49032d15be
stroke: stop enumerating IKE_SAs in statusall if output stream gets closed
...
If the output stream is not interested in more information, it can close the
the stream. Checking for stream errors avoids useless enumeration of IKE_SAs,
saving resources. This allows to use "ipsec statusall | head" to monitor the
daemon, or stop enumerating IKE_SAs after a specific entry has been found.
2013-08-23 14:27:17 +02:00
b4b3959b22
stream-service: move CAP_CHOWN check from plugins to service constructor
...
A plugin service can be a TCP socket now, so it does not make much sense
to strictly check for CAP_CHOWN.
2013-07-18 16:00:31 +02:00
065907b99d
stroke: use a stream service to handle stroke requests
2013-07-18 16:00:29 +02:00
dfc9902013
capabilities: Some plugins don't actually require capabilities at runtime
2013-07-18 15:25:35 +02:00
19cb07b890
automake: replace INCLUDES by AM_CPPFLAGS
...
INCLUDES are now deprecated and throw warnings when using automake 1.13.
We now also differentiate AM_CPPFLAGS and AM_CFLAGS, where includes and
defines are passed to AM_CPPFLAGS only.
2013-07-18 14:59:19 +02:00
553bb78730
child-sa: replace get_traffic_selectors() with create_ts_enumerator()
...
Not directly returning a linked list allows us to change the internals of
the CHILD_SA transparently.
2013-07-17 17:20:18 +02:00
591f923134
stroke: Add certificates extracted from PKCS#12 files to correct credential set
...
Only keys and shared secrets are moved from the temporary credential set after
loading all secrets.
2013-07-15 10:59:13 +02:00
d27f225d9a
Use strpfx() helper where appropriate
2013-07-08 18:49:30 +02:00
4c74fa664b
Reuse reqid for trap policies installed for dpd|closeaction=hold
2013-07-01 09:58:25 +02:00
b7b5432ff8
stroke: Changed how proto/port are specified in left|rightsubnet
...
Using a colon as separator conflicts with IPv6 addresses.
2013-06-28 15:10:09 +02:00
1091edede8
capabilities: CAP_CHOWN might be required by many plugins opening UNIX sockets
...
But as the sockets will be created with the user/group of the running
process this might not be required as no change may be needed.
2013-06-25 17:16:33 +02:00
a2eb581781
capabilities: Move global capabilities_t instance to libstrongswan
2013-06-25 17:16:32 +02:00
483a258ad8
stroke: support %dynamic in left/rightsubnet for dynamic selectors
...
This has the same meaning as omitting left/rightsubnet, i.e. replace it
by the IKE address. Supporting %dynamic allows configurations with multiple
dynamic selectors in a left/rightsubnet, each with potentially different
proto/port selectors.
2013-06-19 16:36:01 +02:00
4a7c29bf02
stroke: support a specific proto/port for each net defined in left/rightsubnet
2013-06-19 16:36:01 +02:00
de2debf8e0
stroke: add exportconn{cert,chain} commands in addition to exportx509
...
The new commands either export a single end entity certificate or the
full trust chain for a specific connection name.
2013-06-19 16:27:19 +02:00
49d7a98f47
Refactored plugin-loader with improved dependency resolution
...
With the new implementation the plugins don't have to be listed in any
special order, dependencies are properly resolved. The order only
matters if two plugins provide the same feature.
2013-06-11 11:18:19 +02:00
6040eff900
stroke: Add second password if provided
2013-05-08 15:02:41 +02:00
1c080407b2
stroke: Fail silently if another builder calls PW callback after giving up
...
Also reduced the number of tries to 3.
2013-05-08 15:02:41 +02:00
4a64c3e9a0
stroke: Cache passwords so the user is not prompted multiple times for the same password
...
To verify/decrypt a PKCS#12 container a password might be needed
multiple times. If it was entered correctly we don't want to bother the
user again with another password prompt.
The passwords for MAC creation and encryption could be different so the
user might be prompted multiple times after all.
