Martin Willi
71da001753
Made inactivity_timeout a per CHILD_SA config option
2010-01-27 15:47:08 +01:00
Martin Willi
db05341916
Refactored EAP payload, avoid unaligned word access
2010-01-21 14:43:07 +01:00
Martin Willi
47498044c3
Support RADIUS messages up to 4096 bytes, RADIUS EAP-Message fragmentation
2010-01-19 16:47:21 +01:00
Martin Willi
7eab4a1be6
Support TLS client authentication Extended Key Usage in x509 generation
2010-01-14 12:00:43 +01:00
Tobias Brunner
776f59f7be
Block the signals before the call to sigwait.
2010-01-12 11:52:03 +01:00
Martin Willi
aa9eeb5deb
Support for closing CHILD/IKE_SA if a CHILD_SA is inactive.
2010-01-12 10:23:42 +01:00
Martin Willi
bc6ff2fc99
Added strongswan.conf options to configure retransmission timeouts
2010-01-11 16:42:12 +01:00
Andreas Steffen
b979032088
log EAP-only authentication proposal
2010-01-11 11:17:40 +01:00
Martin Willi
34948b9971
EAP-MSCHAPv2 is indeed mutual, but is prone to MITM dictionary attacks
2010-01-07 15:56:11 +01:00
Martin Willi
f34702ff3f
Support EAP-only authentication for mutual and key deriving EAP methods
2010-01-07 15:51:30 +01:00
Martin Willi
12fca6cc9f
Indicate and detect support for EAP-only authentication
2010-01-07 14:30:28 +01:00
Martin Willi
023fd8f135
Match to private use algorithms only if we know we are talking to strongSwan
2010-01-07 11:07:53 +01:00
Martin Willi
b3349c5694
Interpret private use BEET mode notify only if we know we are talking to strongSwan
2010-01-07 09:37:38 +00:00
Martin Willi
a5a0bcaa04
Add an option to send a vendor ID, allows us to properly support private extensions
2010-01-07 09:37:27 +00:00
Andreas Steffen
7eaec999ca
make error message about missing MD4 hasher more explicit
2009-12-30 23:32:03 +01:00
Andreas Steffen
83c282ebb4
differentiate EAP method initialization errors
2009-12-30 21:34:59 +01:00
Andreas Steffen
d002c62347
enforce RFC 3779 address constraints on traffic selectors
2009-12-25 11:20:58 +01:00
Tobias Brunner
ff4d4aa99a
Adapted the load_tester kernel-interface to the changes introduced in 6ec949e02.
2009-12-23 17:15:28 +01:00
Tobias Brunner
cb186f9922
Added some IPv6 tweaks for Android.
Android 1.6 does not yet support the Advanced Sockets API for IPv6 as defined in
RFC 3542. Also, in6addr_any is missing.
2009-12-23 17:03:42 +01:00
Tobias Brunner
a37cf4580a
Semicolon removed.
2009-12-23 17:03:42 +01:00
Tobias Brunner
3f490ff978
According to the man page (and the header files in Android) prctl takes a total of 5 arguments.
2009-12-23 17:03:42 +01:00
Tobias Brunner
01e606546c
Cache queue locking in credential manager corrected.
2009-12-23 17:03:41 +01:00
Tobias Brunner
47e98cda5f
Join worker threads when destroying the processor.
2009-12-23 17:03:41 +01:00
Tobias Brunner
b97cc0ab3f
Callback job refactored and fixed.
2009-12-23 17:03:41 +01:00
Tobias Brunner
89ec5bef08
Whitespace cleanup.
2009-12-23 17:03:41 +01:00
Tobias Brunner
4a5a5dd290
Using the thread wrapper in charon, libstrongswan and their plugins.
2009-12-23 17:03:41 +01:00
Tobias Brunner
070ac5b0b7
Check if libpthread is required or not.
2009-12-23 17:02:26 +01:00
Tobias Brunner
eba64cef41
Separated the public interfaces of the threading primitives.
2009-12-23 17:01:53 +01:00
Tobias Brunner
14f7091280
Moved mutex.c to a separate folder in order to cleanly wrap other threading primitives (and utils/mutex.h is now threading.h).
