874c0bd8b8
Refactored segment enabling/disabling
2010-04-07 13:55:15 +02:00
5d67259042
Use a connected UDP socket
2010-04-07 13:55:15 +02:00
06308d9ede
Removed obsolete socket subclasses
2010-04-07 13:55:15 +02:00
3912fdb1ec
Automatically segment cluster using periodically sent status messages
2010-04-07 13:55:14 +02:00
b7f15be136
Do not enable/disable our own sync tunnel
2010-04-07 13:55:14 +02:00
9fdf5f712e
Enable/disable inactive/active segments only
2010-04-07 13:55:14 +02:00
310498f3de
Deactivate all active segments before shutting down
2010-04-07 13:55:14 +02:00
4e248733a8
HA kernel interface can mangle netfilter rules, currently with iptables invocation
2010-04-07 13:55:14 +02:00
dbc91f7c84
Added support for kernel segment manipulation
2010-04-07 13:55:14 +02:00
6921e8d5a9
Moved segment configuration parsing to ha_sync_plugin
2010-04-07 13:55:14 +02:00
37459ea928
Propagate segment manipulation to cluster node
2010-04-07 13:55:14 +02:00
3d672d4b0a
Segment manipulation in HA sync is thread save
2010-04-07 13:55:14 +02:00
c573b11c55
Passing 0 to segments->(de-)activate enables/disables all segments
2010-04-07 13:55:14 +02:00
7ceaf50b05
separated auto-tunnel functionality from socket
2010-04-07 13:55:13 +02:00
f5632db953
create external fifo socket only if "fifo_interface" option is set
2010-04-07 13:55:13 +02:00
47d365deef
updated linuxdir include variable
2010-04-07 13:55:13 +02:00
724736ff1c
updated HA sync plugin to new lifetime config
2010-04-07 13:55:13 +02:00
f825238594
print "none" if not serving any segments
2010-04-07 13:55:13 +02:00
a33eb8631c
automatically establish a PSK authenticated SA between cluster nodes
2010-04-07 13:55:13 +02:00
80624c79d5
fixed memleak when installing synced virtual IPs
2010-04-07 13:55:13 +02:00
b1d495f469
do not sync CHILD_SAs without an IKE_SA
2010-04-07 13:55:13 +02:00
5b7c0f4409
removed $Id$ from ha plugin
2010-04-07 13:55:13 +02:00
26d08a241a
fixed ike_sa condition/extension parsing
2010-04-07 13:55:12 +02:00
1e977438af
fixed sync of CHILD_SA delete
2010-04-07 13:55:12 +02:00
9ffcbea6f1
added HA resync option to (re-)integrate nodes to a cluster
2010-04-07 13:55:12 +02:00
c81f4fa29d
apply peer config during rekeying
2010-04-07 13:55:12 +02:00
34d240a6e3
manage synced SAs in IKE_SA Manager, tag them with IKE_PASSIVE state
2010-04-07 13:55:12 +02:00
d4113a42e9
support for IKE_SA rekeying sync
2010-04-07 13:55:12 +02:00
aa98188af5
IKE_SA activation/deactivation magic using a fifo socket
2010-04-07 13:55:12 +02:00
c94fe198e9
syncing of complete IKE/CHILD_SAs works
2010-04-07 13:55:11 +02:00
7999be5b0e
pushing basic CHILD_SA sync data to backup node
2010-04-07 13:55:11 +02:00
765935c8f6
basic syncing of IKE_SAs
...
recreating SAs with keymat derivation
2010-04-07 13:55:11 +02:00
190edaf527
added a dispatcher class to receive HA sync messages
...
simple attribute parser enumerator (probably needs a cleaner implementation)
2010-04-07 13:55:11 +02:00
12ec91ba3a
generating basic IKE_SA sync messages
...
pushing to statically configured failover node
2010-04-07 13:55:11 +02:00
e5e91eec29
set up basic infrastructure ha_sync plugin
2010-04-07 13:55:11 +02:00
e16d76f9a4
added child_sa serialization to ha_sync plugin
2010-04-07 13:55:11 +02:00
e67f5136c0
HA sync plugin stub
2010-04-07 13:55:11 +02:00
9ed6341d3f
Adding support for debug groups in libstrongswan's logger.
2010-04-06 12:47:40 +02:00
facf887253
Store the name of the daemon that initialized libhydra to load daemon-specific settings.
2010-04-06 12:47:40 +02:00
a1f90c7a85
Fixed deinit for charon --version.
2010-03-24 18:53:10 +01:00
52bff307e1
Init/deinit libhydra in charon and pluto.
2010-03-24 18:53:10 +01:00
39856897e6
Link pluto and charon to libhydra, fixes monolithic build.
