Martin Willi
0f018a7324
Show some uname() info in "ipsec statusall"
2012-06-28 11:56:40 +02:00
Martin Willi
dc6d259635
Show remote EAP/XAuth identity in "statusall" on a separate line
2012-06-27 11:42:00 +02:00
Tobias Brunner
26d77eb3e6
Centralized thread cancellation in processor_t
...
This ensures that no threads are active when plugins and the rest of the
daemon are unloaded.
callback_job_t was simplified a lot in the process as its main
functionality is now contained in processor_t. The parent-child
relationships were abandoned as these were only needed to simplify job
cancellation.
2012-06-25 17:38:59 +02:00
Martin Willi
dd1381e7d3
Show EAP/XAuth identity in "ipsec status", if available
2012-06-25 10:18:35 +02:00
Martin Willi
e2dd114f37
Select requested virtual IP family based on remote TS, if no local TS available
2012-06-20 10:02:01 +02:00
Martin Willi
137035cc78
Show what kind of *Swan we run in "ipsec status"
2012-06-14 10:25:48 +02:00
Martin Willi
e35bbb9740
Added signature scheme options left/rightauth
2012-06-12 15:01:39 +02:00
Martin Willi
a37f2d2006
certificate_t->issued_by takes an argument to receive signature scheme
2012-06-12 14:24:49 +02:00
Andreas Steffen
1d315bddd3
implemented the right|leftallowany feature
2012-06-08 21:24:41 +02:00
Martin Willi
21043198ff
Show expiration time of rekeyed CHILD_SAs in statusall
2012-06-05 10:29:43 +02:00
Andreas Steffen
2ac996cb71
list IKEv1 Aggressive Mode in ipsec statusall
2012-05-23 11:12:27 +02:00
Tobias Brunner
5c162dd944
List registered nonce generators in statusall output.
2012-05-18 08:15:41 +02:00
Andreas Steffen
80c5b17d1a
make IKEv1 DPD timeout configurable in charon
2012-05-17 19:49:22 +02:00
Andreas Steffen
1e26235a0d
fixed feature dependencies for CERT_TRUSTED_PUBKEY
2012-05-05 08:54:36 +02:00
Tobias Brunner
42500c274a
Use name from initialization to access settings in libcharon.
...
Also fixes several whitespace errors.
2012-05-03 13:57:04 +02:00
Andreas Steffen
2ee11fd42d
display (soft) same as (not loaded)
2012-05-03 11:54:56 +02:00
Andreas Steffen
493c468d4d
charon is now an IKE daemon
2012-05-03 11:49:30 +02:00
Martin Willi
c9931135d1
stroke plugin depends on building CERT_ANY certificates
2012-05-03 11:07:21 +02:00
Tobias Brunner
ead92870b8
Loggers specify what log messages they want to receive during registration.
...
This also allows us to generate the log message only once for all
loggers that need it (avoids calls to custom printf specifier callbacks).
To update the log levels loggers can simply be registered again.
2012-05-02 14:45:38 +02:00
Martin Willi
daab152afa
Add plugin features support to stroke plugin
2012-05-02 14:05:52 +02:00
Martin Willi
b24be29646
Merge branch 'ikev1'
...
Conflicts:
configure.in
man/ipsec.conf.5.in
src/libcharon/encoding/generator.c
src/libcharon/encoding/payloads/notify_payload.c
src/libcharon/encoding/payloads/notify_payload.h
src/libcharon/encoding/payloads/payload.c
src/libcharon/network/receiver.c
src/libcharon/sa/authenticator.c
src/libcharon/sa/authenticator.h
src/libcharon/sa/ikev2/tasks/ike_init.c
src/libcharon/sa/task_manager.c
src/libstrongswan/credentials/auth_cfg.c
2012-05-02 11:12:31 +02:00
Andreas Steffen
552557a65d
add AUTH_RULE_SUBJECT_CERT for raw public keys
2012-04-30 13:40:48 +02:00
Andreas Steffen
3577ec76a5
output validity of raw public key if available
2012-04-30 09:47:34 +02:00
Andreas Steffen
5f1931ada1
added support for raw RSA public keys to stroke
2012-04-30 00:31:42 +02:00
Tobias Brunner
7e84c4275c
Removed auth_cfg_t.replace_value() and replaced usages with add().
