Martin Willi
35b6e2301f
fixed crash if crl fetching fails
2008-03-28 12:00:51 +00:00
Martin Willi
d55fa9aff7
reentrant save cert_cache
2008-03-28 08:38:51 +00:00
Martin Willi
ac1fefc2de
caching of CRLs
2008-03-28 08:14:47 +00:00
Martin Willi
d20e5c6ab5
replaced get_public() by create_public_enumerator() to try multiple public keys for signature verification
2008-03-27 19:07:23 +00:00
Martin Willi
0d30ba3343
use trusted self-signed root CA certificates as trust anchor only
2008-03-27 13:38:02 +00:00
Tobias Brunner
e74bc8e51d
changed external interface to the mediation extension.
2008-03-27 12:31:35 +00:00
Tobias Brunner
b42421a04c
corrected ME_ENDPOINT length check
2008-03-27 12:29:51 +00:00
Martin Willi
52a61742e7
reusing generic shared_key_t implementation in med_db
2008-03-27 11:45:49 +00:00
Tobias Brunner
54150b3f13
checking the size of ME_* notify payloads
2008-03-27 10:17:29 +00:00
Tobias Brunner
b0dee635d2
replaced the COOKIE notify payload in connectivity checks with a ME_CONNECTAUTH notify payload
2008-03-27 09:54:09 +00:00
Martin Willi
f957f7dfb3
implemented cert cache flushing, ipsec purgeocsp
2008-03-27 06:37:29 +00:00
Andreas Steffen
d61bd27a9a
fixed plugin/stroke Makefile
2008-03-26 20:24:55 +00:00
Tobias Brunner
dc04b7c743
mediation extension adapted to the naming convention of the current version of the draft. note: the external interface (config, autotools) has not yet been changed
2008-03-26 18:40:19 +00:00
Martin Willi
685232670a
added uptime statistics to statusall
2008-03-26 16:13:14 +00:00
Martin Willi
7b88a983d8
caching of ocsp responses (experimental), no crl caching yet
2008-03-26 15:21:50 +00:00
Martin Willi
391abda082
fixed compile error if --enable-p2p is set
2008-03-26 14:45:24 +00:00
Martin Willi
e37f7715bf
fixed rightca= constraint checking
...
implemented rightca= for intermediate CAs we do not have the certificate at config load
2008-03-26 12:23:46 +00:00
Martin Willi
2d84da89b9
fixed auth_info_t.equals()
2008-03-26 10:58:19 +00:00
Martin Willi
0b14fdb92b
split stroke plugin to several files:
...
socket: reads messages from socket, dispatching
config: process add/del conn, serves configs through backend_t
control: controlling of the daemon (up/down/route/...)
cred: credential loading, serves creds through credential_set_t
ca: ca sections from ipsec.conf, serves cdp's through credential_set_t
list: log status information to stroke console (status/statusall/list*)
shared_key: shared key implementation for keys read from ipsec.secrets
plugin: registers stroke plugin and starts socket w/ thread
2008-03-26 10:10:40 +00:00
Martin Willi
3c7e72f5b0
added equals() method to peer_cfg, ike_cfg, proposals, auth_info
...
allows easier merging of ipsec.conf connections
replaced some iterators through enumerators
made proposals algorithm_t private using enumerator
2008-03-26 10:06:45 +00:00
Andreas Steffen
26930a8c3e
certificate factory can load certs from file
2008-03-25 22:28:27 +00:00
Andreas Steffen
3e6ee16478
defined *_create_from_file() constructors in libstrongswan/credentials/certificates
2008-03-25 10:12:45 +00:00
Andreas Steffen
36617c1ad5
shortened debug output
2008-03-21 20:36:19 +00:00
Andreas Steffen
02fd225ea5
detect trusted self-signed before trust chain verification
2008-03-21 19:10:55 +00:00
Andreas Steffen
112482d3f4
optimized debug output of credential_manager.c
2008-03-21 09:28:25 +00:00
Andreas Steffen
25c9637222
modified debug text
2008-03-20 15:22:26 +00:00
Martin Willi
dfd5cdcb88
cert_cache_t caches subject-issuer relations and subject certificates
...
ocsp/crl do not benefit yet due to missing lookup function
2008-03-20 14:31:36 +00:00
Martin Willi
fe8f7626d1
fallback to random end entity certificate if trustchain building fails
2008-03-20 13:14:55 +00:00
Martin Willi
629e55434a
2008-03-20 11:38:51 +00:00
Martin Willi
36524c4844
added support for certificate requests for not yet known CAs
2008-03-20 10:09:56 +00:00
Martin Willi
9be0dc922e
fixed verification of preinstalled certificates
2008-03-20 09:30:02 +00:00
Martin Willi
44ab7c85d7
more trustchain verification improvements
...
