strongswan.git
7 years agoRenamed radius_server to radius_config, as some real RADIUS server functionality...
Martin Willi [Mon, 5 Mar 2012 17:31:30 +0000 (18:31 +0100)]
Renamed radius_server to radius_config, as some real RADIUS server functionality is coming

7 years agoPrefer EAP-Identity to read radattr RADIUS attribute file
Martin Willi [Mon, 5 Mar 2012 16:57:16 +0000 (17:57 +0100)]
Prefer EAP-Identity to read radattr RADIUS attribute file

7 years agoInvoke ike_updown hook on authentication failure not before response sent
Martin Willi [Wed, 29 Feb 2012 09:10:45 +0000 (10:10 +0100)]
Invoke ike_updown hook on authentication failure not before response sent

7 years agoBuild libradius if radattr plugin is enabled
Martin Willi [Mon, 27 Feb 2012 15:39:48 +0000 (16:39 +0100)]
Build libradius if radattr plugin is enabled

7 years agoInject RADIUS attribute in radattr plugin read from an identity specific file
Martin Willi [Mon, 27 Feb 2012 15:33:18 +0000 (16:33 +0100)]
Inject RADIUS attribute in radattr plugin read from an identity specific file

7 years agoAdded a radattr plugin that prints any received RADIUS notify to console
Martin Willi [Mon, 27 Feb 2012 14:41:53 +0000 (15:41 +0100)]
Added a radattr plugin that prints any received RADIUS notify to console

7 years agoMoved generic RADIUS protocol support to a dedicated libradius
Martin Willi [Mon, 27 Feb 2012 14:18:58 +0000 (15:18 +0100)]
Moved generic RADIUS protocol support to a dedicated libradius

7 years agoRemoved libcharon dependencies from generic RADIUS protocol support
Martin Willi [Mon, 27 Feb 2012 13:49:22 +0000 (14:49 +0100)]
Removed libcharon dependencies from generic RADIUS protocol support

7 years agoForward specifcied RADIUS attributes between AAA backend and client
Martin Willi [Fri, 24 Feb 2012 15:41:10 +0000 (16:41 +0100)]
Forward specifcied RADIUS attributes between AAA backend and client

7 years agoDefined a private status notify to transport arbitrary RADIUS attributes
Martin Willi [Fri, 24 Feb 2012 12:37:00 +0000 (13:37 +0100)]
Defined a private status notify to transport arbitrary RADIUS attributes

7 years agoImplemented RADIUS DAE response retransmission
Martin Willi [Wed, 22 Feb 2012 16:01:13 +0000 (17:01 +0100)]
Implemented RADIUS DAE response retransmission

7 years agoBe a little more verbose before starting IKE_SA reauthentication
Martin Willi [Wed, 22 Feb 2012 15:16:15 +0000 (16:16 +0100)]
Be a little more verbose before starting IKE_SA reauthentication

7 years agoProcess RADIUS DAE CoA updates, updating lifetimes
Martin Willi [Wed, 22 Feb 2012 15:10:38 +0000 (16:10 +0100)]
Process RADIUS DAE CoA updates, updating lifetimes

7 years agoSend an AUTH_LIFETIME update after updating the lifetime, but can not reauth actively
Martin Willi [Wed, 22 Feb 2012 15:07:31 +0000 (16:07 +0100)]
Send an AUTH_LIFETIME update after updating the lifetime, but can not reauth actively

7 years agoUse faster ike_sa_id and a delete job to handle RADIUS DAE Delete-Request
Martin Willi [Wed, 22 Feb 2012 14:07:02 +0000 (15:07 +0100)]
Use faster ike_sa_id and a delete job to handle RADIUS DAE Delete-Request

7 years agoRefactored RADIUS DAE IKE_SA lookup
Martin Willi [Wed, 22 Feb 2012 13:56:02 +0000 (14:56 +0100)]
Refactored RADIUS DAE IKE_SA lookup

7 years agoPass RADIUS DAE client address a host_t instead of sockaddr struct
Martin Willi [Wed, 22 Feb 2012 13:44:24 +0000 (14:44 +0100)]
Pass RADIUS DAE client address a host_t instead of sockaddr struct

