ims-volte-vowifi
/
strongswan
9
0
Fork 0
Code Pull Requests Releases Activity
17,872 Commits 6 Branches 233 Tags 88 MiB
Commit Graph

2201 Commits

Author SHA1 Message Date
Noel Kuntze e9a55abce4 forecast: Restrict strncpy() call 
Closes strongswan/strongswan#331.
 2021-05-04 14:48:53 +02:00
Tobias Brunner 875813c055 save-keys: Fix length of AES-GCM with 12-byte ICV 2021-02-23 17:28:46 +01:00
Michał Skalski b6b8880340 save-keys: Add support for full-length HMAC-SHA256 for ESP 
Wireshark doesn't really support it, but this way it at least decodes
the ESP packets correctly and the encryption keys are saved and the
packets can be decrypted.  The full-length versions of SHA-384 and
SHA-512 are not supported by Wireshark as 256-bit is the longest ICV
it is able to decode currently.
 2021-02-23 17:28:46 +01:00
Michał Skalski c632aa7b31 kernel-netlink: Add support for full-length HMAC-SHA2 algorithms 2021-02-23 17:28:46 +01:00
Tobias Brunner 11a4687930 libtls: Add control flags and replace GENERIC_NULLOK purpose with one 2021-02-18 15:10:29 +01:00
Tobias Brunner ff672c785b dhcp: Properly initialize struct when binding to interface 2021-02-16 15:22:18 +01:00
Tobias Brunner 20dfbcad08 ha: Register new IKE_SAs before calling inherit_post() 2021-02-12 15:49:08 +01:00
Tobias Brunner 663969ddf7 libtls: Make min/max TLS version configurable 
Except for the tls_test tool, the versions now default to those
configured in strongswan.conf.
 2021-02-12 14:35:23 +01:00
Tobias Brunner a7f2818832 tls-socket: Allow configuring both minimum and maximum TLS versions 2021-02-12 11:45:44 +01:00
Tobias Brunner 4525233b1e vici: Fix refcount for CA certificates when reloading authority sections 
Fixes: 3c5e7eaa88 ("vici: Keep track of all CA certificates in vici_authority_t")
 2021-01-27 16:50:17 +01:00
Dan James 95a0d800c9 farp: Add support for macOS and FreeBSD 
Co-authored-by: Tobias Brunner <tobias@strongswan.org>

Closes strongswan/strongswan#189.
References #3498.
 2021-01-22 10:44:05 +01:00
Tobias Brunner bd9b50dcd3 load-tester: Correctly encode serial of generated client certificates 
The previous approach would lead to additional zero prefixes in the
encoding of the serial (which is a positive integer, not an arbitrary
blob).

Fixes #3667.
 2021-01-18 17:44:59 +01:00
Tobias Brunner 2610cd7928 vici: Decode error messages in Python bindings 
Otherwise we might end up with b'<errmsg>' in the output.
 2021-01-18 17:39:15 +01:00
Tobias Brunner d79cefc3fc vici: Expose ike-update event 2021-01-18 11:34:40 +01:00
Tobias Brunner 08a3ee0cce bus: Change ike_update() signature and only call it once 
This avoids multiple events when both addresses change (e.g. switching
address families).
 2021-01-18 11:34:40 +01:00
Tobias Brunner 9248f636b0 kernel-netlink: Make sure we successfully opened a Netlink socket 
This is in addition to the fix in the destructor in 991e9e5dc9.
 2020-12-03 08:34:18 +01:00
Tobias Brunner ce433c9b29 kernel-wfp: Declare constants explicitly as extern 
Newer compilers otherwise complain that there are multiple definitions
of these (in header and .c file).
 2020-11-13 16:38:17 +01:00
Tobias Brunner 991e9e5dc9 kernel-netlink: Only attempt to remove routing rule if we have a socket 2020-11-04 10:06:46 +01:00
Tobias Brunner a6f0e19bf5 Fixed some typos, courtesy of codespell 2020-11-04 10:06:46 +01:00
Tobias Brunner ef636316d2 vici: Send all queued messages during shutdown 
This ensures that e.g. ike/child-updown messages are sent that were
queued but couldn't be sent (even the job to enable to on_write() callback
requires a worker thread that's not around anymore during shutdown).

References #3602.
 2020-10-30 09:58:42 +01:00
Tobias Brunner a689e358e5 kernel-netlink: Ignore deprecated candidate source addresses 
The currently used address may get deprecated e.g. if an IPv6 prefix changes.
In this case we should switch to another address.

