865fd804ee
eap-dynamic: Publish the get_auth() method of the wrapped EAP method
...
Fixes #2238 .
2017-02-07 10:52:24 +01:00
124a1eb8cf
pkcs11: Fix documentation of load_certs option
...
This option is actually module-specific.
2017-02-06 11:18:47 +01:00
2f95c55271
ike-auth: Don't send INITIAL_CONTACT if remote ID contains wildcards
...
Such an identity won't equal an actual peer's identity resulting in
sending an INITIAL_CONTACT notify even if there might be an existing
IKE_SA.
2017-02-06 11:16:53 +01:00
22f13dcecd
proposal: Copy SPI and proposal number from correct proposal in select()
...
If charon.prefer_configured_proposals is disabled select() is called on
the received proposal. This incorrectly set the SPI to 0 as the
configured proposal has no SPI set.
Fixes #2190 .
2017-02-06 11:14:31 +01:00
b062d3cc44
kernel-netlink: Set NODAD flag for virtual IPv6 addresses
...
The Optimistic Duplicate Address Detection (DAD) seems to fail in some
cases (`dadfailed` in `ip addr`) rendering the virtual IP address unusable.
Fixes #2183 .
2017-02-06 11:10:44 +01:00
7a40162cb7
kernel-netlink: Prefer matching label when selecting IPv6 source addresses
...
This implements rule 6 of RFC 6724 using the default priority table,
so that e.g. global addresses are preferred over ULAs (which also have
global scope) when the destination is a global address.
Fixes #2138 .
2017-02-06 11:06:22 +01:00
965daa1df3
kernel-netlink: Use correct 4 byte alignment for AH with IPv4
...
By default, the kernel incorrectly uses an 8 byte alignment, which is
mandatory for IPv6 but prohibited for IPv4. For many algorithms this
doesn't matter but that's not the case for HMAC_SHA2_256_128.
Since 2.6.39 the kernel can be explicitly configured to use a 4 byte
alignment.
2017-01-25 17:51:35 +01:00
8a91729dfe
kernel-netlink: Allow change of Netlink socket receive buffer size
...
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
2017-01-25 17:42:38 +01:00
4ae2209e3d
kernel-pfkey: Set state to SADB_SASTATE_MATURE when adding/updating SAs
...
Picky kernels might otherwise reject our messages as RFC 2367 explicitly
mandates this.
Fixes #2212 .
2017-01-25 17:30:57 +01:00
da565d9832
kernel-pfroute: Don't set a gateway if it is of a different address family than the destination
2017-01-25 17:29:44 +01:00
896d729a60
libipsec: Add support for AES and Camellia in CCM mode
...
Fixes #2172 .
2017-01-25 17:26:45 +01:00
1da567734f
libipsec: Fix Windows build via MinGW
...
Fixes #2118 .
2017-01-25 17:12:30 +01:00
69b58e347e
stroke: Default to %dynamic if no valid TS are specified in left|rightsubnet
...
Otherwise, we'd end up with an empty TS list, which is not valid.
Because end->tohost is set to !end->subnets in starter the removed branch was
never used.
2017-01-25 16:56:28 +01:00
014737dd54
init: Let systemd restart daemons if they get terminated unexpectedly
...
Fixes #2205 .
2017-01-25 15:10:57 +01:00
262bff8bd0
init: Depend on network-online.target instead of network.target in systemd units
...
This makes sure the network is "up" before connections are
loaded/initiated.
Fixes #2205 .
2017-01-25 15:10:50 +01:00
68d97ac541
Merge branch 'charon-systemd-reload-loggers'
...
Allows reloading strongswan.conf, the loggers, and the plugins in
charon-systemd by sending a SIGHUP (as already supported by charon).
Loggers are now also reloaded by VICI's `reload-settings` command (works
with both daemons).
Fixes #2222 .
2017-01-25 15:03:01 +01:00
83bf6db303
vici: Reload loggers after reloading strongswan.conf via reload-setting command
2017-01-25 14:58:12 +01:00
9665686bd8
daemon: Use separate method to set default loggers
...
This way it is not necessary to pass the same values to reload the
loggers.
2017-01-25 14:58:09 +01:00
ff22d53ba9
charon-systemd: Handle SIGHUP the same way charon does
...
That is, reload strongswan.conf, the loggers and the plugins.
2017-01-25 14:58:05 +01:00
4e382f5ffc
ha: Fix assignment of IP addresses if multiple pools are defined
...
Fixes #2146 .
2017-01-25 12:28:34 +01:00
0e3c8cc4a2
ha: Delete passive IKE_SA on other node after half-open timeout
...
Fixes #1192 .