7 years agoSend RADIUS DAE Disconnect-ACK/NAK on Disconnect-Request
Martin Willi [Wed, 22 Feb 2012 13:23:50 +0000 (14:23 +0100)]
Send RADIUS DAE Disconnect-ACK/NAK on Disconnect-Request

7 years agoSupport signing of RADIUS response messages
Martin Willi [Wed, 22 Feb 2012 13:22:50 +0000 (14:22 +0100)]
Support signing of RADIUS response messages

7 years agoAct on RADIUS DAE Disconnect requests
Martin Willi [Wed, 22 Feb 2012 12:49:06 +0000 (13:49 +0100)]
Act on RADIUS DAE Disconnect requests

7 years agoVerify received RADIUS DAE requests
Martin Willi [Wed, 22 Feb 2012 12:06:58 +0000 (13:06 +0100)]
Verify received RADIUS DAE requests

7 years agoSupport verification of RADIUS request messages
Martin Willi [Wed, 22 Feb 2012 12:06:14 +0000 (13:06 +0100)]
Support verification of RADIUS request messages

7 years agoRename RADIUS message constructors to handle both, requests and responses
Martin Willi [Wed, 22 Feb 2012 11:39:50 +0000 (12:39 +0100)]
Rename RADIUS message constructors to handle both, requests and responses

7 years agoEnable RADIUS DAE listening if configured
Martin Willi [Wed, 22 Feb 2012 09:37:13 +0000 (10:37 +0100)]
Enable RADIUS DAE listening if configured

7 years agoAdded infrastructure to listen to RADIUS Dynamic Authorization Extension requests
Martin Willi [Wed, 22 Feb 2012 09:34:06 +0000 (10:34 +0100)]
Added infrastructure to listen to RADIUS Dynamic Authorization Extension requests

7 years agoAdded Dynamic Authorization Extension RADIUS message codes
Martin Willi [Wed, 22 Feb 2012 09:31:36 +0000 (10:31 +0100)]
Added Dynamic Authorization Extension RADIUS message codes

7 years agoSet IKE_SA lifetime based on RADIUS Session-Timeout attribute
Martin Willi [Tue, 21 Feb 2012 13:06:37 +0000 (14:06 +0100)]
Set IKE_SA lifetime based on RADIUS Session-Timeout attribute

7 years agoSet hard timeouts when setting a lifetime
Martin Willi [Tue, 21 Feb 2012 13:05:57 +0000 (14:05 +0100)]
Set hard timeouts when setting a lifetime

7 years agoFix IKE_SA timeout debug output on 64bit platforms
Martin Willi [Tue, 21 Feb 2012 13:05:11 +0000 (14:05 +0100)]
Fix IKE_SA timeout debug output on 64bit platforms

7 years agomaemo: New upstream release.
Tobias Brunner [Mon, 27 Feb 2012 17:15:51 +0000 (18:15 +0100)]
maemo: New upstream release.

7 years agoAdded support for untruncated MD5 and SHA1 HMACs in ESP as used in RFC 4595.
Tobias Brunner [Mon, 27 Feb 2012 13:31:19 +0000 (14:31 +0100)]
Added support for untruncated MD5 and SHA1 HMACs in ESP as used in RFC 4595.

This requires a Linux kernel >= 2.6.33.

7 years agoEncode IPv6 virtual IPs in a Framed-IPv6-Prefix attribute
Martin Willi [Fri, 24 Feb 2012 10:15:11 +0000 (11:15 +0100)]
Encode IPv6 virtual IPs in a Framed-IPv6-Prefix attribute

7 years agoRefactored construction of RADIUS accounting messages
Martin Willi [Fri, 24 Feb 2012 10:12:18 +0000 (11:12 +0100)]
Refactored construction of RADIUS accounting messages

7 years agoInclude port numbers in Calling-Station-Id, too
Martin Willi [Fri, 24 Feb 2012 09:48:54 +0000 (10:48 +0100)]
Include port numbers in Calling-Station-Id, too

