strongswan.git
10 years agoAdded an option to rename the ipsec script during installation
Tobias Brunner [Tue, 19 Jun 2012 15:12:53 +0000 (17:12 +0200)]
Added an option to rename the ipsec script during installation

Also rename the man page and adjust all references in the script, the
man page and other files.

Closes #194.

10 years agoRemoved -o argument when creating .../ipsec.d with install
Tobias Brunner [Tue, 19 Jun 2012 15:26:54 +0000 (17:26 +0200)]
Removed -o argument when creating .../ipsec.d with install

This should have been removed with 2b52d5cb41.

10 years agoUpdated ipsec script man page after removing pluto
Tobias Brunner [Tue, 19 Jun 2012 14:09:50 +0000 (16:09 +0200)]
Updated ipsec script man page after removing pluto

10 years agoUse mac_t and PRF and signer wrappers in cmac plugin
Tobias Brunner [Mon, 25 Jun 2012 11:00:57 +0000 (13:00 +0200)]
Use mac_t and PRF and signer wrappers in cmac plugin

10 years agoUse mac_t and PRF and signer wrappers in xcbc plugin
Tobias Brunner [Mon, 25 Jun 2012 10:50:55 +0000 (12:50 +0200)]
Use mac_t and PRF and signer wrappers in xcbc plugin

10 years agoMake the hmac_t interface a generic interface for message authentication codes
Tobias Brunner [Mon, 25 Jun 2012 09:37:04 +0000 (11:37 +0200)]
Make the hmac_t interface a generic interface for message authentication codes

10 years agoSimplified creation of PRFs and signers in openssl and hmac plugins
Tobias Brunner [Fri, 22 Jun 2012 09:30:46 +0000 (11:30 +0200)]
Simplified creation of PRFs and signers in openssl and hmac plugins

10 years agoFunction to convert PRFs to hash algorithms added
Tobias Brunner [Fri, 22 Jun 2012 09:28:43 +0000 (11:28 +0200)]
Function to convert PRFs to hash algorithms added

10 years agohasher_algorithm_from_integrity() optionally returns truncation length
Tobias Brunner [Fri, 22 Jun 2012 09:28:10 +0000 (11:28 +0200)]
hasher_algorithm_from_integrity() optionally returns truncation length

10 years agoUse simple wrappers for HMAC based PRF and signer in openssl plugin
Tobias Brunner [Fri, 22 Jun 2012 08:52:20 +0000 (10:52 +0200)]
Use simple wrappers for HMAC based PRF and signer in openssl plugin

10 years agoUse simple wrappers for HMAC based PRF and signer in hmac plugin
Tobias Brunner [Fri, 22 Jun 2012 08:38:37 +0000 (10:38 +0200)]
Use simple wrappers for HMAC based PRF and signer in hmac plugin

10 years agoSimple wrappers for HMAC based prf_t and signer_t implementations added
Tobias Brunner [Fri, 22 Jun 2012 07:39:09 +0000 (09:39 +0200)]
Simple wrappers for HMAC based prf_t and signer_t implementations added

10 years agoRefactored OpenSSL based HMAC implementation
Tobias Brunner [Thu, 21 Jun 2012 11:10:26 +0000 (13:10 +0200)]
Refactored OpenSSL based HMAC implementation

10 years agoAdding OpenSSL HMAC signer functions to openssl plugin
Aleksandr Grinberg [Wed, 20 Jun 2012 20:46:21 +0000 (13:46 -0700)]
Adding OpenSSL HMAC signer functions to openssl plugin

10 years agoAdding OpenSSL HMAC pseudo random functions to openssl plugin
Aleksandr Grinberg [Wed, 20 Jun 2012 20:43:47 +0000 (13:43 -0700)]
Adding OpenSSL HMAC pseudo random functions to openssl plugin

10 years agoAdding OpenSSL random number functions to openssl plugin
Aleksandr Grinberg [Wed, 20 Jun 2012 20:39:37 +0000 (13:39 -0700)]
Adding OpenSSL random number functions to openssl plugin

10 years agoFixed IPv6 source address lookup
Tobias Brunner [Mon, 18 Jun 2012 10:01:10 +0000 (12:01 +0200)]
Fixed IPv6 source address lookup

Because Linux kernels prior to 3.0 do not support RTA_PREFSRC for
IPv6 routes we didn't use NLM_F_DUMP to get all routes.
Still routes installed with policies are installed also for IPv6.
So since only one route is returned without DUMP, and we ignore
all routes from our own routing table, no source address was found
during roaming if DST of the installed route included the IKE peer.

