strongswan.git
8 years agoImplemented Traffic Flow Confidentiality padding in kernel_interface
Martin Willi [Tue, 30 Nov 2010 16:17:30 +0000 (16:17 +0000)]
Implemented Traffic Flow Confidentiality padding in kernel_interface

8 years agoversion bump to 4.5.1dr4
Andreas Steffen [Sun, 19 Dec 2010 08:46:59 +0000 (09:46 +0100)]
version bump to 4.5.1dr4

8 years agocast enumerated algorithm type as int
Andreas Steffen [Sat, 18 Dec 2010 19:24:53 +0000 (20:24 +0100)]
cast enumerated algorithm type as int

8 years agoupdated NEWS with new ipsec listalgs feature
Andreas Steffen [Sat, 18 Dec 2010 15:44:29 +0000 (16:44 +0100)]
updated NEWS with new ipsec listalgs feature

8 years agotrace back crypto algorithms to the plugins that registered them
Andreas Steffen [Sat, 18 Dec 2010 15:31:01 +0000 (16:31 +0100)]
trace back crypto algorithms to the plugins that registered them

8 years agoAdded news about changes regarding strongswan.conf.
Tobias Brunner [Fri, 17 Dec 2010 16:32:14 +0000 (17:32 +0100)]
Added news about changes regarding strongswan.conf.

8 years agoMoved "Reading values" section, typo fixed.
Tobias Brunner [Fri, 17 Dec 2010 16:31:42 +0000 (17:31 +0100)]
Moved "Reading values" section, typo fixed.

8 years agoversion bump to 4.5.1dr3
Andreas Steffen [Wed, 15 Dec 2010 07:56:32 +0000 (08:56 +0100)]
version bump to 4.5.1dr3

8 years agoInstall selectors on transport mode IPsec SAs.
Jiri Bohac [Mon, 13 Dec 2010 14:28:40 +0000 (15:28 +0100)]
Install selectors on transport mode IPsec SAs.

This fixes several test cases in IKEv2_Self_Test (part of the IPv6 Ready
Logo Program) which is required for USGv6 certification, namely:

  - IKEv2.EN.I.1.1.7.1, IKEv2.EN.I.1.1.7.1: Narrowing the range of members
    of the set of traffic selectors
  - IKEv2.EN.R.1.1.7.3: Narrowing multiple traffic selector

When traffic selectors of a triggered SA are narrowed by the responder, the
installed policy and the broader trap policy share the same reqid.  Without
selectors on the IPsec SA packets matching the trap policy, but not the
narrowed policy, would incorrectly be handled by that IPsec SA.  Since only
one selector can be specified per IPsec SA, there is currently no solution
for tunnel mode SAs.

8 years agoincrease sleep time in mediation scenarios
Andreas Steffen [Sun, 12 Dec 2010 20:54:44 +0000 (21:54 +0100)]
increase sleep time in mediation scenarios

8 years agofixed bug in mem_cred.c:add_crl()
Andreas Steffen [Sun, 12 Dec 2010 20:34:27 +0000 (21:34 +0100)]
fixed bug in mem_cred.c:add_crl()

8 years agoreverted Connection ID to capital letters
Andreas Steffen [Sun, 12 Dec 2010 11:55:14 +0000 (12:55 +0100)]
reverted Connection ID to capital letters

8 years agofixed a bug in enum_from_name() function
Andreas Steffen [Sun, 12 Dec 2010 11:54:36 +0000 (12:54 +0100)]
fixed a bug in enum_from_name() function

8 years agoreorganized ikev2/rw-eap-tnc scenarios
Andreas Steffen [Sun, 12 Dec 2010 11:51:14 +0000 (12:51 +0100)]
reorganized ikev2/rw-eap-tnc scenarios

8 years agoadded the ikev2/rw-eap-tnc-20 scenario
Andreas Steffen [Sun, 12 Dec 2010 09:47:16 +0000 (10:47 +0100)]
added the ikev2/rw-eap-tnc-20 scenario

