Noel Kuntze
e9a55abce4
forecast: Restrict strncpy() call
Closes strongswan/strongswan#331.
2021-05-04 14:48:53 +02:00
Tobias Brunner
875813c055
save-keys: Fix length of AES-GCM with 12-byte ICV
2021-02-23 17:28:46 +01:00
Michał Skalski
b6b8880340
save-keys: Add support for full-length HMAC-SHA256 for ESP
Wireshark doesn't really support it, but this way it at least decodes
the ESP packets correctly and the encryption keys are saved and the
packets can be decrypted. The full-length versions of SHA-384 and
SHA-512 are not supported by Wireshark as 256-bit is the longest ICV
it is able to decode currently.
2021-02-23 17:28:46 +01:00
Michał Skalski
c632aa7b31
kernel-netlink: Add support for full-length HMAC-SHA2 algorithms
2021-02-23 17:28:46 +01:00
Tobias Brunner
11a4687930
libtls: Add control flags and replace GENERIC_NULLOK purpose with one
2021-02-18 15:10:29 +01:00
Tobias Brunner
ff672c785b
dhcp: Properly initialize struct when binding to interface
2021-02-16 15:22:18 +01:00
Tobias Brunner
20dfbcad08
ha: Register new IKE_SAs before calling inherit_post()
2021-02-12 15:49:08 +01:00
Tobias Brunner
663969ddf7
libtls: Make min/max TLS version configurable
Except for the tls_test tool, the versions now default to those
configured in strongswan.conf.
2021-02-12 14:35:23 +01:00
Tobias Brunner
a7f2818832
tls-socket: Allow configuring both minimum and maximum TLS versions
2021-02-12 11:45:44 +01:00
Tobias Brunner
4525233b1e
vici: Fix refcount for CA certificates when reloading authority sections
Fixes: 3c5e7eaa88 ("vici: Keep track of all CA certificates in vici_authority_t")
2021-01-27 16:50:17 +01:00
Dan James
95a0d800c9
farp: Add support for macOS and FreeBSD
Co-authored-by: Tobias Brunner <tobias@strongswan.org>
Closes strongswan/strongswan#189.
References #3498.
2021-01-22 10:44:05 +01:00
Tobias Brunner
bd9b50dcd3
load-tester: Correctly encode serial of generated client certificates
The previous approach would lead to additional zero prefixes in the
encoding of the serial (which is a positive integer, not an arbitrary
blob).
Fixes #3667.
2021-01-18 17:44:59 +01:00
Tobias Brunner
2610cd7928
vici: Decode error messages in Python bindings
Otherwise we might end up with b'<errmsg>' in the output.
2021-01-18 17:39:15 +01:00
Tobias Brunner
d79cefc3fc
vici: Expose ike-update event
2021-01-18 11:34:40 +01:00
Tobias Brunner
08a3ee0cce
bus: Change ike_update() signature and only call it once
This avoids multiple events when both addresses change (e.g. switching
address families).
2021-01-18 11:34:40 +01:00
Tobias Brunner
9248f636b0
kernel-netlink: Make sure we successfully opened a Netlink socket
This is in addition to the fix in the destructor in 991e9e5dc9.
2020-12-03 08:34:18 +01:00
Tobias Brunner
ce433c9b29
kernel-wfp: Declare constants explicitly as extern
Newer compilers otherwise complain that there are multiple definitions
of these (in header and .c file).
2020-11-13 16:38:17 +01:00
Tobias Brunner
991e9e5dc9
kernel-netlink: Only attempt to remove routing rule if we have a socket
2020-11-04 10:06:46 +01:00
Tobias Brunner
a6f0e19bf5
Fixed some typos, courtesy of codespell
2020-11-04 10:06:46 +01:00
Tobias Brunner
ef636316d2
vici: Send all queued messages during shutdown
This ensures that e.g. ike/child-updown messages are sent that were
queued but couldn't be sent (even the job to enable the on_write() callback
requires a worker thread that's not around anymore during shutdown).
References #3602.
2020-10-30 09:58:42 +01:00
Tobias Brunner
a689e358e5
kernel-netlink: Ignore deprecated candidate source addresses
The currently used address may get deprecated e.g. if an IPv6 prefix changes.
In this case we should switch to another address.
Fixes #3511.