With newer kernels we can now use DUMP as we did for IPv4 already,
for older kernels we do so if our own routes are installed in a
separate routing table, otherwise we still use GET.

10 years agoupdated default configuration of UML hosts to 5.0.0
Andreas Steffen [Mon, 25 Jun 2012 11:04:55 +0000 (13:04 +0200)]
updated default configuration of UML hosts to 5.0.0

10 years agoadded charon.cisco_unity to strongswan.conf.5 man page
Andreas Steffen [Mon, 25 Jun 2012 09:47:40 +0000 (11:47 +0200)]
added charon.cisco_unity to strongswan.conf.5 man page

10 years agosupport Cisco Unity VID
Andreas Steffen [Mon, 25 Jun 2012 09:00:12 +0000 (11:00 +0200)]
support Cisco Unity VID

10 years agoEnable xauth-generic by default but don't build it if IKEv1 is disabled
Tobias Brunner [Mon, 25 Jun 2012 09:07:49 +0000 (11:07 +0200)]
Enable xauth-generic by default but don't build it if IKEv1 is disabled

10 years agoRemove CREDITS from distribution
Tobias Brunner [Mon, 25 Jun 2012 09:07:35 +0000 (11:07 +0200)]
Remove CREDITS from distribution

10 years agoThe AUTHORS file is required by automake
Tobias Brunner [Mon, 25 Jun 2012 08:59:27 +0000 (10:59 +0200)]
The AUTHORS file is required by automake

10 years agoLICENSE file updated
Tobias Brunner [Thu, 21 Jun 2012 16:14:43 +0000 (18:14 +0200)]
LICENSE file updated

10 years agoldaphost and ldapbase ca section keywords are deprecated
Tobias Brunner [Thu, 21 Jun 2012 16:04:18 +0000 (18:04 +0200)]
ldaphost and ldapbase ca section keywords are deprecated

10 years agoRemoved pluto-specifics from ipsec script
Tobias Brunner [Thu, 21 Jun 2012 15:58:59 +0000 (17:58 +0200)]
Removed pluto-specifics from ipsec script

10 years agoREADME file cleaned up and updated
Tobias Brunner [Thu, 21 Jun 2012 15:55:08 +0000 (17:55 +0200)]
README file cleaned up and updated

10 years agoEnforce uniqueids=keep based on XAuth identity
Martin Willi [Thu, 14 Jun 2012 13:25:11 +0000 (15:25 +0200)]
Enforce uniqueids=keep based on XAuth identity

10 years agoDon't send XAUTH_OK if a hook prevents SA to establish
Martin Willi [Thu, 14 Jun 2012 13:23:57 +0000 (15:23 +0200)]
Don't send XAUTH_OK if a hook prevents SA to establish

10 years agoEnforce uniqueids=keep only for non-XAuth Main/Agressive Modes
Martin Willi [Thu, 14 Jun 2012 13:08:37 +0000 (15:08 +0200)]
Enforce uniqueids=keep only for non-XAuth Main/Agressive Modes

10 years agoShow EAP/XAuth identity in "ipsec status", if available
Martin Willi [Thu, 14 Jun 2012 13:07:44 +0000 (15:07 +0200)]
Show EAP/XAuth identity in "ipsec status", if available

10 years agoUse XAuth/EAP remote identity for uniqueness check
Martin Willi [Thu, 14 Jun 2012 12:47:40 +0000 (14:47 +0200)]
Use XAuth/EAP remote identity for uniqueness check

