5 years agoeap-radius: Fix creation of host_t objects based on Framed-IPv6-Address attributes
Tobias Brunner [Fri, 28 Aug 2015 14:51:05 +0000 (16:51 +0200)]
eap-radius: Fix creation of host_t objects based on Framed-IPv6-Address attributes

Fixes ec490e68ae37 ("eap-radius: Add support for some basic IPv6-specific RADIUS attributes").
References #1001.

5 years agoconf: Add documentation for new osx-attr option
Tobias Brunner [Fri, 28 Aug 2015 13:49:58 +0000 (15:49 +0200)]
conf: Add documentation for new osx-attr option

5 years agopki: Add new type options to --issue command usage output
Tobias Brunner [Thu, 27 Aug 2015 15:53:43 +0000 (17:53 +0200)]
pki: Add new type options to --issue command usage output

5 years agoconf: Fix declaration of default values for imc-hcd options
Tobias Brunner [Thu, 27 Aug 2015 14:59:12 +0000 (16:59 +0200)]
conf: Fix declaration of default values for imc-hcd options

5 years agostarter: Remove documentation for starter.load option
Tobias Brunner [Thu, 27 Aug 2015 14:42:09 +0000 (16:42 +0200)]
starter: Remove documentation for starter.load option

5 years agoeap-ttls: Limit maximum length of tunneled EAP packet to EAP-TTLS packet
Tobias Brunner [Thu, 27 Aug 2015 13:15:04 +0000 (15:15 +0200)]
eap-ttls: Limit maximum length of tunneled EAP packet to EAP-TTLS packet

5 years agotrap-manager: Cleanup local address in error cases
Tobias Brunner [Thu, 27 Aug 2015 12:45:11 +0000 (14:45 +0200)]
trap-manager: Cleanup local address in error cases

5 years agoimv-os: Properly free strings for invalid input in pacman
Tobias Brunner [Thu, 27 Aug 2015 12:41:13 +0000 (14:41 +0200)]
imv-os: Properly free strings for invalid input in pacman

5 years agoha: Close control FIFO if it is not valid
Tobias Brunner [Thu, 27 Aug 2015 12:31:42 +0000 (14:31 +0200)]
ha: Close control FIFO if it is not valid

5 years agoswanctl: Correctly build man page in out-of-tree builds from the repository
Tobias Brunner [Thu, 27 Aug 2015 10:42:21 +0000 (12:42 +0200)]
swanctl: Correctly build man page in out-of-tree builds from the repository

5 years agoFixed some typos, courtesy of codespell
Tobias Brunner [Thu, 27 Aug 2015 10:06:31 +0000 (12:06 +0200)]
Fixed some typos, courtesy of codespell

5 years agoFix some Doxygen issues
Tobias Brunner [Thu, 27 Aug 2015 10:03:11 +0000 (12:03 +0200)]
Fix some Doxygen issues

5 years agounit-tests: Additional test cases to increase coverage
Tobias Brunner [Tue, 25 Aug 2015 09:29:42 +0000 (11:29 +0200)]
unit-tests: Additional test cases to increase coverage

5 years agotraffic-selector: Use calc_netbits() in RFC 3779 constructor
Tobias Brunner [Tue, 25 Aug 2015 17:13:59 +0000 (19:13 +0200)]
traffic-selector: Use calc_netbits() in RFC 3779 constructor

This properly detects prefixes encoded as ranges.

5 years agoike: Fix half-open count for initiating SAs when initially checked in
Tobias Brunner [Mon, 24 Aug 2015 10:27:34 +0000 (12:27 +0200)]
ike: Fix half-open count for initiating SAs when initially checked in

5 years agoike: Only consider number of half-open SAs as responder when deciding whether COOKIEs...
Tobias Brunner [Mon, 24 Aug 2015 10:18:16 +0000 (12:18 +0200)]
ike: Only consider number of half-open SAs as responder when deciding whether COOKIEs are sent

5 years agoVersion bump to 5.3.3rc1
Andreas Steffen [Tue, 25 Aug 2015 13:09:19 +0000 (15:09 +0200)]
Version bump to 5.3.3rc1