7 years agoUse large enough buffers for IPv6 addresses in Calling-Station-Id
Martin Willi [Fri, 24 Feb 2012 09:13:08 +0000 (10:13 +0100)]
Use large enough buffers for IPv6 addresses in Calling-Station-Id

7 years agoSend client external address as Calling-Station-Id in RADIUS accounting
Martin Willi [Fri, 24 Feb 2012 09:04:31 +0000 (10:04 +0100)]
Send client external address as Calling-Station-Id in RADIUS accounting

7 years agoadded missing x character
Andreas Steffen [Tue, 21 Feb 2012 15:29:35 +0000 (16:29 +0100)]
added missing x character

7 years agohandle case where subject = NULL but keyid is set 4.6.2
Andreas Steffen [Mon, 20 Feb 2012 11:12:31 +0000 (12:12 +0100)]
handle case where subject = NULL but keyid is set

7 years agolibtnccs is required by the eap_tnc plugin
Andreas Steffen [Mon, 20 Feb 2012 08:04:02 +0000 (09:04 +0100)]
libtnccs is required by the eap_tnc plugin

7 years agocharon does not depend on libtncif any more but tnc_tnccs does
Andreas Steffen [Mon, 20 Feb 2012 07:00:48 +0000 (08:00 +0100)]
charon does not depend on libtncif any more but tnc_tnccs does

7 years agobuild libstrongswan if libimcv is built
Andreas Steffen [Thu, 16 Feb 2012 22:28:38 +0000 (23:28 +0100)]
build libstrongswan if libimcv is built

7 years agoversion bump to 4.6.2
Andreas Steffen [Wed, 15 Feb 2012 23:10:36 +0000 (00:10 +0100)]
version bump to 4.6.2

7 years agofixed attest sql query in list_measurements()
Andreas Steffen [Wed, 15 Feb 2012 22:13:05 +0000 (23:13 +0100)]
fixed attest sql query in list_measurements()

7 years agoCompiler warnings fixed.
Tobias Brunner [Tue, 14 Feb 2012 15:09:44 +0000 (16:09 +0100)]
Compiler warnings fixed.

7 years agopluto: Print expiry time more properly.
Tobias Brunner [Tue, 14 Feb 2012 08:34:48 +0000 (09:34 +0100)]
pluto: Print expiry time more properly.

7 years agopluto: Drop support for legacy PSK format.
Tobias Brunner [Wed, 8 Feb 2012 12:36:32 +0000 (13:36 +0100)]
pluto: Drop support for legacy PSK format.

Any line in ipsec.secrets starting with " or ' was treated as PSK
without ID selectors by pluto.  This prevented it from supporting DNs
like "C=CH, O=Linux strongSwan, OU=Sales, CN=alice@strongswan.org" as
ID selectors.

PSKs defined in this legacy format can easily be updated by changing

"thisIsASecret"

into

: PSK "thisIsASecret"

7 years agocompleted imc/imv-attestation settings
Andreas Steffen [Tue, 7 Feb 2012 21:11:51 +0000 (22:11 +0100)]
completed imc/imv-attestation settings

7 years agoadapted debug output check in openssl-ikev2/rw-eap-tls-only scenario
Andreas Steffen [Tue, 7 Feb 2012 19:31:09 +0000 (20:31 +0100)]
adapted debug output check in openssl-ikev2/rw-eap-tls-only scenario

7 years agoDouble check if a cached suite is available, overwrite any old suite state
Martin Willi [Tue, 7 Feb 2012 10:41:56 +0000 (11:41 +0100)]
Double check if a cached suite is available, overwrite any old suite state

7 years agoSome Doxygen fixes.
Tobias Brunner [Tue, 7 Feb 2012 10:20:46 +0000 (11:20 +0100)]
Some Doxygen fixes.

