strongswan.git
we need some ordering
Andreas Steffen [Mon, 12 Jul 2010 20:44:27 +0000 (22:44 +0200)]

changed ordering of statusattr output
Andreas Steffen [Mon, 12 Jul 2010 20:38:18 +0000 (22:38 +0200)]

updated ikev2/ip-two-pools-db scenario to support pool and identity based dns attributes
Andreas Steffen [Mon, 12 Jul 2010 18:54:40 +0000 (20:54 +0200)]

fixed alignment of caption
Andreas Steffen [Mon, 12 Jul 2010 18:48:14 +0000 (20:48 +0200)]

updated SQL templates to support attribute pool and identity parameters
Andreas Steffen [Mon, 12 Jul 2010 18:28:24 +0000 (20:28 +0200)]

output identities correctly
Andreas Steffen [Mon, 12 Jul 2010 18:26:17 +0000 (20:26 +0200)]

added second example scenario
Andreas Steffen [Mon, 12 Jul 2010 12:22:32 +0000 (14:22 +0200)]

apidoc is actually a directory, not a file.
Tobias Brunner [Mon, 12 Jul 2010 13:28:55 +0000 (15:28 +0200)]

Added missing pool parameter in DHCP attribute provider.
Tobias Brunner [Mon, 12 Jul 2010 10:27:49 +0000 (12:27 +0200)]

Do not interpret long class attributes (such as from NPS) as group
Martin Willi [Fri, 9 Jul 2010 11:53:43 +0000 (13:53 +0200)]

Group membership constraint is fulfilled if subject is member in one of the groups
Martin Willi [Fri, 9 Jul 2010 11:51:58 +0000 (13:51 +0200)]

Added support for named attribute groups
Heiko Hund [Wed, 7 Jul 2010 14:45:36 +0000 (16:45 +0200)]

Add the possibility to group attributes by a name and assign these
groups to connections. This allows a more granular configuration of
which client will receive what attributes.

transport reqid, mark_in and mark_out in whack message
Andreas Steffen [Fri, 9 Jul 2010 10:19:39 +0000 (12:19 +0200)]

added ikev2/net2net-psk-dscp2 DiffServ scenario
Andreas Steffen [Fri, 9 Jul 2010 09:55:01 +0000 (11:55 +0200)]

added ikev2/nat-two-rw-mark-in-out scenario
Andreas Steffen [Fri, 9 Jul 2010 07:36:03 +0000 (09:36 +0200)]

some changes to the ikev2/nat-two-rw-mark scenario
Andreas Steffen [Fri, 9 Jul 2010 07:35:02 +0000 (09:35 +0200)]

configuration of different marks for inbound and outbound direction
Andreas Steffen [Fri, 9 Jul 2010 07:06:02 +0000 (09:06 +0200)]

The file logger supports a time prefix using a strftime() format specifier
Martin Willi [Thu, 8 Jul 2010 14:11:55 +0000 (16:11 +0200)]

Print identity to a lease address on the same line for simpler grepping
Martin Willi [Thu, 8 Jul 2010 13:46:44 +0000 (15:46 +0200)]

Implemented missing bypass_socket() method in load-tester's faked kernel interface
Martin Willi [Wed, 7 Jul 2010 08:00:39 +0000 (10:00 +0200)]

added req parameter to ipsec.conf man page
Andreas Steffen [Tue, 6 Jul 2010 18:32:15 +0000 (20:32 +0200)]

Show mallinfo() data in statusall, if available
Martin Willi [Tue, 6 Jul 2010 14:26:59 +0000 (16:26 +0200)]

Avoid relocking while enumerator is alive
Martin Willi [Tue, 6 Jul 2010 13:44:37 +0000 (15:44 +0200)]

Added missing markt_t in load tester, also migrated to INIT/METHOD macros.
Tobias Brunner [Tue, 6 Jul 2010 07:29:18 +0000 (09:29 +0200)]

Some Doxygen fixes.
Tobias Brunner [Mon, 5 Jul 2010 13:04:30 +0000 (15:04 +0200)]

Fixed typo.
Tobias Brunner [Mon, 5 Jul 2010 12:53:56 +0000 (14:53 +0200)]

Added support for group membership information contained in the RADIUS class attribute
Martin Willi [Mon, 28 Jun 2010 14:12:06 +0000 (16:12 +0200)]