2009-12-23 17:00:58 +01:00
Andreas Steffen
32d8f44229
verify RFC3779 IP address blocks along X.509 certificate trust chain
2009-12-23 14:21:31 +01:00
Andreas Steffen
1125a0be81
moved traffic_selectors from charon to libstrongswan
2009-12-20 14:57:38 +01:00
Andreas Steffen
9789d3a9b9
fixed updown plugin for mixed IPv4/IPv6 tunnels
2009-12-17 17:32:55 +01:00
Martin Willi
6ec949e022
Fixed BEET mode by installing SAs with negotiated address in traffic selector
2009-12-17 10:52:07 +01:00
Andreas Steffen
a461e20dd8
provide attributes from SQL database
2009-12-16 12:31:41 +01:00
Martin Willi
fc85786921
Install v6 routes via outgoing interface for now
2009-12-14 14:44:24 +01:00
Andreas Steffen
4b615edab4
some code optimizations
2009-12-09 00:24:42 +01:00
Martin Willi
89d236f0da
Support "_" and "-" variants of NetworkManager pkg-config packages
2009-12-08 14:36:22 +01:00
Martin Willi
88dbccc842
Remove generated config.h.in from source tree
2009-12-08 14:36:21 +01:00
Tobias Brunner
268911a5cc
The attribute manager was moved from daemon_t to libstrongswan.
2009-12-07 16:00:27 +01:00
Martin Willi
cd51437e43
Do not execute the callback job if it has been cancelled since registration
2009-12-03 08:00:43 +01:00
Martin Willi
c636bc7e17
Cleanup library if daemon initialization fails
2009-12-03 08:00:43 +01:00
Martin Willi
376a11db3c
Do not install invalid 0.0.0.0 DNS servers
2009-12-01 15:46:56 +01:00
Martin Willi
5b4d0de7d4
Prefer EAP-Identity for provider attribute/address lookup
2009-12-01 14:24:07 +01:00
Martin Willi
f6116e61fc
Save EAP-Identity on auth config
2009-12-01 14:24:06 +01:00
Martin Willi
44ce749360
Store completed authentication rounds permanently on IKE_SA, with flush option
2009-12-01 11:35:30 +01:00
Martin Willi
5b2b4d190a
Removed obsolete and unused [gs]et_eap_identity() methods
2009-11-30 16:59:23 +01:00
Martin Willi
5351e51951
Do not propose transport mode as initiator if connection is NATed
2009-11-30 11:32:26 +01:00
Martin Willi
bff9f824ed
Verify EAP-SIM/AKA AT_MAC before processing any attributes
2009-11-30 10:00:06 +01:00
Martin Willi
b04e72c21c
SIM/AKA/Request/Reauthentication AT_MAC does not include NONCE_S, only the response
2009-11-30 09:27:39 +01:00
Martin Willi
8434c88b5e
Extended SIM manager by hooks, currently featuring attribute and key hooks
2009-11-30 09:27:26 +01:00
Martin Willi
fb1ae8da52
Added a get_sa() method to the bus, allowing a thread to lookup its IKE_SA
2009-11-30 09:27:14 +01:00
Martin Willi
c56d958243
Handle NOT_SUPPORTED or other errors properly in get_quintuplet
2009-11-30 09:26:35 +01:00
Martin Willi
2b2c69e992
Use transport mode ESP SA if IPcomp is used, IPcomp already applies outer IP header
2009-11-26 16:03:06 +01:00
Martin Willi
6780edc07e
Use full algorithm name for SHA384/512 HMACs
2009-11-26 10:39:26 +01:00
Martin Willi
6546482a68
Support the Linux specific SHA256 96 bit truncation HMAC via "sha256_96" keyword
2009-11-26 10:39:25 +01:00
Martin Willi
eebfa73fd5
Install SHA256_128 auth algorithm with specified 128 bit truncation
2009-11-26 10:39:25 +01:00
Martin Willi
5be75c2cb1
Added support for IPv6 source route installation
2009-11-26 10:31:00 +01:00
Martin Willi
387a6e6c32
Check existing path in mobike probing only if we still have a route
2009-11-26 10:30:59 +01:00
Andreas Steffen
4b55cf5d09
put identities in single quotes
2009-11-25 09:02:09 +01:00
Andreas Steffen
653da7c907
added more debugging in configuration attribute handling
2009-11-24 23:17:07 +01:00
Andreas Steffen
227583ba59
updated IKEv2 notification messages assigned by IANA
2009-11-24 09:21:00 +01:00
Martin Willi
