strongswan.git
Set BUILDDIR to $TESTDIR/build
Reto Buerki [Fri, 7 Dec 2012 13:22:23 +0000 (14:22 +0100)]

Drop unneeded UMLKERNEL variable
Reto Buerki [Fri, 7 Dec 2012 13:21:18 +0000 (14:21 +0100)]

Rename UMLTESTDIR variable to TESTDIR
Reto Buerki [Fri, 7 Dec 2012 13:19:11 +0000 (14:19 +0100)]

Drop cecho functions
Reto Buerki [Fri, 7 Dec 2012 11:33:31 +0000 (12:33 +0100)]

Use log_action function in do-tests script
Reto Buerki [Fri, 7 Dec 2012 11:31:11 +0000 (12:31 +0100)]

Remove executable bit from testing.conf
Reto Buerki [Fri, 7 Dec 2012 11:00:35 +0000 (12:00 +0100)]

Use qemu/KVM virtualization instead of UML
Reto Buerki [Fri, 7 Dec 2012 10:48:48 +0000 (11:48 +0100)]

Guest and network configuration is set up using the libvirt
virtualization API. The [start|stop]_testing scripts have been updated
accordingly.

qemu/KVM does not currently support a hostfs, so the shared build tree
mount has been dropped for now.

Rename build-umlkernel script to build-guestkernel
Reto Buerki [Fri, 7 Dec 2012 10:33:27 +0000 (11:33 +0100)]

Move ROOTFSDIR declaration to testing.conf
Reto Buerki [Fri, 7 Dec 2012 08:41:38 +0000 (09:41 +0100)]

Prefix all recipes with a number
Reto Buerki [Thu, 6 Dec 2012 18:43:20 +0000 (19:43 +0100)]

Use do_on_exit() in build scripts for cleanup
Reto Buerki [Thu, 6 Dec 2012 18:26:48 +0000 (19:26 +0100)]

Provide do_on_exit() function
Reto Buerki [Thu, 6 Dec 2012 18:17:30 +0000 (19:17 +0100)]

This function allows registering an exit action which executes when the
calling script terminates.

Import testing.conf file in function.sh
Reto Buerki [Thu, 6 Dec 2012 18:03:45 +0000 (19:03 +0100)]

This is needed to have access to $LOGFILE and possibly other config
settings.

Drop build-hostconfig script
Reto Buerki [Thu, 6 Dec 2012 17:26:39 +0000 (18:26 +0100)]

Use processed host configurations directly instead.

Update build-umlhostfs script to new log format
Reto Buerki [Thu, 6 Dec 2012 16:42:51 +0000 (17:42 +0100)]

Update build-umlrootfs script to new log format
Reto Buerki [Thu, 6 Dec 2012 16:32:44 +0000 (17:32 +0100)]

Update build-umlkernel script to new log format
Reto Buerki [Thu, 6 Dec 2012 16:02:38 +0000 (17:02 +0100)]

Use red color in die() function
Reto Buerki [Thu, 6 Dec 2012 16:00:15 +0000 (17:00 +0100)]

This is the function where red color SHOULD be used.

Move execute wrappers to function.sh file
Reto Buerki [Thu, 6 Dec 2012 15:58:37 +0000 (16:58 +0100)]

Use log_action, log_status in build-baseimage script
Reto Buerki [Thu, 6 Dec 2012 15:25:13 +0000 (16:25 +0100)]

Provide log_action and log_status functions
Reto Buerki [Thu, 6 Dec 2012 14:48:14 +0000 (15:48 +0100)]

These two functions are used to log action descriptions and the
corresponding command exit status in a consistent way.

Add chroot() helper function
Reto Buerki [Thu, 6 Dec 2012 13:39:51 +0000 (14:39 +0100)]

Use execute wrapper to disable root password
Reto Buerki [Thu, 6 Dec 2012 10:54:27 +0000 (11:54 +0100)]

Simplify test starting and stopping logic
Reto Buerki [Thu, 6 Dec 2012 10:27:06 +0000 (11:27 +0100)]

Reduce the coupling of the different scripts.

make-testing  : Build the testing environment
start-testing : Start switches and guests
do-tests      : Run tests
stop-testing  : Stop switches and guests

Use key(and password-)less SSH authentication
Tobias Brunner [Wed, 5 Dec 2012 17:53:20 +0000 (18:53 +0100)]

Adjust strongSwan version handling in HTML output
Reto Buerki [Tue, 4 Dec 2012 17:46:21 +0000 (18:46 +0100)]

Patch AVP parsing in EAP-TTLS module in FreeRADIUS
Tobias Brunner [Tue, 4 Dec 2012 17:43:30 +0000 (18:43 +0100)]

