71da001753
Made inactivity_timeout a per CHILD_SA config option
2010-01-27 15:47:08 +01:00
db05341916
Refactored EAP payload, avoid unaligned word access
2010-01-21 14:43:07 +01:00
47498044c3
Support RADIUS messages up to 4096 bytes, RADIUS EAP-Message fragmentation
2010-01-19 16:47:21 +01:00
7eab4a1be6
Support TLS client authentication Extended Key Usage in x509 generation
2010-01-14 12:00:43 +01:00
776f59f7be
Block the signals before the call to sigwait.
2010-01-12 11:52:03 +01:00
aa9eeb5deb
Support for closing CHILD/IKE_SA if a CHILD_SA is inactive.
2010-01-12 10:23:42 +01:00
bc6ff2fc99
Added strongswan.conf options to configure retransmission timeouts
2010-01-11 16:42:12 +01:00
b979032088
log EAP-only authentication proposal
2010-01-11 11:17:40 +01:00
34948b9971
EAP-MSCHAPv2 is indeed mutual, but is prone to MITM dictionary attacks
2010-01-07 15:56:11 +01:00
f34702ff3f
Support EAP-only authentication for mutual and key deriving EAP methods
2010-01-07 15:51:30 +01:00
12fca6cc9f
Indicate and dected support for EAP-only authentication
2010-01-07 14:30:28 +01:00
023fd8f135
Match to private use algorithms only if we know we are talking to strongSwan
2010-01-07 11:07:53 +01:00
b3349c5694
Interpret private use BEET mode notify only if we know we are talking to strongSwan
2010-01-07 09:37:38 +00:00
a5a0bcaa04
Add an option to send a vendor ID, allows us to properly support private extensions
2010-01-07 09:37:27 +00:00
7eaec999ca
make error message about missing MD4 hasher more explicit
2009-12-30 23:32:03 +01:00
83c282ebb4
differentiate EAP method initialization errors
2009-12-30 21:34:59 +01:00
d002c62347
enforce RFC 3779 address constraints on traffic selectors
2009-12-25 11:20:58 +01:00
ff4d4aa99a
Adapted the load_tester kernel-interface to the changes introduced in 6ec949e02.
2009-12-23 17:15:28 +01:00
cb186f9922
Added some IPv6 tweaks for Android.
...
Android 1.6 does not yet support the Advanced Sockets API for IPv6 as defined in
RFC 3542. Also, in6addr_any is missing.
2009-12-23 17:03:42 +01:00
a37cf4580a
Semicolon removed.
2009-12-23 17:03:42 +01:00
3f490ff978
According to the man page (and the header files in Android) prctl takes a total of 5 arguments.
2009-12-23 17:03:42 +01:00
01e606546c
Cache queue locking in credential manager corrected.
2009-12-23 17:03:41 +01:00
47e98cda5f
Join worker threads when destroying the processor.
2009-12-23 17:03:41 +01:00
b97cc0ab3f
Callback job refactored and fixed.
2009-12-23 17:03:41 +01:00
89ec5bef08
Whitespace cleanup.
2009-12-23 17:03:41 +01:00
4a5a5dd290
Using the thread wrapper in charon, libstrongswan and their plugins.
2009-12-23 17:03:41 +01:00
070ac5b0b7
Check if libpthread is required or not.
2009-12-23 17:02:26 +01:00
eba64cef41
Separated the public interfaces of the threading primitives.
2009-12-23 17:01:53 +01:00
14f7091280
Moved mutex.c to a separate folder in order to cleanly wrap other threading primitives (and utils/mutex.h is now threading.h).
