strongswan.git
7 years agoAlso build charon's IKEv1 implementation on Android
Tobias Brunner [Fri, 22 Jun 2012 11:33:38 +0000 (13:33 +0200)]
Also build charon's IKEv1 implementation on Android

7 years agoBuild nonce plugin on Android
Tobias Brunner [Fri, 22 Jun 2012 11:32:07 +0000 (13:32 +0200)]
Build nonce plugin on Android

7 years agoMissing source file added to libcharon's Android.mk
Tobias Brunner [Fri, 22 Jun 2012 11:31:14 +0000 (13:31 +0200)]
Missing source file added to libcharon's Android.mk

7 years agoscepclient: Added support to build it on Android
Tobias Brunner [Thu, 14 Jun 2012 16:35:58 +0000 (18:35 +0200)]
scepclient: Added support to build it on Android

7 years agoAdded support for the curl plugin on Android
Tobias Brunner [Thu, 14 Jun 2012 16:20:35 +0000 (18:20 +0200)]
Added support for the curl plugin on Android

7 years agoAvoid SIGSEGV during shutdown if charon is not started as root
Tobias Brunner [Mon, 25 Jun 2012 17:00:00 +0000 (19:00 +0200)]
Avoid SIGSEGV during shutdown if charon is not started as root

7 years agoNEWS about thread pool updates added
Tobias Brunner [Mon, 25 Jun 2012 16:01:23 +0000 (18:01 +0200)]
NEWS about thread pool updates added

7 years agoMake rescheduling a job more predictable
Tobias Brunner [Thu, 21 Jun 2012 08:10:25 +0000 (10:10 +0200)]
Make rescheduling a job more predictable

This avoids race conditions between calls to cancel() and jobs that like
to be rescheduled.  If jobs were able to reschedule themselves it would
theoretically be possible that two worker threads have the same job
assigned (the one currently executing the job and the one executing the
same but rescheduled job if it already is time to execute it), this means
that cancel() could be called twice for that job.

Creating a new job based on the current one and reschedule that is also
OK, but rescheduling itself is more efficient for jobs that need to be
executed often.

7 years agoCentralized thread cancellation in processor_t
Tobias Brunner [Tue, 19 Jun 2012 11:29:09 +0000 (13:29 +0200)]
Centralized thread cancellation in processor_t

This ensures that no threads are active when plugins and the rest of the
daemon are unloaded.

callback_job_t was simplified a lot in the process as its main
functionality is now contained in processor_t.  The parent-child
relationships were abandoned as these were only needed to simplify job
cancellation.

7 years agoGive processor_t more control over the lifecycle of a job
Tobias Brunner [Tue, 19 Jun 2012 08:45:17 +0000 (10:45 +0200)]
Give processor_t more control over the lifecycle of a job

Jobs are now destroyed by the processor, but they are allowed to
reschedule themselves.  That is, parts of the reschedule functionality
already provided by callback_job_t is moved to the processor.  Not yet
fully supported is JOB_REQUEUE_DIRECT and canceling jobs.

Note: job_t.destroy() is now called not only for queued jobs but also
after execution or cancellation of jobs.  job_t.status can be used to
decide what to do in said method.

7 years agoAdded a method to plugin_loader_t to add 'static' plugin features
Tobias Brunner [Wed, 20 Jun 2012 09:47:58 +0000 (11:47 +0200)]
Added a method to plugin_loader_t to add 'static' plugin features

This allows daemons and other components to register plugin features
like those provided by plugins (following the same lifecycle).

The added features are internally handled like they were added by a
plugin.

7 years agoMake sure that all features of critical plugins are loaded
Tobias Brunner [Wed, 20 Jun 2012 09:34:46 +0000 (11:34 +0200)]
Make sure that all features of critical plugins are loaded

7 years agoAdded an option to rename the ipsec script during installation
Tobias Brunner [Tue, 19 Jun 2012 15:12:53 +0000 (17:12 +0200)]
Added an option to rename the ipsec script during installation

Also rename the man page and adjust all references in the script, the
man page and other files.

Closes #194.

