Tobias Brunner
865fd804ee
eap-dynamic: Publish the get_auth() method of the wrapped EAP method
Fixes #2238.
2017-02-07 10:52:24 +01:00
Tobias Brunner
124a1eb8cf
pkcs11: Fix documentation of load_certs option
This option is actually module-specific.
2017-02-06 11:18:47 +01:00
Tobias Brunner
2f95c55271
ike-auth: Don't send INITIAL_CONTACT if remote ID contains wildcards
Such an identity won't equal an actual peer's identity, resulting in
sending an INITIAL_CONTACT notify even if there might be an existing
IKE_SA.
2017-02-06 11:16:53 +01:00
Tobias Brunner
22f13dcecd
proposal: Copy SPI and proposal number from correct proposal in select()
If charon.prefer_configured_proposals is disabled, select() is called on
the received proposal. This incorrectly set the SPI to 0 as the
configured proposal has no SPI set.
Fixes #2190.
2017-02-06 11:14:31 +01:00
Tobias Brunner
b062d3cc44
kernel-netlink: Set NODAD flag for virtual IPv6 addresses
The Optimistic Duplicate Address Detection (DAD) seems to fail in some
cases (`dadfailed` in `ip addr`) rendering the virtual IP address unusable.
Fixes #2183.
2017-02-06 11:10:44 +01:00
Tobias Brunner
7a40162cb7
kernel-netlink: Prefer matching label when selecting IPv6 source addresses
This implements rule 6 of RFC 6724 using the default priority table,
so that e.g. global addresses are preferred over ULAs (which also have
global scope) when the destination is a global address.
Fixes #2138.
2017-02-06 11:06:22 +01:00
Tobias Brunner
965daa1df3
kernel-netlink: Use correct 4 byte alignment for AH with IPv4
By default, the kernel incorrectly uses an 8 byte alignment, which is
mandatory for IPv6 but prohibited for IPv4. For many algorithms this
doesn't matter but that's not the case for HMAC_SHA2_256_128.
Since 2.6.39 the kernel can be explicitly configured to use a 4 byte
alignment.
2017-01-25 17:51:35 +01:00
Thomas Egerer
8a91729dfe
kernel-netlink: Allow change of Netlink socket receive buffer size
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
2017-01-25 17:42:38 +01:00
Tobias Brunner
4ae2209e3d
kernel-pfkey: Set state to SADB_SASTATE_MATURE when adding/updating SAs
Picky kernels might otherwise reject our messages as RFC 2367 explicitly
mandates this.
Fixes #2212.
2017-01-25 17:30:57 +01:00
Tobias Brunner
da565d9832
kernel-pfroute: Don't set a gateway if it is of a different address family than the destination
2017-01-25 17:29:44 +01:00
Tobias Brunner
896d729a60
libipsec: Add support for AES and Camellia in CCM mode
Fixes #2172.
2017-01-25 17:26:45 +01:00
Tobias Brunner
1da567734f
libipsec: Fix Windows build via MinGW
Fixes #2118.
2017-01-25 17:12:30 +01:00
Tobias Brunner
69b58e347e
stroke: Default to %dynamic if no valid TS are specified in left|rightsubnet
Otherwise, we'd end up with an empty TS list, which is not valid.
Because end->tohost is set to !end->subnets in starter, the removed branch was
never used.
2017-01-25 16:56:28 +01:00
Tobias Brunner
014737dd54
init: Let systemd restart daemons if they get terminated unexpectedly
Fixes #2205.
2017-01-25 15:10:57 +01:00
Tobias Brunner
262bff8bd0
init: Depend on network-online.target instead of network.target in systemd units
This makes sure the network is "up" before connections are
loaded/initiated.
Fixes #2205.
2017-01-25 15:10:50 +01:00
Tobias Brunner
68d97ac541
Merge branch 'charon-systemd-reload-loggers'
Allows reloading strongswan.conf, the loggers, and the plugins in
charon-systemd by sending a SIGHUP (as already supported by charon).
Loggers are now also reloaded by VICI's `reload-settings` command (works
with both daemons).
Fixes #2222.
2017-01-25 15:03:01 +01:00
Tobias Brunner
83bf6db303
vici: Reload loggers after reloading strongswan.conf via reload-setting command
2017-01-25 14:58:12 +01:00
Tobias Brunner
9665686bd8
daemon: Use separate method to set default loggers
This way it is not necessary to pass the same values to reload the
loggers.
2017-01-25 14:58:09 +01:00
Tobias Brunner
ff22d53ba9
charon-systemd: Handle SIGHUP the same way charon does
That is, reload strongswan.conf, the loggers and the plugins.
2017-01-25 14:58:05 +01:00
Tobias Brunner
4e382f5ffc
ha: Fix assignment of IP addresses if multiple pools are defined
Fixes #2146.
2017-01-25 12:28:34 +01:00
Tobias Brunner
0e3c8cc4a2
ha: Delete passive IKE_SA on other node after half-open timeout
Fixes #1192.