06f02f993c
Do not recreate existing create_child subtask when retrying with different DH group
2009-11-23 13:50:01 +01:00
Martin Willi
0d1d19b99d
Avoid potentially unaligned half-word read
2009-11-23 13:49:19 +01:00
Eric Mertens
ad78bb13c8
Correctly set host number to zero when computing traffic selector range
2009-11-23 10:34:30 +01:00
Martin Willi
dd326c114f
Use abort() instead of raising SIGKILL, gives us proper core dumps if enabled
2009-11-20 14:36:24 +01:00
Martin Willi
832f283150
Use status_t return value for get_quintuplet() dummy implementations
2009-11-20 11:02:06 +01:00
Martin Willi
80b44cd71a
Message stringification supports more detailed EAP payload information
2009-11-18 10:37:46 +01:00
Martin Willi
1427c93fcd
Fixed memleak in attribute handling
2009-11-17 15:55:45 +00:00
Martin Willi
d674c2ace0
attr plugin supports any custom attribute type having a v4/v6 IP under the charon.plugins.attr namespace
2009-11-17 15:53:57 +00:00
Martin Willi
b5a2055fb1
Give plugins more control of which configuration attributes to request, and pass received attributes back to the requesting handler
2009-11-17 14:51:50 +01:00
Martin Willi
e6cf060275
Encrypt payloads with missing rule, fix insertion of non-encrypted payloads
2009-11-12 14:52:12 +00:00
Martin Willi
074444972a
Build libsimaka with libtool, as we require a PIC-enabled version
2009-11-12 13:37:07 +00:00
Martin Willi
addfeeff9c
Do not complain about missing payload order rules for private use payloads
2009-11-12 13:37:06 +00:00
Martin Willi
5bfe1b2529
Properly initialize attribute encoding/length values
2009-11-12 13:37:06 +00:00
Martin Willi
733538a421
Indentation/whitespace cleanups
2009-11-12 13:37:06 +00:00
Martin Willi
82713deafd
Simplified vendor ID payload interface
2009-11-12 13:37:06 +00:00
Martin Willi
20d144e72f
Invoke message hook before generation, allowing plugins to mangle it
2009-11-12 13:37:06 +00:00
Martin Willi
1a86be6e48
Support variable RES length in AKA quintuplets
2009-11-12 10:34:02 +01:00
Martin Willi
15b65bf15d
Ported pseudonym/reauth functionality to EAP-AKA
2009-11-12 10:34:01 +01:00
Martin Willi
3374cb0f44
Passing other as NULL should not always result in a match if me matches
2009-11-12 10:34:01 +01:00
Martin Willi
947b03fd09
Use new identity constructor in EAP-SIM
2009-11-12 10:34:01 +01:00
Martin Willi
0109846aa1
Moved card/provider enumeration to SIM manager, providing wrapped functions for both SIM and AKA plugins
2009-11-12 10:34:01 +01:00
Martin Willi
eb7bf91e12
Added option to disable identity requests completely (old behavior)
2009-11-12 10:34:01 +01:00
Martin Willi
0107f5b687
Fixed replacing existing reauthentication data
2009-11-12 10:34:01 +01:00
Martin Willi
2dbac2ab9c
Initiate full authentication if reauthentication identity is unknown
2009-11-12 10:34:01 +01:00
Martin Willi
edcb2dd35b
Moved reauth/pseudonym functionality from eap-sim-file to separate plugins, usable by any SIM/AKA backend
2009-11-12 10:34:01 +01:00
Martin Willi
acb561373a
eap-sim-file plugin supports volatile in-memory storage of fast reauthentication data
2009-11-12 10:34:01 +01:00
Martin Willi
c5ec0f48e7
Initial support for fast reauthentication in EAP-SIM
2009-11-12 10:34:00 +01:00
Martin Willi
454b59c5fd
EAP-SIM/AKA crypto helper supports key derivation for fast reauthentication
2009-11-12 10:34:00 +01:00
Martin Willi
e1a8729de0
Fallback to permanent identity request if pseudonym mapping failed
2009-11-12 10:34:00 +01:00
Martin Willi
c2f8c6a11e
Query triplet/quintuplet functions with permanent identity only,
extended sim_provider with an is_pseudonym() function.
