Tobias Brunner
896d729a60
libipsec: Add support for AES and Camellia in CCM mode
...
Fixes #2172 .
2017-01-25 17:26:45 +01:00
Tobias Brunner
1da567734f
libipsec: Fix Windows build via MinGW
...
Fixes #2118 .
2017-01-25 17:12:30 +01:00
Tobias Brunner
69b58e347e
stroke: Default to %dynamic if no valid TS are specified in left|rightsubnet
...
Otherwise, we'd end up with an empty TS list, which is not valid.
Because end->tohost is set to !end->subnets in starter the removed branch was
never used.
2017-01-25 16:56:28 +01:00
Tobias Brunner
014737dd54
init: Let systemd restart daemons if they get terminated unexpectedly
...
Fixes #2205 .
2017-01-25 15:10:57 +01:00
Tobias Brunner
262bff8bd0
init: Depend on network-online.target instead of network.target in systemd units
...
This makes sure the network is "up" before connections are
loaded/initiated.
Fixes #2205 .
2017-01-25 15:10:50 +01:00
Tobias Brunner
68d97ac541
Merge branch 'charon-systemd-reload-loggers'
...
Allows reloading strongswan.conf, the loggers, and the plugins in
charon-systemd by sending a SIGHUP (as already supported by charon).
Loggers are now also reloaded by VICI's `reload-settings` command (works
with both daemons).
Fixes #2222 .
2017-01-25 15:03:01 +01:00
Tobias Brunner
83bf6db303
vici: Reload loggers after reloading strongswan.conf via reload-setting command
2017-01-25 14:58:12 +01:00
Tobias Brunner
9665686bd8
daemon: Use separate method to set default loggers
...
This way it is not necessary to pass the same values to reload the
loggers.
2017-01-25 14:58:09 +01:00
Tobias Brunner
ff22d53ba9
charon-systemd: Handle SIGHUP the same way charon does
...
That is, reload strongswan.conf, the loggers and the plugins.
2017-01-25 14:58:05 +01:00
Tobias Brunner
4e382f5ffc
ha: Fix assignment of IP addresses if multiple pools are defined
...
Fixes #2146 .
2017-01-25 12:28:34 +01:00
Tobias Brunner
0e3c8cc4a2
ha: Delete passive IKE_SA on other node after half-open timeout
...
Fixes #1192 .
2017-01-25 12:27:21 +01:00
Thomas Egerer
7085ca68d6
kernel-netlink: Return const pointer from lookup_algorithm()
...
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
2017-01-23 18:53:58 +01:00
Tobias Brunner
343a5e9f26
Merge branch 'android-import'
...
Adds a VPN profile import feature.
2017-01-20 11:55:48 +01:00
Tobias Brunner
7b73cf4aa9
android: New release after adding profile import functionality
2017-01-20 11:53:43 +01:00
Tobias Brunner
66bf2b788c
android: Handle profile file names with dots in them
2017-01-20 11:44:17 +01:00
Tobias Brunner
9c79af8c38
android: Handle errors when fetching profile in more detail
2017-01-20 11:44:16 +01:00
Tobias Brunner
3107634e30
android: Add activity to import VPN profiles from JSON-encoded files
...
The file format is documented on the wiki.
URLs to .sswan files may be intercepted and downloaded files with a media
type of application/vnd.strongswan.profile may also be opened (the file
extension doesn't matter in that case). Whether downloaded files for which
the media type is not correct but the extension is .sswan can be opened
depends on the app that issues the Intent. For instance, from the default
Downloads app it won't work due to the content:// URLs that do not contain
the file name but when opening the downloaded file from within Chrome's
Downloads view it works as these Intents use file:// URLs, which contain
the complete file name (the latter requires a new permission).
2017-01-20 11:44:07 +01:00
Tobias Brunner
cf6110f152
android: Use a local broadcast to notify about profile changes
...
This allows other components to modify the profiles and notify about
changes.
2017-01-20 11:01:32 +01:00
Tobias Brunner
c4ab9af74e
android: Add a UUID property to the VPN profiles
...
All new or edited profiles get a random UUID. We currently don't
enforce one, though. Later we might change that and use the UUID as
primary key.
2017-01-20 11:01:32 +01:00
Tobias Brunner
a4c7778086
Merge branch 'ipsec-commands'
...
Fixes an issue with the ipsec script when used with sudo.
I'd usually rebase this but the commit ID was already referenced
elsewhere.
2017-01-19 18:40:00 +01:00
Tobias Brunner
2ec6372f5a
ipsec: Only allow specific commands to be executed via ipsec script
...
The previous fallback allowed running any executable as root if executing
ipsec via sudo was allowed, by using e.g. `sudo ipsec ../../../bin/sh`.