Add recipes for libtnc and TNC@FHH
Tobias Brunner [Tue, 4 Dec 2012 17:39:00 +0000 (18:39 +0100)]

Copy and display host specific tcpdump.log files
Tobias Brunner [Wed, 28 Nov 2012 15:19:48 +0000 (16:19 +0100)]

Drop SHAREDTREE in favor of mounting the compile dir
Tobias Brunner [Wed, 28 Nov 2012 15:10:22 +0000 (16:10 +0100)]

Patch EAP-SIM module in FreeRADIUS
Tobias Brunner [Wed, 28 Nov 2012 15:07:42 +0000 (16:07 +0100)]

Don't generate do-tests
Tobias Brunner [Wed, 28 Nov 2012 15:03:52 +0000 (16:03 +0100)]

Adapt test configurations
Reto Buerki [Mon, 19 Nov 2012 16:30:58 +0000 (17:30 +0100)]

Adapt test configurations to the new Debian-based system.

Reseed rdrand after every 128-bit sample only
Martin Willi [Tue, 15 Jan 2013 12:27:35 +0000 (13:27 +0100)]

version bump to 5.0.2rc1
Andreas Steffen [Tue, 15 Jan 2013 01:41:22 +0000 (02:41 +0100)]

android: Properly escape apostrophes in Ukrainian translation (tag: 5.0.2dr4)
Tobias Brunner [Mon, 14 Jan 2013 16:23:52 +0000 (17:23 +0100)]

android: Implement kernel_net_t.get_interface via JNI
Tobias Brunner [Mon, 14 Jan 2013 16:21:54 +0000 (17:21 +0100)]

This is now required to properly accept/install a virtual IP address.

Fixes #275.

android: Moved chunk_from_byte_array and byte_array_from_chunk helper functions
Tobias Brunner [Mon, 14 Jan 2013 16:18:35 +0000 (17:18 +0100)]

android: Set OPENSSL_NO_CMS in Android.mk as it is not set in opensslconf.h on Android
Tobias Brunner [Mon, 14 Jan 2013 16:16:18 +0000 (17:16 +0100)]

Properly send IKEv1 packets if no ike_cfg is known yet
Tobias Brunner [Mon, 14 Jan 2013 11:11:24 +0000 (12:11 +0100)]

This applies to error notifies.

Don't handle right=%any6 as "loose" identity, but as %any
Martin Willi [Mon, 14 Jan 2013 09:33:14 +0000 (10:33 +0100)]

Respect given address family when resolving "%any"
Martin Willi [Mon, 14 Jan 2013 09:26:12 +0000 (10:26 +0100)]

Android.mk of libstrongswan updated
Tobias Brunner [Mon, 14 Jan 2013 08:16:33 +0000 (09:16 +0100)]

Merge branch 'ikev1-fragmentation'
Tobias Brunner [Sat, 12 Jan 2013 10:58:26 +0000 (11:58 +0100)]

This adds support for the proprietary IKEv1 fragmentation extension.

Conflicts:
NEWS

NEWS for fragmentation extension added
Tobias Brunner [Sat, 12 Jan 2013 10:51:35 +0000 (11:51 +0100)]

Conflicts:
NEWS

Added an option to configure the maximum size of a fragment
Tobias Brunner [Sat, 12 Jan 2013 10:48:32 +0000 (11:48 +0100)]

Properly detect fragmentation capabilities
Tobias Brunner [Sat, 12 Jan 2013 10:39:03 +0000 (11:39 +0100)]

Cisco sends 0xc0000000 so we check that part of the VID separately.

Added an option that allows forcing IKEv1 fragmentation
Tobias Brunner [Mon, 24 Dec 2012 11:59:30 +0000 (12:59 +0100)]

Don't use bio_writer_t.skip() to write length field when appending more data
Martin Willi [Fri, 11 Jan 2013 13:45:32 +0000 (14:45 +0100)]

If the writer reallocates its buffer, the length pointer might not be valid
anymore, or even worse, point to an arbitrary allocation.