5 years agoAdded some spaces in swanctl.conf
Andreas Steffen [Tue, 25 Aug 2015 13:08:52 +0000 (15:08 +0200)]
Added some spaces in swanctl.conf

5 years agovici: Handle closed sockets in the Ruby gem
Evan Broder [Sat, 22 Aug 2015 23:20:40 +0000 (19:20 -0400)]
vici: Handle closed sockets in the Ruby gem

From recvfrom(2) (which UDPSocket#recv backs into):

  The return value will be 0 when the peer has performed an orderly

(i.e. it will return an empty string)

Previously in this scenario, Vici::Transport#recv_all would spin
forever trying to pull more data off the socket. I'm not entirely
clear what happened that caused strongSwan to shutdown the socket, but
it probably should not cause vici Ruby apps to spin.

Closes strongswan/strongswan#13.

5 years agoMerge branch 'starter-kernel-flush'
Tobias Brunner [Fri, 21 Aug 2015 16:27:12 +0000 (18:27 +0200)]
Merge branch 'starter-kernel-flush'

Removes flushing of the IPsec state in the kernel when starter
terminates.  We can't easily flush only the policies created for
IPsec SAs (and if installpolicies=no is used we don't want to flush
policies anyway).  Also, since existing policies don't cause errors
anymore these aren't really an issue anymore (I think this was one of
the main reasons to flush the state).  This behavior is also specific to
starter, so nothing is flushed when charon is used via systemd/swanctl.
This will also allow us to merge libhydra with libcharon in a future

If the previous behavior is needed it can easily be replicated with some
external tools (we could also write a simple utility that does this).

Additional checks in the test environment make sure that the daemon
cleans up the state properly.

5 years agotesting: Let test scenarios fail if IPsec SAs or policies are not removed
Tobias Brunner [Fri, 21 Aug 2015 12:33:26 +0000 (14:33 +0200)]
testing: Let test scenarios fail if IPsec SAs or policies are not removed

The IKE daemon should delete all installed SAs and policies when
everything works properly, so we fail the test if that's not the case.

5 years agotesting: Flush state and policies before every scenario
Tobias Brunner [Fri, 21 Aug 2015 12:32:29 +0000 (14:32 +0200)]
testing: Flush state and policies before every scenario

Similar to conntrack we make sure we are working on a clean slate.

5 years agostarter: Don't flush SAs in the kernel
Tobias Brunner [Fri, 21 Aug 2015 11:57:00 +0000 (13:57 +0200)]
starter: Don't flush SAs in the kernel

If starter is not used we don't do that either. And this allows us to
move the stuff in libhydra back to libcharon.

5 years agostarter: Don't flush policies in the kernel
Tobias Brunner [Thu, 13 Aug 2015 09:08:41 +0000 (11:08 +0200)]
starter: Don't flush policies in the kernel

We can't control which policies we flush, so if policies are installed
and used outside of strongSwan for other protocols we'd flush them too.
And if installpolicies=no is used we probably shouldn't flush policies
either.  Luckily already existing policies are not treated as fatal
errors anymore, so not flushing policies should not be that much of an
issue (in case of a crash in dynamic setups, e.g. with virtual IPs,
policies could be left behind even after restarting the connections and
properly terminating the daemon).

5 years agokernel-pfkey: Only flush SAs of types we actually manage
Tobias Brunner [Thu, 13 Aug 2015 09:01:50 +0000 (11:01 +0200)]
kernel-pfkey: Only flush SAs of types we actually manage

5 years agokernel-netlink: Only flush SAs of types we actually manage
Tobias Brunner [Thu, 13 Aug 2015 08:34:47 +0000 (10:34 +0200)]
kernel-netlink: Only flush SAs of types we actually manage

5 years agoMerge branch 'init-limits'
Tobias Brunner [Fri, 21 Aug 2015 16:21:24 +0000 (18:21 +0200)]
Merge branch 'init-limits'

IKE_SAs that are initiated are now counted towards the half-open IKE_SAs
limit.  Optionally it is possible to enforce limits towards the number of
half-open IKE_SAs and the job load also when initiating SAs.  This is
currently only possible via VICI.