8 years agoNEWS for the 4.5.1dr2 release
Andreas Steffen [Sun, 12 Dec 2010 09:46:43 +0000 (10:46 +0100)]
NEWS for the 4.5.1dr2 release

8 years agosome more cosmetics
Andreas Steffen [Sun, 12 Dec 2010 09:19:54 +0000 (10:19 +0100)]
some more cosmetics

8 years agofinal cosmetics in PB-TNC debug output
Andreas Steffen [Sun, 12 Dec 2010 09:17:43 +0000 (10:17 +0100)]
final cosmetics in PB-TNC debug output

8 years agoimplemented PB-TNC message parsing checks
Andreas Steffen [Sat, 11 Dec 2010 23:42:31 +0000 (00:42 +0100)]
implemented PB-TNC message parsing checks

8 years agosome code optimizations
Andreas Steffen [Fri, 10 Dec 2010 23:52:53 +0000 (00:52 +0100)]
some code optimizations

8 years agosupport handshake retry requests
Andreas Steffen [Fri, 10 Dec 2010 22:41:12 +0000 (23:41 +0100)]
support handshake retry requests

8 years agothe PB-TNC protocol is working
Andreas Steffen [Fri, 10 Dec 2010 22:21:13 +0000 (23:21 +0100)]
the PB-TNC protocol is working

8 years agorefactored message handling
Andreas Steffen [Fri, 10 Dec 2010 16:09:21 +0000 (17:09 +0100)]
refactored message handling

8 years agodo not accept results and recommendation messages from clients
Andreas Steffen [Fri, 10 Dec 2010 16:04:11 +0000 (17:04 +0100)]
do not accept results and recommendation messages from clients

8 years agodefined some additional Private Enterprise Numbers
Andreas Steffen [Fri, 10 Dec 2010 13:58:33 +0000 (14:58 +0100)]
defined some additional Private Enterprise Numbers

8 years agodefine pb_tnc_state_machine_t object
Andreas Steffen [Fri, 10 Dec 2010 13:56:40 +0000 (14:56 +0100)]
define pb_tnc_state_machine_t object

8 years agodebug cosmetics
Andreas Steffen [Fri, 10 Dec 2010 10:54:51 +0000 (11:54 +0100)]
debug cosmetics

8 years agoRenamed purgex509/crl to purgecerts/crls to be consistent with list commands
Martin Willi [Fri, 10 Dec 2010 10:16:39 +0000 (11:16 +0100)]
Renamed purgex509/crl to purgecerts/crls to be consistent with list commands

8 years agoimplemented handling of received PB-TNC messages
Andreas Steffen [Fri, 10 Dec 2010 10:16:08 +0000 (11:16 +0100)]
implemented handling of received PB-TNC messages

8 years agoAdded options to flush CRLs/X509 certs from the cert cache
Martin Willi [Thu, 9 Dec 2010 09:06:25 +0000 (10:06 +0100)]
Added options to flush CRLs/X509 certs from the cert cache

8 years agorefactored PB-TNC state machine in receive direction
Andreas Steffen [Thu, 9 Dec 2010 22:38:38 +0000 (23:38 +0100)]
refactored PB-TNC state machine in receive direction

8 years agorefactored PB-TNC state machine in send direction
Andreas Steffen [Thu, 9 Dec 2010 22:18:55 +0000 (23:18 +0100)]
refactored PB-TNC state machine in send direction

8 years agopb_tnc_batch_t class implements parsing and building of PB-TNC batches
Andreas Steffen [Thu, 9 Dec 2010 20:33:12 +0000 (21:33 +0100)]
pb_tnc_batch_t class implements parsing and building of PB-TNC batches

8 years agofixed memory corruption
Andreas Steffen [Wed, 8 Dec 2010 11:12:15 +0000 (12:12 +0100)]
fixed memory corruption

8 years agoNever register IKE_SA during checkout_new, as rekeying keeps it checked out
Martin Willi [Tue, 7 Dec 2010 10:41:41 +0000 (11:41 +0100)]
Never register IKE_SA during checkout_new, as rekeying keeps it checked out

8 years agoInclude the destination net in the policy priority calculation.
Tobias Brunner [Tue, 7 Dec 2010 10:58:09 +0000 (11:58 +0100)]
Include the destination net in the policy priority calculation.