Fixes #3511.
 2020-10-29 09:46:14 +01:00
Tobias Brunner 2eb43ca405 kernel-netlink: Update cached address flags 
Note that manually adding an IPv6 address without disabling duplicate
address detection (DAD, e.g. via `nodad` when using iproute2) will cause
a roam event due to a flag change after about 1-2 seconds (TENTATIVE is
removed).  If this is a problem, we might have to ignore addresses with
TENTATIVE flag when we receive a RTM_NEWADDR message until that flag is
eventually removed.

Fixes #3511.
 2020-10-29 09:46:14 +01:00
Tobias Brunner f3f93cade9 load-tester: Also request a virtual IPv6 address 
Fixes #3595.
 2020-10-27 16:40:38 +01:00
Tobias Brunner 1d232d4954 load-tester: Use appropriate family to request addresses from source IP pools 
Looks like this wasn't necessary before 40e9089889 ("Strictly enforce
address family match while acquiring mem_pool IPs").

Fixes #3595.
 2020-10-27 16:40:05 +01:00
Tobias Brunner 6839256773 vici: Support all defined key types 
References #3586.
 2020-10-27 11:17:21 +01:00
Tobias Brunner 0ce2e00d94 vici: Don't use pytest-pycodestyle with Python 3.5 
This causes problems due to a deprecation error during the Ubuntu Xenial
build on Travis.
 2020-08-17 15:22:34 +02:00
Tobias Brunner 61af9a3478 vici: Fix typos in comments 2020-07-23 14:50:17 +02:00
Tobias Brunner 3c5e7eaa88 vici: Keep track of all CA certificates in vici_authority_t 
This way we only have one reference for each CA certificate, whether it
is loaded in an authority section, a connection or via load-certs() command.
It also avoids enumerating CA certificates multiple times if they are
loaded in different ways.
 2020-07-20 14:05:39 +02:00
Tobias Brunner d8a2c58229 vici: Make attribute certificates untrusted again 
Fixes: 334119b843 ("Share vici_cert_info.c with vici_cred.c")
 2020-07-20 14:05:39 +02:00
Tobias Brunner 6fc1b2c3d3 vici: Clear credential cache when unloading an authority section 2020-07-20 14:05:38 +02:00
Tobias Brunner 46ff268885 vici: Directly provide CA certificates in authority sections 
With the previous approach, CA certificates that were not re-loaded via
load-cert() (e.g. from tokens or via absolute paths) would not be available
anymore after the clear-creds() command was used.  This avoids this
issue, but can cause duplicate CA certificates to get stored and enumerated,
so there might be a scaling factor.
 2020-07-20 14:05:38 +02:00
Tobias Brunner 306c0c9f8e certificate: Extract helper function to filter certificates 2020-07-20 14:05:38 +02:00
Tobias Brunner 736fae4e6c vici: Store configs in a hashtable 
This makes updates more efficient if many configs are loaded. Configs
still have to be enumerated to select them.
 2020-07-20 13:50:11 +02:00
Tobias Brunner d9944102f5 hashlist: Move get_match() and sorting into a separate class 
The main intention here is that we can change the hashtable_t
implementation without being impeded by the special requirements imposed
by get_match() and sorting the keys/items in buckets.
 2020-07-20 13:50:11 +02:00
Tobias Brunner fd94c1301e kernel-netlink: Ignore preference for temporary addresses for IPv6 VIPs 
They are not marked as temporary addresses so make sure we always return
them whether temporary addresses are preferred as source addresses or not
as we need to enumerate them when searching for addresses in traffic selectors
to install routes.

Fixes: 9f12b8a61c ("kernel-netlink: Enumerate temporary IPv6 addresses according to config")
 2020-07-07 10:01:46 +02:00
Tobias Brunner feda4a3d37 vici: With start_action=start, terminate IKE_SA without children on unload 
This includes IKE_SAs in CONNECTING state, which not yet have any
CHILD_SAs.

Closes strongswan/strongswan#175.
 2020-07-01 15:59:41 +02:00
Boris Vanhoof 6870a9b590 eap-radius: Small spelling fix 
Closes strongswan/strongswan#174.
 2020-06-29 09:44:19 +02:00
Tobias Brunner 33412158f5 ike: Send AEAD ESP default proposal first 
We generally prefer AEAD nowadays.