Add rdrand NEWS
Martin Willi [Fri, 11 Jan 2013 09:48:57 +0000 (10:48 +0100)]

Use raw opcodes for rdrand to build with older binutils
Martin Willi [Fri, 4 Jan 2013 15:34:56 +0000 (16:34 +0100)]

Provide RNG_TRUE quality in rdrand by mixing reseeded outputs using AES
Martin Willi [Fri, 4 Jan 2013 16:34:07 +0000 (17:34 +0100)]

Provide RNG_STRONG quality in rdrand by forcing PRNG reseed after every sample
Martin Willi [Fri, 4 Jan 2013 15:07:31 +0000 (16:07 +0100)]

Provide RNG_WEAK quality random generator in rdrand
Martin Willi [Fri, 4 Jan 2013 14:33:10 +0000 (15:33 +0100)]

Add a rdrand plugin stub detecting availability of RDRAND instructions
Martin Willi [Fri, 4 Jan 2013 13:33:45 +0000 (14:33 +0100)]

Add NEWS about improved Windows IKEv1 compatibility
Martin Willi [Fri, 11 Jan 2013 09:31:25 +0000 (10:31 +0100)]

Streamline debug output when receiving intermediate CA certificates in IKEv1
Martin Willi [Fri, 11 Jan 2013 09:24:23 +0000 (10:24 +0100)]

Refactored IKEv2 cert/certreq payload processing to multiple functions
Martin Willi [Fri, 11 Jan 2013 09:20:06 +0000 (10:20 +0100)]

Refactored IKEv1 cert payload processing to multiple functions
Martin Willi [Fri, 11 Jan 2013 09:19:12 +0000 (10:19 +0100)]

IKEv1 support for PKCS#7 wrapped certificates
Volker Rümelin [Thu, 10 Jan 2013 20:27:20 +0000 (21:27 +0100)]

Fixed some typos in comments
Volker Rümelin [Thu, 10 Jan 2013 20:24:37 +0000 (21:24 +0100)]

Fixed some typos in Ukrainian translation
Pavel Kopchyk [Wed, 9 Jan 2013 04:30:55 +0000 (05:30 +0100)]

conftest: Add support for time_format and ike_name options in log sections
Thomas Klute [Fri, 4 Jan 2013 12:47:15 +0000 (13:47 +0100)]

Both options are well supported for normal operation but were completely
ignored by conftest, which used hard coded defaults. File options are
still missing but could be added in a similar way.

conftest: Fix log level settings for stdout
Thomas Klute [Thu, 3 Jan 2013 15:03:44 +0000 (16:03 +0100)]

This patch fixes bug #272 ("conftest ignores log settings for stdout").
http://wiki.strongswan.org/issues/272

According to the documentation of add_logger in src/libcharon/bus/bus.h,
the relevant log levels of a logger are registered with the logging
subsystem when adding the logger. If the log levels change later, the
logger must be re-added to propagate the new settings. In conftest.c,
the stdout logger is initialized and added before reading the logging
settings, but wasn't re-added after reading the settings.

conftest: Make outgoing sequence number set by reset_seq configurable
Thomas Klute [Wed, 19 Dec 2012 13:14:55 +0000 (14:14 +0100)]

This is useful for certain test cases. Passing the sequence number to
the callback requires a new struct that contains both the number and the
xfrm_usersa_id. The new configuration parameter is called oseq in
accordance with the kernel name, see the comment in the reset_cb
callback function for details.

Include opensslconf.h before checking its defines
Martin Willi [Thu, 3 Jan 2013 10:12:05 +0000 (11:12 +0100)]

Don't build OpenSSL PKCS#7 code if OPENSSL_NO_CMS defined
Martin Willi [Thu, 3 Jan 2013 10:05:49 +0000 (11:05 +0100)]

make pacman.sh run under cron
Andreas Steffen [Wed, 26 Dec 2012 08:28:17 +0000 (09:28 +0100)]

Use a connection specific option to en-/disable IKEv1 fragmentation
Tobias Brunner [Mon, 24 Dec 2012 11:28:01 +0000 (12:28 +0100)]

Include source port in init hash for fragmented messages
Tobias Brunner [Fri, 21 Dec 2012 17:40:23 +0000 (18:40 +0100)]

Add an option to en-/disable IKE fragmentation
Tobias Brunner [Fri, 21 Dec 2012 17:27:02 +0000 (18:27 +0100)]

Fragments are always accepted but will not be sent if disabled.  The
vendor ID is only sent if the option is enabled.

Split larger messages into fragments if IKE fragmentation is supported by peer
Tobias Brunner [Fri, 21 Dec 2012 17:25:06 +0000 (18:25 +0100)]

Log message size for in- and outbound IKE messages
Tobias Brunner [Fri, 21 Dec 2012 16:49:45 +0000 (17:49 +0100)]

Add support to create IKE fragments
Tobias Brunner [Thu, 20 Dec 2012 15:04:38 +0000 (16:04 +0100)]

All fragments currently use the same fragment ID (1) as that's what
other implementations are doing.

