strongswan.git
10 years agoversion bump to 4.6.3dr1
Andreas Steffen [Wed, 14 Mar 2012 06:45:35 +0000 (07:45 +0100)]
version bump to 4.6.3dr1

10 years agomake the mppe salt unique
Andreas Steffen [Wed, 14 Mar 2012 06:31:19 +0000 (07:31 +0100)]
make the mppe salt unique

10 years agostraightene radius_mppe header file
Andreas Steffen [Wed, 14 Mar 2012 05:52:26 +0000 (06:52 +0100)]
straightene radius_mppe header file

10 years agoimplemented MS_MPPE encryption
Andreas Steffen [Tue, 13 Mar 2012 22:26:15 +0000 (23:26 +0100)]
implemented MS_MPPE encryption

10 years agouse predefined Microsoft PEN
Andreas Steffen [Tue, 13 Mar 2012 18:23:35 +0000 (19:23 +0100)]
use predefined Microsoft PEN

10 years agouse MAX_RADIUS_ATTRIBUTE_SIZE constant
Andreas Steffen [Tue, 13 Mar 2012 17:06:56 +0000 (18:06 +0100)]
use MAX_RADIUS_ATTRIBUTE_SIZE constant

10 years agouse RADIUS_TUNNEL_TYPE_ESP defined in header file
Andreas Steffen [Tue, 13 Mar 2012 16:00:37 +0000 (17:00 +0100)]
use RADIUS_TUNNEL_TYPE_ESP defined in header file

10 years agoimplemented RADIUS Filter-ID attribute
Andreas Steffen [Tue, 13 Mar 2012 15:26:10 +0000 (16:26 +0100)]
implemented RADIUS Filter-ID attribute

10 years agoremoved double library entry
Andreas Steffen [Mon, 12 Mar 2012 07:56:48 +0000 (08:56 +0100)]
removed double library entry

10 years agoadapted debug output
Andreas Steffen [Fri, 9 Mar 2012 16:41:04 +0000 (17:41 +0100)]
adapted debug output

10 years agokeep a list of RADIUS connections with EAP method states
Andreas Steffen [Fri, 9 Mar 2012 16:38:06 +0000 (17:38 +0100)]
keep a list of RADIUS connections with EAP method states

10 years agoapply maximum RADIUS attribute size to outbound EAP messages
Andreas Steffen [Fri, 9 Mar 2012 09:20:44 +0000 (10:20 +0100)]
apply maximum RADIUS attribute size to outbound EAP messages

10 years agoread PDP server name from strongswan.conf
Andreas Steffen [Fri, 9 Mar 2012 08:28:51 +0000 (09:28 +0100)]
read PDP server name from strongswan.conf

10 years agodefine MAX_RADIUS_ATTRIBUTE_SIZE
Andreas Steffen [Fri, 9 Mar 2012 07:48:46 +0000 (08:48 +0100)]
define MAX_RADIUS_ATTRIBUTE_SIZE

10 years agodefine peer and server identities
Andreas Steffen [Thu, 8 Mar 2012 22:19:13 +0000 (23:19 +0100)]
define peer and server identities

10 years agoadded EAP_SUCCESS/FAILURE message to RADIUS Accept/Reject
Andreas Steffen [Thu, 8 Mar 2012 21:37:09 +0000 (22:37 +0100)]
added EAP_SUCCESS/FAILURE message to RADIUS Accept/Reject

10 years agoadded msg_auth flag in radius_message_t sign() method
Andreas Steffen [Thu, 8 Mar 2012 21:36:06 +0000 (22:36 +0100)]
added msg_auth flag in radius_message_t sign() method

10 years agoallow debug of raw RADIUS data
Andreas Steffen [Thu, 8 Mar 2012 20:47:27 +0000 (21:47 +0100)]
allow debug of raw RADIUS data