The resulting priorities are as follows:

    IPv6               IPv4
    routed   normal    routed   normal
max 4096(+3) 2048(+3)  4096(+3) 2048(+3)
min 3072     1024      3840     1792

Where min is for a policy between two single hosts and max is
for /0 on both ends (lower priorities are preferred by the kernel).
(+3) applies for cases where no protocol and no ports are defined.

8 years agoadded newline
Andreas Steffen [Tue, 7 Dec 2010 08:02:55 +0000 (09:02 +0100)]
added newline

8 years agore-introduced comment
Andreas Steffen [Tue, 7 Dec 2010 08:01:28 +0000 (09:01 +0100)]
re-introduced comment

8 years agoMigrated stroke_control_t to INIT/METHOD macros
Andreas Steffen [Tue, 7 Dec 2010 07:58:57 +0000 (08:58 +0100)]
Migrated stroke_control_t to INIT/METHOD macros

8 years agoMigrated stroke_plugin_t to INIT/METHOD macros
Andreas Steffen [Tue, 7 Dec 2010 07:01:45 +0000 (08:01 +0100)]
Migrated stroke_plugin_t to INIT/METHOD macros

8 years agoGuarantee entry->other is set when calling put_connected_peers
Thomas Egerer [Fri, 3 Dec 2010 08:23:06 +0000 (09:23 +0100)]
Guarantee entry->other is set when calling put_connected_peers

Given the original intent of entry->host, the check for DoS attacks, it
can happen that this value remains NULL when an entry is created. This
is particularly awkward if put_connected_peers is called to check if a
connection to a given peer already exists, since it takes the address
family into consideration (git commit b74219d0) which is gleaned from
entry->host.
This patch guarantees that entry->other is a clone of host before
put_connected_peers is called.

8 years agoadded sql/multi-level-ca scenario
Andreas Steffen [Sun, 5 Dec 2010 20:53:43 +0000 (21:53 +0100)]
added sql/multi-level-ca scenario

8 years agostupid typo
Andreas Steffen [Sun, 5 Dec 2010 14:48:22 +0000 (15:48 +0100)]
stupid typo

8 years agocosmetics
Andreas Steffen [Sun, 5 Dec 2010 14:23:18 +0000 (15:23 +0100)]
cosmetics

8 years agocosmetics
Andreas Steffen [Sun, 5 Dec 2010 14:16:15 +0000 (15:16 +0100)]
cosmetics

8 years agoadded parsing checks
Andreas Steffen [Sun, 5 Dec 2010 14:01:01 +0000 (15:01 +0100)]
added parsing checks

8 years agooutput TLS-independent error messages
Andreas Steffen [Sun, 5 Dec 2010 13:55:18 +0000 (14:55 +0100)]
output TLS-independent error messages

8 years agoadded certificate_authorities and certificate_distribution_points tables
Andreas Steffen [Sun, 5 Dec 2010 10:30:06 +0000 (11:30 +0100)]
added certificate_authorities and certificate_distribution_points tables

8 years agosupport of reqid field in SQL database
Andreas Steffen [Sun, 5 Dec 2010 10:21:40 +0000 (11:21 +0100)]
support of reqid field in SQL database

8 years agofixed pb_reason_string_message_t class
Andreas Steffen [Sun, 5 Dec 2010 10:20:18 +0000 (11:20 +0100)]
fixed pb_reason_string_message_t class