2013-05-08 15:02:41 +02:00
e240b03e68
stroke: Fix prompt and error messages in passphrase callback
2013-05-08 15:02:41 +02:00
7971278c92
stroke: Load credentials from PKCS#12 files (P12 token)
2013-05-08 15:02:41 +02:00
87692be215
Load any type (RSA/ECDSA) of public key via left|rightsigkey
2013-05-07 17:08:31 +02:00
fa1d3d39dc
left|rightrsasigkey accepts SSH keys but the key format has to be specified explicitly
...
The default is now PKCS#1. With the dns: and ssh: prefixes other formats
can be selected.
2013-05-07 15:38:28 +02:00
c0bbddfa42
Try to load raw keys from ipsec.conf as PKCS#1 blob first
...
The DNSKEY builder is quite eager and parses pretty much anything
as RSA key, so this has to be done before.
2013-05-07 14:08:51 +02:00
7f4f1e8249
List all stroke counters when "all" is given, and report if connection not known
2013-04-03 14:58:08 +02:00
eca499f3d9
Load raw keys before possibly destroying the identity
...
If no identity (or %any) is configured the identification_t object is
destroyed and an invalid object was associated with the created pubkey
certificate.
Actually using %any does not work as the certificate would not match
when the client later provides an identity.
2013-04-01 13:48:34 +02:00
9fa9f68d8d
enforce singular of packets
2013-03-22 21:14:04 +01:00
1a71178940
Avoid a race condition when reloading secrets from ipsec.secrets
...
With the previous implementation that cleared the secrets in the active
credential set and then loaded the secrets, IKE SA establishment would
fail (as initiator or responder) if secrets are concurrently reloaded
and the required secret was not yet loaded.
2013-03-20 15:27:34 +01:00
824864f4e0
Don't try to mmap() empty ipsec.secret files
2013-03-19 13:46:16 +01:00
41131528a9
In stroke counters, check if we have an IKE_SA before getting the name from it
...
Fixes a segfault when receiving an invalid IKE SPI, where we don't have an
IKE_SA for the raised alert.
2013-03-19 11:20:35 +01:00
6cf79c1e9d
Algorithms are not really specific to an IKE version
...
But not all of them can be used with IKEv1.
Fixes #314 .
2013-03-18 12:20:47 +01:00
d29246cabe
Merge branch 'radius-ext'
...
Bring some extensions to eap-radius, namely a virtual IP address provider based
on received Framed-IPs, forwarding of Cisco Unity banners, Interim Accounting
updates and the reporting of sent/received packets.
2013-03-18 10:13:36 +01:00
048872f2f7
Merge branch 'stroke-counters'
...
Extend stroke counters functionality by connection specific counters, and
a resetcounters command to reset the global or connection counters.
2013-03-18 10:12:22 +01:00
e85c0f6b84
Merge branch 'stroke-timeout'
...
Add a strongswan.conf timeout option for stroke control commands.
2013-03-18 10:11:46 +01:00
cf729248b2
Add a "resetcounters" command to ipsec, clearing global or connection counters
2013-03-15 10:55:22 +01:00
d022322bed
Add connection name specific stroke counters
2013-03-15 10:41:04 +01:00
d28391a244
Report the number of processed packets in "ipsec statusall"
2013-03-14 14:20:54 +01:00
d954a2081b
child_sa_t.get_usestats() can additionally return the number of processed packets
2013-03-14 14:20:54 +01:00
5807f9cfcd
Add a stroke command timeout option, and report status of completed command
2013-03-07 11:59:30 +01:00
e82deaf6ce
Merge branch 'multi-cert'
...
Allows the configuration of multiple certificates in leftcert, and select
the correct certificate to use based on the received certificate requests.
2013-03-01 11:35:32 +01:00
a36b49f3cb
Merge branch 'opaque-ports'
...
Adds a %opaque port option and support for port ranges in left/rightprotoport.
Currently not supported by any of our kernel backends.
