0f018a7324
Show some uname() info in "ipsec statusall"
2012-06-28 11:56:40 +02:00
dc6d259635
Show remote EAP/XAuth identity in "statusall" on a separate line
2012-06-27 11:42:00 +02:00
26d77eb3e6
Centralized thread cancellation in processor_t
...
This ensures that no threads are active when plugins and the rest of the
daemon are unloaded.
callback_job_t was simplified a lot in the process as its main
functionality is now contained in processor_t. The parent-child
relationships were abandoned as these were only needed to simplify job
cancellation.
2012-06-25 17:38:59 +02:00
dd1381e7d3
Show EAP/XAuth identity in "ipsec status", if available
2012-06-25 10:18:35 +02:00
e2dd114f37
Select requested virtual IP family based on remote TS, if no local TS available
2012-06-20 10:02:01 +02:00
137035cc78
Show what kind of *Swan we run in "ipsec status"
2012-06-14 10:25:48 +02:00
e35bbb9740
Added signature scheme options left/rightauth
2012-06-12 15:01:39 +02:00
a37f2d2006
certificate_t->issued_by takes an argument to receive signature scheme
2012-06-12 14:24:49 +02:00
1d315bddd3
implemented the right|leftallowany feature
2012-06-08 21:24:41 +02:00
21043198ff
Show expiration time of rekeyed CHILD_SAs in statusall
2012-06-05 10:29:43 +02:00
2ac996cb71
list IKEv1 Aggressive Mode in ipsec statusall
2012-05-23 11:12:27 +02:00
5c162dd944
List registered nonce generators in statusall output.
2012-05-18 08:15:41 +02:00
80c5b17d1a
make IKEv1 DPD timeout configurable in charon
2012-05-17 19:49:22 +02:00
1e26235a0d
fixed feature dependencies for CERT_TRUSTED_PUBKEY
2012-05-05 08:54:36 +02:00
42500c274a
Use name from initialization to access settings in libcharon.
...
Also fixes several whitespace errors.
2012-05-03 13:57:04 +02:00
2ee11fd42d
display (soft) same as (not loaded)
2012-05-03 11:54:56 +02:00
493c468d4d
charon is now an IKE daemon
2012-05-03 11:49:30 +02:00
c9931135d1
stroke plugin sdepends on building CERT_ANY certificates
2012-05-03 11:07:21 +02:00
ead92870b8
Loggers specify what log messages they want to receive during registration.
...
This also allows us to generate the log message only once for all
loggers that need it (avoids calls to custom printf specifier callbacks).
To update the log levels loggers can simply be registered again.
2012-05-02 14:45:38 +02:00
daab152afa
Add plugin features support to stroke plugin
2012-05-02 14:05:52 +02:00
b24be29646
Merge branch 'ikev1'
...
Conflicts:
configure.in
man/ipsec.conf.5.in
src/libcharon/encoding/generator.c
src/libcharon/encoding/payloads/notify_payload.c
src/libcharon/encoding/payloads/notify_payload.h
src/libcharon/encoding/payloads/payload.c
src/libcharon/network/receiver.c
src/libcharon/sa/authenticator.c
src/libcharon/sa/authenticator.h
src/libcharon/sa/ikev2/tasks/ike_init.c
src/libcharon/sa/task_manager.c
src/libstrongswan/credentials/auth_cfg.c
2012-05-02 11:12:31 +02:00
552557a65d
add AUTH_RULE_SUBJECT_CERT for raw public keys
2012-04-30 13:40:48 +02:00
3577ec76a5
output validity of raw public key if available
2012-04-30 09:47:34 +02:00
5f1931ada1
added support for raw RSA public keys to stroke
2012-04-30 00:31:42 +02:00
7e84c4275c
Removed auth_cfg_t.replace_value() and replaced usages with add().
...
replace_value() was used to replace identities. Since for these the latest is
now returned by get(), adding the new identity with add() is sufficient.
2012-04-18 18:50:14 +02:00
80067cf9e6
Store password with remote ID to tie it stronger to a specific connection.
2012-04-18 13:32:49 +02:00
9f1b303afc
Added stroke user-creds command, to set username/password for a connection.
2012-04-17 14:20:58 +02:00
7b00fdeb84
Added method to add additional shared secrets to stroke_cred_t.
2012-04-17 14:20:58 +02:00
4c31657d2c
Typo fixed.
