strongswan.git
10 years ago: fixed memory leak
Andreas Steffen [Thu, 9 Sep 2010 19:38:22 +0000 (21:38 +0200)]
fixed memory leak

10 years ago: Compare subject against all key identifiers in has_subject()
Martin Willi [Thu, 9 Sep 2010 15:40:16 +0000 (17:40 +0200)]
Compare subject against all key identifiers in has_subject()

10 years ago: has_subject() now resolves ID_KEY_IDs
Andreas Steffen [Thu, 9 Sep 2010 15:14:06 +0000 (17:14 +0200)]
has_subject() now resolves ID_KEY_IDs

10 years ago: Do not change cipherspec while we have buffered handshake fragments pending
Martin Willi [Thu, 9 Sep 2010 12:27:41 +0000 (14:27 +0200)]
Do not change cipherspec while we have buffered handshake fragments pending

10 years ago: added ikev1/net2net-same-nets scenario
Andreas Steffen [Thu, 9 Sep 2010 11:37:22 +0000 (13:37 +0200)]
added ikev1/net2net-same-nets scenario

10 years ago: Conditional exclusion of tls_test script completed.
Tobias Brunner [Thu, 9 Sep 2010 11:19:51 +0000 (13:19 +0200)]
Conditional exclusion of tls_test script completed.

10 years ago: Fixed typo.
Tobias Brunner [Thu, 9 Sep 2010 11:19:22 +0000 (13:19 +0200)]
Fixed typo.

10 years ago: debug output of inbound and outbound TNCCS batches
Andreas Steffen [Thu, 9 Sep 2010 09:14:48 +0000 (11:14 +0200)]
debug output of inbound and outbound TNCCS batches

10 years ago: support non EAP-TTLS conformant RADIUS-type attribute segmentation
Andreas Steffen [Thu, 9 Sep 2010 09:13:48 +0000 (11:13 +0200)]
support non EAP-TTLS conformant RADIUS-type attribute segmentation

10 years ago: Fixed copy/paste error.
Tobias Brunner [Thu, 9 Sep 2010 08:10:43 +0000 (10:10 +0200)]
Fixed copy/paste error.

10 years ago: added explanatory comments
Andreas Steffen [Thu, 9 Sep 2010 06:57:13 +0000 (08:57 +0200)]
added explanatory comments

10 years ago: send well-formed TNCCS-Batch
Andreas Steffen [Wed, 8 Sep 2010 11:44:34 +0000 (13:44 +0200)]
send well-formed TNCCS-Batch

10 years ago: make max_message_count configurable and move it into tls_eap_t
Andreas Steffen [Wed, 8 Sep 2010 10:58:40 +0000 (12:58 +0200)]
make max_message_count configurable and move it into tls_eap_t

10 years ago: handle TLS_PURPOSE_EAP_TNC
Andreas Steffen [Wed, 8 Sep 2010 10:11:44 +0000 (12:11 +0200)]
handle TLS_PURPOSE_EAP_TNC

10 years ago: Added a simple led plugin to control Linux LEDs based on IKE activity
Martin Willi [Wed, 8 Sep 2010 09:59:00 +0000 (11:59 +0200)]
Added a simple led plugin to control Linux LEDs based on IKE activity

10 years ago: moved tls_t existence test into tls_eap_create() again
Andreas Steffen [Wed, 8 Sep 2010 09:09:11 +0000 (11:09 +0200)]
moved tls_t existence test into tls_eap_create() again

10 years ago: generalized tls_eap_t to support EAP_TNC wrapping the TNC_IF_TNCCS protocol
Andreas Steffen [Wed, 8 Sep 2010 09:01:47 +0000 (11:01 +0200)]
generalized tls_eap_t to support EAP_TNC wrapping the TNC_IF_TNCCS protocol

10 years ago: Read the compression type byte for EC groups only
Martin Willi [Wed, 8 Sep 2010 08:32:55 +0000 (10:32 +0200)]
Read the compression type byte for EC groups only

10 years ago: added non-standard SERPENT and TWOFISH support to kernel_netlink plugin
Andreas Steffen [Wed, 8 Sep 2010 05:22:31 +0000 (07:22 +0200)]
added non-standard SERPENT and TWOFISH support to kernel_netlink plugin

10 years ago: added openssl-ikev2/rw-eap-tls-only scenario
Andreas Steffen [Tue, 7 Sep 2010 15:14:32 +0000 (17:14 +0200)]
added openssl-ikev2/rw-eap-tls-only scenario

