a7fb418edd
EAP-MSCHAPv2 can use stored NT hashes in addition to plaintext passwords
2010-03-17 18:50:53 +01:00
d266e8953e
lookup exclusion for several arbitrary routing tables
2010-03-17 10:08:02 +01:00
551b02029e
Do not hardcode the path to the strongSwan sources.
2010-03-05 14:47:08 +01:00
ea2f2c4b90
Fixing a bug on platforms where size_t is unsigned.
2010-03-03 17:35:19 +01:00
a5a4b6c9d1
Added charon.send/receive_delay options to simulate different RTTs
2010-03-03 15:59:29 +01:00
24f058ac74
Migrated receiver_t to METHOD/INIT macros
2010-03-03 15:52:20 +01:00
eb1aa4c537
Migrated sender_t to METHOD/INIT macros
2010-03-03 15:46:53 +01:00
aa59a7f241
Check if we are not using a vendor EAP method in EAP_IDENTITY comparison.
...
Bug reported by Ingo Kubbilun with a patch from Reinhard Pfau, secunet AG.
2010-03-03 12:28:38 +01:00
1be3298807
Adding Android.mk files to build charon and libstrongswan with the Android build system.
2010-03-03 10:18:46 +01:00
afb364fff9
Reverting eba28948a5 which was only necessary when cross-compiling the plugins for Android 2.0.
...
With the coming monolithic build using Android.mk files this won't be
necessary anymore.
2010-03-02 12:03:44 +01:00
4e657051f7
Streamlined the source file list formatting in plugin makefiles.
2010-03-02 10:40:50 +01:00
6ec60bb92b
Link all enabled libstrongswan plugins into the library, link all enabled charon plugins into libcharon.
2010-03-02 10:38:52 +01:00
9ce567f895
Changed plugin constructors from plugin_create to plugin_name_plugin_create.
2010-03-02 09:10:26 +01:00
6cc13cd9c5
Removing the plugin constructor declarations from the header files.
2010-03-02 09:10:19 +01:00
5acb97cebb
Link libstrongswan to the new plugins, too
2010-02-26 11:49:04 +01:00
f16ca9e89c
Add support for dynamic ports in load tester
2010-02-26 11:44:34 +01:00
347488bd67
Process ike_vendor task before ike_init, fixes support for private algs in IKE
2010-02-26 11:44:34 +01:00
ed5fc4cafe
Use message instead of attributes in hook
2010-02-26 11:44:34 +01:00
b3b74e479b
Set UDP encapsulation option on all sockets
2010-02-26 11:44:34 +01:00
9cb2360e4f
Added locking to dynamic socket list
2010-02-26 11:44:34 +01:00
af2c43fdc7
Include ports in ike_cfg equality check
2010-02-26 11:44:34 +01:00
9ed1bb4842
Added an initiator-only socket implementation which binds ports on demand
2010-02-26 11:44:34 +01:00
40706b6027
Removed obsolete daemon kill
2010-02-26 11:44:34 +01:00
d6a27ec64e
Do not kill daemon, just not use pluggable kernel interface if initialization failed
2010-02-26 11:44:33 +01:00
54f818590e
Pass sockets to bypass to kernel interface, allowing us to register them dynamically
2010-02-26 11:44:33 +01:00
3e631491a0
Migrated kernel_klips_ipsec to METHOD/INIT macros
2010-02-26 11:44:33 +01:00
44791b75f5
Migrated kernel_pfkey_ipsec to METHOD/INIT macros
2010-02-26 11:44:33 +01:00
98ed9c6cf2
Migrated kernel_netlink_ipsec to METHOD/INIT macros
2010-02-26 11:44:33 +01:00
2d49f74e28
Migrated kernel_interface wrapper to METHOD/INIT macros
2010-02-26 11:44:33 +01:00
667b73721a
Added left-/rightikeport ipsec.conf options to use custom IKE ports
2010-02-26 11:44:33 +01:00
cc2eaddee4
Use src/dst ports as configured in ike_cfg
2010-02-26 11:44:33 +01:00
4e18490ea8
Store custom IKE src/dst ports on ike_cfg
2010-02-26 11:44:33 +01:00
deac3a0a5d
Migrated ike_cfg_t to METHOD/INIT macros
2010-02-26 11:44:32 +01:00
147dd96376
Migrated packet_t to METHOD/INIT macros
2010-02-26 11:44:32 +01:00
dab0560497
Moved socket and socket-raw implementations to plugins
2010-02-26 11:44:32 +01:00
eba28948a5
Link all plugins to libstrongswan.
