Andreas Steffen
f44dbc639b
DBG1 level now shows stepping up through the certificate hierarchy up to the trust anchor
2007-05-25 08:29:35 +00:00
Andreas Steffen
13b872ebd2
set certinfo status to CERT_UNKNOWN before crl and|or ocsp verification
2007-05-25 08:21:27 +00:00
Martin Willi
1f2a0f8098
removed paranoid module checking
2007-05-25 05:45:41 +00:00
Martin Willi
1fa9bdc4fb
added compatibility names (pluto) for sha2 algorithms (sha2_256, ...)
2007-05-25 05:44:53 +00:00
Martin Willi
16878f6823
support for virtual IP definition on client side:
...
if leftsourceip is defined, it is requested.
server may define rightsourceip=%config to accept any,
or it may overwrite it using rightsourceip.
if server does not return an IP, client enforces its configured leftsourceip.
2007-05-22 13:49:31 +00:00
Andreas Steffen
3388e7674d
fixed nextUpdate and until behaviour in the non-strict case
2007-05-19 19:46:13 +00:00
Andreas Steffen
6e04f25313
support of CA-based ipsec policies
2007-05-18 12:25:37 +00:00
Andreas Steffen
ca78602304
verification of locally loaded peer certificates
2007-05-15 14:51:04 +00:00
Andreas Steffen
2e324229c0
support of multiple certificates with same peer id
2007-05-15 12:46:05 +00:00
Martin Willi
6874bf698c
changing UID/GID after startup of pluto/charon
...
added --with-uid/--with-gid configure option
2007-05-07 12:38:46 +00:00
Martin Willi
a4a3884c83
extended interface_manager (more work needed here)
2007-05-03 14:22:52 +00:00
Martin Willi
0ccb275a93
added more API documentation to backends/interfaces
2007-04-30 10:23:01 +00:00
Martin Willi
a84fb01b96
restructuring of configuration backends
...
added prototypes of new control interfaces (xml & dbus)
introduced loadable:
configuration backends
control interfaces
using pluggable modules as in EAP
2007-04-27 14:25:08 +00:00
Martin Willi
c80e8ba11a
added support for AES-XCBC in kernel using e.g. esp=aes128-aesxcbc (>=linux-2.6.20)
2007-04-23 13:00:20 +00:00
Martin Willi
17712ea866
fixed CHILD_SA proposal selection when not using DH exchange
2007-04-23 12:59:10 +00:00
Andreas Steffen
4841189b72
implementation of strictcrlpolicy=ifuri
2007-04-20 11:12:08 +00:00
Martin Willi
1fd5383e61
added PFS support for CHILD_SAs
...
support for INVALID_KE_PAYLOAD negotiation for rekeying
2007-04-19 08:02:19 +00:00
Andreas Steffen
f880eb2dca
started support of X.509 attribute certificates
2007-04-12 17:49:33 +00:00
Martin Willi
1dad08b035
fixed DPD delay in peer_cfg
2007-04-12 06:20:42 +00:00
Martin Willi
3b138b8422
cleaned up apidoc
...
added some comments
removed configuration.[ch], as it does not make sense like it is
2007-04-11 07:20:39 +00:00
Martin Willi
de55c6895f
accepting stroke initiation by a name of a child_cfg
2007-04-11 05:58:38 +00:00
Andreas Steffen
4876f521d6
best must be initialized to 2*MAX_WILDCARDS+1
2007-04-10 22:35:45 +00:00
Martin Willi
e0fe765152
restructured file layout
...
new configuration structure:
peer_cfg: configuration related to a peer (authentication, ...)
ike_cfg: config to use for IKE setup (proposals)
child_cfg: config for CHILD_SA (proposals, traffic selectors)
a peer_cfg has one ike_cfg and multiple child_cfg's
stroke now uses fixed count of threads
2007-04-10 06:01:03 +00:00
Andreas Steffen
4c56bd64e5
removed list_crls() and list_ocsp() methods
2007-04-06 09:43:20 +00:00
Andreas Steffen
8883eef7b8
support cachecrls=yes
2007-04-05 17:07:14 +00:00
Andreas Steffen
a0eaa59b50
implemented dynamic http-based CRL fetching
2007-04-03 21:11:23 +00:00
Martin Willi
9179ac9667
merged changes from eap-aka trunk
2007-03-28 07:32:54 +00:00
Andreas Steffen
9d9c72e317
is_trusted() adds cert_status to cert_to_be_trusted
2007-03-28 05:38:42 +00:00
Andreas Steffen
1bf8530507
implemented ipsec listocsp function
2007-03-27 04:40:25 +00:00
Martin Willi
ddd1b31595
adjusted rekey-retry delay and jitter
2007-03-21 16:12:16 +00:00
Martin Willi
4315f5c88b
fixed some rekey collision issues
...