2009-12-23 17:00:58 +01:00
32d8f44229
verify RFC3779 IP address blocks along X.509 certificate trust chain
2009-12-23 14:21:31 +01:00
1125a0be81
moved traffic_selectors from charon to libstrongswan
2009-12-20 14:57:38 +01:00
9789d3a9b9
fixed updown plugin for mixed IPv4/IPv6 tunnels
2009-12-17 17:32:55 +01:00
6ec949e022
Fixed BEET mode by installing SAs with negotiated address in traffic selector
2009-12-17 10:52:07 +01:00
a461e20dd8
provide attributes from SQL database
2009-12-16 12:31:41 +01:00
fc85786921
Install v6 routes via outgoing interface for now
2009-12-14 14:44:24 +01:00
4b615edab4
some code optimizations
2009-12-09 00:24:42 +01:00
89d236f0da
Support "_" and "-" variants of NetworkManager pkg-config packages
2009-12-08 14:36:22 +01:00
88dbccc842
Remove generated config.h.in from source tree
2009-12-08 14:36:21 +01:00
268911a5cc
The attribute manager was moved from daemon_t to libstrongswan.
2009-12-07 16:00:27 +01:00
cd51437e43
Do not execute the callback job if it has been cancelled since registration
2009-12-03 08:00:43 +01:00
c636bc7e17
Cleanup library if daemon initialization fails
2009-12-03 08:00:43 +01:00
376a11db3c
Do not install invalid 0.0.0.0 DNS servers
2009-12-01 15:46:56 +01:00
5b4d0de7d4
Prefer EAP-Identity for provider attribute/address lookup
2009-12-01 14:24:07 +01:00
f6116e61fc
Save EAP-Identity on auth config
2009-12-01 14:24:06 +01:00
44ce749360
Store completed authentication rounds permanently on IKE_SA, with flush option
2009-12-01 11:35:30 +01:00
5b2b4d190a
Removed obsolete and unused [gs]et_eap_identity() methods
2009-11-30 16:59:23 +01:00
5351e51951
Do not propose transport mode as initiator if connection is NATed
2009-11-30 11:32:26 +01:00
bff9f824ed
Verify EAP-SIM/AKA AT_MAC before processing any attributes
2009-11-30 10:00:06 +01:00
b04e72c21c
SIM/AKA/Request/Reauthentication AT_MAC does not include NONCE_S, only the response
2009-11-30 09:27:39 +01:00
8434c88b5e
Extended SIM manager by hooks, currently featuring attribute and key hooks
2009-11-30 09:27:26 +01:00
fb1ae8da52
Added a get_sa() method to the bus, allowing a thread to lookup its IKE_SA
2009-11-30 09:27:14 +01:00
c56d958243
Handle NOT_SUPPORTED or other errors properly in get_quintuplet
2009-11-30 09:26:35 +01:00
2b2c69e992
Use transport mode ESP SA if IPcomp is used, IPcomp already applies outer IP header
2009-11-26 16:03:06 +01:00
6780edc07e
Use full algorithm name for SHA384/512 HMACs
2009-11-26 10:39:26 +01:00
6546482a68
Support the Linux specific SHA256 96 bit truncation HMAC via "sha256_96" keyword
2009-11-26 10:39:25 +01:00
eebfa73fd5
Install SHA256_128 auth algorithm with specified 128 bit truncation
2009-11-26 10:39:25 +01:00
5be75c2cb1
Added support for IPv6 source route installation
2009-11-26 10:31:00 +01:00
387a6e6c32
Check existing path in mobike probing only if we still have a route
2009-11-26 10:30:59 +01:00
4b55cf5d09
put identities in single quotes
2009-11-25 09:02:09 +01:00
653da7c907
added more debugging in configuration attribute handling
2009-11-24 23:17:07 +01:00
227583ba59
updated IKEv2 notification messages assigned by IANA
2009-11-24 09:21:00 +01:00
06f02f993c