2020-10-29 09:46:14 +01:00
Tobias Brunner
2eb43ca405
kernel-netlink: Update cached address flags
Note that manually adding an IPv6 address without disabling duplicate
address detection (DAD, e.g. via `nodad` when using iproute2) will cause
a roam event due to a flag change after about 1-2 seconds (TENTATIVE is
removed). If this is a problem, we might have to ignore addresses with
TENTATIVE flag when we receive a RTM_NEWADDR message until that flag is
eventually removed.
Fixes #3511.
2020-10-29 09:46:14 +01:00
Tobias Brunner
f3f93cade9
load-tester: Also request a virtual IPv6 address
Fixes #3595.
2020-10-27 16:40:38 +01:00
Tobias Brunner
1d232d4954
load-tester: Use appropriate family to request addresses from source IP pools
Looks like this wasn't necessary before 40e9089889 ("Strictly enforce
address family match while acquiring mem_pool IPs").
Fixes #3595.
2020-10-27 16:40:05 +01:00
Tobias Brunner
6839256773
vici: Support all defined key types
References #3586.
2020-10-27 11:17:21 +01:00
Tobias Brunner
0ce2e00d94
vici: Don't use pytest-pycodestyle with Python 3.5
This causes problems due to a deprecation error during the Ubuntu Xenial
build on Travis.
2020-08-17 15:22:34 +02:00
Tobias Brunner
61af9a3478
vici: Fix typos in comments
2020-07-23 14:50:17 +02:00
Tobias Brunner
3c5e7eaa88
vici: Keep track of all CA certificates in vici_authority_t
This way we only have one reference for each CA certificate, whether it
is loaded in an authority section, a connection or via load-certs() command.
It also avoids enumerating CA certificates multiple times if they are
loaded in different ways.
2020-07-20 14:05:39 +02:00
Tobias Brunner
d8a2c58229
vici: Make attribute certificates untrusted again
Fixes: 334119b843 ("Share vici_cert_info.c with vici_cred.c")
2020-07-20 14:05:39 +02:00
Tobias Brunner
6fc1b2c3d3
vici: Clear credential cache when unloading an authority section
2020-07-20 14:05:38 +02:00
Tobias Brunner
46ff268885
vici: Directly provide CA certificates in authority sections
With the previous approach, CA certificates that were not re-loaded via
load-cert() (e.g. from tokens or via absolute paths) would not be available
anymore after the clear-creds() command was used. This avoids this
issue, but can cause duplicate CA certificates to get stored and enumerated,
so there might be a scaling factor.
2020-07-20 14:05:38 +02:00
Tobias Brunner
306c0c9f8e
certificate: Extract helper function to filter certificates
2020-07-20 14:05:38 +02:00
Tobias Brunner
736fae4e6c
vici: Store configs in a hashtable
This makes updates more efficient if many configs are loaded. Configs
still have to be enumerated to select them.
2020-07-20 13:50:11 +02:00
Tobias Brunner
d9944102f5
hashlist: Move get_match() and sorting into a separate class
The main intention here is that we can change the hashtable_t
implementation without being impeded by the special requirements imposed
by get_match() and sorting the keys/items in buckets.
2020-07-20 13:50:11 +02:00
Tobias Brunner
fd94c1301e
kernel-netlink: Ignore preference for temporary addresses for IPv6 VIPs
They are not marked as temporary addresses, so make sure we always return
them, whether temporary addresses are preferred as source addresses or not,
as we need to enumerate them when searching for addresses in traffic selectors
to install routes.
Fixes: 9f12b8a61c ("kernel-netlink: Enumerate temporary IPv6 addresses according to config")
2020-07-07 10:01:46 +02:00
Tobias Brunner
feda4a3d37
vici: With start_action=start, terminate IKE_SA without children on unload
This includes IKE_SAs in CONNECTING state, which do not yet have any
CHILD_SAs.
Closes strongswan/strongswan#175.
2020-07-01 15:59:41 +02:00
Boris Vanhoof
6870a9b590
eap-radius: Small spelling fix
Closes strongswan/strongswan#174.
2020-06-29 09:44:19 +02:00
Tobias Brunner
33412158f5
ike: Send AEAD ESP default proposal first
We generally prefer AEAD nowadays.
References #3461.
