config both in the first and the second round

9 years ago  Added hybrid authentication support to Main Mode
Martin Willi [Wed, 14 Dec 2011 08:44:39 +0000 (09:44 +0100)]
Added hybrid authentication support to Main Mode

9 years ago  Support encoding of Hybrid initiator authentication method
Martin Willi [Wed, 14 Dec 2011 08:43:44 +0000 (09:43 +0100)]
Support encoding of Hybrid initiator authentication method

9 years ago  Added an IKEv1 hybrid authenticator based on Pubkey/PSK authenticators
Martin Willi [Wed, 14 Dec 2011 08:40:43 +0000 (09:40 +0100)]
Added an IKEv1 hybrid authenticator based on Pubkey/PSK authenticators

9 years ago  Use real ID payload to build HASH_I|R for Main Mode authentication.
Tobias Brunner [Tue, 13 Dec 2011 17:56:06 +0000 (18:56 +0100)]
Use real ID payload to build HASH_I|R for Main Mode authentication.

This is required for clients like the iPhone which set the protocol
and/or port fields of the ID payload.