strongswan.git
Tobias Brunner [Mon, 5 Jul 2010 12:53:56 +0000 (14:53 +0200)]
Fixed typo.

Martin Willi [Mon, 28 Jun 2010 14:12:06 +0000 (16:12 +0200)]
Added support for group membership information contained in the RADIUS class attribute

Martin Willi [Mon, 28 Jun 2010 13:46:13 +0000 (15:46 +0200)]
Use the group constraint in a more generic fashion, not only for attribute certificates

Martin Willi [Mon, 28 Jun 2010 13:45:07 +0000 (15:45 +0200)]
Use the responder side configured EAP-Identity directly, if given

Martin Willi [Mon, 28 Jun 2010 13:41:48 +0000 (15:41 +0200)]
Copy EAP specific attributes to auth config only

Tobias Brunner [Mon, 5 Jul 2010 07:37:49 +0000 (09:37 +0200)]
Disable EAP-GTC on Android.

The EAP-GTC plugin does not compile due to its dependency on PAM.

Andreas Steffen [Sat, 3 Jul 2010 20:14:45 +0000 (22:14 +0200)]
added IKEv2 xfrm marks support to NEWS

Andreas Steffen [Sat, 3 Jul 2010 16:18:30 +0000 (18:18 +0200)]
regenerated loop intermediate CA certificates

Andreas Steffen [Sat, 3 Jul 2010 11:25:09 +0000 (13:25 +0200)]
added ikev2/nat-two-rw-mark scenario

Andreas Steffen [Fri, 2 Jul 2010 21:45:57 +0000 (23:45 +0200)]
support of xfrm marks for IKEv2

Martin Willi [Wed, 30 Jun 2010 11:48:47 +0000 (13:48 +0200)]
Recreate IKE_SA_INIT related tasks only if they have completed

Thomas Egerer [Wed, 30 Jun 2010 11:10:56 +0000 (13:10 +0200)]
Use enumerator for queued_tasks migration to avoid infinite loop

Tobias Brunner [Wed, 30 Jun 2010 08:02:15 +0000 (10:02 +0200)]
Enabling some EAP plugins on Android.

Tobias Brunner [Wed, 30 Jun 2010 08:01:16 +0000 (10:01 +0200)]
The x509 plugin is not needed anymore on Android, using OpenSSL.

Thomas Egerer [Mon, 28 Jun 2010 20:18:25 +0000 (22:18 +0200)]
Correct check of traffic selectors before destruction

Thomas Egerer [Tue, 29 Jun 2010 06:53:05 +0000 (08:53 +0200)]
Migrate queued_tasks tasks, to avoid dangling pointers

Tobias Brunner [Mon, 28 Jun 2010 15:18:53 +0000 (17:18 +0200)]
The signature of keystore_get changed again.

With Android 2.2 (Froyo) the interface of keystore_get was changed once
again. The change was made to allow the keys to contain \0 characters.

Tobias Brunner [Thu, 24 Jun 2010 14:23:54 +0000 (16:23 +0200)]
Compiler warning fixed.

Andreas Steffen [Sun, 27 Jun 2010 20:26:00 +0000 (22:26 +0200)]
check for installed aead algorithms in kernel

Andreas Steffen [Sun, 27 Jun 2010 09:23:35 +0000 (11:23 +0200)]
upgraded xfrm.h to linux-2.6.34

Martin Willi [Thu, 24 Jun 2010 13:45:38 +0000 (15:45 +0200)]
Show contents of the CP payload in message_t stringification

Martin Willi [Thu, 24 Jun 2010 13:44:28 +0000 (15:44 +0200)]
Support the subnet attribute in the attr plugin

Tobias Brunner [Thu, 24 Jun 2010 12:44:45 +0000 (14:44 +0200)]
Increased the loglevel for the arguments received via Android control socket.

Tobias Brunner [Thu, 24 Jun 2010 12:05:53 +0000 (14:05 +0200)]
Terminate charon from the Android plugin if the tunnel goes down after it was initiated successfully.

Tobias Brunner [Thu, 24 Jun 2010 12:02:52 +0000 (14:02 +0200)]
Initiate the tunnel in the Android plugin asynchronously.

Also track its initiation using the registered listener.

Tobias Brunner [Thu, 24 Jun 2010 12:00:39 +0000 (14:00 +0200)]
Implement the listener_t interface in the Android plugin to track the status of an SA.

