strongswan.git
testing: Adding kernel-netlink to pluto.load statements.
Tobias Brunner [Tue, 3 Aug 2010 11:05:33 +0000 (13:05 +0200)]

testing: Added missing host alice to test.conf.
Tobias Brunner [Tue, 3 Aug 2010 11:30:16 +0000 (13:30 +0200)]

Charon specific strongswan.conf options generalized.
Tobias Brunner [Tue, 3 Aug 2010 10:23:14 +0000 (12:23 +0200)]

pluto: Listen for kernel events via libhydra's kernel interface.
Tobias Brunner [Tue, 3 Aug 2010 09:58:47 +0000 (11:58 +0200)]

pluto: Adapted kernel.c to changed kernel interface.
Tobias Brunner [Tue, 3 Aug 2010 09:53:40 +0000 (11:53 +0200)]

Adapted child_sa_t to changed kernel interface.
Tobias Brunner [Tue, 3 Aug 2010 09:50:56 +0000 (11:50 +0200)]

Fixing installation of trap policies (SPI=0) in kernel interface.
Tobias Brunner [Tue, 3 Aug 2010 09:49:28 +0000 (11:49 +0200)]

pluto: Do not close all file descriptors on startup, just redirect stdin, stdout and stderr to /dev/null.
Tobias Brunner [Fri, 30 Jul 2010 10:16:24 +0000 (12:16 +0200)]

Otherwise the pipe used to synchronize pluto->events with the main
thread would be closed.
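The failure mode this commit describes, shown as an added example that is not pluto's code: a daemon keeps a pipe for waking its main thread, then detaches once with the old strategy (close every descriptor above stderr) and once with the new one (redirect only stdin, stdout and stderr to /dev/null). Only the second leaves the pipe usable. All function names are this example's own, and the 1024 descriptor cap is an example simplification.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Old strategy: close every descriptor above stderr. A pipe the daemon set
 * up before detaching goes with it. (The real loop runs to the process's
 * descriptor limit; capped at 1024 here only to keep the example quick.) */
static void detach_close_all(void)
{
	long maxfd = sysconf(_SC_OPEN_MAX);
	if (maxfd < 0 || maxfd > 1024) maxfd = 1024;
	for (int fd = STDERR_FILENO + 1; fd < maxfd; fd++) close(fd);
}

/* New strategy: detach only stdin, stdout and stderr by pointing them at
 * /dev/null. Every other descriptor, the pipe included, stays open. */
static int detach_redirect_stdio(void)
{
	int null = open("/dev/null", O_RDWR);
	if (null < 0) return -1;
	int ok = dup2(null, STDIN_FILENO) >= 0 &&
			 dup2(null, STDOUT_FILENO) >= 0 &&
			 dup2(null, STDERR_FILENO) >= 0;
	if (null > STDERR_FILENO) close(null);
	return ok ? 0 : -1;
}

/* Push one byte through the pipe and read it back, as a pool thread waking
 * the main thread would. Returns 1 on success, 0 if an end is unusable
 * (write or read fails, typically with EBADF after detach_close_all). */
static int pipe_roundtrip(int fds[2])
{
	char out = 'e', in = 0;
	if (write(fds[1], &out, 1) != 1) return 0;
	if (read(fds[0], &in, 1) != 1) return 0;
	return in == out;
}

/* Create the pipe, detach in a forked child with the chosen strategy and
 * report whether the child can still use the pipe afterwards.
 * Returns 1 (pipe usable), 0 (pipe broken) or -1 on a setup error. */
static int pipe_survives_detach(int use_redirect)
{
	int fds[2], status;
	pid_t pid;
	if (pipe(fds) < 0) return -1;
	pid = fork();
	if (pid < 0) return -1;
	if (pid == 0) {
		if (use_redirect) detach_redirect_stdio(); else detach_close_all();
		_exit(pipe_roundtrip(fds));
	}
	close(fds[0]);
	close(fds[1]);
	if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
	return WEXITSTATUS(status);
}
```

pipe_survives_detach(1) returns 1 and pipe_survives_detach(0) returns 0: the redirect keeps the event pipe alive, the blanket close kills it. The detach runs in a forked child so the caller's own standard streams are untouched.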

pluto: Added a generic event queue.
Tobias Brunner [Fri, 30 Jul 2010 09:51:15 +0000 (11:51 +0200)]

This allows arbitrary callbacks to be executed easily in the context of the pluto
main thread (e.g. in order to synchronize with threads from the thread-pool).
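One way to build the queue this commit describes, as an added example rather than pluto's implementation: pool threads append a callback under a mutex and write one byte to a pipe; the main thread polls the pipe, drains it, and runs the queued callbacks in its own context. The types, names and the 16-thread demo limit are this example's assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <poll.h>
#include <pthread.h>
#include <stdlib.h>
#include <unistd.h>

typedef struct event_t { void (*cb)(void *); void *arg; struct event_t *next; } event_t;

/* Callbacks waiting to run on the main thread. The mutex guards the list;
 * the pipe only wakes the main thread's poll(), one byte per post. */
typedef struct {
	pthread_mutex_t mutex;
	event_t *head, *tail;
	int wake[2];	/* wake[0] polled by the main thread, wake[1] written by posters */
} event_queue_t;

static int event_queue_init(event_queue_t *q)
{
	q->head = q->tail = NULL;
	if (pipe(q->wake) < 0) return -1;
	fcntl(q->wake[0], F_SETFL, O_NONBLOCK);	/* draining must never block */
	return pthread_mutex_init(&q->mutex, NULL) == 0 ? 0 : -1;
}

/* Any thread: append a callback, then nudge the main thread. */
static int event_queue_post(event_queue_t *q, void (*cb)(void *), void *arg)
{
	event_t *ev = malloc(sizeof(*ev));
	char byte = 0;
	if (!ev) return -1;
	ev->cb = cb; ev->arg = arg; ev->next = NULL;
	pthread_mutex_lock(&q->mutex);
	if (q->tail) q->tail->next = ev; else q->head = ev;
	q->tail = ev;
	pthread_mutex_unlock(&q->mutex);
	return write(q->wake[1], &byte, 1) == 1 ? 0 : -1;
}

/* Main thread only: wait up to timeout_ms for a wake-up, drain the pipe and
 * run everything queued in this thread's context. Returns the number of
 * callbacks run (0 after a stale wake-up), or -1 on timeout or error. */
static int event_queue_dispatch(event_queue_t *q, int timeout_ms)
{
	struct pollfd pfd = { .fd = q->wake[0], .events = POLLIN };
	char drain[64];
	event_t *list;
	int count = 0;
	if (poll(&pfd, 1, timeout_ms) <= 0) return -1;
	while (read(q->wake[0], drain, sizeof(drain)) > 0) {}
	pthread_mutex_lock(&q->mutex);
	list = q->head;
	q->head = q->tail = NULL;
	pthread_mutex_unlock(&q->mutex);
	while (list) {
		event_t *next = list->next;
		list->cb(list->arg);	/* runs here, on the dispatching thread */
		free(list);
		list = next;
		count++;
	}
	return count;
}

/* Demo: pool threads post events, the main thread dispatches them and the
 * callback records which thread it actually ran on. */
static pthread_t main_thread;
static int ran_on_main, ran_elsewhere;
typedef struct { event_queue_t *queue; int posts; } worker_t;

static void count_cb(void *arg)
{
	(void)arg;
	if (pthread_equal(pthread_self(), main_thread)) ran_on_main++; else ran_elsewhere++;
}

static void *worker_run(void *arg)
{
	worker_t *w = arg;
	for (int i = 0; i < w->posts; i++) event_queue_post(w->queue, count_cb, NULL);
	return NULL;
}

/* Returns how many callbacks ran on the main thread, or -1 if any ran on a
 * worker or the queue stalled. workers must be <= 16. */
static int run_demo(int workers, int posts)
{
	event_queue_t q;
	pthread_t threads[16];
	worker_t w = { &q, posts };
	int started = 0, done = 0, total;
	if (workers > 16 || event_queue_init(&q) < 0) return -1;
	main_thread = pthread_self();
	ran_on_main = ran_elsewhere = 0;
	for (; started < workers; started++)
		if (pthread_create(&threads[started], NULL, worker_run, &w) != 0) break;
	total = started * posts;
	while (done < total) {
		int n = event_queue_dispatch(&q, 2000);
		if (n < 0) break;
		done += n;
	}
	for (int i = 0; i < started; i++) pthread_join(threads[i], NULL);
	close(q.wake[0]); close(q.wake[1]); pthread_mutex_destroy(&q.mutex);
	return (done == total && ran_elsewhere == 0) ? ran_on_main : -1;
}
```

run_demo(4, 250) returns 1000: every callback posted from the four workers executes on the thread that called dispatch, which is the property the commit wants for pluto's main thread. Stale wake-ups (a byte left over after a batch was already drained) are harmless because dispatch simply finds an empty list.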

pluto: Fixed the reqid that is passed to the updown script.
Tobias Brunner [Thu, 29 Jul 2010 11:37:39 +0000 (13:37 +0200)]

pluto: Migrated setup_half_ipsec_sa to libhydra's kernel interface.
Tobias Brunner [Thu, 29 Jul 2010 11:36:23 +0000 (13:36 +0200)]

pluto: Removed unneeded get_proto_reqid.
Tobias Brunner [Thu, 29 Jul 2010 11:33:48 +0000 (13:33 +0200)]

We will use the same reqid for all protocols, as in charon.

pluto: Added missing return_on in out_sa.
Tobias Brunner [Thu, 29 Jul 2010 10:24:18 +0000 (12:24 +0200)]

pluto: Use time_monotonic() instead of time() for use time calculation.
Tobias Brunner [Thu, 29 Jul 2010 10:19:48 +0000 (12:19 +0200)]

That's because get_sa_info now returns a monotonic timestamp.

pluto: Removed KLIPS specific code from was_eroute_idle.
Tobias Brunner [Thu, 29 Jul 2010 16:09:44 +0000 (18:09 +0200)]

pluto: Migrated get_sa_info to libhydra's kernel interface.
Tobias Brunner [Thu, 29 Jul 2010 10:19:03 +0000 (12:19 +0200)]

pluto: Migrated teardown_half_ipsec_sa to libhydra's kernel interface.
Tobias Brunner [Thu, 29 Jul 2010 09:24:46 +0000 (11:24 +0200)]

pluto: Adapted sag_eroute to the new signature of eroute_connection.
Tobias Brunner [Thu, 29 Jul 2010 09:01:30 +0000 (11:01 +0200)]

pluto: Migrated raw_eroute to libhydra's kernel interface.
Tobias Brunner [Thu, 29 Jul 2010 08:41:36 +0000 (10:41 +0200)]

This introduces a new struct to pass the protocol information like SPIs.
Also adapted eroute_connection and the simple calls of raw_eroute to
the new signature.

pluto: Added a function to create a traffic_selector_t from an ip_subnet.
Tobias Brunner [Thu, 29 Jul 2010 08:46:45 +0000 (10:46 +0200)]

pluto: Migrated update_ipsec_sa to libhydra's kernel interface.
Tobias Brunner [Tue, 27 Jul 2010 17:13:51 +0000 (19:13 +0200)]

pluto: Functions to convert IKEv1 ESP algos to IKEv2 identifiers added.
Tobias Brunner [Tue, 27 Jul 2010 16:05:38 +0000 (18:05 +0200)]

pluto: Refactored IKEv2/IKEv1 crypto algorithm conversion functions.
Tobias Brunner [Tue, 27 Jul 2010 16:01:40 +0000 (18:01 +0200)]

Do not overwrite the original mode when installing policies.
Tobias Brunner [Tue, 27 Jul 2010 15:38:03 +0000 (17:38 +0200)]

The mode is later used to decide if a route has to be installed.

pluto: Removed KLIPS specific algorithm detection.
Tobias Brunner [Mon, 26 Jul 2010 08:41:18 +0000 (10:41 +0200)]

pluto: Removed KLIPS specific bare shunt scanning.
Tobias Brunner [Tue, 20 Jul 2010 11:25:29 +0000 (13:25 +0200)]

Added support for different policy types in kernel_netlink plugin.
Tobias Brunner [Mon, 19 Jul 2010 16:50:19 +0000 (18:50 +0200)]

Added an option to specify the type of a policy to kernel_ipsec.add_policy.
Tobias Brunner [Mon, 19 Jul 2010 16:38:29 +0000 (18:38 +0200)]

This will later allow us to support pluto's passthrough and drop
policies in charon.

pluto: Migrated get_my_cpi to libhydra's kernel interface.
Tobias Brunner [Mon, 19 Jul 2010 08:19:29 +0000 (10:19 +0200)]

pluto: Migrated get_ipsec_spi to libhydra's kernel interface.
Tobias Brunner [Thu, 15 Jul 2010 12:10:25 +0000 (14:10 +0200)]

Added support for combined IPComp/ESP/AH policies in kernel_netlink plugin.
Tobias Brunner [Mon, 19 Jul 2010 10:31:39 +0000 (12:31 +0200)]

Replaced the protocol argument in add_policy with an optional SPI for an AH SA.
Tobias Brunner [Mon, 19 Jul 2010 09:25:47 +0000 (11:25 +0200)]

Initialize the thread pool in pluto.
Tobias Brunner [Tue, 13 Jul 2010 11:18:04 +0000 (13:18 +0200)]

Refer to scheduler and processor via lib and not hydra.
Tobias Brunner [Thu, 15 Jul 2010 12:49:41 +0000 (14:49 +0200)]

Moved scheduler and thread pool to libstrongswan.
Tobias Brunner [Thu, 15 Jul 2010 12:26:19 +0000 (14:26 +0200)]

Moved all kernel plugins to libhydra.
Tobias Brunner [Mon, 12 Jul 2010 16:10:16 +0000 (18:10 +0200)]

Moved ipsec_transform_t to kernel_ipsec.h in libhydra.
Tobias Brunner [Mon, 12 Jul 2010 15:40:37 +0000 (17:40 +0200)]

Because of this, libfreeswan, pluto, starter etc. now depend on that
file (and libhydra). This resolved some duplicate declarations.

Refer to kernel interface via hydra and not charon.
Tobias Brunner [Mon, 12 Jul 2010 09:14:54 +0000 (11:14 +0200)]

Moved kernel interface to libhydra.
Tobias Brunner [Mon, 12 Jul 2010 08:57:46 +0000 (10:57 +0200)]

Removed references to protocol_id_t from kernel interface.
Tobias Brunner [Mon, 12 Jul 2010 08:35:19 +0000 (10:35 +0200)]

Instead we use the actual IP protocol identifier (the conversion now happens in
child_sa_t and kernel_handler_t).

Migrated child_sa_t to INIT/METHOD macros.
Tobias Brunner [Mon, 12 Jul 2010 07:38:39 +0000 (09:38 +0200)]

Moved roam job creation to kernel event handler.
Tobias Brunner [Tue, 6 Jul 2010 14:03:09 +0000 (16:03 +0200)]

Refer to scheduler via hydra and not charon.
Tobias Brunner [Tue, 6 Jul 2010 11:23:42 +0000 (13:23 +0200)]

Moved scheduler_t to libhydra.
Tobias Brunner [Tue, 6 Jul 2010 11:13:39 +0000 (13:13 +0200)]

Moved migrate job creation to kernel event handler.
Tobias Brunner [Tue, 6 Jul 2010 10:46:40 +0000 (12:46 +0200)]

Moved update SA job creation to kernel event handler.
Tobias Brunner [Tue, 6 Jul 2010 10:34:15 +0000 (12:34 +0200)]

Moved delete/rekey CHILD_SA job creation to kernel event handler.
Tobias Brunner [Tue, 6 Jul 2010 10:09:06 +0000 (12:09 +0200)]

Moved acquire job creation to kernel event handler.
Tobias Brunner [Tue, 6 Jul 2010 09:50:43 +0000 (11:50 +0200)]

Added kernel event handler stub.
Tobias Brunner [Tue, 6 Jul 2010 09:36:58 +0000 (11:36 +0200)]

All kernel listener hooks are optional.
Tobias Brunner [Tue, 6 Jul 2010 14:09:06 +0000 (16:09 +0200)]

Added listener handling to kernel interface.
Tobias Brunner [Tue, 6 Jul 2010 11:02:01 +0000 (13:02 +0200)]

Added an interface for kernel event listeners.
Tobias Brunner [Tue, 6 Jul 2010 07:28:12 +0000 (09:28 +0200)]

Some minor comment fixes.
Tobias Brunner [Tue, 6 Jul 2010 08:48:55 +0000 (10:48 +0200)]

Some whitespace and code style fixes.
Tobias Brunner [Mon, 5 Jul 2010 16:52:50 +0000 (18:52 +0200)]

Do not include files from libcharon in libhydra.
Tobias Brunner [Mon, 5 Jul 2010 16:49:41 +0000 (18:49 +0200)]

Move callback_job_t to libhydra.
Tobias Brunner [Mon, 5 Jul 2010 13:32:54 +0000 (15:32 +0200)]

Fixing Doxygen groups after moving processor.
Tobias Brunner [Mon, 5 Jul 2010 13:24:58 +0000 (15:24 +0200)]

Refer to processor via hydra and not charon.
Tobias Brunner [Mon, 5 Jul 2010 11:52:05 +0000 (13:52 +0200)]

Move processor_t (thread-pool) to libhydra.
Tobias Brunner [Mon, 5 Jul 2010 11:46:04 +0000 (13:46 +0200)]

Support different hash/sig algorithms in handshake signing, including ECDSA
Martin Willi [Thu, 2 Sep 2010 08:29:32 +0000 (10:29 +0200)]

Added TLS ClientCertificateType identifiers
Martin Willi [Thu, 2 Sep 2010 08:05:11 +0000 (10:05 +0200)]

Added TLS specific Hash and Signature Algorithm identifiers
Martin Willi [Thu, 2 Sep 2010 07:21:45 +0000 (09:21 +0200)]

Fixed typos in tls_writer method descriptions
Martin Willi [Thu, 2 Sep 2010 08:28:51 +0000 (10:28 +0200)]

Respect key types in stroke key/certificate backend
Martin Willi [Thu, 2 Sep 2010 10:37:27 +0000 (12:37 +0200)]

Added an enumerator for registered credential builders
Martin Willi [Thu, 2 Sep 2010 07:46:09 +0000 (09:46 +0200)]

Migrated credential_factory to INIT/METHOD macros
Martin Willi [Thu, 2 Sep 2010 07:30:48 +0000 (09:30 +0200)]

adapted evaltest.dat to new RULE_OCSP_VALIDATION
Andreas Steffen [Wed, 1 Sep 2010 20:22:27 +0000 (22:22 +0200)]

cosmetics in debug output
Andreas Steffen [Wed, 1 Sep 2010 12:30:14 +0000 (14:30 +0200)]

defined aaa_identity
Andreas Steffen [Tue, 31 Aug 2010 22:16:19 +0000 (00:16 +0200)]

increase number of messages due to large certificate payloads
Andreas Steffen [Tue, 31 Aug 2010 22:11:23 +0000 (00:11 +0200)]

clarified debug output
Andreas Steffen [Tue, 31 Aug 2010 21:22:39 +0000 (23:22 +0200)]

fixed typo
Andreas Steffen [Tue, 31 Aug 2010 19:42:14 +0000 (21:42 +0200)]

Do not process any more TLS handshake messages on fatal alerts
Martin Willi [Tue, 31 Aug 2010 16:08:46 +0000 (18:08 +0200)]

Load a left/rightcert2 for EAP-TLS even if no left/rightauth2 is defined
Martin Willi [Tue, 31 Aug 2010 16:02:46 +0000 (18:02 +0200)]

Strictly check if the server certificate matches the TLS server identity
Martin Willi [Tue, 31 Aug 2010 16:07:38 +0000 (18:07 +0200)]

Use the AAA Identity for EAP authentication, if given
Martin Willi [Tue, 31 Aug 2010 16:06:02 +0000 (18:06 +0200)]

Added support for the ipsec.conf aaa_identity keyword
Martin Willi [Tue, 31 Aug 2010 15:52:52 +0000 (17:52 +0200)]

Added an AAA identity authentication config option
Martin Willi [Tue, 31 Aug 2010 15:26:20 +0000 (17:26 +0200)]

Added strongswan.conf options for EAP-TLS/TTLS fragment size
Martin Willi [Tue, 31 Aug 2010 14:10:55 +0000 (16:10 +0200)]

Support processing of partial TLS record headers
Martin Willi [Tue, 31 Aug 2010 08:03:03 +0000 (10:03 +0200)]

Migrated EAP-TTLS to the generic TLS helper
Martin Willi [Tue, 31 Aug 2010 07:12:40 +0000 (09:12 +0200)]

Migrated EAP-TLS to the generic TLS helper
Martin Willi [Tue, 31 Aug 2010 07:12:20 +0000 (09:12 +0200)]

Implemented a generic TLS EAP helper to implement EAP-TLS, TTLS and other variants
Martin Willi [Tue, 31 Aug 2010 07:11:09 +0000 (09:11 +0200)]

Support output fragmentation of TLS records
Martin Willi [Tue, 31 Aug 2010 06:57:26 +0000 (08:57 +0200)]

Moved EAP type/code definitions to a separate header file in libstrongswan
Martin Willi [Tue, 31 Aug 2010 06:55:48 +0000 (08:55 +0200)]

Implemented buffering of partial records in TLS stack
Martin Willi [Thu, 26 Aug 2010 10:27:56 +0000 (12:27 +0200)]

Log TLS handshake subtypes as handshakes
Martin Willi [Thu, 26 Aug 2010 10:18:24 +0000 (12:18 +0200)]

Added a TLS debug level option, use debugging hook
Martin Willi [Thu, 26 Aug 2010 10:17:22 +0000 (12:17 +0200)]

Do not strdup() zero length strings in identification_create_from_string()
Martin Willi [Tue, 31 Aug 2010 13:34:08 +0000 (15:34 +0200)]

Corrected some URLs.
Tobias Brunner [Tue, 31 Aug 2010 12:46:53 +0000 (14:46 +0200)]

Enable the generation of unencrypted messages (e.g. ME connectivity checks).
Tobias Brunner [Mon, 30 Aug 2010 15:24:07 +0000 (17:24 +0200)]

fixed typos
Andreas Steffen [Mon, 30 Aug 2010 14:22:33 +0000 (16:22 +0200)]

fixed copy-and-paste errors
Andreas Steffen [Mon, 30 Aug 2010 13:42:44 +0000 (15:42 +0200)]

created an eap-tnc method hull
Andreas Steffen [Mon, 30 Aug 2010 13:36:24 +0000 (15:36 +0200)]

for the time being assume a single request/response exchange for a given EAP method
Andreas Steffen [Mon, 30 Aug 2010 13:35:13 +0000 (15:35 +0200)]

Port floating patch partially reversed.
Tobias Brunner [Mon, 30 Aug 2010 12:54:31 +0000 (14:54 +0200)]

If MOBIKE is enabled, we do have to switch to port 4500 with the
IKE_AUTH request, that is, before we know whether the other peer
actually supports MOBIKE or not.

Slightly refactored port floating.
Tobias Brunner [Mon, 30 Aug 2010 10:19:37 +0000 (12:19 +0200)]

In case of MOBIKE, only float to port 4500 if the other peer actually supports MOBIKE.

defined EAP-TNC
Andreas Steffen [Mon, 30 Aug 2010 11:13:39 +0000 (13:13 +0200)]

Unwrap crlNumber INTEGER in openssl CRL parsing
Martin Willi [Mon, 30 Aug 2010 09:22:54 +0000 (11:22 +0200)]

Added crl support to pki --print
Martin Willi [Mon, 30 Aug 2010 09:01:18 +0000 (11:01 +0200)]