10 years ago: added qcStatements OID
Andreas Steffen [Tue, 7 Sep 2010 09:17:51 +0000 (11:17 +0200)]
added qcStatements OID

10 years ago: Fixed typos
Martin Willi [Tue, 7 Sep 2010 08:24:40 +0000 (10:24 +0200)]
Fixed typos

10 years ago: Build tls_test script only if TLS stack is enabled
Martin Willi [Tue, 7 Sep 2010 08:21:44 +0000 (10:21 +0200)]
Build tls_test script only if TLS stack is enabled

10 years ago: Added PKCS#11 NEWS
Martin Willi [Tue, 7 Sep 2010 08:21:25 +0000 (10:21 +0200)]
Added PKCS#11 NEWS

10 years ago: Added (EAP-)TLS NEWS
Martin Willi [Tue, 7 Sep 2010 08:10:36 +0000 (10:10 +0200)]
Added (EAP-)TLS NEWS

10 years ago: Include ec_point_format extension in ClientHello
Martin Willi [Mon, 6 Sep 2010 16:51:38 +0000 (18:51 +0200)]
Include ec_point_format extension in ClientHello

10 years ago: Added TLS specific EC point formats
Martin Willi [Mon, 6 Sep 2010 16:42:43 +0000 (18:42 +0200)]
Added TLS specific EC point formats

10 years ago: Renamed ecp_format to ansi_format, as point formats in TLS use different identifiers
Martin Willi [Mon, 6 Sep 2010 16:36:27 +0000 (18:36 +0200)]
Renamed ecp_format to ansi_format, as point formats in TLS use different identifiers

10 years ago: Enable the random plugin for scripts
Martin Willi [Mon, 6 Sep 2010 16:11:05 +0000 (18:11 +0200)]
Enable the random plugin for scripts

10 years ago: Accept TLS records with zero-length plaintext
Martin Willi [Mon, 6 Sep 2010 15:04:59 +0000 (17:04 +0200)]
Accept TLS records with zero-length plaintext

10 years ago: Added strongswan.conf option to filter for specific TLS suites
Martin Willi [Mon, 6 Sep 2010 14:44:47 +0000 (16:44 +0200)]
Added strongswan.conf option to filter for specific TLS suites

10 years ago: Added strongswan.conf options to filter cipher suites by specific algorithms
Martin Willi [Mon, 6 Sep 2010 14:37:45 +0000 (16:37 +0200)]
Added strongswan.conf options to filter cipher suites by specific algorithms

10 years ago: Register missing AUTH_HMAC_SHA384 algorithm without truncation
Martin Willi [Mon, 6 Sep 2010 14:36:16 +0000 (16:36 +0200)]
Register missing AUTH_HMAC_SHA384 algorithm without truncation

10 years ago: Fixed key type in TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Martin Willi [Mon, 6 Sep 2010 14:35:53 +0000 (16:35 +0200)]
Fixed key type in TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

10 years ago: Prepend point format to ECDH public key
Martin Willi [Mon, 6 Sep 2010 13:31:32 +0000 (15:31 +0200)]
Prepend point format to ECDH public key

10 years ago: Log the selected (EC)DH group
Martin Willi [Mon, 6 Sep 2010 09:19:47 +0000 (11:19 +0200)]
Log the selected (EC)DH group

10 years ago: Parse unsupported TLS Hello extensions properly
Martin Willi [Mon, 6 Sep 2010 08:55:15 +0000 (10:55 +0200)]
Parse unsupported TLS Hello extensions properly

10 years ago: Added TLS extension identifiers from RFC 3546
Martin Willi [Mon, 6 Sep 2010 08:54:11 +0000 (10:54 +0200)]
Added TLS extension identifiers from RFC 3546

10 years ago: Of course, mark is also supported by pluto.
Tobias Brunner [Mon, 6 Sep 2010 10:04:26 +0000 (12:04 +0200)]
Of course, mark is also supported by pluto.

10 years ago: mark_in and mark_out are also supported by pluto.
Tobias Brunner [Mon, 6 Sep 2010 09:53:59 +0000 (11:53 +0200)]
mark_in and mark_out are also supported by pluto.