10 years agosimple RADIUS server example works
Andreas Steffen [Thu, 8 Mar 2012 09:22:56 +0000 (10:22 +0100)]
simple RADIUS server example works

10 years agofirst use of libradius
Andreas Steffen [Thu, 24 Nov 2011 10:02:18 +0000 (11:02 +0100)]
first use of libradius

10 years agocreated libradius shared by eap-radius and tnc-pdp plugins
Andreas Steffen [Fri, 18 Nov 2011 18:42:05 +0000 (19:42 +0100)]
created libradius shared by eap-radius and tnc-pdp plugins

10 years agocreated tnc-pdp policy decision point plugin
Andreas Steffen [Sun, 13 Nov 2011 20:56:47 +0000 (21:56 +0100)]
created tnc-pdp policy decision point plugin

10 years agoFixed crash and locking issues while unrouting connections via stroke
Martin Willi [Tue, 13 Mar 2012 09:55:58 +0000 (10:55 +0100)]
Fixed crash and locking issues while unrouting connections via stroke

10 years agoClear peer addresses during HA update.
Tobias Brunner [Fri, 9 Mar 2012 09:30:37 +0000 (10:30 +0100)]
Clear peer addresses during HA update.

10 years agoSimplified some route lookups now that we store all peer addresses in a list.
Tobias Brunner [Fri, 9 Mar 2012 09:22:21 +0000 (10:22 +0100)]
Simplified some route lookups now that we store all peer addresses in a list.

10 years agoRenamed list of additional peer addresses as it now stores all known addresses.
Tobias Brunner [Fri, 9 Mar 2012 09:15:21 +0000 (10:15 +0100)]
Renamed list of additional peer addresses as it now stores all known addresses.

10 years agoStore the peer's current address as additional known address on the IKE_SA.
Tobias Brunner [Fri, 9 Mar 2012 09:03:08 +0000 (10:03 +0100)]
Store the peer's current address as additional known address on the IKE_SA.

This allows to switch back to the original address after switching to
any of the additional addresses.

10 years agoInclude radattr RADIUS attribute only if an EAP payload is present
Martin Willi [Tue, 6 Mar 2012 10:00:35 +0000 (11:00 +0100)]
Include radattr RADIUS attribute only if an EAP payload is present

10 years agoBy default include radattr RADIUS attribute in any IKE_AUTH exchange
Martin Willi [Tue, 6 Mar 2012 10:00:00 +0000 (11:00 +0100)]
By default include radattr RADIUS attribute in any IKE_AUTH exchange

10 years agofarp plugin sends ARP responses for any tunneled address, not only virtual IPs
Martin Willi [Fri, 10 Feb 2012 15:50:18 +0000 (16:50 +0100)]
farp plugin sends ARP responses for any tunneled address, not only virtual IPs

10 years agoBe less verbose if we don't have a local address for a tunnel
Martin Willi [Mon, 13 Feb 2012 10:41:20 +0000 (11:41 +0100)]
Be less verbose if we don't have a local address for a tunnel

10 years agoRe-resolve hosts on additional keyingtries
Martin Willi [Tue, 14 Feb 2012 10:29:34 +0000 (11:29 +0100)]
Re-resolve hosts on additional keyingtries

10 years agoRenamed radius_server to radius_config, as some real RADIUS server functionality...
Martin Willi [Mon, 5 Mar 2012 17:31:30 +0000 (18:31 +0100)]
Renamed radius_server to radius_config, as some real RADIUS server functionality is coming

10 years agoPrefer EAP-Identity to read radattr RADIUS attribute file
Martin Willi [Mon, 5 Mar 2012 16:57:16 +0000 (17:57 +0100)]
Prefer EAP-Identity to read radattr RADIUS attribute file

10 years agoInvoke ike_updown hook on authentication failure not before response sent
Martin Willi [Wed, 29 Feb 2012 09:10:45 +0000 (10:10 +0100)]
Invoke ike_updown hook on authentication failure not before response sent

