Commit Graph

201 Commits

Author SHA1 Message Date
René Fischer 4261fcedec botan: Use strongSwan's RNG interface in Botan plugin
This allows using rng_t implementations provided by other plugins to
serve as RNG for Botan.

Closes strongswan/strongswan#192.
2021-02-15 09:27:51 +01:00
Pascal Knecht e3757300eb tls-crypto: Add signature scheme config file filter
And add signature scheme unit tests.
2021-02-12 14:35:23 +01:00
Pascal Knecht e5b6565730 tls-crypto: Rename DH group/key exchange method config option
TLS key exchange methods are now configured with `ke_group`.
2021-02-12 14:35:23 +01:00
Tobias Brunner a60e248b0d libtls: Increase default min version to 1.2
The older versions are generally considered deprecated (there is an
Internet-Draft that aims to do that formally).
2021-02-12 14:35:23 +01:00
Shmulik Ladkani a4a128bd2f tls-server: Optionally omit CAs in CertificateRequest messages
Usually, the DNs of all loaded CA certificates are included in the
CertificateRequest messages sent by the server.

Alas, certain EAP-TLS clients fail to process this message if the
list is too long, returning the fatal TLS alert 'illegal parameter'.

This new option allows configuring whether CAs are included or an
empty list is sent (TLS 1.2), or the certificate_authorities extension
is omitted (TLS 1.3).  The list only serves as hint/constraint
for clients during certificate selection, they still have to provide
a certificate but are free to select any one they have available.

Closes strongswan/strongswan#187.
2021-02-12 14:35:23 +01:00
Tobias Brunner 92aef122c3 libtls: Reduce default max version to 1.2
Using TLS 1.3 with various EAP methods is not yet fully standardized, so we
don't enable it by default yet.
2021-02-12 14:35:23 +01:00
Tobias Brunner 663969ddf7 libtls: Make min/max TLS version configurable
Except for the tls_test tool, the versions now default to those
configured in strongswan.conf.
2021-02-12 14:35:23 +01:00
Tobias Brunner 86fb24c2c5 Remove the ecp_x_coordinate_only option
This was for compatibility with very old releases and only complicates
things unnecessarily nowadays.
2021-01-20 17:53:35 +01:00
Andreas Steffen 9b4a2322d6 libimcv: Evaluate IMA SHA-256 measurements 2021-01-08 11:00:15 +01:00
Tobias Brunner f3f93cade9 load-tester: Also request a virtual IPv6 address
Fixes #3595.
2020-10-27 16:40:38 +01:00
Tobias Brunner b422f16d10 sys-logger: Optionally log the level of each message
Fixes #3509.
2020-10-27 10:42:49 +01:00
Tobias Brunner a3f5e38b7f file-logger: Optionally log the level of each message
Fixes #3509.
2020-10-27 10:42:39 +01:00
Andreas Steffen 3ef5b23903 pts: Variable size PCR banks 2020-10-07 16:54:32 +02:00
Noel Kuntze d1d5659ead ike-vendor: Add option to send Cisco FLexVPN vendor ID
A new global option enables sending this vendor ID to prevent Cisco
devices from narrowing the initiator's local traffic selector to the
requested virtual IP, so e.g. 0.0.0.0/0 can be used instead.

This has been tested with a "tunnel mode ipsec ipv4" Cisco template but
should also work for GRE encapsulation.

Closes strongswan/strongswan#180.
2020-09-10 12:01:44 +02:00
Tobias Brunner 6524bd3cd5 ike: Optionally use DPD to check if the current path still works
We could maybe check the duration of the last stale condition or when
the last packet was sent as filter to avoid unnecessary updates.
2020-06-02 14:07:06 +02:00
Tobias Brunner 0d4a5f6af6 ike: Add an option to trigger a DPD instead of a NAT keepalive
This is useful on Android where the app might not be able to send
keep-alives if the device is asleep for a while.  If the NAT mapping
has been deleted in the mean time, the NAT-D payloads allow detecting
this and connectivity can be restored by doing a MOBIKE update or
recreating the SA if the peer already deleted it because the client
wasn't reachable.
2020-06-02 14:07:06 +02:00
Tobias Brunner 066fa42fcb ike-auth: Add option to use EAP-only authentication without notify
Some peers apparently don't send the notify and still expect to
authenticate with EAP-only authentication.  This option allows forcing
the configured use of EAP-only authentication in that scenario.
2020-05-07 15:05:55 +02:00
Thomas Egerer 05e373aeb0 ike: Optionally allow private algorithms for IKE/CHILD_SAs
Charon refuses to make use of algorithms IDs from the private space
for unknown peer implementations [1]. If you chose to ignore and violate
that section of the RFC since you *know* your peers *must* support those
private IDs, there's no way to disable that behavior.