2009-11-12 10:34:00 +01:00
Martin Willi
2d112ca310
eap-sim-file plugin can store pseudonym information volatile in memory
2009-11-12 10:34:00 +01:00
Martin Willi
0328fe940d
Implemented basic pseudonym support in EAP-SIM
2009-11-12 10:34:00 +01:00
Martin Willi
0e20893d81
Pass SIM/AKA crypto helper to constructor of message
2009-11-12 10:34:00 +01:00
Martin Willi
13f418b442
Added a doxygen group for libsimaka, some cleanups
2009-11-12 10:34:00 +01:00
Martin Willi
bcf8a0ff94
Added missing hasher include
2009-11-12 10:33:59 +01:00
Martin Willi
4735965fc0
EAP servers check if the received EAP message was expected
2009-11-12 10:33:59 +01:00
Martin Willi
02f785b050
Use existing triplet length definitions
2009-11-12 10:33:59 +01:00
Martin Willi
aea334ec1c
Split EAP-AKA in peer and server implementations, use libsimaka helper library
2009-11-12 10:33:59 +01:00
Martin Willi
6d90881573
Proper handling of non-skippable attributes and client error codes in EAP-SIM
2009-11-12 10:33:59 +01:00
Martin Willi
e9c03f5243
Use the EAP-SIM/AKA crypto helper in EAP-SIM
2009-11-12 10:33:59 +01:00
Martin Willi
ac4dd5439b
Migrated EAP-SIM to libsimaka, separated server/peer implementations
2009-11-12 10:33:58 +01:00
Martin Willi
44e8eea17a
sim_provider_t API gained support for pseudonym/fast reauthentication
2009-11-12 10:33:58 +01:00
Martin Willi
8f364b5433
sim_card_t API gained support for pseudonym/fast reauthentication
2009-11-12 10:33:58 +01:00
Andreas Steffen
ee8486afdb
adapted log message
2009-11-10 23:55:55 +01:00
Andreas Steffen
cc543182bc
added separating line
2009-11-10 21:50:34 +01:00
Martin Willi
67c3875c02
Install bypass policies after creating XFRM netlink socket, loading xfrm_user module
2009-11-09 15:07:00 +01:00
Andreas Steffen
8a650a2bc8
put PGP userid in single quotes
2009-11-08 23:58:41 +01:00
Andreas Steffen
ab5762e32a
list v3 or v4 fingerprint
2009-11-08 23:21:03 +01:00
Andreas Steffen
9a127590ac
stroke_list supports listing of PGP certificates
2009-11-08 21:01:12 +01:00
Andreas Steffen
4c68a85a75
implemented path length constraint checking for IKEv2
2009-11-04 23:37:15 +01:00
Andreas Steffen
fae322219f
output optional pathLenConstraint in ipsec listcacerts
2009-11-04 07:30:07 +01:00
Martin Willi
4a38687ae7
Use XFRM instead of PF_KEY IKE bypass policies in netlink based kernel interface
2009-10-30 11:19:32 +01:00
Martin Willi
140816b055
Query secrets in EAP-MD5 with me/other identities, fixing lookup in NetworkManager
2009-10-26 08:47:40 +01:00
Martin Willi
c5f36782ca
Hand out shared secret of load tester for all identities
2009-10-22 16:44:07 +02:00
Martin Willi
4952dc11da
Fixed all doxygen warnings
2009-10-22 14:34:10 +02:00
Martin Willi
0d73fe88b2
Load-tester's PSK is used for all purposes, including EAP authentication
2009-10-20 15:54:13 +02:00
Andreas Steffen
c51b78eb2a
hyphenate eap-radius
2009-10-17 09:23:09 +02:00
Martin Willi
1eab115a8b
Do not null-terminate url in hash-and-url payloads
2009-10-16 09:21:28 +02:00
Andreas Steffen
1310fbd322
moved .gitignore for pool
2009-10-15 14:58:09 +02:00
Martin Willi
f48ceeb1d1
Renamed plugin configuration sections to the actual plugin name
2009-10-15 10:36:17 +02:00
Martin Willi
c4d53fe06b
Streamlined EAP plugins to use a dash between eap-method, as used in all other places
2009-10-15 10:36:17 +02:00
Martin Willi
b76b867c70
Renamed --enable-load-tests to --enable-load-tester, like the plugin itself
2009-10-15 10:36:17 +02:00
Martin Willi
406f335938
Updated configuration directive of resolve plugin, renamed from resolv_conf
2009-10-15 10:14:10 +02:00
Andreas Steffen
270bb348e3
pluto now supports SQL-based virtual IP pools
2009-10-14 14:30:14 +02:00
Martin Willi
bb56e3f962