10 years agoAdd missing XAuth name variable when complaining about missing XAuth backend
Martin Willi [Mon, 25 Jun 2012 08:09:27 +0000 (10:09 +0200)]
Add missing XAuth name variable when complaining about missing XAuth backend

10 years agoremoved AUTHORS and CREDITS
Andreas Steffen [Mon, 25 Jun 2012 06:45:10 +0000 (08:45 +0200)]
removed AUTHORS and CREDITS

10 years agosome copyright additions
Andreas Steffen [Sat, 23 Jun 2012 10:09:29 +0000 (12:09 +0200)]
some copyright additions

10 years agoupdate copyright
Andreas Steffen [Sat, 23 Jun 2012 09:57:42 +0000 (11:57 +0200)]
update copyright

10 years agoversion bump to 5.0.0
Andreas Steffen [Sat, 23 Jun 2012 09:32:54 +0000 (11:32 +0200)]
version bump to 5.0.0

10 years agoFix SIGSEGV if kernel install fails during Quick Mode as responder.
Tobias Brunner [Thu, 7 Jun 2012 12:59:20 +0000 (14:59 +0200)]
Fix SIGSEGV if kernel install fails during Quick Mode as responder.

10 years agoadapted description to IKEv2
Andreas Steffen [Fri, 22 Jun 2012 07:53:25 +0000 (09:53 +0200)]
adapted description to IKEv2

10 years agoFixed compile error because of charon->name in certexpire plugin.
Tobias Brunner [Thu, 21 Jun 2012 11:59:18 +0000 (13:59 +0200)]
Fixed compile error because of charon->name in certexpire plugin.

10 years agofixed typo
Andreas Steffen [Wed, 20 Jun 2012 09:15:09 +0000 (11:15 +0200)]
fixed typo

10 years agoadded ipv6/rw-ip6-in-ip4-ikev1 scenario
Andreas Steffen [Wed, 20 Jun 2012 09:13:20 +0000 (11:13 +0200)]
added ipv6/rw-ip6-in-ip4-ikev1 scenario

10 years agoadded ipv6/rw-ip6-in-ip4-ikev2 scenario
Andreas Steffen [Wed, 20 Jun 2012 09:03:51 +0000 (11:03 +0200)]
added ipv6/rw-ip6-in-ip4-ikev2 scenario

10 years agoSelect requested virtual IP family based on remote TS, if no local TS available
Martin Willi [Wed, 20 Jun 2012 08:01:05 +0000 (10:01 +0200)]
Select requested virtual IP family based on remote TS, if no local TS available

10 years agoupgraded UML options to 5.0.0
Andreas Steffen [Tue, 19 Jun 2012 17:34:26 +0000 (19:34 +0200)]
upgraded UML options to 5.0.0

10 years agoDoxygen fix in PKCS#7 wrapper
Tobias Brunner [Tue, 19 Jun 2012 11:32:24 +0000 (13:32 +0200)]
Doxygen fix in PKCS#7 wrapper

10 years agosleep one second more
Andreas Steffen [Tue, 19 Jun 2012 04:18:05 +0000 (06:18 +0200)]
sleep one second more

10 years agouse socket-default in scenario
Andreas Steffen [Tue, 19 Jun 2012 04:17:37 +0000 (06:17 +0200)]
use socket-default in scenario

10 years agoadded ikev1/xauth-id-rsa-hybrid scenario
Andreas Steffen [Mon, 18 Jun 2012 20:51:50 +0000 (22:51 +0200)]
added ikev1/xauth-id-rsa-hybrid scenario

10 years agoadded ikev1/xauth-id-rsa-aggressive scenario
Andreas Steffen [Mon, 18 Jun 2012 20:30:26 +0000 (22:30 +0200)]
added ikev1/xauth-id-rsa-aggressive scenario

10 years agoadded secret as valid authby argument
Andreas Steffen [Mon, 18 Jun 2012 20:11:18 +0000 (22:11 +0200)]
added secret as valid authby argument

