Commit Graph

232 Commits

Author SHA1 Message Date
Andreas Steffen f44dbc639b DBG1 level now shows stepping up through the certificate hierarchy up to the trust anchor 2007-05-25 08:29:35 +00:00
Andreas Steffen 13b872ebd2 set certinfo status to CERT_UNKNOWN before crl and|or ocsp verification 2007-05-25 08:21:27 +00:00
Martin Willi 1f2a0f8098 removed paranoid module checking 2007-05-25 05:45:41 +00:00
Martin Willi 1fa9bdc4fb added compatibility names (pluto) for sha2 algorithms (sha2_256, ...) 2007-05-25 05:44:53 +00:00
Martin Willi 16878f6823 support for virtual IP definition on client side:
if leftsourceip is defined, it is requested.
  server may define rightsourceip=%config to accept any,
  or it may overwrite it using rightsourceip.
  if server does not return an IP, client enforces its configured leftsourceip.
2007-05-22 13:49:31 +00:00
Andreas Steffen 3388e7674d fixed nextUpdate and until behaviour in the non-strict case 2007-05-19 19:46:13 +00:00
Andreas Steffen 6e04f25313 support of CA-based ipsec policies 2007-05-18 12:25:37 +00:00
Andreas Steffen ca78602304 verification of locally loaded peer certificates 2007-05-15 14:51:04 +00:00
Andreas Steffen 2e324229c0 support of multiple certificates with same peer id 2007-05-15 12:46:05 +00:00
Martin Willi 6874bf698c changing UID/GID after startup of pluto/charon
added --with-uid/--with-gid configure option
2007-05-07 12:38:46 +00:00
Martin Willi a4a3884c83 extended interface_manager (more work needed here) 2007-05-03 14:22:52 +00:00
Martin Willi 0ccb275a93 added more API documentation to backends/interfaces 2007-04-30 10:23:01 +00:00
Martin Willi a84fb01b96 restructuring of configuration backends
added prototypes of new control interfaces (xml & dbus)
introduced loadable:
  configuration backends
  control interfaces
using pluggable modules as in EAP
2007-04-27 14:25:08 +00:00
Martin Willi c80e8ba11a added support for AES-XCBC in kernel using e.g. esp=aes128-aesxcbc (>=linux-2.6.20) 2007-04-23 13:00:20 +00:00
Martin Willi 17712ea866 fixed CHILD_SA proposal selection when not using DH exchange 2007-04-23 12:59:10 +00:00
Andreas Steffen 4841189b72 implementation of strictcrlpolicy=ifuri 2007-04-20 11:12:08 +00:00
Martin Willi 1fd5383e61 added PDF support for CHILD_SAs
support for INVALID_KE_PAYLOAD negotiation for rekeying
2007-04-19 08:02:19 +00:00
Andreas Steffen f880eb2dca started support of X.509 attribute certificates 2007-04-12 17:49:33 +00:00
Martin Willi 1dad08b035 fixed DPD delay in peer_cfg 2007-04-12 06:20:42 +00:00
Martin Willi 3b138b8422 cleaned up apidoc
added some comments
removed configuration.[ch], as it does not make sense like it is
2007-04-11 07:20:39 +00:00
Martin Willi de55c6895f accepting stroke initiation by a name of a child_cfg 2007-04-11 05:58:38 +00:00
Andreas Steffen 4876f521d6 best must be initialized to 2*MAX_WILDCARDS+1 2007-04-10 22:35:45 +00:00
Martin Willi e0fe765152 restructured file layout
new configuration structure:
  peer_cfg: configuration related to a peer (authentication, ...)