Do not recreate existing create_child subtask when retrying with different DH group
2009-11-23 13:50:01 +01:00
0d1d19b99d
Avoid potentially unaligned half-word read
2009-11-23 13:49:19 +01:00
ad78bb13c8
Correctly set host number to zero when computing traffic selector range
2009-11-23 10:34:30 +01:00
dd326c114f
Use abort() instead of raising SIGKILL, gives us proper core dumps if enabled
2009-11-20 14:36:24 +01:00
832f283150
Use status_t return value for get_quintuplet() dummy implementations
2009-11-20 11:02:06 +01:00
80b44cd71a
Message stringification supports more detailed EAP payload information
2009-11-18 10:37:46 +01:00
1427c93fcd
Fixed memleak in attribute handling
2009-11-17 15:55:45 +00:00
d674c2ace0
attr plugin supports any custom attribute type having a v4/v6 IP under the charon.plugins.attr namespace
2009-11-17 15:53:57 +00:00
b5a2055fb1
Give plugins more control of which configuration attributes to request, and pass received attributes back to the requesting handler
2009-11-17 14:51:50 +01:00
e6cf060275
Encrypt payloads with missing rule, fix insertion of non-encrypted payloads
2009-11-12 14:52:12 +00:00
074444972a
Build libsimaka with libtool, as we require a PIC-enabled version
2009-11-12 13:37:07 +00:00
addfeeff9c
Do not complain about missing payload order rules for private use payloads
2009-11-12 13:37:06 +00:00
5bfe1b2529
Properly initialize attribute encoding/length values
2009-11-12 13:37:06 +00:00
733538a421
Identation/whitespace cleanups
2009-11-12 13:37:06 +00:00
82713deafd
Simplified vendor ID payload interface
2009-11-12 13:37:06 +00:00
20d144e72f
Invoke message hook before generation, allowing plugins to mangle it
2009-11-12 13:37:06 +00:00
1a86be6e48
Support variable RES length in AKA quintuplets
2009-11-12 10:34:02 +01:00
15b65bf15d
Ported pseudonym/reauth functionality to EAP-AKA
2009-11-12 10:34:01 +01:00
3374cb0f44
Passing other as NULL should not always result in a match if me matches
2009-11-12 10:34:01 +01:00
947b03fd09
Use new identity constructor in EAP-SIM
2009-11-12 10:34:01 +01:00
0109846aa1
Moved card/provider enumeration to SIM manager, providing wrapped functions for both SIM and AKA plugins
2009-11-12 10:34:01 +01:00
eb7bf91e12
Added option to disable identity requests completely (old behavior)
2009-11-12 10:34:01 +01:00
0107f5b687
Fixed replacing existing reauthentication data
2009-11-12 10:34:01 +01:00
2dbac2ab9c
Initiate full authentication if reauthentication identity is unknown
2009-11-12 10:34:01 +01:00
edcb2dd35b
Moved reauth/pseudonym functionality from eap-sim-file to separate plugins, usable by any SIM/AKA backend
2009-11-12 10:34:01 +01:00
acb561373a
eap-sim-file plugin supports volatile in-memory storage of fast reauthentication data
2009-11-12 10:34:01 +01:00
c5ec0f48e7
Initial support for fast reauthentication in EAP-SIM
2009-11-12 10:34:00 +01:00
454b59c5fd
EAP-SIM/AKA crypto helper supports key derivation for fast reauthentication
2009-11-12 10:34:00 +01:00
e1a8729de0
Fallback to permanent identity request if pseudonym mapping failed
2009-11-12 10:34:00 +01:00
c2f8c6a11e
Query triplet/quintuplet functions with permanent identity only,
...
extended sim_provider with a is_pseudonym() function.