Tobias Brunner [Thu, 24 Jun 2010 11:57:03 +0000 (13:57 +0200)]
Helper function added to notify the Android frontend about status changes.

Tobias Brunner [Thu, 24 Jun 2010 11:42:57 +0000 (13:42 +0200)]
Initiate consumes a child_sa reference, so get an additional one.

Tobias Brunner [Thu, 24 Jun 2010 11:41:07 +0000 (13:41 +0200)]
Use the same error code constants as in the Java frontend.

Tobias Brunner [Thu, 24 Jun 2010 08:34:48 +0000 (10:34 +0200)]
Flush and destroy the send queue before unloading the socket plugins.

Martin Willi [Thu, 24 Jun 2010 10:00:56 +0000 (12:00 +0200)]
Select subjectAltName address family using address length in openssl plugin

Martin Willi [Thu, 24 Jun 2010 09:59:20 +0000 (11:59 +0200)]
Select subjectAltName address family using address length in x509 plugin

Tobias Brunner [Wed, 23 Jun 2010 09:19:37 +0000 (11:19 +0200)]
Do not install routes in the PF_KEY kernel interface if interface lookup failed.

Tobias Brunner [Tue, 22 Jun 2010 14:19:55 +0000 (16:19 +0200)]
The signature of keystore_get was changed with Android 2.x.

Tobias Brunner [Tue, 22 Jun 2010 14:18:22 +0000 (16:18 +0200)]
Avoid a segmentation fault if opening the Android control socket failed.

Tobias Brunner [Tue, 22 Jun 2010 14:15:10 +0000 (16:15 +0200)]
OpenSSL in Android 2.1+ lacks Elliptic Curve and ENGINE support.

Unfortunately, opensslconf.h was not changed accordingly.

Tobias Brunner [Tue, 22 Jun 2010 14:14:14 +0000 (16:14 +0200)]
Allow to enable the kernel-pfkey plugin via Android.mk.

Tobias Brunner [Tue, 22 Jun 2010 14:04:13 +0000 (16:04 +0200)]
Fixing the PF_KEY kernel interface on Android.

In Android's in.h IPPROTO_COMP is not #defined but just an enum member.

Tobias Brunner [Tue, 22 Jun 2010 09:33:21 +0000 (11:33 +0200)]
Fixing compilation of the OpenSSL plugin if ENGINE support is disabled.

That is, enable compilation if OpenSSL was configured with
OPENSSL_NO_ENGINE.

Tobias Brunner [Tue, 22 Jun 2010 09:28:50 +0000 (11:28 +0200)]
Fixing compilation of the OpenSSL plugin if Elliptic Curve support is disabled.

That is, enable compilation if OpenSSL was configured with
OPENSSL_NO_EC.

Martin Willi [Tue, 22 Jun 2010 07:16:04 +0000 (09:16 +0200)]
Ignore IKEv2 packets in pluto with any minor version

Martin Willi [Tue, 22 Jun 2010 07:03:41 +0000 (09:03 +0200)]
Accept IKE packets with any minor version in RAW socket

Tobias Brunner [Thu, 17 Jun 2010 16:09:34 +0000 (18:09 +0200)]
Fixed plugin checks in Android.mk files.

Heiko Hund [Fri, 18 Jun 2010 03:01:06 +0000 (05:01 +0200)]
Don't fail with an error if an attribute that is to be deleted does not exist

Tobias Brunner [Mon, 7 Jun 2010 13:33:25 +0000 (15:33 +0200)]
Fixed compiler warning.

Tobias Brunner [Tue, 11 May 2010 16:31:24 +0000 (18:31 +0200)]
Use vpn.dns* to store DNS servers (Android manages net.dns* using these).

Tobias Brunner [Tue, 4 May 2010 16:26:07 +0000 (18:26 +0200)]
Adding an interface that interacts with the Android Settings frontend.

Tobias Brunner [Tue, 4 May 2010 16:18:51 +0000 (18:18 +0200)]
Adding an Android specific credential set.

Tobias Brunner [Tue, 4 May 2010 16:13:27 +0000 (18:13 +0200)]
Adding an Android specific logger.

Tobias Brunner [Tue, 15 Jun 2010 17:40:44 +0000 (19:40 +0200)]
Adding support for the native Linux capabilities interface.

Note that this interface is deprecated and mainly added to support
Android. Use libcap, if possible.

