git.ipfire.org Git - thirdparty/strongswan.git/log
Tobias Brunner [Sat, 14 Jul 2012 09:47:06 +0000 (11:47 +0200)]
Fixed ip_packet_t if IPv6 is not available
Tobias Brunner [Fri, 13 Jul 2012 14:12:29 +0000 (16:12 +0200)]
Added utility class to create TUN devices
Currently works only on Linux.
Tobias Brunner [Fri, 13 Jul 2012 13:34:51 +0000 (15:34 +0200)]
Added IPsec processor which is responsible for handling in- and outbound packets
Two callbacks can be registered that get called when new inbound plaintext and
outbound ESP packets have been processed. Inbound ESP and outbound plaintext
packets can be queued for processing with two other methods.
Tobias Brunner [Fri, 13 Jul 2012 13:23:00 +0000 (15:23 +0200)]
Represent the payload of an ESP packet as ip_packet_t instead of a chunk_t
Tobias Brunner [Fri, 13 Jul 2012 13:18:07 +0000 (15:18 +0200)]
IPsec policies can be looked up based on an IP packet
Tobias Brunner [Fri, 13 Jul 2012 13:05:27 +0000 (15:05 +0200)]
ip_packet_t parses the header of IP packets
Tobias Brunner [Fri, 13 Jul 2012 12:41:45 +0000 (14:41 +0200)]
Order IPsec policies by a pseudo-priority based on the traffic selectors
This allows a simple lookup, i.e. just use the first policy that matches
a given IP packet.
Tobias Brunner [Fri, 13 Jul 2012 12:32:03 +0000 (14:32 +0200)]
Implemented a checkout/checkin mechanism for IPsec SAs
SAs can only be checked out by a single thread and all other threads
block until the SA is checked in again.
Tobias Brunner [Fri, 13 Jul 2012 12:27:41 +0000 (14:27 +0200)]
IPsec policy manager added
This version only provides the very simplest management functions.
Tobias Brunner [Fri, 13 Jul 2012 12:17:03 +0000 (14:17 +0200)]
Method added to easily compare IPsec policies
Tobias Brunner [Fri, 13 Jul 2012 12:05:52 +0000 (14:05 +0200)]
Class representing an IPsec policy added
Tobias Brunner [Fri, 13 Jul 2012 11:54:29 +0000 (13:54 +0200)]
Schedule and relay expiration events for created IPsec SAs
Tobias Brunner [Fri, 13 Jul 2012 11:32:27 +0000 (13:32 +0200)]
Added class to relay IPsec events (like expiration) to listeners
Currently, only expiration of IPsec SAs is supported. Later other events
for e.g. acquires or changed NAT endpoints could be added.
Tobias Brunner [Fri, 13 Jul 2012 11:21:45 +0000 (13:21 +0200)]
Added IPsec SA manager
Tobias Brunner [Fri, 13 Jul 2012 09:21:25 +0000 (11:21 +0200)]
Add methods to easily compare IPsec SAs
Tobias Brunner [Fri, 13 Jul 2012 09:06:35 +0000 (11:06 +0200)]
Class representing an IPsec SA added
The IPsec SA also manages the respective ESP context.
Tobias Brunner [Fri, 13 Jul 2012 09:02:08 +0000 (11:02 +0200)]
Moved types used by kernel_ipsec_t interface (and libipsec) to libstrongswan
This avoids a dependency of libipsec on libhydra.
Tobias Brunner [Thu, 12 Jul 2012 14:56:35 +0000 (16:56 +0200)]
Use a CALLBACK feature to create charon's sender and receiver
Tobias Brunner [Tue, 10 Jul 2012 08:17:21 +0000 (10:17 +0200)]
Added a simple blocking queue around linked_list_t
Tobias Brunner [Sat, 7 Jul 2012 11:31:07 +0000 (13:31 +0200)]
esp_packet_t implements packet_t interface
This should allow us to avoid unnecessary cloning of packet data.
Tobias Brunner [Sat, 7 Jul 2012 10:46:28 +0000 (12:46 +0200)]
Extended constructor for packet_t added (takes src, dst and data)
Tobias Brunner [Fri, 6 Jul 2012 14:40:46 +0000 (16:40 +0200)]
Moved packet_t to libstrongswan
Tobias Brunner [Thu, 5 Jul 2012 13:46:54 +0000 (15:46 +0200)]
Headers from libhydra (kernel interface related) are required in libipsec
Tobias Brunner [Thu, 5 Jul 2012 11:56:24 +0000 (13:56 +0200)]
ESP packet wrapper added, handles encryption/decryption/verification etc.