...
replace_value() was used to replace identities. Since for these the latest is
now returned by get(), adding the new identity with add() is sufficient.
2012-04-18 18:50:14 +02:00
Tobias Brunner
80067cf9e6
Store password with remote ID to tie it more strongly to a specific connection.
2012-04-18 13:32:49 +02:00
Tobias Brunner
9f1b303afc
Added stroke user-creds command, to set username/password for a connection.
2012-04-17 14:20:58 +02:00
Tobias Brunner
7b00fdeb84
Added method to add additional shared secrets to stroke_cred_t.
2012-04-17 14:20:58 +02:00
Tobias Brunner
4c31657d2c
Typo fixed.
2012-04-17 14:20:58 +02:00
Andreas Steffen
4626e49ad9
remove leading zero in ASN.1 encoded serial numbers
2012-04-05 09:04:11 +02:00
Andreas Steffen
320fd5fe62
moved chunk_skip_zero to chunk.h
2012-04-03 14:12:50 +02:00
Martin Willi
b1f2f05c92
Merge branch 'ikev1-clean' into ikev1-master
...
Conflicts:
configure.in
man/ipsec.conf.5.in
src/libcharon/daemon.c
src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
src/libcharon/plugins/eap_radius/eap_radius_accounting.c
src/libcharon/plugins/eap_radius/eap_radius_forward.c
src/libcharon/plugins/farp/farp_listener.c
src/libcharon/sa/ike_sa.c
src/libcharon/sa/keymat.c
src/libcharon/sa/task_manager.c
src/libcharon/sa/trap_manager.c
src/libstrongswan/plugins/x509/x509_cert.c
src/libstrongswan/utils.h
Applied lost changes of moved files keymat.c and task_manager.c.
Updated listener_t.message hook signature in new plugins.
2012-03-20 17:57:53 +01:00
Martin Willi
5aef6bd0f3
Accept NULL auth_cfg_t passed to credential_manager_t.get_private()
2012-03-20 17:31:39 +01:00
Martin Willi
c791def8c1
Added support for authby/xauth_server legacy options
2012-03-20 17:31:38 +01:00
Martin Willi
5763367cac
Show IKE version in ipsec statusall
2012-03-20 17:31:37 +01:00
Martin Willi
e129168ba6
Added an "aggressive" ipsec.conf connection option
2012-03-20 17:31:34 +01:00
Martin Willi
5ce59d4c06
Added an aggressive mode peer_cfg option
2012-03-20 17:31:34 +01:00
Martin Willi
747f837cce
Added a flag to register local credential sets exclusively, disabling all others
2012-03-20 17:31:28 +01:00
Martin Willi
ac009df132
Pass IKE version to peer config enumerator, filter configs
2012-03-20 17:31:25 +01:00
Martin Willi
d94c923648
Support an "any" IKE version for both IKEv1 or IKEv2
2012-03-20 17:31:25 +01:00
Tobias Brunner
f29a4f1c64
Added support for iKEIntermediate X.509 extended key usage flag.
...
Mac OS X requires server certificates to have this flag set.
2012-03-20 17:31:24 +01:00
Martin Willi
5f6a37eb9b
Be a little more verbose about XAuth configs in ipsec statusall
2012-03-20 17:31:23 +01:00
Martin Willi
21a4fc832e
Pass ipsec.conf xauth_identity option via stroke to charon configurations
2012-03-20 17:31:23 +01:00
Tobias Brunner
0a43f4b6c4
Log configured IKE version in stroke plugin.
2012-03-20 17:31:20 +01:00
Martin Willi
cbda13f6fe
Accept an xauth backend name appended to left/rightauth
2012-03-20 17:31:15 +01:00
Martin Willi
96c9159d96
Use a second authentication config to configure XAUTH authentication
2012-03-20 17:31:15 +01:00
Martin Willi
b4e815354c
Map auth_class to auth method and IKEv1 proposal attribute
2012-03-20 17:30:53 +01:00
Clavister OpenSource
23f4e4b42d
IKEv1 XAUTH: Added ability to configure XAUTH+PSK. Added task to handle XAUTH requests. Modified task_manager_v1 to enable it to initiate new tasks immediately after finishing a response.