Improved debugging log in SIM triplet lookup
2009-10-14 09:55:14 +02:00
Andreas Steffen
247794827e
move SQL-based pool functionality to new attr-sql libstrongswan plugin
2009-10-13 17:02:29 +02:00
Andreas Steffen
930443afff
moved attribute_manager to libstrongswan
2009-10-13 13:46:27 +02:00
Martin Willi
a2b50c5d60
Fixed assignment of get_triplet() dummy implementation
2009-10-13 11:05:01 +02:00
Andreas Steffen
88eb0a4235
INTERNAL_IP6_NETMASK needed for ModeConfig
2009-10-12 19:45:12 +02:00
Martin Willi
073e7dc062
Merged SIM/USIM manager/card/provider, avoids code duplication
2009-10-12 14:40:21 +02:00
Martin Willi
f7897b64f6
Added ${shlibs:Depends} dependency to Debian package
2009-10-12 14:06:51 +02:00
Martin Willi
3690d31a2a
Added .gitignore for NM Debian package build
2009-10-12 14:06:51 +02:00
Martin Willi
68d23d2401
Pass NULL as other identity in EAP-AKA 3GPP2 to find a match with all plugins
2009-10-12 09:51:46 +02:00
Martin Willi
9b2942f68d
Stroke plugin interprets NULL identities as ID_ANY in shared key lookup
2009-10-12 09:51:45 +02:00
Martin Willi
5d5e2853b6
SIM card interface takes IMSI as parameter (same as in USIM)
2009-10-09 13:02:20 +02:00
Martin Willi
31f5280cee
Fixed USIM parameter description
2009-10-09 13:02:20 +02:00
Martin Willi
424ddf801c
Do not use monotonic time for AKA sequence numbers, it has an undefined starting point
2009-10-09 13:02:20 +02:00
Martin Willi
655728621b
Use constants instead of sizeof(), sizeof() does not work for function arguments
2009-10-09 13:02:20 +02:00
Martin Willi
aba93dcc32
Calculate missing CK/IK values in USIM
2009-10-09 13:02:20 +02:00
Martin Willi
aca7ba0ffc
Link 3gpp2 EAP-AKA plugin to libgmp
2009-10-09 13:02:20 +02:00
Martin Willi
53a16b72ab
Separated 3gpp2 USIM card and provider functionality
2009-10-09 13:02:20 +02:00
Martin Willi
0030880c6b
Ported AKA functions to 3gpp2 plugin
2009-10-09 13:02:19 +02:00
Martin Willi
4720815774
Added a stub for the EAP-AKA backend implementing the 3GPP2 functions in software
2009-10-09 13:02:19 +02:00
Martin Willi
36a3bccfcf
Implemented a manager for USIM cards/providers very similar to the SIM manager
2009-10-09 13:02:19 +02:00
Martin Willi
4b1cd5a367
Reenabled acq_expires SA timer using rekey timeout
While not using a SA expiration for allocating SPIs works fine,
the situation is much more problematic for kernel-created temporary
SAs from acquires. If the negotiation of such a CHILD_SA fails,
the created temporary SA can not be deleted.
2009-10-07 13:09:59 +02:00
Martin Willi
991f7ccd6c
Catch CHILD_SA state changes during acquire
If an acquire fails due to a TS_UNACCEPTABLE or other CHILD_SA only errors,
we have to reset the pending state in the trap manager.
2009-10-07 13:09:59 +02:00
Andreas Steffen
cf85e1319b
streamlined output from get_validity()
2009-10-06 14:22:27 +02:00
Andreas Steffen
0da0f3fc3f
delete group attributes after use
2009-10-05 23:17:36 +02:00
Andreas Steffen
a9fe23cf53
stroke_list outputs group attributes
2009-10-05 23:13:51 +02:00
Andreas Steffen
408e46a324
ipsec pki --issue supports --flag authServer option
2009-10-05 22:44:01 +02:00
Martin Willi
6eacaffc72
Cleaned up EAP-AKA en/decoding, eliminated unaligned half-word reads
2009-10-05 14:06:32 +02:00
Martin Willi
3b836fc759
Cleaned up EAP-SIM en/decoding, eliminated unaligned half-word reads
2009-10-05 13:32:41 +02:00
Martin Willi
f12d8cf719
Do not increase the invalid-KE/Cookie retry counter for additional keyingtry attempts
2009-09-24 14:49:41 +02:00
Martin Willi
cf76c42903
Do not create a replacement IKE_SA if we have CHILD_SAs to route only
2009-09-24 14:49:41 +02:00
Tobias Brunner
6e6975395e
Using the correct type for ME_ENDPOINT payloads in connectivity checks.
