Tobias Brunner
48017a2740
conf: Complete ordering functions for ConfigOption class
2020-01-29 13:31:42 +01:00
Thomas Egerer
a605452c03
kernel-netlink: Check for offloading support in constructor
This avoids races that could potentially occur when doing the check during
SA installation.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
2019-11-26 11:00:28 +01:00
Tobias Brunner
eea58222d5
conf: Replace deprecated OptionParser with ArgumentParser
2019-11-12 10:58:07 +01:00
Tobias Brunner
9f12b8a61c
kernel-netlink: Enumerate temporary IPv6 addresses according to config
This way we announce only permanent addresses via MOBIKE by default, and
temporary ones if the option is enabled.
2019-10-22 14:14:44 +02:00
Andreas Steffen
6d3a743d90
ntru: Replaced ntru_drbg by drbg
2019-10-16 16:46:24 +02:00
Andreas Steffen
737375a2d2
drbg: Implemented NIST SP-800-90A DRBG
2019-10-16 16:46:24 +02:00
Tobias Brunner
a9fcf28007
conf: Fix typo in documentation of charon.rdn_matching
Fixes #3165.
2019-09-03 10:26:29 +02:00
Tobias Brunner
770f4ccee1
identification: Optionally match RDNs in any order and accept missing RDNs
2019-08-26 11:15:53 +02:00
Tobias Brunner
b9949e98c2
Some whitespace fixes
Didn't change some of the larger testing scripts that use an inconsistent
indentation style.
2019-08-22 15:18:06 +02:00
Tobias Brunner
d3329ee540
wolfssl: Fixes, code style changes and some refactorings
The main fixes are
* the generation of fingerprints for RSA, ECDSA, and EdDSA
* the encoding of ECDSA private keys
* calculating p and q for RSA private keys
* deriving the public key for raw Ed25519 private keys
Also, instead of numeric literals for buffer lengths ASN.1 related
constants are used.
2019-04-24 12:26:08 +02:00
Tobias Brunner
62d43ea694
ike-sa-manager: Extract IKE SPI labeling feature from charon-tkm
Might be useful for users of other daemons too. Note that compared to the
previous implementation in charon-tkm, the mask/label are applied in
network order.
Closes strongswan/strongswan#134.
2019-04-11 09:51:02 +02:00
Tobias Brunner
d49ad922c1
conf: Use actually configured path for strongswan.conf
References #2984.
2019-03-27 10:07:16 +01:00
Andreas Steffen
526c5abd0f
tpm: Check FIPS-140-2 and FIPS-186-4 compliance
2018-10-26 09:55:07 +02:00
Tobias Brunner
784d96e031
Fixed some typos, courtesy of codespell
2018-09-17 18:51:44 +02:00
Tobias Brunner
bd61236b4a
conf: Document new filelog configuration
2018-09-12 11:42:38 +02:00
Tobias Brunner
71dca60c31
settings: Don't allow dots in section/key names anymore
This requires config changes if filelog is used with a path that
contains dots. This path must now be defined in the `path` setting of an
arbitrarily named subsection of `filelog`. Without that change the
whole strongswan.conf file will fail to load, which some users might
not notice immediately.
2018-09-11 18:30:18 +02:00
Andreas Steffen
f649a13cc6
imc-swima: Support subscriptions
2018-07-29 10:37:36 +02:00
Andreas Steffen
b9d6b3c3e2
libtpmss: Configure TCTI device options
2018-07-20 19:19:24 +02:00
Andreas Steffen
e74e920bbc
libtpmtss: Support for TSS2 v2 libraries
2018-07-19 12:40:42 +02:00
Tobias Brunner
a4617539a2
conf: Fix bench_time documentation
2018-07-09 18:10:07 +02:00
Tobias Brunner
707b70725a
dhcp: Only use DHCP server port if explicitly configured
If a DHCP server is running on the same host it isn't necessary to
bind the server port and might even cause conflicts.
2018-07-02 11:39:22 +02:00
Tobias Brunner
b9745618cd
daemon: Allow configuration of logfile path as value
Some characters are not allowed in section names; this way they can
still be used in paths of log files.
2018-06-27 14:19:35 +02:00
Tobias Brunner
61c3870bef
conf: Document reference syntax
2018-06-27 14:19:35 +02:00
Tobias Brunner
57447015db
eap-radius: Document station_id_with_port option
2018-06-25 10:42:17 +02:00
Andreas Steffen
a31f9b7691
libimcv: Removed TCG SWID IMC/IMV support
2018-06-12 21:47:39 +02:00
Tobias Brunner
89bd016ef4
Fixed some typos, courtesy of codespell
2018-05-23 16:33:02 +02:00
Tobias Brunner
7b660944b6
dhcp: Only send client identifier if identity_lease is enabled
The client identifier serves as unique identifier just like a unique MAC
address would, so even with identity_leases disabled some DHCP servers
might assign unique leases per identity.