10 years agorsasig is not recognized as authentication method
Andreas Steffen [Mon, 18 Jun 2012 20:03:36 +0000 (22:03 +0200)]
rsasig is not recognized as authentication method

10 years agoenable potentially unsafe aggressive mode
Andreas Steffen [Mon, 18 Jun 2012 19:34:48 +0000 (21:34 +0200)]
enable potentially unsafe aggressive mode

10 years agochange ikev1/xauth scenarios to modern notation
Andreas Steffen [Mon, 18 Jun 2012 19:22:01 +0000 (21:22 +0200)]
change ikev1/xauth scenarios to modern notation

10 years agotesting: List IPv6 routing table in IPv6 test cases.
Tobias Brunner [Fri, 15 Jun 2012 13:19:23 +0000 (15:19 +0200)]
testing: List IPv6 routing table in IPv6 test cases.

10 years agoNLM_F_DUMP includes NLM_F_ROOT.
Tobias Brunner [Fri, 15 Jun 2012 10:50:30 +0000 (12:50 +0200)]
NLM_F_DUMP includes NLM_F_ROOT.

10 years agoDon't create roam jobs based on cached/cloned routes.
Tobias Brunner [Fri, 15 Jun 2012 10:27:26 +0000 (12:27 +0200)]
Don't create roam jobs based on cached/cloned routes.

10 years agoDon't compare ports when comparing cached routes.
Tobias Brunner [Fri, 15 Jun 2012 09:43:21 +0000 (11:43 +0200)]
Don't compare ports when comparing cached routes.

At least src_ip has a port set sometimes.

10 years agostarter: Fixed parsing of %defaultroute.
Tobias Brunner [Fri, 15 Jun 2012 08:32:15 +0000 (10:32 +0200)]
starter: Fixed parsing of %defaultroute.

10 years agoAdopt children as XAuth initiator (which is IKE responder)
Martin Willi [Thu, 14 Jun 2012 12:46:48 +0000 (14:46 +0200)]
Adopt children as XAuth initiator (which is IKE responder)

10 years agoAdded 5.0 NEWS about IKEv1 in charon
Martin Willi [Thu, 14 Jun 2012 08:57:29 +0000 (10:57 +0200)]
Added 5.0 NEWS about IKEv1 in charon

10 years agoPrint the kind of *Swan during starter startup
Martin Willi [Wed, 13 Jun 2012 10:18:25 +0000 (12:18 +0200)]
Print the kind of *Swan during starter startup

10 years agoShow what kind of *Swan we run in "ipsec status"
Martin Willi [Wed, 13 Jun 2012 10:11:55 +0000 (12:11 +0200)]
Show what kind of *Swan we run in "ipsec status"

10 years agoRequire a scary option to respond to Aggressive Mode PSK requests
Martin Willi [Wed, 13 Jun 2012 07:32:28 +0000 (09:32 +0200)]
Require a scary option to respond to Aggressive Mode PSK requests

While Aggressive Mode PSK is widely used, it is known to be subject
to dictionary attacks by passive attackers. We don't complain as
initiator to be compatible with existing (insecure) setups, but
require a scary strongswan.conf option if someone wants to use it
as responder.

10 years agothanks to narrowing treat right|leftsubnetwithin as synonyms for right|leftsubnet
Andreas Steffen [Thu, 14 Jun 2012 05:55:12 +0000 (07:55 +0200)]
thanks to narrowing treat right|leftsubnetwithin as synonyms for right|leftsubnet

10 years agoremoved plutostart parameter
Andreas Steffen [Wed, 13 Jun 2012 19:19:05 +0000 (21:19 +0200)]
removed plutostart parameter

10 years agoscepclient: Fixed Makefile after removing enable-smartcard configure option.
Tobias Brunner [Wed, 13 Jun 2012 13:08:14 +0000 (15:08 +0200)]
scepclient: Fixed Makefile after removing enable-smartcard configure option.