2009-11-12 10:34:00 +01:00
2d112ca310
eap-sim-file plugin can store pseudonym information volatile in memory
2009-11-12 10:34:00 +01:00
0328fe940d
Impemented basic pseudonym support in EAP-SIM
2009-11-12 10:34:00 +01:00
0e20893d81
Pass SIM/AKA crypto helper to constructor of message
2009-11-12 10:34:00 +01:00
13f418b442
Added a doxygen group for libsimaka, some cleanups
2009-11-12 10:34:00 +01:00
bcf8a0ff94
Added missing hasher include
2009-11-12 10:33:59 +01:00
4735965fc0
EAP servers check if the received EAP message was expected
2009-11-12 10:33:59 +01:00
02f785b050
Use existing triplet length definitions
2009-11-12 10:33:59 +01:00
aea334ec1c
Splitted EAP-AKA in peer and server implementations, use libsimaka helper library
2009-11-12 10:33:59 +01:00
6d90881573
Proper handling of non-skippable attributes and client error codes in EAP-SIM
2009-11-12 10:33:59 +01:00
e9c03f5243
Use the EAP-SIM/AKA crypto helper in EAP-SIM
2009-11-12 10:33:59 +01:00
ac4dd5439b
Migrated EAP-SIM to libsimaka, separated server/peer implementations
2009-11-12 10:33:58 +01:00
44e8eea17a
sim_provider_t API gained support for pseudonym/fast reauthentication
2009-11-12 10:33:58 +01:00
8f364b5433
sim_card_t API gained support for pseudonym/fast reauthentication
2009-11-12 10:33:58 +01:00
ee8486afdb
adapted log message
2009-11-10 23:55:55 +01:00
cc543182bc
added separating line
2009-11-10 21:50:34 +01:00
67c3875c02
Install bypass policies after creating XFRM netlink socket, loading xfrm_user module
2009-11-09 15:07:00 +01:00
8a650a2bc8
put PGP userid in single quotes
2009-11-08 23:58:41 +01:00
ab5762e32a
list v3 or v4 fingerprint
2009-11-08 23:21:03 +01:00
9a127590ac
stroke_list supports listing of PGP certificates
2009-11-08 21:01:12 +01:00
4c68a85a75
implemented path length constraint checkinf for IKEv2
2009-11-04 23:37:15 +01:00
fae322219f
output optional pathLenConstraint in ipsec listcacerts
2009-11-04 07:30:07 +01:00
4a38687ae7
Use XFRM instead of PF_KEY IKE bypass policies in netlink based kernel interface
2009-10-30 11:19:32 +01:00
140816b055
Query secrets in EAP-MD5 with me/other identities, fixing lookup in NetworkManager
2009-10-26 08:47:40 +01:00
c5f36782ca
Hand out shared secret of load tester for all identities
2009-10-22 16:44:07 +02:00
4952dc11da
Fixed all doxygen warnings
2009-10-22 14:34:10 +02:00
0d73fe88b2
Load-testers PSK is used for all purposes, including EAP authentication
2009-10-20 15:54:13 +02:00
c51b78eb2a
hyphenate eap-radius
2009-10-17 09:23:09 +02:00
1eab115a8b
Do not null-terminate url in hash-and-url payloads
2009-10-16 09:21:28 +02:00
1310fbd322
moved .gitignore for pool
2009-10-15 14:58:09 +02:00
f48ceeb1d1
Renamed plugin configuration sections to the actual plugin name
2009-10-15 10:36:17 +02:00
c4d53fe06b
Streamlined EAP plugins to use a dash between eap-method, as used in all other places
2009-10-15 10:36:17 +02:00
b76b867c70
Renamed --enable-load-tests to --enable-load-tester, like the plugin itself
2009-10-15 10:36:17 +02:00
406f335938
Updated configuration directive of resolve plugin, renamed from resolv_conf
2009-10-15 10:14:10 +02:00
270bb348e3
pluto now supports SQL-based virtual IP pools
2009-10-14 14:30:14 +02:00
bb56e3f962
Improved debugging log in SIM triplet lookup