10 years agoBuild libradius if radattr plugin is enabled
Martin Willi [Mon, 27 Feb 2012 15:39:48 +0000 (16:39 +0100)]
Build libradius if radattr plugin is enabled

10 years agoInject RADIUS attribute in radattr plugin read from an identity specific file
Martin Willi [Mon, 27 Feb 2012 15:33:18 +0000 (16:33 +0100)]
Inject RADIUS attribute in radattr plugin read from an identity specific file

10 years agoAdded a radattr plugin that prints any received RADIUS notify to console
Martin Willi [Mon, 27 Feb 2012 14:41:53 +0000 (15:41 +0100)]
Added a radattr plugin that prints any received RADIUS notify to console

10 years agoMoved generic RADIUS protocol support to a dedicated libradius
Martin Willi [Mon, 27 Feb 2012 14:18:58 +0000 (15:18 +0100)]
Moved generic RADIUS protocol support to a dedicated libradius

10 years agoRemoved libcharon dependencies from generic RADIUS protocol support
Martin Willi [Mon, 27 Feb 2012 13:49:22 +0000 (14:49 +0100)]
Removed libcharon dependencies from generic RADIUS protocol support

10 years agoForward specifcied RADIUS attributes between AAA backend and client
Martin Willi [Fri, 24 Feb 2012 15:41:10 +0000 (16:41 +0100)]
Forward specifcied RADIUS attributes between AAA backend and client

10 years agoDefined a private status notify to transport arbitrary RADIUS attributes
Martin Willi [Fri, 24 Feb 2012 12:37:00 +0000 (13:37 +0100)]
Defined a private status notify to transport arbitrary RADIUS attributes

10 years agoImplemented RADIUS DAE response retransmission
Martin Willi [Wed, 22 Feb 2012 16:01:13 +0000 (17:01 +0100)]
Implemented RADIUS DAE response retransmission

10 years agoBe a little more verbose before starting IKE_SA reauthentication
Martin Willi [Wed, 22 Feb 2012 15:16:15 +0000 (16:16 +0100)]
Be a little more verbose before starting IKE_SA reauthentication

10 years agoProcess RADIUS DAE CoA updates, updating lifetimes
Martin Willi [Wed, 22 Feb 2012 15:10:38 +0000 (16:10 +0100)]
Process RADIUS DAE CoA updates, updating lifetimes

10 years agoSend an AUTH_LIFETIME update after updating the lifetime, but can not reauth actively
Martin Willi [Wed, 22 Feb 2012 15:07:31 +0000 (16:07 +0100)]
Send an AUTH_LIFETIME update after updating the lifetime, but can not reauth actively

10 years agoUse faster ike_sa_id and a delete job to handle RADIUS DAE Delete-Request
Martin Willi [Wed, 22 Feb 2012 14:07:02 +0000 (15:07 +0100)]
Use faster ike_sa_id and a delete job to handle RADIUS DAE Delete-Request

10 years agoRefactored RADIUS DAE IKE_SA lookup
Martin Willi [Wed, 22 Feb 2012 13:56:02 +0000 (14:56 +0100)]
Refactored RADIUS DAE IKE_SA lookup

10 years agoPass RADIUS DAE client address a host_t instead of sockaddr struct
Martin Willi [Wed, 22 Feb 2012 13:44:24 +0000 (14:44 +0100)]
Pass RADIUS DAE client address a host_t instead of sockaddr struct

10 years agoSend RADIUS DAE Disconnect-ACK/NAK on Disconnect-Request
Martin Willi [Wed, 22 Feb 2012 13:23:50 +0000 (14:23 +0100)]
Send RADIUS DAE Disconnect-ACK/NAK on Disconnect-Request

10 years agoSupport signing of RADIUS response messages
Martin Willi [Wed, 22 Feb 2012 13:22:50 +0000 (14:22 +0100)]
Support signing of RADIUS response messages