10 years agoUse proper defines for IPV6_PKTINFO on Mac OS X Lion and newer.
Tobias Brunner [Wed, 13 Jun 2012 13:02:10 +0000 (15:02 +0200)]
Use proper defines for IPV6_PKTINFO on Mac OS X Lion and newer.

10 years agoSome updates to the INSTALL document.
Tobias Brunner [Wed, 13 Jun 2012 10:24:23 +0000 (12:24 +0200)]
Some updates to the INSTALL document.

10 years agoRemoved remaining pluto related configure options.
Tobias Brunner [Wed, 13 Jun 2012 09:33:32 +0000 (11:33 +0200)]
Removed remaining pluto related configure options.

10 years agostarter: Print additional help texts for selected deprecated keywords.
Tobias Brunner [Tue, 12 Jun 2012 11:59:05 +0000 (13:59 +0200)]
starter: Print additional help texts for selected deprecated keywords.

10 years agostarter: Improved how deprecated keywords are handled.
Tobias Brunner [Tue, 12 Jun 2012 11:57:47 +0000 (13:57 +0200)]
starter: Improved how deprecated keywords are handled.

We only throw a warning now instead of rejecting the config.

10 years agoRevert "starter: Don't treat unsupported keywords as fatal errors just report them."
Tobias Brunner [Tue, 12 Jun 2012 09:42:00 +0000 (11:42 +0200)]
Revert "starter: Don't treat unsupported keywords as fatal errors just report them."

This reverts commit e55876a657ae9d4bbf14320e5a14f86cc5c31c7f.

10 years agoNEWS about specifying trustchain HASH algorithm requirements
Martin Willi [Tue, 12 Jun 2012 12:43:55 +0000 (14:43 +0200)]
NEWS about specifying trustchain HASH algorithm requirements

10 years agoAdd documentation for signature hash algorithm enforcing to man ipsec.conf
Martin Willi [Mon, 11 Jun 2012 13:48:03 +0000 (15:48 +0200)]
Add documentation for signature hash algorithm enforcing to man ipsec.conf

10 years agoAdded signature scheme options left/rightauth
Martin Willi [Fri, 8 Jun 2012 15:04:14 +0000 (17:04 +0200)]
Added signature scheme options left/rightauth

10 years agoSupport multiple different public key strength types in constraints
Martin Willi [Tue, 12 Jun 2012 12:19:11 +0000 (14:19 +0200)]
Support multiple different public key strength types in constraints

10 years agoAdd signature schemes to auth_cfg during trustchain validation
Martin Willi [Mon, 11 Jun 2012 12:52:37 +0000 (14:52 +0200)]
Add signature schemes to auth_cfg during trustchain validation

10 years agocertificate_t->issued_by takes an argument to receive signature scheme
Martin Willi [Mon, 11 Jun 2012 12:33:34 +0000 (14:33 +0200)]
certificate_t->issued_by takes an argument to receive signature scheme

10 years agoDefine auth_cfg rules for signature schemes
Martin Willi [Fri, 8 Jun 2012 14:47:08 +0000 (16:47 +0200)]
Define auth_cfg rules for signature schemes

10 years agostarter: Fixed parsing of left|right=%any.
Tobias Brunner [Tue, 12 Jun 2012 08:12:53 +0000 (10:12 +0200)]
starter: Fixed parsing of left|right=%any.

10 years agodeleted IKEv1 charon-pluto interoperability scenarios
Andreas Steffen [Tue, 12 Jun 2012 08:00:21 +0000 (10:00 +0200)]
deleted IKEv1 charon-pluto interoperability scenarios

10 years agostarter: Fix comparison of connections.
Tobias Brunner [Wed, 16 May 2012 15:18:27 +0000 (17:18 +0200)]
starter: Fix comparison of connections.

10 years agostarter: Removed all unsupported keywords.
Tobias Brunner [Wed, 16 May 2012 14:56:49 +0000 (16:56 +0200)]
starter: Removed all unsupported keywords.