2018-05-18 18:04:01 +02:00
Tobias Brunner
e811659323
kernel-pfkey: Add option to install routes via internal interface
On FreeBSD, enabling this selects the correct source IP when sending
packets from the gateway itself.
2018-03-21 10:37:49 +01:00
Tobias Brunner
1da1ba01c4
save-keys: Add options to enable saving IKE and/or ESP keys
2018-02-15 23:03:29 +01:00
Codrut Cristian Grosu
88e151d10d
save-keys: Store derived CHILD_SA keys in Wireshark format
2018-02-15 23:03:29 +01:00
Codrut Cristian Grosu
4be7db5f60
save-keys: Store derived IKE_SA keys in Wireshark format
The path has to be set first, otherwise, nothing is done.
2018-02-15 23:03:29 +01:00
Codrut Cristian Grosu
345cd4684c
save-keys: Add save-keys plugin
This plugin will export IKE_SA and CHILD_SA secret keys in the format used
by Wireshark.
It has to be loaded explicitly.
2018-02-15 23:03:29 +01:00
Tobias Brunner
ce048c30ff
ha: Double receive buffer size for HA messages and make it configurable
With IKEv1 we transmit both public DH factors (used to derive the initial
IV) besides the shared secret. So these messages could get significantly
larger than 1024 bytes, depending on the DH group (modp2048 just about
fits into it). The new default of 2048 bytes should be fine up to modp4096
and for larger groups the buffer size may be increased (an error is
logged should this happen).
2018-02-14 14:52:18 +01:00
Tobias Brunner
2db6d5b8b3
Fixed some typos, courtesy of codespell
2018-02-13 12:19:54 +01:00
Tobias Brunner
4664992f7d
kernel-netlink: Optionally trigger roam events on routing rule changes
This can be useful if routing rules (instead of e.g. route metrics) are used
to switch from one to another interface (i.e. from one to another
routing table). Since we currently don't evaluate routing rules when
doing the route lookup this is only useful if the kernel-based route
lookup is used.
Resolves strongswan/strongswan#88.
2018-02-09 15:51:28 +01:00
Andreas Steffen
acfd590ab6
imc-os: Derive device ID from private key bound to smartcard or TPM
2017-12-10 11:51:50 +01:00
Tobias Brunner
7f1d944bc9
The pacman tool got replaced by the sec-updater tool
2017-11-15 12:18:17 +01:00
Tobias Brunner
851e51d1cf
sec-updater: Fix typo in documentation
2017-11-15 12:10:33 +01:00
Tobias Brunner
6f97c0d50b
ikev2: Enumerate RSA/PSS schemes and use them if enabled
2017-11-08 16:48:10 +01:00
Tobias Brunner
c81b87ac26
systime-fix: Add timeout option to stop waiting for valid system time
A certificate check is forced once the timeout is reached even if the
system time appears to be invalid.
2017-11-08 16:20:35 +01:00
Tobias Brunner
655924074b
eap-radius: Optionally send Class attributes in RADIUS accounting messages
If enabled, add the RADIUS Class attributes received in Access-Accept messages
to RADIUS accounting messages as suggested by RFC 2865 section 5.25.
Fixes #2451.
2017-11-02 09:57:05 +01:00
Andreas Steffen
8aad7ffb11
sec-updater: Import SWID tags of updated packages
sec-updater downloads the deb package files from security updates from
a given linux repository and uses the swid_generator command to
derive a SWID tag. The SWID tag is then imported into strongTNC
using the manage.py importswid command.
2017-09-09 20:23:19 +02:00
Andreas Steffen
e658fd475a
sw-collector: Moved info class to libimcv
2017-08-09 13:28:00 +02:00
Tobias Brunner
e66c3d41bc
conf: Descriptions of several settings updated
2017-08-08 17:28:01 +02:00
Tobias Brunner
ca280574ba
Fixed some typos, courtesy of codespell
2017-08-07 17:22:01 +02:00
Tobias Brunner
00498d78a8
conf: Match more characters in _ and **
\w does not match e.g. / but \S does.
2017-08-07 14:22:27 +02:00
Andreas Steffen
88501a64ca
swid-gen: Share SWID generator between sw-collector, imc-swima and imc-swid
2017-08-04 19:15:26 +02:00
Andreas Steffen
073c179a88
sw-collector: Added --full option
2017-08-03 09:02:54 +02:00
Tobias Brunner
4272a3e9d7
swanctl: Read default socket from swanctl.socket option
Also read from swanctl.plugins.vici.socket so we get
libstrongswan.plugins.vici.socket if it is defined.
Fixes #2372.
2017-07-27 13:22:57 +02:00
Tobias Brunner
fb8c9b3d08
conf: Add support to generate include statements in .conf files
2017-07-27 13:19:38 +02:00