2017-01-25 12:27:21 +01:00
7085ca68d6
kernel-netlink: Return const pointer from lookup_algorithm()
...
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
2017-01-23 18:53:58 +01:00
343a5e9f26
Merge branch 'android-import'
...
Adds a VPN profile import feature.
2017-01-20 11:55:48 +01:00
7b73cf4aa9
android: New release after adding profile import functionality
2017-01-20 11:53:43 +01:00
66bf2b788c
android: Handle profile file names with dots in them
2017-01-20 11:44:17 +01:00
9c79af8c38
android: Handle errors when fetching profile in more detail
2017-01-20 11:44:16 +01:00
3107634e30
android: Add activity to import VPN profiles from JSON-encoded files
...
The file format is documented on the wiki.
URLs to .sswan files may be intercepted and downloaded files with a media
type of application/vnd.strongswan.profile may also be opened (the file
extension doesn't matter in that case). Whether downloaded files for which
the media type is not correct but the extension is .sswan can be opened
depends on the app that issues the Intent. For instance, from the default
Downloads app it won't work due to the content:// URLs that do not contain
the file name but when opening the downloaded file from within Chrome's
Downloads view it works as these Intents use file:// URLs, which contain
the complete file name (the latter requires a new permission).
2017-01-20 11:44:07 +01:00
cf6110f152
android: Use a local broadcast to notify about profile changes
...
This allows other components to modify the profiles and notify about
changes.
2017-01-20 11:01:32 +01:00
c4ab9af74e
android: Add a UUID property to the VPN profiles
...
All new or edited profiles get a random UUID. We currently don't
enforce one, though. Later we might change that and use the UUID as
primary key.
2017-01-20 11:01:32 +01:00
a4c7778086
Merge branch 'ipsec-commands'
...
Fixes an issue with the ipsec script when used with sudo.
I'd usually rebase this but the commit ID was already referenced
elsewhere.
2017-01-19 18:40:00 +01:00
2ec6372f5a
ipsec: Only allow specific commands to be executed via ipsec script
...
The previous fallback allowed running any executable as root if executing
ipsec via sudo was allowed, by using e.g. `sudo ipsec ../../../bin/sh`.
2017-01-18 16:15:48 +01:00
1c27cf3bc8
bliss: Increase timeout for sampler unit test
...
Fixes #2204 .
2017-01-16 11:28:10 +01:00
410bdaf654
android: Include ref10 subdirectory for curve25519 plugin
...
Fixes #2201 .
2017-01-16 11:19:35 +01:00
9ad147ac63
Version bump to 5.5.2dr4
2017-01-02 15:46:27 +01:00
bda3a573f4
Merge branch 'disable_ocsp'
2017-01-02 14:35:39 +01:00
91a4a4aa83
testing: Added swanctl/ocsp-disabled scenario
2017-01-02 14:34:39 +01:00
db0953d41f
testing: Added swanctl/ocsp-signer-cert scenario
2017-01-02 14:34:18 +01:00
e3f63c6469
revocation: OCSP and/or CRL fetching can be disabled
2016-12-30 18:12:53 +01:00
08253bbba3
testing: Convert swanctl scenarios to curve-25519
2016-12-30 16:22:12 +01:00
65797c9faf
Version bump to 5.5.2dr3 and Linux kernel 4.9
2016-12-17 18:10:13 +01:00
470e61ae77
testing: strongTNC does not come with django.db any more
2016-12-17 18:09:20 +01:00
3c1e5ad6ce
testing: Added ikev2/net2net-ed25519 scenario
2016-12-17 18:07:29 +01:00
bd2f2b11fc
stroke: Load general PKCS#8 private keys
2016-12-17 18:06:11 +01:00
9da89eeb4f
Merge branch 'Ed25519'
2016-12-16 12:24:54 +01:00
4f19112b1f
Moved Ed25519 tests to libstrongswan
2016-12-14 11:57:36 +01:00
351179d4dc
vici: Check for closed connection in Python bindings
...
The Python VICI library does not check if the socket is closed.
If the daemon closes the connection, _recvall() spins forever.
Closes strongswan/strongswan#56 .
2016-12-14 11:35:31 +01:00
e9c2b6658b
unit-tests: Completed coverage of hasher, crypter and libnttfft
2016-12-14 11:15:48 +01:00
94ae1ac18e
Added swanctl/net2net-ed2559 scenario and needed Ed25519 certificates
2016-12-14 11:15:48 +01:00
f2eb367adc
Implemented EdDSA for IKEv2 using a pro forma Identity hash function
2016-12-14 11:15:48 +01:00
d47ad3d67e
Added Ed25519 ref10 implementation from libsodium
2016-12-14 11:15:47 +01:00
Tobias Brunner