10 years ago: Do not propose (EC)DHE suites if we do not support them
Martin Willi [Fri, 3 Sep 2010 16:24:03 +0000 (18:24 +0200)]
Do not propose (EC)DHE suites if we do not support them

10 years ago: Offer only algorithms/suites we have a registered public key backend for
Martin Willi [Fri, 3 Sep 2010 16:11:03 +0000 (18:11 +0200)]
Offer only algorithms/suites we have a registered public key backend for

10 years ago: Added a final flag to builder registration to enumerate the actually supported algorithms
Martin Willi [Fri, 3 Sep 2010 16:09:48 +0000 (18:09 +0200)]
Added a final flag to builder registration to enumerate the actually supported algorithms

10 years ago: Fixed key type of ECDHE_RSA groups
Martin Willi [Fri, 3 Sep 2010 15:24:39 +0000 (17:24 +0200)]
Fixed key type of ECDHE_RSA groups

10 years ago: Use a dynamic curve enumerator to list/convert TLS named curves
Martin Willi [Fri, 3 Sep 2010 15:05:39 +0000 (17:05 +0200)]
Use a dynamic curve enumerator to list/convert TLS named curves

10 years ago: Use ECDH group check where appropriate
Martin Willi [Fri, 3 Sep 2010 14:22:49 +0000 (16:22 +0200)]
Use ECDH group check where appropriate

10 years ago: Added a generic function to check if a DH group is an EC group
Martin Willi [Fri, 3 Sep 2010 14:22:10 +0000 (16:22 +0200)]
Added a generic function to check if a DH group is an EC group

10 years ago: Add ECDHE enabled cipher suites, including ECDSA variants
Martin Willi [Fri, 3 Sep 2010 10:54:40 +0000 (12:54 +0200)]
Add ECDHE enabled cipher suites, including ECDSA variants

10 years ago: Added support for a non-truncated SHA384 HMAC variant, as used by TLS
Martin Willi [Fri, 3 Sep 2010 10:51:26 +0000 (12:51 +0200)]
Added support for a non-truncated SHA384 HMAC variant, as used by TLS

10 years ago: Select private key based on received cipher suites
Martin Willi [Fri, 3 Sep 2010 10:50:18 +0000 (12:50 +0200)]
Select private key based on received cipher suites

10 years ago: Support for EC curve Hello extension, EC curve fallback
Martin Willi [Fri, 3 Sep 2010 09:45:55 +0000 (11:45 +0200)]
Support for EC curve Hello extension, EC curve fallback

10 years ago: Added server support for ECDHE key exchange
Martin Willi [Fri, 3 Sep 2010 09:00:37 +0000 (11:00 +0200)]
Added server support for ECDHE key exchange

10 years ago: Added client support for ECDHE key exchange
Martin Willi [Fri, 3 Sep 2010 09:00:07 +0000 (11:00 +0200)]
Added client support for ECDHE key exchange

10 years ago: Added TLS EC curve type and name identifiers
Martin Willi [Fri, 3 Sep 2010 08:59:01 +0000 (10:59 +0200)]
Added TLS EC curve type and name identifiers

10 years ago: fixed typo
Andreas Steffen [Fri, 3 Sep 2010 11:30:40 +0000 (13:30 +0200)]
fixed typo

10 years ago: updown script variable is called PLUTO_UDP_ENC
Andreas Steffen [Fri, 3 Sep 2010 10:57:16 +0000 (12:57 +0200)]
updown script variable is called PLUTO_UDP_ENC

10 years ago: Fixed left-/rightnexthop ipsec.conf options.
Tobias Brunner [Fri, 3 Sep 2010 09:44:01 +0000 (11:44 +0200)]
Fixed left-/rightnexthop ipsec.conf options.

10 years ago: Check for queued TLS alerts after each handshake part
Martin Willi [Fri, 3 Sep 2010 07:32:39 +0000 (09:32 +0200)]
Check for queued TLS alerts after each handshake part

10 years ago: Added support for MODP_CUSTOM to gcrypt plugin
Martin Willi [Fri, 3 Sep 2010 07:32:18 +0000 (09:32 +0200)]
Added support for MODP_CUSTOM to gcrypt plugin

10 years ago: Added support for MODP_CUSTOM to openssl plugin
Martin Willi [Fri, 3 Sep 2010 07:31:51 +0000 (09:31 +0200)]
Added support for MODP_CUSTOM to openssl plugin

10 years ago: adapted debug options
Andreas Steffen [Fri, 3 Sep 2010 07:29:56 +0000 (09:29 +0200)]
adapted debug options

10 years ago: adapted debug options
Andreas Steffen [Fri, 3 Sep 2010 07:27:16 +0000 (09:27 +0200)]
adapted debug options