  ike_cfg: config to use for IKE setup (proposals)
  child_cfg: config for CHILD_SA (proposals, traffic selectors)
  a peer_cfg has one ike_cfg and multiple child_cfg's
stroke now uses fixed count of threads
2007-04-10 06:01:03 +00:00
Andreas Steffen 4c56bd64e5 removed list_crls() and list_ocsp() methods 2007-04-06 09:43:20 +00:00
Andreas Steffen 8883eef7b8 support cachecrls=yes 2007-04-05 17:07:14 +00:00
Andreas Steffen a0eaa59b50 implemented dynamic http-based CRL fetching 2007-04-03 21:11:23 +00:00
Martin Willi 9179ac9667 merged changes from eap-aka trunk 2007-03-28 07:32:54 +00:00
Andreas Steffen 9d9c72e317 is_trusted() adds cert_status to cert_to_be_trusted 2007-03-28 05:38:42 +00:00
Andreas Steffen 1bf8530507 implemented ipsec listocsp function 2007-03-27 04:40:25 +00:00
Martin Willi ddd1b31595 adjusted rekey-retry delay and jitter 2007-03-21 16:12:16 +00:00
Martin Willi 4315f5c88b fixed some rekey collision issues
added retry with jitter when rekeying fails
2007-03-21 16:11:14 +00:00
Martin Willi a1e5881c42 renamed keyingtries attribute 2007-03-20 08:14:18 +00:00
Martin Willi 7cec30ad8d added AES-192/256 proposals to IKE 2007-03-13 14:55:03 +00:00
Andreas Steffen db0f828413 results from the single responses are stored in the corresponding certinfo_t structs 2007-03-12 13:42:31 +00:00
Andreas Steffen 7c1b9ab784 moved credential_store.h from charon/config/credentials to libstrongswan 2007-03-09 16:50:19 +00:00
Andreas Steffen 5455cf230f fixed a certinfo_t memory leak in verify() 2007-03-09 14:59:28 +00:00
Andreas Steffen 1bcb84605f ocsp signer certificate and ocsp response signature can be verified 2007-03-08 23:29:04 +00:00
Andreas Steffen 162afac75f fixed call of add_auth_certificate() 2007-03-08 19:44:14 +00:00
Andreas Steffen 33d108de22 generalized get_ca_certificate() to get_auth_certificate(auth_flags) 2007-03-08 18:56:43 +00:00
Andreas Steffen 9f4039755d support of ocsp signing certificates 2007-03-08 16:46:50 +00:00
Martin Willi 069f01cfef removed SHA2 kernel proposals from default, the kernel doesn't support them yet 2007-03-08 15:18:51 +00:00
Martin Willi 0cde6c412b added more debugging output for policy lookup
returning a (dummy) policy even when TS does not match, so we can properly send a TS_UNACCEPTABLE
2007-03-08 14:40:15 +00:00
Martin Willi 9aa20fdae8 added SHA2 MAC and PRF to default proposal 2007-03-08 00:16:33 +00:00
Martin Willi 9de7540eee fixed traffic selector redundancy removal code (not completely tested) 2007-03-06 20:55:19 +00:00
Andreas Steffen 69351da14d add crl and ocsp uris to linked list after partial verification 2007-03-06 18:51:56 +00:00
Martin Willi 6e1be42744 some cleanups
not assigning %any virtual IPs to peer anymore
2007-03-05 22:07:36 +00:00
Martin Willi 02b3101b67 fixed double free bug 2007-03-05 22:02:14 +00:00
Andreas Steffen 81020aaefd refactored ca_info_t 2007-03-03 21:08:07 +00:00
Martin Willi 0c8aba6771 added support for 0.0.0.0/0 traffic selectors
fixed routing to make correct 0.0.0.0/0 routes
2007-03-01 11:42:08 +00:00
Martin Willi c60c7694d2 merged tasking branch into trunk 2007-02-28 14:04:36 +00:00
Andreas Steffen 7d119253f6 added support of OCSP accessLocations 2007-02-25 08:14:50 +00:00
Andreas Steffen b3e4211fc3 full support of ca info records 2007-02-24 23:18:31 +00:00
Andreas Steffen 182d20e94e support of ca info records 2007-02-23 15:15:31 +00:00
Martin Willi f27f6296e6 merged EAP framework from branch into trunk
includes a lot of other modifications
2007-02-12 15:56:47 +00:00
Andreas Steffen 6fda18d99d %T requires time_t ptr 2007-02-08 17:59:37 +00:00
Martin Willi 7995489a6d added support for NULL encryption in ESP 2007-02-08 13:54:42 +00:00