5 years agovici: Optionally check limits when initiating connections
Tobias Brunner [Thu, 16 Jul 2015 15:56:16 +0000 (17:56 +0200)]
vici: Optionally check limits when initiating connections

If the init-limits parameter is set (disabled by default) init limits
will be checked and might prevent new SAs from getting initiated.

5 years agovici: Add get_bool() convenience getter for VICI messages
Tobias Brunner [Thu, 16 Jul 2015 15:51:40 +0000 (17:51 +0200)]
vici: Add get_bool() convenience getter for VICI messages

5 years agocontroller: Optionally adhere to init limits also when initiating IKE_SAs
Tobias Brunner [Thu, 16 Jul 2015 15:21:54 +0000 (17:21 +0200)]
controller: Optionally adhere to init limits also when initiating IKE_SAs

5 years agoike: Also track initiating IKE_SAs as half-open
Tobias Brunner [Fri, 17 Jul 2015 09:48:53 +0000 (11:48 +0200)]
ike: Also track initiating IKE_SAs as half-open

5 years agostroke: Allow %any as local address
Tobias Brunner [Mon, 3 Aug 2015 17:36:45 +0000 (19:36 +0200)]
stroke: Allow %any as local address

Actually, resolving addresses in `left` might be overkill as we'll assume
left=local anyway (the only difference is the log message).

5 years agostroke: Add an option to disable side-swapping of configuration options
Tobias Brunner [Mon, 3 Aug 2015 17:26:54 +0000 (19:26 +0200)]
stroke: Add an option to disable side-swapping of configuration options

In some scenarios it might be preferred to ensure left is always local
and no unintended swaps occur.

5 years agoikev1: Assign different job priorities for inbound IKEv1 messages
Tobias Brunner [Fri, 17 Jul 2015 12:08:09 +0000 (14:08 +0200)]
ikev1: Assign different job priorities for inbound IKEv1 messages

5 years agotesting: Fix typo in p2pnat/behind-same-nat scenario
Tobias Brunner [Fri, 21 Aug 2015 15:48:37 +0000 (17:48 +0200)]
testing: Fix typo in p2pnat/behind-same-nat scenario

5 years agochild-rekey: Don't add a REKEY_SA notify if the child-create task is deleting the SA
Tobias Brunner [Wed, 19 Aug 2015 14:16:01 +0000 (16:16 +0200)]
child-rekey: Don't add a REKEY_SA notify if the child-create task is deleting the SA

5 years agochild-create: Cache proposed IPsec protocol
Tobias Brunner [Wed, 19 Aug 2015 13:53:00 +0000 (15:53 +0200)]
child-create: Cache proposed IPsec protocol

This allows us to DELETE CHILD_SAs on failures that occur before we
retrieved the selected proposal.

5 years agochild-create: Don't attempt to delete the SA if we don't have all the information
Tobias Brunner [Wed, 19 Aug 2015 13:08:02 +0000 (15:08 +0200)]
child-create: Don't attempt to delete the SA if we don't have all the information

Since we only support single protocols we could probably guess it and always
send a DELETE.

5 years agochild-rekey: Remove redundant migrate() call for child-create sub-task
Tobias Brunner [Tue, 28 Jul 2015 13:28:33 +0000 (15:28 +0200)]
child-rekey: Remove redundant migrate() call for child-create sub-task

When retrying due to a DH group mismatch this is already done by the
child-create task itself.  And in other cases where the task returns
NEED_MORE we actually will need access to a possible proposal to properly
delete it.

5 years agochild-create: Fix crash when retrying CHILD_SA rekeying due to a DH group mismatch
Tobias Brunner [Tue, 28 Jul 2015 13:10:17 +0000 (15:10 +0200)]
child-create: Fix crash when retrying CHILD_SA rekeying due to a DH group mismatch

If the responder declines our KE payload during a CHILD_SA rekeying migrate()
is called to reuse the child-create task.  But the child-rekey task then
calls the same method again.

