Andreas Steffen
76cbf1df34
testing: Added swanctl/rw-ntru-bliss scenario
2015-12-17 17:49:48 +01:00
Andreas Steffen
cc874350b8
Apply pubkey and signature constraints in vici plugin
2015-12-17 17:49:48 +01:00
Andreas Steffen
a78e1c3b11
128 bit default security strength for IKE and ESP algorithms
The default ESP cipher suite is now
AES_CBC-128/HMAC_SHA2_256_128
and requires SHA-2 HMAC support in the Linux kernel (correctly implemented
since 2.6.33).
The default IKE cipher suite is now
AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
if the openssl plugin is loaded or
AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
if ECC is not available.
The use of the SHA-1 hash algorithm and the MODP_2048 DH group has been
deprecated and ENCR_CHACHA20_POLY1305 has been added to the default
IKE AEAD algorithms.
2015-12-17 17:49:48 +01:00
Tobias Brunner
1c3aa9bfc8
stroke: Fix --utc option for list* commands
Fixes: dcb168413f
("stroke: Add --daemon option")
2015-12-17 16:56:20 +01:00
Tobias Brunner
891e9e95ea
Merge branch 'command-max-lines'
Make sure commands registered in pki and swanctl don't exceed the
maximum number of lines available for their usage summary.
Closes strongswan/strongswan#22.
2015-12-16 12:28:22 +01:00
Tobias Brunner
3f2c305226
swanctl: Slightly change usage summary for --list-certs
2015-12-16 12:20:35 +01:00
Tobias Brunner
b0f00b2a3c
swanctl: Never print more than MAX_LINES of usage summary
Print a warning if a registered command exceeds that limit.
2015-12-16 12:09:20 +01:00
Tobias Brunner
50e190e8ad
pki: Increase MAX_LINES
The --issue and --self commands both define 10 lines of usage summary
text.
2015-12-16 12:09:18 +01:00
Tobias Brunner
8ea64a78d6
pki: Never print more than MAX_LINES of usage summary
Print a warning if a registered command exceeds that limit.
2015-12-16 12:07:13 +01:00
Tobias Brunner
bf5754adcd
travis: Enable IPv6 on build hosts
Since the move to Google Compute Engine (GCE), IPv6 has been disabled
on the build hosts, causing several tests to fail. Let's try to get at
least local IPv6 connectivity up again.
2015-12-15 15:03:47 +01:00
Tobias Brunner
0f13f719e1
libstrongswan: Updated Android.mk to current Makefile.am
2015-12-14 19:05:41 +01:00
Tobias Brunner
020d8c8f26
configure: Fix typo when enabling CPAN modules as dependency
Fixes: a17b6d469c
("Built the CPAN file structure for the Vici::Session perl module")
2015-12-14 11:49:51 +01:00
Andreas Steffen
5e2b740a00
128 bit default security strength requires 3072 bit prime DH group
2015-12-14 10:39:40 +01:00
Andreas Steffen
47e5640378
swanctl --stats lists loaded plugins
2015-12-13 17:07:28 +01:00
Andreas Steffen
36b6d400d2
testing: swanctl/rw-cert scenario tests password-protected RSA key
2015-12-12 17:12:44 +01:00
Andreas Steffen
4f7f2538c4
Upgraded IKE and ESP proposals in swanctl scenarios to consistent 128 bit security
2015-12-12 15:54:48 +01:00
Andreas Steffen
02d431022c
Refactored certificate management for the vici and stroke interfaces
2015-12-12 00:19:24 +01:00
Andreas Steffen
4df09fe563
Modified vici_cert_info class for use with load_creds and vici_cred
2015-12-11 22:14:38 +01:00
Andreas Steffen
9dd8bfb2ce
Changed some certificate_type_names and added x509_flag_names
2015-12-11 18:26:55 +01:00
Andreas Steffen
44d3b02b57
Removed VICI protocol versioning
2015-12-11 18:26:55 +01:00
Andreas Steffen
b6dba6db74
Use of certificate_printer by swanctl --list-certs command
2015-12-11 18:26:55 +01:00
Andreas Steffen
334119b843
Share vici_cert_info.c with vici_cred.c
2015-12-11 18:26:55 +01:00
Andreas Steffen
ef43df6cbe
Allow msSmartcardLogon EKU to be built
2015-12-11 18:26:54 +01:00
Andreas Steffen
fad851e2d3
Use VICI 2.0 protocol version for certificate queries
2015-12-11 18:26:54 +01:00
Andreas Steffen
5d909303d8
Sort certificate types during enumeration
2015-12-11 18:26:54 +01:00
Andreas Steffen
75749971e1
Define VICI protocol versions
2015-12-11 18:26:54 +01:00
Andreas Steffen
6789d79d46
testing: Added swanctl --list-algs output
2015-12-11 18:26:54 +01:00
Andreas Steffen
6aa7703122
testing: Converted tnc scenarios to swanctl
2015-12-11 18:26:54 +01:00
Tobias Brunner
74270c8c86
vici: Don't report memory usage via leak-detective
This slowed down the `swanctl --stats` calls in the test scenarios
significantly, with not much added value.