Martin Willi 9425da1816 include NO_EXT_SEQUENCE_NUMBER in default proposal 2007-02-08 13:31:31 +00:00
Martin Willi 21f42524e0 support for transport in create_child_sa
include TRANSPORT/TUNNEL information in statusall
2007-01-08 06:55:50 +00:00
Martin Willi 7652be891c added support for transport mode and (experimental!) BEET mode
support for the type=transport/tunnel parameter in charon
2006-12-21 14:35:17 +00:00
Martin Willi 6fe03b0af0 implemented reauthentication using the new reauth=yes|no parameter 2006-12-19 07:30:07 +00:00
Andreas Steffen 3b62f53fa4 fixed output of proto/port selectors 2006-11-02 07:51:53 +00:00
Andreas Steffen 1f9160614a cosmetics 2006-11-01 17:28:01 +00:00
Martin Willi db7ef62494 better split up of library files "types.h" & "definitions.h"
centralized all printf specifier character definitions
reuse of arginfo handlers
more cleanups
fixed more AMD64 issues
added DEBUG_LEVEL compile flag to exclude DBGn() statements
2006-10-31 12:27:59 +00:00
Andreas Steffen 29137c0cef preparations to include certreqs in policy decisions 2006-10-31 07:04:15 +00:00
Martin Willi 382b481795 moved typedefs to beginning of files to solve some include problems
split authenticator to have a separate implementation for each auth_method_t
using va_copy to clone va_lists, should fix problems on AMD64
some other cleanups
2006-10-30 14:07:05 +00:00
Andreas Steffen a702b731cb support of certreq payload in IKE_AUTH messages 2006-10-28 20:02:26 +00:00
Andreas Steffen 6ae7d265fb added method get_ca_certificate() 2006-10-28 15:32:30 +00:00
Andreas Steffen 5db5740075 added methods get_my_ca() and get_other_ca() 2006-10-28 15:31:42 +00:00
Andreas Steffen af6d6bb954 added methods get_my_ca() and get_other_ca() 2006-10-28 15:31:29 +00:00
Martin Willi b83806d83d improved signal handling and emitting 2006-10-26 09:46:56 +00:00
Martin Willi 191a26a6a7 removed deprecated iterator methods (has_next & current)
added iterator hook to manipulate iterator the clean way
2006-10-24 14:20:45 +00:00
Martin Willi 55bbff11ec linked list cleanups
added list methods invoke(), destroy_offset(), destroy_function()
simplified list destruction when destroying its items
2006-10-24 08:46:17 +00:00
Martin Willi e706c7f10b code cleanups in printf handlers 2006-10-20 05:57:25 +00:00
Martin Willi 60356f3375 introduced new logging subsystem using bus:
passive listeners can register on the bus
  active listeners wait for signals actively
  multiplexing allows multiple listeners to receive debug signals
  a lot more...
2006-10-18 11:46:13 +00:00
Martin Willi 47f5027807 introduced printf() specifiers for:
host_t (%H)
  identification_t (%D)
  chunk pointers (%B)
  memory pointer/length (%b)
added a signaling bus:
  receives event and debug messages, sends them to its listeners
  stream_logger, sys_logger, file_logger added, listen to bus
some other tweaks here and there
2006-09-27 14:14:44 +00:00
Andreas Steffen 2e5935815d moved auth_method to policy 2006-09-25 05:52:13 +00:00
Andreas Steffen 54c6c4711f added hostaccess support; moved auth_method to policy 2006-09-25 05:51:16 +00:00
Andreas Steffen 833a7cbc50 support of encrypted private key files 2006-09-20 05:48:27 +00:00
Martin Willi b5cac6684d added copyright notice to sha2_hasher
included SHA2 in build process
2006-09-19 14:54:01 +00:00
Martin Willi 462129d332 added support for 3DES encryption algorithm in IKE 2006-09-19 11:18:35 +00:00
Andreas Steffen 43ead00a2f fixed the ids parsing bug 2006-09-19 06:16:48 +00:00
Martin Willi e63c4d8b8b fixed memleak
fixed proper handling of id parsing errors
proper return value when no PSK found
2006-09-18 11:39:53 +00:00
Andreas Steffen e2de376c74 added PSK support 2006-09-18 07:42:57 +00:00
