strongswan.git
Martin Willi [Tue, 20 Dec 2011 18:03:12 +0000 (19:03 +0100)]
Don't requeue IKEv1 init tasks if they already exist in a second keyingtry

Tobias Brunner [Tue, 20 Dec 2011 17:49:49 +0000 (18:49 +0100)]
Use IPSEC DOI also for ISAKMP SA deletes.

Martin Willi [Tue, 20 Dec 2011 17:02:01 +0000 (18:02 +0100)]
Implemented resetting of IKEv1 task manager, enabling additional keyingtries

Martin Willi [Tue, 20 Dec 2011 17:01:25 +0000 (18:01 +0100)]
Fixed migration of NATD task

Martin Willi [Tue, 20 Dec 2011 17:01:12 +0000 (18:01 +0100)]
Implemented migration of quick mode task

Martin Willi [Tue, 20 Dec 2011 17:00:57 +0000 (18:00 +0100)]
Implemented migration of XAuth task

Martin Willi [Tue, 20 Dec 2011 17:00:03 +0000 (18:00 +0100)]
Implemented migration of certificate handling tasks

Martin Willi [Tue, 20 Dec 2011 16:59:45 +0000 (17:59 +0100)]
Implemented migration of Main Mode task

Martin Willi [Tue, 20 Dec 2011 15:23:12 +0000 (16:23 +0100)]
Check message version before processing it on an IKE_SA

Martin Willi [Tue, 20 Dec 2011 15:22:56 +0000 (16:22 +0100)]
Fix ike_version_t enum names

Martin Willi [Tue, 20 Dec 2011 15:07:00 +0000 (16:07 +0100)]
Accept NULL as keymat when generating a message

Martin Willi [Tue, 20 Dec 2011 12:19:52 +0000 (13:19 +0100)]
Send correct INVALID_MAJOR_VERSION when receiving packet with unsupported protocol

Martin Willi [Tue, 20 Dec 2011 12:24:43 +0000 (13:24 +0100)]
Drop IKEv1 main/aggressive modes if peer too aggressive

Martin Willi [Tue, 20 Dec 2011 10:25:25 +0000 (11:25 +0100)]
Added description for the xauth-eap plugin

Martin Willi [Tue, 20 Dec 2011 10:15:15 +0000 (11:15 +0100)]
Check if a config has been selected before narrowing selectors in quick mode

Martin Willi [Mon, 19 Dec 2011 19:21:02 +0000 (20:21 +0100)]
Added an XAuth plugin that forwards authentication to EAP methods

Martin Willi [Mon, 19 Dec 2011 19:22:18 +0000 (20:22 +0100)]
Added a flag to register local credential sets exclusively, disabling all others

Martin Willi [Mon, 19 Dec 2011 17:55:41 +0000 (18:55 +0100)]
Added missing XAuth plugin feature enum names

Martin Willi [Mon, 19 Dec 2011 14:50:31 +0000 (15:50 +0100)]
Added a TODO for creating IKE_SAs with unsupported protocol version

Martin Willi [Mon, 19 Dec 2011 14:45:03 +0000 (15:45 +0100)]
Don't accept IKEv2 packets if IKEv2 disabled

Martin Willi [Mon, 19 Dec 2011 14:28:55 +0000 (15:28 +0100)]
Don't include ikev1/ikev2 subfolders in build when using --disable-ikev1/ikev2

Martin Willi [Mon, 19 Dec 2011 14:22:50 +0000 (15:22 +0100)]
Moved eap/xauth classes out of protocol specific subdirectories

Martin Willi [Mon, 19 Dec 2011 14:20:36 +0000 (15:20 +0100)]
Removed obsolete task header inclusion in IKE_SA

Martin Willi [Mon, 19 Dec 2011 14:04:28 +0000 (15:04 +0100)]
Moved MOBIKE task creation to protocol specific task manager

Martin Willi [Mon, 19 Dec 2011 13:46:56 +0000 (14:46 +0100)]
Check in task manager if we have to requeue IKE tasks in a non-first keyingtry