added retry with jitter when rekeying fails
2007-03-21 16:11:14 +00:00
Martin Willi
a1e5881c42
renamed keyingtries attribute
2007-03-20 08:14:18 +00:00
Martin Willi
7cec30ad8d
added AES-192/256 proposals to IKE
2007-03-13 14:55:03 +00:00
Andreas Steffen
db0f828413
results from the single responses are stored in the corresponding certinfo_t structs
2007-03-12 13:42:31 +00:00
Andreas Steffen
7c1b9ab784
moved credential_store.h from charon/config/credentials to libstrongswan
2007-03-09 16:50:19 +00:00
Andreas Steffen
5455cf230f
fixed a certinfo_t memory leak in verify()
2007-03-09 14:59:28 +00:00
Andreas Steffen
1bcb84605f
ocsp signer certificate and ocsp response signature can be verified
2007-03-08 23:29:04 +00:00
Andreas Steffen
162afac75f
fixed call of add_auth_certificate()
2007-03-08 19:44:14 +00:00
Andreas Steffen
33d108de22
generalized get_ca_certificate() to get_auth_certificate(auth_flags)
2007-03-08 18:56:43 +00:00
Andreas Steffen
9f4039755d
support of ocsp signing certificates
2007-03-08 16:46:50 +00:00
Martin Willi
069f01cfef
removed SHA2 kernel proposals from default, the kernel doesn't support them yet
2007-03-08 15:18:51 +00:00
Martin Willi
0cde6c412b
added more debugging output for policy lookup
...
returning a (dummy) policy even when TS does not match, so we can properly send a TS_UNACCEPTABLE
2007-03-08 14:40:15 +00:00
Martin Willi
9aa20fdae8
added SHA2 MAC and PRF to default proposal
2007-03-08 00:16:33 +00:00
Martin Willi
9de7540eee
fixed traffic selector redundancy removal code (not completely tested)
2007-03-06 20:55:19 +00:00
Andreas Steffen
69351da14d
add crl and ocsp uris to linked list after partial verification
2007-03-06 18:51:56 +00:00
Martin Willi
6e1be42744
some cleanups
...
not assigning %any virtual IPs to peer anymore
2007-03-05 22:07:36 +00:00
Martin Willi
02b3101b67
fixed double free bug
2007-03-05 22:02:14 +00:00
Andreas Steffen
81020aaefd
refactored ca_info_t
2007-03-03 21:08:07 +00:00
Martin Willi
0c8aba6771
added support for 0.0.0.0/0 traffic selectors
...
fixed routing to make correct 0.0.0.0/0 routes
2007-03-01 11:42:08 +00:00
Martin Willi
c60c7694d2
merged tasking branch into trunk
2007-02-28 14:04:36 +00:00
Andreas Steffen
7d119253f6
added support of OCSP accessLocations
2007-02-25 08:14:50 +00:00
Andreas Steffen
b3e4211fc3
full support of ca info records
2007-02-24 23:18:31 +00:00
Andreas Steffen
182d20e94e
support of ca info records
2007-02-23 15:15:31 +00:00
Martin Willi
f27f6296e6
merged EAP framework from branch into trunk
...
includes a lot of other modifications
2007-02-12 15:56:47 +00:00
Andreas Steffen
6fda18d99d
%T requires time_t ptr
2007-02-08 17:59:37 +00:00
Martin Willi
7995489a6d
added support for NULL encryption in ESP
2007-02-08 13:54:42 +00:00
Martin Willi
9425da1816
include NO_EXT_SEQUENCE_NUMBER in default proposal
2007-02-08 13:31:31 +00:00
Martin Willi
21f42524e0
support for transport in create_child_sa
...