With this commit a strongswan.conf option is introduced which allows to
deliberately ignore parts of section 3.12 from the standard.

[1] http://tools.ietf.org/html/rfc7296#section-3.12

Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
2020-03-06 11:15:15 +01:00
Josh Soref b3ab7a48cc Spelling fixes
* accumulating
* acquire
* alignment
* appropriate
* argument
* assign
* attribute
* authenticate
* authentication
* authenticator
* authority
* auxiliary
* brackets
* callback
* camellia
* can't
* cancelability
* certificate
* choinyambuu
* chunk
* collector
* collision
* communicating
* compares
* compatibility
* compressed
* confidentiality
* configuration
* connection
* consistency
* constraint
* construction
* constructor
* database
* decapsulated
* declaration
* decrypt
* derivative
* destination
* destroyed
* details
* devised
* dynamic
* ecapsulation
* encoded
* encoding
* encrypted
* enforcing
* enumerator
* establishment
* excluded
* exclusively
* exited
* expecting
* expire
* extension
* filter
* firewall
* foundation
* fulfillment
* gateways
* hashing
* hashtable
* heartbeats
* identifier
* identifiers
* identities
* identity
* implementers
* indicating
* initialize
* initiate
* initiation
* initiator
* inner
* instantiate
* legitimate
* libraries
* libstrongswan
* logger
* malloc
* manager
* manually
* measurement
* mechanism
* message
* network
* nonexistent
* object
* occurrence
* optional
* outgoing
* packages
* packets
* padding
* particular
* passphrase
* payload
* periodically
* policies
* possible
* previously
* priority
* proposal
* protocol
* provide
* provider
* pseudo
* pseudonym
* public
* qualifier
* quantum
* quintuplets
* reached
* reading
* recommendation to
* recommendation
* recursive
* reestablish
* referencing
* registered
* rekeying
* reliable
* replacing
* representing
* represents
* request
* request
* resolver
* result
* resulting
* resynchronization
* retriable
* revocation
* right
* rollback
* rule
* rules
* runtime
* scenario
* scheduled
* security
* segment
* service
* setting
* signature
* specific
* specified
* speed
* started
* steffen
* strongswan
* subjectaltname
* supported
* threadsafe
* traffic
* tremendously
* treshold
* unique
* uniqueness
* unknown
* until
* upper
* using
* validator
* verification
* version
* version
* warrior

Closes strongswan/strongswan#164.
2020-02-11 18:23:07 +01:00
Tobias Brunner 48017a2740 conf: Complete ordering functions for ConfigOption class 2020-01-29 13:31:42 +01:00
Thomas Egerer a605452c03 kernel-netlink: Check for offloading support in constructor
This avoids races that could potentially occur when doing the check during
SA installation.

Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
2019-11-26 11:00:28 +01:00
Tobias Brunner eea58222d5 conf: Replace deprecated OptionParser with ArgumentParser 2019-11-12 10:58:07 +01:00
Tobias Brunner 9f12b8a61c kernel-netlink: Enumerate temporary IPv6 addresses according to config
This way we announce only permanent addresses via MOBIKE by default, and
temporary ones if the option is enabled.
2019-10-22 14:14:44 +02:00
Andreas Steffen 6d3a743d90 ntru: Replaced ntru_drbg by drbg 2019-10-16 16:46:24 +02:00
Andreas Steffen 737375a2d2 drbg: Implemented NIST SP-800-90A DRBG 2019-10-16 16:46:24 +02:00
Tobias Brunner a9fcf28007 conf: Fix typo in documentation of charon.rdn_matching
Fixes #3165.
2019-09-03 10:26:29 +02:00
Tobias Brunner 770f4ccee1 identification: Optionally match RDNs in any order and accept missing RDNs 2019-08-26 11:15:53 +02:00
Tobias Brunner b9949e98c2 Some whitespace fixes
Didn't change some of the larger testing scripts that use an inconsistent
indentation style.
2019-08-22 15:18:06 +02:00
Tobias Brunner d3329ee540 wolfssl: Fixes, code style changes and some refactorings
The main fixes are