8 years agoMigrated fips_prf plugin to INIT/METHOD macros
Andreas Steffen [Sat, 4 Dec 2010 19:56:21 +0000 (20:56 +0100)]
Migrated fips_prf plugin to INIT/METHOD macros

8 years agoMigrated md4_plugin_t to INIT/METHOD macros
Andreas Steffen [Sat, 4 Dec 2010 19:45:49 +0000 (20:45 +0100)]
Migrated md4_plugin_t to INIT/METHOD macros

8 years agoMigrated md5_plugin_t to INIT/METHOD macros
Andreas Steffen [Sat, 4 Dec 2010 19:43:41 +0000 (20:43 +0100)]
Migrated md5_plugin_t to INIT/METHOD macros

8 years agoMigrated ldap plugin to INIT/METHOD macros
Andreas Steffen [Sat, 4 Dec 2010 19:15:59 +0000 (20:15 +0100)]
Migrated ldap plugin to INIT/METHOD macros

8 years agoMigrated pubkey_plugin_t to INIT/METHOD macros
Andreas Steffen [Sat, 4 Dec 2010 14:43:04 +0000 (15:43 +0100)]
Migrated pubkey_plugin_t to INIT/METHOD macros

8 years agoMigrated pkcs1_plugin_t to INIT/METHOD macros
Andreas Steffen [Sat, 4 Dec 2010 10:43:06 +0000 (11:43 +0100)]
Migrated pkcs1_plugin_t to INIT/METHOD macros

8 years agoMigrated curl_plugin_t to INIT/METHOD macros
Andreas Steffen [Sat, 4 Dec 2010 10:40:40 +0000 (11:40 +0100)]
Migrated curl_plugin_t to INIT/METHOD macros

8 years agoMigrated random plugin to INIT/METHOD macros
Andreas Steffen [Sat, 4 Dec 2010 10:37:03 +0000 (11:37 +0100)]
Migrated random plugin to INIT/METHOD macros

8 years agoMigrated sha1_plugin_t to INIT/METHOD macros
Andreas Steffen [Sat, 4 Dec 2010 10:26:02 +0000 (11:26 +0100)]
Migrated sha1_plugin_t to INIT/METHOD macros

8 years agoMigrated sha2_plugin_t to INIT/METHOD macros
Andreas Steffen [Sat, 4 Dec 2010 09:48:42 +0000 (10:48 +0100)]
Migrated sha2_plugin_t to INIT/METHOD macros

8 years agoMigrated mysql plugin to INIT/METHOD macros
Andreas Steffen [Sat, 4 Dec 2010 09:38:35 +0000 (10:38 +0100)]
Migrated mysql plugin to INIT/METHOD macros

8 years agouse private destroy() function
Andreas Steffen [Sat, 4 Dec 2010 09:28:30 +0000 (10:28 +0100)]
use private destroy() function

8 years agoMigrated sqlite plugin to INIT/METHOD macros
Andreas Steffen [Sat, 4 Dec 2010 09:20:33 +0000 (10:20 +0100)]
Migrated sqlite plugin to INIT/METHOD macros

8 years agoMigrated test_vectors_plugin_t to INIT/METHOD macros
Andreas Steffen [Sat, 4 Dec 2010 09:10:37 +0000 (10:10 +0100)]
Migrated test_vectors_plugin_t to INIT/METHOD macros

8 years agoMigrated x509_plugin_t to INIT/METHOD macros
Andreas Steffen [Sat, 4 Dec 2010 09:07:56 +0000 (10:07 +0100)]
Migrated x509_plugin_t to INIT/METHOD macros

8 years agoMigrated pgp_plugin_t to INIT/METHOD macros
Andreas Steffen [Sat, 4 Dec 2010 08:30:25 +0000 (09:30 +0100)]
Migrated pgp_plugin_t to INIT/METHOD macros