Fixes: 32df0d81fb46 ("child-create: Destroy nonceg in migrate()")

5 years agoauth-cfg: Don't enforce EAP_RADIUS
Tobias Brunner [Fri, 21 Aug 2015 09:40:07 +0000 (11:40 +0200)]
auth-cfg: Don't enforce EAP_RADIUS

Basically the same as e79b0e07e4ab.  EAP_RADIUS is also a virtual method
that will identify itself as a different EAP method later.

5 years agotesting: Add missing sim_files file to ikev2/rw-eap-sim-radius scenario
Tobias Brunner [Fri, 21 Aug 2015 09:37:23 +0000 (11:37 +0200)]
testing: Add missing sim_files file to ikev2/rw-eap-sim-radius scenario

5 years agotesting: alice is RADIUS server in the ikev2/rw-eap-sim-radius scenario
Tobias Brunner [Fri, 21 Aug 2015 09:15:36 +0000 (11:15 +0200)]
testing: alice is RADIUS server in the ikev2/rw-eap-sim-radius scenario

5 years agotesting: Print triplets.dat files of clients in EAP-SIM scenarios
Tobias Brunner [Fri, 21 Aug 2015 09:13:33 +0000 (11:13 +0200)]
testing: Print triplets.dat files of clients in EAP-SIM scenarios

References #1078.

5 years agoMerge branch 'stroke-ca-sections'
Tobias Brunner [Thu, 20 Aug 2015 17:37:09 +0000 (19:37 +0200)]
Merge branch 'stroke-ca-sections'

This resolves the duplicate CERTREQ issue when certificates in
ipsec.d/cacerts were referenced in ca sections.  It also ensures CA
certificates are reloaded atomically, so there is never a time when
an unchanged CA certificate is not available.

References #842.

5 years agostroke: Change how CA certificates are stored
Tobias Brunner [Thu, 20 Aug 2015 13:29:33 +0000 (15:29 +0200)]
stroke: Change how CA certificates are stored

Since 11c14bd2f5 CA certificates referenced in ca sections were
enumerated by two credential sets if they were also stored in
ipsec.d/cacerts.  This caused duplicate certificate requests to
get sent.  All CA certificates, whether loaded automatically or
via a ca section, are now stored in stroke_ca_t.

Certificates referenced in ca sections are now also reloaded
when `ipsec rereadcacerts` is used.

5 years agostroke: Combine CA certificate load methods
Tobias Brunner [Thu, 20 Aug 2015 08:22:50 +0000 (10:22 +0200)]
stroke: Combine CA certificate load methods

Also use the right credential set for CA cert references loaded from

5 years agostroke: Atomically replace CA and AA certificates when reloading them
Tobias Brunner [Thu, 20 Aug 2015 08:08:08 +0000 (10:08 +0200)]
stroke: Atomically replace CA and AA certificates when reloading them

Previously it was possible that certificates were not found between the
time the credential sets were cleared and the certificates got readded.

5 years agomem-cred: We don't need a write lock when looking for a certificate
Tobias Brunner [Thu, 20 Aug 2015 13:11:02 +0000 (15:11 +0200)]
mem-cred: We don't need a write lock when looking for a certificate

5 years agomem-cred: Add a method to atomically replace all certificates
Tobias Brunner [Thu, 20 Aug 2015 07:39:15 +0000 (09:39 +0200)]
mem-cred: Add a method to atomically replace all certificates

5 years agoikev1: Fix handling of overlapping Quick Mode exchanges
Tobias Brunner [Wed, 19 Aug 2015 13:28:02 +0000 (15:28 +0200)]
ikev1: Fix handling of overlapping Quick Mode exchanges

In some cases the third message of a Quick Mode exchange might arrive
after the first message of a subsequent Quick Mode exchange.  Previously
these messages were handled incorrectly and the second Quick Mode
exchange failed.

Some implementations might even try to establish multiple Quick Modes
simultaneously, which is explicitly allowed in RFC 2409.  We don't fully
support that, though, in particular in case of retransmits.

Fixes #1076.