Log added NAT-T vendor IDs
Tobias Brunner [Wed, 19 Dec 2012 13:07:06 +0000 (14:07 +0100)]

Detect a peer's support for IKE fragmentation
Tobias Brunner [Thu, 20 Dec 2012 11:16:08 +0000 (12:16 +0100)]

Fragments are accepted even if this vendor ID is not seen.

Map fragmented initial Main or Aggressive Mode messages to the same IKE_SA
Tobias Brunner [Thu, 20 Dec 2012 11:14:25 +0000 (12:14 +0100)]

Allow ID_PROT/AGGRESSIVE messages for established IKE_SAs if they contain fragments
Tobias Brunner [Thu, 20 Dec 2012 10:55:33 +0000 (11:55 +0100)]

Other implementations send fragments always in an initial message type
even for transaction or quick mode exchanges.

Don't handle fragmented messages larger than charon.max_packet
Tobias Brunner [Wed, 12 Dec 2012 17:29:31 +0000 (18:29 +0100)]

Don't update an IKE_SA-entry's cached message ID when handling fragments
Tobias Brunner [Wed, 12 Dec 2012 17:23:11 +0000 (18:23 +0100)]

Store inbound IKE fragments and reassemble the message when all fragments are received
Tobias Brunner [Wed, 12 Dec 2012 17:22:32 +0000 (18:22 +0100)]

deleted newly constructed attributes in send_assessment
Andreas Steffen [Mon, 24 Dec 2012 11:06:07 +0000 (12:06 +0100)]

Added Russian and Ukrainian strings for Android client
Dmitry Korzhevin [Mon, 24 Dec 2012 10:44:28 +0000 (11:44 +0100)]

Add message rules to properly handle IKE fragments
Tobias Brunner [Fri, 21 Dec 2012 15:40:58 +0000 (16:40 +0100)]

These are sent in unencrypted messages and are the only payload
contained in such messages.

Reset the encrypted flag when handling IKE messages that contain a fragment
Tobias Brunner [Wed, 12 Dec 2012 17:18:37 +0000 (18:18 +0100)]

Racoon sets the encrypted bit for messages containing a fragment, but these
messages are not really encrypted (the fragmented message is though).

Payload added to handle IKE fragments
Tobias Brunner [Wed, 12 Dec 2012 17:16:58 +0000 (18:16 +0100)]

Add parentheses to avoid compiler warning
Martin Willi [Fri, 21 Dec 2012 08:48:35 +0000 (09:48 +0100)]

Send empty CDATA batch if TNC client has no data to send
Andreas Steffen [Sun, 23 Dec 2012 21:16:30 +0000 (22:16 +0100)]

Fixed some typos, courtesy of codespell
Tobias Brunner [Thu, 20 Dec 2012 08:31:38 +0000 (09:31 +0100)]

Raise an alert if IKE SA is kept
Adrian-Ken Rueegsegger [Wed, 19 Dec 2012 14:48:35 +0000 (15:48 +0100)]

This alert is raised when the establishment of a child SA fails but the
IKE SA is kept.

stroke: Drop unneeded [MY|OTHER]_NETBITS
Reto Buerki [Tue, 18 Dec 2012 15:11:19 +0000 (16:11 +0100)]

stroke: Enable install_policy in add_connection()
Reto Buerki [Wed, 18 Jul 2012 14:19:31 +0000 (16:19 +0200)]

Add support for draft-ietf-ipsec-nat-t-ike-03 and earlier
Volker Rümelin [Sat, 15 Dec 2012 13:11:26 +0000 (14:11 +0100)]

This adds support for early versions of the draft that eventually
resulted in RFC 3947.

NEWS about error-notify
Martin Willi [Wed, 19 Dec 2012 09:43:35 +0000 (10:43 +0100)]

Add missing error_notify_msg.h to distribution tarball
Martin Willi [Wed, 21 Nov 2012 10:12:53 +0000 (11:12 +0100)]

Add an error-notify sample application to listen to error notifications
Martin Willi [Thu, 8 Nov 2012 10:22:26 +0000 (11:22 +0100)]

Add an error-notify plugin to send caught alerts to listening applications
Martin Willi [Tue, 6 Nov 2012 15:46:49 +0000 (16:46 +0100)]

Raise an alert if half-open timeout limit reached
Martin Willi [Tue, 6 Nov 2012 14:26:15 +0000 (15:26 +0100)]

Raise an alert if an authorize() hook fails
Martin Willi [Tue, 6 Nov 2012 10:48:58 +0000 (11:48 +0100)]

Raise an alert if allocating virtual IPs fails
Martin Willi [Tue, 6 Nov 2012 10:43:19 +0000 (11:43 +0100)]