strongswan.git
8 years ago: Check if we actually have a packet before retransmitting it
Martin Willi [Tue, 21 Feb 2012 09:23:20 +0000 (10:23 +0100)]

8 years ago: Use a single set of FDs for all random plugin RNG instances
Martin Willi [Tue, 21 Feb 2012 09:22:48 +0000 (10:22 +0100)]

8 years ago: Parse IKEv1 Cisco Load Balancing notify (can't act on it yet).
Tobias Brunner [Fri, 3 Feb 2012 11:58:11 +0000 (12:58 +0100)]

8 years ago: Fixed transform numbering in IKEv1 proposal.
Tobias Brunner [Fri, 3 Feb 2012 11:56:30 +0000 (12:56 +0100)]

8 years ago: Compiler warning fixed.
Tobias Brunner [Fri, 3 Feb 2012 11:56:14 +0000 (12:56 +0100)]

8 years ago: Use correct enum values to detect three message tasks for retransmission
Martin Willi [Thu, 2 Feb 2012 09:49:19 +0000 (10:49 +0100)]

8 years ago: Trigger DPD not before IKE_SA state gets updated
Martin Willi [Thu, 2 Feb 2012 09:33:40 +0000 (10:33 +0100)]

8 years ago: Fix mapping of IKEv1 encapsulation mode
Martin Willi [Tue, 24 Jan 2012 12:31:37 +0000 (13:31 +0100)]

8 years ago: Use UDP encapsulation even in non-NAT situation if initiator requests it
Martin Willi [Mon, 23 Jan 2012 14:11:13 +0000 (15:11 +0100)]

8 years ago: Updated ipsec.conf man page for the use of IKEv1 with pluto
Martin Willi [Mon, 23 Jan 2012 13:35:57 +0000 (14:35 +0100)]

8 years ago: Support inactivity timeout in IKEv1 CHILD_SAs
Martin Willi [Mon, 23 Jan 2012 12:49:56 +0000 (13:49 +0100)]

8 years ago: Use a dedicated PRF for HASH/SIG payloads using ECDSA specific hasher
Martin Willi [Mon, 23 Jan 2012 11:46:46 +0000 (12:46 +0100)]

8 years ago: Select public key auth method by checking what key we have
Martin Willi [Mon, 23 Jan 2012 11:28:55 +0000 (12:28 +0100)]

8 years ago: Support ECDSA signatures in IKEv1 pubkey authenticator
Martin Willi [Mon, 23 Jan 2012 11:27:57 +0000 (12:27 +0100)]

8 years ago: Exchange certificates when using IKEv1 ECDSA authentication
Martin Willi [Mon, 23 Jan 2012 11:26:42 +0000 (12:26 +0100)]

8 years ago: Accept NULL auth_cfg_t passed to credential_manager_t.get_private()
Martin Willi [Mon, 23 Jan 2012 11:25:38 +0000 (12:25 +0100)]

8 years ago: Support encoding of IKEv1 ECDSA proposals
Martin Willi [Mon, 23 Jan 2012 11:25:00 +0000 (12:25 +0100)]

8 years ago: Dropped support of deprecated authby=eap and eap= options
Martin Willi [Fri, 20 Jan 2012 15:03:18 +0000 (16:03 +0100)]

8 years ago: Added support for authby/xauth_server legacy options
Martin Willi [Fri, 20 Jan 2012 14:33:26 +0000 (15:33 +0100)]

8 years ago: Renamed CONFIGURATION_ATTRIBUTE_LENGTH to streamline it with other ATTRIBUTE rules
Martin Willi [Fri, 20 Jan 2012 14:00:06 +0000 (15:00 +0100)]

8 years ago: Use ATTRIBUTE_VALUE rule in configuration attribute to parse it with correct length
Martin Willi [Fri, 20 Jan 2012 13:57:18 +0000 (14:57 +0100)]

8 years ago: Don't re-resolve addresses during initiate if they have already been set
Martin Willi [Fri, 20 Jan 2012 12:54:39 +0000 (13:54 +0100)]

8 years ago: Adopt children after syncing a rekeyed IKEv1 SA
Martin Willi [Fri, 20 Jan 2012 12:42:37 +0000 (13:42 +0100)]

8 years ago: Synchronize IKEv1 DPD sequence numbers
Martin Willi [Fri, 20 Jan 2012 11:23:46 +0000 (12:23 +0100)]

8 years ago: Setting message ID on task manager sets DPD sequence numbers in IKEv1
Martin Willi [Fri, 20 Jan 2012 11:22:56 +0000 (12:22 +0100)]