should fix crl-revoked and two-certs scenarios
2008-03-20 09:27:57 +00:00
Martin Willi
48acfe98ae
refactored trustchain verification, this should fix #33
...
moved auth_info/ocsp_response credset wrapper to separate files
2008-03-19 17:54:54 +00:00
Andreas Steffen
84d8ff64cd
increased debug level in trust chain verification for auditing purposes
2008-03-19 17:04:09 +00:00
Martin Willi
cfede7f6e2
The introduced SHA1_NOFINAL hasher was not sufficient for EAP-AKA,
...
as it requires to XOR the key into the hashers state.
A new SHA1 based keyed hash function, implemented as PRF, enables EAP-AKA
and the FIPS-PRF function to properly use the existing SHA1 implementation.
2008-03-19 14:02:52 +00:00
Andreas Steffen
c912c3d382
log nextUpdate of crls and ocsp responses
2008-03-19 13:11:29 +00:00
Andreas Steffen
2590faa330
fixed stupid bug in fetch_ocsp()
2008-03-19 12:36:15 +00:00
Andreas Steffen
ae8715f956
attempt to achieve consistent debugging output
2008-03-19 12:06:38 +00:00
Martin Willi
d3a6993777
fixed shared key lookup in stroke
2008-03-19 10:24:51 +00:00
Martin Willi
3c448f019b
fixed peer_cfg lookup when omitting IDr
2008-03-19 10:08:59 +00:00
Martin Willi
081ae2eb61
fixed CRL check return value on revoked certificates
...
fixed possible refcounting bugs
generic return_null() implementation
2008-03-19 09:44:47 +00:00
Martin Willi
a40708e511
fixed compiler warning
2008-03-18 14:06:11 +00:00
Martin Willi
bed94c8aeb
added generic payload order rules for notifies
2008-03-18 12:45:23 +00:00
Martin Willi
7162be5772
fixed ike_cfg lookup in stroke
2008-03-18 12:40:41 +00:00
Martin Willi
4bfa63ed25
added false positive signature check
2008-03-18 12:25:39 +00:00
Martin Willi
18be601fcd
added missing test case file ([3607])
2008-03-18 12:16:36 +00:00
Martin Willi
d7c529f5a6
creating public key from RSA private key
...
RSA key generation and signature test
2008-03-18 12:13:51 +00:00
Andreas Steffen
8d49b51f8b
made is_newer() a certificate_t method
2008-03-18 10:36:08 +00:00
Martin Willi
50045c3b14
better normalized tables for SQL plugin (IDs)
2008-03-18 09:07:04 +00:00
Martin Willi
34e281ed32
enforcing x509_flags on certificate construction
2008-03-17 08:06:49 +00:00
Martin Willi
933f80c391
logging to SQL database
2008-03-15 14:17:09 +00:00
Martin Willi
72d68379dc
correctly unregister IKE_SA at the bus
2008-03-15 14:08:43 +00:00
Martin Willi
8d04f78d07
removed X509_PEER flag; flags are meant to read cert, not to store additional state in cert
...
removed x509_t.set_flags for the reason above
implemented a simple, generic shared_key_t
2008-03-14 15:11:29 +00:00
Martin Willi
39ea88f694
credential lookup in mysql/sqlite database
2008-03-14 15:06:42 +00:00
Martin Willi
9c410a8806
refactored buggy trustchain building, fixed refcount bug
2008-03-14 15:04:16 +00:00
Martin Willi
8f1596d606
SQL schema for MySQL and SQLite, test data
2008-03-14 07:39:01 +00:00
Tobias Brunner
df3462ddbe
two small fixes
2008-03-13 15:03:06 +00:00
Martin Willi
e42db695e2
fixed apidoc grouping
2008-03-13 14:53:57 +00:00
Martin Willi
419ee1072e
added NetworkManager prototype DBUS policy, applet config
2008-03-13 14:41:27 +00:00
Martin Willi
2d94fdfab7
added old and unmaintained prototype of NetworkManager applet and authenticator
2008-03-13 14:37:11 +00:00
Martin Willi
552cc11b1f
merged the modularization branch (credentials) back to trunk
2008-03-13 14:14:44 +00:00
Andreas Steffen
b48bdac20b
improved P2P_NAT debugging
2008-02-27 20:30:39 +00:00
Tobias Brunner
fb7e7dc484
refactored connect_manager_t to use the find functions on linked lists
2008-02-14 13:42:36 +00:00
Martin Willi
5bbac9ffff
split connections with different virtual IPs in different peer_cfgs
...