include TRANSPORT/TUNNEL information in statusall
2007-01-08 06:55:50 +00:00
Martin Willi
7652be891c
added support for transport mode and (experimental!) BEET mode
...
support for the type=transport/tunnel parameter in charon
2006-12-21 14:35:17 +00:00
Martin Willi
6fe03b0af0
implemented reauthentication using the new reauth=yes|no parameter
2006-12-19 07:30:07 +00:00
Andreas Steffen
3b62f53fa4
fixed output of proto/port selectors
2006-11-02 07:51:53 +00:00
Andreas Steffen
1f9160614a
cosmetics
2006-11-01 17:28:01 +00:00
Martin Willi
db7ef62494
better split up of library files "types.h" & "definitions.h"
...
centralized all printf specifier character definitions
reuse of arginfo handlers
more cleanups
fixed more AMD64 issues
added DEBUG_LEVEL compile flag to exclude DBGn() statements
2006-10-31 12:27:59 +00:00
Andreas Steffen
29137c0cef
preparations to include certreqs in policy decisions
2006-10-31 07:04:15 +00:00
Martin Willi
382b481795
moved typedefs to beginning of files to solve some include problems
...
split authenticator to have a separate implementation for each auth_method_t
using va_copy to clone va_lists, should fix problems on AMD64
some other cleanups
2006-10-30 14:07:05 +00:00
Andreas Steffen
a702b731cb
support of certreq payload in IKE_AUTH messages
2006-10-28 20:02:26 +00:00
Andreas Steffen
6ae7d265fb
added method get_ca_certificate()
2006-10-28 15:32:30 +00:00
Andreas Steffen
5db5740075
added methods get_my_ca() and get_other_ca()
2006-10-28 15:31:42 +00:00
Andreas Steffen
af6d6bb954
added methods get_my_ca() and get_other_ca()
2006-10-28 15:31:29 +00:00
Martin Willi
b83806d83d
improved signal handling and emitting
2006-10-26 09:46:56 +00:00
Martin Willi
191a26a6a7
removed deprecated iterator methods (has_next & current)
...
added iterator hook to manipulate iterator the clean way
2006-10-24 14:20:45 +00:00
Martin Willi
55bbff11ec
linked list cleanups
...
added list methods invoke(), destroy_offset(), destroy_function()
simplified list destruction when destroying its items
2006-10-24 08:46:17 +00:00
Martin Willi
e706c7f10b
code cleanups in printf handlers
2006-10-20 05:57:25 +00:00
Martin Willi
60356f3375
introduced new logging subsystem using bus:
...
passive listeners can register on the bus
active listeners wait for signals actively
multiplexing allows multiple listeners to receive debug signals
a lot more...
2006-10-18 11:46:13 +00:00
Martin Willi
47f5027807
introduced printf() specifiers for:
...
host_t (%H)
identification_t (%D)
chunk pointers (%B)
memory pointer/length (%b)
added a signaling bus:
receives event and debug messages, sends them to its listeners
stream_logger, sys_logger, file_logger added, listen to bus
some other tweaks here and there
2006-09-27 14:14:44 +00:00
Andreas Steffen
2e5935815d
moved auth_method to policy
2006-09-25 05:52:13 +00:00
Andreas Steffen
54c6c4711f
added hostaccess support; moved auth_method to policy
2006-09-25 05:51:16 +00:00
Andreas Steffen
833a7cbc50
support of encrypted private key files
2006-09-20 05:48:27 +00:00
Martin Willi
b5cac6684d
added copyright notice to sha2_hasher
...
included SHA2 in build process
2006-09-19 14:54:01 +00:00
Martin Willi
462129d332
added support for 3DES encryption algorithm in IKE
2006-09-19 11:18:35 +00:00
Andreas Steffen
43ead00a2f
fixed the ids parsing bug
2006-09-19 06:16:48 +00:00
Martin Willi
e63c4d8b8b
fixed memleak
...
fixed proper handling of id parsing errors
proper return value when no PSK found
2006-09-18 11:39:53 +00:00
Andreas Steffen
e2de376c74
added PSK support
2006-09-18 07:42:57 +00:00
Martin Willi
d7934d0cfc
implemented updown script to handle firewalling
2006-09-12 13:50:14 +00:00
Martin Willi
a095243f60
add priority management for kernel policy
...