8 years ago: Update state before triggering DPD, as we cancel it if PASSIVE
Martin Willi [Fri, 20 Jan 2012 11:21:48 +0000 (12:21 +0100)]

8 years ago: Set thread specific SA on bus for each enumerated IKE_SA
Martin Willi [Fri, 20 Jan 2012 11:21:13 +0000 (12:21 +0100)]

8 years ago: Sync remote virtual IP for IKEv1 SAs
Martin Willi [Fri, 20 Jan 2012 10:36:26 +0000 (11:36 +0100)]

8 years ago: Sync new IKE_SA condition/extension flags
Martin Willi [Fri, 20 Jan 2012 10:23:27 +0000 (11:23 +0100)]

8 years ago: Added support for Phase1 IV synchronization to HA plugin
Martin Willi [Thu, 19 Jan 2012 15:34:59 +0000 (16:34 +0100)]

8 years ago: Invoke bus_t.message hook twice, once plain and parsed, once encoded and encrypted
Martin Willi [Thu, 19 Jan 2012 15:22:25 +0000 (16:22 +0100)]

8 years ago: Create IKEv1 keymat hasher explicitly on sync
Martin Willi [Thu, 19 Jan 2012 14:55:29 +0000 (15:55 +0100)]

8 years ago: Clear initiator flag when checking out initial IKEv1 SA from message
Martin Willi [Thu, 19 Jan 2012 14:54:38 +0000 (15:54 +0100)]

8 years ago: Added support to sync IKEv1 SAs key material in HA plugin
Martin Willi [Thu, 19 Jan 2012 10:11:22 +0000 (11:11 +0100)]

8 years ago: Pass IKEv1 specific keymat to ike_keys hook
Martin Willi [Wed, 18 Jan 2012 17:34:07 +0000 (18:34 +0100)]

8 years ago: Use a more complete implementation of a HA specific diffie_hellman_t
Martin Willi [Wed, 18 Jan 2012 17:24:48 +0000 (18:24 +0100)]

8 years ago: Show IKE version in ipsec statusall
Martin Willi [Wed, 18 Jan 2012 16:50:07 +0000 (17:50 +0100)]

8 years ago: Apply proposal to a HA synced IKE_SA
Martin Willi [Wed, 18 Jan 2012 16:49:52 +0000 (17:49 +0100)]

8 years ago: Set selected proposal on IKEv1 SA, don't pass it separately to Phase 1 helper
Martin Willi [Wed, 18 Jan 2012 16:42:06 +0000 (17:42 +0100)]

8 years ago: Updated HA plugin to new IKEv2 specific keymat functions
Martin Willi [Wed, 18 Jan 2012 16:24:31 +0000 (17:24 +0100)]

8 years ago: Get a reference for the child_cfg passed to child_create_create()
Martin Willi [Wed, 18 Jan 2012 16:24:08 +0000 (17:24 +0100)]

8 years ago: Invoke bus_t.narrow hook in quick mode exchange
Martin Willi [Wed, 18 Jan 2012 12:28:15 +0000 (13:28 +0100)]

8 years ago: Invoke authorization hooks for IKEv1 connections
Martin Willi [Wed, 18 Jan 2012 12:12:07 +0000 (13:12 +0100)]

8 years ago: Invoke ike_updown hooks for reauthenticated IKEv1 SAs
Martin Willi [Mon, 16 Jan 2012 15:47:18 +0000 (16:47 +0100)]

8 years ago: Don't invoke a child_updown hook when a quick mode to delete has been rekeyed
Martin Willi [Mon, 16 Jan 2012 15:18:01 +0000 (16:18 +0100)]

8 years ago: Invoke child_rekey hook instead of child_updown when rekeying a quick mode
Martin Willi [Mon, 16 Jan 2012 15:17:27 +0000 (16:17 +0100)]

8 years ago: Don't invoke updown hook when flushing SAs for IKEv1, tasks will do it
Martin Willi [Mon, 16 Jan 2012 14:57:46 +0000 (15:57 +0100)]

8 years ago: Fix "incoming" flag passed to bus_t.message() hook
Martin Willi [Mon, 16 Jan 2012 14:31:53 +0000 (15:31 +0100)]

8 years ago: Continue with next exchange after sending an INFORMATIONAL
Martin Willi [Fri, 13 Jan 2012 08:27:26 +0000 (09:27 +0100)]