respect different peer_cfg's when initiating a CHILD_SA within an existing IKE_SA
2008-02-05 12:39:30 +00:00
Andreas Steffen
663fedbe44
implemented IKEV2 EAP-SIM server and client test module that use triplets stored in a file. For details see the scenario 'ikev2/rw-eap-sim-rsa'
2008-02-04 14:52:06 +00:00
Martin Willi
3b1692c058
use identifiers in EAP_SUCCESS/EAP_FAILURE payloads
2008-02-04 11:43:10 +00:00
Andreas Steffen
071e037124
next_payload must be of type u_int8_t
2008-02-01 00:07:56 +00:00
Andreas Steffen
b0e40caafb
NAT-T conditions were not inherited during IKE_SA rekeying
2008-01-29 01:41:47 +00:00
Martin Willi
3a36ce1164
added missing hasher include
2008-01-03 10:42:21 +00:00
Martin Willi
b8461a37db
fixed EAP-MD5 to accept Name attribute in challenge
2007-12-18 10:44:44 +00:00
Martin Willi
0f806802ae
implemented Expanded EAP types to support vendor specific methods
2007-12-13 17:31:21 +00:00
Martin Willi
3243ac6d5e
fixed actual ID length when AT_IDENTITY gets padded
2007-12-13 14:39:38 +00:00
Martin Willi
26e2467692
ported EAP-AKA branch into trunk
2007-12-13 10:54:29 +00:00
Martin Willi
4b403e7672
merged EAP-MD5 into trunk
2007-12-12 14:29:10 +00:00
Martin Willi
f9d80d53c3
accept unknown attributes in config payloads
2007-12-09 19:43:41 +00:00
Martin Willi
3895125275
removed c++ style comments
...
fixed compiler warnings
2007-12-04 10:48:27 +00:00
Martin Willi
b8249ff5ed
fixed mobike/auth_lifetime in conjunction with p2p-natt
2007-12-04 10:05:36 +00:00
Andreas Steffen
addc4b3ce4
removed redundant server reflexive endpoint debug message
2007-12-04 00:45:00 +00:00
Andreas Steffen
3af513753a
improved P2P_ENDPOINT debugging
2007-12-03 23:06:17 +00:00
Martin Willi
cbfb2aff50
added more ./configure build options for
...
EAP-Identity module
ipsec tools (openac, scepclient)
optional charon/pluto build
charon stroke interface
2007-12-03 14:47:15 +00:00
Martin Willi
7805ad302d
moved AUTH_LIFETIME handling in its own task (cleaner separation, proper payload order)
2007-12-03 10:52:18 +00:00
Martin Willi
8e78e43220
added a "libcharon-" prefix to plugins to avoid conflicts
2007-12-03 09:03:22 +00:00
Martin Willi
733f336ad3
socket_t implementation without raw sockets
...
--disable-raw-socket configure option
prevents charon/pluto from running in parallel
2007-11-26 11:20:00 +00:00
Tobias Brunner
17d6e9aa00
improving [3361]: moved one of the added return values
2007-11-22 11:22:33 +00:00
Andreas Steffen
f210387a6b
added two return statements committed by Marius Tomaschewski
2007-11-21 23:42:27 +00:00
Martin Willi
ee61471113
implemented RFC4478 (repeated authentication)
...