2012-03-20 17:30:49 +01:00
Martin Willi
cf1772f685
Do not ignore configs for IKEv1 in charon anymore
2012-03-20 17:30:43 +01:00
Tobias Brunner
f7a8fcedc0
Use enum to define IKE version on peer_cfg_t.
...
Replaced all those magic numbers.
2012-03-20 17:30:41 +01:00
Martin Willi
bc403eb1e5
Fixed crash and locking issues while unrouting connections via stroke
2012-03-13 10:56:22 +01:00
Tobias Brunner
9ec66bc1a5
Added an option to load CA certificates without CA basic constraint.
...
Enabling this option treats all certificates in ipsec.d/cacerts and
ipsec.conf ca sections as CA certificates even if they do not contain a
CA basic constraint.
2012-02-01 14:34:52 +01:00
Tobias Brunner
f1ba06c1c6
Cache list of plugin names to further simplify its usage.
...
Also helpful for ipsec statusall to avoid having to enumerate plugins.
2012-01-19 12:37:42 +01:00
Tobias Brunner
576298a3ef
Simplified logging of list of loaded plugins.
2012-01-19 11:56:03 +01:00
Tobias Brunner
7c0c2349a9
Make number of concurrently handled stroke messages configurable.
2011-12-29 18:41:39 +01:00
Tobias Brunner
8ff513a863
Limit the number of concurrently handled stroke messages.
...
This avoids clogging the thread pool with potentially blocking jobs.
2011-12-29 18:39:34 +01:00
Tobias Brunner
b46a5cd4ef
Fixed check for log groups when debug_t is unsigned.
...
The range and signedness of enum types is up to the compiler.
2011-11-25 09:48:32 +01:00
Andreas Steffen
b21cfa93f8
Cosmetics
2011-10-26 10:32:54 +02:00
Martin Willi
2d2ffa58f6
Added a listplugins stroke command to show plugin features
2011-10-14 10:05:44 +02:00
Martin Willi
fa7c8338ca
Plugin enumerator enumerates over loaded features, too
2011-10-14 10:05:44 +02:00
Martin Willi
9cd7f384ba
Include library.h in plugin.h
2011-10-14 10:04:45 +02:00
Tobias Brunner
f7ce74983d
Removed unneeded include.
...
This is not available on Android and redirects to <fcntl.h> on Ubuntu.
2011-10-11 16:30:20 +02:00
Tobias Brunner
d3bd67239f
Added fallback to ipsec.secrets parser if glob(3) is not available.
2011-10-11 16:30:20 +02:00
Tobias Brunner
673ce4da9b
Migrated stroke_cred_t to INIT/METHOD macros.
2011-10-03 19:04:19 +02:00
Tobias Brunner
0d430d4f54
Migrated stroke_socket_t to INIT/METHOD macros.
2011-10-03 18:56:21 +02:00
Martin Willi
8e3f14baab
bus->listen() and the controller wrappers accept a timeout to wait for callbacks
2011-08-26 10:44:25 +02:00
Andreas Steffen
d33f6f7dba
fixed esn type
2011-07-20 23:11:19 +02:00
Andreas Steffen
6101ee9b06
added log and status output for ESN
2011-07-16 11:09:38 +02:00
Tobias Brunner
47daa0e6fe
Replaced more complex iterator usages.
2011-07-06 09:43:45 +02:00
Tobias Brunner
4bbce1ef37
Replaced ike_sa_t.create_child_sa_iterator with enumerator.
...
This required two new methods on ike_sa_t. One returns the number of
CHILD_SAs and one allows removing a CHILD_SA.
2011-07-06 09:43:45 +02:00
Andreas Steffen
f87991704e
implemented PASS and DROP shunt policies
2011-06-28 19:42:54 +02:00
Tobias Brunner
876961cf0e
Properly print time differences.
...
time_t is not necessarily of type int.
2011-06-07 17:52:34 +02:00
Tobias Brunner
1b185ea490
Use proper printf specifiers to print u_int64_t and uintptr_t.
2011-06-07 17:30:57 +02:00
Laurent Bigonville
cb7a9862c6
Fix compilation with GCC 4.6.