2012-04-17 14:20:58 +02:00
4626e49ad9
remove leading zero in ASN.1 encoded serial numbers
2012-04-05 09:04:11 +02:00
320fd5fe62
moved chunk_skip_zero to chunk.h
2012-04-03 14:12:50 +02:00
b1f2f05c92
Merge branch 'ikev1-clean' into ikev1-master
...
Conflicts:
configure.in
man/ipsec.conf.5.in
src/libcharon/daemon.c
src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
src/libcharon/plugins/eap_radius/eap_radius_accounting.c
src/libcharon/plugins/eap_radius/eap_radius_forward.c
src/libcharon/plugins/farp/farp_listener.c
src/libcharon/sa/ike_sa.c
src/libcharon/sa/keymat.c
src/libcharon/sa/task_manager.c
src/libcharon/sa/trap_manager.c
src/libstrongswan/plugins/x509/x509_cert.c
src/libstrongswan/utils.h
Applied lost changes of moved files keymat.c and task_manager.c.
Updated listener_t.message hook signature in new plugins.
2012-03-20 17:57:53 +01:00
5aef6bd0f3
Accept NULL auth_cfg_t passed to credential_manager_t.get_private()
2012-03-20 17:31:39 +01:00
c791def8c1
Added support for authby/xauth_server legacy options
2012-03-20 17:31:38 +01:00
5763367cac
Show IKE version in ipsec statusall
2012-03-20 17:31:37 +01:00
e129168ba6
Added a "aggressive" ipsec.conf connection option
2012-03-20 17:31:34 +01:00
5ce59d4c06
Added an aggressive mode peer_cfg option
2012-03-20 17:31:34 +01:00
747f837cce
Added a flag to register local credential sets exclusively, disabling all others
2012-03-20 17:31:28 +01:00
ac009df132
Pass IKE version to peer config enumerator, filter configs
2012-03-20 17:31:25 +01:00
d94c923648
Support an "any" IKE version for both IKEv1 or IKEv2
2012-03-20 17:31:25 +01:00
f29a4f1c64
Added support for iKEIntermediate X.509 extended key usage flag.
...
Mac OS X requires server certificates to have this flag set.
2012-03-20 17:31:24 +01:00
5f6a37eb9b
Be a little more verbose about XAuth configs in ipsec statusall
2012-03-20 17:31:23 +01:00
21a4fc832e
Pass ipsec.conf xauth_identity option via stroke to charon configurations
2012-03-20 17:31:23 +01:00
0a43f4b6c4
Log configured IKE version in stroke plugin.
2012-03-20 17:31:20 +01:00
cbda13f6fe
Accept a xauth backend name appended to left/rightauth
2012-03-20 17:31:15 +01:00
96c9159d96
Use a second authentication config to configure XAUTH authentication
2012-03-20 17:31:15 +01:00
b4e815354c
Map auth_class to auth method and IKEv1 proposal attribute
2012-03-20 17:30:53 +01:00
23f4e4b42d
IKEv1 XAUTH: Added ability to configure XAUTH+PSK. Added task to handle XAUTH requests. Modified task_manager_v1 to enable it to initiate new tasks immediately after finishing a response.
2012-03-20 17:30:49 +01:00
cf1772f685
Do not ignore configs for IKEv1 in charon anymore
2012-03-20 17:30:43 +01:00
f7a8fcedc0
Use enum to define IKE version on peer_cfg_t.
...
Replaced all those magic numbers.
2012-03-20 17:30:41 +01:00
bc403eb1e5
Fixed crash and locking issues while unrouting connections via stroke
2012-03-13 10:56:22 +01:00
9ec66bc1a5
Added an option to load CA certificates without CA basic constraint.
...
Enabling this option treats all certificates in ipsec.d/cacerts and
ipsec.conf ca sections as CA certificates even if they do not contain a
CA basic constraint.
2012-02-01 14:34:52 +01:00
f1ba06c1c6
Cache list of plugin names to further simplify its usage.
...
Also helpful for ipsec statusall to avoid having to enumerate plugins.
2012-01-19 12:37:42 +01:00
576298a3ef
Simplified logging of list of loaded plugins.
2012-01-19 11:56:03 +01:00
7c0c2349a9
Make number of concurrently handled stroke messages configurable.
2011-12-29 18:41:39 +01:00
8ff513a863
Limit the number of concurrently handled stroke messages.
...
This avoids clogging the thread pool with potentially blocking jobs.