2009-09-24 11:29:34 +02:00
Andreas Steffen
02bf410aa9
certificate subject DNs are in double quotes
2009-09-23 22:03:52 +02:00
Andreas Steffen
b362cc2382
streamlining of credential loading debug output
2009-09-23 21:55:48 +02:00
Martin Willi
0406ed7a16
Fixed a crash in source address lookup
2009-09-23 11:18:30 +02:00
Martin Willi
a7f79ee9c1
Define ME for all charon plugins
2009-09-23 11:13:27 +02:00
Martin Willi
e20b792108
Correctly handle --enable-mediation option
2009-09-23 10:50:00 +02:00
Martin Willi
b262680175
Emit an ALERT_SHUTDOWN_SIGNAL before shutting down the daemon
2009-09-22 17:00:00 +02:00
Andreas Steffen
4b15ee8cd9
shortened file loading debug output
2009-09-22 12:33:13 +02:00
Martin Willi
f1092e20f4
Fixed encoding of hash-and-url cert payload
2009-09-22 10:07:04 +02:00
Martin Willi
cb64b21217
Do not assign SIM version to a volatile buffer on stack
2009-09-22 09:11:35 +02:00
Martin Willi
c84b139a87
Credential backends use has_fingerprint() methods to select keys/certificates
2009-09-21 17:03:00 +02:00
Martin Willi
fde7f5abf8
Correctly serve certificates if CERT_ANY requested
2009-09-21 15:34:29 +02:00
Martin Willi
c6a8990bc5
Enforce a local address of the same family as remote address
2009-09-21 15:30:40 +02:00
Martin Willi
c331bce51d
Return certificates of requested kind only
2009-09-21 14:43:57 +02:00
Andreas Steffen
399ce164ad
delete resolv_conf_* files
2009-09-20 21:59:36 +02:00
Andreas Steffen
4819ec6a71
resolv_conf plugin renamed to resolve
2009-09-20 19:06:58 +02:00
Martin Willi
c7a64d6f41
Use helper functions to handle (non-)skippable attributes
2009-09-18 15:08:43 +02:00
Martin Willi
e466139c91
Clients can handle AKA-Identity requests by sending the full identity
2009-09-18 14:51:35 +02:00
Martin Willi
85af7a89c6
nm uses the distribution's trusted root CAs if none is explicitly specified
2009-09-18 14:34:27 +02:00
Martin Willi
7aa495d9d0
get_private() in listcacerts requires a valid auth cfg
2009-09-17 12:47:03 +02:00
Martin Willi
4a03e85b37
Fixed nexthop lookup, used by source route installation
2009-09-16 13:55:32 +02:00
Martin Willi
36b7ba5ee3
Use continue to advance to next iteration
2009-09-16 13:32:47 +02:00
Martin Willi
b538b606da
Use the default debug hook if possible
2009-09-16 13:16:00 +02:00
Martin Willi
e4be5ef8fb
Fall back to default credential set lookup if fingerprint lookup fails
2009-09-15 08:44:10 +02:00
Martin Willi
79c6f16212
Implemented support for preinstalled PGP certificates in charon
2009-09-15 08:23:48 +02:00
Martin Willi
3b878dae7e
Removed chunk_from_buf() in favor of a simpler chunk_from_chars() macro
2009-09-11 15:39:35 +02:00
Martin Willi
356b2b2780
pass NULL to library_init() to load settings from default file
2009-09-10 18:52:42 +02:00
Martin Willi
5b03a350fc
use NULL to load plugins from default plugin directory
2009-09-10 18:52:42 +02:00
Martin Willi
faa4bd49fb
use sysconfdir, no need for an additional confdir variable
2009-09-07 15:10:30 +02:00
Martin Willi
b7b5653386
Use macros to define --with options
2009-09-07 15:00:45 +02:00
Martin Willi
8b3b4a244e
Removed trailing whitespaces in configure.in/Makefile.am
2009-09-07 11:48:03 +02:00
Tobias Brunner
0755e98e5c
Cleaned up some code of the mediation extension.
2009-09-04 15:48:30 +02:00
Tobias Brunner
f4b975a65d
Moved set_state after the DBG0 statement, so that the message gets logged also for mediation connections without CHILD_SA.