2010-02-25 13:51:05 +01:00
608af0a445
Avoid a race condition that could lead to a segmentation fault.
...
Let's assume the callback function of a callback job returns
JOB_REQUEUE_FAIR in one call and JOB_REQUEUE_NONE in the next. Before
this fix, the thread executing the callback job would requeue the job
before unregistering itself. If there was a context switch right after
the job got requeued, and if the thread that requeued the job never got
resumed until a second thread executed the job and, due to the return
value of JOB_REQUEUE_NONE, destroyed it, then when the first thread
eventually got resumed and tried to lock the mutex to unregister itself
the pointer wouldn't be valid anymore, thus resulting in a segmentation fault.
2010-02-25 09:26:16 +01:00
7d3a830a71
Updated debian package for NetworkManager-strongswan-1.1.2
2010-02-18 09:51:45 +01:00
e159cd1d1a
Version bump and NEWS for NetworkManager-strongswan-1.1.2 release
2010-02-18 09:51:44 +01:00
0209179a30
Updated german translation
2010-02-18 09:51:40 +01:00
7613a68f33
Tooltips are translatable
2010-02-18 09:20:13 +01:00
d178eee895
Newer glade requires explicit vertical vboxes
2010-02-18 09:03:17 +01:00
71070c88b7
Fixed lost renaimings in android plugin
2010-02-18 08:31:10 +01:00
55699f037f
Added Android plugin, currently provides DNS handling on Android
2010-02-17 18:24:11 +01:00
63b0bc9c2d
Invoke missing message() hook for incoming responses
2010-02-17 18:23:14 +01:00
71baf5a8f0
Adding support for AES GMAC (RFC4543).
2010-02-12 10:57:39 +01:00
2aa553d773
Do not build own authentication data before we've verified others, we need the other identity in EAP
2010-02-09 16:11:07 +01:00
7481f964ae
Use child_updown hook in updown plugin, fixes doubled invocation of down script
2010-02-03 11:07:53 +01:00
41faec0791
Some whitespace and code cleanups concerning the mediation extension.
2010-02-02 15:53:22 +01:00
8015c91cb9
Added a ipsec.conf "inactivity" option to configure inactivity timeout for CHILD_SAs
2010-01-27 16:05:11 +01:00
71da001753
Made inactivity_timeout a per CHILD_SA config option
2010-01-27 15:47:08 +01:00
db05341916
Refactored EAP payload, avoid unaligned word access
2010-01-21 14:43:07 +01:00
47498044c3
Support RADIUS messages up to 4096 bytes, RADIUS EAP-Message fragmentation
2010-01-19 16:47:21 +01:00
7eab4a1be6
Support TLS client authentication Extended Key Usage in x509 generation
2010-01-14 12:00:43 +01:00
776f59f7be
Block the signals before the call to sigwait.
2010-01-12 11:52:03 +01:00
aa9eeb5deb
Support for closing CHILD/IKE_SA if a CHILD_SA is inactive.
2010-01-12 10:23:42 +01:00
bc6ff2fc99
Added strongswan.conf options to configure retransmission timeouts
2010-01-11 16:42:12 +01:00
b979032088
log EAP-only authentication proposal
2010-01-11 11:17:40 +01:00
34948b9971
EAP-MSCHAPv2 is indeed mutual, but is prone to MITM dictionary attacks
2010-01-07 15:56:11 +01:00
f34702ff3f
Support EAP-only authentication for mutual and key deriving EAP methods
2010-01-07 15:51:30 +01:00
12fca6cc9f
Indicate and dected support for EAP-only authentication
2010-01-07 14:30:28 +01:00
023fd8f135
Match to private use algorithms only if we know we are talking to strongSwan
2010-01-07 11:07:53 +01:00
b3349c5694
Interpret private use BEET mode notify only if we know we are talking to strongSwan
2010-01-07 09:37:38 +00:00
a5a0bcaa04
Add an option to send a vendor ID, allows us to properly support private extensions
2010-01-07 09:37:27 +00:00
7eaec999ca
make error message about missing MD4 hasher more explicit
2009-12-30 23:32:03 +01:00
83c282ebb4
differentiate EAP method initialization errors
2009-12-30 21:34:59 +01:00
d002c62347
enforce RFC 3779 address constraints on traffic selectors
2009-12-25 11:20:58 +01:00
ff4d4aa99a
Adapted the load_tester kernel-interface to the changes introduced in 6ec949e02.
