Martin Willi
08a5a708fc
Include CCM/GCM algorithms in IKEv2 proposals, if supported
2010-08-19 19:05:05 +02:00
Martin Willi
84eb3aa456
Implemented IKEv2 keymat derivation for AEAD algorithms
2010-08-19 19:02:34 +02:00
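The AEAD keymat derivation named in the commit above, shown as an added example that is not strongSwan's code: prf+ from RFC 7296 section 2.13 is expanded over Ni|Nr|SPIi|SPIr and cut into SK_d, SK_ai, SK_ar, SK_ei, SK_er, SK_pi and SK_pr; for an AEAD cipher the integrity keys have zero length and SK_ei/SK_er are lengthened by the salt (4 octets for GCM, 3 for CCM, RFC 5282 section 7.1). HMAC-SHA-256 as the prf, the SKEYSEED, nonces and SPIs, and the key-length arguments are all constructed for the example.

```python
import hmac
import hashlib

PRF_LEN = 32  # HMAC-SHA-256 output length; the prf this example assumes

# Salt lengths for AEAD transforms in IKEv2 (RFC 5282 section 7.1). The salt
# is taken from the tail of SK_ei/SK_er, so the derived "encryption key" is
# longer than the raw cipher key.
AEAD_SALT_LEN = {"aes-gcm": 4, "aes-ccm": 3}


def prf(key: bytes, data: bytes) -> bytes:
    """prf(K, S) with PRF_HMAC_SHA2_256."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ from RFC 7296 section 2.13:
    T1 = prf(K, S | 0x01), Tn = prf(K, Tn-1 | S | n), output = T1 | T2 | ..."""
    out = b""
    t = b""
    n = 1
    while len(out) < length:
        if n > 255:
            raise ValueError("prf+ is defined for at most 255 iterations")
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]


def derive_ike_keys(skeyseed, ni, nr, spi_i, spi_r, enc_alg, enc_key_len, integ_key_len):
    """Split prf+(SKEYSEED, Ni|Nr|SPIi|SPIr) into the seven IKE_SA keys
    (RFC 7296 section 2.14). For AEAD ciphers there are no integrity keys
    and SK_ei/SK_er carry an extra salt (RFC 5282 section 7.1)."""
    salt_len = AEAD_SALT_LEN.get(enc_alg)
    if salt_len is not None:
        if integ_key_len != 0:
            raise ValueError("AEAD proposals carry no integrity transform")
        enc_len = enc_key_len + salt_len
        integ_len = 0
    else:
        enc_len = enc_key_len
        integ_len = integ_key_len
    lengths = [("SK_d", PRF_LEN), ("SK_ai", integ_len), ("SK_ar", integ_len),
               ("SK_ei", enc_len), ("SK_er", enc_len),
               ("SK_pi", PRF_LEN), ("SK_pr", PRF_LEN)]
    total = sum(length for _, length in lengths)
    keymat = prf_plus(skeyseed, ni + nr + spi_i + spi_r, total)
    keys = {}
    pos = 0
    for name, length in lengths:
        keys[name] = keymat[pos:pos + length]
        pos += length
    return keys


def aead_key_and_salt(sk_e, enc_alg):
    """Split an AEAD SK_e into (cipher key, salt). The per-message nonce is
    salt | 8-octet IV from the Encrypted payload."""
    salt_len = AEAD_SALT_LEN[enc_alg]
    return sk_e[:-salt_len], sk_e[-salt_len:]


if __name__ == "__main__":
    # Constructed values, not taken from a real exchange.
    skeyseed = bytes(range(32))
    ni, nr = b"\x11" * 16, b"\x22" * 16
    spi_i, spi_r = b"\x01" * 8, b"\x02" * 8
    keys = derive_ike_keys(skeyseed, ni, nr, spi_i, spi_r, "aes-gcm", 16, 0)
    for name, k in keys.items():
        print(name, len(k), k.hex())
    key, salt = aead_key_and_salt(keys["SK_ei"], "aes-gcm")
    print("aes-gcm key", key.hex(), "salt", salt.hex())
```

Because prf+ is a prefix-consistent stream, SK_d comes out identical for an AEAD and a non-AEAD proposal with the same SKEYSEED and nonces; the difference is only where the later cuts fall.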
Martin Willi
9d49f79f55
List registered AEAD algorithms in listalgs
2010-08-19 19:02:34 +02:00
Martin Willi
b519071299
Use AEAD wrapper for encryption payload encryption/decryption
2010-08-19 19:02:33 +02:00
Martin Willi
7fc4b0814f
Make function to test if an encryption algorithm is an AEAD alg public
2010-08-19 19:02:16 +02:00
Martin Willi
92a4540aca
Migrated generator_t to INIT/METHOD macros
2010-08-19 12:35:53 +02:00
Martin Willi
0cca7427c7
Migrated encryption_payload to INIT/METHOD macros
2010-08-19 12:35:53 +02:00
Martin Willi
7c9d8e1476
Migrated message_t to INIT/METHOD macros
2010-08-19 12:35:53 +02:00
Martin Willi
5555b900b2
Migrated keymat to INIT/METHOD macros
2010-08-19 12:35:53 +02:00
Andreas Steffen
1894622df2
added EAP-TTLS debug output
2010-08-18 23:21:00 +02:00
Andreas Steffen
5ae4292cb9
added TLS record debug output
2010-08-18 22:52:42 +02:00
Martin Willi
ba31fe1fd6
Use a separate section for each nested struct member in INIT macro
2010-08-18 12:15:03 +02:00
Andreas Steffen
53115857ae
some simplifications using the INIT macro
2010-08-17 20:09:32 +02:00
Andreas Steffen
9ba53310ee
implemented server-initiated phase2 of EAP-TTLS authentication
2010-08-16 18:30:41 +02:00
Andreas Steffen
79f2102cb4
implemented server side support for EAP-TTLS
2010-08-16 16:44:13 +02:00
Andreas Steffen
06a207480e
fixed typo in eap-mschapv2 plugin
2010-08-16 16:44:13 +02:00
Andreas Steffen
b51ac45c48
optional certificate-based peer authentication on TLS server side
2010-08-15 13:02:57 +02:00
Andreas Steffen
16d8b4b6c1
removed some raw EAP debug output
2010-08-14 12:01:45 +02:00
Andreas Steffen
004b226bb8
use EAP plugin for tunneled client authentication
2010-08-14 01:14:28 +02:00
Andreas Steffen
6659c61335
send tunneled EAP Identity response using eap-identity plugin
2010-08-13 22:45:22 +02:00
Andreas Steffen
486893ee52
allow to send an EAP Identity response without matching request
2010-08-13 22:41:00 +02:00
Andreas Steffen
683a912eab
implement AVP EAP message building and processing
2010-08-13 21:21:49 +02:00
Martin Willi
c03b0d7e6b
Added support for Camellia cipher to xcbc
2010-08-13 17:11:54 +02:00
Martin Willi
c7776e0aa8
Support Camellia XCBC algorithms in proposal
2010-08-13 17:11:54 +02:00
Martin Willi
3b77c27a5b
Added Camellia, AES-CTR to default IKE proposal, if supported
2010-08-13 17:11:53 +02:00
Martin Willi
3102d8669d
Use IV length of a crypter instead of block size for IV calculations
2010-08-13 17:11:53 +02:00
Andreas Steffen
71efe40077
Migrated eap_identity plugin to INIT/METHOD macros
2010-08-13 16:57:01 +02:00
Andreas Steffen
a568897011
Migrated eap_md5 plugin to INIT/METHOD macros
2010-08-13 16:33:26 +02:00
Andreas Steffen
45c4021bd0
Migrated eap_authenticator to INIT/METHOD macros
2010-08-13 15:58:53 +02:00
Andreas Steffen
fe6ae23d1f
Migrated eap_manager to INIT/METHOD macros
2010-08-13 15:32:37 +02:00
Andreas Steffen
87799b0c00
moved eap_from_string() from libcharon to libstrongswan to make it available in starter
2010-08-13 15:07:53 +02:00
Andreas Steffen
e643da585b
fixed typo
2010-08-13 12:24:54 +02:00
Andreas Steffen
4412ee86c5
recognize eap-ttls method
2010-08-12 23:58:54 +02:00
Andreas Steffen
1327839da8
added generic TLS application data handler and specific EAP-TTLS instantiation
2010-08-12 23:58:54 +02:00
Martin Willi
8f01815143
Build dedicated plugin lists for each strongSwan component
2010-08-12 14:46:57 +02:00
Martin Willi
8bec0f5153
Implemented Smartcard support in NetworkManager frontend
2010-08-11 16:32:04 +02:00
Martin Willi
aea735ef63
Discard a packet that exceeds the receive buffer
2010-08-11 10:52:59 +02:00
Martin Willi
10a2e09b55
Added a strongswan.conf option to change socket receive buffer size
2010-08-11 10:48:17 +02:00
Andreas Steffen
133accfcfd
differentiate between TLS messages and EAP-[T]TLS packets in the debug output
2010-08-10 19:02:05 +02:00
Martin Willi
3d711a68fb
Added a stroke command to export cached x509 certificates to the console
2010-08-10 18:46:30 +02:00
Martin Willi
a944d2092b
Use bits instead of bytes for a private/public key
2010-08-10 18:46:30 +02:00
Martin Willi
33ddaaabec
Added support for different encryption schemes to private/public keys
2010-08-10 18:46:30 +02:00
Andreas Steffen
3810afa9f9
log final TLS acknowledgement packet
2010-08-08 19:14:53 +02:00
Andreas Steffen
ded59df4fc
added level 2 debug info on sent TLS packets
2010-08-07 11:26:04 +02:00
Andreas Steffen
ab47a7924b
log EAP-TTLS version
2010-08-07 11:26:04 +02:00
Andreas Steffen
a622c6d019
fixed typo
2010-08-07 11:26:04 +02:00
Andreas Steffen
a6444fcdd4
EAP-TLS and EAP-TTLS use different constant MSK PRF label
2010-08-07 11:26:04 +02:00
Andreas Steffen
26eb9b2d17
added eap_ttls plugin configuration
2010-08-07 11:26:04 +02:00
Jiri Bohac
30d8e8d04d
fix error-type range in parsing of NOTIFY payloads
2010-08-06 11:47:35 +02:00
Tobias Brunner
edb82ab8ae
Some Doxygen fixes.
2010-08-05 11:53:53 +02:00
Tobias Brunner
744b83c7c9
Fixed loading of secrets with IDs.
Since the ID string is manually terminated by a null character, write
permission is required for the mmapped ipsec.secrets.
2010-08-04 16:03:46 +02:00
Tobias Brunner
dca2d89209
Fixed loading of private keys without password.
The chunk storing the password was not correctly initialized, resulting
in a segmentation fault when no password was specified in ipsec.secrets.
2010-08-04 14:22:48 +02:00
Tobias Brunner
83628fd600
Accept EAP_ONLY_AUTHENTICATION notifies from any client, now that IANA allocated an ID.
2010-08-04 12:58:53 +02:00
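The two Notify-related commits above (the error-type range fix in Notify payload parsing, and accepting EAP_ONLY_AUTHENTICATION now that IANA assigned it a number) are illustrated by this added example, which is not strongSwan's code. It parses a Notify payload per RFC 7296 section 3.10 and classifies the Notify Message Type by the ranges the RFC defines: 1 to 16383 are error types (8192 to 16383 private use), 16384 to 65535 are status types (40960 to 65535 private use), and 0 is reserved. EAP_ONLY_AUTHENTICATION is 16417 (RFC 5998). The byte strings are constructed with the block's own builder, and the payload-name table is a subset chosen for the example.

```python
import struct

# Notify Message Type ranges, RFC 7296 section 3.10.1
ERROR_MAX = 16383    # 1..16383 are error types (8192..16383 private use)
STATUS_MIN = 16384   # 16384..65535 are status types (40960..65535 private use)

# Subset of registered names, enough for the example
NOTIFY_NAMES = {
    4: "INVALID_IKE_SPI", 5: "INVALID_MAJOR_VERSION", 7: "INVALID_SYNTAX",
    9: "INVALID_MESSAGE_ID", 11: "INVALID_SPI", 14: "NO_PROPOSAL_CHOSEN",
    17: "INVALID_KE_PAYLOAD", 24: "AUTHENTICATION_FAILED",
    34: "SINGLE_PAIR_REQUIRED", 35: "NO_ADDITIONAL_SAS",
    36: "INTERNAL_ADDRESS_FAILURE", 37: "FAILED_CP_REQUIRED",
    38: "TS_UNACCEPTABLE", 39: "INVALID_SELECTORS",
    16384: "INITIAL_CONTACT", 16385: "SET_WINDOW_SIZE",
    16388: "NAT_DETECTION_SOURCE_IP", 16389: "NAT_DETECTION_DESTINATION_IP",
    16390: "COOKIE", 16391: "USE_TRANSPORT_MODE", 16393: "REKEY_SA",
    16417: "EAP_ONLY_AUTHENTICATION",  # RFC 5998
}

PROTO_NAMES = {0: "NONE", 1: "IKE", 2: "AH", 3: "ESP"}


def notify_kind(msg_type):
    """Classify a Notify Message Type by the RFC 7296 ranges."""
    if msg_type == 0:
        return "reserved"
    if msg_type <= ERROR_MAX:
        return "error"
    return "status"


def build_notify(msg_type, proto=0, spi=b"", data=b"", next_payload=0):
    """Encode a Notify payload with its generic payload header (critical bit clear)."""
    length = 8 + len(spi) + len(data)
    return struct.pack("!BBHBBH", next_payload, 0, length, proto, len(spi), msg_type) + spi + data


def parse_notify(buf):
    """Parse one Notify payload including its generic payload header
    (RFC 7296 sections 3.2 and 3.10). Raises ValueError on malformed input."""
    if len(buf) < 8:
        raise ValueError("Notify payload shorter than its fixed header")
    next_payload, flags, length, proto, spi_size, msg_type = struct.unpack("!BBHBBH", buf[:8])
    if length < 8 or length > len(buf):
        raise ValueError("bad payload length %d" % length)
    # IKE_SA notifies carry no SPI; AH/ESP notifies carry a 4-octet SPI or none.
    if spi_size not in (0, 4) or (proto <= 1 and spi_size != 0):
        raise ValueError("invalid SPI size %d for protocol %d" % (spi_size, proto))
    if 8 + spi_size > length:
        raise ValueError("SPI runs past payload length")
    return {
        "next_payload": next_payload,
        "critical": bool(flags & 0x80),
        "length": length,
        "protocol": PROTO_NAMES.get(proto, "UNKNOWN(%d)" % proto),
        "spi": buf[8:8 + spi_size],
        "type": msg_type,
        "name": NOTIFY_NAMES.get(msg_type, "UNKNOWN(%d)" % msg_type),
        "kind": notify_kind(msg_type),
        "data": buf[8 + spi_size:length],
    }


def has_error_notify(payloads):
    """True if any parsed Notify in the list is an error type; a responder
    that sees one should treat the exchange as failed."""
    return any(p["kind"] == "error" for p in payloads)


if __name__ == "__main__":
    # Constructed payloads, not captured traffic.
    samples = [build_notify(16417), build_notify(24),
               build_notify(16393, proto=3, spi=b"\xde\xad\xbe\xef")]
    parsed = [parse_notify(s) for s in samples]
    for p in parsed:
        print(p["name"], p["kind"], p["protocol"], p["spi"].hex())
    print("error present:", has_error_notify(parsed))
```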
Tobias Brunner
12549bedea
IKEv2 notification types updated.
2010-08-04 10:06:00 +02:00
Martin Willi
65858b83f8
Destroy IKE_SA Manager's crypto primitives during flush, the plugins are gone in destroy
2010-08-04 09:26:21 +02:00
Martin Willi
0d08ebe7ac
Pass type of requested key in the callback credential set
2010-08-04 09:26:21 +02:00
Martin Willi
15177f5785
Obsoleted BUILD_PASSPHRASE(_CALLBACK) for private key loading, use credential sets
2010-08-04 09:26:21 +02:00
Martin Willi
0556667dca
Use credential sets to load smartcard keys
2010-08-04 09:26:21 +02:00
Martin Willi
62be923683
Implemented a callback based credential set, currently for shared keys only
2010-08-04 09:26:21 +02:00
Martin Willi
9587ece534
mmap() ipsec.secrets instead of malloc(), proper error checking
2010-08-04 09:26:21 +02:00
Martin Willi
947298b302
Split up the load_secrets() function
2010-08-04 09:26:21 +02:00
Martin Willi
57522106c4
%prompt support for smartcard PIN via "ipsec secrets"
2010-08-04 09:26:20 +02:00
Martin Willi
0b8b664056
Pass the PKCS11 keyid as chunk, not as string
2010-08-04 09:26:20 +02:00
Martin Willi
353d10d590
Reuse generic passphrase build part, not a dedicated PIN part
2010-08-04 09:26:20 +02:00
Martin Willi
3479c27931
Support module names in %smartcard specifier, streamlined smartcard building
2010-08-04 09:26:20 +02:00
Tobias Brunner
f8029ca3f9
test_cert adapted to extended signature of get_encoding().
2010-08-03 19:00:56 +02:00
Tobias Brunner
56bceda7b5
Fixed compiler warnings.
2010-08-03 19:00:46 +02:00
Martin Willi
0f82a47063
Moved TLS stack to its own library
2010-08-03 15:39:26 +02:00
Martin Willi
0b71bc7af0
Moved eap-tls plugin to libcharon, updated to 4.4.1 APIs
2010-08-03 15:39:25 +02:00
Martin Willi
2107953804
Added EAP-TLS plugin stub
2010-08-03 15:39:24 +02:00
Thomas Egerer
86a73f16ab
Do not touch child from collision if peer deleted it
2010-08-03 10:32:38 +02:00
Thomas Egerer
5d2e159b41
Fix segfault on 'ipsec stroke up ]' command
2010-07-29 14:03:11 +02:00
Martin Willi
98d0343870
Implemented a HA enabled in-memory address pool
2010-07-28 10:06:19 +02:00
Martin Willi
7455ab063f
Added a function to segmentate a generic integer
2010-07-28 10:06:19 +02:00
Martin Willi
c03b64a4ac
Reserving does not work, as our pools do not support acquiring arbitrary addresses
This reverts commit d1384080b3.
2010-07-27 12:05:39 +02:00
Martin Willi
7eeb687d59
Flush any remaining cache state if an IKE_SA goes down
2010-07-27 09:18:06 +02:00
Martin Willi
fa4f71c819
Synchronize EAP-Identity of remote peer
2010-07-26 15:10:54 +02:00
Martin Willi
d1384080b3
Reserve virtual IP of passive IKE_SAs in the local pool
2010-07-26 15:01:24 +02:00
Martin Willi
65d15aff73
Added strongswan.conf options for HA heartbeat
2010-07-26 14:30:19 +02:00
Martin Willi
08e266a119
Log CHILD_SA segment responsibility
2010-07-26 13:53:54 +02:00
Martin Willi
3e6736f67e
Pass initiator parameter to distinguish between original and exchange initiator
2010-07-26 13:53:53 +02:00
Martin Willi
b2e447e24a
Pass the CREATE_CHILD_SA initiator flag to the child_keys parameter
2010-07-26 13:53:53 +02:00
Martin Willi
aa334daa9b
Use a sync message cache to resynchronize IKE_SAs without rekeying
2010-07-26 13:53:49 +02:00
Martin Willi
2031002d42
Log received HA message types
2010-07-26 11:33:00 +02:00
Martin Willi
f2eebed2a3
Add enum names for HA message types
2010-07-26 11:33:00 +02:00
Martin Willi
51217527e6
Delay resynchronization request until starter has loaded the configurations
2010-07-26 11:33:00 +02:00
Martin Willi
2cbc48ecab
Replaces in_segment() by a more generic get_segment() function
2010-07-26 11:33:00 +02:00
Martin Willi
ad2488fcdf
Use distinct message types for HA message ID updates
2010-07-26 10:15:17 +02:00
Martin Willi
00c1bd0606
Migrated ha plugin to INIT/METHOD macros
2010-07-26 10:15:17 +02:00
Martin Willi
ce7967c50c
Implemented support for multiple RADIUS servers
2010-07-21 17:25:09 +02:00
Martin Willi
58d2ef6e14
Migrated eap-radius plugin to INIT/METHOD macros
2010-07-21 17:09:27 +02:00
Martin Willi
5b6c220d13
Added log statement if peer requests EAP, but current config does not allow it
2010-07-21 17:09:15 +02:00
Andreas Steffen
ae0e3b03b7
in an ESP_IN_UDP situation make UDP port available in the updown script
2010-07-17 13:27:19 +02:00
Andreas Steffen
14665981a5
make xfrm marks available in the updown scripts
2010-07-17 13:08:50 +02:00
Martin Willi
0406eeaacb
Support different encoding types in certificate.get_encoding()
2010-07-13 13:53:20 +02:00
Martin Willi
da9724e6d0
Renamed key_encod{ing,der}_t and constants, prepare for generic credential encoding
2010-07-13 11:29:35 +02:00
Martin Willi
e57a29c731
Moved X509 ipAddrBlock checking to the addrblock plugin
2010-07-13 10:26:07 +02:00
Martin Willi
be715344c2
Added a hook to narrow traffic selectors for CHILD_SAs
2010-07-13 10:26:07 +02:00
Martin Willi
88fa56b1ad
Moved bus_t to METHOD/INIT macros
2010-07-13 10:26:07 +02:00
Martin Willi
1c8c924610
Moved addrblock plugin to libcharon
2010-07-13 10:26:07 +02:00
Martin Willi
2ccc02a4fd
Moved credential manager to libstrongswan
2010-07-13 10:26:07 +02:00
Martin Willi
2ca7db1337
Move pathlen constraint checking to X509 specific checks
2010-07-13 10:26:06 +02:00
Martin Willi
5db798c8e0
Charon uses a generic trustchain length limit, not only for X509 certificates
2010-07-13 10:26:06 +02:00
Martin Willi
01bb70e4ad
Combined the OCSP/CRL options to a single Online check option
2010-07-13 10:26:06 +02:00
Andreas Steffen
ab635e029e
updated SQL templates to support attribute pool and identity parameters
2010-07-12 20:28:34 +02:00
Tobias Brunner
af7b34b13b
Added missing pool parameter in DHCP attribute provider.
2010-07-12 12:27:49 +02:00
Martin Willi
52f97c3893
Do not interpret long class attributes (such as from NPS) as group
2010-07-09 13:53:43 +02:00
Martin Willi
cfa1c07604
Group membership constraint is fulfilled if subject is member in one of the groups
2010-07-09 13:51:58 +02:00
Heiko Hund
ec7adea007
Added support for named attribute groups
Add the possibility to group attributes by a name and assign these
groups to connections. This allows a more granular configuration of
which client will receive what attributes.
2010-07-09 13:09:31 +02:00
Andreas Steffen
26c4d0102a
configuration of different marks for inbound and outbound direction
2010-07-09 09:06:07 +02:00
Martin Willi
6f07f5e3d4
The file logger supports a time prefix using a strftime() format specifier
2010-07-08 17:44:19 +02:00
Martin Willi
4cc9afe35f
Print identity to a lease address on the same line for simpler grepping
2010-07-08 17:44:19 +02:00
Martin Willi
6c4cd8fa15
Implemented missing bypass_socket() method in load-tester's faked kernel interface
2010-07-07 10:01:32 +02:00
Martin Willi
4f99093235
Show mallinfo() data in statusall, if available
2010-07-06 16:28:25 +02:00
Tobias Brunner
f395f28e44
Added missing mark_t in load tester, also migrated to INIT/METHOD macros.
2010-07-06 09:29:18 +02:00
Tobias Brunner
83b23011de
Some Doxygen fixes.
2010-07-05 15:04:30 +02:00
Tobias Brunner
8f7e8e075a
Fixed typo.
2010-07-05 14:53:56 +02:00
Martin Willi
a4c0da1669
Added support for group membership information contained in the RADIUS class attribute
2010-07-05 09:41:04 +02:00
Martin Willi
4172574bfb
Use the group constraint in a more generic fashion, not only for attribute certificates
2010-07-05 09:41:04 +02:00
Martin Willi
53913d764e
Use the responder side configured EAP-Identity directly, if given
2010-07-05 09:41:04 +02:00
Martin Willi
ec6caa1367
Copy EAP specific attributes to auth config only
2010-07-05 09:41:04 +02:00
Andreas Steffen
ee26c537d7
support of xfrm marks for IKEv2
2010-07-02 23:46:09 +02:00
Martin Willi
02571374c4
Recreate IKE_SA_INIT related tasks only if they have completed
2010-06-30 13:48:47 +02:00
Thomas Egerer
31d0efd7e9
Use enumerator for queued_tasks migration to avoid infinite loop
2010-06-30 13:24:43 +02:00
Thomas Egerer
6d61e334f7
Correct check of traffic selectors before destruction
2010-06-29 09:22:50 +02:00
Thomas Egerer
7f1eb89517
Migrate queued_tasks tasks, to avoid dangling pointers
2010-06-29 09:20:05 +02:00
Tobias Brunner
0f21ebc81d
The signature of keystore_get changed again.
With Android 2.2 (Froyo) the interface of keystore_get was changed once
again. The change was made to allow the keys to contain \0 characters.
2010-06-28 17:18:53 +02:00
Tobias Brunner
6f52d3b077
Compiler warning fixed.
2010-06-28 08:50:30 +02:00
Martin Willi
6a4a47511f
Show contents of the CP payload in message_t stringification
2010-06-24 15:46:28 +02:00
Tobias Brunner
c0914c457b
Increased the loglevel for the arguments received via Android control socket.
2010-06-24 14:46:25 +02:00
Tobias Brunner
e9e2a4fecf
Terminate charon from the Android plugin if the tunnel goes down after it was initiated successfully.
2010-06-24 14:30:06 +02:00
Tobias Brunner
7913a74c36
Initiate the tunnel in the Android plugin asynchronously.
Also track its initiation using the registered listener.
2010-06-24 14:30:05 +02:00
Tobias Brunner
8b775e99ea
Implement the listener_t interface in the Android plugin to track the status of an SA.
2010-06-24 14:30:05 +02:00
Tobias Brunner
94ec9adc10
Helper function added to notify the Android frontend about status changes.
2010-06-24 14:30:05 +02:00
Tobias Brunner
024dd37fa0
Initiate consumes a child_sa reference, so get an additional one.
2010-06-24 14:30:05 +02:00
Tobias Brunner
5eb9eeb130
Use the same error code constants as in the Java frontend.
2010-06-24 14:30:05 +02:00
Tobias Brunner
359063caf7
Flush and destroy the send queue before unloading the socket plugins.
2010-06-24 14:30:05 +02:00
Tobias Brunner
9eb7f46b3d
Do not install routes in the PF_KEY kernel interface if interface lookup failed.
2010-06-23 11:43:31 +02:00
Tobias Brunner
a427e98da1
The signature of keystore_get was changed with Android 2.x.
2010-06-22 16:19:55 +02:00
Tobias Brunner
f283520faf
Avoid a segmentation fault if opening the Android control socket failed.
2010-06-22 16:18:22 +02:00
Tobias Brunner
c03ed4835c
Allow to enable the kernel-pfkey plugin via Android.mk.
2010-06-22 16:14:14 +02:00
Tobias Brunner
b7900d3258
Fixing the PF_KEY kernel interface on Android.
In Android's in.h IPPROTO_COMP is not #defined but just an enum member.
2010-06-22 16:12:07 +02:00
Martin Willi
169eae5229
Accept IKE packets with any minor version in RAW socket
2010-06-22 11:14:07 +02:00
Tobias Brunner
9b6db5cd2e
Fixed plugin checks in Android.mk files.
2010-06-22 10:40:34 +02:00
Tobias Brunner
499af811c0
Use vpn.dns* to store DNS servers (Android manages net.dns* using these).
2010-06-15 19:58:58 +02:00
Tobias Brunner
be00d219cc
Adding an interface that interacts with the Android Settings frontend.
2010-06-15 19:58:58 +02:00
Tobias Brunner
c373f14947
Adding an Android specific credential set.
2010-06-15 19:58:58 +02:00
Tobias Brunner
51a00fb275
Adding an Android specific logger.
2010-06-15 19:58:58 +02:00
Tobias Brunner
946be4d357
Adding support for the native Linux capabilities interface.
Note that this interface is deprecated and mainly added to support
Android. Use libcap, if possible.
2010-06-15 19:58:30 +02:00
Tobias Brunner
b77e493bea
Explicitly refer to LIBCAP in Makefiles.
2010-06-15 19:57:31 +02:00