7 years agoRemoved -o argument when creating .../ipsec.d with install
Tobias Brunner [Tue, 19 Jun 2012 15:26:54 +0000 (17:26 +0200)]
Removed -o argument when creating .../ipsec.d with install

This should have been removed with 2b52d5cb41.

7 years agoUpdated ipsec script man page after removing pluto
Tobias Brunner [Tue, 19 Jun 2012 14:09:50 +0000 (16:09 +0200)]
Updated ipsec script man page after removing pluto

7 years agoUse mac_t and PRF and signer wrappers in cmac plugin
Tobias Brunner [Mon, 25 Jun 2012 11:00:57 +0000 (13:00 +0200)]
Use mac_t and PRF and signer wrappers in cmac plugin

7 years agoUse mac_t and PRF and signer wrappers in xcbc plugin
Tobias Brunner [Mon, 25 Jun 2012 10:50:55 +0000 (12:50 +0200)]
Use mac_t and PRF and signer wrappers in xcbc plugin

7 years agoMake the hmac_t interface a generic interface for message authentication codes
Tobias Brunner [Mon, 25 Jun 2012 09:37:04 +0000 (11:37 +0200)]
Make the hmac_t interface a generic interface for message authentication codes

7 years agoSimplified creation of PRFs and signers in openssl and hmac plugins
Tobias Brunner [Fri, 22 Jun 2012 09:30:46 +0000 (11:30 +0200)]
Simplified creation of PRFs and signers in openssl and hmac plugins

7 years agoFunction to convert PRFs to hash algorithms added
Tobias Brunner [Fri, 22 Jun 2012 09:28:43 +0000 (11:28 +0200)]
Function to convert PRFs to hash algorithms added

7 years agohasher_algorithm_from_integrity() optionally returns truncation length
Tobias Brunner [Fri, 22 Jun 2012 09:28:10 +0000 (11:28 +0200)]
hasher_algorithm_from_integrity() optionally returns truncation length

7 years agoUse simple wrappers for HMAC based PRF and signer in openssl plugin
Tobias Brunner [Fri, 22 Jun 2012 08:52:20 +0000 (10:52 +0200)]
Use simple wrappers for HMAC based PRF and signer in openssl plugin

7 years agoUse simple wrappers for HMAC based PRF and signer in hmac plugin
Tobias Brunner [Fri, 22 Jun 2012 08:38:37 +0000 (10:38 +0200)]
Use simple wrappers for HMAC based PRF and signer in hmac plugin

7 years agoSimple wrappers for HMAC based prf_t and signer_t implementations added
Tobias Brunner [Fri, 22 Jun 2012 07:39:09 +0000 (09:39 +0200)]
Simple wrappers for HMAC based prf_t and signer_t implementations added

7 years agoRefactored OpenSSL based HMAC implementation
Tobias Brunner [Thu, 21 Jun 2012 11:10:26 +0000 (13:10 +0200)]
Refactored OpenSSL based HMAC implementation

7 years agoAdding OpenSSL HMAC signer functions to openssl plugin
Aleksandr Grinberg [Wed, 20 Jun 2012 20:46:21 +0000 (13:46 -0700)]
Adding OpenSSL HMAC signer functions to openssl plugin

7 years agoAdding OpenSSL HMAC pseudo random functions to openssl plugin
Aleksandr Grinberg [Wed, 20 Jun 2012 20:43:47 +0000 (13:43 -0700)]
Adding OpenSSL HMAC pseudo random functions to openssl plugin

7 years agoAdding OpenSSL random number functions to openssl plugin
Aleksandr Grinberg [Wed, 20 Jun 2012 20:39:37 +0000 (13:39 -0700)]
Adding OpenSSL random number functions to openssl plugin

7 years agoFixed IPv6 source address lookup
Tobias Brunner [Mon, 18 Jun 2012 10:01:10 +0000 (12:01 +0200)]
Fixed IPv6 source address lookup

Because Linux kernels prior to 3.0 do not support RTA_PREFSRC for
IPv6 routes we didn't use NLM_F_DUMP to get all routes.
Still routes installed with policies are installed also for IPv6.
So since only one route is returned without DUMP, and we ignore
all routes from our own routing table, no source address was found
during roaming if DST of the installed route included the IKE peer.