2010-03-24 18:53:10 +01:00
c92c94542a
Missed to include charon's Android.mk in the distribution.
2010-03-22 11:32:20 +01:00
6150efa885
Added charon to .gitignore
2010-03-19 17:17:54 +01:00
d92b337fe9
Do not indent the source file lists in Android.mk files so we can easily compare them to the lists in the Makefile.am files.
2010-03-19 13:34:53 +01:00
52c7257366
Adding support for the build of libcharon (and charon) on Android.
2010-03-19 13:34:53 +01:00
ef87a61efd
Explicitly link charon to libstrongswan.
...
Also fixed the reference to the pthread library.
2010-03-19 13:34:53 +01:00
349fa52852
Replacing the original charon with a small wrapper around libcharon.
2010-03-19 13:34:52 +01:00
08c5572602
Moving charon to libcharon.
2010-03-19 13:34:52 +01:00
f0da32c58d
Introduced ipsec.conf NTLM keyword for NT hashes
2010-03-17 18:51:00 +01:00
a7fb418edd
EAP-MSCHAPv2 can use stored NT hashes in addition to plaintext passwords
2010-03-17 18:50:53 +01:00
d266e8953e
lookup exclusion for several arbitrary routing tables
2010-03-17 10:08:02 +01:00
551b02029e
Do not hardcode the path to the strongSwan sources.
2010-03-05 14:47:08 +01:00
ea2f2c4b90
Fixing a bug on platforms where size_t is unsigned.
2010-03-03 17:35:19 +01:00
a5a4b6c9d1
Added charon.send/receive_delay options to simulate different RTTs
2010-03-03 15:59:29 +01:00
24f058ac74
Migrated receiver_t to METHOD/INIT macros
2010-03-03 15:52:20 +01:00
eb1aa4c537
Migrated sender_t to METHOD/INIT macros
2010-03-03 15:46:53 +01:00
aa59a7f241
Check if we are not using a vendor EAP method in EAP_IDENTITY comparison.
...
Bug reported by Ingo Kubbilun with a patch from Reinhard Pfau, secunet AG.
2010-03-03 12:28:38 +01:00
1be3298807
Adding Android.mk files to build charon and libstrongswan with the Android build system.
2010-03-03 10:18:46 +01:00
afb364fff9
Reverting eba28948a5 which was only necessary when cross-compiling the plugins for Android 2.0.
...
With the coming monolithic build using Android.mk files this won't be
necessary anymore.
2010-03-02 12:03:44 +01:00
4e657051f7
Streamlined the source file list formatting in plugin makefiles.
2010-03-02 10:40:50 +01:00
6ec60bb92b
Link all enabled libstrongswan plugins into the library, link all enabled charon plugins into libcharon.
2010-03-02 10:38:52 +01:00
9ce567f895
Changed plugin constructors from plugin_create to plugin_name_plugin_create.
2010-03-02 09:10:26 +01:00
6cc13cd9c5
Removing the plugin constructor declarations from the header files.
2010-03-02 09:10:19 +01:00
5acb97cebb
Link libstrongswan to the new plugins, too
2010-02-26 11:49:04 +01:00
f16ca9e89c
Add support for dynamic ports in load tester
2010-02-26 11:44:34 +01:00
347488bd67
Process ike_vendor task before ike_init, fixes support for private algs in IKE
2010-02-26 11:44:34 +01:00
ed5fc4cafe
Use message instead of attributes in hook
2010-02-26 11:44:34 +01:00
b3b74e479b
Set UDP encapsulation option on all sockets
2010-02-26 11:44:34 +01:00
9cb2360e4f
Added locking to dynamic socket list
2010-02-26 11:44:34 +01:00
af2c43fdc7
Include ports in ike_cfg equality check
2010-02-26 11:44:34 +01:00
9ed1bb4842
Added an initiator-only socket implementation which binds ports on demand
2010-02-26 11:44:34 +01:00
40706b6027
Removed obsolete daemon kill
2010-02-26 11:44:34 +01:00
d6a27ec64e
Do not kill daemon, just not use pluggable kernel interface if initialization failed
2010-02-26 11:44:33 +01:00
54f818590e
Pass sockets to bypass to kernel interface, allowing us to register them dynamically
2010-02-26 11:44:33 +01:00
3e631491a0
Migrated kernel_klips_ipsec to METHOD/INIT macros
2010-02-26 11:44:33 +01:00
44791b75f5
Migrated kernel_pfkey_ipsec to METHOD/INIT macros
2010-02-26 11:44:33 +01:00
98ed9c6cf2
Migrated kernel_netlink_ipsec to METHOD/INIT macros
2010-02-26 11:44:33 +01:00
2d49f74e28
Migrated kernel_interface wrapper to METHOD/INIT macros
2010-02-26 11:44:33 +01:00
667b73721a
Added left-/rightikeport ipsec.conf options to use custom IKE ports
2010-02-26 11:44:33 +01:00
cc2eaddee4
Use src/dst ports as configured in ike_cfg
2010-02-26 11:44:33 +01:00
4e18490ea8
Store custom IKE src/dst ports on ike_cfg
2010-02-26 11:44:33 +01:00
deac3a0a5d
Migrated ike_cfg_t to METHOD/INIT macros
2010-02-26 11:44:32 +01:00
147dd96376
Migrated packet_t to METHOD/INIT macros
2010-02-26 11:44:32 +01:00
dab0560497
Moved socket and socket-raw implementations to plugins
2010-02-26 11:44:32 +01:00
eba28948a5
Link all plugins to libstrongswan.