2009-09-04 15:13:12 +02:00
Martin Willi
7b3814f75d
remove spaces before tabs at the beginning of lines (^( )+\t)
2009-09-04 15:02:11 +02:00
Martin Willi
b9b8a98f47
remove spaces within tabs (\t( )+\t)
2009-09-04 15:00:19 +02:00
Martin Willi
323f9f990f
replaces four spaces by tabs, where appropriate
2009-09-04 14:50:23 +02:00
Martin Willi
7daf5226b7
removed trailing spaces ([[:space:]]+$)
2009-09-04 13:46:09 +02:00
Marius Tomaschewski
7d1b030446
fixed open failure debug message in load_secrets
2009-09-04 11:52:28 +02:00
Martin Willi
dd2b6f3073
fixed memleak in rekey collisions
2009-09-03 18:09:29 +02:00
Martin Willi
72e2faf291
Convert empty CREATE_CHILD_SA exchange to an INFORMATIONAL
2009-09-03 17:32:41 +02:00
Martin Willi
9beb83868f
Use get_notify() to look up single notifies
2009-09-03 17:32:01 +02:00
Martin Willi
d176994235
Use recursive source address lookup if we get a gateway only
2009-09-03 14:46:39 +02:00
Marius Tomaschewski
dece3d8efc
Fixed load_secrets to acquire/release lock in level 0 only
The write_lock call fails with EDEADLK and unlocks in the
next recursion level.
2009-09-03 14:46:36 +02:00
Tobias Brunner
a20e98749a
Simplified the search for ME_CONNECTID notifies.
2009-09-02 17:30:47 +02:00
Tobias Brunner
484a06bce7
Fixed some typos; whitespace cleanup.
2009-09-02 17:30:46 +02:00
Tobias Brunner
5293b02945
Missing commas added.
2009-09-02 17:29:44 +02:00
Martin Willi
8fb4edc4ff
handle plugin loading failures
2009-09-01 16:20:45 +02:00
Tobias Brunner
e75f423753
Refactored the lifetime_cfg_t struct to be simpler and more expressive. Initialization is now static.
2009-09-01 12:54:33 +02:00
Tobias Brunner
abff49a7ff
Handling of new lifetime limits added to stroke.
2009-09-01 12:53:44 +02:00
Tobias Brunner
f40c115531
If no inbound CHILD_SA is found, try to find an outbound SA.
Due to the new lifetime limits in- and outbound SAs may expire
individually.
2009-09-01 12:53:44 +02:00
Tobias Brunner
1087b9cebb
Set the packet and byte limits in the netlink and pfkey kernel interfaces.
2009-09-01 12:53:44 +02:00
Tobias Brunner
e3c7e72973
Terminology and return value of get_lifetime of child_sa_t corrected.
2009-09-01 12:53:44 +02:00
Tobias Brunner
cb123493d1
child_sa_t adapted to the new lifetime configuration.
2009-09-01 12:53:43 +02:00
Tobias Brunner
888af96343
Adapted the kernel interfaces to the new lifetime configuration.
2009-09-01 12:53:13 +02:00
Tobias Brunner
e0a8a8c3ec
Adapted the config backends to the new lifetime configuration.
2009-09-01 12:50:50 +02:00
Tobias Brunner
caf87c7dcb
child_cfg_t now takes a lifetime_cfg_t to configure the lifetime limits. Also adjusted the jitter calculation, so it works for values > RAND_MAX.
2009-09-01 12:50:50 +02:00
Tobias Brunner
86e4728550
lifetime_cfg_t added to configure lifetime limits of a CHILD_SA.
2009-09-01 12:50:50 +02:00
Martin Willi
6180a55852
use time_monotonic() instead of time() for statistics and time difference calculations
2009-08-31 18:00:28 +02:00
Martin Willi
de5784452b
use time_monotonic() instead of gettimeofday() for time difference calculations
2009-08-31 15:25:03 +02:00
Martin Willi
3d5818ec38
use monotonic time source in condvar->timed_wait, and in the scheduler using it
2009-08-31 15:13:48 +02:00
Martin Willi
8365f7cd81
fixed crash in crl listing
2009-08-31 10:21:38 +02:00
Martin Willi
500f515a64
moved chunk_increment() function to libstrongswan
2009-08-26 14:07:26 +02:00
Martin Willi
9c3d2b3d60
updated medsrv and test to new fingerprint/encoding API
2009-08-26 11:23:55 +02:00
Martin Willi
1cd0d7969a
updated load-tester plugin to new fingerprinting API
2009-08-26 11:23:53 +02:00
Martin Willi
8eefe4617f
use only KEY_ID_PUBKEY_SHA1 fingerprint charon internally
2009-08-26 11:23:53 +02:00
Martin Willi
87d2026341
updated nm plugin to new fingerprinting API
2009-08-26 11:23:53 +02:00
Martin Willi
c5cd195c6c
updated stroke plugin to fingerprinting API
2009-08-26 11:23:53 +02:00
Martin Willi
64fdbce4da
updated charon to new fingerprinting API
2009-08-26 11:23:53 +02:00
Martin Willi
750bbcf9a8
added support for %prompt-ing private key passphrases in stroke's "ipsec secrets"
2009-08-26 11:23:50 +02:00
Martin Willi
280469923d
make use of the pem helper plugin to load credentials
2009-08-26 11:23:49 +02:00
Martin Willi
469083cc7d
disable lifetimes of allocated SPIs
The default lifetime of 30 seconds is too short, as a tunnel
setup may need several minutes if we have high packet loss. Instead
of increasing the value, we disable lifetimes completely, as we handle
the removal of such SAs from userland just fine.
