Commit Graph

17872 Commits

Author SHA1 Message Date
Tobias Brunner cd7b80e869 github: Make LGTM project ID configurable via environment variable 2021-05-05 18:09:44 +02:00
Noel Kuntze f830e71457 github: Fail sonarcloud test if required environment variables aren't set
Closes strongswan/strongswan#330.
2021-05-05 18:10:03 +02:00
Tobias Brunner c603704bb3 github: Always upload lint results from Android build 2021-05-05 18:09:44 +02:00
Tobias Brunner 742e0f213c github: Fix build on Ubuntu 20.04 and add a job for 18.04
The nm test can only be done on Ubuntu 18.04 as the required libraries
are not available on newer systems.

Switch to pip3 to install tox (the only Python dependency we use).

Closes strongswan/strongswan#327.
2021-05-05 18:09:44 +02:00
Tobias Brunner eca1b81682 github: Fix installation of Python dependencies 2021-05-05 18:08:20 +02:00
Tobias Brunner 6405653da2 android: Avoid lint errors when determining column indices
The lint version used on our GitHub build hosts reported these errors:

Error: Value must be ≥ 0 [Range]
        db.update(TABLE_VPNPROFILE, values, KEY_ID + " = " + cursor.getLong(cursor.getColumnIndex(KEY_ID)), null);