References #3461.
 2020-06-12 13:47:13 +02:00
Tobias Brunner 3d92cff726 lookip: Use line buffering for stdout 
Otherwise, the output is buffered when e.g. piping the output to another
command (or file).  And it avoids having to call fflush() in the
interactive mode.

Fixes #3404.
 2020-05-07 15:05:55 +02:00
Thomas Egerer d2c15b7bf9 vici: Allow maximum vici message size configuration via compile option 
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
 2020-04-14 16:55:49 +02:00
Tobias Brunner dfd261d2de kernel-netlink: Extract shared route handling code in net/ipsec 2020-03-10 10:30:39 +01:00
Tobias Brunner e23708bdf3 kernel-netlink: Don't require an interface name for passthrough policies 2020-03-10 10:26:42 +01:00
Tobias Brunner b0b6bd2470 kernel-netlink: Allow blank source address in routes for passthrough policies 2020-03-10 10:25:19 +01:00
Noel Kuntze 09f4bccfea kernel-netlink: Implement passthrough type routes and use them on Linux 
Enables us to ignore any future kernel features for routes unless
we actually need to consider them for the source IP routes.

Also enables us to actually really skip IPsec processing for those networks
(because even the routes don't touch those packets). It's more what
users expect.

Co-authored-by: Tobias Brunner <tobias@strongswan.org>
 2020-03-10 10:20:58 +01:00
Josh Soref b3ab7a48cc Spelling fixes 
* accumulating
* acquire
* alignment
* appropriate
* argument
* assign
* attribute
* authenticate
* authentication
* authenticator
* authority
* auxiliary
* brackets
* callback
* camellia
* can't
* cancelability
* certificate
* choinyambuu
* chunk
* collector
* collision
* communicating
* compares
* compatibility
* compressed
* confidentiality
* configuration
* connection
* consistency
* constraint
* construction
* constructor
* database
* decapsulated
* declaration
* decrypt
* derivative
* destination
* destroyed
* details
* devised
* dynamic
* ecapsulation
* encoded
* encoding
* encrypted
* enforcing
* enumerator
* establishment
* excluded
* exclusively
* exited
* expecting
* expire
* extension
* filter
* firewall
* foundation
* fulfillment
* gateways
* hashing
* hashtable
* heartbeats
* identifier
* identifiers
* identities
* identity
* implementers
* indicating
* initialize
* initiate
* initiation
* initiator
* inner
* instantiate
* legitimate
* libraries
* libstrongswan
* logger
* malloc
* manager
* manually
* measurement
* mechanism
* message
* network
* nonexistent
* object
* occurrence
* optional
* outgoing
* packages
* packets
* padding
* particular
* passphrase
* payload
* periodically
* policies
* possible
* previously
* priority
* proposal
* protocol
* provide
* provider
* pseudo
* pseudonym
* public
* qualifier
* quantum
* quintuplets
* reached
* reading
* recommendation to
* recommendation
* recursive
* reestablish
* referencing
* registered
* rekeying
* reliable
* replacing
* representing
* represents
* request
* request
* resolver
* result
* resulting
* resynchronization
* retriable
* revocation
* right
* rollback
* rule
* rules
* runtime
* scenario
* scheduled
* security
* segment
* service
* setting
* signature
* specific
* specified
* speed
* started
* steffen
* strongswan
* subjectaltname
* supported
* threadsafe
* traffic
* tremendously
* treshold
* unique
* uniqueness
* unknown
* until
* upper
* using
* validator
* verification
* version
* version
* warrior

Closes strongswan/strongswan#164.
 2020-02-11 18:23:07 +01:00
Tobias Brunner f78dfb7e28 vici: Options are optional in get_pools() of Python bindings 
Fixes #3319.
 2020-02-03 10:52:31 +01:00
Tobias Brunner 18a3e6d80f systime-fix: Replace asctime() with thread-safe asctime_r() 
According to the man page, the buffer should have room for at least
26 characters.
 2020-01-28 15:32:43 +01:00
Tobias Brunner 584e8197fe load-tester: Avoid naming conflict with local certificate variables 2020-01-28 15:32:43 +01:00
Tobias Brunner f168f5782b eap-aka-3gpp2: Fix a bunch of typos 2020-01-28 15:32:43 +01:00
Tobias Brunner 378fe7a4bf eap-aka-3gpp2: Avoid naming conflict with parameters of crypto functions 2020-01-28 15:32:43 +01:00