2009-08-25 18:15:25 +02:00
Martin Willi
1bc0b4f795
remove incomplete SAs with PROTO_ESP
2009-08-25 18:12:55 +02:00
Andreas Steffen
8a17c1f907
check integrity of pool code file
2009-08-17 15:46:56 +02:00
Andreas Steffen
2f5b1e0eb7
check success of library_init()
2009-08-14 22:13:51 +02:00
Tobias Brunner
26965b4ef3
OpenSolaris needs libsocket and libnsl for socket().
2009-08-14 14:50:53 +02:00
Tobias Brunner
932fdc38de
Enable CMSG headers and macros on OpenSolaris.
2009-08-14 14:50:52 +02:00
Tobias Brunner
8c3627c5ae
Added define to get sigwait with two parameters on OpenSolaris.
2009-08-14 14:50:51 +02:00
Tobias Brunner
a3ccf95f3f
LOG_AUTHPRIV is not defined on OpenSolaris.
2009-08-14 13:37:07 +02:00
Tobias Brunner
3901937d14
OpenSolaris defines MUTEX_DEFAULT, therefore we rename the members of the enums mutex/condvar/rwlock_type_t.
2009-08-14 13:30:59 +02:00
Andreas Steffen
8ddcac4c48
prepare CAMELLIA_CCM ESP encryption
2009-08-10 16:30:42 +02:00
Martin Willi
dd4c14f37c
set protocol to ESP for policies installed as a trap
2009-08-07 16:05:32 +02:00
Andreas Steffen
4b5b92bfee
%llu correctly prints u_int64_t
2009-08-07 09:50:36 +02:00
Andreas Steffen
4a02deb088
printing u_int64_t caused segfault on 32-bit platforms
2009-08-07 08:47:29 +02:00
Andreas Steffen
99dd42918e
do not set usetime if query_policy() fails
2009-08-07 05:59:09 +02:00
Tobias Brunner
79ff614144
Use LONG_MAX instead of a hard-coded value.
2009-08-06 18:22:01 +02:00
Tobias Brunner
bfca7aa5ed
FreeBSD returns the current policy use time only after specifying a hard lifetime when installing the policy.
2009-08-06 18:14:44 +02:00
Tobias Brunner
c3a78360a8
Fixed a race condition when querying stats of a child_sa in different order.
2009-08-06 16:47:32 +02:00
Andreas Steffen
3646c8a159
abort pluto or charon if initialization fails
2009-08-06 16:32:52 +02:00
Tobias Brunner
dd83c6d490
Don't query the policy usetime if there was no traffic on the SA.
This helps in cases where a policy is assigned to more than one SA. That
is, SAs now should have different usetimes even if they use the same policy.
2009-08-06 15:14:54 +02:00
Tobias Brunner
b3f8ea8346
Reverted the interface changes introduced in 3f720dc7.
2009-08-06 13:31:54 +02:00
Martin Willi
51c037cc71
added support for ipsec.secrets "include" directive
2009-08-06 11:48:19 +02:00
Tobias Brunner
1e7b4b0028
Reversed the check for udp.h, fixes compilation on Linux.
2009-08-06 10:01:59 +02:00
Tobias Brunner
7da1f4a0ff
Enabling UDP encapsulation via setsockopt fails on Mac OS X (it is also not required as this is done using sysctl).
2009-08-05 12:31:10 +02:00
Andreas Steffen
fcdf491a21
output number of transmitted bytes in closing CHILD_SA statement
2009-08-04 23:08:42 +02:00
Tobias Brunner
524f9ac470
FreeBSD only reports a policy's usetime if a lifetime has been specified when the policy was added (we only specify a lifetime on the SA, not on the policy).
2009-08-04 11:08:58 +02:00