changed %V printf handler to take a time delta, %#V now takes two arguments
2007-11-20 12:06:40 +00:00
Martin Willi
7b36b734a4
fixed callback_job cancellation for threads waiting in the bus
2007-11-19 12:32:28 +00:00
Martin Willi
729a6ec965
fixed two leaks in stroke_interface
2007-11-19 11:28:11 +00:00
Andreas Steffen
3a19f38d15
handle right=%any case in strongSwan manager
2007-11-17 23:08:16 +00:00
Andreas Steffen
b073aada23
search : delimiter in ipsec.secrets entries from the rear
2007-11-16 20:23:29 +00:00
Martin Willi
e101f162ab
refactored bus and interface to resolve threading issues (WIP)
2007-11-15 18:35:54 +00:00
Martin Willi
5d4aea685f
filtering out IKEv1 configurations for manager
2007-11-15 10:09:14 +00:00
Martin Willi
93fc29c6cf
fixed daemon kill before threads are spawned
2007-11-14 10:12:34 +00:00
Martin Willi
91b16af0fa
fixed NO_PROPOSAL_CHOSEN response on IKE_SA_INIT
2007-11-14 09:41:08 +00:00
Martin Willi
30a68d715b
implemented configuration query and IKE_SA initiation in XML interface
2007-11-13 11:56:52 +00:00
Martin Willi
275cec2eac
implemented IKE/CHILD_SA termination through XML interface
2007-11-12 15:06:04 +00:00
Andreas Steffen
d5da42a9e4
fixed _updown target for ipv6
2007-11-06 13:45:54 +00:00
Martin Willi
00fb758755
adding new virtual ip before deleting old one to keep IP on reauthentication
2007-10-25 07:50:23 +00:00
Martin Willi
bd99d1852a
added vsignal todo
2007-10-25 07:49:32 +00:00
Martin Willi
39a8e5a580
fixed some typos
2007-10-05 09:52:23 +00:00
Martin Willi
1169ab4ec7
removed recursive mutex and __USE_UNIX98, should fix uClibc build
2007-10-05 09:47:55 +00:00
Martin Willi
6705052c2d
fixed bad cast which resulted in a crash on "ipsec update"
2007-10-05 09:13:03 +00:00
Martin Willi
b9bc74979e
fixed sqlite_backend compilation to respect changes from [3238]
2007-10-04 08:18:42 +00:00
Tobias Brunner
d5cc175833
experimental P2P-NAT-T for IKEv2 merged back from branch
2007-10-03 15:10:41 +00:00
Martin Willi
2970674faf
reverted changeset [3215], as we need NULL callback to do asynchronous calls
...
added interface_manager_cb_empty function, which calls synchronous but doesn't do anything
2007-10-03 08:10:03 +00:00
Tobias Brunner
183ddc20a9
typo
2007-10-02 13:56:58 +00:00
Tobias Brunner
9b997daab9
do not attempt to encrypt payloads without crypter or signer (allows to override message rules)
2007-10-02 13:31:12 +00:00
Martin Willi
06d00e4f7b
fixed "ipsec statusall" SPI formatting
2007-10-02 13:11:23 +00:00
Martin Willi
e4c9b92171
fixed sqlite database path
2007-10-02 11:55:19 +00:00
Tobias Brunner
56db479192
ID payload with explicit payload type
2007-10-02 11:55:10 +00:00
Tobias Brunner
1fbcbe32d0
get_first_payload_type for message_t
2007-10-02 11:42:27 +00:00
Tobias Brunner
17e78a0981
dummy callback added to interface manager
2007-10-02 11:33:16 +00:00
Martin Willi
06011f6882
remove control sockets on startup, as we don't have privileges on shutdown
2007-10-02 11:20:07 +00:00
Martin Willi
a3f100fa09
improved debugging code for traffic selector processing
2007-10-02 07:39:56 +00:00
Martin Willi
f53b74c96f
moved force_encap to ike_config, enables responder to enforce udp encapsulation
...
fixed bugs in force_encap code
2007-10-01 16:41:34 +00:00
Martin Willi
011fb1b97e
removed accidentally checked in debugging code
2007-10-01 12:25:26 +00:00
Martin Willi
9dae1bed00
implemented IKEv2 force_encap connection parameter
...
enforces UDP encapsulation by faking NAT detection payloads
to hurdle restrictive firewalls
2007-10-01 12:19:39 +00:00
Martin Willi
92232dab33
fixed setuid()/setgid() and error handling
2007-10-01 09:07:10 +00:00
Martin Willi
f215e91999
implemented more aggressive MOBIKE path probing
...
do not queue more than one MOBIKE task
2007-09-28 08:22:37 +00:00
Martin Willi
052d58feaf
fixed CHILD_SA SPI byte order in XML interface
2007-09-28 07:05:15 +00:00
Martin Willi
055d016b49
changed inheritable capability set to the permitted one to execute firewall script with CAP_NET_ADMIN
2007-09-28 07:04:09 +00:00
Martin Willi
85c6fc0283
reduced debugging level
2007-09-27 13:09:50 +00:00
Martin Willi
983d7cd292
made add_ip()/del_ip() calls synchronous (waiting until kernel event received)
...