5 years agokernel-pfkey: Add support for AES-GCM
Tobias Brunner [Wed, 29 Jul 2015 09:23:34 +0000 (11:23 +0200)]
kernel-pfkey: Add support for AES-GCM

The next release of FreeBSD will support this.

While Linux defines constants for AES-GCM in pfkeyv2.h since 2.6.25 it
does not actually support it.  When SAs are installed via PF_KEY only a
lookup in XFRM's list of encryption algorithms is done, but AES-GCM is in
a different table for AEAD algorithms (there is currently no lookup
function to find algorithms in that table via PF_KEY identifier).

5 years agoauth-cfg: Don't enforce EAP_DYNAMIC
Tobias Brunner [Thu, 20 Aug 2015 16:35:23 +0000 (18:35 +0200)]
auth-cfg: Don't enforce EAP_DYNAMIC

We now store the actual method on the auth config, which won't match
anymore if rightauth=eap-dynamic is configured.

5 years agoikev2: Compare initiator flag again, partially reverts 17ec1c74de
Tobias Brunner [Wed, 19 Aug 2015 14:47:45 +0000 (16:47 +0200)]
ikev2: Compare initiator flag again, partially reverts 17ec1c74de

We should ignore messages that have the flag set incorrectly.
This restores RFC compliance which was broken since the mentioned commit.

5 years agoikev2: Drop IKE_SA_INIT messages that don't have the initiator flag set
Tobias Brunner [Wed, 10 Jun 2015 13:53:08 +0000 (15:53 +0200)]
ikev2: Drop IKE_SA_INIT messages that don't have the initiator flag set

While this doesn't really create any problems it is not 100% correct to
accept such messages because, of course, the sender of an IKE_SA_INIT
request is always the original initiator of an IKE_SA.

We currently don't check the flag later, so we wouldn't notice if the
peer doesn't set it in later messages (ike_sa_id_t.equals doesn't
compare it anymore since we added support for IKEv1, in particular since

5 years agoikev1: Pass current auth-cfg when looking for key to determine auth method
Tobias Brunner [Wed, 19 Aug 2015 15:25:30 +0000 (17:25 +0200)]
ikev1: Pass current auth-cfg when looking for key to determine auth method

If multiple certificates use the same subjects we might choose the wrong
one otherwise. This way we use the one referenced with leftcert and
stored in the auth-cfg and we actually do the same thing later in the
pubkey authenticator.

Fixes #1077.

5 years agoikev2: Store outer EAP method used to authenticate remote peer in auth-cfg
Tobias Brunner [Mon, 8 Jun 2015 14:52:03 +0000 (16:52 +0200)]
ikev2: Store outer EAP method used to authenticate remote peer in auth-cfg

This allows symmetric configuration of EAP methods (i.e. the same value
in leftauth and rightauth) when mutual EAP-only authentication is used.
Previously the client had to configure rightauth=eap or rightauth=any,
which prevented it from using this same config as responder.

5 years agoimc: get_default_pwd_status(), as it currently is, works on Windows too
Tobias Brunner [Wed, 19 Aug 2015 10:10:09 +0000 (12:10 +0200)]
imc: get_default_pwd_status(), as it currently is, works on Windows too

This fixes the build on Windows.

5 years agoike: Use the original port when remote resolves to %any
Tobias Brunner [Tue, 18 Aug 2015 15:35:39 +0000 (17:35 +0200)]
ike: Use the original port when remote resolves to %any

When reestablishing the IKE_SA we should still use the original port
when right resolves to %any as some implementations might not like
initial IKE messages on port 4500 (especially for IKEv1).

5 years agotesting: Add ikev2/trap-any scenario
Tobias Brunner [Thu, 16 Jul 2015 10:53:18 +0000 (12:53 +0200)]
testing: Add ikev2/trap-any scenario

5 years agotrap-manager: Enable auto=route with right=%any for transport mode connections
Tobias Brunner [Tue, 30 Oct 2012 08:10:05 +0000 (09:10 +0100)]
trap-manager: Enable auto=route with right=%any for transport mode connections

Fixes #196.

