strongswan.git
10 years ago  Allow to enable the kernel-pfkey plugin via Android.mk.
Tobias Brunner [Tue, 22 Jun 2010 14:14:14 +0000 (16:14 +0200)]
Allow to enable the kernel-pfkey plugin via Android.mk.

10 years ago  Fixing the PF_KEY kernel interface on Android.
Tobias Brunner [Tue, 22 Jun 2010 14:04:13 +0000 (16:04 +0200)]
Fixing the PF_KEY kernel interface on Android.

In Android's in.h IPPROTO_COMP is not #defined but just an enum member.

10 years ago  Fixing compilation of the OpenSSL plugin if ENGINE support is disabled.
Tobias Brunner [Tue, 22 Jun 2010 09:33:21 +0000 (11:33 +0200)]
Fixing compilation of the OpenSSL plugin if ENGINE support is disabled.

That is, enable compilation if OpenSSL was configured with
OPENSSL_NO_ENGINE.

10 years ago  Fixing compilation of the OpenSSL plugin if Elliptic Curve support is disabled.
Tobias Brunner [Tue, 22 Jun 2010 09:28:50 +0000 (11:28 +0200)]
Fixing compilation of the OpenSSL plugin if Elliptic Curve support is disabled.

That is, enable compilation if OpenSSL was configured with
OPENSSL_NO_EC.

10 years ago  Ignore IKEv2 packets in pluto with any minor version
Martin Willi [Tue, 22 Jun 2010 07:16:04 +0000 (09:16 +0200)]
Ignore IKEv2 packets in pluto with any minor version

10 years ago  Accept IKE packets with any minor version in RAW socket
Martin Willi [Tue, 22 Jun 2010 07:03:41 +0000 (09:03 +0200)]
Accept IKE packets with any minor version in RAW socket

10 years ago  Fixed plugin checks in Android.mk files.
Tobias Brunner [Thu, 17 Jun 2010 16:09:34 +0000 (18:09 +0200)]
Fixed plugin checks in Android.mk files.

10 years ago  Don't fail with an error if an attribute that is to be deleted does not exist
Heiko Hund [Fri, 18 Jun 2010 03:01:06 +0000 (05:01 +0200)]
Don't fail with an error if an attribute that is to be deleted does not exist

10 years ago  Fixed compiler warning.
Tobias Brunner [Mon, 7 Jun 2010 13:33:25 +0000 (15:33 +0200)]
Fixed compiler warning.

10 years ago  Use vpn.dns* to store DNS servers (Android manages net.dns* using these).
Tobias Brunner [Tue, 11 May 2010 16:31:24 +0000 (18:31 +0200)]
Use vpn.dns* to store DNS servers (Android manages net.dns* using these).

10 years ago  Adding an interface that interacts with the Android Settings frontend.
Tobias Brunner [Tue, 4 May 2010 16:26:07 +0000 (18:26 +0200)]
Adding an interface that interacts with the Android Settings frontend.

10 years ago  Adding an Android specific credential set.
Tobias Brunner [Tue, 4 May 2010 16:18:51 +0000 (18:18 +0200)]
Adding an Android specific credential set.

10 years ago  Adding an Android specific logger.
Tobias Brunner [Tue, 4 May 2010 16:13:27 +0000 (18:13 +0200)]
Adding an Android specific logger.

10 years ago  Adding support for the native Linux capabilities interface.
Tobias Brunner [Tue, 15 Jun 2010 17:40:44 +0000 (19:40 +0200)]
Adding support for the native Linux capabilities interface.

Note that this interface is deprecated and mainly added to support
Android. Use libcap, if possible.

10 years ago  Explicitly refer to LIBCAP in Makefiles.
Tobias Brunner [Tue, 15 Jun 2010 17:10:23 +0000 (19:10 +0200)]
Explicitly refer to LIBCAP in Makefiles.

10 years ago  Run as vpn user on Android.
Tobias Brunner [Tue, 4 May 2010 15:05:12 +0000 (17:05 +0200)]
Run as vpn user on Android.

10 years ago  Truncate the PID file so that even if we fail to unlink it, the daemon can be restart...
Tobias Brunner [Tue, 15 Jun 2010 17:53:47 +0000 (19:53 +0200)]
Truncate the PID file so that even if we fail to unlink it, the daemon can be restarted properly.

10 years ago  Explicitly include stdint.h for UINT64_MAX.
Tobias Brunner [Tue, 15 Jun 2010 08:57:12 +0000 (10:57 +0200)]
Explicitly include stdint.h for UINT64_MAX.

This is required on FreeBSD 8.

10 years ago  Check for SADB_X_NAT_T_NEW_MAPPING in PF_KEY kernel interface.
Tobias Brunner [Tue, 15 Jun 2010 08:07:43 +0000 (10:07 +0200)]
Check for SADB_X_NAT_T_NEW_MAPPING in PF_KEY kernel interface.

FreeBSD 8 does not support SADB_X_NAT_T_NEW_MAPPING whereas Linux and
the previous FreeBSD NAT-T patch both do.

10 years ago  Set the ports of all hosts installed via the PF_KEY kernel interface to zero.
Tobias Brunner [Fri, 14 May 2010 13:25:59 +0000 (15:25 +0200)]
Set the ports of all hosts installed via the PF_KEY kernel interface to zero.

10 years ago  refer to correct PLUTO_XAUTH_ID variable
Andreas Steffen [Wed, 9 Jun 2010 13:21:26 +0000 (15:21 +0200)]
refer to correct PLUTO_XAUTH_ID variable

10 years ago  rename environment variable to PLUTO_XAUTH_ID
Andreas Steffen [Tue, 8 Jun 2010 21:18:51 +0000 (23:18 +0200)]
rename environment variable to PLUTO_XAUTH_ID

10 years ago  do not destroy xauth_id if phase2 equals phase1 connection
Andreas Steffen [Tue, 8 Jun 2010 21:18:00 +0000 (23:18 +0200)]
do not destroy xauth_id if phase2 equals phase1 connection

10 years ago  make an optional XAUTH user ID available in the updown script
Andreas Steffen [Tue, 8 Jun 2010 15:50:22 +0000 (17:50 +0200)]
make an optional XAUTH user ID available in the updown script

10 years ago  inherit XAUTH identities in Phase 2
Heiko Hund [Tue, 8 Jun 2010 10:15:42 +0000 (12:15 +0200)]
inherit XAUTH identities in Phase 2

10 years ago  Adding a basic unit test for hashtable_t.
Tobias Brunner [Mon, 7 Jun 2010 14:39:49 +0000 (16:39 +0200)]
Adding a basic unit test for hashtable_t.

10 years ago  Adding a remove_at method to the hash table.
Tobias Brunner [Mon, 7 Jun 2010 14:36:26 +0000 (16:36 +0200)]
Adding a remove_at method to the hash table.

This allows to remove key-value pairs while enumerating them.

10 years ago  Migrated hashtable_t to INIT/METHOD macros.
Tobias Brunner [Mon, 7 Jun 2010 13:50:41 +0000 (15:50 +0200)]
Migrated hashtable_t to INIT/METHOD macros.

10 years ago  Add extra information in debug output for IKE_SA check{out, in}
Thomas Egerer [Sun, 6 Jun 2010 20:50:29 +0000 (22:50 +0200)]
Add extra information in debug output for IKE_SA check{out, in}

This output helps tracing checkout and checkin of IKE_SAs when there is
more than one IKE_SA with the same name. I also added the type of
in-air-exchange to the debug output issued by the task_manager in case
a task initiation is delayed, came in handy for me.

10 years ago  traffic_selector_t is gone into libstrongswan, migrate printf hook registration,...
Martin Willi [Mon, 7 Jun 2010 13:06:09 +0000 (15:06 +0200)]
traffic_selector_t is gone into libstrongswan, migrate printf hook registration, too.

10 years ago  Flush auth configs, create new keymat during SA reset
Martin Willi [Mon, 7 Jun 2010 12:59:39 +0000 (14:59 +0200)]
Flush auth configs, create new keymat during SA reset

10 years ago  Recreate IKE_INIT/IKE_NATD/IKE_VENDOR tasks if we reset SA during IKE_AUTH
Martin Willi [Mon, 7 Jun 2010 12:58:57 +0000 (14:58 +0200)]
Recreate IKE_INIT/IKE_NATD/IKE_VENDOR tasks if we reset SA during IKE_AUTH

10 years ago  Reacquire keymat from new IKE_SA during task migration
Martin Willi [Mon, 7 Jun 2010 12:56:24 +0000 (14:56 +0200)]
Reacquire keymat from new IKE_SA during task migration

10 years ago  Flush certificate cache on CA delete
Martin Willi [Mon, 7 Jun 2010 11:51:18 +0000 (13:51 +0200)]
Flush certificate cache on CA delete

10 years ago  Log non-empty task queues in statusall
Martin Willi [Mon, 7 Jun 2010 09:59:37 +0000 (11:59 +0200)]
Log non-empty task queues in statusall

10 years ago  Wrap task enumerator in ike_sa
Martin Willi [Mon, 7 Jun 2010 09:37:55 +0000 (11:37 +0200)]
Wrap task enumerator in ike_sa

10 years ago  Migrated ike_sa_t to INIT/METHOD macros
Martin Willi [Mon, 7 Jun 2010 09:30:27 +0000 (09:30 +0000)]
Migrated ike_sa_t to INIT/METHOD macros

10 years ago  Added support for task enumeration in task_manager_t
Martin Willi [Mon, 7 Jun 2010 08:45:25 +0000 (10:45 +0200)]
Added support for task enumeration in task_manager_t

10 years ago  Migrated task_manager_t to INIT/METHOD macros
Martin Willi [Mon, 7 Jun 2010 08:37:00 +0000 (10:37 +0200)]
Migrated task_manager_t to INIT/METHOD macros

10 years ago  use --addattr
Andreas Steffen [Sat, 5 Jun 2010 11:49:01 +0000 (13:49 +0200)]
use --addattr

10 years ago  use --addattr
Andreas Steffen [Sat, 5 Jun 2010 11:47:23 +0000 (13:47 +0200)]
use --addattr

10 years ago  added ikev2/nat-virtual-ip scenario
Andreas Steffen [Sat, 5 Jun 2010 11:42:28 +0000 (13:42 +0200)]
added ikev2/nat-virtual-ip scenario

10 years ago  remove stray carolReq.pem
Andreas Steffen [Sat, 5 Jun 2010 11:36:39 +0000 (13:36 +0200)]
remove stray carolReq.pem

10 years ago  share pool in ikev1/mode-config-multiple scenario
Andreas Steffen [Sat, 5 Jun 2010 11:17:51 +0000 (13:17 +0200)]
share pool in ikev1/mode-config-multiple scenario

10 years ago  use --addattr
Andreas Steffen [Sat, 5 Jun 2010 11:15:03 +0000 (13:15 +0200)]
use --addattr

10 years ago  remove stray scenario files
Andreas Steffen [Sat, 5 Jun 2010 11:10:39 +0000 (13:10 +0200)]
remove stray scenario files

10 years ago  Accept ARP requests with an ethernet trailer, but trim it
Martin Willi [Wed, 2 Jun 2010 08:05:43 +0000 (10:05 +0200)]
Accept ARP requests with an ethernet trailer, but trim it

10 years ago  Added a EAP-SIM/AKA backend reading triplets/quintuplets from a SQL database
Martin Willi [Wed, 2 Jun 2010 13:55:58 +0000 (15:55 +0200)]
Added a EAP-SIM/AKA backend reading triplets/quintuplets from a SQL database

10 years ago  fixed configuration attribute type determination
Andreas Steffen [Wed, 2 Jun 2010 09:51:53 +0000 (11:51 +0200)]
fixed configuration attribute type determination

10 years ago  Disable close action for a redundant CHILD_SA resulting from a rekey collision
Martin Willi [Wed, 2 Jun 2010 09:43:39 +0000 (11:43 +0200)]
Disable close action for a redundant CHILD_SA resulting from a rekey collision

If a rekey collision is detected, the winning peer of the nonce compare
will delete the redundant CHILD_SA. The other peer should not enforce the
close action on this CHILD, as it would reestablish the redundant CHILD_SA.
Thanks to Thomas Egerer from secunet for pointing this out and the initial
patchset.

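The collision handling described in the commit above, written out as an added example (this is not strongSwan code and all names in it are assumptions made here). It follows the RFC 7296 section 2.8.1 rule for colliding CREATE_CHILD_SA rekeys: both peers compare the nonces of the two exchanges, the CHILD_SA created by the exchange that carried the lowest nonce is the redundant one and its creator deletes it. The other peer receives that DELETE as a peer-initiated close, so the example overrides the effective close action of its copy of the redundant SA to "none"; with closeaction=restart it would otherwise re-establish exactly the SA the collision just eliminated. The sample nonces are constructed, not captured traffic.

```c
/*
 * Added example (not strongSwan code): pick the redundant CHILD_SA of a
 * CREATE_CHILD_SA rekey collision and suppress the close action on it.
 * All type and function names are assumptions made for this example.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
	const uint8_t *ptr;
	size_t len;
} nonce_t;

/* values of the ipsec.conf closeaction keyword */
typedef enum { ACTION_NONE = 0, ACTION_ROUTE, ACTION_RESTART } action_t;

typedef struct {
	action_t close_action;  /* configured closeaction */
	bool redundant;         /* set once the SA lost a rekey collision */
} child_sa_t;

/* lexicographic compare; on a common prefix the shorter nonce sorts first */
static int nonce_cmp(nonce_t a, nonce_t b)
{
	size_t n = a.len < b.len ? a.len : b.len;
	int r = memcmp(a.ptr, b.ptr, n);
	if (r != 0) return r;
	return (a.len > b.len) - (a.len < b.len);
}

static nonce_t nonce_min(nonce_t a, nonce_t b)
{
	return nonce_cmp(a, b) <= 0 ? a : b;
}

/*
 * ours_i/ours_r: initiator and responder nonce of the exchange we started,
 * peers_i/peers_r: the same for the exchange the peer started. Both peers
 * see all four nonces, so both reach the same verdict. Returns true if the
 * SA created by our exchange carries the lowest nonce and is the one we
 * must delete. (Equal nonces are ignored here; they are cryptographically
 * negligible with random nonces.)
 */
bool rekey_collision_ours_redundant(nonce_t ours_i, nonce_t ours_r,
                                    nonce_t peers_i, nonce_t peers_r)
{
	return nonce_cmp(nonce_min(ours_i, ours_r),
	                 nonce_min(peers_i, peers_r)) < 0;
}

/* effective close action: never act on a redundant SA, its DELETE is expected */
action_t child_get_close_action(const child_sa_t *sa)
{
	return sa->redundant ? ACTION_NONE : sa->close_action;
}

/*
 * Run on each peer once the collision is detected. sa_ours is the SA from
 * our exchange, sa_peers the one from the peer's exchange. Returns the SA
 * we have to delete ourselves, or NULL when the peer deletes its own and we
 * only have to make sure its DELETE does not trigger our close action.
 */
child_sa_t *handle_rekey_collision(child_sa_t *sa_ours, child_sa_t *sa_peers,
                                   nonce_t ours_i, nonce_t ours_r,
                                   nonce_t peers_i, nonce_t peers_r)
{
	if (rekey_collision_ours_redundant(ours_i, ours_r, peers_i, peers_r)) {
		sa_ours->redundant = true;
		return sa_ours;
	}
	sa_peers->redundant = true;
	return NULL;
}

/* Worked instance with constructed nonces: the peer's exchange carries the
 * lowest nonce (0x05ff), so the peer deletes; we keep closeaction=restart
 * configured but it must not fire for that SA. Returns the effective action. */
action_t example_effective_close_action(void)
{
	static const uint8_t a[] = {0x9a, 0x11}, b[] = {0x7c, 0x02},
	                     c[] = {0x05, 0xff}, d[] = {0xc3, 0x00};
	nonce_t ours_i = {a, 2}, ours_r = {b, 2}, peers_i = {c, 2}, peers_r = {d, 2};
	child_sa_t ours = {ACTION_RESTART, false}, peers = {ACTION_RESTART, false};
	child_sa_t *to_delete = handle_rekey_collision(&ours, &peers,
	                                               ours_i, ours_r, peers_i, peers_r);
	if (to_delete != NULL) return ACTION_RESTART;  /* not reached with these nonces */
	return child_get_close_action(&peers);          /* ACTION_NONE */
}

int main(void)
{
	printf("effective close action on redundant CHILD_SA: %d (0 = none)\n",
	       example_effective_close_action());
	return 0;
}
```

The same decision runs on both peers with the roles of "ours" and "peers" swapped, which is why the verdict is symmetric: the peer that created the lowest-nonce SA gets it back from `handle_rekey_collision` and deletes it, the other gets NULL and only disables the close action.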
10 years ago  Use wrapped getters for close/dpd action
Martin Willi [Wed, 2 Jun 2010 09:41:46 +0000 (11:41 +0200)]
Use wrapped getters for close/dpd action

10 years ago  Wrap getters for dpd/close action into CHILD_SA, allows us to override them
Martin Willi [Wed, 2 Jun 2010 09:40:38 +0000 (11:40 +0200)]
Wrap getters for dpd/close action into CHILD_SA, allows us to override them

10 years ago  ipsec pool --statusattr [--hexout] outputs attribute values in correct format if...
Andreas Steffen [Tue, 1 Jun 2010 14:47:56 +0000 (16:47 +0200)]
ipsec pool --statusattr [--hexout] outputs attribute values in correct format if known

10 years ago  added unity_def_domain keyword to ipsec pool
Andreas Steffen [Mon, 31 May 2010 14:46:47 +0000 (16:46 +0200)]
added unity_def_domain keyword to ipsec pool

10 years ago  Added generated manpages to .gitignore
Martin Willi [Mon, 31 May 2010 11:41:25 +0000 (13:41 +0200)]
Added generated manpages to .gitignore

10 years ago  Changed default lifetime of certificates to 3 years
Martin Willi [Mon, 31 May 2010 11:14:36 +0000 (13:14 +0200)]
Changed default lifetime of certificates to 3 years

10 years ago  Support extendedKeyUsage flags in self-signed certificates
Martin Willi [Mon, 31 May 2010 11:12:46 +0000 (13:12 +0200)]
Support extendedKeyUsage flags in self-signed certificates

10 years ago  IPSEC_CONFDIR in ipsec script fixed.
Tobias Brunner [Sun, 30 May 2010 11:07:32 +0000 (13:07 +0200)]
IPSEC_CONFDIR in ipsec script fixed.

10 years ago  Adding the version number to the most relevant manual pages.
Tobias Brunner [Sun, 30 May 2010 11:03:04 +0000 (13:03 +0200)]
Adding the version number to the most relevant manual pages.

10 years ago  Updated and corrected the ipsec.secrets(5) manual page.
Tobias Brunner [Sun, 30 May 2010 09:51:30 +0000 (11:51 +0200)]
Updated and corrected the ipsec.secrets(5) manual page.

10 years ago  Updated and corrected the ipsec.conf(5) manual page.
Tobias Brunner [Sat, 29 May 2010 19:10:18 +0000 (21:10 +0200)]
Updated and corrected the ipsec.conf(5) manual page.

10 years ago  Updated and corrected the ipsec(8) manual page.
Tobias Brunner [Sat, 29 May 2010 15:34:00 +0000 (17:34 +0200)]
Updated and corrected the ipsec(8) manual page.

10 years ago  added --leases command line option to synopsis
Andreas Steffen [Sat, 29 May 2010 11:29:23 +0000 (13:29 +0200)]
added --leases command line option to synopsis

10 years ago  added --showattr command line option to synopsis
Andreas Steffen [Sat, 29 May 2010 11:23:20 +0000 (13:23 +0200)]
added --showattr command line option to synopsis

10 years ago  added X.509 support by openssl plugin to NEWS
Andreas Steffen [Sat, 29 May 2010 09:22:36 +0000 (11:22 +0200)]
added X.509 support by openssl plugin to NEWS

10 years ago  remove x509 plugin from openssl-ikev1 scenarios
Andreas Steffen [Fri, 28 May 2010 21:22:15 +0000 (23:22 +0200)]
remove x509 plugin from openssl-ikev1 scenarios

10 years ago  Do not install trap policy if remote host is %any.
Tobias Brunner [Fri, 28 May 2010 13:43:12 +0000 (15:43 +0200)]
Do not install trap policy if remote host is %any.

10 years ago  be lenient towards wrong attribute encodings
Andreas Steffen [Fri, 28 May 2010 13:07:09 +0000 (15:07 +0200)]
be lenient towards wrong attribute encodings

10 years ago  Send empty SIM/AKA-NOTIFICATION response for non-success codes, too
Martin Willi [Thu, 27 May 2010 13:04:25 +0000 (15:04 +0200)]
Send empty SIM/AKA-NOTIFICATION response for non-success codes, too

10 years ago  Added support for reading raw PUT/POST data from HTTP request
Martin Willi [Thu, 27 May 2010 07:30:14 +0000 (09:30 +0200)]
Added support for reading raw PUT/POST data from HTTP request

10 years ago  Unwrap subjectKeyIdentifier from OCTET_STRING
Martin Willi [Wed, 26 May 2010 14:09:50 +0000 (16:09 +0200)]
Unwrap subjectKeyIdentifier from OCTET_STRING

10 years ago  remove x509 plugin from remaining openssl-ikev2 scenarios
Andreas Steffen [Tue, 25 May 2010 13:49:58 +0000 (15:49 +0200)]
remove x509 plugin from remaining openssl-ikev2 scenarios

10 years ago  openssl-ikev2/rw-cert scenario doesn't need x509 plugin any more
Andreas Steffen [Tue, 25 May 2010 13:26:46 +0000 (15:26 +0200)]
openssl-ikev2/rw-cert scenario doesn't need x509 plugin any more

10 years ago  several subnets can be concatenated
Andreas Steffen [Sat, 22 May 2010 20:53:24 +0000 (22:53 +0200)]
several subnets can be concatenated

10 years ago  added --showattr command to usage()
Andreas Steffen [Sat, 22 May 2010 08:46:15 +0000 (10:46 +0200)]
added --showattr command to usage()

10 years ago  Fixed compiler warning in invocation of crl_is_newer()
Martin Willi [Fri, 21 May 2010 14:41:13 +0000 (16:41 +0200)]
Fixed compiler warning in invocation of crl_is_newer()

10 years ago  Use CA's subjectKeyIdentifier as CRL's authorityKeyIdentifier
Martin Willi [Fri, 21 May 2010 14:38:19 +0000 (16:38 +0200)]
Use CA's subjectKeyIdentifier as CRL's authorityKeyIdentifier

10 years ago  Added a --signcrl command to the pki utility
Martin Willi [Fri, 21 May 2010 13:53:31 +0000 (15:53 +0200)]
Added a --signcrl command to the pki utility

10 years ago  Added support for CRL generation to x509 plugin
Martin Willi [Fri, 21 May 2010 13:52:20 +0000 (15:52 +0200)]
Added support for CRL generation to x509 plugin

10 years ago  Removed is_newer() from certificate_t, obsoleting all implementations
Martin Willi [Fri, 21 May 2010 07:53:23 +0000 (09:53 +0200)]
Removed is_newer() from certificate_t, obsoleting all implementations

10 years ago  Added generic implementations for crl_is_newer/certificate_is_newer
Martin Willi [Fri, 21 May 2010 07:48:23 +0000 (09:48 +0200)]
Added generic implementations for crl_is_newer/certificate_is_newer

10 years ago  Migrated x509_crl_t to INIT/METHOD macros
Martin Willi [Fri, 21 May 2010 07:18:27 +0000 (09:18 +0200)]
Migrated x509_crl_t to INIT/METHOD macros

10 years ago  Implemented X.509 CRL reading using OpenSSL
Martin Willi [Thu, 20 May 2010 15:33:52 +0000 (17:33 +0200)]
Implemented X.509 CRL reading using OpenSSL

10 years ago  Implemented X.509 certificate reading using OpenSSL
Martin Willi [Thu, 20 May 2010 08:09:04 +0000 (08:09 +0000)]
Implemented X.509 certificate reading using OpenSSL

10 years ago  oops, removed stray parenthesis
Andreas Steffen [Thu, 20 May 2010 15:38:39 +0000 (17:38 +0200)]
oops, removed stray parenthesis

10 years ago  Fixed doxygen group
Martin Willi [Thu, 20 May 2010 11:22:13 +0000 (13:22 +0200)]
Fixed doxygen group

10 years ago  Whitelist OpenSSL's ERR_put_error() in leak-detective
Martin Willi [Thu, 20 May 2010 07:44:59 +0000 (09:44 +0200)]
Whitelist OpenSSL's ERR_put_error() in leak-detective

As we do not invoke ERR_get/clear_error() in all error cases, the
error codes are not removed from the error queue. But it is safe
to whitelist the put function, as it uses a circular buffer that
does not grow beyond ERR_NUM_ERRORS errors (16 by default).

10 years ago  Added a --print command to pki that dumps different credentials
Martin Willi [Thu, 20 May 2010 07:41:47 +0000 (09:41 +0200)]
Added a --print command to pki that dumps different credentials

10 years ago  Option to skip slow addr2line resolution in leak-detective
Martin Willi [Wed, 19 May 2010 13:22:12 +0000 (15:22 +0200)]
Option to skip slow addr2line resolution in leak-detective

10 years ago  range check for configuration attribute types
Andreas Steffen [Thu, 20 May 2010 15:35:10 +0000 (17:35 +0200)]
range check for configuration attribute types

10 years ago  implement ipsec pool -showattr function
Andreas Steffen [Thu, 20 May 2010 15:24:43 +0000 (17:24 +0200)]
implement ipsec pool -showattr function

10 years ago  removed deprecated use of ipsec pool --attr|del dns|nbns from usage()
Andreas Steffen [Thu, 20 May 2010 14:30:15 +0000 (16:30 +0200)]
removed deprecated use of ipsec pool --attr|del dns|nbns from usage()

10 years ago  Only include C files that start with the plugin name when building for Android.
Tobias Brunner [Thu, 20 May 2010 10:01:12 +0000 (12:01 +0200)]
Only include C files that start with the plugin name when building for Android.

10 years ago  added ipsec pool attribute support to NEWS
Andreas Steffen [Wed, 19 May 2010 19:53:55 +0000 (21:53 +0200)]
added ipsec pool attribute support to NEWS

10 years ago  management of any attribute by ipsec pool
Andreas Steffen [Wed, 19 May 2010 19:51:21 +0000 (21:51 +0200)]
management of any attribute by ipsec pool

10 years ago  updated ikev1/rw-cert scenario to support xauth integrity test
Andreas Steffen [Wed, 19 May 2010 06:31:39 +0000 (08:31 +0200)]
updated ikev1/rw-cert scenario to support xauth integrity test

10 years ago  checksum_builder() needs the pluto symbol
Andreas Steffen [Wed, 19 May 2010 06:02:22 +0000 (08:02 +0200)]
checksum_builder() needs the pluto symbol

10 years ago  updated ikev1/xauth-rsa-mode-config scenario to support xauth plugin
Andreas Steffen [Tue, 18 May 2010 20:57:12 +0000 (22:57 +0200)]
updated ikev1/xauth-rsa-mode-config scenario to support xauth plugin

10 years ago  updated ikev1/xauth-psk-mode-config scenario to support xauth plugin
Andreas Steffen [Tue, 18 May 2010 20:56:42 +0000 (22:56 +0200)]
updated ikev1/xauth-psk-mode-config scenario to support xauth plugin

10 years ago  updated ikev1/xauth-psk-mode-config scenario to support xauth plugin
Andreas Steffen [Tue, 18 May 2010 20:48:37 +0000 (22:48 +0200)]
updated ikev1/xauth-psk-mode-config scenario to support xauth plugin