10 years agoAct on RADIUS DAE Disconnect requests
Martin Willi [Wed, 22 Feb 2012 12:49:06 +0000 (13:49 +0100)]
Act on RADIUS DAE Disconnect requests

10 years agoVerify received RADIUS DAE requests
Martin Willi [Wed, 22 Feb 2012 12:06:58 +0000 (13:06 +0100)]
Verify received RADIUS DAE requests

10 years agoSupport verification of RADIUS request messages
Martin Willi [Wed, 22 Feb 2012 12:06:14 +0000 (13:06 +0100)]
Support verification of RADIUS request messages

10 years agoRename RADIUS message constructors to handle both, requests and responses
Martin Willi [Wed, 22 Feb 2012 11:39:50 +0000 (12:39 +0100)]
Rename RADIUS message constructors to handle both, requests and responses

10 years agoEnable RADIUS DAE listening if configured
Martin Willi [Wed, 22 Feb 2012 09:37:13 +0000 (10:37 +0100)]
Enable RADIUS DAE listening if configured

10 years agoAdded infrastructure to listen to RADIUS Dynamic Authorization Extension requests
Martin Willi [Wed, 22 Feb 2012 09:34:06 +0000 (10:34 +0100)]
Added infrastructure to listen to RADIUS Dynamic Authorization Extension requests

10 years agoAdded Dynamic Authorization Extension RADIUS message codes
Martin Willi [Wed, 22 Feb 2012 09:31:36 +0000 (10:31 +0100)]
Added Dynamic Authorization Extension RADIUS message codes

10 years agoSet IKE_SA lifetime based on RADIUS Session-Timeout attribute
Martin Willi [Tue, 21 Feb 2012 13:06:37 +0000 (14:06 +0100)]
Set IKE_SA lifetime based on RADIUS Session-Timeout attribute

10 years agoSet hard timeouts when setting a lifetime
Martin Willi [Tue, 21 Feb 2012 13:05:57 +0000 (14:05 +0100)]
Set hard timeouts when setting a lifetime

10 years agoFix IKE_SA timeout debug output on 64bit platforms
Martin Willi [Tue, 21 Feb 2012 13:05:11 +0000 (14:05 +0100)]
Fix IKE_SA timeout debug output on 64bit platforms

10 years agomaemo: New upstream release.
Tobias Brunner [Mon, 27 Feb 2012 17:15:51 +0000 (18:15 +0100)]
maemo: New upstream release.

10 years agoAdded support for untruncated MD5 and SHA1 HMACs in ESP as used in RFC 4595.
Tobias Brunner [Mon, 27 Feb 2012 13:31:19 +0000 (14:31 +0100)]
Added support for untruncated MD5 and SHA1 HMACs in ESP as used in RFC 4595.

This requires a Linux kernel >= 2.6.33.

10 years agoEncode IPv6 virtual IPs in a Framed-IPv6-Prefix attribute
Martin Willi [Fri, 24 Feb 2012 10:15:11 +0000 (11:15 +0100)]
Encode IPv6 virtual IPs in a Framed-IPv6-Prefix attribute

10 years agoRefactored construction of RADIUS accounting messages
Martin Willi [Fri, 24 Feb 2012 10:12:18 +0000 (11:12 +0100)]
Refactored construction of RADIUS accounting messages

10 years agoInclude port numbers in Calling-Station-Id, too
Martin Willi [Fri, 24 Feb 2012 09:48:54 +0000 (10:48 +0100)]
Include port numbers in Calling-Station-Id, too

10 years agoUse large enough buffers for IPv6 addresses in Calling-Station-Id
Martin Willi [Fri, 24 Feb 2012 09:13:08 +0000 (10:13 +0100)]
Use large enough buffers for IPv6 addresses in Calling-Station-Id