2009-10-14 09:55:14 +02:00
247794827e
move SQL-based pool functionality to new attr-sql libstrongswan plugin
2009-10-13 17:02:29 +02:00
930443afff
moved attribute_manager to libstrongswan
2009-10-13 13:46:27 +02:00
a2b50c5d60
Fixed assignment of get_triplet() dummy implementation
2009-10-13 11:05:01 +02:00
88eb0a4235
INTERNAL_IP6_NETMASK needed for ModeConfig
2009-10-12 19:45:12 +02:00
073e7dc062
Merged SIM/USIM manager/card/provider, avoids code duplication
2009-10-12 14:40:21 +02:00
f7897b64f6
Added ${shlibs:Depends} dependency to Debian package
2009-10-12 14:06:51 +02:00
3690d31a2a
Added .gitignore for NM Debian package build
2009-10-12 14:06:51 +02:00
68d23d2401
Pass NULL as other identity in EAP-AKA 3GPP2 to find a match with all plugins
2009-10-12 09:51:46 +02:00
9b2942f68d
Stroke plugin interprets NULL identities as ID_ANY in shared key lookup
2009-10-12 09:51:45 +02:00
5d5e2853b6
SIM card interface takes IMSI as parameter (same as in USIM)
2009-10-09 13:02:20 +02:00
31f5280cee
Fixed USIM parameter description
2009-10-09 13:02:20 +02:00
424ddf801c
Do not use monotonic time for AKA sequence numbers, it has an undefined starting point
2009-10-09 13:02:20 +02:00
655728621b
Use constants instead of sizeof(), sizeof() does not work for function arguments
2009-10-09 13:02:20 +02:00
aba93dcc32
Calculate missing CK/IK values in USIM
2009-10-09 13:02:20 +02:00
aca7ba0ffc
Link 3gpp2 EAP-AKA plugin to libgmp
2009-10-09 13:02:20 +02:00
53a16b72ab
Separated 3gpp2 USIM card and provider functionality
2009-10-09 13:02:20 +02:00
0030880c6b
Ported AKA functions to 3gpp2 plugin
2009-10-09 13:02:19 +02:00
4720815774
Added a stub for the EAP-AKA backend implementing the 3GPP2 functions in software
2009-10-09 13:02:19 +02:00
36a3bccfcf
Implemented a manager for USIM cards/providers very similar to the SIM manager
2009-10-09 13:02:19 +02:00
4b1cd5a367
Reenabled acq_expires SA timer using rekey timeout
...
While not using a SA expiration for allocating SPIs works fine,
the situation is much more problematic for kernel-created temporary
SAs from acquires. If the negotiation of such a CHILD_SA fails,
the created temporary SA can not be deleted.
2009-10-07 13:09:59 +02:00
991f7ccd6c
Catch CHILD_SA state changes during acquire
...
If an acquire fails due to a TS_UNACCEPTABLE or other CHILD_SA only errors,
we have to reset the pending state in the trap manager.
2009-10-07 13:09:59 +02:00
cf85e1319b
streamlined output from get_validity()
2009-10-06 14:22:27 +02:00
0da0f3fc3f
delete group attributes after use
2009-10-05 23:17:36 +02:00
a9fe23cf53
stroke_list outputs group attributes
2009-10-05 23:13:51 +02:00
408e46a324
ipsec pki --issue suports --flag authServer option
2009-10-05 22:44:01 +02:00
6eacaffc72
Cleaned up EAP-AKA en/decoding, eliminated unaligned half-word reads
2009-10-05 14:06:32 +02:00
3b836fc759
Cleaned up EAP-SIM en/decoding, eliminated unaligned half-word reads
2009-10-05 13:32:41 +02:00
f12d8cf719
Do not increase the invalid-KE/Cookie retry counter for additional keyingtry attempts
2009-09-24 14:49:41 +02:00
cf76c42903
Do not create a replacement IKE_SA if we have CHILD_SAs to route only
2009-09-24 14:49:41 +02:00
6e6975395e
Using the correct type for ME_ENDPOINT payloads in connectivity checks.