2013-03-01 11:27:12 +01:00
cd41b951ee
Pass complete port range over stroke interface for more flexibility
2013-02-21 11:52:33 +01:00
a1db77de7c
Use a complete port range in traffic_selector_create_from_{subnet,cidr}
2013-02-21 11:52:33 +01:00
e212033ef2
Merge branch 'ike-dscp'
2013-02-14 17:11:35 +01:00
96a2d2077b
Fix 'stroke loglevel any'
...
Before b46a5cd4
2013-02-13 12:18:20 +01:00
7fbe516f88
Add a ikedscp ipsec.conf option to set DSCP value on outgoing IKE packets
2013-02-06 15:36:36 +01:00
306a269e34
Add a DSCP configuration value to IKE configs
2013-02-06 15:20:32 +01:00
9ccfeb8ca1
Use proper buffer sizes for parse_smartcard()
2013-01-24 23:35:42 +01:00
78af36db50
Load multiple comma seperarated certificates in the leftcert option
2013-01-18 09:33:15 +01:00
c4a49008e8
Don't handle right=%any6 as "loose" identity, but as %any
2013-01-14 10:33:14 +01:00
21235e1ec2
Merge branch 'ikev1-fragmentation'
...
This adds support for the proprietary IKEv1 fragmentation extension.
Conflicts:
NEWS
2013-01-12 11:58:26 +01:00
10eee5fcba
Fixed some typos in comments
2013-01-11 10:21:51 +01:00
97973f8609
Use a connection specific option to en-/disable IKEv1 fragmentation
2012-12-24 13:00:01 +01:00
12642a6831
Moved data structures to new collections subfolder
2012-10-24 16:00:49 +02:00
1efd6c6f2a
Make use of new CIDR string ts constructor where appropriate
2012-10-24 13:25:08 +02:00
4ce55ffb0b
Use explicit, larger buffer sizes for smartcard keyids and modules
2012-10-24 13:07:53 +02:00
794d713dca
Support loading cacert certificates in ipsec.conf ca sections from smartcard
2012-10-24 13:07:53 +02:00
2abe404927
Refactored stroke smartcard token parsing, support module and slot in leftcert option
2012-10-24 13:07:53 +02:00
9687cb5100
Load ipsec.conf %smartcard leftcerts with pkcs11 builder
2012-10-24 13:07:52 +02:00
0c4b9f7cda
Add a "ipsec listcounters" command to stroke
2012-10-24 11:34:31 +02:00
f9332e0a8b
Add a print method for stroke counters
2012-10-24 11:34:31 +02:00
fc4d1568d1
Add stroke message type counters
2012-10-24 11:34:30 +02:00
5715af7508
Add stroke counters for invalid IKE messages
2012-10-24 11:34:30 +02:00
81e0e10344
Add stroke CHILD_SA rekeying counter
2012-10-24 11:34:30 +02:00
a32a8d4a67
Add stroke IKE rekey counters
2012-10-24 11:34:30 +02:00
47904e3c74
Define stroke counter types to implement
2012-10-24 11:34:11 +02:00
8554895b95
Add a stub for IKE event counters in stroke
2012-10-24 11:34:11 +02:00
1fdd62ffce
Remove version argument on peer_cfg constructor, use ike_cfg version instead
2012-10-24 10:19:33 +02:00
9fc7cc6f9b
Add IKE version information to ike_cfg_t
2012-10-24 10:18:35 +02:00
3555bacac7
Reload logger configuration on SIGHUP
...
Besides changing the configuration this allows to easily rotate log files.
Also moved logger initialization back to daemon_t.
2012-10-18 14:42:10 +02:00
82f3549fe2
Fix leak of PINs from ipsec.secrets
2012-10-09 11:54:00 +02:00
a05f3b2021
Make sure first argument is an int when using %.*s to print e.g. chunks
2012-09-28 18:01:49 +02:00
4106aea8e4
Made IP address enumeration more flexible
...
Also added an option to enumerate addresses on ignored interfaces.