7 years agoFix TLS EAP-MSK derivation, uses different order of randoms than key expansion
Martin Willi [Tue, 7 Feb 2012 09:50:02 +0000 (10:50 +0100)]
Fix TLS EAP-MSK derivation, uses different order of randoms than key expansion

7 years agoFilter TLS suite MAC by HMAC algorithm, as the hash is not necessarily the same
Martin Willi [Tue, 7 Feb 2012 08:37:51 +0000 (09:37 +0100)]
Filter TLS suite MAC by HMAC algorithm, as the hash is not necessarily the same

7 years agoopen RADIUS accounting port in firewall
Andreas Steffen [Mon, 6 Feb 2012 19:45:21 +0000 (20:45 +0100)]
open RADIUS accounting port in firewall

7 years agoadded ikev2/rw-radius-accounting scenario
Andreas Steffen [Mon, 6 Feb 2012 11:52:48 +0000 (12:52 +0100)]
added ikev2/rw-radius-accounting scenario

7 years agoUpdate usage for all children in RADIUS accounting just before sending Stop
Martin Willi [Mon, 6 Feb 2012 09:26:24 +0000 (10:26 +0100)]
Update usage for all children in RADIUS accounting just before sending Stop

7 years agoCheck if ClusterIP directory could be opened before enumerating it
Martin Willi [Fri, 3 Feb 2012 11:55:55 +0000 (12:55 +0100)]
Check if ClusterIP directory could be opened before enumerating it

7 years agoversion bump to 4.6.2rc1
Andreas Steffen [Sun, 5 Feb 2012 21:24:56 +0000 (22:24 +0100)]
version bump to 4.6.2rc1

7 years agoipsec attest adds and deletes key/component pairs
Andreas Steffen [Sun, 5 Feb 2012 21:23:45 +0000 (22:23 +0100)]
ipsec attest adds and deletes key/component pairs

7 years agocheck if TNC client has a valid and registered AIK
Andreas Steffen [Sun, 5 Feb 2012 18:37:58 +0000 (19:37 +0100)]
check if TNC client has a valid and registered AIK

7 years agoreformulated some NEWS entries
Andreas Steffen [Fri, 3 Feb 2012 15:13:34 +0000 (16:13 +0100)]
reformulated some NEWS entries

7 years agoadded openssl-ikev2/ecdsa-pkcs8 scenario
Andreas Steffen [Fri, 3 Feb 2012 10:44:04 +0000 (11:44 +0100)]
added openssl-ikev2/ecdsa-pkcs8 scenario

7 years agoadded ikev2/rw-pkcs8 scenario
Andreas Steffen [Fri, 3 Feb 2012 10:10:13 +0000 (11:10 +0100)]
added ikev2/rw-pkcs8 scenario

7 years agoversion bump to 4.6.2dr4
Andreas Steffen [Thu, 2 Feb 2012 17:26:12 +0000 (18:26 +0100)]
version bump to 4.6.2dr4

7 years agoTrigger DPD not before IKE_SA state gets updated
Martin Willi [Thu, 2 Feb 2012 09:33:40 +0000 (10:33 +0100)]
Trigger DPD not before IKE_SA state gets updated

7 years agoDon't retransmit, rekey, reauth or DPD check SAs when in PASSIVE state
Martin Willi [Tue, 10 Jan 2012 12:32:06 +0000 (13:32 +0100)]
Don't retransmit, rekey, reauth or DPD check SAs when in PASSIVE state

7 years agoMoved and clarified NEWS about PKCS#8 plugin.
Tobias Brunner [Wed, 1 Feb 2012 17:32:28 +0000 (18:32 +0100)]
Moved and clarified NEWS about PKCS#8 plugin.

7 years agoMoved log message for unexpected ASN.1 objects to level 2.
Tobias Brunner [Wed, 1 Feb 2012 17:15:38 +0000 (18:15 +0100)]
Moved log message for unexpected ASN.1 objects to level 2.

This avoids error messages if later builders can successfully decode something.

7 years agoAdded support for PKCS#5 v2 schemes when decrypting PKCS#8 files.
Tobias Brunner [Tue, 31 Jan 2012 17:54:00 +0000 (18:54 +0100)]
Added support for PKCS#5 v2 schemes when decrypting PKCS#8 files.

7 years agoNEWS about pkcs8 plugin added.
Tobias Brunner [Mon, 30 Jan 2012 17:52:47 +0000 (18:52 +0100)]
NEWS about pkcs8 plugin added.