2011-12-29 18:39:34 +01:00
b46a5cd4ef
Fixed check for log groups when debug_t is unsigned.
...
The range and signedness of enum types is up to the compiler.
2011-11-25 09:48:32 +01:00
b21cfa93f8
Cosmetics
2011-10-26 10:32:54 +02:00
2d2ffa58f6
Added a listplugins stroke command to show plugin features
2011-10-14 10:05:44 +02:00
fa7c8338ca
Plugin enumerator enumerates over loaded features, too
2011-10-14 10:05:44 +02:00
9cd7f384ba
Include library.h in plugin.h
2011-10-14 10:04:45 +02:00
f7ce74983d
Removed unneeded include.
...
This is not available on Android and redirects to <fcntl.h> on Ubuntu.
2011-10-11 16:30:20 +02:00
d3bd67239f
Added fallback to ipsec.secrets parser if glob(3) is not available.
2011-10-11 16:30:20 +02:00
673ce4da9b
Migrated stroke_cred_t to INIT/METHOD macros.
2011-10-03 19:04:19 +02:00
0d430d4f54
Migrated stroke_socket_t to INIT/METHOD macros.
2011-10-03 18:56:21 +02:00
8e3f14baab
bus->listen() and the controller wrappers accept a timeout to wait for callbacks
2011-08-26 10:44:25 +02:00
d33f6f7dba
fixed esn type
2011-07-20 23:11:19 +02:00
6101ee9b06
added log and status output for ESN
2011-07-16 11:09:38 +02:00
47daa0e6fe
Replaced more complex iterator usages.
2011-07-06 09:43:45 +02:00
4bbce1ef37
Replaced ike_sa_t.create_child_sa_iterator with enumerator.
...
This required two new methods on ike_sa_t. One returns the number of
CHILD_SAs and one allows to remove a CHILD_SA.
2011-07-06 09:43:45 +02:00
f87991704e
implemented PASS and DROP shunt policies
2011-06-28 19:42:54 +02:00
876961cf0e
Properly print time differences.
...
time_t is not necessarily of type int.
2011-06-07 17:52:34 +02:00
1b185ea490
Use proper printf specifiers to print u_int64_t and uintptr_t.
2011-06-07 17:30:57 +02:00
cb7a9862c6
Fix compilation with GCC 4.6.
2011-06-07 15:45:18 +02:00
f34ebc845b
Add a closeaction ipsec.conf keyword to configure close action
2011-06-07 12:07:21 +02:00
14bf2f689d
Use CRITICAL job priority class for long running dispatcher jobs
2011-05-16 15:24:15 +02:00
4cf6f101d8
Show total and half-open SA count in statusall
2011-05-16 15:24:15 +02:00
c726b1a6a5
Show how many threads are active in each class in statusall
2011-05-16 15:24:14 +02:00
a694b481ee
Added a statusallnb stroke command to show status non-blocking
2011-05-16 15:24:14 +02:00
69c3eca0e9
Added a non-blocking, skipping variant of IKE_SA enumerator
2011-05-16 15:24:13 +02:00
c73d4f53f5
Processor job scheduling respects job priority classes
2011-05-16 15:24:13 +02:00
dfe9bad981
Added a stroke memusage command to show memory usage
2011-05-16 15:22:21 +02:00
4778655726
Cast size_t len arguments to %.*s to int
2011-04-20 13:08:32 +02:00
dd0696ec8e
Use strncpy when reading smartcard keyids from ipsec.secrets.
2011-04-19 18:00:16 +02:00
c55818ebb0
Added a (not yet implemented) plugin_t method to reload plugin configuration
2011-04-15 10:07:13 +02:00
787b5884aa
Added a get_name() function to plugin_t, create_plugin_enumerator enumerates over plugin_t
2011-04-15 10:07:12 +02:00
b0fd7d1482
Proper cleanup if IDs in ipsec.secrets cannot be parsed.
2011-04-14 18:11:45 +02:00
e51cae33a9
Fix compiler warnings at creation of CRL cache filenames.
...
This was not really a problem because ptr is the first member of a chunk_t
and it contains a null-terminated string at that point. But it's clearer
this way.
2011-04-14 18:10:27 +02:00
aee071ed8b
Fixed check for member of stroke_msg_t in pop_string.
...
Because of the cast to char** the length of the message was multiplied
by sizeof(char*), i.e. 4 or 8 bytes (depending on the architecture) instead
of by 1 (sizeof(char)).