2017-01-25 12:27:21 +01:00
Thomas Egerer
7085ca68d6
kernel-netlink: Return const pointer from lookup_algorithm()
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
2017-01-23 18:53:58 +01:00
Tobias Brunner
343a5e9f26
Merge branch 'android-import'
Adds a VPN profile import feature.
2017-01-20 11:55:48 +01:00
Tobias Brunner
7b73cf4aa9
android: New release after adding profile import functionality
2017-01-20 11:53:43 +01:00
Tobias Brunner
66bf2b788c
android: Handle profile file names with dots in them
2017-01-20 11:44:17 +01:00
Tobias Brunner
9c79af8c38
android: Handle errors when fetching profile in more detail
2017-01-20 11:44:16 +01:00
Tobias Brunner
3107634e30
android: Add activity to import VPN profiles from JSON-encoded files
The file format is documented on the wiki.
URLs to .sswan files may be intercepted and downloaded files with a media
type of application/vnd.strongswan.profile may also be opened (the file
extension doesn't matter in that case). Whether downloaded files for which
the media type is not correct but the extension is .sswan can be opened
depends on the app that issues the Intent. For instance, from the default
Downloads app it won't work due to the content:// URLs that do not contain
the file name but when opening the downloaded file from within Chrome's
Downloads view it works as these Intents use file:// URLs, which contain
the complete file name (the latter requires a new permission).
2017-01-20 11:44:07 +01:00
Tobias Brunner
cf6110f152
android: Use a local broadcast to notify about profile changes
This allows other components to modify the profiles and notify about
changes.
2017-01-20 11:01:32 +01:00
Tobias Brunner
c4ab9af74e
android: Add a UUID property to the VPN profiles
All new or edited profiles get a random UUID. We currently don't
enforce one, though. Later we might change that and use the UUID as
primary key.
2017-01-20 11:01:32 +01:00
Tobias Brunner
a4c7778086
Merge branch 'ipsec-commands'
Fixes an issue with the ipsec script when used with sudo.
I'd usually rebase this but the commit ID was already referenced
elsewhere.
2017-01-19 18:40:00 +01:00
Tobias Brunner
2ec6372f5a
ipsec: Only allow specific commands to be executed via ipsec script
The previous fallback allowed running any executable as root if executing
ipsec via sudo was allowed, by using e.g. `sudo ipsec ../../../bin/sh`.
2017-01-18 16:15:48 +01:00
Tobias Brunner
1c27cf3bc8
bliss: Increase timeout for sampler unit test
Fixes #2204.
2017-01-16 11:28:10 +01:00
Tobias Brunner
410bdaf654
android: Include ref10 subdirectory for curve25519 plugin
Fixes #2201.
2017-01-16 11:19:35 +01:00
Andreas Steffen
9ad147ac63
Version bump to 5.5.2dr4
2017-01-02 15:46:27 +01:00
Andreas Steffen
bda3a573f4
Merge branch 'disable_ocsp'
2017-01-02 14:35:39 +01:00
Andreas Steffen
91a4a4aa83
testing: Added swanctl/ocsp-disabled scenario
2017-01-02 14:34:39 +01:00
Andreas Steffen
db0953d41f
testing: Added swanctl/ocsp-signer-cert scenario
2017-01-02 14:34:18 +01:00
Andreas Steffen
e3f63c6469
revocation: OCSP and/or CRL fetching can be disabled
2016-12-30 18:12:53 +01:00
Andreas Steffen
08253bbba3
testing: Convert swanctl scenarios to curve-25519
2016-12-30 16:22:12 +01:00
Andreas Steffen
65797c9faf
Version bump to 5.5.2dr3 and Linux kernel 4.9
2016-12-17 18:10:13 +01:00
Andreas Steffen
470e61ae77
testing: strongTNC does not come with django.db any more
2016-12-17 18:09:20 +01:00
Andreas Steffen
3c1e5ad6ce
testing: Added ikev2/net2net-ed25519 scenario
2016-12-17 18:07:29 +01:00
Andreas Steffen
bd2f2b11fc
stroke: Load general PKCS#8 private keys
2016-12-17 18:06:11 +01:00
Andreas Steffen
9da89eeb4f
Merge branch 'Ed25519'
2016-12-16 12:24:54 +01:00
Andreas Steffen
4f19112b1f
Moved Ed25519 tests to libstrongswan
2016-12-14 11:57:36 +01:00
Weilu Jia
351179d4dc
vici: Check for closed connection in Python bindings
The Python VICI library does not check if the socket is closed.
If the daemon closes the connection, _recvall() spins forever.
Closes strongswan/strongswan#56.
2016-12-14 11:35:31 +01:00
Andreas Steffen
e9c2b6658b
unit-tests: Completed coverage of hasher, crypter and libnttfft
2016-12-14 11:15:48 +01:00
Andreas Steffen
94ae1ac18e
Added swanctl/net2net-ed2559 scenario and needed Ed25519 certificates
2016-12-14 11:15:48 +01:00
Andreas Steffen
f2eb367adc
Implemented EdDSA for IKEv2 using a pro forma Identity hash function
2016-12-14 11:15:48 +01:00
Andreas Steffen
d47ad3d67e
Added Ed25519 ref10 implementation from libsodium
2016-12-14 11:15:47 +01:00