2009-12-23 17:15:28 +01:00
cb186f9922
Added some IPv6 tweaks for Android.
...
Android 1.6 does not yet support the Advanced Sockets API for IPv6 as defined in
RFC 3542. Also, in6addr_any is missing.
2009-12-23 17:03:42 +01:00
a37cf4580a
Semicolon removed.
2009-12-23 17:03:42 +01:00
3f490ff978
According to the man page (and the header files in Android) prctl takes a total of 5 arguments.
2009-12-23 17:03:42 +01:00
01e606546c
Cache queue locking in credential manager corrected.
2009-12-23 17:03:41 +01:00
47e98cda5f
Join worker threads when destroying the processor.
2009-12-23 17:03:41 +01:00
b97cc0ab3f
Callback job refactored and fixed.
2009-12-23 17:03:41 +01:00
89ec5bef08
Whitespace cleanup.
2009-12-23 17:03:41 +01:00
4a5a5dd290
Using the thread wrapper in charon, libstrongswan and their plugins.
2009-12-23 17:03:41 +01:00
070ac5b0b7
Check if libpthread is required or not.
2009-12-23 17:02:26 +01:00
eba64cef41
Separated the public interfaces of the threading primitives.
2009-12-23 17:01:53 +01:00
14f7091280
Moved mutex.c to a separate folder in order to cleanly wrap other threading primitives (and utils/mutex.h is now threading.h).
2009-12-23 17:00:58 +01:00
32d8f44229
verify RFC3779 IP address blocks along X.509 certificate trust chain
2009-12-23 14:21:31 +01:00
1125a0be81
moved traffic_selectors from charon to libstrongswan
2009-12-20 14:57:38 +01:00
9789d3a9b9
fixed updown plugin for mixed IPv4/IPv6 tunnels
2009-12-17 17:32:55 +01:00
6ec949e022
Fixed BEET mode by installing SAs with negotiated address in traffic selector
2009-12-17 10:52:07 +01:00
a461e20dd8
provide attributes from SQL database
2009-12-16 12:31:41 +01:00
fc85786921
Install v6 routes via outgoing interface for now
2009-12-14 14:44:24 +01:00
4b615edab4
some code optimizations
2009-12-09 00:24:42 +01:00
89d236f0da
Support "_" and "-" variants of NetworkManager pkg-config packages
2009-12-08 14:36:22 +01:00
88dbccc842
Remove generated config.h.in from source tree
2009-12-08 14:36:21 +01:00
268911a5cc
The attribute manager was moved from daemon_t to libstrongswan.