Martin Willi [Mon, 19 Dec 2011 13:39:05 +0000 (14:39 +0100)]
Moved IKE_SA reauth task creation to protocol specific task manager

Martin Willi [Mon, 19 Dec 2011 13:35:14 +0000 (14:35 +0100)]
Moved IKE_SA rekey task creation to protocol specific task manager

Martin Willi [Mon, 19 Dec 2011 13:29:57 +0000 (14:29 +0100)]
Moved IKE_SA delete task creation to protocol specific task manager

Martin Willi [Mon, 19 Dec 2011 13:25:14 +0000 (14:25 +0100)]
Moved CHILD_SA delete task creation to protocol specific task manager

Martin Willi [Mon, 19 Dec 2011 13:20:33 +0000 (14:20 +0100)]
Moved CHILD_SA rekey task creation to protocol specific task manager

Martin Willi [Mon, 19 Dec 2011 13:15:21 +0000 (14:15 +0100)]
Moved CHILD_SA initiate task creation to protocol specific task manager

Martin Willi [Mon, 19 Dec 2011 13:15:02 +0000 (14:15 +0100)]
Moved IKE_SA initiate task creation to protocol specific task manager

Martin Willi [Mon, 19 Dec 2011 12:49:09 +0000 (13:49 +0100)]
Moved liveness checking task creation to protocol specific task manager

Martin Willi [Mon, 19 Dec 2011 12:32:41 +0000 (13:32 +0100)]
Factories honor charon IKEv1/IKEv2 protocol support flags

Martin Willi [Mon, 19 Dec 2011 12:13:45 +0000 (13:13 +0100)]
Added a --disable-ikev2 option to disable IKEv2 support in charon

Martin Willi [Mon, 19 Dec 2011 12:10:29 +0000 (13:10 +0100)]
Separated libcharon/sa directory with ikev1 and ikev2 subfolders

Martin Willi [Mon, 19 Dec 2011 10:28:54 +0000 (11:28 +0100)]
Renamed ike_vendor_v1 to isakmp_vendor

Martin Willi [Mon, 19 Dec 2011 10:24:03 +0000 (11:24 +0100)]
Renamed ike_natd_v1 to isakmp_natd

Martin Willi [Mon, 19 Dec 2011 10:17:31 +0000 (11:17 +0100)]
Renamed ike_cert_pre_v1 to isakmp_cert_pre

Martin Willi [Mon, 19 Dec 2011 10:12:27 +0000 (11:12 +0100)]
Renamed ike_cert_post_v1 to isakmp_cert_post

Martin Willi [Mon, 19 Dec 2011 10:33:06 +0000 (11:33 +0100)]
Fixed fix for XAuth plugin feature matching

Martin Willi [Mon, 19 Dec 2011 09:27:40 +0000 (10:27 +0100)]
Doxygen fixes

Martin Willi [Mon, 19 Dec 2011 09:22:47 +0000 (10:22 +0100)]
Removed obsolete XAuth job

Martin Willi [Mon, 19 Dec 2011 09:12:52 +0000 (10:12 +0100)]
Always use a transform number of 1 when encoding a single transform

Martin Willi [Mon, 19 Dec 2011 09:12:33 +0000 (10:12 +0100)]
Another set of cleanups in message.c

Martin Willi [Mon, 19 Dec 2011 09:10:57 +0000 (10:10 +0100)]
Fix XAuth plugin feature matching

Martin Willi [Sat, 17 Dec 2011 13:26:04 +0000 (14:26 +0100)]
Initiate IKE_ANY configurations with IKEv2

Martin Willi [Sat, 17 Dec 2011 12:31:27 +0000 (13:31 +0100)]
Pass IKE version to peer config enumerator, filter configs

Martin Willi [Sat, 17 Dec 2011 11:48:14 +0000 (12:48 +0100)]
Support an "any" IKE version for both IKEv1 or IKEv2

Martin Willi [Sat, 17 Dec 2011 11:47:44 +0000 (12:47 +0100)]
Some coding style cleanups

Martin Willi [Sat, 17 Dec 2011 11:19:30 +0000 (12:19 +0100)]
Fixed notify enum names

Tobias Brunner [Thu, 15 Dec 2011 15:56:07 +0000 (16:56 +0100)]
Added support for iKEIntermediate flag to ipsec pki.