leave ROUTED policies installed until manually removed
introduced new naming scheme to allow proper shutdown of IKE/CHILD_SAs
ike_sa_manager cleanups
2006-09-08 13:10:52 +00:00
Martin Willi
1239c6f40b
implemented handling of dpdaction and dpddelay ipsec.conf parameters
2006-09-08 06:12:02 +00:00
Martin Willi
a655f5c09c
reuse reqid when a ROUTED child_sa gets INSTALLED
...
fixed a bug in retransmission code
added support for the "keyingtries" ipsec.conf parameter
added support for the "dpddelay" ipsec.conf parameter
done some work for "dpdaction" behavior
some other cleanups and fixes
2006-09-05 14:07:25 +00:00
Martin Willi
48d9883a3e
initial support for IPv6 (more testing needed)
...
socket works (without v6 filter)
traffic selectors handle IPv4/v4 cleanly
improvements in traffic selector code
kernel interface accepts v6 traffic selectors and hosts
host_t class has full IPv6 support
2006-08-30 17:12:56 +00:00
Martin Willi
fa8d578d94
fixed crash bug when doing "ipsec down" with an unknown connection
2006-08-25 09:19:42 +00:00
Martin Willi
f698448ea3
implemented proper refcounting using atomic operations
2006-07-28 09:45:18 +00:00
Martin Willi
fe04e93a8b
implemented IKE_SA rekeying
...
uses ikelifetime, rekeymargin and rekeyfuzz config settings
no handling of simultaneous exchanges yet!
2006-07-27 12:18:40 +00:00
Martin Willi
45f76a7ddd
added possibility to route CHILD_SAs without setting them up
...
support for auto=route parameter
support for ipsec route and ipsec unroute
initiating of CHILD and/or IKE_SAs based on kernel acquires
2006-07-21 13:31:53 +00:00
Martin Willi
8dfbe71b34
introduced refcounting on policy and connections
...
aren't stored in the IKE_SA anymore, they are queried on the fly
are immutable now, allows it to share them
policy selection based on traffic selectors, leads to valid lookup results
rekeying queries the policy based on its traffic selectors
2006-07-20 10:09:32 +00:00
Martin Willi
92ee45a0ee
cleanups in kernel interface code
...
added proper traffic selector to string conversion
some cleanups here & there
2006-07-18 12:53:54 +00:00
Andreas Steffen
c361cc8c51
identification_t.matches() supports multiple wildcard counts
2006-07-11 06:12:45 +00:00
Martin Willi
c71d53ba4e
updated copyright information
2006-07-07 08:49:06 +00:00
Martin Willi
d109b48968
added support for leftprotoport and rightprotoport
2006-07-05 13:13:07 +00:00
Martin Willi
3dd3c5f39e
redesigned IKE_SA using a transaction mechanism:
...
removed old state machine
reimplemented IKE_SA setup and delete
implemented dead peer detection
implemented keep-alives
a lot of fixes
no rekeying yet
2006-07-05 10:53:20 +00:00
Andreas Steffen
a642cbe3ae
log entries start with lowercase character
2006-07-04 06:11:35 +00:00
Andreas Steffen
971218c3ae
support of cert payloads
2006-07-03 06:27:45 +00:00
Andreas Steffen
6f74bfd6ac
added X.509 trust chain verification
2006-06-27 08:48:28 +00:00
Martin Willi
2f89902d07
applied new changes from NATT team
...
DPD only done when no IPsec and IKE traffic processed
minor changes here and there
2006-06-23 14:02:30 +00:00
Martin Willi
1396815afb
first merge of NATT code
2006-06-22 06:36:28 +00:00
Martin Willi
aed58dcc93
readded local_credential_store
...
added sendcert policy to connection
some other cleanups
2006-06-20 08:43:57 +00:00
Andreas Steffen
21b433c641
implemented rereadcrls rereadcacerts
2006-06-20 06:05:01 +00:00
Andreas Steffen
db959e6ea3
removed local_credential_store
2006-06-20 05:57:52 +00:00
Andreas Steffen
21e7a724d0
added crl support
2006-06-16 05:55:30 +00:00
Martin Willi
147fe5095d
fixed aes code, we support now aes128, aes192, aes256 in IKE
2006-06-15 13:14:09 +00:00
Martin Willi
c095388f7f
added support for "ike" and "esp" keywords
...