Use the group constraint in a more generic fashion, not only for attribute certificates
Martin Willi [Mon, 28 Jun 2010 13:46:13 +0000 (15:46 +0200)]

Use the responder side configured EAP-Identity directly, if given
Martin Willi [Mon, 28 Jun 2010 13:45:07 +0000 (15:45 +0200)]

Copy EAP specific attributes to auth config only
Martin Willi [Mon, 28 Jun 2010 13:41:48 +0000 (15:41 +0200)]

Disable EAP-GTC on Android.
Tobias Brunner [Mon, 5 Jul 2010 07:37:49 +0000 (09:37 +0200)]

The EAP-GTC plugin does not compile due to its dependency on PAM.

added IKEv2 xfrm marks support to NEWS
Andreas Steffen [Sat, 3 Jul 2010 20:14:45 +0000 (22:14 +0200)]

regenerated loop intermediate CA certificates
Andreas Steffen [Sat, 3 Jul 2010 16:18:30 +0000 (18:18 +0200)]

added ikev2/nat-two-rw-mark scenario
Andreas Steffen [Sat, 3 Jul 2010 11:25:09 +0000 (13:25 +0200)]

support of xfrm marks for IKEv2
Andreas Steffen [Fri, 2 Jul 2010 21:45:57 +0000 (23:45 +0200)]

Recreate IKE_SA_INIT related tasks only if they have completed
Martin Willi [Wed, 30 Jun 2010 11:48:47 +0000 (13:48 +0200)]

Use enumerator for queued_tasks migration to avoid infinite loop
Thomas Egerer [Wed, 30 Jun 2010 11:10:56 +0000 (13:10 +0200)]

Enabling some EAP plugins on Android.
Tobias Brunner [Wed, 30 Jun 2010 08:02:15 +0000 (10:02 +0200)]

The x509 plugin is not needed anymore on Android, using OpenSSL.
Tobias Brunner [Wed, 30 Jun 2010 08:01:16 +0000 (10:01 +0200)]

Correct check of traffic selectors before destruction
Thomas Egerer [Mon, 28 Jun 2010 20:18:25 +0000 (22:18 +0200)]

Migrate queued_tasks tasks, to avoid dangling pointers
Thomas Egerer [Tue, 29 Jun 2010 06:53:05 +0000 (08:53 +0200)]

The signature of keystore_get changed again.
Tobias Brunner [Mon, 28 Jun 2010 15:18:53 +0000 (17:18 +0200)]

With Android 2.2 (Froyo) the interface of keystore_get was changed once
again. The change was made to allow the keys to contain \0 characters.

Compiler warning fixed.
Tobias Brunner [Thu, 24 Jun 2010 14:23:54 +0000 (16:23 +0200)]

check for installed aead algorithms in kernel
Andreas Steffen [Sun, 27 Jun 2010 20:26:00 +0000 (22:26 +0200)]

upgraded xfrm.h to linux-2.6.34
Andreas Steffen [Sun, 27 Jun 2010 09:23:35 +0000 (11:23 +0200)]

Show contents of the CP payload in message_t stringification
Martin Willi [Thu, 24 Jun 2010 13:45:38 +0000 (15:45 +0200)]

Support the subnet attribute in the attr plugin
Martin Willi [Thu, 24 Jun 2010 13:44:28 +0000 (15:44 +0200)]

Increased the loglevel for the arguments received via Android control socket.
Tobias Brunner [Thu, 24 Jun 2010 12:44:45 +0000 (14:44 +0200)]

Terminate charon from the Android plugin if the tunnel goes down after it was initiated successfully.
Tobias Brunner [Thu, 24 Jun 2010 12:05:53 +0000 (14:05 +0200)]

Initiate the tunnel in the Android plugin asynchronously.
Tobias Brunner [Thu, 24 Jun 2010 12:02:52 +0000 (14:02 +0200)]

Also track its initiation using the registered listener.