5 years agoVersion bump to 5.3.3dr6 5.3.3dr6
Andreas Steffen [Wed, 19 Aug 2015 05:18:30 +0000 (07:18 +0200)]
Version bump to 5.3.3dr6

5 years agoExtend HCD attribute data for tnc/tnccs-20-hcd-eap scenario
Andreas Steffen [Mon, 17 Aug 2015 15:56:39 +0000 (17:56 +0200)]
Extend HCD attribute data for tnc/tnccs-20-hcd-eap scenario

5 years agoAdded reason string support to HCD IMV
Andreas Steffen [Mon, 17 Aug 2015 15:37:52 +0000 (17:37 +0200)]
Added reason string support to HCD IMV

5 years agoFixed patches format delimited by CR/LF
Andreas Steffen [Tue, 4 Aug 2015 19:43:49 +0000 (21:43 +0200)]
Fixed patches format delimited by CR/LF

5 years agoAdded imc-hcd attributes to strongswan.conf
Andreas Steffen [Mon, 27 Jul 2015 07:43:40 +0000 (09:43 +0200)]
Added imc-hcd attributes to strongswan.conf

5 years agotesting: Added tnc/tnccs-20-hcd-eap scenario
Andreas Steffen [Sun, 26 Jul 2015 09:57:39 +0000 (11:57 +0200)]
testing: Added tnc/tnccs-20-hcd-eap scenario

5 years agoUse PWG HCD PA-TNC subtypes to transport HCD attributes
Andreas Steffen [Sun, 26 Jul 2015 09:41:08 +0000 (11:41 +0200)]
Use PWG HCD PA-TNC subtypes to transport HCD attributes

5 years agoAdd default password determination capability to os_info
Andreas Steffen [Sun, 26 Jul 2015 09:38:06 +0000 (11:38 +0200)]
Add default password determination capability to os_info

5 years agoReintroduced ietf_attr_fwd_enabled()
Andreas Steffen [Fri, 24 Jul 2015 14:49:31 +0000 (16:49 +0200)]
Reintroduced ietf_attr_fwd_enabled()

5 years agoDefined PWG HCD PA-TNC subtypes
Andreas Steffen [Wed, 17 Jun 2015 09:18:37 +0000 (11:18 +0200)]
Defined PWG HCD PA-TNC subtypes

5 years agoAdded os_info support to HCD IMC
Andreas Steffen [Wed, 27 May 2015 08:19:31 +0000 (10:19 +0200)]
Added os_info support to HCD IMC

5 years agoSubscribed Scanner IMC/IMV to IETF_FIREWALL PA subtype
Andreas Steffen [Sun, 24 May 2015 07:36:16 +0000 (09:36 +0200)]
Subscribed Scanner IMC/IMV to IETF_FIREWALL PA subtype

5 years agotesting: enable HCD IMC and IMV
Andreas Steffen [Sun, 24 May 2015 06:56:27 +0000 (08:56 +0200)]
testing: enable HCD IMC and IMV

5 years agoImplemented HCD IMC and IMV
Andreas Steffen [Thu, 21 May 2015 20:01:32 +0000 (22:01 +0200)]
Implemented HCD IMC and IMV

5 years agoDefined HCD PA subtype in PWG namespace
Andreas Steffen [Wed, 20 May 2015 10:26:23 +0000 (12:26 +0200)]
Defined HCD PA subtype in PWG namespace

5 years agoCompleted implementation of PWG HCD attributes
Andreas Steffen [Mon, 18 May 2015 14:40:27 +0000 (16:40 +0200)]
Completed implementation of PWG HCD attributes

5 years agoDefined generic non-nul terminated string PA-TNC attribute
Andreas Steffen [Sun, 17 May 2015 16:16:08 +0000 (18:16 +0200)]
Defined generic non-nul terminated string PA-TNC attribute

5 years agoSupport of HCD Firewall Setting PA-TNC attribute
Andreas Steffen [Sun, 17 May 2015 15:04:46 +0000 (17:04 +0200)]
Support of HCD Firewall Setting PA-TNC attribute