2011-04-13 18:18:03 +02:00
25ed5672a6
initiate or route all child configs if they have different names from their parent peer config
2011-03-04 07:02:31 +01:00
ea1c20d14b
initiate or route child configs which don't have a peer config of the same name
2011-03-01 22:24:19 +01:00
a2ebc1bd69
put DN in double quotes
2011-03-01 22:19:59 +01:00
d390b3b901
[hopefully] fixed pathlen problem on ARM platforms
2011-02-10 15:51:18 +01:00
f04d1c2dfe
replaced ipsec up %startall command by start_action job
2011-02-09 22:27:04 +01:00
44e513a320
Added support for trustchain key strength checking to rightauth option
2011-01-07 15:51:35 +01:00
6367de28ad
Added a left/rightcertpolicy keyword to specify certificatePolicy requirements
2011-01-07 15:51:35 +01:00
2e90006f96
Show base CRL of delta CRLs in listcrls
2011-01-05 16:46:06 +01:00
b3d359e58f
Use a generic getter for all numerical X.509 constraints
2011-01-05 16:46:05 +01:00
5dba5852fc
Slightly renamed X509_NO_PATH_LEN_CONSTRAINT to use it for PolicyConstraints, too
2011-01-05 16:46:02 +01:00
27a66f9393
implemented wrap around of registered IKEv1 algorithm names
2010-12-26 17:11:02 +01:00
16b6606e5f
wrap list of IKEv2 algorithms after 120 characters per line
2010-12-24 17:29:51 +01:00
cb6be85cfe
Migrated stroke_list_t to INIT/METHOD macros
2010-12-24 14:29:09 +01:00
6c302616f1
Added a tfc ipsec.conf keyword to control Traffic Flow Confidentiality
2010-12-20 09:45:39 +01:00
37788b1d06
Added a TFC padding option to child_cfg
2010-12-20 09:45:39 +01:00
5932f41fcc
trace back crypto algorithms to the plugins that registered them
2010-12-18 16:31:12 +01:00
cf5866b9c0
Renamed purgex509/crl to purgecerts/crls to be consistent with list commands
2010-12-10 11:21:55 +01:00
6aa144ddb7
Added options to flush CRLs/X509 certs from the cert cache
2010-12-10 09:45:22 +01:00
4332cd7f95
added newline
2010-12-07 09:02:55 +01:00
faccd69068
re-introduced comment
2010-12-07 09:01:28 +01:00
a42aaed64f
Migrated stroke_control_t to INIT/METHOD macros
2010-12-07 08:58:57 +01:00
d31aec9fa7
Migrated stroke_plugin_t to INIT/METHOD macros
2010-12-07 08:01:56 +01:00
5b2d9f24f5
Refactored stroke_cred_t to use mem_cred_t.
2010-12-03 18:00:00 +01:00
413d8fe0e3
Avoid calling globfree twice on failure.
2010-12-03 17:38:36 +01:00
c616d84c3f
start and route connections defined in an SQL database via start_action field and ipsec up %startall command
2010-11-28 11:57:49 +01:00
a9ac8c51ea
Migrated stroke_config_t to INIT/METHOD macros
2010-11-27 01:12:58 +01:00
a5ffb559d2
Migrated stroke_cat_t to INIT/METHOD macros
2010-11-27 00:49:15 +01:00
851d60484e
Added a stroke rekey command to trigger IKE/CHILD_SA rekeying manually
2010-11-03 15:12:05 +01:00
9b9352c83b
fixed 64 bit printf() issue
2010-10-24 20:30:19 +02:00
80f86acccb
show validity of OCSP responses
2010-09-10 22:26:03 +02:00
bb381e26c6
Refer to scheduler and processor via lib and not hydra.
2010-09-02 19:04:18 +02:00
f6659688ab
Refer to kernel interface via hydra and not charon.
2010-09-02 19:01:25 +02:00
61e8e73206
Refer to scheduler via hydra and not charon.
2010-09-02 19:01:24 +02:00
c5f7146b17
Refer to processor via hydra and not charon.