8 years agoMigrated pem_plugin_t to INIT/METHOD macros
Andreas Steffen [Sat, 4 Dec 2010 08:25:22 +0000 (09:25 +0100)]
Migrated pem_plugin_t to INIT/METHOD macros

8 years agoMigrated dnskey_plugin_t to INIT/METHOD macros
Andreas Steffen [Sat, 4 Dec 2010 08:20:53 +0000 (09:20 +0100)]
Migrated dnskey_plugin_t to INIT/METHOD macros

8 years agoMigrated options_t to INIT/METHOD macros
Andreas Steffen [Sat, 4 Dec 2010 07:21:21 +0000 (08:21 +0100)]
Migrated options_t to INIT/METHOD macros

8 years agoCDP enumerator added to SQL plugin.
Tobias Brunner [Tue, 30 Nov 2010 17:44:55 +0000 (18:44 +0100)]
CDP enumerator added to SQL plugin.

8 years agoTables added for CAs and CDPs.
Tobias Brunner [Tue, 30 Nov 2010 17:43:50 +0000 (18:43 +0100)]
Tables added for CAs and CDPs.

8 years agoMigrated sql_cred_t to INIT/METHOD macros.
Tobias Brunner [Tue, 30 Nov 2010 15:12:08 +0000 (16:12 +0100)]
Migrated sql_cred_t to INIT/METHOD macros.

8 years agoInsert certificates and secrets at the front of the lists.
Tobias Brunner [Mon, 22 Nov 2010 12:31:07 +0000 (13:31 +0100)]
Insert certificates and secrets at the front of the lists.

As the lookup is also from front to back, certificates added later are
now found first, which is useful in case of e.g. "reread cacerts".

8 years agoRefactored stroke_cred_t to use mem_cred_t.
Tobias Brunner [Fri, 19 Nov 2010 16:37:11 +0000 (17:37 +0100)]
Refactored stroke_cred_t to use mem_cred_t.

8 years agoFunction add_crl added to mem_cred_t.
Tobias Brunner [Fri, 19 Nov 2010 16:28:46 +0000 (17:28 +0100)]
Function add_crl added to mem_cred_t.

8 years agoFunction added to clear secrets (but not certs) from mem_cred_t.
Tobias Brunner [Fri, 19 Nov 2010 16:28:12 +0000 (17:28 +0100)]
Function added to clear secrets (but not certs) from mem_cred_t.

8 years agoAlternative to mem_cred_t.add_cert added, which returns the certificate.
Tobias Brunner [Fri, 19 Nov 2010 16:26:33 +0000 (17:26 +0100)]
Alternative to mem_cred_t.add_cert added, which returns the certificate.

If the certificate is already cached, the cached version is returned.

8 years agoFunction added to mem_cred_t to add shared secret with a linked list of owners.
Tobias Brunner [Fri, 19 Nov 2010 16:21:00 +0000 (17:21 +0100)]
Function added to mem_cred_t to add shared secret with a linked list of owners.

8 years agoAdded functions to modify/create settings in settings_t.
Tobias Brunner [Thu, 18 Nov 2010 12:59:29 +0000 (13:59 +0100)]
Added functions to modify/create settings in settings_t.

8 years agoAdded an option to create non-existing key/value pairs during search.
Tobias Brunner [Thu, 18 Nov 2010 12:55:44 +0000 (13:55 +0100)]
Added an option to create non-existing key/value pairs during search.

8 years agoCompare shorter "boolean" values first.
Tobias Brunner [Thu, 18 Nov 2010 12:47:43 +0000 (13:47 +0100)]
Compare shorter "boolean" values first.

8 years agoHelper functions added to easily convert enumerated values.
Tobias Brunner [Mon, 15 Nov 2010 12:07:10 +0000 (13:07 +0100)]
Helper functions added to easily convert enumerated values.