Tobias Brunner [Thu, 15 Dec 2011 15:54:49 +0000 (16:54 +0100)]
Added support for iKEIntermediate X.509 extended key usage flag.

Mac OS X requires server certificates to have this flag set.

Tobias Brunner [Thu, 15 Dec 2011 15:51:19 +0000 (16:51 +0100)]
Some whitespace fixes.

Tobias Brunner [Thu, 15 Dec 2011 10:22:31 +0000 (11:22 +0100)]
Log parsed unsigned ints with proper format strings.

Martin Willi [Thu, 15 Dec 2011 17:35:55 +0000 (18:35 +0100)]
Send different notifies if quick mode fails

Martin Willi [Thu, 15 Dec 2011 17:23:28 +0000 (18:23 +0100)]
Support flushing of task queue after building message in task fails

Martin Willi [Thu, 15 Dec 2011 17:11:00 +0000 (18:11 +0100)]
Consider notify errors fatal only during main mode

Martin Willi [Thu, 15 Dec 2011 17:04:39 +0000 (18:04 +0100)]
Delete CHILD_SA if installing SA in third message fails

Martin Willi [Thu, 15 Dec 2011 17:03:14 +0000 (18:03 +0100)]
Added a quick_delete task flag to enforce delete, even if CHILD_SA not found

Martin Willi [Thu, 15 Dec 2011 16:28:58 +0000 (17:28 +0100)]
Send delete if Main Mode authentication fails as initiator

Martin Willi [Thu, 15 Dec 2011 16:04:45 +0000 (17:04 +0100)]
Send notifies in all error cases of Main Mode

Martin Willi [Thu, 15 Dec 2011 16:04:29 +0000 (17:04 +0100)]
Add some additional IKEv1 notify types

Martin Willi [Thu, 15 Dec 2011 15:23:47 +0000 (16:23 +0100)]
Do not trust unprotected INFORMATIONALS, just print that we got one

Martin Willi [Thu, 15 Dec 2011 12:15:34 +0000 (13:15 +0100)]
Use (as client) and verify (as server) configured XAuth identities

Martin Willi [Thu, 15 Dec 2011 12:14:33 +0000 (13:14 +0100)]
Added an identity getter to XAuth methods to query the actually used identity

Martin Willi [Thu, 15 Dec 2011 12:13:30 +0000 (13:13 +0100)]
Be a little more verbose about XAuth configs in ipsec statusall

Martin Willi [Thu, 15 Dec 2011 12:12:42 +0000 (13:12 +0100)]
Pass ipsec.conf xauth_identity option via stroke to charon configurations

Martin Willi [Thu, 15 Dec 2011 11:28:43 +0000 (12:28 +0100)]
Store Main Mode identity even if XAuth-only is used for authentication

Martin Willi [Thu, 15 Dec 2011 10:58:26 +0000 (11:58 +0100)]
Added an XAUTH identity to use or require for XAuth authentication

Martin Willi [Thu, 15 Dec 2011 10:31:02 +0000 (11:31 +0100)]
Check authorization constraints after main mode completed

Martin Willi [Thu, 15 Dec 2011 10:30:22 +0000 (11:30 +0100)]
Stop checking once a key size constraint is not fulfilled

Martin Willi [Thu, 15 Dec 2011 10:01:35 +0000 (11:01 +0100)]
Save authentication info collected during main mode authentication

Martin Willi [Thu, 15 Dec 2011 10:01:06 +0000 (11:01 +0100)]
Flush auth configs, if enabled, for both IKEv1 and IKEv2

Martin Willi [Thu, 15 Dec 2011 09:01:35 +0000 (10:01 +0100)]
Fixed return value if SIG payload missing

Martin Willi [Wed, 14 Dec 2011 18:45:30 +0000 (19:45 +0100)]
Show auth method of config we are looking for in main mode