Tobias Brunner [Thu, 5 Jul 2012 11:44:57 +0000 (13:44 +0200)]
Adding class to manage ESP context (crypto, sequence numbers)
Tobias Brunner [Fri, 29 Jun 2012 08:47:20 +0000 (10:47 +0200)]
Added a method to bio_writer_t that allows skipping a number of bytes
A chunk pointing to the skipped bytes is returned, allowing users of
bio_writer_t to write/copy data to the skipped bytes themselves.
Tobias Brunner [Fri, 29 Jun 2012 08:12:27 +0000 (10:12 +0200)]
Added a method to bio_writer_t that allows extracting the internal buffer
Tobias Brunner [Thu, 28 Jun 2012 16:06:31 +0000 (18:06 +0200)]
Added methods to bio_reader_t to read data from end of buffer
Tobias Brunner [Thu, 28 Jun 2012 12:32:52 +0000 (14:32 +0200)]
Increase log verbosity when sending NAT keep-alives
Tobias Brunner [Wed, 27 Jun 2012 11:43:37 +0000 (13:43 +0200)]
Only log the sending of regular packets in sender_t
When sender_t is used to send ESP packets this would otherwise cause an extreme
amount of debug messages.
With this change all messages sent via sender_t.send_no_marker() cause no extra
DBG1 log message, but for debugging purposes the socket plugins do log the same
message again with DBG2 for all packets.
Tobias Brunner [Wed, 8 Aug 2012 13:39:07 +0000 (15:39 +0200)]
Added option to prevent socket-default from setting the source address on outbound packets
Tobias Brunner [Fri, 20 Apr 2012 13:16:51 +0000 (15:16 +0200)]
Allocate UDP ports randomly in Android NDK build.
Tobias Brunner [Fri, 20 Apr 2012 12:58:02 +0000 (14:58 +0200)]
socket-default plugin allocates random ports if configured to 0.
Also added strongswan.conf options to change the ports.
Tobias Brunner [Fri, 20 Apr 2012 08:59:14 +0000 (10:59 +0200)]
Replaced usages of CHARON_*_PORT with calls to get_port().
Tobias Brunner [Fri, 20 Apr 2012 08:38:31 +0000 (10:38 +0200)]
Added get_port() method to socket_t to learn the listening port.
Tobias Brunner [Wed, 28 Mar 2012 13:41:31 +0000 (15:41 +0200)]
Added ESP log group for libipsec log messages.
Tobias Brunner [Fri, 24 Feb 2012 12:09:09 +0000 (13:09 +0100)]
Use send_no_marker to send NAT keepalives.
Tobias Brunner [Fri, 24 Feb 2012 12:04:16 +0000 (13:04 +0100)]
Avoid double-free when prepending Non-ESP marker.
Tobias Brunner [Fri, 24 Feb 2012 12:01:51 +0000 (13:01 +0100)]
Function added to send packets without Non-ESP marker.
Tobias Brunner [Fri, 24 Feb 2012 10:44:05 +0000 (11:44 +0100)]
Avoid unnecessary copy of packet data when removing Non-ESP marker.
Tobias Brunner [Fri, 24 Feb 2012 10:42:32 +0000 (11:42 +0100)]
Added packet_t.skip_bytes method to skip bytes at the start of a packet.
Tobias Brunner [Fri, 24 Feb 2012 10:19:53 +0000 (11:19 +0100)]
Improved how NAT-T keepalives are handled in sockets/receiver.
Tobias Brunner [Fri, 24 Feb 2012 10:07:34 +0000 (11:07 +0100)]
Let kernel interfaces decide how to enable UDP decapsulation of ESP packets.
Tobias Brunner [Thu, 23 Feb 2012 14:36:02 +0000 (15:36 +0100)]
Callback for ESP packets added to receiver.
Tobias Brunner [Thu, 23 Feb 2012 10:51:53 +0000 (11:51 +0100)]
Add Non-ESP marker in sender and not individual socket plugins.
Tobias Brunner [Thu, 23 Feb 2012 10:35:16 +0000 (11:35 +0100)]
Handle Non-ESP marker in receiver and not individual socket plugins.
Tobias Brunner [Wed, 22 Feb 2012 14:36:51 +0000 (15:36 +0100)]
Java code style fixed (analogous to C code).
Tobias Brunner [Wed, 22 Feb 2012 14:36:33 +0000 (15:36 +0100)]
Load libipsec in Android app.
Tobias Brunner [Wed, 22 Feb 2012 14:32:37 +0000 (15:32 +0100)]
Stub library for user space IPsec implementation added.
Tobias Brunner [Wed, 22 Feb 2012 11:05:38 +0000 (12:05 +0100)]
Some NDK build info updated.