2010-09-02 19:01:22 +02:00
bbdc85b66e
Respect key types in stroke key/certificate backend
2010-09-02 13:07:23 +02:00
33b1a2567f
Load a left/rightcert2 for EAP-TLS even if no left/rightauth2 is defined
2010-08-31 18:10:23 +02:00
64d7b0733f
Added support for the ipsec.conf aaa_identity keyword
2010-08-31 17:52:52 +02:00
835ec23aff
Use enum mappings to resolve debug group
2010-08-23 09:47:04 +02:00
9d49f79f55
List registered AEAD algorithms in listalgs
2010-08-19 19:02:34 +02:00
3d711a68fb
Added a stroke command to export cached x509 certificates to the console
2010-08-10 18:46:30 +02:00
a944d2092b
Use bits instead of bytes for a private/public key
2010-08-10 18:46:30 +02:00
744b83c7c9
Fixed loading of secrets with IDs.
...
Since the ID string is manually terminated by a null character, write
permission is required for the mmapped ipsec.secrets.
2010-08-04 16:03:46 +02:00
dca2d89209
Fixed loading of private keys without password.
...
The chunk storing the password was not correctly initialized, resulting
in a segmentation fault when no password was specified in ipsec.secrets.
2010-08-04 14:22:48 +02:00
0d08ebe7ac
Pass type of requested key in the callback credential set
2010-08-04 09:26:21 +02:00
15177f5785
Obseleted BUILD_PASSPHRASE(_CALLBACK) for private key loading, use credential sets
2010-08-04 09:26:21 +02:00
0556667dca
Use credential sets to load smartcard keys
2010-08-04 09:26:21 +02:00
62be923683
Implemented a callback based credential set, currently for shared keys only
2010-08-04 09:26:21 +02:00
9587ece534
mmap() ipsec.secrets instead malloc(), proper error checking
2010-08-04 09:26:21 +02:00
947298b302
Splitted up the load_secrets() function
2010-08-04 09:26:21 +02:00
57522106c4
%prompt support for smartcard PIN via "ipsec secrets"
2010-08-04 09:26:20 +02:00
0b8b664056
Pass the PKCS11 keyid as chunk, not as string
2010-08-04 09:26:20 +02:00
353d10d590
Reuse generic passphrase build part, not a dedicated PIN part
2010-08-04 09:26:20 +02:00
3479c27931
Support module names in %smartcard specifier, streamlined smartcard building
2010-08-04 09:26:20 +02:00
5d2e159b41
Fix segfault on 'ipsec stroke up ]' command
2010-07-29 14:03:11 +02:00
0406eeaacb
Support different encoding types in certificate.get_encoding()
2010-07-13 13:53:20 +02:00
da9724e6d0
Renamed key_encod{ing,der}_t and constants, prepare for generic credential encoding
2010-07-13 11:29:35 +02:00
2ccc02a4fd
Moved credential manager to libstrongswan
2010-07-13 10:26:07 +02:00
26c4d0102a
configuration of different marks for inbound and outbound direction
2010-07-09 09:06:07 +02:00
4f99093235
Show mallinfo() data in statusall, if available
2010-07-06 16:28:25 +02:00
4172574bfb
Use the group constraint in a more generic fashion, not only for attribute certificates
2010-07-05 09:41:04 +02:00
ee26c537d7
support of xfrm marks for IKEv2
2010-07-02 23:46:09 +02:00
d5ad6eb1e0
Flush certificate cache on CA delete
2010-06-07 13:51:18 +02:00
a3ffa9edfd
Log non-empty task queues in statusall
2010-06-07 11:59:37 +02:00
8029e5efd2
Added generic implementations for crl_is_newer/certificate_is_newer
2010-05-21 16:25:51 +02:00
277fcf9f86
Add reqid field and getter function to child_cfg_t.
2010-05-04 14:38:34 +02:00
c9235353f8
Use a read-write lock in stroke_attribute to increase concurrency.
2010-04-06 12:47:39 +02:00
8c9f5bad8b
Migrated stroke_attribute_t to METHOD/INIT macros.
2010-04-06 12:47:38 +02:00
ac5fb545c5
Extracted in-memory IP address pool from stroke plugin to libhydra.
2010-04-06 12:47:38 +02:00
89bf11d204
Respect line with in Makefile.am's, other cosmetics
2010-03-25 14:54:56 +01:00
58f86d0f0f
Changed all usages of lib->attributes to hydra->attributes.
2010-03-24 18:54:26 +01:00
bd3f8ea30b
Convert charon into libcharon.
2010-03-19 13:34:52 +01:00
08c5572602
Moving charon to libcharon.
2010-03-19 13:34:52 +01:00
Martin Willi