2012-09-21 18:16:26 +02:00
9ba36c0f7f
Make it easy to check if an address is locally usable via changed get_interface() method
2012-09-21 18:16:26 +02:00
aed33805ce
Don't ignore loopback devices and allow addresses on them being enumerated
2012-09-21 18:16:26 +02:00
8c19323c37
Make stroke user-creds work with XAuth configs
2012-09-18 16:56:17 +02:00
b7a500e985
Set AUTH_RULE_IDENTITY_LOOSE for rightid=%<identity>
2012-09-18 14:40:41 +02:00
1e04488f32
Check for an existing lease in all stroke pools before creating a new one
2012-09-11 16:18:28 +02:00
28a3d5bfbd
Pass full pool list to release_address
2012-09-11 16:18:28 +02:00
594c58e111
Pass the full list of pools to acquire_address, enumerate in providers
...
If the provider has access to the full pool list, it can enumerate
them twice, for example to search for existing leases first, and
only search for new leases in a second step.
Fixes lease enumeration in attr-sql using multiple pools.
2012-09-11 16:18:28 +02:00
f4cc7ea11b
Add uniqueids=never to ignore INITIAL_CONTACT notifies
...
With uniqueids=no the daemon still deletes any existing IKE_SA with the
same peer if an INITIAL_CONTACT notify is received. With this new option
it also ignores these notifies.
2012-09-10 17:37:18 +02:00
383c174a79
Print the name of mem pools instead of the confusing <base>/<size>
2012-09-10 12:42:09 +02:00
1323dc1138
Merge branch 'multi-vip'
...
Brings support for multiple virtual IPs and multiple pools in
left/rigthsourceip definitions. Also introduces the new left/rightdns
options to configure requested DNS server address family and respond
with multiple connection specific servers.
2012-08-31 12:55:56 +02:00
7240914955
Use eap_vendor_type_from_string() in stroke
2012-08-31 11:40:28 +02:00
d55fe264d1
Pass all configured pool names to attribute provider enumerator
2012-08-30 16:43:43 +02:00
feb8550401
Pass a list instead of a single virtual IP to attribute enumerators
2012-08-30 16:43:42 +02:00
96c2b3cf89
Support multiple addresses/pools in left/rightsourceip
2012-08-30 16:43:42 +02:00
497ce2cf51
Support multiple address pools configured on a peer_cfg
2012-08-30 16:43:42 +02:00
101d26babe
Support multiple virtual IPs on peer_cfg and ike_sa classes
2012-08-30 16:43:42 +02:00
63e460542c
Add a stroke attribute_handler requesting DNS servers given with leftdns
2012-08-21 09:38:01 +02:00
9937ca069a
Serve ipsec.conf rightdns servers through stroke attribute provider
2012-08-21 09:38:01 +02:00
17319aa28d
Add a left/rightdns keyword to configure connection specific DNS attributes
2012-08-21 09:38:00 +02:00
b223d517c8
Replaced usages of CHARON_*_PORT with calls to get_port().
2012-08-08 15:12:25 +02:00
e7ea057fd2
Make the UDP ports charon listens for packets on (and uses as source ports) configurable.
2012-08-08 15:07:43 +02:00
874f7c7e2c
Don't add ANY identity constraint to auth config, as XAuth rounds don't use one
2012-07-26 12:38:34 +02:00
46df61dff7
Add an ipsec.conf leftgroups2 parameter for the second authentication round
2012-07-26 11:51:58 +02:00
87dd205b61
Add a return value to hasher_t.allocate_hash()
2012-07-16 14:55:06 +02:00
8d98f7fef6
Avoid that any % characters (e.g. in %any) are evaluated when logging via stroke
2012-07-12 16:58:00 +02:00
0619ddfaa4
Refactored heavily #ifdefd capability code to its own libstrongswan class
2012-07-04 11:01:40 +02:00
0f018a7324
Show some uname() info in "ipsec statusall"
2012-06-28 11:56:40 +02:00
dc6d259635
Show remote EAP/XAuth identity in "statusall" on a separate line
2012-06-27 11:42:00 +02:00
26d77eb3e6
Centralized thread cancellation in processor_t
...