2015-12-11 18:26:53 +01:00
Tobias Brunner
ae37090e65
testing: Use expect-connection in swanctl scenarios
Only in net2net-start do we have to use `sleep` to ensure the SA is
up when the tests are running.
2015-12-11 18:26:53 +01:00
Tobias Brunner
b77e25c381
testing: The expect-connection helper may use swanctl to check for connections
Depending on the plugin configuration in the test scenario either
`ipsec statusall` or `swanctl --list-conns` is used to check for a named
connection.
2015-12-11 18:26:53 +01:00
Andreas Steffen
fd90f0613c
Print OCSP single responses
2015-12-11 18:26:53 +01:00
Andreas Steffen
3317d0e77b
Standardized printing of certificate information
The certificate_printer class allows the printing of certificate
information to a text file (usually stdout). This class is used
by the pki --print and swanctl --list-certs commands as well as
by the stroke plugin.
2015-12-11 18:26:53 +01:00
Tobias Brunner
36d42daf4d
imv-attestation: Fix memory leaks when creating functional components
2015-12-11 15:18:38 +01:00
Tobias Brunner
7f52715655
ipsec: Fix stop command on systems where sleep(1) only supports integers
Fixes #1231.
2015-12-10 11:46:21 +01:00
Martin Willi
bb723f97c7
Merge branch 'vici-undo-on-unload'
Undo start actions when unloading connections, and add some misc fixes and
extensions to vici connection handling.
2015-12-07 10:29:57 +01:00
Martin Willi
1a8a420c1c
vici: Fix documentation about the initiate/terminate timeout
2015-12-07 10:28:45 +01:00
Martin Willi
eaca77d03e
vici: Honor an optionally passed IKE configuration name in initiate/install
If two IKE configurations have CHILD configurations with the same name,
we have no control over the CHILD_SA that actually gets controlled. The
new "ike" parameter specifies the peer config name to find the "child" config
under.
2015-12-07 10:28:45 +01:00
Martin Willi
5e79ae2d65
vici: Support completely asynchronous initiating and termination
In some situations the vici client is not interested in waiting for a
timeout at all, so don't register a logging callback if the timeout argument
is negative.
2015-12-07 10:28:45 +01:00
Martin Willi
1db918c4f8
vici: Use an empty local auth round if none given
While it hardly makes sense to use none for negotiated SAs, it actually does
when installing shunt policies.
2015-12-07 10:05:07 +01:00
Martin Willi
b26ba1b4a4
vici: Limit start action undoing to IKE_SAs using the base peer config name
If two peer configs use the same child config names, we potentially delete
the wrong CHILD_SA. Check the peer config name as well to avoid that.
2015-12-07 10:05:07 +01:00
Martin Willi
23b1f71372
vici: Close empty IKE_SAs after undoing CHILD_SA start actions
2015-12-07 10:05:07 +01:00
Martin Willi
2facf18833
vici: Use value based array to store CHILD_SA ids during restart
The previous approach stored a pointer to a volatile stack variable, which
works for a single ID, but not for multiple.
2015-12-07 10:05:07 +01:00
Martin Willi
01caed533b
array: Add an insert/create function for value based arrays
2015-12-07 10:05:07 +01:00
Martin Willi
f3b2d4a9d8
vici: Undo start actions when unloading configs
2015-12-07 10:05:07 +01:00
Tobias Brunner
84a3077e78
conf: Add support for escaping dots in section/option names
2015-12-04 18:22:44 +01:00
Tobias Brunner
63a778a25d
vici: Fix clean-local target for Perl bindings if they were not built
This is called when running `make distclean` (or indirectly via `make
distcheck`).
2015-12-04 12:10:57 +01:00
Martin Willi
057e6cc524
byteorder: Provide a fallback for le32toh/htole32()
Some older toolchains don't provide these macros, so implement them using
the gcc builtins. We also provide 64-bit variants as used by chapoly.
2015-12-04 10:29:09 +01:00
Martin Willi
8fa0c7bc77
byteorder: Add 32-bit unaligned little-endian conversion functions
2015-12-04 10:29:09 +01:00
Martin Willi
9709418871
swanctl: Explicitly link against -lpthread and -ldl if required
We already do this for charon, as some toolchains require an explicit
link even if libstrongswan already depends on it.
2015-12-04 08:02:03 +01:00