8 years ago: Handle retransmission of DPD exchange, both as initiator and responder
Martin Willi [Tue, 10 Jan 2012 18:13:58 +0000 (19:13 +0100)]

8 years ago: Disable DPD checking for peers not supporting it
Martin Willi [Tue, 10 Jan 2012 16:40:07 +0000 (17:40 +0100)]

8 years ago: Added missing DPD task name
Martin Willi [Tue, 10 Jan 2012 16:28:25 +0000 (17:28 +0100)]

8 years ago: Confirm message reception time only if DPD sequence number valid
Martin Willi [Tue, 10 Jan 2012 16:26:42 +0000 (17:26 +0100)]

8 years ago: Simplified DPD handling by using a task for a single message only
Martin Willi [Tue, 10 Jan 2012 16:21:52 +0000 (17:21 +0100)]

8 years ago: Added missing short enum names for DPD notify types
Martin Willi [Tue, 10 Jan 2012 16:10:22 +0000 (17:10 +0100)]

8 years ago: Print IKEv1 notify types in message summary
Martin Willi [Tue, 10 Jan 2012 16:09:47 +0000 (17:09 +0100)]

8 years ago: Support IKEv1 notifies in message_t.get_notify()
Martin Willi [Tue, 10 Jan 2012 16:09:20 +0000 (17:09 +0100)]

8 years ago: Check if we have an RNG for IKEv1 task manager before using it
Martin Willi [Tue, 10 Jan 2012 15:02:46 +0000 (16:02 +0100)]

8 years ago: Remove unused DPD sequence number getter on task manager
Martin Willi [Tue, 10 Jan 2012 14:44:17 +0000 (15:44 +0100)]

8 years ago: Don't retransmit, rekey, reauth or DPD check SAs when in PASSIVE state
Martin Willi [Tue, 10 Jan 2012 12:32:06 +0000 (13:32 +0100)]

8 years ago: Send DPD vendor ID
Clavister OpenSource [Tue, 10 Jan 2012 13:38:01 +0000 (14:38 +0100)]

8 years ago: Isakmp_dpd task added.
Clavister OpenSource [Tue, 10 Jan 2012 13:37:39 +0000 (14:37 +0100)]

8 years ago: DPD_R_U_THERE defines added
Clavister OpenSource [Tue, 10 Jan 2012 13:31:51 +0000 (14:31 +0100)]

8 years ago: Request and handle retransmission of a lost third aggressive mode message
Martin Willi [Tue, 10 Jan 2012 10:37:06 +0000 (11:37 +0100)]

8 years ago: Streamlined debug output when initiating IKEv1 IKE_SAs
Martin Willi [Tue, 10 Jan 2012 10:23:04 +0000 (11:23 +0100)]

8 years ago: Accept unencrypted Aggressive Mode messages.
Tobias Brunner [Tue, 10 Jan 2012 09:58:29 +0000 (10:58 +0100)]

Racoon does not encrypt the third message during Aggressive Mode.

8 years ago: Enforce encapsulation mode of configuration, in case initiator proposes both
Martin Willi [Mon, 9 Jan 2012 17:12:17 +0000 (18:12 +0100)]

8 years ago: Added an "aggressive" ipsec.conf connection option
Martin Willi [Mon, 9 Jan 2012 16:44:43 +0000 (17:44 +0100)]

8 years ago: Handle aggressive mode task in IKEv1 task manager
Martin Willi [Mon, 9 Jan 2012 16:35:02 +0000 (16:35 +0000)]

8 years ago: Select IKEv1 configurations by main/aggressive mode option
Martin Willi [Mon, 9 Jan 2012 16:33:15 +0000 (16:33 +0000)]

8 years ago: Added an aggressive mode peer_cfg option
Martin Willi [Mon, 9 Jan 2012 16:32:41 +0000 (16:32 +0000)]

8 years ago: Fix sending of CERTREQ/CERT payloads in aggressive mode
Martin Willi [Mon, 9 Jan 2012 16:10:48 +0000 (17:10 +0100)]

8 years ago: Encrypt payloads of third aggressive mode message
Martin Willi [Mon, 9 Jan 2012 16:10:18 +0000 (17:10 +0100)]

8 years ago: Implemented aggressive mode using Phase 1 helper class
Martin Willi [Mon, 9 Jan 2012 16:09:38 +0000 (17:09 +0100)]

8 years ago: Make use of the new Phase 1 helper class in main mode
Martin Willi [Mon, 9 Jan 2012 16:05:16 +0000 (17:05 +0100)]