Martin Willi [Wed, 14 Dec 2011 16:34:57 +0000 (17:34 +0100)]
Fixed IKEv1 prf+ keymat expansion beyond 320 bits

Martin Willi [Wed, 14 Dec 2011 15:46:29 +0000 (16:46 +0100)]
Remove executable flag from source code files

Martin Willi [Wed, 14 Dec 2011 15:41:32 +0000 (16:41 +0100)]
Removed IKEv1 specific code from child_delete task

Martin Willi [Wed, 14 Dec 2011 15:39:44 +0000 (16:39 +0100)]
Use IKEv1 specific tasks to close Quick Mode SAs

Martin Willi [Wed, 14 Dec 2011 15:33:39 +0000 (16:33 +0100)]
Added a dedicated IKEv1 task to delete CHILD_SAs

Martin Willi [Wed, 14 Dec 2011 14:33:06 +0000 (15:33 +0100)]
Close IKE_SA directly after sending the delete

Martin Willi [Wed, 14 Dec 2011 14:28:43 +0000 (15:28 +0100)]
Removed IKEv1 specific code from ike_delete task

Martin Willi [Wed, 14 Dec 2011 14:27:12 +0000 (15:27 +0100)]
Use the IKEv1 specific delete in IKEv1 SAs

Martin Willi [Wed, 14 Dec 2011 14:22:39 +0000 (15:22 +0100)]
Added a dedicated delete task for IKEv1 IKE_SAs

Martin Willi [Wed, 14 Dec 2011 14:21:35 +0000 (15:21 +0100)]
Use a single task_type_t enum name for ME and non-ME variant

Martin Willi [Wed, 14 Dec 2011 09:56:23 +0000 (10:56 +0100)]
Send certificates and requests when using Hybrid authentication

Martin Willi [Wed, 14 Dec 2011 08:44:59 +0000 (09:44 +0100)]
Look for an XAuth authentication config both in the first and the second round

Martin Willi [Wed, 14 Dec 2011 08:44:39 +0000 (09:44 +0100)]
Added hybrid authentication support to Main Mode

Martin Willi [Wed, 14 Dec 2011 08:43:44 +0000 (09:43 +0100)]
Support encoding of Hybrid initiator authentication method

Martin Willi [Wed, 14 Dec 2011 08:40:43 +0000 (09:40 +0100)]
Added an IKEv1 hybrid authenticator based on Pubkey/PSK authenticators

Tobias Brunner [Tue, 13 Dec 2011 17:56:06 +0000 (18:56 +0100)]
Use real ID payload to build HASH_I|R for Main Mode authentication.

This is required for clients like the iPhone which set the protocol
and/or port fields of the ID payload.

Tobias Brunner [Tue, 13 Dec 2011 17:53:44 +0000 (18:53 +0100)]
Create authenticators right when they are used during Main Mode.

Tobias Brunner [Tue, 13 Dec 2011 16:12:23 +0000 (17:12 +0100)]
Added method to get encoded version of ID_V1 payload.

Martin Willi [Tue, 13 Dec 2011 15:21:47 +0000 (16:21 +0100)]
Ignore additional TRANSACTION request if we already queued one

Martin Willi [Tue, 13 Dec 2011 15:14:17 +0000 (16:14 +0100)]
Keep a history of received response hashes to detect late retransmissions

If we receive an old response and we already sent out the next request,
we must be able to identify that it is not the response to the new
request.

Martin Willi [Tue, 13 Dec 2011 14:32:53 +0000 (15:32 +0100)]
Narrow down received and configured traffic selector to a common subset

Martin Willi [Tue, 13 Dec 2011 14:10:26 +0000 (15:10 +0100)]
Don't send a retransmit for a request we never have sent a response

Martin Willi [Tue, 13 Dec 2011 13:52:50 +0000 (14:52 +0100)]
Print unsigned IKEv1 message IDs

Tobias Brunner [Tue, 13 Dec 2011 12:09:56 +0000 (13:09 +0100)]
Log selected peer config during Main Mode.