Tobias Brunner [Wed, 22 Feb 2012 10:40:43 +0000 (11:40 +0100)]
Changed minimal SDK/API level to 14.
Tobias Brunner [Fri, 17 Feb 2012 16:16:07 +0000 (17:16 +0100)]
Added android.net.VpnService wrapper around charon (loaded via JNI).
Tobias Brunner [Fri, 17 Feb 2012 15:59:23 +0000 (16:59 +0100)]
Added Android shell app created with Android SDK.
Tobias Brunner [Fri, 17 Feb 2012 14:40:57 +0000 (15:40 +0100)]
Android.mk for NDK build added.
Tobias Brunner [Fri, 17 Feb 2012 14:39:25 +0000 (15:39 +0100)]
Extracted some parts from Android.mk.in which can be used for NDK builds.
Tobias Brunner [Thu, 16 Feb 2012 17:41:10 +0000 (18:41 +0100)]
Use filter instead of findstring to check for enabled plugins in Android.mk.
findstring is not prefix-safe (i.e. android matches android-log). On
the other hand filter matches words separated by whitespace and if no
wildcard (%) is used the full word has to match.
Tobias Brunner [Thu, 16 Feb 2012 17:17:09 +0000 (18:17 +0100)]
Moved Android specific logger to separate plugin.
This is mainly because the other parts of the existing android plugin
can not be built in the NDK (access to the keystore and system properties is
not part of the stable NDK libraries).
Tobias Brunner [Thu, 16 Feb 2012 16:13:37 +0000 (17:13 +0100)]
Link android plugin against liblog in the NDK.
Doesn't seem to hurt the build within the source tree.
Tobias Brunner [Mon, 13 Feb 2012 17:04:04 +0000 (18:04 +0100)]
Make the UDP ports charon listens for packets on (and uses as source ports) configurable.
Tobias Brunner [Fri, 10 Feb 2012 13:51:18 +0000 (14:51 +0100)]
Make path to Android OpenSSL headers configurable.
Tobias Brunner [Fri, 10 Feb 2012 13:16:54 +0000 (14:16 +0100)]
Don't require STRONGSWAN_CONF to be defined.
Tobias Brunner [Fri, 10 Feb 2012 13:11:19 +0000 (14:11 +0100)]
Don't require PLUGINDIR to be defined.
If it is not available, we just load monolithically built plugins.
Martin Willi [Wed, 8 Aug 2012 12:54:03 +0000 (14:54 +0200)]
Remove queued IKEv1 message before processing it
Avoids destruction or processing of a queued message in
recursive process_message() call.
Tobias Brunner [Thu, 2 Aug 2012 14:16:58 +0000 (16:16 +0200)]
Include src address in hash of initial message for Main Mode
If two initiators use the same SPI and also use the same SA proposal the
hash for the initial message would be exactly the same. For IKEv2 and
Aggressive Mode that's not a problem as these messages include random
data (Ni, KEi payloads).
Andreas Steffen [Tue, 7 Aug 2012 13:05:59 +0000 (15:05 +0200)]
implemented deletion of product_file database entries
Adrian-Ken Rueegsegger [Mon, 6 Aug 2012 09:12:25 +0000 (11:12 +0200)]
Add DH group 15 (MODP-3072) to IKE proposal
Martin Willi [Fri, 3 Aug 2012 13:25:17 +0000 (15:25 +0200)]
PEM loading soft-depends on MD5 only, as unencrypted files don't need MD5
Fixes #211.
Martin Willi [Fri, 3 Aug 2012 11:11:45 +0000 (13:11 +0200)]
Rebuild charon after running ./configure to reflect plugin changes
Martin Willi [Fri, 3 Aug 2012 11:07:19 +0000 (13:07 +0200)]
Block XAuth transaction on established IKE_SAs, but allow Mode Config
Tobias Brunner [Fri, 3 Aug 2012 09:23:17 +0000 (11:23 +0200)]
Implemented recursive mutex without thread-specific counter
Tobias Brunner [Fri, 3 Aug 2012 08:47:33 +0000 (10:47 +0200)]
Use a single thread-specific value for our custom rwlock_t implementation
The pthread implementation on Android currently only supports 64
different thread-specific values per process, which we hit easily when
every rwlock_t requires one.
Martin Willi [Fri, 3 Aug 2012 08:50:21 +0000 (10:50 +0200)]
Fix linking of addrblock plugin when building monolithic
Fixes #212.