10 years ago: removed redundant debug output
Andreas Steffen [Thu, 2 Sep 2010 20:19:25 +0000 (22:19 +0200)]
removed redundant debug output

10 years ago: version bump to 4.5.0dr2
Andreas Steffen [Thu, 2 Sep 2010 20:18:52 +0000 (22:18 +0200)]
version bump to 4.5.0dr2

10 years ago: optimized FreeRadius scenarios for debug output
Andreas Steffen [Thu, 2 Sep 2010 12:37:27 +0000 (14:37 +0200)]
optimized FreeRadius scenarios for debug output

10 years ago: added ikev2/rw-eap-tnc-radius scenario
Andreas Steffen [Thu, 2 Sep 2010 12:36:52 +0000 (14:36 +0200)]
added ikev2/rw-eap-tnc-radius scenario

10 years ago: added radius init script with increased debugging
Andreas Steffen [Thu, 2 Sep 2010 11:19:24 +0000 (13:19 +0200)]
added radius init script with increased debugging

10 years ago: display configuration and log of FreeRadius servers
Andreas Steffen [Thu, 2 Sep 2010 11:15:49 +0000 (13:15 +0200)]
display configuration and log of FreeRadius servers

10 years ago: Add DHE enabled RSA variants to the supported TLS suites
Martin Willi [Thu, 2 Sep 2010 17:27:37 +0000 (19:27 +0200)]
Add DHE enabled RSA variants to the supported TLS suites

10 years ago: Added TLS server side support for DHE suites
Martin Willi [Thu, 2 Sep 2010 17:27:13 +0000 (19:27 +0200)]
Added TLS server side support for DHE suites

10 years ago: Added TLS client side support for DHE suites
Martin Willi [Thu, 2 Sep 2010 17:26:19 +0000 (19:26 +0200)]
Added TLS client side support for DHE suites

10 years ago: Store a MODP group we use for each TLS suite
Martin Willi [Thu, 2 Sep 2010 17:24:56 +0000 (19:24 +0200)]
Store a MODP group we use for each TLS suite

10 years ago: Added support for MODP_CUSTOM to gmp plugin
Martin Willi [Thu, 2 Sep 2010 17:23:37 +0000 (19:23 +0200)]
Added support for MODP_CUSTOM to gmp plugin

10 years ago: Added a MODP_CUSTOM DH group which takes g and p as constructor arguments
Martin Willi [Thu, 2 Sep 2010 17:06:34 +0000 (19:06 +0200)]
Added a MODP_CUSTOM DH group which takes g and p as constructor arguments

10 years ago: Implemented "signature algorithm" hello extension
Martin Willi [Thu, 2 Sep 2010 17:19:17 +0000 (19:19 +0200)]
Implemented "signature algorithm" hello extension

10 years ago: Added TLS extension identifiers
Martin Willi [Thu, 2 Sep 2010 17:07:45 +0000 (19:07 +0200)]
Added TLS extension identifiers

10 years ago: Added generic TLS data sign/verify, hash/sig algorithm construction
Martin Willi [Thu, 2 Sep 2010 17:15:16 +0000 (19:15 +0200)]
Added generic TLS data sign/verify, hash/sig algorithm construction

10 years ago: Continue with a randomized premaster if decryption failed / version mismatches
Martin Willi [Thu, 2 Sep 2010 12:48:30 +0000 (14:48 +0200)]
Continue with a randomized premaster if decryption failed / version mismatches

10 years ago: pluto: Removed unused lifetime from raw_eroute.
Tobias Brunner [Thu, 2 Sep 2010 16:59:53 +0000 (18:59 +0200)]
pluto: Removed unused lifetime from raw_eroute.

10 years ago: pluto: Added support for statically configured reqids.
Tobias Brunner [Thu, 2 Sep 2010 14:05:21 +0000 (16:05 +0200)]
pluto: Added support for statically configured reqids.

10 years ago: testing: Added ikev1 xfrm mark scenarios.
Tobias Brunner [Mon, 30 Aug 2010 08:04:16 +0000 (10:04 +0200)]
testing: Added ikev1 xfrm mark scenarios.

10 years ago: pluto: Make marks available in updown script.
Tobias Brunner [Mon, 30 Aug 2010 08:01:37 +0000 (10:01 +0200)]
pluto: Make marks available in updown script.