Martin Willi d7934d0cfc implemented updown script to handle firewalling 2006-09-12 13:50:14 +00:00
Martin Willi a095243f60 add priority management for kernel policy
leave ROUTED policies installed until manually removed
introduced new naming scheme to allow proper shutdown of IKE/CHILD_SAs
ike_sa_manager cleanups
2006-09-08 13:10:52 +00:00
Martin Willi 1239c6f40b implemented handling of dpdaction and dpddelay ipsec.conf parameters 2006-09-08 06:12:02 +00:00
Martin Willi a655f5c09c reuse reqid when a ROUTED child_sa gets INSTALLED
fixed a bug in retransmission code
added support for the "keyingtries" ipsec.conf parameter
added support for the "dpddelay" ipsec.conf parameter
done some work for "dpdaction" behavior
some other cleanups and fixes
2006-09-05 14:07:25 +00:00
Martin Willi 48d9883a3e initial support for IPv6 (more testing needed)
socket works (without v6 filter)
  traffic selectors handle IPv4/v4 cleanly
    improvements in traffic selector code
  kernel interface accepts v6 traffic selectors and hosts
  host_t class has full IPv6 support
2006-08-30 17:12:56 +00:00
Martin Willi fa8d578d94 fixed crash bug when doing "ipsec down" with an unknown connection 2006-08-25 09:19:42 +00:00
Martin Willi f698448ea3 implemented proper refcounting using atomic operations 2006-07-28 09:45:18 +00:00
Martin Willi fe04e93a8b implemented IKE_SA rekeying
uses ikelifetime, rekeymargin and rekeyfuzz config settings
	no handling of simultaneous exchanges yet!
2006-07-27 12:18:40 +00:00
Martin Willi 45f76a7ddd added possibility to route CHILD_SAs without setting them up
support for auto=route parameter
	support for ipsec route and ipsec unroute
	initiating of CHILD and/or IKE_SAs based on kernel acquires
2006-07-21 13:31:53 +00:00
Martin Willi 8dfbe71b34 introduced refcounting on policy and connections
aren't stored in the IKE_SA anymore, they are queried on the fly
	are immutable now, allows it to share them
policy selection based on traffic selectors, leads to valid lookup results
	rekeying queries the policy based on its traffic selectors
2006-07-20 10:09:32 +00:00
Martin Willi 92ee45a0ee cleanups in kernel interface code
added proper traffic selector to string conversion
some cleanups here & there
2006-07-18 12:53:54 +00:00
Andreas Steffen c361cc8c51 identification_t.matches() supports multiple wildcard counts 2006-07-11 06:12:45 +00:00
Martin Willi c71d53ba4e updated copyright information 2006-07-07 08:49:06 +00:00
Martin Willi d109b48968 added support for leftprotoport and rightprotoport 2006-07-05 13:13:07 +00:00
Martin Willi 3dd3c5f39e redesigned IKE_SA using a transaction mechanism:
removed old state machine
  reimplemented IKE_SA setup and delete
  implemented dead peer detection
  implemented keep-alives
  a lot of fixes
  no rekeying yet
2006-07-05 10:53:20 +00:00
Andreas Steffen a642cbe3ae log entries start with lowercase character 2006-07-04 06:11:35 +00:00
Andreas Steffen 971218c3ae support of cert payloads 2006-07-03 06:27:45 +00:00
Andreas Steffen 6f74bfd6ac added X.509 trust chain verification 2006-06-27 08:48:28 +00:00
Martin Willi 2f89902d07 applied new changes from NATT team
DPD only done when no IPsec and IKE traffic processed
	minor changes here and there
2006-06-23 14:02:30 +00:00
Martin Willi 1396815afb first merge of NATT code 2006-06-22 06:36:28 +00:00
Martin Willi aed58dcc93 readded local_credential_store
added sendcert policy to connection
some other cleanups
2006-06-20 08:43:57 +00:00
Andreas Steffen 21b433c641 implemented rereadcrls rereadcacerts 2006-06-20 06:05:01 +00:00
Andreas Steffen db959e6ea3 removed local_credential_store 2006-06-20 05:57:52 +00:00
Andreas Steffen 21e7a724d0 added crl support 2006-06-16 05:55:30 +00:00