With newer kernels we can now use DUMP as we did for IPv4 already,
for older kernels we do so if our own routes are installed in a
separate routing table, otherwise we still use GET.

7 years agoupdated default configuration of UML hosts to 5.0.0
Andreas Steffen [Mon, 25 Jun 2012 11:04:55 +0000 (13:04 +0200)]
updated default configuration of UML hosts to 5.0.0

7 years agoadded charon.cisco_unity to strongswan.conf.5 man page
Andreas Steffen [Mon, 25 Jun 2012 09:47:40 +0000 (11:47 +0200)]
added charon.cisco_unity to strongswan.conf.5 man page

7 years agosupport Cisco Unity VID
Andreas Steffen [Mon, 25 Jun 2012 09:00:12 +0000 (11:00 +0200)]
support Cisco Unity VID

7 years agoEnable xauth-generic by default but don't build it if IKEv1 is disabled
Tobias Brunner [Mon, 25 Jun 2012 09:07:49 +0000 (11:07 +0200)]
Enable xauth-generic by default but don't build it if IKEv1 is disabled

7 years agoRemove CREDITS from distribution
Tobias Brunner [Mon, 25 Jun 2012 09:07:35 +0000 (11:07 +0200)]
Remove CREDITS from distribution

7 years agoThe AUTHORS file is required by automake
Tobias Brunner [Mon, 25 Jun 2012 08:59:27 +0000 (10:59 +0200)]
The AUTHORS file is required by automake

7 years agoLICENSE file updated
Tobias Brunner [Thu, 21 Jun 2012 16:14:43 +0000 (18:14 +0200)]
LICENSE file updated

7 years agoldaphost and ldapbase ca section keywords are deprecated
Tobias Brunner [Thu, 21 Jun 2012 16:04:18 +0000 (18:04 +0200)]
ldaphost and ldapbase ca section keywords are deprecated

7 years agoRemoved pluto-specifics from ipsec script
Tobias Brunner [Thu, 21 Jun 2012 15:58:59 +0000 (17:58 +0200)]
Removed pluto-specifics from ipsec script

7 years agoREADME file cleaned up and updated
Tobias Brunner [Thu, 21 Jun 2012 15:55:08 +0000 (17:55 +0200)]
README file cleaned up and updated

7 years agoEnforce uniqueids=keep based on XAuth identity
Martin Willi [Thu, 14 Jun 2012 13:25:11 +0000 (15:25 +0200)]
Enforce uniqueids=keep based on XAuth identity

7 years agoDon't send XAUTH_OK if a hook prevents SA to establish
Martin Willi [Thu, 14 Jun 2012 13:23:57 +0000 (15:23 +0200)]
Don't send XAUTH_OK if a hook prevents SA to establish

7 years agoEnforce uniqueids=keep only for non-XAuth Main/Agressive Modes
Martin Willi [Thu, 14 Jun 2012 13:08:37 +0000 (15:08 +0200)]
Enforce uniqueids=keep only for non-XAuth Main/Agressive Modes

7 years agoShow EAP/XAuth identity in "ipsec status", if available
Martin Willi [Thu, 14 Jun 2012 13:07:44 +0000 (15:07 +0200)]
Show EAP/XAuth identity in "ipsec status", if available

7 years agoUse XAuth/EAP remote identity for uniqueness check
Martin Willi [Thu, 14 Jun 2012 12:47:40 +0000 (14:47 +0200)]
Use XAuth/EAP remote identity for uniqueness check

7 years agoAdd missing XAuth name variable when complaining about missing XAuth backend
Martin Willi [Mon, 25 Jun 2012 08:09:27 +0000 (10:09 +0200)]
Add missing XAuth name variable when complaining about missing XAuth backend

7 years agoremoved AUTHORS and CREDITS
Andreas Steffen [Mon, 25 Jun 2012 06:45:10 +0000 (08:45 +0200)]
removed AUTHORS and CREDITS

7 years agosome copyright additions
Andreas Steffen [Sat, 23 Jun 2012 10:09:29 +0000 (12:09 +0200)]
some copyright additions