this should fix MOBIKE route migration with virtual IPs
2007-09-27 12:48:00 +00:00
Tobias Brunner
278396b6da
typos
2007-09-27 10:36:03 +00:00
Martin Willi
c295d0eb4b
refactored strongswan manager
...
removed buggy request parsing code, use ClearSilvers CGI kit instead
fixed CHILD_SA listing in manager (needs better design)
using secure XML communication through unix sockets
removed images with questionable (non-GPL) license
2007-09-26 14:02:21 +00:00
Martin Willi
d9d69536b0
improved MOBIKE roaming between interfaces
2007-09-24 12:15:25 +00:00
Andreas Steffen
b4979ff724
removed some empty lines
2007-09-18 11:23:52 +00:00
Andreas Steffen
cb23c49143
return argument has type size_t
2007-09-18 11:21:55 +00:00
Martin Willi
8f561d4409
prototype implementation of an sqlite configuration backend
2007-09-18 07:12:21 +00:00
Andreas Steffen
703b4b0332
connection name to IKE_SA initiating
2007-09-15 20:30:04 +00:00
Andreas Steffen
a2ab401c56
put IKE_SA and CHILD_SA names in single quotes
2007-09-15 16:06:58 +00:00
Andreas Steffen
be682af3e8
log name of IKE_SA in state changes
2007-09-15 15:54:51 +00:00
Andreas Steffen
3f4076b7c8
log name of established IKE_SA
2007-09-15 15:54:30 +00:00
Andreas Steffen
21b3099ac4
log name of established CHILD_SA
2007-09-15 15:53:10 +00:00
Andreas Steffen
cf9cec125a
adapted format of IKE SPIs to strongSwan Manager's style
2007-09-15 15:35:02 +00:00
Martin Willi
c01f7bf989
added subnets of CHILD_SAs to xml interface
...
a first design of Managers IKE_SA list page
2007-09-14 14:07:30 +00:00
Andreas Steffen
15a9d460c0
peer_cfg now knows about group memberships
2007-09-13 15:33:17 +00:00
Tobias Brunner
eff806eb5a
added missing 'break' in checkout_by_peer
2007-09-13 13:00:23 +00:00
Martin Willi
6baca3b2f1
fixed 64bit issue with file descriptor
2007-09-13 08:19:15 +00:00
Martin Willi
b8c7453a82
manager can query and list IKE_SA status (no layout yet)
2007-09-13 07:45:04 +00:00
Martin Willi
dd52993068
only switch to port 4500 if we are on 500: fixed reauthentication in NAT
...
scenarios
2007-09-12 11:11:10 +00:00
Andreas Steffen
794d2526b4
removed unused chunk variable
2007-09-12 07:54:56 +00:00
Martin Willi
a8827c9b63
moving virtual IP when interface changes due to mobike
2007-09-12 07:36:45 +00:00
Martin Willi
12fa4387c6
fixed NAT detection with mobike
2007-09-12 07:14:05 +00:00
Martin Willi
39cc6d1ad7
fixed shutdown order to prevent crash when kernel interface schedules events
2007-09-12 07:12:25 +00:00
Andreas Steffen
1cb2cb622e
overwrite shared_key with random bytes before freeing it
2007-09-11 21:06:46 +00:00
Andreas Steffen
2f9f5149c4
check hash algorithms used in signatures
2007-09-11 20:10:38 +00:00
Andreas Steffen
c1ff717690
removed rsa_private_key clone() function
2007-09-11 16:26:08 +00:00
Andreas Steffen
f0c156fbc9
replaced get_rsa_private_key() by rsa_signature() in order to restrict the distribution of private key material
2007-09-11 10:18:25 +00:00
Andreas Steffen
7bac086733
overwrite storage used for shared secrets with pseudo-random bytes before releasing it
2007-09-10 19:12:01 +00:00
Martin Willi
5474dc6500
implemented routeability checks for mobike (experimental)
2007-09-03 12:37:25 +00:00
Andreas Steffen
f5da63e937
correct debug
2007-09-02 15:59:59 +00:00
Martin Willi
9164e49ac0
added mobike=yes|no connection option
...
