a69d8dd000
Log group added for applications other than daemons.
2012-06-11 17:09:19 +02:00
25924d3e45
scepclient: Some code cleanup.
2012-06-11 17:09:19 +02:00
07f0abd7ac
Updated PKCS#7 parser/generator in libstrongswan.
...
Added some functionality from pluto's version, updated usage of asn1
and crypto primitives. It does compile but is not really tested yet.
2012-06-11 17:09:19 +02:00
fd03443f42
added missing parameter in get_my_addr() and get_other_addr() calls
2012-06-09 14:06:45 +02:00
1527307ec9
version bump to 5.0.0rc1
2012-06-09 14:05:08 +02:00
47f8ae7cfd
added ikev1/dynamic scenarios using allow-any
2012-06-08 22:54:12 +02:00
7cc65a0376
removed whitespace
2012-06-08 22:34:49 +02:00
d9e1b4c033
added ikev2/dynamic-two-peers scenario
2012-06-08 21:52:20 +02:00
68f3e2462a
added ikev2/dynamic-responder scenario
2012-06-08 21:24:42 +02:00
420e77c2d0
added ikev2/dynamic-initiator scenario
2012-06-08 21:24:41 +02:00
1d315bddd3
implemented the right|leftallowany feature
2012-06-08 21:24:41 +02:00
e5f0f9ff96
Enforce uniqueness policy in IKEv1 main and aggressive modes
2012-06-08 16:15:22 +02:00
4a10eda1a0
starter: Go back to single threaded mode.
...
Mixing multiple threads and fork(2) wasn't a very good idea it seems.
At least in some environments this caused strange side-effects.
2012-06-08 14:12:07 +02:00
05ca56558c
Disabled listening for kernel events in starter.
2012-06-08 14:12:06 +02:00
82ad53b776
Try to rekey without KE exchange if peer returns INVALID_KE_PAYLOAD(NONE)
...
According to RFC5996, implementations should just ignore the KE payload
if they select a non-PFS proposals. Some implementations don't, but
return MODP_NONE in INVALID_KE_PAYLOAD, hence we accept that, too.
2012-06-08 10:35:02 +02:00
2d4c347af9
While checking for redundant quick modes, compare traffic selectors
...
If a configuration is instanced more than once using narrowing,
we should keep all unique quick modes up during rekeying.
2012-06-08 10:22:03 +02:00
106b938b6b
Store shorter soft lifetime of in- and outbound SAs only
2012-06-08 10:22:03 +02:00
7a5f372c57
Initiate quick mode rekeying with narrowed traffic selectors
2012-06-08 10:22:03 +02:00
d61f2906d4
Use traffic selectors passed to quick mode constructor as initiator
2012-06-08 10:22:03 +02:00
1e24fa4614
Instead of rekeying, delete a quick mode if we have a fresher instance
...
If both peers initiate quick mode rekeying simultaneously, we end up
with duplicate SAs for a configuration. This can't be avoided, nor do
the standards provide an appropriate solution. Instead of closing one
SA immediately, we keep both. But once rekeying triggers, we don't
refresh the SA with the shorter soft lifetime, but delete it.
2012-06-08 10:22:03 +02:00
9e9295ed10
Properly handle empty RDN values in DN strings.
2012-06-07 16:50:11 +02:00
9041c074b3
Properly install policies with ports in PF_KEY kernel interface.
2012-06-07 14:37:00 +02:00
ab24a32edf
As responder, enforce the same configuration while rekeying CHILD_SAs
2012-06-06 16:06:49 +02:00
b200fa573b
starter: Only handle SIGCHLD asynchronously and the rest in pselect(2).
2012-06-06 14:23:25 +02:00
21043198ff
Show expiration time of rekeyed CHILD_SAs in statusall
2012-06-05 10:29:43 +02:00
18a3741042
starter: (De-)Initialize logging when forking.
2012-06-05 09:22:16 +02:00
402ae88af9
starter: Close open file descriptors when forking daemons.
2012-06-04 18:09:56 +02:00
89c97952bd
starter: Changed signal handling now that starter is multi-threaded.
2012-06-04 18:09:56 +02:00
c8f7a114b6
Mark CHILD_SAs used for trap policies to uninstall them properly.
...
If the installation failed the state is not CHILD_ROUTED which means the
wrong priority is used to uninstall the policies. This is a problem for
kernel interfaces that keep track of installed policies as now the proper
policy is not found (if the priority is considered).
2012-06-04 18:04:48 +02:00
93d9a02e9e
NEWS for 4.6.4 added.
2012-05-31 17:40:01 +02:00
79d5c4f06b
Fixed return values of several functions (e.g. return FALSE for pointer types).
2012-05-31 17:39:04 +02:00
060b508e0e
Fix boolean return value if an empty RSA signature is detected in gmp plugin
...
Fixes CVE-2012-2388.
2012-05-31 17:38:59 +02:00
77e4282643
Avoid queueing more than one retry initiate job.
2012-05-30 15:32:52 +02:00
60c82591c5
Retry IKE_SA initiation if DNS resolution failed.
...
This is disabled by default and can be enabled with the
charon.retry_initiate_interval option in strongswan.conf.
2012-05-30 15:32:52 +02:00
eac9d77059
Job added to re-initiate an IKE_SA.
2012-05-30 15:32:52 +02:00
6f948c5c8d
added nonce plugin to gcrypt scenarios
2012-05-30 07:21:03 +02:00
08951eb7a8
upgraded ipv6 scenarios to 5.0.0
2012-05-29 23:40:01 +02:00
53915f14ae
Fix MOBIKE address update if responder address changed.
...
Use the source address of the current MOBIKE message as peer address
instead of assuming the address cached on the IKE_SA is still valid.
2012-05-25 17:05:53 +02:00
a46fe56858
Resolve hosts before reauthenticating due to address change.
2012-05-25 17:05:53 +02:00
c6da59f014
Don't queue delete_ike_sa job when setting IKE_DELETING.
...
This avoids deleting IKE_SAs during reauthentication (without
trying to reestablish them).
2012-05-25 17:05:53 +02:00
7457143072
During reauthentication reestablish IKE_SA even if deleting the old one fails.
2012-05-25 17:05:53 +02:00
23470d849a
Integrated main parts of IKE_REAUTH task into ike_sa_t.reestablish.
2012-05-25 17:05:53 +02:00
12715f1953
Fixed route lookup in case MOBIKE is not enabled.
2012-05-25 17:05:53 +02:00
be982b4c03
enable xauth-eap plugin in UML scenarios
2012-05-25 17:02:39 +02:00
2be46da56d
added nonce plugin in default host configurations
2012-05-25 17:00:03 +02:00
da7a46b73b
upgraded ike scenarios to 5.0.0
2012-05-25 16:58:17 +02:00
d2933125d5
added IKEv1 IPCOMP pluto-charon interoperability scenarios
2012-05-25 12:52:21 +02:00
daab61e51f
Added encapsulation mode transform attribute to IPComp proposal.
2012-05-25 09:26:42 +02:00
b253008544
upgraded ikev1/compress to 5.0.0
2012-05-24 17:36:27 +02:00
18dac73f02
Updated ipsec.conf(5) to reflect changes to IPComp support.
2012-05-24 15:32:28 +02:00
Tobias Brunner