2009-09-24 11:29:34 +02:00
02bf410aa9
certificate subject DNs are in double quotes
2009-09-23 22:03:52 +02:00
b362cc2382
streamlining of credential loading debug output
2009-09-23 21:55:48 +02:00
0406ed7a16
Fixed a crash in source address lookup
2009-09-23 11:18:30 +02:00
a7f79ee9c1
Define ME for all charon plugins
2009-09-23 11:13:27 +02:00
e20b792108
Correctly handle --enable-mediation option
2009-09-23 10:50:00 +02:00
b262680175
Emit a ALERT_SHUTDOWN_SIGNAL before shutting down the daemon
2009-09-22 17:00:00 +02:00
4b15ee8cd9
shortened file loading debug output
2009-09-22 12:33:13 +02:00
f1092e20f4
Fixed encoding of hash-and-url cert payload
2009-09-22 10:07:04 +02:00
cb64b21217
Do not assign SIM version to a volatile buffer on stack
2009-09-22 09:11:35 +02:00
c84b139a87
Credential backends use has_fingerprint() methods to select keys/certificates
2009-09-21 17:03:00 +02:00
fde7f5abf8
Correctly serve certificates if CERT_ANY requested
2009-09-21 15:34:29 +02:00
c6a8990bc5
Enforce a local address of the same family as remote address
2009-09-21 15:30:40 +02:00
c331bce51d
Return certificates of requested kind only
2009-09-21 14:43:57 +02:00
399ce164ad
delete resolv_conf_* files
2009-09-20 21:59:36 +02:00
4819ec6a71
resolv_conf plugin renamed to resolve
2009-09-20 19:06:58 +02:00
c7a64d6f41
Use helper functions to handle (non-)skippable attributes
2009-09-18 15:08:43 +02:00
e466139c91
Clients can handle AKA-Identity requests by sending the full identity
2009-09-18 14:51:35 +02:00
85af7a89c6
nm uses the distributions trusted root CAs if none is explicitly specified
2009-09-18 14:34:27 +02:00
7aa495d9d0
get_private() in listcacerts requires a valid auth cfg
2009-09-17 12:47:03 +02:00
4a03e85b37
Fixed nexthop lookup, used by source route installation
2009-09-16 13:55:32 +02:00
36b7ba5ee3
Use continue to advance to next iteration
2009-09-16 13:32:47 +02:00
b538b606da
Use the default debug hook if possible
2009-09-16 13:16:00 +02:00
e4be5ef8fb
Fall back to default credential set lookup if fingerprint lookup fails
2009-09-15 08:44:10 +02:00
79c6f16212
Implemented support for preinstalled PGP certificates in charon
2009-09-15 08:23:48 +02:00
3b878dae7e
Removed chunk_from_buf() in favor of a simpler chunk_from_chars() macro
2009-09-11 15:39:35 +02:00
356b2b2780
pass NULL to library_init() to load settings from default file
2009-09-10 18:52:42 +02:00
5b03a350fc
use NULL to load plugins from default plugin directory
2009-09-10 18:52:42 +02:00
faa4bd49fb
use sysconfdir, no need for an additional confdir variable
2009-09-07 15:10:30 +02:00
b7b5653386
Use macros to define --with options
2009-09-07 15:00:45 +02:00
8b3b4a244e
Removed trailing whitespaces in configure.in/Makefile.am
2009-09-07 11:48:03 +02:00
0755e98e5c
Cleaned up some code of the mediation extension.
2009-09-04 15:48:30 +02:00
f4b975a65d
Moved set_state after the DBG0 statement, so that the message gets logged also for mediation connections without CHILD_SA.