yes: include mobike support notifies as initiator
no: only enable mobike as responder when initiator supports it
default: yes
2007-08-29 12:11:25 +00:00
Andreas Steffen
0bc5a23023
renamed integrity check to integrity test
2007-08-29 10:36:08 +00:00
Andreas Steffen
ab13376877
fips_verify_hmac_signature() now returns a boolean status
2007-08-29 09:43:02 +00:00
Andreas Steffen
2fb15ac606
changed interface of fips_verify_hmac_signature
2007-08-29 05:43:45 +00:00
Andreas Steffen
55434a1ba5
started implementation of libstrongswan code integrity check
2007-08-29 00:37:10 +00:00
Martin Willi
98f97433af
rerouting CHILD_SA if its IKE_SA gets deleted
2007-08-27 09:10:12 +00:00
Andreas Steffen
929b9e367a
append new attribute certs at the end
2007-08-14 13:04:36 +00:00
Andreas Steffen
06faefe43d
adding attribute certificates to a chained list
2007-08-14 12:27:02 +00:00
Andreas Steffen
8f687a7591
has_rsa_private_key() must also be protected by keys_mutex
2007-08-10 12:10:36 +00:00
Andreas Steffen
c045d90a8e
corrected debug output
2007-08-10 11:23:45 +00:00
Andreas Steffen
8ff58b051c
ipsec stroke rereadaacerts|rereadacerts supported
2007-08-10 09:17:34 +00:00
Andreas Steffen
84db83336b
support of ipsec rereadsecrets for stroke
2007-08-10 07:16:32 +00:00
Martin Willi
939e93787e
made linked lists invoke() method consistent to clone_*() and destroy_*() methods
2007-08-09 12:43:11 +00:00
Andreas Steffen
037575682a
bug fix in linked_list deletion - instead of acerts destroyed certs twice
2007-08-08 06:02:59 +00:00
Andreas Steffen
f51d505e5e
implemented listing of attribute certificates
2007-08-07 20:32:11 +00:00
Martin Willi
3b574567ea
fixed segfault when sourceip in stroke message is NULL
2007-08-06 12:35:28 +00:00
Martin Willi
9ec19f13f7
allow starter to initiate connections simultaneously (on auto=start)
2007-08-06 07:41:19 +00:00
Tobias Brunner
c019260e01
backports from the p2p-nat-t branch:
...
* double assignment of function ''destroy'' in some jobs
* typos
2007-07-19 14:12:19 +00:00
Martin Willi
ac1557af51
updated XML interface to new schema
2007-07-19 10:57:33 +00:00
Martin Willi
c87395908a
not touching IKE_SA_INIT from ike_mobike_t anymore
2007-07-19 08:08:22 +00:00
Martin Willi
0308865282
fixed compiler warning
2007-07-16 07:10:14 +00:00
Martin Willi
cc68e173fe
fixed payload order (Nonce, KE) for IKE_SA_INIT
2007-07-16 07:01:49 +00:00
Andreas Steffen
db61efdbbb
include default route also in src address evaluation
2007-07-13 09:00:39 +00:00
Andreas Steffen
018219ae3a
include default route with missing dst field into route evaluation
2007-07-13 06:13:14 +00:00
Martin Willi
e5e868e430
doing route lookup in userspace to ignore routes installed by us
2007-07-11 12:37:24 +00:00
Martin Willi
9ba1d73890
using own routing table for installed routes (table 100, prio 100)
2007-07-11 06:55:11 +00:00
Martin Willi
19ff7d2207
added first draft of SMP relax-ng schema
2007-07-06 13:44:43 +00:00
Martin Willi
fa1bd44f23
ignoring unknown crl/ocsp uris
2007-07-04 12:00:33 +00:00
Martin Willi
1b8da84913
using correct nexthop for inserted route
2007-07-04 09:10:13 +00:00
Martin Willi
29100db902
changed mobike behavior to NOT use additional responder addresses until we have path discovery
2007-07-04 07:26:34 +00:00
Martin Willi
419201c15d
fixed responder initiated CHILD_SA rekeying when using virtual IPs
2007-07-04 06:27:33 +00:00
Martin Willi
7b8bae9941
fixed firewall script invocation when interface is not available anymore
2007-07-03 13:49:29 +00:00
Martin Willi
3bc62fe70e
improved MOBIKE:
...
prefer address family already used
do not change address implicitly when mobike supported
handle multiple simultaneous roaming requests more properly
proper enabling/disabling of UDP encapsulation
2007-07-03 12:32:38 +00:00
Martin Willi
4979e85871
added message ID to message log
2007-07-03 09:00:16 +00:00
Martin Willi
cba7ba7f9d
show kind of notify contained in messages in log
2007-07-03 08:50:14 +00:00
Andreas Steffen
bcac22f3a6
DBG1 level for 'peer supports MOBIKE' debug message
2007-07-02 20:13:15 +00:00
Andreas Steffen
561f88e306
fixed typo
2007-07-02 20:10:26 +00:00
Martin Willi
3d928c9ffd
fixed mobike address update from and to NAT
2007-07-02 12:55:07 +00:00
Martin Willi
face844a87
proper update of IPsec SA when roaming a host-to-host tunnel
...