2009-12-07 16:00:27 +01:00
cd51437e43
Do not execute the callback job if it has been cancelled since registration
2009-12-03 08:00:43 +01:00
c636bc7e17
Cleanup library if daemon initialization fails
2009-12-03 08:00:43 +01:00
376a11db3c
Do not install invalid 0.0.0.0 DNS servers
2009-12-01 15:46:56 +01:00
5b4d0de7d4
Prefer EAP-Identity for provider attribute/address lookup
2009-12-01 14:24:07 +01:00
f6116e61fc
Save EAP-Identity on auth config
2009-12-01 14:24:06 +01:00
44ce749360
Store completed authentication rounds permanently on IKE_SA, with flush option
2009-12-01 11:35:30 +01:00
5b2b4d190a
Removed obsolete and unused [gs]et_eap_identity() methods
2009-11-30 16:59:23 +01:00
5351e51951
Do not propose transport mode as initiator if connection is NATed
2009-11-30 11:32:26 +01:00
bff9f824ed
Verify EAP-SIM/AKA AT_MAC before processing any attributes
2009-11-30 10:00:06 +01:00
b04e72c21c
SIM/AKA/Request/Reauthentication AT_MAC does not include NONCE_S, only the response
2009-11-30 09:27:39 +01:00
8434c88b5e
Extended SIM manager by hooks, currently featuring attribute and key hooks
2009-11-30 09:27:26 +01:00
fb1ae8da52
Added a get_sa() method to the bus, allowing a thread to lookup its IKE_SA
2009-11-30 09:27:14 +01:00
c56d958243
Handle NOT_SUPPORTED or other errors properly in get_quintuplet
2009-11-30 09:26:35 +01:00
2b2c69e992
Use transport mode ESP SA if IPcomp is used, IPcomp already applies outer IP header
2009-11-26 16:03:06 +01:00
6780edc07e
Use full algorithm name for SHA384/512 HMACs
2009-11-26 10:39:26 +01:00
6546482a68
Support the Linux specific SHA256 96 bit truncation HMAC via "sha256_96" keyword
2009-11-26 10:39:25 +01:00
eebfa73fd5
Install SHA256_128 auth algorithm with specified 128 bit truncation
2009-11-26 10:39:25 +01:00
5be75c2cb1
Added support for IPv6 source route installation
2009-11-26 10:31:00 +01:00
387a6e6c32
Check existing path in mobike probing only if we still have a route
2009-11-26 10:30:59 +01:00
4b55cf5d09
put identities in single quotes
2009-11-25 09:02:09 +01:00
653da7c907
added more debugging in configuration attribute handling
2009-11-24 23:17:07 +01:00
227583ba59
updated IKEv2 notification messages assigned by IANA
2009-11-24 09:21:00 +01:00
06f02f993c
Do not recreate existing create_child subtask when retrying with different DH group
2009-11-23 13:50:01 +01:00
0d1d19b99d
Avoid potentially unaligned half-word read
2009-11-23 13:49:19 +01:00
ad78bb13c8
Correctly set host number to zero when computing traffic selector range
2009-11-23 10:34:30 +01:00
dd326c114f
Use abort() instead of raising SIGKILL, gives us proper core dumps if enabled
2009-11-20 14:36:24 +01:00
832f283150
Use status_t return value for get_quintuplet() dummy implementations
2009-11-20 11:02:06 +01:00
80b44cd71a
Message stringification supports more detailed EAP payload information
2009-11-18 10:37:46 +01:00
1427c93fcd
Fixed memleak in attribute handling
2009-11-17 15:55:45 +00:00
d674c2ace0
attr plugin supports any custom attribute type having a v4/v6 IP under the charon.plugins.attr namespace
2009-11-17 15:53:57 +00:00
b5a2055fb1
Give plugins more control of which configuration attributes to request, and pass received attributes back to the requesting handler
2009-11-17 14:51:50 +01:00
e6cf060275
Encrypt payloads with missing rule, fix insertion of non-encrypted payloads
2009-11-12 14:52:12 +00:00
074444972a
Build libsimaka with libtool, as we require a PIC-enabled version
2009-11-12 13:37:07 +00:00
addfeeff9c
Do not complain about missing payload order rules for private use payloads
2009-11-12 13:37:06 +00:00
5bfe1b2529
Properly initialize attribute encoding/length values
2009-11-12 13:37:06 +00:00
733538a421
Identation/whitespace cleanups
2009-11-12 13:37:06 +00:00
82713deafd
Simplified vendor ID payload interface
2009-11-12 13:37:06 +00:00
20d144e72f
Invoke message hook before generation, allowing plugins to mangle it
2009-11-12 13:37:06 +00:00
1a86be6e48
Support variable RES length in AKA quintuplets
2009-11-12 10:34:02 +01:00
15b65bf15d
Ported pseudonym/reauth functionality to EAP-AKA
2009-11-12 10:34:01 +01:00
3374cb0f44
Passing other as NULL should not always result in a match if me matches
2009-11-12 10:34:01 +01:00
947b03fd09
Use new identity constructor in EAP-SIM
2009-11-12 10:34:01 +01:00
0109846aa1
Moved card/provider enumeration to SIM manager, providing wrapped functions for both SIM and AKA plugins
2009-11-12 10:34:01 +01:00
eb7bf91e12
Added option to disable identity requests completely (old behavior)
2009-11-12 10:34:01 +01:00
0107f5b687
Fixed replacing existing reauthentication data
2009-11-12 10:34:01 +01:00
2dbac2ab9c
Initiate full authentication if reauthentication identity is unknown
2009-11-12 10:34:01 +01:00
edcb2dd35b
Moved reauth/pseudonym functionality from eap-sim-file to separate plugins, usable by any SIM/AKA backend
2009-11-12 10:34:01 +01:00
acb561373a
eap-sim-file plugin supports volatile in-memory storage of fast reauthentication data
2009-11-12 10:34:01 +01:00
c5ec0f48e7
Initial support for fast reauthentication in EAP-SIM
2009-11-12 10:34:00 +01:00
454b59c5fd
EAP-SIM/AKA crypto helper supports key derivation for fast reauthentication
2009-11-12 10:34:00 +01:00
e1a8729de0
Fallback to permanent identity request if pseudonym mapping failed
2009-11-12 10:34:00 +01:00
c2f8c6a11e
Query triplet/quintuplet functions with permanent identity only,
...