2020-06-12 13:47:13 +02:00
Tobias Brunner
3d92cff726
lookip: Use line buffering for stdout
Otherwise, the output is buffered when e.g. piping the output to another
command (or file). And it avoids having to call fflush() in the
interactive mode.
Fixes #3404.
2020-05-07 15:05:55 +02:00
Thomas Egerer
d2c15b7bf9
vici: Allow maximum vici message size configuration via compile option
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
2020-04-14 16:55:49 +02:00
Tobias Brunner
dfd261d2de
kernel-netlink: Extract shared route handling code in net/ipsec
2020-03-10 10:30:39 +01:00
Tobias Brunner
e23708bdf3
kernel-netlink: Don't require an interface name for passthrough policies
2020-03-10 10:26:42 +01:00
Tobias Brunner
b0b6bd2470
kernel-netlink: Allow blank source address in routes for passthrough policies
2020-03-10 10:25:19 +01:00
Noel Kuntze
09f4bccfea
kernel-netlink: Implement passthrough type routes and use them on Linux
Enables us to ignore any future kernel features for routes unless
we actually need to consider them for the source IP routes.
Also enables us to actually really skip IPsec processing for those networks
(because even the routes don't touch those packets). It's more what
users expect.
Co-authored-by: Tobias Brunner <tobias@strongswan.org>
2020-03-10 10:20:58 +01:00
Josh Soref
b3ab7a48cc
Spelling fixes
* accumulating
* acquire
* alignment
* appropriate
* argument
* assign
* attribute
* authenticate
* authentication
* authenticator
* authority
* auxiliary
* brackets
* callback
* camellia
* can't
* cancelability
* certificate
* choinyambuu
* chunk
* collector
* collision
* communicating
* compares
* compatibility
* compressed
* confidentiality
* configuration
* connection
* consistency
* constraint
* construction
* constructor
* database
* decapsulated
* declaration
* decrypt
* derivative
* destination
* destroyed
* details
* devised
* dynamic
* ecapsulation
* encoded
* encoding
* encrypted
* enforcing
* enumerator
* establishment
* excluded
* exclusively
* exited
* expecting
* expire
* extension
* filter
* firewall
* foundation
* fulfillment
* gateways
* hashing
* hashtable
* heartbeats
* identifier
* identifiers
* identities
* identity
* implementers
* indicating
* initialize
* initiate
* initiation
* initiator
* inner
* instantiate
* legitimate
* libraries
* libstrongswan
* logger
* malloc
* manager
* manually
* measurement
* mechanism
* message
* network
* nonexistent
* object
* occurrence
* optional
* outgoing
* packages
* packets
* padding
* particular
* passphrase
* payload
* periodically
* policies
* possible
* previously
* priority
* proposal
* protocol
* provide
* provider
* pseudo
* pseudonym
* public
* qualifier
* quantum
* quintuplets
* reached
* reading
* recommendation to
* recommendation
* recursive
* reestablish
* referencing
* registered
* rekeying
* reliable
* replacing
* representing
* represents
* request
* request
* resolver
* result
* resulting
* resynchronization
* retriable
* revocation
* right
* rollback
* rule
* rules
* runtime
* scenario
* scheduled
* security
* segment
* service
* setting
* signature
* specific
* specified
* speed
* started
* steffen
* strongswan
* subjectaltname
* supported
* threadsafe
* traffic
* tremendously
* treshold
* unique
* uniqueness
* unknown
* until
* upper
* using
* validator
* verification
* version
* version
* warrior
Closes strongswan/strongswan#164.
2020-02-11 18:23:07 +01:00
Tobias Brunner
f78dfb7e28
vici: Options are optional in get_pools() of Python bindings
Fixes #3319.
2020-02-03 10:52:31 +01:00
Tobias Brunner
18a3e6d80f
systime-fix: Replace asctime() with thread-safe asctime_r()
According to the man page, the buffer should have room for at least
26 characters.
2020-01-28 15:32:43 +01:00
Tobias Brunner
584e8197fe
load-tester: Avoid naming conflict with local certificate variables
2020-01-28 15:32:43 +01:00
Tobias Brunner
f168f5782b
eap-aka-3gpp2: Fix a bunch of typos
2020-01-28 15:32:43 +01:00
Tobias Brunner
378fe7a4bf
eap-aka-3gpp2: Avoid naming conflict with parameters of crypto functions
2020-01-28 15:32:43 +01:00