roaming of IPsec SAs using virtual IPs
2007-07-02 09:49:22 +00:00
Martin Willi
0d30da5dfd
updated charons architecture description
2007-06-29 09:21:28 +00:00
Martin Willi
ffbca197c1
fixed dpd=hold when using virtual IPs
2007-06-29 08:03:32 +00:00
Martin Willi
8ba7d34253
removed accidentally checked in debugging code
2007-06-29 07:40:04 +00:00
Martin Willi
c532d6460d
fixed IKE_SA reestablishment after DPD using port 500
2007-06-28 15:24:24 +00:00
Martin Willi
fc2d1c420f
further mobike improvements regarding NAT-T
2007-06-27 13:10:55 +00:00
Martin Willi
2b3100b5d0
simple roaming of the client works (not MOBIKE conform yet!)
2007-06-26 13:04:13 +00:00
Martin Willi
4cb9d7a758
further fixes for mobike roaming
2007-06-25 13:26:02 +00:00
Martin Willi
17d92e9732
further MOBIKE stuff:
...
kernel properly reports network reconfiguration and informs all IKE_SAs
MOBIKE in IKE_AUTH: MOBIKE_SUPPORTED notify and address exchange
reestablishment of IKE_SAs on network reconfiguration kinda works
not stable yet!
2007-06-21 15:25:28 +00:00
Martin Willi
6835280041
fixed virtual IP: adding virtual IP to interface address list cache directly
...
corrected debug targets
2007-06-19 06:20:33 +00:00
Martin Willi
3b04350ab2
added extensions management to IKE_SA
...
fixed NATD payload (port) when using route lookup
2007-06-18 10:32:01 +00:00
Martin Willi
7068410b6f
source address lookup in kernel interface
...
use it for NAT detection if no source address known from config
support for %any...%any connections
2007-06-18 07:25:58 +00:00
Martin Willi
209c2e9049
support for left=%any change our address dynamically
2007-06-18 05:57:59 +00:00
Martin Willi
ca68a75eaf
increased receive buffer to handle more interfaces
2007-06-18 05:56:18 +00:00
Martin Willi
08a8f4496f
implemented more flexible iterator hook API
...
kernel interface handles interface changes and updates address list
2007-06-15 13:23:18 +00:00
Martin Willi
02b3ec0a10
implemented address change notification (for MOBIKE)
...
implemented up to date address list cache to list interfaces
2007-06-14 15:16:15 +00:00
Martin Willi
fede28be8b
fixed memleak when initiating to %any
2007-06-14 08:44:19 +00:00
Martin Willi
04f4e82d53
added missing files to the last commit
2007-06-14 08:17:23 +00:00
Martin Willi
26424f03c3
proper reauthentication:
...
IKE_SA is closed completely before the new is initiated,
resolves some issues when a dynamic IP is requested from a pool
2007-06-14 08:13:05 +00:00
Martin Willi
424e0c467e
ported interfaces to new threading functions (incomplete)
2007-06-11 14:24:32 +00:00
Martin Willi
432b298e40
documentation fixes and updates
2007-06-11 12:11:41 +00:00
Martin Willi
9fe1a1ca76
introduced callback_job:
...
simple asynchronous method invocation
use daemons thread pool for all threads
proper cancellation and cleanups
cancellation mechanism to dynamically unload multithreaded code
unified event_queue and scheduler => scheduler
unified job_queue and thread_pool => processor
removed job_type_t, not really needed
fixes here, there and everywhere
2007-06-11 10:57:19 +00:00
Andreas Steffen
ad8c6c60dc
moved assignment of CERT_UNKNOWN
2007-05-25 14:04:39 +00:00
Andreas Steffen
3f9834a491
log trust pathlen
2007-05-25 11:41:06 +00:00
Andreas Steffen
89eeedc243
included a certificate label in the is_trusted() method
2007-05-25 11:10:35 +00:00
Andreas Steffen
f44dbc639b
DBG1 level now shows stepping up through the certificate hierarchy up to the trust anchor
2007-05-25 08:29:35 +00:00
Andreas Steffen
13b872ebd2
set certinfo status to CERT_UNKNOWN before crl and|or ocsp verification
2007-05-25 08:21:27 +00:00
Martin Willi
1f2a0f8098
removed paranoid module checking
2007-05-25 05:45:41 +00:00
Martin Willi
1fa9bdc4fb
added compatibility names (pluto) for sha2 algorithms (sha2_256, ...)