extended sim_provider with a is_pseudonym() function.
2009-11-12 10:34:00 +01:00
2d112ca310
eap-sim-file plugin can store pseudonym information volatile in memory
2009-11-12 10:34:00 +01:00
0328fe940d
Impemented basic pseudonym support in EAP-SIM
2009-11-12 10:34:00 +01:00
0e20893d81
Pass SIM/AKA crypto helper to constructor of message
2009-11-12 10:34:00 +01:00
13f418b442
Added a doxygen group for libsimaka, some cleanups
2009-11-12 10:34:00 +01:00
bcf8a0ff94
Added missing hasher include
2009-11-12 10:33:59 +01:00
4735965fc0
EAP servers check if the received EAP message was expected
2009-11-12 10:33:59 +01:00
02f785b050
Use existing triplet length definitions
2009-11-12 10:33:59 +01:00
aea334ec1c
Splitted EAP-AKA in peer and server implementations, use libsimaka helper library
2009-11-12 10:33:59 +01:00
6d90881573
Proper handling of non-skippable attributes and client error codes in EAP-SIM
2009-11-12 10:33:59 +01:00
e9c03f5243
Use the EAP-SIM/AKA crypto helper in EAP-SIM
2009-11-12 10:33:59 +01:00
ac4dd5439b
Migrated EAP-SIM to libsimaka, separated server/peer implementations
2009-11-12 10:33:58 +01:00
44e8eea17a
sim_provider_t API gained support for pseudonym/fast reauthentication
2009-11-12 10:33:58 +01:00
8f364b5433
sim_card_t API gained support for pseudonym/fast reauthentication
2009-11-12 10:33:58 +01:00
ee8486afdb
adapted log message
2009-11-10 23:55:55 +01:00
cc543182bc
added separating line
2009-11-10 21:50:34 +01:00
67c3875c02
Install bypass policies after creating XFRM netlink socket, loading xfrm_user module
2009-11-09 15:07:00 +01:00
8a650a2bc8
put PGP userid in single quotes
2009-11-08 23:58:41 +01:00
ab5762e32a
list v3 or v4 fingerprint
2009-11-08 23:21:03 +01:00
9a127590ac
stroke_list supports listing of PGP certificates
2009-11-08 21:01:12 +01:00
4c68a85a75
implemented path length constraint checkinf for IKEv2
2009-11-04 23:37:15 +01:00
fae322219f
output optional pathLenConstraint in ipsec listcacerts
2009-11-04 07:30:07 +01:00
4a38687ae7
Use XFRM instead of PF_KEY IKE bypass policies in netlink based kernel interface
2009-10-30 11:19:32 +01:00
140816b055
Query secrets in EAP-MD5 with me/other identities, fixing lookup in NetworkManager
2009-10-26 08:47:40 +01:00
c5f36782ca
Hand out shared secret of load tester for all identities
2009-10-22 16:44:07 +02:00
4952dc11da
Fixed all doxygen warnings
2009-10-22 14:34:10 +02:00
0d73fe88b2
Load-testers PSK is used for all purposes, including EAP authentication
2009-10-20 15:54:13 +02:00
c51b78eb2a
hyphenate eap-radius
2009-10-17 09:23:09 +02:00
1eab115a8b
Do not null-terminate url in hash-and-url payloads
2009-10-16 09:21:28 +02:00
1310fbd322
moved .gitignore for pool
2009-10-15 14:58:09 +02:00
f48ceeb1d1
Renamed plugin configuration sections to the actual plugin name
2009-10-15 10:36:17 +02:00
c4d53fe06b
Streamlined EAP plugins to use a dash between eap-method, as used in all other places
2009-10-15 10:36:17 +02:00
b76b867c70