2011-06-07 15:45:18 +02:00
Martin Willi
f34ebc845b
Add a closeaction ipsec.conf keyword to configure close action
2011-06-07 12:07:21 +02:00
Martin Willi
14bf2f689d
Use CRITICAL job priority class for long running dispatcher jobs
2011-05-16 15:24:15 +02:00
Martin Willi
4cf6f101d8
Show total and half-open SA count in statusall
2011-05-16 15:24:15 +02:00
Martin Willi
c726b1a6a5
Show how many threads are active in each class in statusall
2011-05-16 15:24:14 +02:00
Martin Willi
a694b481ee
Added a statusallnb stroke command to show status non-blocking
2011-05-16 15:24:14 +02:00
Martin Willi
69c3eca0e9
Added a non-blocking, skipping variant of IKE_SA enumerator
2011-05-16 15:24:13 +02:00
Martin Willi
c73d4f53f5
Processor job scheduling respects job priority classes
2011-05-16 15:24:13 +02:00
Martin Willi
dfe9bad981
Added a stroke memusage command to show memory usage
2011-05-16 15:22:21 +02:00
Martin Willi
4778655726
Cast size_t len arguments to %.*s to int
2011-04-20 13:08:32 +02:00
Tobias Brunner
dd0696ec8e
Use strncpy when reading smartcard keyids from ipsec.secrets.
2011-04-19 18:00:16 +02:00
Martin Willi
c55818ebb0
Added a (not yet implemented) plugin_t method to reload plugin configuration
2011-04-15 10:07:13 +02:00
Martin Willi
787b5884aa
Added a get_name() function to plugin_t, create_plugin_enumerator enumerates over plugin_t
2011-04-15 10:07:12 +02:00
Tobias Brunner
b0fd7d1482
Proper cleanup if IDs in ipsec.secrets cannot be parsed.
2011-04-14 18:11:45 +02:00
Tobias Brunner
e51cae33a9
Fix compiler warnings at creation of CRL cache filenames.
...
This was not really a problem because ptr is the first member of a chunk_t
and it contains a null-terminated string at that point. But it's clearer
this way.
2011-04-14 18:10:27 +02:00
Tobias Brunner
aee071ed8b
Fixed check for member of stroke_msg_t in pop_string.
...
Because of the cast to char** the length of the message was multiplied
by sizeof(char*), i.e. 4 or 8 bytes (depending on the architecture) instead
of by 1 (sizeof(char)).
2011-04-13 18:18:03 +02:00
Andreas Steffen
25ed5672a6
initiate or route all child configs if they have different names from their parent peer config
2011-03-04 07:02:31 +01:00
Andreas Steffen
ea1c20d14b
initiate or route child configs which don't have a peer config of the same name
2011-03-01 22:24:19 +01:00
Andreas Steffen
a2ebc1bd69
put DN in double quotes
2011-03-01 22:19:59 +01:00
Andreas Steffen
d390b3b901
[hopefully] fixed pathlen problem on ARM platforms
2011-02-10 15:51:18 +01:00
Andreas Steffen
f04d1c2dfe
replaced ipsec up %startall command by start_action job
2011-02-09 22:27:04 +01:00
Martin Willi
44e513a320
Added support for trustchain key strength checking to rightauth option
2011-01-07 15:51:35 +01:00
Martin Willi
6367de28ad
Added a left/rightcertpolicy keyword to specify certificatePolicy requirements
2011-01-07 15:51:35 +01:00
Martin Willi
2e90006f96
Show base CRL of delta CRLs in listcrls
2011-01-05 16:46:06 +01:00
Martin Willi
b3d359e58f
Use a generic getter for all numerical X.509 constraints
2011-01-05 16:46:05 +01:00
Martin Willi
5dba5852fc
Slightly renamed X509_NO_PATH_LEN_CONSTRAINT to use it for PolicyConstraints, too
2011-01-05 16:46:02 +01:00
Andreas Steffen
27a66f9393
implemented wrap around of registered IKEv1 algorithm names
2010-12-26 17:11:02 +01:00