2007-05-25 05:44:53 +00:00
Martin Willi
76042f8471
proper thread cancellation when using the charon->interfaces
2007-05-23 09:08:13 +00:00
Martin Willi
0f6b068259
fixed crash when using 0.0.0.0/0 subnets
2007-05-23 06:33:22 +00:00
Martin Willi
b1450b48a0
removed misleading warning when rekeying
2007-05-23 06:32:41 +00:00
Martin Willi
16878f6823
support for virtual IP definition on client side:
...
if leftsourceip is defined, it is requested.
server may define rightsourceip=%config to accept any,
or it may overwrite it using rightsourceip.
if server does not return an IP, client enforces its configured leftsourceip.
2007-05-22 13:49:31 +00:00
Martin Willi
a06c068191
fixed memleak
2007-05-22 09:38:42 +00:00
Martin Willi
905438735a
using local address as gateway in installed routes
2007-05-22 07:47:16 +00:00
Andreas Steffen
3eb9630071
support of left|rightgroups parameter
2007-05-20 15:38:36 +00:00
Andreas Steffen
3388e7674d
fixed nextUpdate and until behaviour in the non-strict case
2007-05-19 19:46:13 +00:00
Andreas Steffen
6e04f25313
support of CA-based ipsec policies
2007-05-18 12:25:37 +00:00
Andreas Steffen
889c2ded1c
output of eap_type_names requires %N format
2007-05-18 10:14:01 +00:00
Andreas Steffen
ec3c02a303
added set_other_ca() and get_other_ca()
2007-05-17 17:55:29 +00:00
Andreas Steffen
7d26a0ee03
added set_other_ca() and get_other_ca()
2007-05-17 17:55:02 +00:00
Martin Willi
bcd887781a
removed route_job, handled all in interface_manager
2007-05-16 08:49:10 +00:00
Martin Willi
ce27ac8012
routing/unrouting through interface
2007-05-16 08:32:15 +00:00
Andreas Steffen
9b6591e796
authentication failure is handled in ike_auth.c
2007-05-15 19:05:26 +00:00
Andreas Steffen
16c72c0c4f
cosmetics
2007-05-15 19:04:15 +00:00
Andreas Steffen
8a664830d0
cosmetics
2007-05-15 19:03:23 +00:00
Andreas Steffen
df9fbd2c64
adapted authentication failure text to those in the authenticators
2007-05-15 14:52:44 +00:00
Andreas Steffen
ca78602304
verification of locally loaded peer certificates
2007-05-15 14:51:04 +00:00
Andreas Steffen
2e324229c0
support of multiple certificates with same peer id
2007-05-15 12:46:05 +00:00
Andreas Steffen
b17e0db372
cosmetics
2007-05-15 12:45:19 +00:00
Martin Willi
1387e64af1
working dummy for NetworkManager DBUS interface
...
more a tech demo
2007-05-14 13:22:04 +00:00
Martin Willi
a6a039aa10
simplified capability dropping
2007-05-09 13:12:06 +00:00
Martin Willi
3cd3f48428
properly implemented interface_manager's initiate, terminate_[ike|child]
...
proper thread release when stroke is CTRL+C'ed
fixed some permission issues
2007-05-09 12:33:08 +00:00
Martin Willi
d08b27799a
properly ignoring signals raised by a thread which is in listening state
2007-05-08 12:58:33 +00:00
Martin Willi
6874bf698c
changing UID/GID after startup of pluto/charon
...
added --with-uid/--with-gid configure option
2007-05-07 12:38:46 +00:00
Martin Willi
a4a3884c83
extended interface_manager (more work needed here)
2007-05-03 14:22:52 +00:00
Martin Willi
586b7474a2
allow to have listening state TRUE while sending signal ourself
2007-05-03 14:22:15 +00:00
Martin Willi
66560f4267
reducing capabilities of the threads to a minimum
...
proper flush of pending packets on daemon shutdown
adding local address as gateway address in dynamic route
2007-05-03 14:21:22 +00:00
Martin Willi
0ccb275a93
added more API documentation to backends/interfaces
2007-04-30 10:23:01 +00:00
Andreas Steffen
9c53c47bde
added interface.h
2007-04-27 21:29:31 +00:00