7 years agoAdded support for encrypted PKCS#8 files (for some PKCS#5 v1.5 schemes).
Tobias Brunner [Mon, 30 Jan 2012 17:42:22 +0000 (18:42 +0100)]
Added support for encrypted PKCS#8 files (for some PKCS#5 v1.5 schemes).

7 years agoAdded support to parse PKCS#8 encoded ECDSA private keys.
Tobias Brunner [Wed, 18 Jan 2012 21:33:36 +0000 (22:33 +0100)]
Added support to parse PKCS#8 encoded ECDSA private keys.

7 years agoOpenSSL plugin parses ECDSA private keys with explicitly specified EC parameters.
Tobias Brunner [Wed, 18 Jan 2012 21:29:09 +0000 (22:29 +0100)]
OpenSSL plugin parses ECDSA private keys with explicitly specified EC parameters.

This is needed in case the key itself does not contain the parameters,
which is the case for PKCS#8.

7 years agoAdd builder part for parameters from algorithmIdentifier.
Tobias Brunner [Wed, 18 Jan 2012 21:25:47 +0000 (22:25 +0100)]
Add builder part for parameters from algorithmIdentifier.

7 years agoReturn parsed parameters from algorithmIdentifier if they are an OID (aka EC named...
Tobias Brunner [Wed, 18 Jan 2012 20:28:38 +0000 (21:28 +0100)]
Return parsed parameters from algorithmIdentifier if they are an OID (aka EC named curve).

Explicit EC parameters are not supported with this function, but before this
change no parameters were actually ever returned.

7 years agoParse RSA private keys from PKCS#8 encoded blobs.
Tobias Brunner [Wed, 18 Jan 2012 18:14:56 +0000 (19:14 +0100)]
Parse RSA private keys from PKCS#8 encoded blobs.

7 years agoAdded PKCS#8 stub plugin.
Tobias Brunner [Wed, 18 Jan 2012 18:12:21 +0000 (19:12 +0100)]
Added PKCS#8 stub plugin.

7 years agoAdded an option to load CA certificates without CA basic constraint.
Tobias Brunner [Wed, 1 Feb 2012 13:34:52 +0000 (14:34 +0100)]
Added an option to load CA certificates without CA basic constraint.

Enabling this option treats all certificates in ipsec.d/cacerts and
ipsec.conf ca sections as CA certificates even if they do not contain a
CA basic constraint.

7 years agoAdded TLS session resumption NEWS
Martin Willi [Wed, 1 Feb 2012 11:13:00 +0000 (12:13 +0100)]
Added TLS session resumption NEWS

7 years agoAdded RADIUS accounting NEWS
Martin Willi [Wed, 1 Feb 2012 11:07:32 +0000 (12:07 +0100)]
Added RADIUS accounting NEWS

7 years agoAdded RADIUS accounting option to strongswan.conf manual
Martin Willi [Wed, 1 Feb 2012 10:35:13 +0000 (11:35 +0100)]
Added RADIUS accounting option to strongswan.conf manual

7 years agoSupport RADIUS accounting messages containing Framed-IP and Inbound/Outbound-Octets
Martin Willi [Mon, 30 Jan 2012 18:16:49 +0000 (19:16 +0100)]
Support RADIUS accounting messages containing Framed-IP and Inbound/Outbound-Octets

7 years agoOpen RADIUS accounting sockets to exchange accounting messages
Martin Willi [Mon, 30 Jan 2012 18:15:20 +0000 (19:15 +0100)]
Open RADIUS accounting sockets to exchange accounting messages

7 years agoSupport signing of RADIUS accounting messages
Martin Willi [Mon, 30 Jan 2012 18:13:20 +0000 (19:13 +0100)]
Support signing of RADIUS accounting messages

7 years agoRADIUS message constructor accepts a message code parameter
Martin Willi [Mon, 30 Jan 2012 18:11:08 +0000 (19:11 +0100)]
RADIUS message constructor accepts a message code parameter

7 years agoDisable crypto benchmarking if CLOCK_THREAD_CPUTIME_ID is not available.
Tobias Brunner [Mon, 30 Jan 2012 10:04:55 +0000 (11:04 +0100)]
Disable crypto benchmarking if CLOCK_THREAD_CPUTIME_ID is not available.