Renamed --enable-load-tests to --enable-load-tester, like the plugin itself
2009-10-15 10:36:17 +02:00
406f335938
Updated configuration directive of resolve plugin, renamed from resolv_conf
2009-10-15 10:14:10 +02:00
270bb348e3
pluto now supports SQL-based virtual IP pools
2009-10-14 14:30:14 +02:00
bb56e3f962
Improved debugging log in SIM triplet lookup
2009-10-14 09:55:14 +02:00
247794827e
move SQL-based pool functionality to new attr-sql libstrongswan plugin
2009-10-13 17:02:29 +02:00
930443afff
moved attribute_manager to libstrongswan
2009-10-13 13:46:27 +02:00
a2b50c5d60
Fixed assignment of get_triplet() dummy implementation
2009-10-13 11:05:01 +02:00
88eb0a4235
INTERNAL_IP6_NETMASK needed for ModeConfig
2009-10-12 19:45:12 +02:00
073e7dc062
Merged SIM/USIM manager/card/provider, avoids code duplication
2009-10-12 14:40:21 +02:00
f7897b64f6
Added ${shlibs:Depends} dependency to Debian package
2009-10-12 14:06:51 +02:00
3690d31a2a
Added .gitignore for NM Debian package build
2009-10-12 14:06:51 +02:00
68d23d2401
Pass NULL as other identity in EAP-AKA 3GPP2 to find a match with all plugins
2009-10-12 09:51:46 +02:00
9b2942f68d
Stroke plugin interprets NULL identities as ID_ANY in shared key lookup
2009-10-12 09:51:45 +02:00
5d5e2853b6
SIM card interface takes IMSI as parameter (same as in USIM)
2009-10-09 13:02:20 +02:00
31f5280cee
Fixed USIM parameter description
2009-10-09 13:02:20 +02:00
424ddf801c
Do not use monotonic time for AKA sequence numbers, it has an undefined starting point
2009-10-09 13:02:20 +02:00
655728621b
Use constants instead of sizeof(), sizeof() does not work for function arguments
2009-10-09 13:02:20 +02:00
aba93dcc32
Calculate missing CK/IK values in USIM
2009-10-09 13:02:20 +02:00
aca7ba0ffc
Link 3gpp2 EAP-AKA plugin to libgmp
2009-10-09 13:02:20 +02:00
53a16b72ab
Separated 3gpp2 USIM card and provider functionality
2009-10-09 13:02:20 +02:00
0030880c6b
Ported AKA functions to 3gpp2 plugin
2009-10-09 13:02:19 +02:00
4720815774
Added a stub for the EAP-AKA backend implementing the 3GPP2 functions in software
2009-10-09 13:02:19 +02:00
36a3bccfcf
Implemented a manager for USIM cards/providers very similar to the SIM manager
2009-10-09 13:02:19 +02:00
4b1cd5a367
Reenabled acq_expires SA timer using rekey timeout
...
While not using a SA expiration for allocating SPIs works fine,
the situation is much more problematic for kernel-created temporary
SAs from acquires. If the negotiation of such a CHILD_SA fails,
the created temporary SA can not be deleted.
2009-10-07 13:09:59 +02:00
991f7ccd6c
Catch CHILD_SA state changes during acquire
...
If an acquire fails due to a TS_UNACCEPTABLE or other CHILD_SA only errors,
we have to reset the pending state in the trap manager.
2009-10-07 13:09:59 +02:00
cf85e1319b
streamlined output from get_validity()
2009-10-06 14:22:27 +02:00
0da0f3fc3f
delete group attributes after use
2009-10-05 23:17:36 +02:00
a9fe23cf53
stroke_list outputs group attributes
2009-10-05 23:13:51 +02:00
Martin Willi