Implement the listener_t interface in the Android plugin to track the status of an SA.
Tobias Brunner [Thu, 24 Jun 2010 12:00:39 +0000 (14:00 +0200)]

Helper function added to notify the Android frontend about status changes.
Tobias Brunner [Thu, 24 Jun 2010 11:57:03 +0000 (13:57 +0200)]

Initiate consumes a child_sa reference, so get an additional one.
Tobias Brunner [Thu, 24 Jun 2010 11:42:57 +0000 (13:42 +0200)]

Use the same error code constants as in the Java frontend.
Tobias Brunner [Thu, 24 Jun 2010 11:41:07 +0000 (13:41 +0200)]

Flush and destroy the send queue before unloading the socket plugins.
Tobias Brunner [Thu, 24 Jun 2010 08:34:48 +0000 (10:34 +0200)]

Select subjectAltName address family using address length in openssl plugin
Martin Willi [Thu, 24 Jun 2010 10:00:56 +0000 (12:00 +0200)]

Select subjectAltName address family using address length in x509 plugin
Martin Willi [Thu, 24 Jun 2010 09:59:20 +0000 (11:59 +0200)]

Do not install routes in the PF_KEY kernel interface if interface lookup failed.
Tobias Brunner [Wed, 23 Jun 2010 09:19:37 +0000 (11:19 +0200)]

The signature of keystore_get was changed with Android 2.x.
Tobias Brunner [Tue, 22 Jun 2010 14:19:55 +0000 (16:19 +0200)]

Avoid a segmentation fault if opening the Android control socket failed.
Tobias Brunner [Tue, 22 Jun 2010 14:18:22 +0000 (16:18 +0200)]

OpenSSL in Android 2.1+ lacks Elliptic Curve and ENGINE support.
Tobias Brunner [Tue, 22 Jun 2010 14:15:10 +0000 (16:15 +0200)]

Unfortunately, opensslconf.h was not changed accordingly.

Allow to enable the kernel-pfkey plugin via Android.mk.
Tobias Brunner [Tue, 22 Jun 2010 14:14:14 +0000 (16:14 +0200)]

Fixing the PF_KEY kernel interface on Android.
Tobias Brunner [Tue, 22 Jun 2010 14:04:13 +0000 (16:04 +0200)]

In Android's in.h, IPPROTO_COMP is not #defined but is just an enum member.

Fixing compilation of the OpenSSL plugin if ENGINE support is disabled.
Tobias Brunner [Tue, 22 Jun 2010 09:33:21 +0000 (11:33 +0200)]

That is, enable compilation if OpenSSL was configured with
OPENSSL_NO_ENGINE.

Fixing compilation of the OpenSSL plugin if Elliptic Curve support is disabled.
Tobias Brunner [Tue, 22 Jun 2010 09:28:50 +0000 (11:28 +0200)]

That is, enable compilation if OpenSSL was configured with
OPENSSL_NO_EC.

Ignore IKEv2 packets in pluto with any minor version
Martin Willi [Tue, 22 Jun 2010 07:16:04 +0000 (09:16 +0200)]

Accept IKE packets with any minor version in RAW socket
Martin Willi [Tue, 22 Jun 2010 07:03:41 +0000 (09:03 +0200)]

Fixed plugin checks in Android.mk files.
Tobias Brunner [Thu, 17 Jun 2010 16:09:34 +0000 (18:09 +0200)]

Don't fail with an error if an attribute that is to be deleted does not exist
Heiko Hund [Fri, 18 Jun 2010 03:01:06 +0000 (05:01 +0200)]

Fixed compiler warning.
Tobias Brunner [Mon, 7 Jun 2010 13:33:25 +0000 (15:33 +0200)]

Use vpn.dns* to store DNS servers (Android manages net.dns* using these).
Tobias Brunner [Tue, 11 May 2010 16:31:24 +0000 (18:31 +0200)]

Adding an interface that interacts with the Android Settings frontend.
Tobias Brunner [Tue, 4 May 2010 16:26:07 +0000 (18:26 +0200)]

Adding an Android specific credential set.
Tobias Brunner [Tue, 4 May 2010 16:18:51 +0000 (18:18 +0200)]

Adding an Android specific logger.
Tobias Brunner [Tue, 4 May 2010 16:13:27 +0000 (18:13 +0200)]

Adding support for the native Linux capabilities interface.
Tobias Brunner [Tue, 15 Jun 2010 17:40:44 +0000 (19:40 +0200)]

Note that this interface is deprecated and mainly added to support
Android. Use libcap, if possible.