Andreas Steffen
16b6606e5f
wrap list of IKEv2 algorithms after 120 characters per line
2010-12-24 17:29:51 +01:00
Andreas Steffen
cb6be85cfe
Migrated stroke_list_t to INIT/METHOD macros
2010-12-24 14:29:09 +01:00
Martin Willi
6c302616f1
Added a tfc ipsec.conf keyword to control Traffic Flow Confidentiality
2010-12-20 09:45:39 +01:00
Martin Willi
37788b1d06
Added a TFC padding option to child_cfg
2010-12-20 09:45:39 +01:00
Andreas Steffen
5932f41fcc
trace back crypto algorithms to the plugins that registered them
2010-12-18 16:31:12 +01:00
Martin Willi
cf5866b9c0
Renamed purgex509/crl to purgecerts/crls to be consistent with list commands
2010-12-10 11:21:55 +01:00
Martin Willi
6aa144ddb7
Added options to flush CRLs/X509 certs from the cert cache
2010-12-10 09:45:22 +01:00
Andreas Steffen
4332cd7f95
added newline
2010-12-07 09:02:55 +01:00
Andreas Steffen
faccd69068
re-introduced comment
2010-12-07 09:01:28 +01:00
Andreas Steffen
a42aaed64f
Migrated stroke_control_t to INIT/METHOD macros
2010-12-07 08:58:57 +01:00
Andreas Steffen
d31aec9fa7
Migrated stroke_plugin_t to INIT/METHOD macros
2010-12-07 08:01:56 +01:00
Tobias Brunner
5b2d9f24f5
Refactored stroke_cred_t to use mem_cred_t.
2010-12-03 18:00:00 +01:00
Tobias Brunner
413d8fe0e3
Avoid calling globfree twice on failure.
2010-12-03 17:38:36 +01:00
Andreas Steffen
c616d84c3f
start and route connections defined in an SQL database via start_action field and ipsec up %startall command
2010-11-28 11:57:49 +01:00
Andreas Steffen
a9ac8c51ea
Migrated stroke_config_t to INIT/METHOD macros
2010-11-27 01:12:58 +01:00
Andreas Steffen
a5ffb559d2
Migrated stroke_cat_t to INIT/METHOD macros
2010-11-27 00:49:15 +01:00
Martin Willi
851d60484e
Added a stroke rekey command to trigger IKE/CHILD_SA rekeying manually
2010-11-03 15:12:05 +01:00
Andreas Steffen
9b9352c83b
fixed 64 bit printf() issue
2010-10-24 20:30:19 +02:00
Andreas Steffen
80f86acccb
show validity of OCSP responses
2010-09-10 22:26:03 +02:00
Tobias Brunner
bb381e26c6
Refer to scheduler and processor via lib and not hydra.
2010-09-02 19:04:18 +02:00
Tobias Brunner
f6659688ab
Refer to kernel interface via hydra and not charon.
2010-09-02 19:01:25 +02:00
Tobias Brunner
61e8e73206
Refer to scheduler via hydra and not charon.
2010-09-02 19:01:24 +02:00
Tobias Brunner
c5f7146b17
Refer to processor via hydra and not charon.
2010-09-02 19:01:22 +02:00
Martin Willi
bbdc85b66e
Respect key types in stroke key/certificate backend
2010-09-02 13:07:23 +02:00
Martin Willi
33b1a2567f
Load a left/rightcert2 for EAP-TLS even if no left/rightauth2 is defined
2010-08-31 18:10:23 +02:00
Martin Willi
64d7b0733f
Added support for the ipsec.conf aaa_identity keyword
2010-08-31 17:52:52 +02:00
Martin Willi
835ec23aff
Use enum mappings to resolve debug group
2010-08-23 09:47:04 +02:00
Martin Willi
9d49f79f55
List registered AEAD algorithms in listalgs
2010-08-19 19:02:34 +02:00
Martin Willi
3d711a68fb
Added a stroke command to export cached x509 certificates to the console
2010-08-10 18:46:30 +02:00
Martin Willi
a944d2092b
Use bits instead of bytes for a private/public key
2010-08-10 18:46:30 +02:00
Tobias Brunner
744b83c7c9
Fixed loading of secrets with IDs.
...
Since the ID string is manually terminated by a null character, write
permission is required for the mmapped ipsec.secrets.