 * the generation of fingerprints for RSA, ECDSA, and EdDSA
 * the encoding of ECDSA private keys
 * calculating p and q for RSA private keys
 * deriving the public key for raw Ed25519 private keys

Also, instead of numeric literals for buffer lengths ASN.1 related
constants are used.
2019-04-24 12:26:08 +02:00
Tobias Brunner 62d43ea694 ike-sa-manager: Extract IKE SPI labeling feature from charon-tkm
Might be useful for users of other daemons too. Note that compared to the
previous implementation in charon-tkm, the mask/label are applied in
network order.

Closes strongswan/strongswan#134.
2019-04-11 09:51:02 +02:00
Tobias Brunner d49ad922c1 conf: Use actually configured path for strongswan.conf
References #2984.
2019-03-27 10:07:16 +01:00
Andreas Steffen 526c5abd0f tpm: Check FIPS-140-2 and FIPS-186-4 compliance 2018-10-26 09:55:07 +02:00
Tobias Brunner 784d96e031 Fixed some typos, courtesy of codespell 2018-09-17 18:51:44 +02:00
Tobias Brunner bd61236b4a conf: Document new filelog configuration 2018-09-12 11:42:38 +02:00
Tobias Brunner 71dca60c31 settings: Don't allow dots in section/key names anymore
This requires config changes if filelog is used with a path that
contains dots. This path must now be defined in the `path` setting of an
arbitrarily named subsection of `filelog`.  Without that change the
whole strongswan.conf file will fail to load, which some users might
not notice immediately.
2018-09-11 18:30:18 +02:00
Andreas Steffen f649a13cc6 imc-swima: Support subscriptions 2018-07-29 10:37:36 +02:00
Andreas Steffen b9d6b3c3e2 libtpmss: Configure TCTI device options 2018-07-20 19:19:24 +02:00
Andreas Steffen e74e920bbc libtpmtss: Support for TSS2 v2 libraries 2018-07-19 12:40:42 +02:00
Tobias Brunner a4617539a2 conf: Fix bench_time documentation 2018-07-09 18:10:07 +02:00
Tobias Brunner 707b70725a dhcp: Only use DHCP server port if explicitly configured
If a DHCP server is running on the same host it isn't necessary to
bind the server port and might even cause conflicts.
2018-07-02 11:39:22 +02:00
Tobias Brunner b9745618cd daemon: Allow configuration of logfile path as value
Some characters are not allowed in section names, this way they can
still be used in paths of log files.
2018-06-27 14:19:35 +02:00
Tobias Brunner 61c3870bef conf: Document reference syntax 2018-06-27 14:19:35 +02:00
Tobias Brunner 57447015db eap-radius: Document station_id_with_port option 2018-06-25 10:42:17 +02:00
Andreas Steffen a31f9b7691 libimcv: Removed TCG SWID IMC/IMV support 2018-06-12 21:47:39 +02:00
Tobias Brunner 89bd016ef4 Fixed some typos, courtesy of codespell 2018-05-23 16:33:02 +02:00
Tobias Brunner 7b660944b6 dhcp: Only send client identifier if identity_lease is enabled
The client identifier serves as unique identifier just like a unique MAC
address would, so even with identity_leases disabled some DHCP servers
might assign unique leases per identity.
2018-05-18 18:04:01 +02:00
Tobias Brunner e811659323 kernel-pfkey: Add option to install routes via internal interface
On FreeBSD, enabling this selects the correct source IP when sending
packets from the gateway itself.
2018-03-21 10:37:49 +01:00
Tobias Brunner 1da1ba01c4 save-keys: Add options to enable saving IKE and/or ESP keys 2018-02-15 23:03:29 +01:00
Codrut Cristian Grosu 88e151d10d save-keys: Store derived CHILD_SA keys in Wireshark format 2018-02-15 23:03:29 +01:00
Codrut Cristian Grosu 4be7db5f60 save-keys: Store derived IKE_SA keys in Wireshark format
The path has to be set first, otherwise, nothing is done.
2018-02-15 23:03:29 +01:00