2009-09-04 15:13:12 +02:00
7b3814f75d
remove spaces before tabs at the beginning of lines (^( )+\t)
2009-09-04 15:02:11 +02:00
b9b8a98f47
remove spaces within tabs (\t( )+\t)
2009-09-04 15:00:19 +02:00
323f9f990f
replaces four spaces by tabs, where appropriate
2009-09-04 14:50:23 +02:00
7daf5226b7
removed trailing spaces ([[:space:]]+$)
2009-09-04 13:46:09 +02:00
7d1b030446
fixed open failure debug message in load_secrets
2009-09-04 11:52:28 +02:00
dd2b6f3073
fixed memleak in rekey collissions
2009-09-03 18:09:29 +02:00
72e2faf291
Convert empty CREATE_CHILD_SA exchange to an INFORMATIONAL
2009-09-03 17:32:41 +02:00
9beb83868f
Use get_notify() to look up single notifies
2009-09-03 17:32:01 +02:00
d176994235
Use recursive source address lookup if we get a gateway only
2009-09-03 14:46:39 +02:00
dece3d8efc
Fixed load_secrets to acquire/release lock in level 0 only
...
The write_lock call fails with EDEADLK and unlocks in the
next recursion level.
2009-09-03 14:46:36 +02:00
a20e98749a
Simplified the search for ME_CONNECTID notifies.
2009-09-02 17:30:47 +02:00
484a06bce7
Fixed some typos; whitespace cleanup.
2009-09-02 17:30:46 +02:00
5293b02945
Missing commas added.
2009-09-02 17:29:44 +02:00
8fb4edc4ff
handle plugin loading failures
2009-09-01 16:20:45 +02:00
e75f423753
Refactored the lifetime_cfg_t struct to be simpler and more expressive. Initialization is now static.
2009-09-01 12:54:33 +02:00
abff49a7ff
Handling of new lifetime limits added to stroke.
2009-09-01 12:53:44 +02:00
f40c115531
If no inbound CHILD_SA is found, try to find an outbound SA.
...
Due to the new lifetime limits in- and outbound SAs may expire
individually.
2009-09-01 12:53:44 +02:00
1087b9cebb
Set the packet and byte limits in the netlink and pfkey kernel interfaces.
2009-09-01 12:53:44 +02:00
e3c7e72973
Terminology and return value of get_lifetime of child_sa_t corrected.
2009-09-01 12:53:44 +02:00
cb123493d1
child_sa_t adapted to the new lifetime configuration.
2009-09-01 12:53:43 +02:00
888af96343
Adapted the kernel interfaces to the new lifetime configuration.
2009-09-01 12:53:13 +02:00
e0a8a8c3ec
Adapted the config backends to the new lifetime configuration.
2009-09-01 12:50:50 +02:00
caf87c7dcb
child_cfg_t now takes a lifetime_cfg_t to configure the lifetime limits. Also adjusted the jitter calculation, so it works for values > RAND_MAX.
2009-09-01 12:50:50 +02:00
86e4728550
lifetime_cfg_t added to configure lifetime limits of a CHILD_SA.
2009-09-01 12:50:50 +02:00
6180a55852
use time_monotonic() instead of time() for statistics and time difference calculations
2009-08-31 18:00:28 +02:00
de5784452b
use time_monotonic() instead of gettimeofday() for time difference calculations
2009-08-31 15:25:03 +02:00
3d5818ec38
use monotonic time source in convar->timed_wait, and in the scheduler using it
2009-08-31 15:13:48 +02:00
8365f7cd81
fixed crash in crl listing
2009-08-31 10:21:38 +02:00
500f515a64
moved chunk_increment() function to libstrongswan
2009-08-26 14:07:26 +02:00
9c3d2b3d60
updated medsrv and test to new fingerprint/encoding API
2009-08-26 11:23:55 +02:00
1cd0d7969a
updated load-tester plugin to new fingerprinting API
2009-08-26 11:23:53 +02:00
8eefe4617f
use only KEY_ID_PUBKEY_SHA1 fingerprint charon internally
2009-08-26 11:23:53 +02:00
87d2026341
updated nm plugin to new fingerprinting API
2009-08-26 11:23:53 +02:00
c5cd195c6c
updated stroke plugin to fingerprinting API
2009-08-26 11:23:53 +02:00
64fdbce4da
updated charon to new fingerprinting API
2009-08-26 11:23:53 +02:00
750bbcf9a8
added support for %prompt-ing private key passhprases in strokes "ipsec secrets"
2009-08-26 11:23:50 +02:00
280469923d
make use of the pem helper plugin to load credentials
2009-08-26 11:23:49 +02:00
469083cc7d
disable lifetimes of allocated SPIs
...