10 years agoSend client external address as Calling-Station-Id in RADIUS accounting
Martin Willi [Fri, 24 Feb 2012 09:04:31 +0000 (10:04 +0100)]
Send client external address as Calling-Station-Id in RADIUS accounting

10 years agoadded missing x character
Andreas Steffen [Tue, 21 Feb 2012 15:29:35 +0000 (16:29 +0100)]
added missing x character

10 years agohandle case where subject = NULL but keyid is set 4.6.2
Andreas Steffen [Mon, 20 Feb 2012 11:12:31 +0000 (12:12 +0100)]
handle case where subject = NULL but keyid is set

10 years agolibtnccs is required by the eap_tnc plugin
Andreas Steffen [Mon, 20 Feb 2012 08:04:02 +0000 (09:04 +0100)]
libtnccs is required by the eap_tnc plugin

10 years agocharon does not depend on libtncif any more but tnc_tnccs does
Andreas Steffen [Mon, 20 Feb 2012 07:00:48 +0000 (08:00 +0100)]
charon does not depend on libtncif any more but tnc_tnccs does

10 years agobuild libstrongswan if libimcv is built
Andreas Steffen [Thu, 16 Feb 2012 22:28:38 +0000 (23:28 +0100)]
build libstrongswan if libimcv is built

10 years agoversion bump to 4.6.2
Andreas Steffen [Wed, 15 Feb 2012 23:10:36 +0000 (00:10 +0100)]
version bump to 4.6.2

10 years agofixed attest sql query in list_measurements()
Andreas Steffen [Wed, 15 Feb 2012 22:13:05 +0000 (23:13 +0100)]
fixed attest sql query in list_measurements()

10 years agoCompiler warnings fixed.
Tobias Brunner [Tue, 14 Feb 2012 15:09:44 +0000 (16:09 +0100)]
Compiler warnings fixed.

10 years agopluto: Print expiry time more properly.
Tobias Brunner [Tue, 14 Feb 2012 08:34:48 +0000 (09:34 +0100)]
pluto: Print expiry time more properly.

10 years agopluto: Drop support for legacy PSK format.
Tobias Brunner [Wed, 8 Feb 2012 12:36:32 +0000 (13:36 +0100)]
pluto: Drop support for legacy PSK format.

Any line in ipsec.secrets starting with " or ' was treated as PSK
without ID selectors by pluto.  This prevented it from supporting DNs
like "C=CH, O=Linux strongSwan, OU=Sales, CN=alice@strongswan.org" as
ID selectors.

PSKs defined in this legacy format can easily be updated by changing

"thisIsASecret"

into

: PSK "thisIsASecret"

10 years agocompleted imc/imv-attestation settings
Andreas Steffen [Tue, 7 Feb 2012 21:11:51 +0000 (22:11 +0100)]
completed imc/imv-attestation settings

10 years agoadapted debug output check in openssl-ikev2/rw-eap-tls-only scenario
Andreas Steffen [Tue, 7 Feb 2012 19:31:09 +0000 (20:31 +0100)]
adapted debug output check in openssl-ikev2/rw-eap-tls-only scenario

10 years agoDouble check if a cached suite is available, overwrite any old suite state
Martin Willi [Tue, 7 Feb 2012 10:41:56 +0000 (11:41 +0100)]
Double check if a cached suite is available, overwrite any old suite state

10 years agoSome Doxygen fixes.
Tobias Brunner [Tue, 7 Feb 2012 10:20:46 +0000 (11:20 +0100)]
Some Doxygen fixes.