Tobias Brunner [Tue, 15 Jun 2010 17:10:23 +0000 (19:10 +0200)]
Explicitly refer to LIBCAP in Makefiles.

Tobias Brunner [Tue, 4 May 2010 15:05:12 +0000 (17:05 +0200)]
Run as vpn user on Android.

Tobias Brunner [Tue, 15 Jun 2010 17:53:47 +0000 (19:53 +0200)]
Truncate the PID file so that even if we fail to unlink it, the daemon can be restarted properly.

Tobias Brunner [Tue, 15 Jun 2010 08:57:12 +0000 (10:57 +0200)]
Explicitly include stdint.h for UINT64_MAX.

This is required on FreeBSD 8.

Tobias Brunner [Tue, 15 Jun 2010 08:07:43 +0000 (10:07 +0200)]
Check for SADB_X_NAT_T_NEW_MAPPING in PF_KEY kernel interface.

FreeBSD 8 does not support SADB_X_NAT_T_NEW_MAPPING whereas Linux and
the previous FreeBSD NAT-T patch both do.

Tobias Brunner [Fri, 14 May 2010 13:25:59 +0000 (15:25 +0200)]
Set the ports of all hosts installed via the PF_KEY kernel interface to zero.

Andreas Steffen [Wed, 9 Jun 2010 13:21:26 +0000 (15:21 +0200)]
refer to correct PLUTO_XAUTH_ID variable

Andreas Steffen [Tue, 8 Jun 2010 21:18:51 +0000 (23:18 +0200)]
rename environment variable to PLUTO_XAUTH_ID

Andreas Steffen [Tue, 8 Jun 2010 21:18:00 +0000 (23:18 +0200)]
do not destroy xauth_id if phase2 equals phase1 connection

Andreas Steffen [Tue, 8 Jun 2010 15:50:22 +0000 (17:50 +0200)]
make an optional XAUTH user ID available in the updown script

Heiko Hund [Tue, 8 Jun 2010 10:15:42 +0000 (12:15 +0200)]
inherit XAUTH identities in Phase 2

Tobias Brunner [Mon, 7 Jun 2010 14:39:49 +0000 (16:39 +0200)]
Adding a basic unit test for hashtable_t.

Tobias Brunner [Mon, 7 Jun 2010 14:36:26 +0000 (16:36 +0200)]
Adding a remove_at method to the hash table.

This allows to remove key-value pairs while enumerating them.

Tobias Brunner [Mon, 7 Jun 2010 13:50:41 +0000 (15:50 +0200)]
Migrated hashtable_t to INIT/METHOD macros.

Thomas Egerer [Sun, 6 Jun 2010 20:50:29 +0000 (22:50 +0200)]
Add extra information in debug output for IKE_SA check{out, in}

This output helps tracing checkout and checkin of IKE_SAs when there is
more than one IKE_SA with the same name. I also added the type of
in-air exchange to the debug output issued by the task_manager in case
a task initiation is delayed; it came in handy for me.

Martin Willi [Mon, 7 Jun 2010 13:06:09 +0000 (15:06 +0200)]
traffic_selector_t is gone into libstrongswan, migrate printf hook registration, too.

Martin Willi [Mon, 7 Jun 2010 12:59:39 +0000 (14:59 +0200)]
Flush auth configs, create new keymat during SA reset

Martin Willi [Mon, 7 Jun 2010 12:58:57 +0000 (14:58 +0200)]
Recreate IKE_INIT/IKE_NATD/IKE_VENDOR tasks if we reset SA during IKE_AUTH

Martin Willi [Mon, 7 Jun 2010 12:56:24 +0000 (14:56 +0200)]
Reacquire keymat from new IKE_SA during task migration

Martin Willi [Mon, 7 Jun 2010 11:51:18 +0000 (13:51 +0200)]
Flush certificate cache on CA delete

Martin Willi [Mon, 7 Jun 2010 09:59:37 +0000 (11:59 +0200)]
Log non-empty task queues in statusall

Martin Willi [Mon, 7 Jun 2010 09:37:55 +0000 (11:37 +0200)]
Wrap task enumerator in ike_sa

Martin Willi [Mon, 7 Jun 2010 09:30:27 +0000 (09:30 +0000)]
Migrated ike_sa_t to INIT/METHOD macros