2017-01-18 16:15:48 +01:00
Tobias Brunner
1c27cf3bc8
bliss: Increase timeout for sampler unit test
...
Fixes #2204 .
2017-01-16 11:28:10 +01:00
Tobias Brunner
410bdaf654
android: Include ref10 subdirectory for curve25519 plugin
...
Fixes #2201 .
2017-01-16 11:19:35 +01:00
Andreas Steffen
9ad147ac63
Version bump to 5.5.2dr4
2017-01-02 15:46:27 +01:00
Andreas Steffen
bda3a573f4
Merge branch 'disable_ocsp'
2017-01-02 14:35:39 +01:00
Andreas Steffen
91a4a4aa83
testing: Added swanctl/ocsp-disabled scenario
2017-01-02 14:34:39 +01:00
Andreas Steffen
db0953d41f
testing: Added swanctl/ocsp-signer-cert scenario
2017-01-02 14:34:18 +01:00
Andreas Steffen
e3f63c6469
revocation: OCSP and/or CRL fetching can be disabled
2016-12-30 18:12:53 +01:00
Andreas Steffen
08253bbba3
testing: Convert swanctl scenarios to curve-25519
2016-12-30 16:22:12 +01:00
Andreas Steffen
65797c9faf
Version bump to 5.5.2dr3 and Linux kernel 4.9
2016-12-17 18:10:13 +01:00
Andreas Steffen
470e61ae77
testing: strongTNC does not come with django.db any more
2016-12-17 18:09:20 +01:00
Andreas Steffen
3c1e5ad6ce
testing: Added ikev2/net2net-ed25519 scenario
2016-12-17 18:07:29 +01:00
Andreas Steffen
bd2f2b11fc
stroke: Load general PKCS#8 private keys
2016-12-17 18:06:11 +01:00
Andreas Steffen
9da89eeb4f
Merge branch 'Ed25519'
2016-12-16 12:24:54 +01:00
Andreas Steffen
4f19112b1f
Moved Ed25519 tests to libstrongswan
2016-12-14 11:57:36 +01:00
Weilu Jia
351179d4dc
vici: Check for closed connection in Python bindings
...
The Python VICI library does not check if the socket is closed.
If the daemon closes the connection, _recvall() spins forever.
Closes strongswan/strongswan#56 .
2016-12-14 11:35:31 +01:00
Andreas Steffen
e9c2b6658b
unit-tests: Completed coverage of hasher, crypter and libnttfft
2016-12-14 11:15:48 +01:00
Andreas Steffen
94ae1ac18e
Added swanctl/net2net-ed2559 scenario and needed Ed25519 certificates
2016-12-14 11:15:48 +01:00
Andreas Steffen
f2eb367adc
Implemented EdDSA for IKEv2 using a pro forma Identity hash function
2016-12-14 11:15:48 +01:00
Andreas Steffen
d47ad3d67e
Added Ed25519 ref10 implementation from libsodium
2016-12-14 11:15:47 +01:00
Andreas Steffen
35bc60cc68
Added support of EdDSA signatures
2016-12-14 11:15:47 +01:00
Tobias Brunner
564a199674
kernel-netlink: Add support for AES-CMAC-96 (RFC 4494)
...
The kernel apparently supports this since 3.10.
2016-12-12 11:43:06 +01:00
Tobias Brunner
8c859e86d6
android: New release after re-adding support for ECC Brainpool curves
2016-12-10 12:28:09 +01:00
Tobias Brunner
f20b3f7b2c
openssl: BoringSSL doesn't provide curve data for ECC Brainpool curves
2016-12-10 12:27:47 +01:00
Tobias Brunner
aae9a9e678
android: New release after fixing libtpmtss issue
2016-12-09 11:18:17 +01:00
Tobias Brunner
9920824e70
android: Make sure libtpmtss is loaded on older systems
...
On newer Android systems this seems to happen automatically (or does at
least not cause crashes if the library is not loaded).
2016-12-09 11:16:42 +01:00
Tobias Brunner
708f9c7f65
android: New release after adding notification
2016-12-08 17:37:21 +01:00
Tobias Brunner
7e1c840753
Merge branch 'android-updates'
...
Adds a permanent notification while connected (or connecting), which
allows running as a foreground service, which in turn should prevent
Android from terminating the service when low on memory.
Also adds support for ChaCha20/Poly1305 AEAD and Curve25519 DH.
2016-12-08 17:33:11 +01:00
Tobias Brunner
3e85b5a492
android: Ensure that the certificates are loaded when accessing them via JNI
2016-12-08 17:14:49 +01:00
Tobias Brunner
85059424a7
android: Add a public notification
2016-12-08 17:14:49 +01:00