7 years agoupdate copyright
Andreas Steffen [Sat, 23 Jun 2012 09:57:42 +0000 (11:57 +0200)]
update copyright

7 years agoversion bump to 5.0.0
Andreas Steffen [Sat, 23 Jun 2012 09:32:54 +0000 (11:32 +0200)]
version bump to 5.0.0

7 years agoFix SIGSEGV if kernel install fails during Quick Mode as responder.
Tobias Brunner [Thu, 7 Jun 2012 12:59:20 +0000 (14:59 +0200)]
Fix SIGSEGV if kernel install fails during Quick Mode as responder.

7 years agoadapted description to IKEv2
Andreas Steffen [Fri, 22 Jun 2012 07:53:25 +0000 (09:53 +0200)]
adapted description to IKEv2

7 years agoFixed compile error because of charon->name in certexpire plugin.
Tobias Brunner [Thu, 21 Jun 2012 11:59:18 +0000 (13:59 +0200)]
Fixed compile error because of charon->name in certexpire plugin.

7 years agofixed typo
Andreas Steffen [Wed, 20 Jun 2012 09:15:09 +0000 (11:15 +0200)]
fixed typo

7 years agoadded ipv6/rw-ip6-in-ip4-ikev1 scenario
Andreas Steffen [Wed, 20 Jun 2012 09:13:20 +0000 (11:13 +0200)]
added ipv6/rw-ip6-in-ip4-ikev1 scenario

7 years agoadded ipv6/rw-ip6-in-ip4-ikev2 scenario
Andreas Steffen [Wed, 20 Jun 2012 09:03:51 +0000 (11:03 +0200)]
added ipv6/rw-ip6-in-ip4-ikev2 scenario

7 years agoSelect requested virtual IP family based on remote TS, if no local TS available
Martin Willi [Wed, 20 Jun 2012 08:01:05 +0000 (10:01 +0200)]
Select requested virtual IP family based on remote TS, if no local TS available

7 years agoupgraded UML options to 5.0.0
Andreas Steffen [Tue, 19 Jun 2012 17:34:26 +0000 (19:34 +0200)]
upgraded UML options to 5.0.0

7 years agoDoxygen fix in PKCS#7 wrapper
Tobias Brunner [Tue, 19 Jun 2012 11:32:24 +0000 (13:32 +0200)]
Doxygen fix in PKCS#7 wrapper

7 years agosleep one second more
Andreas Steffen [Tue, 19 Jun 2012 04:18:05 +0000 (06:18 +0200)]
sleep one second more

7 years agouse socket-default in scenario
Andreas Steffen [Tue, 19 Jun 2012 04:17:37 +0000 (06:17 +0200)]
use socket-default in scenario

7 years agoadded ikev1/xauth-id-rsa-hybrid scenario
Andreas Steffen [Mon, 18 Jun 2012 20:51:50 +0000 (22:51 +0200)]
added ikev1/xauth-id-rsa-hybrid scenario

7 years agoadded ikev1/xauth-id-rsa-aggressive scenario
Andreas Steffen [Mon, 18 Jun 2012 20:30:26 +0000 (22:30 +0200)]
added ikev1/xauth-id-rsa-aggressive scenario

7 years agoadded secret as valid authby argument
Andreas Steffen [Mon, 18 Jun 2012 20:11:18 +0000 (22:11 +0200)]
added secret as valid authby argument

7 years agorsasig is not recognized as authentication method
Andreas Steffen [Mon, 18 Jun 2012 20:03:36 +0000 (22:03 +0200)]
rsasig is not recognized as authentication method

7 years agoenable potentially unsafe aggressive mode
Andreas Steffen [Mon, 18 Jun 2012 19:34:48 +0000 (21:34 +0200)]
enable potentially unsafe aggressive mode

7 years agochange ikev1/xauth scenarios to modern notation
Andreas Steffen [Mon, 18 Jun 2012 19:22:01 +0000 (21:22 +0200)]
change ikev1/xauth scenarios to modern notation

7 years agotesting: List IPv6 routing table in IPv6 test cases.
Tobias Brunner [Fri, 15 Jun 2012 13:19:23 +0000 (15:19 +0200)]
testing: List IPv6 routing table in IPv6 test cases.