2010-02-25 13:51:05 +01:00
608af0a445
Avoid a race condition that could lead to a segmentation fault.
...
Let's assume the callback function of a callback job returns
JOB_REQUEUE_FAIR in one call and JOB_REQUEUE_NONE in the next. Before
this fix, the thread executing the callback job would requeue the job
before unregistering itself. If there was a context switch right after
the job got requeued, and if the thread that requeued the job never got
resumed until a second thread executed the job and, due to the return
value of JOB_REQUEUE_NONE, destroyed it, then when the first thread
eventually got resumed and tried to lock the mutex to unregister itself
the pointer wouldn't be valid anymore, thus resulting in a segmentation fault.
2010-02-25 09:26:16 +01:00
7d3a830a71
Updated debian package for NetworkManager-strongswan-1.1.2
2010-02-18 09:51:45 +01:00
e159cd1d1a
Version bump and NEWS for NetworkManager-strongswan-1.1.2 release
2010-02-18 09:51:44 +01:00
0209179a30
Updated german translation
2010-02-18 09:51:40 +01:00
7613a68f33
Tooltips are translatable
2010-02-18 09:20:13 +01:00
d178eee895
Newer glade requires explicit vertical vboxes
2010-02-18 09:03:17 +01:00
71070c88b7
Fixed lost renaimings in android plugin
2010-02-18 08:31:10 +01:00
55699f037f
Added Android plugin, currently provides DNS handling on Android
2010-02-17 18:24:11 +01:00
63b0bc9c2d
Invoke missing message() hook for incoming responses
2010-02-17 18:23:14 +01:00
71baf5a8f0
Adding support for AES GMAC (RFC4543).
2010-02-12 10:57:39 +01:00
2aa553d773
Do not build own authentication data before we've verified others, we need the other identity in EAP
2010-02-09 16:11:07 +01:00
7481f964ae
Use child_updown hook in updown plugin, fixes doubled invocation of down script
2010-02-03 11:07:53 +01:00
41faec0791
Some whitespace and code cleanups concerning the mediation extension.
2010-02-02 15:53:22 +01:00
8015c91cb9
Added a ipsec.conf "inactivity" option to configure inactivity timeout for CHILD_SAs
2010-01-27 16:05:11 +01:00
71da001753
Made inactivity_timeout a per CHILD_SA config option
2010-01-27 15:47:08 +01:00
db05341916
Refactored EAP payload, avoid unaligned word access
2010-01-21 14:43:07 +01:00
47498044c3
Support RADIUS messages up to 4096 bytes, RADIUS EAP-Message fragmentation
2010-01-19 16:47:21 +01:00
7eab4a1be6
Support TLS client authentication Extended Key Usage in x509 generation
2010-01-14 12:00:43 +01:00
776f59f7be
Block the signals before the call to sigwait.
2010-01-12 11:52:03 +01:00
aa9eeb5deb
Support for closing CHILD/IKE_SA if a CHILD_SA is inactive.
2010-01-12 10:23:42 +01:00
bc6ff2fc99
Added strongswan.conf options to configure retransmission timeouts
2010-01-11 16:42:12 +01:00
b979032088
log EAP-only authentication proposal
2010-01-11 11:17:40 +01:00
34948b9971
EAP-MSCHAPv2 is indeed mutual, but is prone to MITM dictionary attacks
2010-01-07 15:56:11 +01:00
f34702ff3f
Support EAP-only authentication for mutual and key deriving EAP methods
2010-01-07 15:51:30 +01:00
12fca6cc9f
Indicate and dected support for EAP-only authentication
2010-01-07 14:30:28 +01:00
023fd8f135
Match to private use algorithms only if we know we are talking to strongSwan
2010-01-07 11:07:53 +01:00
b3349c5694
Interpret private use BEET mode notify only if we know we are talking to strongSwan
2010-01-07 09:37:38 +00:00
a5a0bcaa04
Add an option to send a vendor ID, allows us to properly support private extensions
2010-01-07 09:37:27 +00:00
7eaec999ca
make error message about missing MD4 hasher more explicit
2009-12-30 23:32:03 +01:00
83c282ebb4
differentiate EAP method initialization errors
2009-12-30 21:34:59 +01:00
d002c62347
enforce RFC 3779 address constraints on traffic selectors
2009-12-25 11:20:58 +01:00
ff4d4aa99a
Adapted the load_tester kernel-interface to the changes introduced in 6ec949e02.