2010-08-04 16:03:46 +02:00
Tobias Brunner
dca2d89209
Fixed loading of private keys without password.
...
The chunk storing the password was not correctly initialized, resulting
in a segmentation fault when no password was specified in ipsec.secrets.
2010-08-04 14:22:48 +02:00
Martin Willi
0d08ebe7ac
Pass type of requested key in the callback credential set
2010-08-04 09:26:21 +02:00
Martin Willi
15177f5785
Obsoleted BUILD_PASSPHRASE(_CALLBACK) for private key loading, use credential sets
2010-08-04 09:26:21 +02:00
Martin Willi
0556667dca
Use credential sets to load smartcard keys
2010-08-04 09:26:21 +02:00
Martin Willi
62be923683
Implemented a callback based credential set, currently for shared keys only
2010-08-04 09:26:21 +02:00
Martin Willi
9587ece534
mmap() ipsec.secrets instead of malloc(), proper error checking
2010-08-04 09:26:21 +02:00
Martin Willi
947298b302
Split up the load_secrets() function
2010-08-04 09:26:21 +02:00
Martin Willi
57522106c4
%prompt support for smartcard PIN via "ipsec secrets"
2010-08-04 09:26:20 +02:00
Martin Willi
0b8b664056
Pass the PKCS11 keyid as chunk, not as string
2010-08-04 09:26:20 +02:00
Martin Willi
353d10d590
Reuse generic passphrase build part, not a dedicated PIN part
2010-08-04 09:26:20 +02:00
Martin Willi
3479c27931
Support module names in %smartcard specifier, streamlined smartcard building
2010-08-04 09:26:20 +02:00
Thomas Egerer
5d2e159b41
Fix segfault on 'ipsec stroke up ]' command
2010-07-29 14:03:11 +02:00
Martin Willi
0406eeaacb
Support different encoding types in certificate.get_encoding()
2010-07-13 13:53:20 +02:00
Martin Willi
da9724e6d0
Renamed key_encod{ing,der}_t and constants, prepare for generic credential encoding
2010-07-13 11:29:35 +02:00
Martin Willi
2ccc02a4fd
Moved credential manager to libstrongswan
2010-07-13 10:26:07 +02:00
Andreas Steffen
26c4d0102a
configuration of different marks for inbound and outbound direction
2010-07-09 09:06:07 +02:00
Martin Willi
4f99093235
Show mallinfo() data in statusall, if available
2010-07-06 16:28:25 +02:00
Martin Willi
4172574bfb
Use the group constraint in a more generic fashion, not only for attribute certificates
2010-07-05 09:41:04 +02:00
Andreas Steffen
ee26c537d7
support of xfrm marks for IKEv2
2010-07-02 23:46:09 +02:00
Martin Willi
d5ad6eb1e0
Flush certificate cache on CA delete
2010-06-07 13:51:18 +02:00
Martin Willi
a3ffa9edfd
Log non-empty task queues in statusall
2010-06-07 11:59:37 +02:00
Martin Willi
8029e5efd2
Added generic implementations for crl_is_newer/certificate_is_newer
2010-05-21 16:25:51 +02:00
Reto Buerki
277fcf9f86
Add reqid field and getter function to child_cfg_t.
2010-05-04 14:38:34 +02:00
Tobias Brunner
c9235353f8
Use a read-write lock in stroke_attribute to increase concurrency.
2010-04-06 12:47:39 +02:00
Tobias Brunner
8c9f5bad8b
Migrated stroke_attribute_t to METHOD/INIT macros.
2010-04-06 12:47:38 +02:00
Tobias Brunner
ac5fb545c5
Extracted in-memory IP address pool from stroke plugin to libhydra.
2010-04-06 12:47:38 +02:00
Martin Willi
89bf11d204
Respect line width in Makefile.am's, other cosmetics
2010-03-25 14:54:56 +01:00
Tobias Brunner
58f86d0f0f
Changed all usages of lib->attributes to hydra->attributes.
2010-03-24 18:54:26 +01:00
Tobias Brunner
bd3f8ea30b
Convert charon into libcharon.
2010-03-19 13:34:52 +01:00
Tobias Brunner
08c5572602
Moving charon to libcharon.
2010-03-19 13:34:52 +01:00