fixed bugs in proposal code
algorithm selection for charon works now with ipsec.conf
a lot of other fixes
2006-06-15 11:09:11 +00:00
Martin Willi
fa32cd3c47
debug and logging improvements
2006-06-13 10:01:04 +00:00
Andreas Steffen
bc35460db7
add_certificate() now returns pointer to added cert
2006-06-12 07:57:14 +00:00
Martin Willi
a2a3fb3e25
workaround for peers rekeying at the same time
...
loading lifetime policies from ipsec.conf
2006-06-12 07:33:20 +00:00
Martin Willi
695723d4e8
old child_sa gets deleted after rekeying
...
rekeying almost complete, but:
IKE_SAs get into an invalid state when both initiate rekeying at the same time,
2006-06-09 15:12:43 +00:00
Martin Willi
b543bef50c
improved kernel interface logging
2006-06-09 08:41:41 +00:00
Martin Willi
0bb32cb5f3
fixed clone/destroy behavior when not using CAs
2006-06-09 07:40:40 +00:00
Martin Willi
5c131a016b
specifying keysize in bits, as it is required in IKEv2
...
added generic kernel SA algorithm handling, which brings us:
aes-128, aes-256, blowfish, des, 3des and null encryption for CHILD_SAs
2006-06-09 07:31:30 +00:00
Andreas Steffen
b7f9ca5837
added support for leftsendcert= and left|rightca= parameters
2006-06-09 05:50:41 +00:00
Andreas Steffen
ac427e3677
discard cert if CA basic constraints flag is not set and warn if cert is not valid
2006-06-09 05:48:49 +00:00
Martin Willi
5238c9afef
fixed compile warnings when using -Wall
...
further CHILD_SA rekeying work done:
creation of a new CHILD_SA on a expire from a kernel works
delete of old CHILD_SA still missing
some issues when both initiate rekeying
2006-06-08 14:20:05 +00:00
Martin Willi
8d77eddec2
further work for rekeying:
...
get lifetimes from policy
added new state
initiation of rekeying done
proposal redone:
removed support for AH+ESP proposals
2006-06-07 13:26:23 +00:00
Martin Willi
6f2aba1322
- fixed some memleaks/freebugs
...
- leak detective works almost usable now (?!)
2006-05-31 14:13:26 +00:00
Martin Willi
bd72398729
- fixed host-host tunnel traffic selection, host-host works now
2006-05-31 06:52:27 +00:00
Andreas Steffen
6d5e617f7d
full support of ikev1 and ikev2 connection flags
2006-05-30 11:10:42 +00:00
Andreas Steffen
fa896e9a21
new functions to add certificates and retrieve private and public keys
2006-05-30 07:52:25 +00:00
Andreas Steffen
d793980f56
changed log level
2006-05-30 07:50:15 +00:00
Martin Willi
9fe14f4b8a
- policies contain a connections name now
...
- used for initiate and delete
- connections won't get initiated twice anymore
- deleting of connections is now possible, which allows us to use
ipsec update and ipsec reload
2006-05-29 11:09:45 +00:00
Martin Willi
8b5be79d83
- show connection templates in status & statusall
...
- don't complain on termination of IKEv1 connections
2006-05-23 13:25:57 +00:00
Martin Willi
7ba69503aa
- changed config load strategy:
...
starter loads both connections in charon & pluto,
charon ignores anything with keyexchange!=ikev2.
pluto needs the same behavior.
2006-05-23 10:07:02 +00:00
Martin Willi
86a7937b45
- applied patch from andreas, which allows certificate listing via stroke
2006-05-19 06:44:08 +00:00
Martin Willi
b5e1560659
- applied andreas's patch
...
- logger output improvements
- testing updates
- and a lot more
2006-05-18 06:02:28 +00:00
Martin Willi
f2c2d395ff
- introduced autotools
...
- first working version
- make dist should work
- things to do:
- UML testing!
- more cleanups
2006-05-16 14:24:03 +00:00
Martin Willi
b8577029d1
2006-05-10 08:02:49 +00:00