2009-12-23 17:15:28 +01:00
cb186f9922
Added some IPv6 tweaks for Android.
...
Android 1.6 does not yet support the Advanced Sockets API for IPv6 as defined in
RFC 3542. Also, in6addr_any is missing.
2009-12-23 17:03:42 +01:00
a37cf4580a
Semicolon removed.
2009-12-23 17:03:42 +01:00
3f490ff978
According to the man page (and the header files in Android) prctl takes a total of 5 arguments.
2009-12-23 17:03:42 +01:00
01e606546c
Cache queue locking in credential manager corrected.
2009-12-23 17:03:41 +01:00
47e98cda5f
Join worker threads when destroying the processor.
2009-12-23 17:03:41 +01:00
b97cc0ab3f
Callback job refactored and fixed.
2009-12-23 17:03:41 +01:00
89ec5bef08
Whitespace cleanup.
2009-12-23 17:03:41 +01:00
4a5a5dd290
Using the thread wrapper in charon, libstrongswan and their plugins.
2009-12-23 17:03:41 +01:00
070ac5b0b7
Check if libpthread is required or not.
2009-12-23 17:02:26 +01:00
eba64cef41
Separated the public interfaces of the threading primitives.
2009-12-23 17:01:53 +01:00
14f7091280
Moved mutex.c to a separate folder in order to cleanly wrap other threading primitives (and utils/mutex.h is now threading.h).
2009-12-23 17:00:58 +01:00
32d8f44229
verify RFC3779 IP address blocks along X.509 certificate trust chain
2009-12-23 14:21:31 +01:00
1125a0be81
moved traffic_selectors from charon to libstrongswan
2009-12-20 14:57:38 +01:00
9789d3a9b9
fixed updown plugin for mixed IPv4/IPv6 tunnels
2009-12-17 17:32:55 +01:00
6ec949e022
Fixed BEET mode by installing SAs with negotiated address in traffic selector
2009-12-17 10:52:07 +01:00
a461e20dd8
provide attributes from SQL database
2009-12-16 12:31:41 +01:00
fc85786921
Install v6 routes via outgoing interface for now
2009-12-14 14:44:24 +01:00
4b615edab4
some code optimizations
2009-12-09 00:24:42 +01:00
89d236f0da
Support "_" and "-" variants of NetworkManager pkg-config packages
2009-12-08 14:36:22 +01:00
88dbccc842
Remove generated config.h.in from source tree
2009-12-08 14:36:21 +01:00
268911a5cc
The attribute manager was moved from daemon_t to libstrongswan.
2009-12-07 16:00:27 +01:00
cd51437e43
Do not execute the callback job if it has been cancelled since registration
2009-12-03 08:00:43 +01:00
c636bc7e17
Cleanup library if daemon initialization fails
2009-12-03 08:00:43 +01:00
376a11db3c
Do not install invalid 0.0.0.0 DNS servers
2009-12-01 15:46:56 +01:00
5b4d0de7d4
Prefer EAP-Identity for provider attribute/address lookup
2009-12-01 14:24:07 +01:00
f6116e61fc
Save EAP-Identity on auth config
2009-12-01 14:24:06 +01:00
44ce749360
Store completed authentication rounds permanently on IKE_SA, with flush option
2009-12-01 11:35:30 +01:00
5b2b4d190a
Removed obsolete and unused [gs]et_eap_identity() methods
2009-11-30 16:59:23 +01:00
5351e51951
Do not propose transport mode as initiator if connection is NATed
2009-11-30 11:32:26 +01:00
bff9f824ed
Verify EAP-SIM/AKA AT_MAC before processing any attributes
2009-11-30 10:00:06 +01:00
b04e72c21c
SIM/AKA/Request/Reauthentication AT_MAC does not include NONCE_S, only the response
2009-11-30 09:27:39 +01:00
8434c88b5e
Extended SIM manager by hooks, currently featuring attribute and key hooks
2009-11-30 09:27:26 +01:00
Martin Willi