8 years ago: Implemented a common Phase 1 helper class to use by main and aggressive modes
Martin Willi [Mon, 9 Jan 2012 16:04:41 +0000 (17:04 +0100)]

8 years ago: Fix error handling if no PSK found for main mode
Martin Willi [Mon, 9 Jan 2012 12:41:35 +0000 (13:41 +0100)]

8 years ago: Install quick mode CHILD_SAs with negotiated encapsulation mode
Martin Willi [Thu, 5 Jan 2012 14:02:40 +0000 (15:02 +0100)]

8 years ago: Support IKEv1 proposal encodings having both lifebytes and a lifetime
Martin Willi [Wed, 4 Jan 2012 13:43:15 +0000 (14:43 +0100)]

8 years ago: Try to detect reauthentication as responder and adopt children to new SA
Martin Willi [Wed, 4 Jan 2012 16:51:22 +0000 (17:51 +0100)]

8 years ago: Destroy IKE_SA after reauthentication initiated and lifetime limit reached
Martin Willi [Wed, 4 Jan 2012 16:50:19 +0000 (17:50 +0100)]

8 years ago: Added an IKE_SA manager method to enumerate IKE_SA IDs filtered by identities
Martin Willi [Tue, 3 Jan 2012 15:23:37 +0000 (16:23 +0100)]

8 years ago: Query for XAuth identity in get_other_eap_id(), too
Martin Willi [Wed, 4 Jan 2012 16:32:41 +0000 (17:32 +0100)]

8 years ago: Set ISAKMP SA state to rekeying after triggering reauthentication
Martin Willi [Tue, 3 Jan 2012 13:47:44 +0000 (14:47 +0100)]

8 years ago: Include peer config overtime in negotiated ISAKMP SA lifetime
Martin Willi [Tue, 3 Jan 2012 12:33:18 +0000 (13:33 +0100)]

8 years ago: Initiate IKEv1 reauthentication, take over all children
Martin Willi [Tue, 3 Jan 2012 11:00:12 +0000 (12:00 +0100)]

8 years ago: Establish IKE_SA only once as XAuth responder
Martin Willi [Tue, 3 Jan 2012 10:59:21 +0000 (11:59 +0100)]

8 years ago: Support initiation of childless IKEv1 ISAKMP SAs
Martin Willi [Tue, 3 Jan 2012 10:58:40 +0000 (11:58 +0100)]

8 years ago: Don't trigger reauthentication if initiator authenticated using XAuth
Martin Willi [Tue, 3 Jan 2012 10:28:45 +0000 (11:28 +0100)]

8 years ago: Set a condition flag if peer has been authenticated using XAuth
Martin Willi [Tue, 3 Jan 2012 10:27:41 +0000 (11:27 +0100)]

8 years ago: Queue Mode Config tasks after main mode as initiator, not as responder
Martin Willi [Tue, 3 Jan 2012 10:57:35 +0000 (11:57 +0100)]

8 years ago: Setting Mode Cfg identifier for CFG_ACK messages.
Clavister OpenSource [Wed, 28 Dec 2011 23:06:12 +0000 (00:06 +0100)]

8 years ago: Add functions to set mode cfg identifier
Clavister OpenSource [Wed, 28 Dec 2011 23:05:04 +0000 (00:05 +0100)]

8 years ago: Try all matching XAuth secrets we find, not only the first one
Martin Willi [Mon, 2 Jan 2012 15:38:47 +0000 (16:38 +0100)]

8 years ago: Fixed create_shared_enumerator method description
Martin Willi [Mon, 2 Jan 2012 15:38:30 +0000 (16:38 +0100)]

8 years ago: As responder, try to reuse the reqid of the CHILD_SA the initiator is rekeying
Martin Willi [Mon, 2 Jan 2012 15:36:39 +0000 (16:36 +0100)]

8 years ago: Reply quick mode with the same SA lifetime that we received
Martin Willi [Mon, 2 Jan 2012 14:49:20 +0000 (15:49 +0100)]

8 years ago: Do not query CHILD_SA during delete if they already expired
Martin Willi [Mon, 2 Jan 2012 14:40:31 +0000 (15:40 +0100)]

8 years ago: Be less verbose when deleting SAs triggered by a hard expire
Martin Willi [Mon, 2 Jan 2012 14:39:16 +0000 (15:39 +0100)]

8 years ago: Implemented CHILD_SA rekeying
Martin Willi [Mon, 2 Jan 2012 13:27:10 +0000 (14:27 +0100)]