Martin Willi 147fe5095d fixed aes code, we support now aes128, aes192, aes256 in IKE 2006-06-15 13:14:09 +00:00
Martin Willi c095388f7f added support for "ike" and "esp" keywords
fixed bugs in proposal code
algorithm selection for charon works now with ipsec.conf
a lot of other fixes
2006-06-15 11:09:11 +00:00
Martin Willi fa32cd3c47 debug and logging improvements 2006-06-13 10:01:04 +00:00
Andreas Steffen bc35460db7 add_certificate() now returns pointer to added cert 2006-06-12 07:57:14 +00:00
Martin Willi a2a3fb3e25 workaround for peers rekeying at the same time
loading lifetime policies from ipsec.conf
2006-06-12 07:33:20 +00:00
Martin Willi 695723d4e8 old child_sa gets deleted after rekeying
rekeying almost complete, but:
	IKE_SA get in an invalid state when both initiate rekeying at the same time,
2006-06-09 15:12:43 +00:00
Martin Willi b543bef50c improved kernel interface logging 2006-06-09 08:41:41 +00:00
Martin Willi 0bb32cb5f3 fixed clone/destroy behavior when not using CAs 2006-06-09 07:40:40 +00:00
Martin Willi 5c131a016b specifying keysize in bits, as it is required in IKEv2
added generic kernel SA algorithm handling, which brings us:
        aes-128, aes-256, blowfish, des, 3des and null encryption for CHILD_SAs
2006-06-09 07:31:30 +00:00
Andreas Steffen b7f9ca5837 added support for leftsendcert= and left|rightca= parameters 2006-06-09 05:50:41 +00:00
Andreas Steffen ac427e3677 discard cert if CA basic constraints flag is not set and warn if cert is not valid 2006-06-09 05:48:49 +00:00
Martin Willi 5238c9afef fixed compile warnings when using -Wall
further CHILD_SA rekeying work done:
	creation of a new CHILD_SA on a expire from a kernel works
	delete of old CHILD_SA still missing
	some issues when both initiate rekeying
2006-06-08 14:20:05 +00:00
Martin Willi 8d77eddec2 further work for rekeying:
get lifetimes from policy
  added new state
  initiation of rekeying done
proposal redone:
  removed support for AH+ESP proposals
2006-06-07 13:26:23 +00:00
Martin Willi 6f2aba1322 - fixed some memleaks/freebugs
- leak detective works almost usable now (?!)
2006-05-31 14:13:26 +00:00
Martin Willi bd72398729 - fixed host-host tunnel traffic selection, host-host works now 2006-05-31 06:52:27 +00:00
Andreas Steffen 6d5e617f7d full support of ikev1 and ikev2 connection flags 2006-05-30 11:10:42 +00:00
Andreas Steffen fa896e9a21 new functions to add certificates and retrieve private and public keys 2006-05-30 07:52:25 +00:00
Andreas Steffen d793980f56 changed log level 2006-05-30 07:50:15 +00:00
Martin Willi 9fe14f4b8a - policies contain a connections name now
- used for initiate and delete
- connections won't get initiated twice anymore
- deleting of connections is now possible, which allows us to use
  ipsec update and ipsec reload
2006-05-29 11:09:45 +00:00
Martin Willi 8b5be79d83 - show connection templates in status & statusall
- don't complain on termination of IKEv1 connections
2006-05-23 13:25:57 +00:00
Martin Willi 7ba69503aa - changed config load strategy:
starter loads both connections in charon & pluto,
  charon ignores anything with keyexchange!=ikev2.
  pluto needs the same behavior.
2006-05-23 10:07:02 +00:00
Martin Willi 86a7937b45 - applied patch from andreas, which allows certificate listing via stroke 2006-05-19 06:44:08 +00:00
Martin Willi b5e1560659 - applied andreas's patch
- logger output improvements
  - testing updates
  - and a lot more
2006-05-18 06:02:28 +00:00
Martin Willi f2c2d395ff - introduced autotools
- first working version
  - make dist should work
  - things to do:
    - UML testing!
    - more cleanups
2006-05-16 14:24:03 +00:00
Martin Willi b8577029d1 2006-05-10 08:02:49 +00:00