This ensures that no threads are active when plugins and the rest of the
daemon are unloaded.
callback_job_t was simplified a lot in the process as its main
functionality is now contained in processor_t. The parent-child
relationships were abandoned as these were only needed to simplify job
cancellation.
2012-06-25 17:38:59 +02:00
dd1381e7d3
Show EAP/XAuth identity in "ipsec status", if available
2012-06-25 10:18:35 +02:00
e2dd114f37
Select requested virtual IP family based on remote TS, if no local TS available
2012-06-20 10:02:01 +02:00
137035cc78
Show what kind of *Swan we run in "ipsec status"
2012-06-14 10:25:48 +02:00
e35bbb9740
Added signature scheme options left/rightauth
2012-06-12 15:01:39 +02:00
a37f2d2006
certificate_t->issued_by takes an argument to receive signature scheme
2012-06-12 14:24:49 +02:00
1d315bddd3
implemented the right|leftallowany feature
2012-06-08 21:24:41 +02:00
21043198ff
Show expiration time of rekeyed CHILD_SAs in statusall
2012-06-05 10:29:43 +02:00
2ac996cb71
list IKEv1 Aggressive Mode in ipsec statusall
2012-05-23 11:12:27 +02:00
5c162dd944
List registered nonce generators in statusall output.
2012-05-18 08:15:41 +02:00
80c5b17d1a
make IKEv1 DPD timeout configurable in charon
2012-05-17 19:49:22 +02:00
1e26235a0d
fixed feature dependencies for CERT_TRUSTED_PUBKEY
2012-05-05 08:54:36 +02:00
42500c274a
Use name from initialization to access settings in libcharon.
...
Also fixes several whitespace errors.
2012-05-03 13:57:04 +02:00
2ee11fd42d
display (soft) same as (not loaded)
2012-05-03 11:54:56 +02:00
493c468d4d
charon is now an IKE daemon
2012-05-03 11:49:30 +02:00
c9931135d1
stroke plugin sdepends on building CERT_ANY certificates
2012-05-03 11:07:21 +02:00
ead92870b8
Loggers specify what log messages they want to receive during registration.
...
This also allows us to generate the log message only once for all
loggers that need it (avoids calls to custom printf specifier callbacks).
To update the log levels loggers can simply be registered again.
2012-05-02 14:45:38 +02:00
daab152afa
Add plugin features support to stroke plugin
2012-05-02 14:05:52 +02:00
b24be29646
Merge branch 'ikev1'
...
Conflicts:
configure.in
man/ipsec.conf.5.in
src/libcharon/encoding/generator.c
src/libcharon/encoding/payloads/notify_payload.c
src/libcharon/encoding/payloads/notify_payload.h
src/libcharon/encoding/payloads/payload.c
src/libcharon/network/receiver.c
src/libcharon/sa/authenticator.c
src/libcharon/sa/authenticator.h
src/libcharon/sa/ikev2/tasks/ike_init.c
src/libcharon/sa/task_manager.c
src/libstrongswan/credentials/auth_cfg.c
2012-05-02 11:12:31 +02:00
552557a65d
add AUTH_RULE_SUBJECT_CERT for raw public keys
2012-04-30 13:40:48 +02:00
3577ec76a5
output validity of raw public key if available
2012-04-30 09:47:34 +02:00
5f1931ada1
added support for raw RSA public keys to stroke
2012-04-30 00:31:42 +02:00
7e84c4275c
Removed auth_cfg_t.replace_value() and replaced usages with add().
...
replace_value() was used to replace identities. Since for these the latest is
now returned by get(), adding the new identity with add() is sufficient.
2012-04-18 18:50:14 +02:00
80067cf9e6
Store password with remote ID to tie it stronger to a specific connection.