10 years agoFix TLS EAP-MSK derivation, uses different order of randoms than key expansion
Martin Willi [Tue, 7 Feb 2012 09:50:02 +0000 (10:50 +0100)]
Fix TLS EAP-MSK derivation, uses different order of randoms than key expansion

10 years agoFilter TLS suite MAC by HMAC algorithm, as the hash is not necessarily the same
Martin Willi [Tue, 7 Feb 2012 08:37:51 +0000 (09:37 +0100)]
Filter TLS suite MAC by HMAC algorithm, as the hash is not necessarily the same

10 years agoopen RADIUS accounting port in firewall
Andreas Steffen [Mon, 6 Feb 2012 19:45:21 +0000 (20:45 +0100)]
open RADIUS accounting port in firewall

10 years agoadded ikev2/rw-radius-accounting scenario
Andreas Steffen [Mon, 6 Feb 2012 11:52:48 +0000 (12:52 +0100)]
added ikev2/rw-radius-accounting scenario

10 years agoUpdate usage for all children in RADIUS accounting just before sending Stop
Martin Willi [Mon, 6 Feb 2012 09:26:24 +0000 (10:26 +0100)]
Update usage for all children in RADIUS accounting just before sending Stop

10 years agoCheck if ClusterIP directory could be opened before enumerating it
Martin Willi [Fri, 3 Feb 2012 11:55:55 +0000 (12:55 +0100)]
Check if ClusterIP directory could be opened before enumerating it

10 years agoversion bump to 4.6.2rc1
Andreas Steffen [Sun, 5 Feb 2012 21:24:56 +0000 (22:24 +0100)]
version bump to 4.6.2rc1

10 years agoipsec attest adds and deletes key/component pairs
Andreas Steffen [Sun, 5 Feb 2012 21:23:45 +0000 (22:23 +0100)]
ipsec attest adds and deletes key/component pairs

10 years agocheck if TNC client has a valid and registered AIK
Andreas Steffen [Sun, 5 Feb 2012 18:37:58 +0000 (19:37 +0100)]
check if TNC client has a valid and registered AIK

10 years agoreformulated some NEWS entries
Andreas Steffen [Fri, 3 Feb 2012 15:13:34 +0000 (16:13 +0100)]
reformulated some NEWS entries

10 years agoadded openssl-ikev2/ecdsa-pkcs8 scenario
Andreas Steffen [Fri, 3 Feb 2012 10:44:04 +0000 (11:44 +0100)]
added openssl-ikev2/ecdsa-pkcs8 scenario

10 years agoadded ikev2/rw-pkcs8 scenario
Andreas Steffen [Fri, 3 Feb 2012 10:10:13 +0000 (11:10 +0100)]
added ikev2/rw-pkcs8 scenario

10 years agoversion bump to 4.6.2dr4
Andreas Steffen [Thu, 2 Feb 2012 17:26:12 +0000 (18:26 +0100)]
version bump to 4.6.2dr4

10 years agoTrigger DPD not before IKE_SA state gets updated
Martin Willi [Thu, 2 Feb 2012 09:33:40 +0000 (10:33 +0100)]
Trigger DPD not before IKE_SA state gets updated

10 years agoDon't retransmit, rekey, reauth or DPD check SAs when in PASSIVE state
Martin Willi [Tue, 10 Jan 2012 12:32:06 +0000 (13:32 +0100)]
Don't retransmit, rekey, reauth or DPD check SAs when in PASSIVE state

10 years agoMoved and clarified NEWS about PKCS#8 plugin.
Tobias Brunner [Wed, 1 Feb 2012 17:32:28 +0000 (18:32 +0100)]
Moved and clarified NEWS about PKCS#8 plugin.

10 years agoMoved log message for unexpected ASN.1 objects to level 2.
Tobias Brunner [Wed, 1 Feb 2012 17:15:38 +0000 (18:15 +0100)]
Moved log message for unexpected ASN.1 objects to level 2.

This avoids error messages if later builders can successfully decode something.

10 years agoAdded support for PKCS#5 v2 schemes when decrypting PKCS#8 files.
Tobias Brunner [Tue, 31 Jan 2012 17:54:00 +0000 (18:54 +0100)]
Added support for PKCS#5 v2 schemes when decrypting PKCS#8 files.