8 years agoBuild libstrongswan if libfast gets built
Martin Willi [Tue, 24 Jan 2012 17:23:44 +0000 (18:23 +0100)]
Build libstrongswan if libfast gets built

8 years agoCache list of plugin names to further simplify its usage.
Tobias Brunner [Thu, 19 Jan 2012 11:27:56 +0000 (12:27 +0100)]
Cache list of plugin names to further simplify its usage.

Also helpful for ipsec statusall to avoid having to enumerate plugins.

8 years agoLog list of loaded plugins in main PKI help output.
Tobias Brunner [Thu, 19 Jan 2012 10:56:43 +0000 (11:56 +0100)]
Log list of loaded plugins in main PKI help output.

8 years agoSimplified logging of list of loaded plugins.
Tobias Brunner [Thu, 19 Jan 2012 10:53:06 +0000 (11:53 +0100)]
Simplified logging of list of loaded plugins.

8 years agoFunction added to plugin_loader to get a list of the names of loaded plugins.
Tobias Brunner [Thu, 19 Jan 2012 10:51:51 +0000 (11:51 +0100)]
Function added to plugin_loader to get a list of the names of loaded plugins.

8 years agoUse correct time_t variables to store ARG_TIME options
Martin Willi [Wed, 18 Jan 2012 09:31:45 +0000 (10:31 +0100)]
Use correct time_t variables to store ARG_TIME options

8 years agoDestroy active task list before queued tasks
Thomas Egerer [Mon, 16 Jan 2012 16:41:47 +0000 (17:41 +0100)]
Destroy active task list before queued tasks

Since active task's destruction might result in adopting tasks from a
rekeyed ike sa it seems better to first destroy the active task list and
then destroy all queued tasks. This way adoption is possible at all,
while otherwise the queued task list would be empty.

8 years agoVarious style, typo and whitespace corrections
Adrian-Ken Rueegsegger [Fri, 6 Jan 2012 16:37:59 +0000 (17:37 +0100)]
Various style, typo and whitespace corrections

8 years agoStarter depends on whack/stroke on Android.
Tobias Brunner [Thu, 12 Jan 2012 18:16:18 +0000 (19:16 +0100)]
Starter depends on whack/stroke on Android.

With this change whack and stroke get installed automatically if starter is
enabled.

8 years agoAndroid 4 requires LOCAL_MODULE_TAGS to be set for all modules.
Tobias Brunner [Thu, 12 Jan 2012 18:14:11 +0000 (19:14 +0100)]
Android 4 requires LOCAL_MODULE_TAGS to be set for all modules.

Because all packages are now marked as optional executables that are to
be installed on the final system have to be added to PRODUCT_PACKAGES in
build/target/product/core.mk.  Dependencies (such as libraries) are
installed automatically.

8 years agoFixed additional typos in comments and log messages.
Tobias Brunner [Thu, 12 Jan 2012 10:41:34 +0000 (11:41 +0100)]
Fixed additional typos in comments and log messages.

8 years agoFix whitespaces
Adrian-Ken Rueegsegger [Thu, 5 Jan 2012 17:52:36 +0000 (18:52 +0100)]
Fix whitespaces

8 years agoSome documentation corrections
Adrian-Ken Rueegsegger [Wed, 4 Jan 2012 10:11:47 +0000 (11:11 +0100)]
Some documentation corrections

8 years agoFix gettid() on Android, which is defined in unistd.h there.
Tobias Brunner [Thu, 12 Jan 2012 10:08:22 +0000 (11:08 +0100)]
Fix gettid() on Android, which is defined in unistd.h there.

8 years agoUse native gettid() if available (which is the case on Android).
Tobias Brunner [Tue, 10 Jan 2012 17:31:33 +0000 (18:31 +0100)]
Use native gettid() if available (which is the case on Android).