2012-04-18 13:32:49 +02:00
9f1b303afc
Added stroke user-creds command, to set username/password for a connection.
2012-04-17 14:20:58 +02:00
7b00fdeb84
Added method to add additional shared secrets to stroke_cred_t.
2012-04-17 14:20:58 +02:00
4c31657d2c
Typo fixed.
2012-04-17 14:20:58 +02:00
4626e49ad9
remove leading zero in ASN.1 encoded serial numbers
2012-04-05 09:04:11 +02:00
320fd5fe62
moved chunk_skip_zero to chunk.h
2012-04-03 14:12:50 +02:00
b1f2f05c92
Merge branch 'ikev1-clean' into ikev1-master
...
Conflicts:
configure.in
man/ipsec.conf.5.in
src/libcharon/daemon.c
src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
src/libcharon/plugins/eap_radius/eap_radius_accounting.c
src/libcharon/plugins/eap_radius/eap_radius_forward.c
src/libcharon/plugins/farp/farp_listener.c
src/libcharon/sa/ike_sa.c
src/libcharon/sa/keymat.c
src/libcharon/sa/task_manager.c
src/libcharon/sa/trap_manager.c
src/libstrongswan/plugins/x509/x509_cert.c
src/libstrongswan/utils.h
Applied lost changes of moved files keymat.c and task_manager.c.
Updated listener_t.message hook signature in new plugins.
2012-03-20 17:57:53 +01:00
5aef6bd0f3
Accept NULL auth_cfg_t passed to credential_manager_t.get_private()
2012-03-20 17:31:39 +01:00
c791def8c1
Added support for authby/xauth_server legacy options
2012-03-20 17:31:38 +01:00
5763367cac
Show IKE version in ipsec statusall
2012-03-20 17:31:37 +01:00
e129168ba6
Added a "aggressive" ipsec.conf connection option
2012-03-20 17:31:34 +01:00
5ce59d4c06
Added an aggressive mode peer_cfg option
2012-03-20 17:31:34 +01:00
747f837cce
Added a flag to register local credential sets exclusively, disabling all others
2012-03-20 17:31:28 +01:00
ac009df132
Pass IKE version to peer config enumerator, filter configs
2012-03-20 17:31:25 +01:00
d94c923648
Support an "any" IKE version for both IKEv1 or IKEv2
2012-03-20 17:31:25 +01:00
f29a4f1c64
Added support for iKEIntermediate X.509 extended key usage flag.
...
Mac OS X requires server certificates to have this flag set.
2012-03-20 17:31:24 +01:00
5f6a37eb9b
Be a little more verbose about XAuth configs in ipsec statusall
2012-03-20 17:31:23 +01:00
21a4fc832e
Pass ipsec.conf xauth_identity option via stroke to charon configurations
2012-03-20 17:31:23 +01:00
0a43f4b6c4
Log configured IKE version in stroke plugin.
2012-03-20 17:31:20 +01:00
cbda13f6fe
Accept a xauth backend name appended to left/rightauth
2012-03-20 17:31:15 +01:00
96c9159d96
Use a second authentication config to configure XAUTH authentication
2012-03-20 17:31:15 +01:00
b4e815354c
Map auth_class to auth method and IKEv1 proposal attribute
2012-03-20 17:30:53 +01:00
23f4e4b42d
IKEv1 XAUTH: Added ability to configure XAUTH+PSK. Added task to handle XAUTH requests. Modified task_manager_v1 to enable it to initiate new tasks immediately after finishing a response.
2012-03-20 17:30:49 +01:00
cf1772f685
Do not ignore configs for IKEv1 in charon anymore
2012-03-20 17:30:43 +01:00
f7a8fcedc0
Use enum to define IKE version on peer_cfg_t.
...
Replaced all those magic numbers.
2012-03-20 17:30:41 +01:00
bc403eb1e5
Fixed crash and locking issues while unrouting connections via stroke
2012-03-13 10:56:22 +01:00
Martin Willi