strongswan.git
Remove obsolete pluto smartcard syntax in ipsec.secrets.5
Martin Willi [Wed, 17 Oct 2012 13:53:44 +0000 (15:53 +0200)]

Updated ipsec.conf.5 regarding (CA) certificates loaded from smartcards
Martin Willi [Wed, 17 Oct 2012 13:50:01 +0000 (15:50 +0200)]

Add a strongswan.conf option to disable loading of all certificates from a pkcs11 module
Martin Willi [Wed, 17 Oct 2012 13:55:42 +0000 (15:55 +0200)]

Support loading cacert certificates in ipsec.conf ca sections from a smartcard
Martin Willi [Wed, 17 Oct 2012 13:55:36 +0000 (15:55 +0200)]

Refactored stroke smartcard token parsing, support module and slot in leftcert option
Martin Willi [Wed, 17 Oct 2012 13:36:45 +0000 (15:36 +0200)]

Explicit pkcs11 certificate loading can enforce a module and a slot
Martin Willi [Wed, 17 Oct 2012 12:21:06 +0000 (14:21 +0200)]

Be less verbose if loading PKCS#11 certificate fails
Martin Willi [Mon, 15 Oct 2012 16:26:26 +0000 (18:26 +0200)]

Add leftcert ipsec.conf.5 documentation about smartcard certificates
Martin Willi [Mon, 15 Oct 2012 16:14:03 +0000 (18:14 +0200)]

Load ipsec.conf %smartcard leftcerts with pkcs11 builder
Martin Willi [Mon, 15 Oct 2012 15:54:00 +0000 (17:54 +0200)]

Add a builder to load specific pkcs11 certificates by keyid
Martin Willi [Mon, 15 Oct 2012 15:53:21 +0000 (17:53 +0200)]
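
The %smartcard reference syntax these commits add to leftcert (and, per the ca-section commit, to cacert) pins a certificate to a key ID and optionally to a slot and a PKCS#11 module. The parser and matcher below are an added example, not strongSwan's stroke or pkcs11 plugin code: the token grammar %smartcard[<slot nr>[@<module>]]:<keyid> is the one ipsec.conf(5) documents for leftcert; the flat list of (module, slot, keyid) objects standing in for the plugin's token enumeration, the acceptance of colon-separated hex in the keyid, the zero-padding of an odd-length keyid, and the "first match wins" rule for an unpinned reference are assumptions made for this example.

```python
"""Parse ipsec.conf %smartcard certificate references and pick the matching
PKCS#11 object.  Added example; the object list is constructed sample data."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Grammar (ipsec.conf(5), leftcert): "%smartcard" [slot ["@" module]] ":" keyid
_TOKEN = re.compile(
    r"^%smartcard(?:(?P<slot>\d+)(?:@(?P<module>[A-Za-z0-9_.-]+))?)?"
    r":(?P<keyid>[0-9A-Fa-f:]+)$"
)


@dataclass(frozen=True)
class SmartcardRef:
    keyid: bytes                  # CKA_ID of the certificate object
    slot: Optional[int] = None    # None: any slot of the selected module(s)
    module: Optional[str] = None  # None: any loaded PKCS#11 module


@dataclass(frozen=True)
class TokenObject:
    """Assumed stand-in for one certificate object found on a token."""
    module: str
    slot: int
    keyid: bytes
    label: str


# Constructed sample enumeration: two cards from the same module share a
# CKA_ID (a key re-provisioned onto a replacement card), a third token differs.
TOKEN_OBJECTS = [
    TokenObject("opensc", 0, b"\x50", "old-yubikey"),
    TokenObject("opensc", 1, b"\x50", "new-yubikey"),
    TokenObject("softhsm", 0, b"\x4a\x5b", "softhsm-ca"),
]


def parse_smartcard_ref(value: str) -> Optional[SmartcardRef]:
    """None for an ordinary file path, a SmartcardRef for a %smartcard token,
    ValueError for a token that does not follow the grammar."""
    if not value.startswith("%smartcard"):
        return None
    m = _TOKEN.match(value)
    if m is None:
        raise ValueError("malformed smartcard reference: %r" % value)
    keyid_hex = m.group("keyid").replace(":", "")
    if len(keyid_hex) % 2:
        keyid_hex = "0" + keyid_hex       # example convention: left-pad odd nibble counts
    slot = m.group("slot")
    return SmartcardRef(
        keyid=bytes.fromhex(keyid_hex),
        slot=int(slot) if slot is not None else None,
        module=m.group("module"),
    )


def is_malformed(value: str) -> bool:
    """True if the reference is rejected by the parser (used for the error path)."""
    try:
        parse_smartcard_ref(value)
    except ValueError:
        return True
    return False


def find_certificate(ref: SmartcardRef, objects: List[TokenObject]) -> Optional[TokenObject]:
    """Select the object a reference designates.  Unpinned slot/module match
    anything, so an unpinned reference silently takes the first keyid hit."""
    for obj in objects:
        if obj.keyid != ref.keyid:
            continue
        if ref.module is not None and obj.module != ref.module:
            continue
        if ref.slot is not None and obj.slot != ref.slot:
            continue
        return obj
    return None


if __name__ == "__main__":
    for spec in ("%smartcard:50", "%smartcard1@opensc:50", "%smartcard:4a:5b"):
        ref = parse_smartcard_ref(spec)
        print(spec, "->", find_certificate(ref, TOKEN_OBJECTS))
```

The constructed object list shows why the module and slot pins matter: "%smartcard:50" resolves to whichever token with CKA_ID 0x50 enumerates first, so a stale card left plugged in can be selected over the intended one, whereas "%smartcard1@opensc:50" is deterministic.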

If no pkcs11 public key for a private key is found, search for a certificate
Martin Willi [Mon, 15 Oct 2012 12:05:14 +0000 (14:05 +0200)]

Move pkcs11 public key lookup function declaration to header file
Martin Willi [Mon, 15 Oct 2012 12:04:42 +0000 (14:04 +0200)]

Add NEWS about proposals with PRFs different from integrity protection algorithms
Martin Willi [Wed, 24 Oct 2012 09:52:59 +0000 (11:52 +0200)]

Add ipsec.conf.5 documentation for explicit PRFs in IKE proposals
Martin Willi [Wed, 10 Oct 2012 12:17:43 +0000 (14:17 +0200)]

Only add an implicit PRF based on the MAC alg if no PRF given in proposal
Martin Willi [Wed, 10 Oct 2012 11:36:16 +0000 (13:36 +0200)]

Add proposal keywords to explicitly specify PRF algorithms
Martin Willi [Wed, 10 Oct 2012 11:35:37 +0000 (13:35 +0200)]
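
The four commits above introduce prf keywords for ike= proposals and change the parser so that a PRF is derived from the integrity (MAC) algorithm only when the proposal names none. The parser below is an added example in Python, not strongSwan's proposal code: the keyword-to-algorithm tables are a small subset of the real keyword list, the sample ike= strings are constructed, and the checks that an AEAD cipher needs an explicit prf keyword and must not be combined with an integrity keyword are this example's own validation rules, not something the commits state.

```python
"""Parse ipsec.conf ike= proposals with explicit or implicit PRF.  Added example."""
from dataclasses import dataclass
from typing import List, Optional

# Keyword tables (subset of the ipsec.conf proposal keywords, enough for the example)
ENCR = {"3des": "3DES_CBC", "aes128": "AES_CBC_128", "aes192": "AES_CBC_192",
        "aes256": "AES_CBC_256"}
AEAD = {"aes128gcm16": "AES_GCM_16_128", "aes256gcm16": "AES_GCM_16_256"}
INTEG = {"md5": "HMAC_MD5_96", "sha1": "HMAC_SHA1_96", "sha256": "HMAC_SHA2_256_128",
         "sha384": "HMAC_SHA2_384_192", "sha512": "HMAC_SHA2_512_256",
         "aesxcbc": "AES_XCBC_96"}
PRF = {"prfmd5": "PRF_HMAC_MD5", "prfsha1": "PRF_HMAC_SHA1",
       "prfsha256": "PRF_HMAC_SHA2_256", "prfsha384": "PRF_HMAC_SHA2_384",
       "prfsha512": "PRF_HMAC_SHA2_512", "prfaesxcbc": "PRF_AES128_XCBC"}
DH = {"modp1024", "modp1536", "modp2048", "modp3072", "modp4096", "modp8192",
      "ecp256", "ecp384", "ecp521"}
# PRF implied by each MAC algorithm when the proposal carries no prf keyword
INTEG_TO_PRF = {
    "HMAC_MD5_96": "PRF_HMAC_MD5", "HMAC_SHA1_96": "PRF_HMAC_SHA1",
    "HMAC_SHA2_256_128": "PRF_HMAC_SHA2_256", "HMAC_SHA2_384_192": "PRF_HMAC_SHA2_384",
    "HMAC_SHA2_512_256": "PRF_HMAC_SHA2_512", "AES_XCBC_96": "PRF_AES128_XCBC",
}


@dataclass(frozen=True)
class IkeProposal:
    encr: str
    integ: Optional[str]   # None for AEAD ciphers, which authenticate themselves
    prf: str
    dh: Optional[str]
    prf_implicit: bool     # True if the PRF was derived from integ, not spelled out


def parse_ike_proposal(spec: str) -> IkeProposal:
    """Parse one '-'-separated proposal, e.g. aes128-sha256-prfsha384-modp2048."""
    encr = integ = prf = dh = None
    aead = False
    for kw in spec.split("-"):
        if kw in ENCR or kw in AEAD:
            if encr is not None:
                raise ValueError("two encryption algorithms in %r" % spec)
            encr, aead = (AEAD[kw], True) if kw in AEAD else (ENCR[kw], False)
        elif kw in INTEG:
            if integ is not None:
                raise ValueError("two integrity algorithms in %r" % spec)
            integ = INTEG[kw]
        elif kw in PRF:
            if prf is not None:
                raise ValueError("two PRFs in %r" % spec)
            prf = PRF[kw]
        elif kw in DH:
            dh = kw
        else:
            raise ValueError("unknown keyword %r in %r" % (kw, spec))
    if encr is None:
        raise ValueError("no encryption algorithm in %r" % spec)
    if aead and integ is not None:   # example rule: AEAD carries its own MAC
        raise ValueError("AEAD cipher combined with integrity algorithm in %r" % spec)
    if not aead and integ is None:
        raise ValueError("no integrity algorithm in %r" % spec)
    implicit = prf is None
    if implicit:
        # the rule from the commit: derive the PRF from the MAC only if none was given
        if integ is None:
            raise ValueError("AEAD proposal %r needs an explicit prf keyword" % spec)
        prf = INTEG_TO_PRF[integ]
    return IkeProposal(encr, integ, prf, dh, implicit)


def parse_ike_proposals(value: str) -> List[IkeProposal]:
    """Parse a full ike= value: ','-separated proposals, trailing '!' (strict) dropped."""
    return [parse_ike_proposal(p) for p in value.rstrip("!").split(",") if p]


def rejects(spec: str) -> bool:
    """True if the parser refuses spec (used to exercise the error paths)."""
    try:
        parse_ike_proposal(spec)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for p in parse_ike_proposals("aes128-sha256-modp2048,aes256-sha256-prfsha384-modp3072"):
        print(p)
```

With the implicit rule, aes128-sha256-modp2048 and aes128-sha256-prfsha256-modp2048 parse to the same algorithms; only prf_implicit differs, which is handy when auditing whether a configuration states its PRF or relies on the derivation.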

Added NEWS about lookip plugin
Martin Willi [Wed, 24 Oct 2012 09:47:18 +0000 (11:47 +0200)]

Add an interactive mode in lookip tool, demonstrate lasting connections
Martin Willi [Tue, 9 Oct 2012 09:36:17 +0000 (11:36 +0200)]

Send a lookip NOT_FOUND reply if a lookup yields no results
Martin Willi [Tue, 9 Oct 2012 09:16:07 +0000 (11:16 +0200)]

lookup function of lookip listener returns the number of matches
Martin Willi [Tue, 9 Oct 2012 09:05:19 +0000 (11:05 +0200)]

Handle multiple lookip connections using a single FDSET
Martin Willi [Tue, 9 Oct 2012 08:03:15 +0000 (10:03 +0200)]

Renamed list to store listening lookip clients
Martin Willi [Tue, 9 Oct 2012 07:33:15 +0000 (09:33 +0200)]

Handle client subscriptions in lookip plugin
Martin Willi [Thu, 4 Oct 2012 14:14:10 +0000 (16:14 +0200)]

Add a lookip server side UNIX socket processing LOOKUP and DUMP requests
Martin Willi [Thu, 4 Oct 2012 13:39:26 +0000 (15:39 +0200)]

Add a simple command line utility to query the lookip plugin
Martin Willi [Thu, 4 Oct 2012 12:49:10 +0000 (14:49 +0200)]

Defined on-the-wire format used on lookip socket
Martin Willi [Wed, 3 Oct 2012 16:08:38 +0000 (18:08 +0200)]

Add a lookip function to register virtual IP notification listeners
Martin Willi [Wed, 3 Oct 2012 15:42:19 +0000 (17:42 +0200)]

Add a lookup method to lookip plugin, using a callback to invoke
Martin Willi [Wed, 3 Oct 2012 15:13:37 +0000 (17:13 +0200)]

Add a lookip listener that collects the information we are interested in
Martin Willi [Wed, 3 Oct 2012 14:58:37 +0000 (16:58 +0200)]

Add a lookip plugin stub to look up connections by virtual IP
Martin Willi [Wed, 3 Oct 2012 14:25:36 +0000 (16:25 +0200)]

Add NEWS about stroke counters
Martin Willi [Wed, 24 Oct 2012 09:38:24 +0000 (11:38 +0200)]

Add "listcounters" command to ipsec.8 manpage
Martin Willi [Mon, 8 Oct 2012 13:38:02 +0000 (15:38 +0200)]

Add an "ipsec listcounters" command to stroke
Martin Willi [Mon, 8 Oct 2012 10:36:08 +0000 (12:36 +0200)]

Add a print method for stroke counters
Martin Willi [Mon, 8 Oct 2012 09:59:20 +0000 (11:59 +0200)]

Support field width specifiers in %N printf hook
Martin Willi [Mon, 8 Oct 2012 10:35:44 +0000 (12:35 +0200)]

Add stroke message type counters
Martin Willi [Mon, 8 Oct 2012 09:49:12 +0000 (11:49 +0200)]

Add stroke counters for invalid IKE messages
Martin Willi [Mon, 8 Oct 2012 09:36:07 +0000 (11:36 +0200)]

Add stroke CHILD_SA rekeying counter
Martin Willi [Mon, 8 Oct 2012 09:32:44 +0000 (11:32 +0200)]

Add stroke IKE rekey counters
Martin Willi [Mon, 8 Oct 2012 09:31:18 +0000 (11:31 +0200)]

Raise a bus alert when IKE message body parsing fails
Martin Willi [Mon, 8 Oct 2012 09:19:54 +0000 (11:19 +0200)]

Raise a bus alert when IKE message header parsing fails
Martin Willi [Mon, 8 Oct 2012 09:15:09 +0000 (11:15 +0200)]

Raise a bus alert when a received message contains unknown SPIs
Martin Willi [Mon, 8 Oct 2012 09:09:31 +0000 (11:09 +0200)]

Define stroke counter types to implement
Martin Willi [Mon, 8 Oct 2012 09:03:08 +0000 (11:03 +0200)]

Add a stub for IKE event counters in stroke
Martin Willi [Mon, 8 Oct 2012 08:31:36 +0000 (10:31 +0200)]

Add a load-tester option to define the IKE version to use for testing
Martin Willi [Wed, 17 Oct 2012 14:13:17 +0000 (16:13 +0200)]

Remove peer_cfg IKE version matching, as it is done in ike_cfg matching
Martin Willi [Tue, 16 Oct 2012 13:00:32 +0000 (15:00 +0200)]

Respect IKE version while selecting an ike_cfg as responder
Martin Willi [Tue, 16 Oct 2012 12:47:55 +0000 (14:47 +0200)]

Remove version argument on peer_cfg constructor, use ike_cfg version instead
Martin Willi [Tue, 16 Oct 2012 12:31:02 +0000 (14:31 +0200)]

Add IKE version information to ike_cfg_t
Martin Willi [Tue, 16 Oct 2012 12:24:35 +0000 (14:24 +0200)]

Move ike_version_t definition from peer_cfg_t to ike_cfg_t
Martin Willi [Tue, 16 Oct 2012 12:21:17 +0000 (14:21 +0200)]

android: Enable ECC in the app as our custom built libcrypto supports it
Tobias Brunner [Tue, 23 Oct 2012 16:13:58 +0000 (18:13 +0200)]

version bump to 5.0.2dr2
Andreas Steffen [Sat, 20 Oct 2012 08:49:27 +0000 (10:49 +0200)]

updated NEWS
Andreas Steffen [Fri, 19 Oct 2012 06:52:35 +0000 (08:52 +0200)]

implemented IETF Numeric Version attribute
Andreas Steffen [Thu, 18 Oct 2012 20:33:26 +0000 (22:33 +0200)]

implemented IETF Remediation Instructions attribute
Andreas Steffen [Thu, 18 Oct 2012 16:24:04 +0000 (18:24 +0200)]

Handle type of first EAP-RADIUS response in a more sophisticated way
Tobias Brunner [Tue, 16 Oct 2012 14:39:49 +0000 (16:39 +0200)]

Starter ignores non-fatal errors when reloading config
Tobias Brunner [Mon, 8 Oct 2012 09:23:08 +0000 (11:23 +0200)]

Starter unroutes removed or changed connections before loading and routing new ones
Tobias Brunner [Thu, 4 Oct 2012 09:22:44 +0000 (11:22 +0200)]

Update routed connections in trap manager
Tobias Brunner [Tue, 2 Oct 2012 14:47:43 +0000 (16:47 +0200)]

Before this change, modified configs that had been updated with ipsec reload
could properly be started manually, but the old config would get used if
triggered via trap policies.

Reload logger configuration on SIGHUP
Tobias Brunner [Thu, 4 Oct 2012 16:12:20 +0000 (18:12 +0200)]

Besides changing the configuration, this makes it easy to rotate log files.

Also moved logger initialization back to daemon_t.

Make syslog and file loggers configurable at runtime
Tobias Brunner [Thu, 4 Oct 2012 16:07:42 +0000 (18:07 +0200)]

Store loggers in conftest separately, not on charon
Tobias Brunner [Tue, 2 Oct 2012 12:49:26 +0000 (14:49 +0200)]

Added an option to reload certificates from PKCS#11 tokens on SIGHUP
Tobias Brunner [Mon, 1 Oct 2012 12:22:54 +0000 (14:22 +0200)]

Copy the name of pkcs11_library_t objects
Tobias Brunner [Mon, 8 Oct 2012 09:15:35 +0000 (11:15 +0200)]

Strings returned by settings_t.create_section_enumerator will be freed
when the config is reloaded.

New Android release after adding MOBIKE support
Tobias Brunner [Thu, 18 Oct 2012 12:03:38 +0000 (14:03 +0200)]

Merge branch 'android-mobility'
Tobias Brunner [Thu, 18 Oct 2012 10:28:14 +0000 (12:28 +0200)]

This brings support for MOBIKE to the Android app.  The app also tries
to keep the connection up as long as possible.

DNS queries are now handled by a new class that uses independent threads to
resolve them, which makes it possible to cancel them, e.g. if no network
connectivity is available (otherwise the app would block until the DNS query
returns).

Use a shortcut to resolve numeric IP addresses (no need for separate threads)
Tobias Brunner [Thu, 18 Oct 2012 07:10:18 +0000 (09:10 +0200)]

Use native threads in host resolver so that it works even if the processor has no threads
Tobias Brunner [Thu, 18 Oct 2012 08:47:51 +0000 (10:47 +0200)]

Terminate unused resolver threads after a timeout
Tobias Brunner [Thu, 18 Oct 2012 06:46:24 +0000 (08:46 +0200)]

Only create more threads if needed in host_resolver_t
Tobias Brunner [Wed, 17 Oct 2012 16:04:33 +0000 (18:04 +0200)]

Use a helper function to add milliseconds to timeval structs
Tobias Brunner [Tue, 16 Oct 2012 10:38:54 +0000 (12:38 +0200)]

android: Ignore if peer is unreachable when reestablishing an SA
Tobias Brunner [Tue, 16 Oct 2012 11:41:02 +0000 (13:41 +0200)]

android: Use a shorter timeout for retransmits
Tobias Brunner [Tue, 16 Oct 2012 10:05:50 +0000 (12:05 +0200)]

android: Use keyingtries=%forever and dpd|closeaction=restart
Tobias Brunner [Tue, 16 Oct 2012 09:50:53 +0000 (11:50 +0200)]

We also ignore the CHILD_SA_DOWN event.

This should allow us to keep the connection up as long as the user does
not manually disconnect.

Resolve hosts by DNS name in separate threads so we can cancel them
Tobias Brunner [Tue, 16 Oct 2012 08:57:02 +0000 (10:57 +0200)]

getaddrinfo(3) may block for a long time, so proper termination of the daemon
may block if DNS servers are not reachable.

getaddrinfo(3) is an optional cancellation point in POSIX threads, so it
might still block a shutdown, but at least on Android (with the signal-based
pthread_cancel implementation) it works; on Linux, starter will kill charon
anyway after a while.
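
The resolver design described in the commits above (literal addresses resolved inline without a thread, DNS lookups on separate threads, waiting abandoned on shutdown or after a timeout) as an added example in Python, not strongSwan's host_resolver_t. Python threads, like a getaddrinfo(3) call that is not sitting at a cancellation point, cannot be forcibly cancelled, so this example stops waiting and leaves the worker behind as a daemon thread instead of cancelling it. The injectable lookup function, and the slow and failing stand-in DNS servers used in demo(), are constructed for the example.

```python
"""Host resolution on worker threads with a deadline and a shutdown switch.
Added example; lookup functions in demo() are constructed stand-ins for DNS."""
import ipaddress
import socket
import threading
import time
from typing import Callable, Dict, Optional


def getaddrinfo_first(host: str) -> str:
    """Default lookup: first address getaddrinfo(3) returns for host."""
    return socket.getaddrinfo(host, None)[0][4][0]


class HostResolver:
    """Runs DNS lookups on daemon threads so callers can stop waiting."""

    def __init__(self, lookup: Callable[[str], str] = getaddrinfo_first):
        self._lookup = lookup              # injectable: tests simulate slow/failing DNS
        self._shutdown = threading.Event()

    def resolve(self, host: str, timeout: Optional[float] = None) -> Optional[str]:
        """Address string, or None on failure, timeout or shutdown."""
        try:
            return str(ipaddress.ip_address(host))  # literal address: no DNS, no thread
        except ValueError:
            pass
        if self._shutdown.is_set():
            return None
        done = threading.Event()
        box: Dict[str, object] = {}

        def worker() -> None:
            try:
                box["addr"] = self._lookup(host)
            except OSError as exc:          # socket.gaierror is an OSError
                box["error"] = exc
            finally:
                done.set()

        # daemon=True: a lookup stuck in getaddrinfo is abandoned, it never keeps
        # the process from exiting; we cannot cancel it, only stop waiting for it
        threading.Thread(target=worker, name="resolve-" + host, daemon=True).start()
        deadline = None if timeout is None else time.monotonic() + timeout
        while not done.is_set():
            if self._shutdown.is_set():
                return None                 # shutdown requested: stop waiting now
            wait = 0.05
            if deadline is not None:
                wait = min(wait, deadline - time.monotonic())
                if wait <= 0:
                    return None             # deadline passed
            done.wait(wait)
        addr = box.get("addr")
        return addr if isinstance(addr, str) else None

    def shutdown(self) -> None:
        """Unblock every pending and future resolve() without waiting for DNS."""
        self._shutdown.set()


def demo() -> Dict[str, object]:
    """Exercise the resolver against constructed lookups; returns results for checking."""
    out: Dict[str, object] = {}
    calls = []

    def slow(host: str) -> str:             # stand-in for an unreachable DNS server
        calls.append(host)
        time.sleep(1.0)
        return "192.0.2.1"

    def nxdomain(host: str) -> str:         # stand-in for a server answering NXDOMAIN
        raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")

    r = HostResolver(lookup=slow)
    out["v4_literal"] = r.resolve("127.0.0.1")     # shortcut, lookup never called
    out["v6_literal"] = r.resolve("::1")
    t0 = time.monotonic()
    out["timed_out"] = r.resolve("vpn.example.org", timeout=0.2)
    out["timeout_elapsed"] = time.monotonic() - t0
    out["lookup_calls"] = list(calls)
    r2 = HostResolver(lookup=slow)
    threading.Timer(0.1, r2.shutdown).start()      # shutdown arrives mid-lookup
    t0 = time.monotonic()
    out["shut_down"] = r2.resolve("vpn.example.org")
    out["shutdown_elapsed"] = time.monotonic() - t0
    out["after_shutdown"] = r2.resolve("gw.example.org", timeout=1.0)
    out["nxdomain"] = HostResolver(lookup=nxdomain).resolve("nope.example.org", timeout=1.0)
    out["fast"] = HostResolver(lookup=lambda h: "198.51.100.5").resolve("gw.example.org", 1.0)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The shutdown case is the one the commit is about: without the switch, resolve() with no timeout would sit until the stand-in server answered, which for a real unreachable DNS server means the daemon's shutdown waits on the resolver's timeout.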

no need to include pa_tnc_msg.h
Andreas Steffen [Thu, 18 Oct 2012 05:00:32 +0000 (07:00 +0200)]

refactored PA-TNC message handling by IMVs
Andreas Steffen [Wed, 17 Oct 2012 21:15:14 +0000 (23:15 +0200)]

refactored PA-TNC message handling by IMCs
Andreas Steffen [Wed, 17 Oct 2012 07:58:00 +0000 (09:58 +0200)]

increased IMC/IMV debug level to 3
Andreas Steffen [Wed, 17 Oct 2012 07:45:19 +0000 (09:45 +0200)]

removed unused variable
Andreas Steffen [Tue, 16 Oct 2012 13:17:39 +0000 (15:17 +0200)]

android: Handle unreachable peers via alert
Tobias Brunner [Mon, 15 Oct 2012 12:50:22 +0000 (14:50 +0200)]

Added a new alert that is raised if peer does not respond to initial IKE message
Tobias Brunner [Mon, 15 Oct 2012 11:12:43 +0000 (13:12 +0200)]

android: Use 0.0.0.0/0 as local traffic selector
Tobias Brunner [Mon, 15 Oct 2012 09:02:18 +0000 (11:02 +0200)]

This is helpful if the responder also wants to tunnel e.g. multicast
packets.

Log IP addresses for discarded inbound IPsec packets
Tobias Brunner [Mon, 15 Oct 2012 09:19:34 +0000 (11:19 +0200)]

android: Bypass/protect previously bypassed sockets if connectivity changes
Tobias Brunner [Thu, 11 Oct 2012 16:48:17 +0000 (18:48 +0200)]

android: Support for IPsec SA update added
Tobias Brunner [Wed, 10 Oct 2012 13:31:24 +0000 (15:31 +0200)]

Use pointers for lookups in IPsec SA manager
Tobias Brunner [Wed, 10 Oct 2012 17:17:17 +0000 (19:17 +0200)]

IPsec SA manager implements update_sa()
Tobias Brunner [Wed, 10 Oct 2012 13:31:02 +0000 (15:31 +0200)]

Setter for src and destination address of ipsec_sa_t added
Tobias Brunner [Wed, 10 Oct 2012 13:29:25 +0000 (15:29 +0200)]

android: Trigger roam events in case connectivity changes
Tobias Brunner [Wed, 10 Oct 2012 12:42:12 +0000 (14:42 +0200)]

android: Register NetworkManager as BroadcastReceiver and relay events via JNI
Tobias Brunner [Wed, 10 Oct 2012 12:14:30 +0000 (14:14 +0200)]

android: Determine source address dynamically
Tobias Brunner [Wed, 10 Oct 2012 10:26:51 +0000 (12:26 +0200)]

android: Added NetworkManager class which allows retrieving a local IP address
Tobias Brunner [Wed, 10 Oct 2012 10:10:20 +0000 (12:10 +0200)]

android: Increase compile warnings
Tobias Brunner [Wed, 10 Oct 2012 10:11:31 +0000 (12:11 +0200)]

android: Fixed "Configure" button in Android VPN dialog
Tobias Brunner [Wed, 10 Oct 2012 09:56:34 +0000 (11:56 +0200)]

android: Don't use the default ESP proposal as it includes unsupported algorithms
Tobias Brunner [Tue, 9 Oct 2012 12:01:33 +0000 (14:01 +0200)]

Remove unused this parameter to load_issuer_cert/key(), as it is uninitialized
Martin Willi [Tue, 16 Oct 2012 12:11:14 +0000 (14:11 +0200)]

Generate a load-tester certificate only for DN or subjectAltName identities
Martin Willi [Mon, 1 Oct 2012 13:38:20 +0000 (15:38 +0200)]

Add a load-tester initiator_match option to match custom initiator_id
Martin Willi [Mon, 1 Oct 2012 13:14:35 +0000 (15:14 +0200)]

Encode non-DN load-tester identities as subjectAltNames
Martin Willi [Mon, 1 Oct 2012 13:13:49 +0000 (15:13 +0200)]