Martin Willi [Mon, 7 Jun 2010 08:45:25 +0000 (10:45 +0200)]
Added support for task enumeration in task_manager_t

Martin Willi [Mon, 7 Jun 2010 08:37:00 +0000 (10:37 +0200)]
Migrated task_manager_t to INIT/METHOD macros

Andreas Steffen [Sat, 5 Jun 2010 11:49:01 +0000 (13:49 +0200)]
use --addattr

Andreas Steffen [Sat, 5 Jun 2010 11:47:23 +0000 (13:47 +0200)]
use --addattr

Andreas Steffen [Sat, 5 Jun 2010 11:42:28 +0000 (13:42 +0200)]
added ikev2/nat-virtual-ip scenario

Andreas Steffen [Sat, 5 Jun 2010 11:36:39 +0000 (13:36 +0200)]
remove stray carolReq.pem

Andreas Steffen [Sat, 5 Jun 2010 11:17:51 +0000 (13:17 +0200)]
share pool in ikev1/mode-config-multiple scenario

Andreas Steffen [Sat, 5 Jun 2010 11:15:03 +0000 (13:15 +0200)]
use --addattr

Andreas Steffen [Sat, 5 Jun 2010 11:10:39 +0000 (13:10 +0200)]
remove stray scenario files

Martin Willi [Wed, 2 Jun 2010 08:05:43 +0000 (10:05 +0200)]
Accept ARP requests with an ethernet trailer, but trim it

Martin Willi [Wed, 2 Jun 2010 13:55:58 +0000 (15:55 +0200)]
Added a EAP-SIM/AKA backend reading triplets/quintuplets from a SQL database

Andreas Steffen [Wed, 2 Jun 2010 09:51:53 +0000 (11:51 +0200)]
fixed configuration attribute type determination

Martin Willi [Wed, 2 Jun 2010 09:43:39 +0000 (11:43 +0200)]
Disable close action for a redundant CHILD_SA resulting from a rekey collision

If a rekey collision is detected, the winning peer of the nonce compare
will delete the redundant CHILD_SA. The other peer should not enforce the
close action on this CHILD, as it would reestablish the redundant CHILD_SA.
Thanks to Thomas Egerer from secunet for pointing this out and the initial
patchset.

Martin Willi [Wed, 2 Jun 2010 09:41:46 +0000 (11:41 +0200)]
Use wrapped getters for close/dpd action

Martin Willi [Wed, 2 Jun 2010 09:40:38 +0000 (11:40 +0200)]
Wrap getters for dpd/close action into CHILD_SA, allows us to override them

Andreas Steffen [Tue, 1 Jun 2010 14:47:56 +0000 (16:47 +0200)]
ipsec pool --statusattr [--hexout] outputs attribute values in correct format if known

Andreas Steffen [Mon, 31 May 2010 14:46:47 +0000 (16:46 +0200)]
added unity_def_domain keyword to ipsec pool

Martin Willi [Mon, 31 May 2010 11:41:25 +0000 (13:41 +0200)]
Added generated manpages to .gitignore

Martin Willi [Mon, 31 May 2010 11:14:36 +0000 (13:14 +0200)]
Changed default lifetime of certificates to 3 years

Martin Willi [Mon, 31 May 2010 11:12:46 +0000 (13:12 +0200)]
Support extendedKeyUsage flags in self-signed certificates

Tobias Brunner [Sun, 30 May 2010 11:07:32 +0000 (13:07 +0200)]
IPSEC_CONFDIR in ipsec script fixed.

Tobias Brunner [Sun, 30 May 2010 11:03:04 +0000 (13:03 +0200)]
Adding the version number to the most relevant manual pages.

Tobias Brunner [Sun, 30 May 2010 09:51:30 +0000 (11:51 +0200)]
Updated and corrected the ipsec.secrets(5) manual page.

Tobias Brunner [Sat, 29 May 2010 19:10:18 +0000 (21:10 +0200)]
Updated and corrected the ipsec.conf(5) manual page.

Tobias Brunner [Sat, 29 May 2010 15:34:00 +0000 (17:34 +0200)]
Updated and corrected the ipsec(8) manual page.

Andreas Steffen [Sat, 29 May 2010 11:29:23 +0000 (13:29 +0200)]
added --leases command line option to synopsis

Andreas Steffen [Sat, 29 May 2010 11:23:20 +0000 (13:23 +0200)]
added --showattr command line option to synopsis