That's because get*() expect a valid index >= 0 but getColumnIndex()
can return -1 if the column name doesn't exist.
2021-05-05 16:40:14 +02:00
Tobias Brunner f0a20dd2b8 backtrace: The BFD API changed in newer versions 2021-05-05 16:17:54 +02:00
Noel Kuntze 1de13f9037 openssl: Fix OpenSSL version check for EC_POINT_set_affine_coordinates
Fixes: bd323ae6c8 ("openssl: Migrate from deprecated EC_POINT_[set|get]_affine_coordinates_GFp() functions")
Closes strongswan/strongswan#332
2021-05-04 14:51:18 +02:00
Noel Kuntze e9a55abce4 forecast: Restrict strncpy() call
Closes strongswan/strongswan#331.
2021-05-04 14:48:53 +02:00
Tobias Brunner 2b89676157 Merge branch 'doxygen-fixes'
Closes strongswan/strongswan#326.
2021-05-04 14:39:56 +02:00
Noel Kuntze 4886a2c7d8
Doxyfile.in: Remove deprecated variables 2021-04-15 16:13:22 +02:00
Noel Kuntze a11efc5214
doxygen: Fix documentation problems 2021-04-15 00:17:59 +02:00
Andreas Steffen 09df86c033 Version bump to 5.9.3dr1 2021-03-31 09:59:55 +02:00
Andreas Steffen 66ba50b217 testing: Migrated p2pnat/medsrv-psk scenario to vici 2021-03-30 22:12:00 +02:00
Andreas Steffen 03e1272ff2 testing: Migrated p2pnat/behind-same-nat scenario to vici 2021-03-30 22:12:00 +02:00
Andreas Steffen 68154033bb testing: Store mars credentials in the swanctl directory 2021-03-30 22:12:00 +02:00
Andreas Steffen 2cbf7da51a testing: Migrated redirect-active scenario to vici 2021-03-30 22:12:00 +02:00
Andreas Steffen 511b860916 testing: Migrated ha/both-active scenario to vici 2021-03-30 18:57:49 +02:00
Andreas Steffen 5c22e94f0f testing: Migrated ha/active-passive scenario to vici 2021-03-30 18:57:49 +02:00
Andreas Steffen 737f7fce51 testing: Switched PTS measurements to /usr/sbin
Due to Debian 10 linking /bin to /usr/bin which drastically
increased the number of files in /bin, the PTS measurement
was switched to /usr/sbin with a lesser number of files.
2021-03-23 10:54:48 +01:00
Andreas Steffen f412c97648 wolfssl: Support SHAKE_256 2021-03-20 11:19:12 +01:00
Andreas Steffen a91eb3eb96 wolfssl: Support SHA3 2021-03-20 11:15:42 +01:00
Andreas Steffen b57215ba2b wolfssl: Support AES_ECB 2021-03-20 11:15:42 +01:00
Andreas Steffen bd323ae6c8 openssl: Migrate from deprecated EC_POINT_[set|get]_affine_coordinates_GFp() functions 2021-03-19 08:50:27 +01:00
Petr Gotthard c5eac9c390 libcharon: Include libtpmtss in monolithic build 2021-03-17 12:14:47 +01:00
Andreas Steffen 6aef079f59 testing: Bump guest kernel to Linux 5.11 2021-03-07 14:39:44 +01:00
Andreas Steffen 87ba3a424d Version bump to 5.9.2 2021-02-26 11:30:13 +01:00
Tobias Brunner 88c4d8cb22 Merge branch 'sha2-no-trunc'
Closes strongswan/strongswan#215.
2021-02-23 17:30:11 +01:00
Tobias Brunner 875813c055 save-keys: Fix length of AES-GCM with 12-byte ICV 2021-02-23 17:28:46 +01:00
Michał Skalski b6b8880340 save-keys: Add support for full-length HMAC-SHA256 for ESP
Wireshark doesn't really support it, but this way it at least decodes
the ESP packets correctly and the encryption keys are saved and the
packets can be decrypted.  The full-length versions of SHA-384 and
SHA-512 are not supported by Wireshark as 256-bit is the longest ICV
it is able to decode currently.
2021-02-23 17:28:46 +01:00
Michał Skalski c632aa7b31 kernel-netlink: Add support for full-length HMAC-SHA2 algorithms 2021-02-23 17:28:46 +01:00
Michał Skalski aa6da3700a keymat: Add support for full-length HMAC-SHA2 algorithms 2021-02-23 17:23:29 +01:00
Michał Skalski 7a8cd5d6d0 af-alg: Fix typo in algorithm mapping for full-size HMAC-SHA-256 2021-02-23 09:25:44 +01:00
Andreas Steffen 356f87355b Version bump to 5.9.2rc2 2021-02-21 10:40:34 +01:00
Andreas Steffen 20c47af319 testing: Use TLS 1.3 in TNC PT-TLS tests 2021-02-21 09:48:34 +01:00
Andreas Steffen 9f55246018 testing: Added mgf1 plugin to load statement 2021-02-19 17:41:44 +01:00
Andreas Steffen 283b352cee Merge branch 'tls-fixes' 2021-02-18 20:28:33 +01:00
Andreas Steffen d08fa4bd0a Version bump to 5.9.2rc1 2021-02-18 20:16:17 +01:00
Tobias Brunner 48f4f9f667 pt-tls-server: Make TLS client authentication optional as appropriate 2021-02-18 15:41:52 +01:00
Tobias Brunner 82116dba66 tls-test: Add option to make client authentication optional 2021-02-18 15:39:35 +01:00
Tobias Brunner 760f3b730f tls-server: Add flag that makes client authentication optional
This allows clients to send an empty certificate payload if the server
sent a certificate request.  If an identity was set previously, it will
be reset so get_peer_id() may be used to check if the client was
authenticated.
2021-02-18 15:35:46 +01:00
Tobias Brunner 11a4687930 libtls: Add control flags and replace GENERIC_NULLOK purpose with one 2021-02-18 15:10:29 +01:00
Tobias Brunner 602947d48a pt-tls-server: Explicitly request client authentication if necessary
The PT_TLS_AUTH_TLS_OR_SASL case currently can't be implemented properly
as TLS authentication will be enforced if a client identity is configured
on the TLS server socket.
2021-02-18 12:49:54 +01:00
Tobias Brunner 4b7cfb252e tls-server: Use subject DN as peer identity if it was ID_ANY
To request client authentication if we don't know the client's identity,
it's possible to use ID_ANY.  However, if we don't change the identity
get_peer_id() would still report ID_ANY after the authentication.
2021-02-18 12:34:05 +01:00
Tobias Brunner d5606ec350 testing: Adapt some checks as SHA-384 is now preferred for TLS signatures 2021-02-18 12:02:54 +01:00
Tobias Brunner 024120f8ea tls-eap: Only servers conclude EAP method after processing packets
As client with older TLS versions, we have to ack the receipt of the server's
Finished message instead.

Fixes: 083f38259c ("tls-eap: Conclude EAP method also after processing packets")
2021-02-18 12:02:32 +01:00
Stefan Berghofer f7613cb581 ike-sa: Properly set timing info for delete after rekeying
The job is queued properly, yet the timing information is wrong.

Signed-off-by: Stefan Berghofer <stefan.berghofer@secunet.com>

Fixes: ee61471113 ("implemented RFC4478 (repeated authentication)...")
2021-02-18 10:02:55 +01:00
Tobias Brunner d65d4eab73 NEWS: Add news for 5.9.2 2021-02-17 15:24:36 +01:00
Tobias Brunner ff672c785b dhcp: Properly initialize struct when binding to interface 2021-02-16 15:22:18 +01:00
Tobias Brunner fbb70c968b pts: Don't rely on BIOS event buffer to be null terminated 2021-02-16 15:16:25 +01:00