5 years agoDefined generic boolean PA-TNC attribute
Andreas Steffen [Sun, 17 May 2015 06:41:59 +0000 (08:41 +0200)]
Defined generic boolean PA-TNC attribute

5 years agoDefined PWG HCD IF-M attributes
Andreas Steffen [Sat, 16 May 2015 20:44:40 +0000 (22:44 +0200)]
Defined PWG HCD IF-M attributes

5 years agoFixed the implemention of the IF-M segmentation protocol
Andreas Steffen [Tue, 18 Aug 2015 18:25:26 +0000 (20:25 +0200)]
Fixed the implemention of the IF-M segmentation protocol

The first segment only fit if the segmentation envelope attribute
was preceded by a Max Attribute Size Response attribute. The
improved implementation fills up the first PA-TNC message with
the first segment up to the maximum message size.

5 years agokernel-netlink: Avoid route dump if routing rule excludes traffic with a certain...
Tobias Brunner [Wed, 5 Aug 2015 14:51:38 +0000 (16:51 +0200)]
kernel-netlink: Avoid route dump if routing rule excludes traffic with a certain mark

If the routing rule we use to direct traffic to our own routing table
excludes traffic with a certain mark (fwmark = !<mark>) we can simplify
the route lookup and avoid dumping all routes by passing the mark to the
request.  That way our own routes are ignored and we get the preferred
route back without having to dump and analyze all routes, which is quite a
burden on hosts with lots of routes.

5 years agoinclude: Update (rt)netlink.h to the latest UAPI version
Tobias Brunner [Wed, 5 Aug 2015 14:46:37 +0000 (16:46 +0200)]
include: Update (rt)netlink.h to the latest UAPI version

5 years agosql: Also do a reversed ID match
Tobias Brunner [Mon, 27 Jul 2015 17:16:08 +0000 (19:16 +0200)]
sql: Also do a reversed ID match

This is required for the case where IDr is not sent (i.e. is %any).
The backend manager does the same.

Fixes #1044.

5 years agoha: Recreate the control FIFO if the file exists but is not a FIFO
Tobias Brunner [Thu, 13 Aug 2015 12:37:15 +0000 (14:37 +0200)]
ha: Recreate the control FIFO if the file exists but is not a FIFO

This may happen if something like `echo ... > /path/to/fifo` is used
before the plugin was able to create the FIFO. In that case we'd end
up in a loop always reading the same values from the static file.

5 years agoikev1: Assume a default key length of 128-bit for AES-CBC
Tobias Brunner [Thu, 13 Aug 2015 16:54:34 +0000 (18:54 +0200)]
ikev1: Assume a default key length of 128-bit for AES-CBC

Some implementations don't send a Key Length attribute for AES-128.
This was allowed for IKE in early drafts of RFC 3602, however, some
implementations also seem to do it for ESP, where it never was allowed.
And the final version of RFC 3602 demands a Key Length attribute for both
phases so they shouldn't do it anymore anyway.

Fixes #1064.

5 years agoauth-cfg: Matching one CA should be enough, similar to peer certificates
Tobias Brunner [Mon, 3 Aug 2015 11:55:36 +0000 (13:55 +0200)]
auth-cfg: Matching one CA should be enough, similar to peer certificates

Not sure if defining multiple CA constraints and enforcing _all_ of them,
i.e. the previous behavior, makes even sense.  To ensure a very specific
chain it should be enough to define the last intermediate CA.  On the
other hand, the ability to define multiple CAs could simplify configuration.

This can currently only be used with swanctl/VICI based configs as `rightca`
only takes a single DN.

5 years agovici: Add option to disable policy installation for CHILD_SAs
Tobias Brunner [Wed, 5 Aug 2015 09:01:10 +0000 (11:01 +0200)]
vici: Add option to disable policy installation for CHILD_SAs

5 years agochild-sa: Fix refcounting of allocated reqids
Tobias Brunner [Fri, 31 Jul 2015 14:51:35 +0000 (16:51 +0200)]
child-sa: Fix refcounting of allocated reqids

During a rekeying we want to reuse the current reqid, but if the new SA
does not allocate it via kernel-interface the state there will disappear
when the old SA is destroyed after the rekeying.  When the IKE_SA is
later reauthenticated with make-before-break reauthentication the new
CHILD_SAs there will get new reqids as no existing state is found in the
kernel-interface, breaking policy installation in the kernel.