8 years agoEnsure that sections exist when using load_files_section.
Tobias Brunner [Fri, 12 Nov 2010 16:35:04 +0000 (17:35 +0100)]
Ensure that sections exist when using load_files_section.

8 years agoSkip values and sections without key.
Tobias Brunner [Fri, 12 Nov 2010 14:34:33 +0000 (15:34 +0100)]
Skip values and sections without key.

8 years agoSome refactorings in lookup code in settings_t.
Tobias Brunner [Fri, 12 Nov 2010 13:29:09 +0000 (14:29 +0100)]
Some refactorings in lookup code in settings_t.

8 years agoAdded documentation about new features of settings_t.
Tobias Brunner [Fri, 12 Nov 2010 12:51:28 +0000 (13:51 +0100)]
Added documentation about new features of settings_t.

8 years agoMade settings_t thread-safe.
Tobias Brunner [Fri, 12 Nov 2010 10:55:21 +0000 (11:55 +0100)]
Made settings_t thread-safe.

8 years agoAdded functions to settings_t to load files dynamically at runtime.
Tobias Brunner [Fri, 12 Nov 2010 10:20:29 +0000 (11:20 +0100)]
Added functions to settings_t to load files dynamically at runtime.

8 years agoAllow inclusion of other files in strongswan.conf.
Tobias Brunner [Thu, 11 Nov 2010 15:43:09 +0000 (16:43 +0100)]
Allow inclusion of other files in strongswan.conf.

8 years agoLoading of strongswan.conf refactored to a separate function.
Tobias Brunner [Thu, 11 Nov 2010 15:15:38 +0000 (16:15 +0100)]
Loading of strongswan.conf refactored to a separate function.

8 years agoAllow to replace/extend previously defined values/sections in strongswan.conf.
Tobias Brunner [Thu, 11 Nov 2010 15:02:30 +0000 (16:02 +0100)]
Allow to replace/extend previously defined values/sections in strongswan.conf.

8 years agoDon't create a section in parse_section.
Tobias Brunner [Thu, 11 Nov 2010 14:21:25 +0000 (15:21 +0100)]
Don't create a section in parse_section.

Just add subsections and values to the passed section.

8 years agoRemoved unused static variable "lev".
Tobias Brunner [Thu, 11 Nov 2010 12:04:25 +0000 (13:04 +0100)]
Removed unused static variable "lev".

8 years agoAvoid calling globfree twice on failure.
Tobias Brunner [Thu, 11 Nov 2010 11:52:48 +0000 (12:52 +0100)]
Avoid calling globfree twice on failure.

8 years agoremoved superfluous whitespace
Andreas Steffen [Fri, 3 Dec 2010 10:26:13 +0000 (11:26 +0100)]
removed superfluous whitespace

8 years agoPB-TNC messages implemented
Sansar Choinyambuu [Fri, 3 Dec 2010 09:22:51 +0000 (10:22 +0100)]
PB-TNC messages implemented

8 years agoMigrated asn1_parser_t to INIT/METHOD macros
Andreas Steffen [Thu, 2 Dec 2010 21:12:02 +0000 (22:12 +0100)]
Migrated asn1_parser_t to INIT/METHOD macros

8 years agoMigrated settings_t to INIT/METHOD macros
Andreas Steffen [Thu, 2 Dec 2010 05:25:59 +0000 (06:25 +0100)]
Migrated settings_t to INIT/METHOD macros

8 years agoMigrated printf_hook_t to INIT/METHOD macros
Andreas Steffen [Thu, 2 Dec 2010 05:17:24 +0000 (06:17 +0100)]
Migrated printf_hook_t to INIT/METHOD macros

8 years agoMigrated integrity_checker_t to INIT/METHOD macros
Andreas Steffen [Thu, 2 Dec 2010 05:10:50 +0000 (06:10 +0100)]
Migrated integrity_checker_t to INIT/METHOD macros