Martin Willi
63b0bc9c2d
Invoke missing message() hook for incoming responses
2010-02-17 18:23:14 +01:00
Andreas Steffen
b65d7f8a15
version bump to 4.4.0
2010-02-15 20:58:41 +01:00
Tobias Brunner
38da64fe12
Detect Windows hosts to add specific workarounds.
2010-02-12 10:57:39 +01:00
Tobias Brunner
71baf5a8f0
Adding support for AES GMAC (RFC4543).
2010-02-12 10:57:39 +01:00
Martin Willi
2aa553d773
Do not build own authentication data before we've verified others, we need the other identity in EAP
2010-02-09 16:11:07 +01:00
Andreas Steffen
2d07095e01
hash-and-url avoids IP fragmentation, cert and crl fetch based on IPv6
2010-02-06 12:34:41 +01:00
Andreas Steffen
dd0b1b9a16
generated hash-and-url files for rfc3779 certs
2010-02-06 11:41:44 +01:00
Andreas Steffen
76fe5500c4
hash-and-url avoids IP fragmentation, cert and crl fetch based on IPv6
2010-02-06 11:39:33 +01:00
Andreas Steffen
5094bfd85f
hash-and-url avoids IP fragmentation, cert and crl fetch based on IPv6
2010-02-05 20:39:13 +01:00
Andreas Steffen
61d7ff0c19
IPv6 fragment and http access are not needed in PSK scenario
2010-02-05 20:27:03 +01:00
Andreas Steffen
699c47a9be
hash-and-url avoids IP fragmentation, cert and crl fetch based on IPv6
2010-02-05 20:16:26 +01:00
Tobias Brunner
3cc0cc4332
Increased the buffer for netlink responses.
...
If an error occurs while manipulating policies in the kernel, the
original netlink request gets attached to the response.
Prior to Linux 2.6.32 the size in the netlink header of the response was
wrong.
2010-02-05 20:10:54 +01:00
Andreas Steffen
1f2da75069
IPv6 frag netfilter rule not needed anymore
2010-02-05 20:04:01 +01:00
Andreas Steffen
563a177830
hash-and-url avoids IP fragmentation, cert and crl fetch based on IPv6
2010-02-05 19:58:42 +01:00
Andreas Steffen
b917f49684
initialize variables to avoid compiler warning
2010-02-05 12:34:37 +01:00
Martin Willi
313a53d4fc
Use destination address of ppp interfaces as nexthop in starter's default route lookup
2010-02-05 09:28:31 +01:00
Andreas Steffen
6c9c0baee9
init_fetch() changed to fetch_initialize()
2010-02-05 06:17:02 +01:00
Andreas Steffen
52719d719c
use static IPsec policy netfilter rules in MOBIKE scenarios
2010-02-04 10:05:44 +01:00
Andreas Steffen
8501181925
remove any charon.pid files remaining at the end of each scenario
2010-02-04 08:53:52 +01:00
Andreas Steffen
00eb9267ad
IPSEC_ROUTING_TABLE is now called routing_table
2010-02-03 19:32:50 +01:00
Andreas Steffen
ec37b04732
differentiate between executed and displayed iptables commands
2010-02-03 19:21:55 +01:00
Martin Willi
7481f964ae
Use child_updown hook in updown plugin, fixes doubled invocation of down script
2010-02-03 11:07:53 +01:00
Andreas Steffen
0d8bdf24ff
added ikev2/inactivity-timeout scenario
2010-02-03 10:28:30 +01:00
Andreas Steffen
889ff9389b
renamed init_fetch() to fetch_initialize()
2010-02-02 19:44:34 +01:00
Tobias Brunner
41faec0791
Some whitespace and code cleanups concerning the mediation extension.
2010-02-02 15:53:22 +01:00
Tobias Brunner
dc5969242f
Join pluto's fetching thread instead of detaching it in order to avoid that the leak-detective reports a memleak.
2010-02-02 15:23:39 +01:00
Andreas Steffen
b7fd2ea76c
corrected captions
2010-02-01 12:44:44 +01:00
Andreas Steffen
bf1e0df7c5
warn if loaded local certificate is invalid
2010-02-01 12:29:32 +01:00
Martin Willi
909c0c3d63
Updated NEWS about per-connection inactivity timeout
2010-01-27 16:08:06 +01:00
Martin Willi
8015c91cb9
Added an ipsec.conf "inactivity" option to configure inactivity timeout for CHILD_SAs
2010-01-27 16:05:11 +01:00
Martin Willi
71da001753
Made inactivity_timeout a per CHILD_SA config option
2010-01-27 15:47:08 +01:00
Martin Willi
db05341916
Refactored EAP payload, avoid unaligned word access
2010-01-21 14:43:07 +01:00
Martin Willi
23d2bf84a3
Added a METHOD2() macro that implements a method for two different interfaces
2010-01-21 14:42:08 +01:00
Martin Willi
47498044c3
Support RADIUS messages up to 4096 bytes, RADIUS EAP-Message fragmentation
2010-01-19 16:47:21 +01:00
Martin Willi
7eab4a1be6
Support TLS client authentication Extended Key Usage in x509 generation
2010-01-14 12:00:43 +01:00
Tobias Brunner
776f59f7be
Block the signals before the call to sigwait.
2010-01-12 11:52:03 +01:00
Martin Willi
aa9eeb5deb
Support for closing CHILD/IKE_SA if a CHILD_SA is inactive.
2010-01-12 10:23:42 +01:00
Martin Willi
bc6ff2fc99
Added strongswan.conf options to configure retransmission timeouts
2010-01-11 16:42:12 +01:00
Martin Willi
527f7f9b1c
Added a "double" getter to libstrongswan settings
2010-01-11 16:39:28 +01:00
Martin Willi
dbee988e28
Cast unaligned memcpy() args to char*, avoids over-optimization on ARM
...
See http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.faqs/ka3934.html
2010-01-11 15:35:41 +01:00
Andreas Steffen
8fb389b299
added ikev2/rw-eap-sim-only-radius scenario
2010-01-11 11:20:45 +01:00
Andreas Steffen
b979032088
log EAP-only authentication proposal
2010-01-11 11:17:40 +01:00
Andreas Steffen
87eb27681a
send strongSwan Vendor ID in ikev2/alg-sha256-96 scenario
2010-01-11 00:54:33 +01:00
Andreas Steffen
dd37fa8620
pluto and charon are using the same strongSwan Vendor ID
2010-01-11 00:43:46 +01:00
Martin Willi
aca9f9ab5a
Added NEWS about mutual EAP-only authentication
2010-01-07 16:16:22 +01:00
Martin Willi
34948b9971
EAP-MSCHAPv2 is indeed mutual, but is prone to MITM dictionary attacks
2010-01-07 15:56:11 +01:00
Martin Willi
f34702ff3f
Support EAP-only authentication for mutual and key deriving EAP methods
2010-01-07 15:51:30 +01:00
Martin Willi
12fca6cc9f
Indicate and detect support for EAP-only authentication
2010-01-07 14:30:28 +01:00
Martin Willi
cdad91de49
Added NEWS for the new Vendor ID requirement for private use allocations
2010-01-07 11:14:33 +01:00
Martin Willi
023fd8f135
Match to private use algorithms only if we know we are talking to strongSwan
2010-01-07 11:07:53 +01:00