Fixes: a49393954f31 ("child-sa: Use any fixed reqid configured on the CHILD_SA config")

5 years agoidentification: Remove unused ID_USER_ID type
Tobias Brunner [Fri, 31 Jul 2015 15:14:44 +0000 (17:14 +0200)]
identification: Remove unused ID_USER_ID type

5 years agoman: Clarify identity parsing and identity type prefixes
Tobias Brunner [Mon, 20 Jul 2015 13:27:57 +0000 (15:27 +0200)]
man: Clarify identity parsing and identity type prefixes

References #1028.

5 years agopki: Add --dn command to extract the subject DN of a certificate
Tobias Brunner [Thu, 6 Aug 2015 16:04:38 +0000 (18:04 +0200)]
pki: Add --dn command to extract the subject DN of a certificate

5 years agoscripts: Add script to extract the ASN.1 subject DN from a certificate
Tobias Brunner [Fri, 17 Jul 2015 09:46:16 +0000 (11:46 +0200)]
scripts: Add script to extract the ASN.1 subject DN from a certificate

This can be useful if the subject DN has to be configured with the
asn1dn: prefix in ipsec.conf (e.g. because the actual encoding can't be
created by strongSwan's string parser/encoder).

5 years agoplugin-feature: Add vendor specific EAP method registration macros
Tobias Brunner [Thu, 25 Jun 2015 15:41:09 +0000 (17:41 +0200)]
plugin-feature: Add vendor specific EAP method registration macros

Vendor specific EAP methods may be registered with:

    PLUGIN_CALLBACK(eap_method_register, <constructor>),
        PLUGIN_PROVIDE(EAP_SERVER_VENDOR, <type>, <vendor>),

Same for client implementations via EAP_PEER_VENDOR.

References #969.

5 years agoeap-radius: Use Framed-IPv6-Address attributes to send IPv6 VIPs in accounting messages
Tobias Brunner [Mon, 29 Jun 2015 08:43:19 +0000 (10:43 +0200)]
eap-radius: Use Framed-IPv6-Address attributes to send IPv6 VIPs in accounting messages

This attribute is more appropriate for single IPv6 virtual IPs than the
Framed-IPv6-Prefix attribute.

Fixes #1001.

5 years agoeap-radius: Add support for some basic IPv6-specific RADIUS attributes
Tobias Brunner [Mon, 22 Jun 2015 09:36:15 +0000 (11:36 +0200)]
eap-radius: Add support for some basic IPv6-specific RADIUS attributes

These are defined in RFC 6911.

Fixes #1001.

5 years agoutils: Check for dirfd(3)
Tobias Brunner [Tue, 4 Aug 2015 17:17:37 +0000 (19:17 +0200)]
utils: Check for dirfd(3)

Not all POSIX compatible systems might provide it yet.  If not, we close
the lowest FD to close and hope it gets reused by opendir().

5 years agoutils: Directly use syscall() to close open FDs in closefrom()
Tobias Brunner [Thu, 11 Jun 2015 10:19:56 +0000 (12:19 +0200)]
utils: Directly use syscall() to close open FDs in closefrom()

This avoids any allocations, since calling malloc() after fork() is
potentially unsafe.

Fixes #990.

5 years agoutils: Don't use directory enumerator to close open FDs in closefrom()
Tobias Brunner [Tue, 4 Aug 2015 12:43:26 +0000 (14:43 +0200)]
utils: Don't use directory enumerator to close open FDs in closefrom()

Calling malloc() after fork() is potentially unsafe, so we should avoid
it if possible.  opendir() will still require an allocation but that's
less than the variant using the enumerator wrapper, thus, decreasing
the conflict potential.  This way we can also avoid closing the
FD for the enumerated directory itself.

References #990.