Martin Willi [Thu, 2 Aug 2012 10:50:31 +0000 (12:50 +0200)]
Reject initial exchange messages early once IKE_SA is established
Martin Willi [Thu, 2 Aug 2012 10:23:59 +0000 (12:23 +0200)]
Add some more NEWS about 5.0.1
Martin Willi [Thu, 2 Aug 2012 10:06:51 +0000 (12:06 +0200)]
Move MODP_CUSTOM va_arg fetching out of loop
It seems problematic at least on PPC with gcc 4.3, fixes #208.
Andreas Steffen [Tue, 31 Jul 2012 15:25:07 +0000 (17:25 +0200)]
updated NEWS
Andreas Steffen [Tue, 31 Jul 2012 14:46:40 +0000 (16:46 +0200)]
libimcv requires nonce plugin
Martin Willi [Tue, 31 Jul 2012 11:41:59 +0000 (13:41 +0200)]
Lookup IKEv1 PSK even if the peer identity is not known
Andreas Steffen [Mon, 30 Jul 2012 21:19:25 +0000 (23:19 +0200)]
update state before handling status
Andreas Steffen [Mon, 30 Jul 2012 18:48:05 +0000 (20:48 +0200)]
implemented support of functional sub-components
Andreas Steffen [Mon, 30 Jul 2012 18:44:15 +0000 (20:44 +0200)]
extended and documented ipsec attest
Tobias Brunner [Fri, 27 Jul 2012 12:45:15 +0000 (14:45 +0200)]
Proper fallback if capability dropping is not available
Tobias Brunner [Fri, 27 Jul 2012 11:39:18 +0000 (13:39 +0200)]
The use of $< in Makefiles is not portable
It requires GNU make which is not what most people use on e.g. FreeBSD.
Fixes #205.
Tobias Brunner [Fri, 27 Jul 2012 09:36:59 +0000 (11:36 +0200)]
Include stdint.h for UINTxx_MAX defines
Fixes #205.
Andreas Steffen [Fri, 27 Jul 2012 09:47:09 +0000 (11:47 +0200)]
measure all kernel modules and optimize firefox and thunderbird measurements
Andreas Steffen [Fri, 27 Jul 2012 09:45:56 +0000 (11:45 +0200)]
with --relative --file do not insert absolute filenames into database
Martin Willi [Thu, 26 Jul 2012 13:45:49 +0000 (15:45 +0200)]
Don't include acquiring packet traffic selectors in IKEv1
As we only can negotiate a single TS in IKEv1, don't prepend the
triggering packet TS, as we do in IKEv2. Otherwise we don't establish
the TS of the configuration, but only that of the triggering packet.
Fixes #207.
Martin Willi [Thu, 26 Jul 2012 13:02:37 +0000 (15:02 +0200)]
Implement late peer config switching after XAuth authentication
If additional authentication constraints, such as group membership,
are not fulfilled by an XAuth backend, we search for another
peer configuration that fulfills all constraints, including those
from phase1.
Martin Willi [Thu, 26 Jul 2012 10:40:27 +0000 (12:40 +0200)]
Check if XAuth round complies with configured authentication round
Martin Willi [Thu, 26 Jul 2012 10:39:53 +0000 (12:39 +0200)]
Show which group would be required when failing in constraint check
Martin Willi [Thu, 26 Jul 2012 10:38:34 +0000 (12:38 +0200)]
Don't add ANY identity constraint to auth config, as XAuth rounds don't use one
Martin Willi [Thu, 26 Jul 2012 10:07:48 +0000 (12:07 +0200)]
Merge auth config items added from XAuth backends to IKE_SA
Martin Willi [Thu, 26 Jul 2012 09:49:46 +0000 (11:49 +0200)]
Add an ipsec.conf leftgroups2 parameter for the second authentication round
Andreas Steffen [Mon, 23 Jul 2012 20:19:20 +0000 (22:19 +0200)]
IMA SHA1 file measurement is not needed any more
Andreas Steffen [Mon, 23 Jul 2012 20:17:53 +0000 (22:17 +0200)]
fixed typo
Martin Willi [Mon, 23 Jul 2012 15:13:20 +0000 (17:13 +0200)]
Release leaking child config after uninstalling shunt policy
Andreas Steffen [Mon, 23 Jul 2012 11:04:28 +0000 (13:04 +0200)]
moved PA-TNC message logging to level 1
Andreas Steffen [Mon, 23 Jul 2012 10:51:37 +0000 (12:51 +0200)]
transport IMA file info via PTS Component Evidence Policy URI
Andreas Steffen [Sun, 22 Jul 2012 07:29:39 +0000 (09:29 +0200)]
ipsec attest now deletes file hashes
Andreas Steffen [Sat, 21 Jul 2012 14:43:24 +0000 (16:43 +0200)]
buffer PA-TNC attributes until Generate Attestation Evidence attribute is received