7 years agoNLM_F_DUMP includes NLM_F_ROOT.
Tobias Brunner [Fri, 15 Jun 2012 10:50:30 +0000 (12:50 +0200)]
NLM_F_DUMP includes NLM_F_ROOT.

7 years agoDon't create roam jobs based on cached/cloned routes.
Tobias Brunner [Fri, 15 Jun 2012 10:27:26 +0000 (12:27 +0200)]
Don't create roam jobs based on cached/cloned routes.

7 years agoDon't compare ports when comparing cached routes.
Tobias Brunner [Fri, 15 Jun 2012 09:43:21 +0000 (11:43 +0200)]
Don't compare ports when comparing cached routes.

At least src_ip has a port set sometimes.

7 years agostarter: Fixed parsing of %defaultroute.
Tobias Brunner [Fri, 15 Jun 2012 08:32:15 +0000 (10:32 +0200)]
starter: Fixed parsing of %defaultroute.

7 years agoAdopt children as XAuth initiator (which is IKE responder)
Martin Willi [Thu, 14 Jun 2012 12:46:48 +0000 (14:46 +0200)]
Adopt children as XAuth initiator (which is IKE responder)

7 years agoAdded 5.0 NEWS about IKEv1 in charon
Martin Willi [Thu, 14 Jun 2012 08:57:29 +0000 (10:57 +0200)]
Added 5.0 NEWS about IKEv1 in charon

7 years agoPrint the kind of *Swan during starter startup
Martin Willi [Wed, 13 Jun 2012 10:18:25 +0000 (12:18 +0200)]
Print the kind of *Swan during starter startup

7 years agoShow what kind of *Swan we run in "ipsec status"
Martin Willi [Wed, 13 Jun 2012 10:11:55 +0000 (12:11 +0200)]
Show what kind of *Swan we run in "ipsec status"

7 years agoRequire a scary option to respond to Aggressive Mode PSK requests
Martin Willi [Wed, 13 Jun 2012 07:32:28 +0000 (09:32 +0200)]
Require a scary option to respond to Aggressive Mode PSK requests

While Aggressive Mode PSK is widely used, it is known to be subject
to dictionary attacks by passive attackers. We don't complain as
initiator to be compatible with existing (insecure) setups, but
require a scary strongswan.conf option if someone wants to use it
as responder.

7 years agothanks to narrowing treat right|leftsubnetwithin as synonyms for right|leftsubnet
Andreas Steffen [Thu, 14 Jun 2012 05:55:12 +0000 (07:55 +0200)]
thanks to narrowing treat right|leftsubnetwithin as synonyms for right|leftsubnet

7 years agoremoved plutostart parameter
Andreas Steffen [Wed, 13 Jun 2012 19:19:05 +0000 (21:19 +0200)]
removed plutostart parameter

7 years agoscepclient: Fixed Makefile after removing enable-smartcard configure option.
Tobias Brunner [Wed, 13 Jun 2012 13:08:14 +0000 (15:08 +0200)]
scepclient: Fixed Makefile after removing enable-smartcard configure option.

7 years agoUse proper defines for IPV6_PKTINFO on Mac OS X Lion and newer.
Tobias Brunner [Wed, 13 Jun 2012 13:02:10 +0000 (15:02 +0200)]
Use proper defines for IPV6_PKTINFO on Mac OS X Lion and newer.

7 years agoSome updates to the INSTALL document.
Tobias Brunner [Wed, 13 Jun 2012 10:24:23 +0000 (12:24 +0200)]
Some updates to the INSTALL document.

7 years agoRemoved remaining pluto related configure options.
Tobias Brunner [Wed, 13 Jun 2012 09:33:32 +0000 (11:33 +0200)]
Removed remaining pluto related configure options.

7 years agostarter: Print additional help texts for selected deprecated keywords.
Tobias Brunner [Tue, 12 Jun 2012 11:59:05 +0000 (13:59 +0200)]
starter: Print additional help texts for selected deprecated keywords.