10 years ago: pluto: Fixed comparison of connections, if marks are specified.
Tobias Brunner [Mon, 30 Aug 2010 07:59:25 +0000 (09:59 +0200)]
pluto: Fixed comparison of connections, if marks are specified.

10 years ago: pluto: Store xfrm marks on connection and use them when installing SAs and policies.
Tobias Brunner [Mon, 30 Aug 2010 07:56:53 +0000 (09:56 +0200)]
pluto: Store xfrm marks on connection and use them when installing SAs and policies.

10 years ago: starter: Some whitespace cleanup.
Tobias Brunner [Mon, 30 Aug 2010 06:58:56 +0000 (08:58 +0200)]
starter: Some whitespace cleanup.

10 years ago: pluto: Added PLUTO_UDP_ENC argument to updown script.
Tobias Brunner [Mon, 30 Aug 2010 06:54:38 +0000 (08:54 +0200)]
pluto: Added PLUTO_UDP_ENC argument to updown script.

This contains the remote UDP port in case of UDP encapsulated ESP.

10 years ago: pluto: Return value fixed.
Tobias Brunner [Mon, 30 Aug 2010 06:47:13 +0000 (08:47 +0200)]
pluto: Return value fixed.

10 years ago: pluto: Removed bare shunt table.
Tobias Brunner [Wed, 18 Aug 2010 07:41:04 +0000 (09:41 +0200)]
pluto: Removed bare shunt table.

10 years ago: Do not install routes for pluto.
Tobias Brunner [Tue, 17 Aug 2010 07:48:59 +0000 (09:48 +0200)]
Do not install routes for pluto.

There are some incompatibilities with e.g. passthrough policies.
Pluto installs required source routes via updown script.

10 years ago: pluto: Handle changed NAT mappings via libhydra's kernel interface.
Tobias Brunner [Mon, 16 Aug 2010 17:07:30 +0000 (19:07 +0200)]
pluto: Handle changed NAT mappings via libhydra's kernel interface.

10 years ago: pluto: Removed no_klips flag (--noklips option).
Tobias Brunner [Mon, 16 Aug 2010 13:53:56 +0000 (15:53 +0200)]
pluto: Removed no_klips flag (--noklips option).

10 years ago: pluto: Removed references to KLIPS from documentation, log messages and comments.
Tobias Brunner [Mon, 16 Aug 2010 12:32:55 +0000 (14:32 +0200)]
pluto: Removed references to KLIPS from documentation, log messages and comments.

10 years ago: pluto: Added --debug-kernel as alias for --debug-klips.
Tobias Brunner [Mon, 16 Aug 2010 12:59:23 +0000 (14:59 +0200)]
pluto: Added --debug-kernel as alias for --debug-klips.

10 years ago: pluto: Replaced DBG_KLIPS with DBG_KERNEL.
Tobias Brunner [Mon, 16 Aug 2010 12:07:09 +0000 (14:07 +0200)]
pluto: Replaced DBG_KLIPS with DBG_KERNEL.

10 years ago: pluto: Removed the KLIPS preprocessor flag.
Tobias Brunner [Mon, 16 Aug 2010 12:02:25 +0000 (14:02 +0200)]
pluto: Removed the KLIPS preprocessor flag.

10 years ago: pluto: Removed unneeded kernel abstractions.
Tobias Brunner [Mon, 16 Aug 2010 09:26:31 +0000 (11:26 +0200)]
pluto: Removed unneeded kernel abstractions.

10 years ago: pluto: Completely removed struct kernel_ops.
Tobias Brunner [Mon, 16 Aug 2010 09:12:57 +0000 (11:12 +0200)]
pluto: Completely removed struct kernel_ops.

10 years ago: pluto: Refactored PF_KEY capabilities registration.
Tobias Brunner [Mon, 16 Aug 2010 08:33:37 +0000 (10:33 +0200)]
pluto: Refactored PF_KEY capabilities registration.

Although we use the kernel interface from libhydra, we still need this to make
the available algorithms known to pluto.

10 years ago: pluto: Removed unneeded functions from PF_KEY interface.
Tobias Brunner [Wed, 11 Aug 2010 11:51:03 +0000 (13:51 +0200)]
pluto: Removed unneeded functions from PF_KEY interface.

We still use the algorithm registration.

10 years ago: pluto: Completely removed orphaned_holds.
Tobias Brunner [Tue, 10 Aug 2010 15:36:38 +0000 (17:36 +0200)]
pluto: Completely removed orphaned_holds.