strongswan.git
Removed len argument from proposal_get_token()
Tobias Brunner [Thu, 13 Sep 2012 11:39:33 +0000 (13:39 +0200)]

Also use enumerators instead of lexparser.h to parse proposal strings.

Make arguments for enumerator_create_token|directory const
Tobias Brunner [Thu, 13 Sep 2012 10:30:22 +0000 (12:30 +0200)]

Moved proposal_keywords to proposal_keywords_static
Francois ten Krooden [Fri, 24 Aug 2012 12:56:42 +0000 (14:56 +0200)]

Added new proposal keywords with function to reference the static keywords.

Option added to enforce a configured destination address for DHCP packets
Tobias Brunner [Thu, 5 Jul 2012 17:06:44 +0000 (19:06 +0200)]

version bump to 5.0.1rc1
Andreas Steffen [Wed, 12 Sep 2012 21:56:12 +0000 (23:56 +0200)]

Allow calls to set_address() for any host-sized TS, not only dynamic ones
Tobias Brunner [Wed, 12 Sep 2012 16:10:04 +0000 (18:10 +0200)]

This fixes CHILD_SA updates (e.g. due to MOBIKE), which were broken
since 4cb0783.

Ensure traffic selectors are dynamic before calling set_address() when deriving them
Tobias Brunner [Wed, 12 Sep 2012 16:07:41 +0000 (18:07 +0200)]

Consistently log XFRM mark masks with 0 prefix in kernel-netlink plugin
Tobias Brunner [Wed, 12 Sep 2012 15:40:36 +0000 (17:40 +0200)]

starter: Added --nolog option to suppress logging in starter itself
Tobias Brunner [Wed, 12 Sep 2012 15:11:54 +0000 (17:11 +0200)]

Fixes #224.

Updates to strongswan.conf(5) man page (added several missing options)
Tobias Brunner [Wed, 12 Sep 2012 14:52:56 +0000 (16:52 +0200)]

Some updates to ipsec.conf(5) man page
Tobias Brunner [Wed, 12 Sep 2012 13:44:00 +0000 (15:44 +0200)]

starter: Allow %any also for protocol in left|rightprotoport
Tobias Brunner [Wed, 12 Sep 2012 13:31:02 +0000 (15:31 +0200)]

Don't allow NULL encryption with PEAP
Martin Willi [Thu, 30 Aug 2012 09:13:02 +0000 (11:13 +0200)]

Use memmove on overlapping regions, and operate with correct sizeof()
Martin Willi [Thu, 30 Aug 2012 09:46:14 +0000 (11:46 +0200)]

Whitespace cleanups in tls_eap
Martin Willi [Thu, 30 Aug 2012 09:14:01 +0000 (11:14 +0200)]

Use uintptr_t in mem pool to avoid compiler warning if sizeof(void*) != sizeof(int)
Martin Willi [Wed, 12 Sep 2012 10:02:11 +0000 (12:02 +0200)]

ikev1 hybrid authentication does not need client certificates
Andreas Steffen [Wed, 12 Sep 2012 10:42:24 +0000 (12:42 +0200)]

corrected topology in ikev2/rw-radius-accounting scenario
Andreas Steffen [Wed, 12 Sep 2012 10:26:39 +0000 (12:26 +0200)]

added ikev2/rw-eap-dynamic scenario
Andreas Steffen [Wed, 12 Sep 2012 10:15:17 +0000 (12:15 +0200)]

Always send a configuration payload in IKEv1 TRANSACTIONs, even if it is empty
Martin Willi [Tue, 11 Sep 2012 15:20:17 +0000 (17:20 +0200)]

Don't use host address for dynamic TS in IKEv1 if a virtual IP was expected
Martin Willi [Tue, 11 Sep 2012 10:56:29 +0000 (12:56 +0200)]

Don't use host address for dynamic TS in IKEv2 if a virtual IP was expected
Martin Willi [Tue, 11 Sep 2012 10:38:45 +0000 (12:38 +0200)]

Don't return a subset for a dynamic TS unless set_address has been called
Martin Willi [Tue, 11 Sep 2012 10:46:31 +0000 (12:46 +0200)]

Send FAILED_CP_REQUIRED if a configuration payload was expected, but not received
Martin Willi [Tue, 11 Sep 2012 10:20:37 +0000 (12:20 +0200)]

Check for an existing lease in all stroke pools before creating a new one
Martin Willi [Tue, 11 Sep 2012 09:33:42 +0000 (11:33 +0200)]

Pass full pool list to release_address
Martin Willi [Tue, 11 Sep 2012 09:19:56 +0000 (11:19 +0200)]

Pass the full list of pools to acquire_address, enumerate in providers
Martin Willi [Tue, 11 Sep 2012 08:41:11 +0000 (10:41 +0200)]

If the provider has access to the full pool list, it can enumerate
them twice, for example to search for existing leases first, and
only search for new leases in a second step.

Fixes lease enumeration in attr-sql using multiple pools.

Add a linked list constructor initializing from an enumerator
Martin Willi [Tue, 11 Sep 2012 08:40:10 +0000 (10:40 +0200)]

Add a responder narrow() hook to change TS in the kernel, but not on the wire
Martin Willi [Tue, 24 Jul 2012 10:40:45 +0000 (12:40 +0200)]

Support RADIUS accounting when using IKEv1 with xauth-eap and eap-radius
Martin Willi [Tue, 11 Sep 2012 13:21:25 +0000 (15:21 +0200)]

Fix leak while enumerating RADIUS Framed-IPs from IKE_SA
Martin Willi [Tue, 11 Sep 2012 13:20:33 +0000 (15:20 +0200)]

Add uniqueids=never to ignore INITIAL_CONTACT notifies
Tobias Brunner [Mon, 10 Sep 2012 15:24:21 +0000 (17:24 +0200)]

With uniqueids=no the daemon still deletes any existing IKE_SA with the
same peer if an INITIAL_CONTACT notify is received.  With this new option
it also ignores these notifies.

Add random plugin options to strongswan.conf.5
Martin Willi [Mon, 10 Sep 2012 15:07:28 +0000 (17:07 +0200)]

Add strongswan.conf runtime options for /dev/[u]random files
Martin Willi [Mon, 10 Sep 2012 14:47:36 +0000 (16:47 +0200)]

Fixes #221.

this is the correct evaltest
Andreas Steffen [Mon, 10 Sep 2012 13:53:03 +0000 (15:53 +0200)]

recovered ikev2/ip-two-pools-mixed evaltest
Andreas Steffen [Mon, 10 Sep 2012 13:46:50 +0000 (15:46 +0200)]

adapted ip-pool evaltests
Andreas Steffen [Mon, 10 Sep 2012 13:41:19 +0000 (15:41 +0200)]

Use the proper types for comma separated attributes read from strongswan.conf
Tobias Brunner [Mon, 10 Sep 2012 13:17:17 +0000 (15:17 +0200)]

Attributes of different address families previously were mapped to
the same attribute type (the one derived from the address family of the
first address).

Print the name of mem pools instead of the confusing <base>/<size>
Tobias Brunner [Mon, 10 Sep 2012 10:37:31 +0000 (12:37 +0200)]

Properly remove broadcast address from mem pools
Tobias Brunner [Mon, 10 Sep 2012 09:44:18 +0000 (11:44 +0200)]

use base IMC ID if src IMC ID is not supported
Andreas Steffen [Sun, 9 Sep 2012 22:07:54 +0000 (00:07 +0200)]

added libimcv.assessment_result to strongswan.conf man page
Andreas Steffen [Sun, 9 Sep 2012 21:50:32 +0000 (23:50 +0200)]

make sending of IETF Assessment Result attributes configurable
Andreas Steffen [Sun, 9 Sep 2012 21:24:23 +0000 (23:24 +0200)]

introduced sending of standard IETF Assessment Result PA-TNC attribute by IMVs
Andreas Steffen [Sun, 9 Sep 2012 03:13:13 +0000 (05:13 +0200)]

Only initiate an exchange from send_dpd() if a task was actually queued
Tobias Brunner [Fri, 7 Sep 2012 16:05:22 +0000 (18:05 +0200)]

Otherwise, the initiator would prematurely initiate Quick Mode if it has
DPD enabled and XAuth is used.

android: New release after adding certificate authentication and reauth fix
Tobias Brunner [Thu, 6 Sep 2012 12:54:37 +0000 (14:54 +0200)]

Trigger ike_updown event caused by retransmits only after reestablish() has been called
Tobias Brunner [Wed, 5 Sep 2012 14:03:20 +0000 (16:03 +0200)]

This allows listeners to migrate to the new IKE_SA with the
ike_reestablish event without having to worry about an ike_updown event
for the old IKE_SA.

android: Properly handle reauthentication initiated by the client
Tobias Brunner [Wed, 5 Sep 2012 09:36:59 +0000 (11:36 +0200)]

android: Create a new VpnService.Builder after VPN has been established
Tobias Brunner [Wed, 5 Sep 2012 09:36:00 +0000 (11:36 +0200)]

Add ike_reestablish() event that is triggered when an IKE_SA is reestablished
Tobias Brunner [Wed, 5 Sep 2012 09:34:50 +0000 (11:34 +0200)]

This is particularly useful during reauthentication to get the new
IKE_SA.

Add a new condition to mark IKE_SAs that are currently being reauthenticated
Tobias Brunner [Thu, 6 Sep 2012 09:23:11 +0000 (11:23 +0200)]

starter: Load config again when restarting charon
Tobias Brunner [Wed, 5 Sep 2012 14:43:34 +0000 (16:43 +0200)]

This got lost in 041e763b.

Clear virtual IPs before storing assigned ones on the IKE_SA
Tobias Brunner [Wed, 5 Sep 2012 11:16:31 +0000 (13:16 +0200)]

Otherwise we'll end up with duplicate or invalid VIPs stored on the
IKE_SA.

In mode_config, destroy temporary pool list instead of the virtual IP list twice
Martin Willi [Wed, 5 Sep 2012 12:18:52 +0000 (14:18 +0200)]

Merge branch 'android-client-cert'
Tobias Brunner [Tue, 4 Sep 2012 11:57:05 +0000 (13:57 +0200)]

Introduces IKEv2 client certificate authentication for the Android App.

android: Native parts handle ikev2-cert VPN type
Tobias Brunner [Tue, 28 Aug 2012 15:11:55 +0000 (17:11 +0200)]

android: android_creds_t can provide a user's private key and certificate
Tobias Brunner [Tue, 28 Aug 2012 15:05:14 +0000 (17:05 +0200)]

android: Added JNI method to retrieve user certificate and private key
Tobias Brunner [Tue, 28 Aug 2012 15:02:53 +0000 (17:02 +0200)]

To simplify things the private key, the user certificate and the CA
certificates are all put into the same list.

android: Don't show the password dialog if not required
Tobias Brunner [Tue, 28 Aug 2012 15:01:37 +0000 (17:01 +0200)]

android: Enable pkcs8 plugin
Tobias Brunner [Tue, 28 Aug 2012 14:45:46 +0000 (16:45 +0200)]

android: Pass the type of VPN to the native parts
Tobias Brunner [Tue, 28 Aug 2012 13:32:14 +0000 (15:32 +0200)]

android: Make sure NULL jstrings are converted properly
Tobias Brunner [Tue, 28 Aug 2012 13:29:35 +0000 (15:29 +0200)]

android: Display the selected certificate alias in the profile list
Tobias Brunner [Tue, 28 Aug 2012 12:47:00 +0000 (14:47 +0200)]

android: Allow configuration of a user certificate
Tobias Brunner [Tue, 28 Aug 2012 12:09:18 +0000 (14:09 +0200)]

android: Remove NOT NULL constraint from username column
Tobias Brunner [Tue, 28 Aug 2012 10:41:56 +0000 (12:41 +0200)]

android: Separate view added to select certificates
Tobias Brunner [Mon, 27 Aug 2012 15:58:09 +0000 (17:58 +0200)]

android: Don't try to load the profile with ID 0
Tobias Brunner [Mon, 27 Aug 2012 14:53:07 +0000 (16:53 +0200)]

android: Spinner added to select the VPN type
Tobias Brunner [Mon, 27 Aug 2012 14:51:41 +0000 (16:51 +0200)]

Merge branch 'multi-vip'
Martin Willi [Fri, 31 Aug 2012 10:55:56 +0000 (12:55 +0200)]

Brings support for multiple virtual IPs and multiple pools in
left/rightsourceip definitions. Also introduces the new left/rightdns
options to configure requested DNS server address family and respond
with multiple connection specific servers.

Merge branch 'eap-client-select'
Tobias Brunner [Fri, 31 Aug 2012 10:23:38 +0000 (12:23 +0200)]

This brings support for EAP-Nak payloads on the client (to select a
specific or supported method), and the server (via the eap-dynamic
plugin which selects a method supported/requested by the client).

NEWS about eap-dynamic plugin added
Tobias Brunner [Fri, 31 Aug 2012 10:16:43 +0000 (12:16 +0200)]

Documentation for eap-dynamic added
Tobias Brunner [Thu, 23 Aug 2012 14:21:22 +0000 (16:21 +0200)]

Log the proper type for virtual EAP methods
Tobias Brunner [Thu, 23 Aug 2012 14:10:47 +0000 (16:10 +0200)]

Added an option to prefer types sent by peer in eap-dynamic plugin
Tobias Brunner [Thu, 23 Aug 2012 14:02:51 +0000 (16:02 +0200)]

eap-dynamic plugin handles EAP-Nak messages and selects a method supported by the peer
Tobias Brunner [Thu, 23 Aug 2012 13:00:20 +0000 (15:00 +0200)]

Preferred EAP methods for eap-dynamic can be configured
Tobias Brunner [Thu, 23 Aug 2012 12:55:33 +0000 (14:55 +0200)]

The eap-dynamic plugin uses the first supported method as default
Tobias Brunner [Thu, 23 Aug 2012 12:47:27 +0000 (14:47 +0200)]

Added eap-dynamic plugin which can proxy any other EAP method
Tobias Brunner [Thu, 23 Aug 2012 12:42:23 +0000 (14:42 +0200)]

Use eap_vendor_type_from_string() in stroke
Tobias Brunner [Thu, 23 Aug 2012 08:16:37 +0000 (10:16 +0200)]

Function added that parses EAP method strings ([eap-]type[-vendor])
Tobias Brunner [Thu, 23 Aug 2012 08:00:11 +0000 (10:00 +0200)]

Added method to enumerate EAP types contained in an EAP-Nak
Tobias Brunner [Thu, 23 Aug 2012 07:06:47 +0000 (09:06 +0200)]

Encode EAP-Naks in expanded format if we got an expanded type request
Tobias Brunner [Thu, 23 Aug 2012 06:36:24 +0000 (08:36 +0200)]

Since methods defined by the IETF (vendor ID 0) could also be encoded in
expanded type format the previous check was insufficient.
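
The two EAP-Nak commits above (enumerating the types in a received Nak, and answering an expanded-type request with an expanded Nak because IETF types with vendor ID 0 may appear in expanded format too) describe a small wire format worth seeing end to end. The C below is an added example for this page, not strongSwan's eap_payload code: it encodes a Response/Nak in the legacy format (Type 3, one octet per IETF type) and in the expanded format of RFC 3748 (Type 254, Vendor-Id 0, Vendor-Type 3, then 8-octet expanded types), and parses either back, refusing a packet whose Length field claims more than was received. The sample methods (PEAP as IETF type 25 and a vendor method with Vendor-Id 0x137, type 12, both arbitrary), `demo_methods` and the `eap_nak_roundtrip` helper exist only for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define EAP_CODE_RESPONSE 2
#define EAP_TYPE_NAK      3    /* legacy Nak, RFC 3748 5.3.1 */
#define EAP_TYPE_EXPANDED 254  /* expanded type container, RFC 3748 5.7 */

/* an EAP method as (Vendor-Id, type); Vendor-Id 0 is an IETF type */
typedef struct { uint32_t vendor; uint32_t type; } eap_method_t;

static void put24(uint8_t *p, uint32_t v) { p[0] = (uint8_t)(v >> 16); p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v; }
static uint32_t get24(const uint8_t *p) { return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | p[2]; }
static uint32_t get32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }

/* Encode a Response/Nak listing the methods we would accept instead. Legacy format holds
 * one octet per IETF type; expanded format (Type 254, Vendor-Id 0, Vendor-Type 3) holds
 * 8-octet expanded types and so can also name vendor methods. An empty list is sent as
 * one zero entry ("no alternatives"). Returns the packet length, or 0 if the list cannot
 * be encoded in that format or does not fit into out. */
size_t eap_nak_build(uint8_t id, const eap_method_t *m, size_t count, bool expanded,
                     uint8_t *out, size_t outlen)
{
    size_t i, pos = 4, entries = count ? count : 1;
    size_t len = 5 + (expanded ? 7 + 8 * entries : entries);

    if (len > 0xffff || len > outlen) return 0;
    for (i = 0; !expanded && i < count; i++) {  /* legacy: single-octet IETF types only */
        if (m[i].vendor != 0 || m[i].type > 255) return 0;
    }
    out[0] = EAP_CODE_RESPONSE; out[1] = id; out[2] = (uint8_t)(len >> 8); out[3] = (uint8_t)len;
    if (!expanded) {
        out[pos++] = EAP_TYPE_NAK;
        if (count == 0) out[pos++] = 0;
        for (i = 0; i < count; i++) out[pos++] = (uint8_t)m[i].type;
        return pos;
    }
    out[pos++] = EAP_TYPE_EXPANDED;
    put24(out + pos, 0); pos += 3;             /* Vendor-Id: IETF */
    put32(out + pos, EAP_TYPE_NAK); pos += 4;  /* Vendor-Type: Nak */
    for (i = 0; i < entries; i++) {
        out[pos++] = EAP_TYPE_EXPANDED;
        put24(out + pos, count ? m[i].vendor : 0); pos += 3;
        put32(out + pos, count ? m[i].type : 0); pos += 4;
    }
    return pos;
}

/* Enumerate the methods in a Response/Nak of either format. Stores up to max entries in
 * out and returns the total found (more than max means the buffer was short), or -1 if
 * the packet is malformed or not a Nak. */
int eap_nak_parse(const uint8_t *pkt, size_t pktlen, eap_method_t *out, size_t max)
{
    size_t len, dlen, i, n = 0;
    const uint8_t *data;

    if (pktlen < 5) return -1;
    len = ((size_t)pkt[2] << 8) | pkt[3];
    /* never trust the Length field beyond the bytes that actually arrived */
    if (pkt[0] != EAP_CODE_RESPONSE || len < 5 || len > pktlen) return -1;
    data = pkt + 5; dlen = len - 5;
    if (pkt[4] == EAP_TYPE_NAK) {
        for (i = 0; i < dlen; i++) {
            /* 0 is "no alternatives"; 254 only announces expanded-type support */
            if (data[i] == 0 || data[i] == EAP_TYPE_EXPANDED) continue;
            if (n < max) { out[n].vendor = 0; out[n].type = data[i]; }
            n++;
        }
        return (int)n;
    }
    if (pkt[4] != EAP_TYPE_EXPANDED || dlen < 7) return -1;
    if (get24(data) != 0 || get32(data + 3) != EAP_TYPE_NAK) return -1;
    data += 7; dlen -= 7;
    if (dlen % 8 != 0) return -1;  /* every expanded type is exactly 8 octets */
    for (i = 0; i < dlen; i += 8) {
        uint32_t vendor = get24(data + i + 1), type = get32(data + i + 4);
        if (data[i] != EAP_TYPE_EXPANDED) return -1;
        if (vendor == 0 && type == 0) continue;  /* "no alternatives" */
        if (n < max) { out[n].vendor = vendor; out[n].type = type; }
        n++;
    }
    return (int)n;
}

/* Demo helper: encode m[0..count), check that a copy cut short by one octet is rejected,
 * parse the full packet back and compare. Returns the number of methods recovered, or -1
 * on any failure (for instance a vendor method that legacy format cannot carry). */
int eap_nak_roundtrip(const eap_method_t *m, size_t count, bool expanded)
{
    uint8_t pkt[256]; eap_method_t got[16]; int n;
    size_t i, len = eap_nak_build(0x2a, m, count, expanded, pkt, sizeof(pkt));

    if (len == 0 || eap_nak_parse(pkt, len - 1, got, 16) != -1) return -1;
    n = eap_nak_parse(pkt, len, got, 16);
    if (n < 0 || (size_t)n != count) return -1;
    for (i = 0; i < count; i++) {
        if (got[i].vendor != m[i].vendor || got[i].type != m[i].type) return -1;
    }
    return n;
}

/* constructed sample: PEAP (IETF type 25) and an arbitrary vendor method */
static const eap_method_t demo_methods[2] = { { 0, 25 }, { 0x137, 12 } };
```

`eap_nak_roundtrip(demo_methods, 2, true)` yields 2, the legacy call with only the PEAP entry yields 1, and asking for legacy format with the vendor method returns -1 because `eap_nak_build` refuses to encode a Vendor-Id other than 0 into single octets; that refusal is the server-side reason to switch to the expanded format whenever the request came as an expanded type.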

Allow clients to request a configured EAP method via EAP-Nak
Tobias Brunner [Tue, 21 Aug 2012 15:11:14 +0000 (17:11 +0200)]

Virtual EAP methods handle EAP-Naks themselves
Tobias Brunner [Tue, 21 Aug 2012 14:57:34 +0000 (16:57 +0200)]

Send EAP-Nak with supported types if requested type is unsupported
Tobias Brunner [Tue, 21 Aug 2012 14:54:21 +0000 (16:54 +0200)]

Filter invalid EAP authentication types when enumerating them
Tobias Brunner [Wed, 22 Aug 2012 15:01:13 +0000 (17:01 +0200)]

Valid authentication types defined by the IETF are 4-253 and 255.
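
The method-string parser from the "[eap-]type[-vendor]" commit and the validity filter from the commit directly above (IETF types 4-253 and 255 only) are shown together in this added C example written for this page; it is not strongSwan's eap_vendor_type_from_string() and its name table is a constructed subset of IANA-assigned EAP type names. Assumptions of the example: names are lower-case and denote IETF types, so a name followed by a vendor suffix is rejected; for vendor-specific types only a 24-bit Vendor-Id and a non-zero type are required; `parsed_type`, `parsed_vendor`, `demo_list` and `demo_filter_count` exist only for the demo and its checks.

```c
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { uint32_t vendor; uint32_t type; } eap_method_t;

/* constructed subset of IETF-assigned EAP type names with their IANA numbers;
 * the project's own keyword table is not reproduced here */
static const struct { const char *name; uint32_t type; } ietf_names[] = {
    { "md5", 4 }, { "otp", 5 }, { "gtc", 6 }, { "tls", 13 }, { "sim", 18 },
    { "ttls", 21 }, { "aka", 23 }, { "peap", 25 }, { "mschapv2", 26 },
};
#define N_NAMES (sizeof(ietf_names) / sizeof(ietf_names[0]))

/* IETF (vendor 0) authentication types are 4-253 and 255: 0 is unassigned, 1-3 are
 * Identity/Notification/Nak and 254 is the expanded-type container. For vendor types
 * only a 24-bit Vendor-Id and a non-zero type are required (an assumption here). */
bool eap_type_is_valid(uint32_t vendor, uint32_t type)
{
    if (vendor == 0) return (type >= 4 && type <= 253) || type == 255;
    return vendor <= 0xffffff && type != 0;
}

/* decimal parse of s[0..n) into a uint32_t, rejecting junk and overflow */
static bool parse_u32(const char *s, size_t n, uint32_t *out)
{
    char buf[11], *end; unsigned long v; size_t i;
    if (n == 0 || n > 10) return false;
    for (i = 0; i < n; i++) if (!isdigit((unsigned char)s[i])) return false;
    memcpy(buf, s, n); buf[n] = '\0';
    errno = 0;
    v = strtoul(buf, &end, 10);
    if (errno != 0 || *end != '\0' || v > UINT32_MAX) return false;
    *out = (uint32_t)v;
    return true;
}

/* Parse "[eap-]type[-vendor]": type is a known (lower-case) name or a decimal number;
 * an optional decimal suffix is the Vendor-Id of a vendor-specific type. Names denote
 * IETF types, so a name with a vendor suffix is rejected. Returns false unless the
 * result is a valid authentication method. */
bool eap_method_from_string(const char *str, uint32_t *type, uint32_t *vendor)
{
    const char *p = str, *dash; size_t i, n;
    if (strncmp(p, "eap-", 4) == 0) p += 4;
    dash = strchr(p, '-');
    n = dash ? (size_t)(dash - p) : strlen(p);
    *vendor = 0;
    if (dash && !parse_u32(dash + 1, strlen(dash + 1), vendor)) return false;
    if (!parse_u32(p, n, type)) {
        for (i = 0; i < N_NAMES; i++) {
            if (strlen(ietf_names[i].name) == n && strncmp(ietf_names[i].name, p, n) == 0) break;
        }
        if (i == N_NAMES || *vendor != 0) return false;
        *type = ietf_names[i].type;
    }
    return eap_type_is_valid(*vendor, *type);
}

/* Copy only the valid methods of in[0..n) to out, the way a configured list or the
 * types a peer requests would be filtered before use. Returns the number kept. */
size_t eap_filter_valid(const eap_method_t *in, size_t n, eap_method_t *out)
{
    size_t i, kept = 0;
    for (i = 0; i < n; i++) {
        if (eap_type_is_valid(in[i].vendor, in[i].type)) out[kept++] = in[i];
    }
    return kept;
}

/* demo helpers: 0 when the string is rejected */
uint32_t parsed_type(const char *s) { uint32_t t, v; return eap_method_from_string(s, &t, &v) ? t : 0; }
uint32_t parsed_vendor(const char *s) { uint32_t t, v; return eap_method_from_string(s, &t, &v) ? v : 0; }

/* constructed list: Identity, Nak, PEAP, the expanded container, 255, unassigned 0 and
 * a vendor type with an arbitrary Vendor-Id; only three of the seven are real methods */
static const eap_method_t demo_list[] = {
    { 0, 1 }, { 0, 3 }, { 0, 25 }, { 0, 254 }, { 0, 255 }, { 0, 0 }, { 12345, 1 },
};

size_t demo_filter_count(void)
{
    eap_method_t kept[8];
    return eap_filter_valid(demo_list, sizeof(demo_list) / sizeof(demo_list[0]), kept);
}

int main(void)
{
    const char *in[] = { "eap-peap", "md5", "eap-13", "eap-7-12345", "eap-3", "eap-254", "eap-peap-5" };
    size_t i;
    for (i = 0; i < sizeof(in) / sizeof(in[0]); i++)
        printf("%-12s -> type %u vendor %u (type 0 = rejected)\n", in[i],
               (unsigned)parsed_type(in[i]), (unsigned)parsed_vendor(in[i]));
    printf("%u of 7 demo entries are valid methods\n", (unsigned)demo_filter_count());
    return 0;
}
```

Note that the range check runs on every path: a configured "eap-3" or "eap-254" is refused at parse time, and a list that already holds numeric pairs (for example the types a peer put into a Nak) goes through `eap_filter_valid`, so pseudo or reserved types never reach method selection.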

Move our pseudo EAP types out of the range of valid EAP methods
Tobias Brunner [Fri, 31 Aug 2012 09:31:48 +0000 (11:31 +0200)]

version bump to 5.0.1dr4
Andreas Steffen [Fri, 31 Aug 2012 00:47:19 +0000 (02:47 +0200)]

Added multiple left/rightsourceip NEWS
Martin Willi [Mon, 27 Aug 2012 14:52:22 +0000 (16:52 +0200)]

Added NEWS for left/rightdns options
Martin Willi [Mon, 27 Aug 2012 14:44:35 +0000 (16:44 +0200)]

Updated ipsec.conf.5 with multiple left/rightsourceip support
Martin Willi [Mon, 27 Aug 2012 14:58:10 +0000 (16:58 +0200)]

Added a note to _updown for the new PLUTO_MY_SOURCEIP* variables
Martin Willi [Mon, 27 Aug 2012 14:39:55 +0000 (16:39 +0200)]

Be less verbose if IP allocation for a single pool fails
Martin Willi [Mon, 27 Aug 2012 14:31:38 +0000 (16:31 +0200)]

DHCP plugin returns virtual IPs for IPv4 requests only
Martin Willi [Mon, 27 Aug 2012 14:26:28 +0000 (16:26 +0200)]

Check address family in HA virtual IP backend
Martin Willi [Mon, 27 Aug 2012 14:26:01 +0000 (16:26 +0200)]

Strictly enforce address family match while acquiring mem_pool IPs
Martin Willi [Mon, 27 Aug 2012 14:24:44 +0000 (16:24 +0200)]

Don't parse comma separated pool names in attr-sql
Martin Willi [Mon, 27 Aug 2012 14:01:16 +0000 (16:01 +0200)]

We now handle multiple pools at a deeper level, making that special
handling obsolete. Comma separated pools are parsed in stroke.

Handle comma separated pools as multiple pool names in SQL plugin
Martin Willi [Mon, 27 Aug 2012 14:00:13 +0000 (16:00 +0200)]

Request and acquire multiple virtual IPs in IKEv1 Mode Config
Martin Willi [Mon, 27 Aug 2012 13:42:50 +0000 (15:42 +0200)]

Request and acquire multiple virtual IPs in IKEv2 configuration payload
Martin Willi [Mon, 27 Aug 2012 13:34:10 +0000 (15:34 +0200)]