7 years agostarter: Improved how deprecated keywords are handled.
Tobias Brunner [Tue, 12 Jun 2012 11:57:47 +0000 (13:57 +0200)]
starter: Improved how deprecated keywords are handled.

We only throw a warning now instead of rejecting the config.

7 years agoRevert "starter: Don't treat unsupported keywords as fatal errors just report them."
Tobias Brunner [Tue, 12 Jun 2012 09:42:00 +0000 (11:42 +0200)]
Revert "starter: Don't treat unsupported keywords as fatal errors just report them."

This reverts commit e55876a657ae9d4bbf14320e5a14f86cc5c31c7f.

7 years agoNEWS about specifying trustchain HASH algorithm requirements
Martin Willi [Tue, 12 Jun 2012 12:43:55 +0000 (14:43 +0200)]
NEWS about specifying trustchain HASH algorithm requirements

7 years agoAdd documentation for signature hash algorithm enforcing to man ipsec.conf
Martin Willi [Mon, 11 Jun 2012 13:48:03 +0000 (15:48 +0200)]
Add documentation for signature hash algorithm enforcing to man ipsec.conf

7 years agoAdded signature scheme options left/rightauth
Martin Willi [Fri, 8 Jun 2012 15:04:14 +0000 (17:04 +0200)]
Added signature scheme options left/rightauth

7 years agoSupport multiple different public key strength types in constraints
Martin Willi [Tue, 12 Jun 2012 12:19:11 +0000 (14:19 +0200)]
Support multiple different public key strength types in constraints

7 years agoAdd signature schemes to auth_cfg during trustchain validation
Martin Willi [Mon, 11 Jun 2012 12:52:37 +0000 (14:52 +0200)]
Add signature schemes to auth_cfg during trustchain validation

7 years agocertificate_t->issued_by takes an argument to receive signature scheme
Martin Willi [Mon, 11 Jun 2012 12:33:34 +0000 (14:33 +0200)]
certificate_t->issued_by takes an argument to receive signature scheme

7 years agoDefine auth_cfg rules for signature schemes
Martin Willi [Fri, 8 Jun 2012 14:47:08 +0000 (16:47 +0200)]
Define auth_cfg rules for signature schemes

7 years agostarter: Fixed parsing of left|right=%any.
Tobias Brunner [Tue, 12 Jun 2012 08:12:53 +0000 (10:12 +0200)]
starter: Fixed parsing of left|right=%any.

7 years agodeleted IKEv1 charon-pluto interoperability scenarios
Andreas Steffen [Tue, 12 Jun 2012 08:00:21 +0000 (10:00 +0200)]
deleted IKEv1 charon-pluto interoperability scenarios

7 years agostarter: Fix comparison of connections.
Tobias Brunner [Wed, 16 May 2012 15:18:27 +0000 (17:18 +0200)]
starter: Fix comparison of connections.

7 years agostarter: Removed all unsupported keywords.
Tobias Brunner [Wed, 16 May 2012 14:56:49 +0000 (16:56 +0200)]
starter: Removed all unsupported keywords.

7 years agostarter: Don't treat unsupported keywords as fatal errors just report them.
Tobias Brunner [Wed, 16 May 2012 14:25:32 +0000 (16:25 +0200)]
starter: Don't treat unsupported keywords as fatal errors just report them.

7 years agoBye bye Pluto!
Tobias Brunner [Tue, 15 May 2012 14:59:00 +0000 (16:59 +0200)]
Bye bye Pluto!

Charon will take over IKEv1 duties from here.  This also removes
libfreeswan and whack.

7 years ago_copyright: Replicate copyright text here instead of calling libfreeswan.
Tobias Brunner [Tue, 15 May 2012 15:12:59 +0000 (17:12 +0200)]
_copyright: Replicate copyright text here instead of calling libfreeswan.

7 years agostarter: Remove all ties to pluto/libfreeswan.
Tobias Brunner [Tue, 15 May 2012 14:37:02 +0000 (16:37 +0200)]
starter: Remove all ties to pluto/libfreeswan.

Moved some types/constants in the process.