10 years agostarter: Don't treat unsupported keywords as fatal errors just report them.
Tobias Brunner [Wed, 16 May 2012 14:25:32 +0000 (16:25 +0200)]
starter: Don't treat unsupported keywords as fatal errors just report them.

10 years agoBye bye Pluto!
Tobias Brunner [Tue, 15 May 2012 14:59:00 +0000 (16:59 +0200)]
Bye bye Pluto!

Charon will take over IKEv1 duties from here.  This also removes
libfreeswan and whack.

10 years ago_copyright: Replicate copyright text here instead of calling libfreeswan.
Tobias Brunner [Tue, 15 May 2012 15:12:59 +0000 (17:12 +0200)]
_copyright: Replicate copyright text here instead of calling libfreeswan.

10 years agostarter: Remove all ties to pluto/libfreeswan.
Tobias Brunner [Tue, 15 May 2012 14:37:02 +0000 (16:37 +0200)]
starter: Remove all ties to pluto/libfreeswan.

Moved some types/constants in the process.

10 years agostarter: Use custom type for SA specific options (flags).
Tobias Brunner [Tue, 15 May 2012 14:31:46 +0000 (16:31 +0200)]
starter: Use custom type for SA specific options (flags).

10 years agostarter: Parse left|rightprotoport directly in confread.c.
Tobias Brunner [Tue, 15 May 2012 14:20:15 +0000 (16:20 +0200)]
starter: Parse left|rightprotoport directly in confread.c.

10 years agostarter: No special handling for left|rightsubnet, just pass it on as string.
Tobias Brunner [Tue, 15 May 2012 13:10:23 +0000 (15:10 +0200)]
starter: No special handling for left|rightsubnet, just pass it on as string.

10 years agostarter: Use host_t to parse left|rightsourceip.
Tobias Brunner [Tue, 15 May 2012 13:04:11 +0000 (15:04 +0200)]
starter: Use host_t to parse left|rightsourceip.

Also for the yet unused natip option.

10 years agostarter: Remove left|rightsubnetwithin option (charon narrows left|rightsubnet down...
Tobias Brunner [Tue, 15 May 2012 13:00:15 +0000 (15:00 +0200)]
starter: Remove left|rightsubnetwithin option (charon narrows left|rightsubnet down accordingly).

10 years agostarter: Don't resolve any addresses in starter.
Tobias Brunner [Tue, 15 May 2012 11:51:59 +0000 (13:51 +0200)]
starter: Don't resolve any addresses in starter.

Also removed remains of some unknown iface option.

10 years agostarter: Removed pfs and pfsgroup options (handled via esp option).
Tobias Brunner [Tue, 15 May 2012 11:26:49 +0000 (13:26 +0200)]
starter: Removed pfs and pfsgroup options (handled via esp option).

10 years agostarter: Store mode of the IPsec SA/policy in a separate member.
Tobias Brunner [Tue, 15 May 2012 11:12:45 +0000 (13:12 +0200)]
starter: Store mode of the IPsec SA/policy in a separate member.

10 years agostarter: Use custom type to mark seen keywords.
Tobias Brunner [Tue, 15 May 2012 08:41:08 +0000 (10:41 +0200)]
starter: Use custom type to mark seen keywords.

10 years agostarter: Remove left|rightnexthop option.
Tobias Brunner [Mon, 14 May 2012 16:27:53 +0000 (18:27 +0200)]
starter: Remove left|rightnexthop option.

Charon does this lookup dynamically.

10 years agoImplement strdupnull() macro as static inline function.
Tobias Brunner [Mon, 14 May 2012 16:04:09 +0000 (18:04 +0200)]
Implement strdupnull() macro as static inline function.

This avoids compiler warnings if the argument is a const char*.

10 years agostarter: Replaced all usages of clone_str() with strdupnull().
Tobias Brunner [Mon, 14 May 2012 15:50:34 +0000 (17:50 +0200)]
starter: Replaced all usages of clone_str() with strdupnull().