The default lifetime of 30 seconds is too short, as a tunnel
setup may need several minutes if we have high packet loss. Instead
of increasing the value, we disable lifetimes completely, as we handle
the removal of such SAs from userland just fine.
2009-08-25 18:15:25 +02:00
1bc0b4f795
remove incomplete SAs with PROTO_ESP
2009-08-25 18:12:55 +02:00
8a17c1f907
check integrity of pool code file
2009-08-17 15:46:56 +02:00
2f5b1e0eb7
check success of library_init()
2009-08-14 22:13:51 +02:00
26965b4ef3
OpenSolaris needs libsocket and libnsl for socket().
2009-08-14 14:50:53 +02:00
932fdc38de
Enable CMSG headers and macros on OpenSolaris.
2009-08-14 14:50:52 +02:00
8c3627c5ae
Added define to get sigwait with two parameters on OpenSolaris.
2009-08-14 14:50:51 +02:00
a3ccf95f3f
LOG_AUTHPRIV is not defined on OpenSolaris.
2009-08-14 13:37:07 +02:00
3901937d14
OpenSolaris defines MUTEX_DEFAULT therefore we rename the members of the enums mutex/condvar/rwlock_type_t.
2009-08-14 13:30:59 +02:00
8ddcac4c48
prepare CAMELLIA_CCM ESP encryption
2009-08-10 16:30:42 +02:00
dd4c14f37c
set protocol to ESP for policies installed as a trap
2009-08-07 16:05:32 +02:00
4b5b92bfee
%llu correctly prints u_int64_t
2009-08-07 09:50:36 +02:00
4a02deb088
printing u_int64_t caused segfault on 32-bit platforms
2009-08-07 08:47:29 +02:00
99dd42918e
do not set usetime if query_policy() fails
2009-08-07 05:59:09 +02:00
79ff614144
Use LONG_MAX instead of a hard-coded value.
2009-08-06 18:22:01 +02:00
bfca7aa5ed
FreeBSD returns the current policy use time only after specifying a hard lifetime when installing the policy.
2009-08-06 18:14:44 +02:00
c3a78360a8
Fixed a race condition when querying stats of a child_sa in different order.
2009-08-06 16:47:32 +02:00
3646c8a159
abort pluto or charon if initialization fails
2009-08-06 16:32:52 +02:00
dd83c6d490
Don't query the policy usetime if there was no traffic on the SA.
...
This helps in cases where a policy is assigned to more than one SA. That
is, SAs now should have different usetimes even if they use the same policy.
2009-08-06 15:14:54 +02:00
b3f8ea8346
Reverted the interface changes introduced in 3f720dc7.
2009-08-06 13:31:54 +02:00
51c037cc71
added support for ipsec.secrets "include" directive
2009-08-06 11:48:19 +02:00
1e7b4b0028
Reversed the check for udp.h, fixes compilation on Linux.
2009-08-06 10:01:59 +02:00
7da1f4a0ff
Enabling UDP encapsulation via setsockopt fails on Mac OS X (it is also not required as this is done using sysctl).
2009-08-05 12:31:10 +02:00
fcdf491a21
output number of transmitted bytes in closing CHILD_SA statement
2009-08-04 23:08:42 +02:00
524f9ac470
FreeBSD only reports a policy's usetime if a lifetime has been specified when the policy was added (we only specify a lifetime on the SA, not on the policy).
2009-08-04 11:08:58 +02:00
Martin Willi