Explicitly refer to LIBCAP in Makefiles.
Tobias Brunner [Tue, 15 Jun 2010 17:10:23 +0000 (19:10 +0200)]

Run as vpn user on Android.
Tobias Brunner [Tue, 4 May 2010 15:05:12 +0000 (17:05 +0200)]

Truncate the PID file so that even if we fail to unlink it, the daemon can be restarted properly.
Tobias Brunner [Tue, 15 Jun 2010 17:53:47 +0000 (19:53 +0200)]

Explicitly include stdint.h for UINT64_MAX.
Tobias Brunner [Tue, 15 Jun 2010 08:57:12 +0000 (10:57 +0200)]

This is required on FreeBSD 8.

Check for SADB_X_NAT_T_NEW_MAPPING in PF_KEY kernel interface.
Tobias Brunner [Tue, 15 Jun 2010 08:07:43 +0000 (10:07 +0200)]

FreeBSD 8 does not support SADB_X_NAT_T_NEW_MAPPING whereas Linux and
the previous FreeBSD NAT-T patch both do.

Set the ports of all hosts installed via the PF_KEY kernel interface to zero.
Tobias Brunner [Fri, 14 May 2010 13:25:59 +0000 (15:25 +0200)]

refer to correct PLUTO_XAUTH_ID variable
Andreas Steffen [Wed, 9 Jun 2010 13:21:26 +0000 (15:21 +0200)]

rename environment variable to PLUTO_XAUTH_ID
Andreas Steffen [Tue, 8 Jun 2010 21:18:51 +0000 (23:18 +0200)]

do not destroy xauth_id if phase2 equals phase1 connection
Andreas Steffen [Tue, 8 Jun 2010 21:18:00 +0000 (23:18 +0200)]

make an optional XAUTH user ID available in the updown script
Andreas Steffen [Tue, 8 Jun 2010 15:50:22 +0000 (17:50 +0200)]

inherit XAUTH identities in Phase 2
Heiko Hund [Tue, 8 Jun 2010 10:15:42 +0000 (12:15 +0200)]

Adding a basic unit test for hashtable_t.
Tobias Brunner [Mon, 7 Jun 2010 14:39:49 +0000 (16:39 +0200)]

Adding a remove_at method to the hash table.
Tobias Brunner [Mon, 7 Jun 2010 14:36:26 +0000 (16:36 +0200)]

This allows removing key-value pairs while enumerating them.

Migrated hashtable_t to INIT/METHOD macros.
Tobias Brunner [Mon, 7 Jun 2010 13:50:41 +0000 (15:50 +0200)]

Add extra information in debug output for IKE_SA check{out, in}
Thomas Egerer [Sun, 6 Jun 2010 20:50:29 +0000 (22:50 +0200)]

This output helps tracing checkout and checkin of IKE_SAs when there is
more than one IKE_SA with the same name. I also added the type of
in-air exchange to the debug output issued by the task_manager in case
a task initiation is delayed, which came in handy for me.

traffic_selector_t has gone into libstrongswan, migrate printf hook registration, too.
Martin Willi [Mon, 7 Jun 2010 13:06:09 +0000 (15:06 +0200)]

Flush auth configs, create new keymat during SA reset
Martin Willi [Mon, 7 Jun 2010 12:59:39 +0000 (14:59 +0200)]

Recreate IKE_INIT/IKE_NATD/IKE_VENDOR tasks if we reset SA during IKE_AUTH
Martin Willi [Mon, 7 Jun 2010 12:58:57 +0000 (14:58 +0200)]

Reacquire keymat from new IKE_SA during task migration
Martin Willi [Mon, 7 Jun 2010 12:56:24 +0000 (14:56 +0200)]

Flush certificate cache on CA delete
Martin Willi [Mon, 7 Jun 2010 11:51:18 +0000 (13:51 +0200)]

Log non-empty task queues in statusall
Martin Willi [Mon, 7 Jun 2010 09:59:37 +0000 (11:59 +0200)]

Wrap task enumerator in ike_sa
Martin Willi [Mon, 7 Jun 2010 09:37:55 +0000 (11:37 +0200)]

Migrated ike_sa_t to INIT/METHOD macros
Martin Willi [Mon, 7 Jun 2010 09:30:27 +0000 (09:30 +0000)]

Added support for task enumeration in task_manager_t
Martin Willi [Mon, 7 Jun 2010 08:45:25 +0000 (10:45 +0200)]

Migrated task_manager_t to INIT/METHOD macros
Martin Willi [Mon, 7 Jun 2010 08:37:00 +0000 (10:37 +0200)]