strongswan.git
12 months agotnc-pdp: Don't use comma to separate statements
Tobias Brunner [Mon, 17 Sep 2018 14:57:43 +0000 (16:57 +0200)]
tnc-pdp: Don't use comma to separate statements

12 months agoreceiver: Don't use commas to separate statements
Tobias Brunner [Mon, 17 Sep 2018 14:56:25 +0000 (16:56 +0200)]
receiver: Don't use commas to separate statements

Maybe was in the INIT statement at some point.

12 months agomanager: Restore direct return if database URI is not defined
Tobias Brunner [Mon, 17 Sep 2018 14:30:51 +0000 (16:30 +0200)]
manager: Restore direct return if database URI is not defined

There was an exit anyway because storage_create() returns NULL if the
database can't be created.

12 months agoimv-os-agent: Remove useless assignment
Tobias Brunner [Mon, 17 Sep 2018 14:44:47 +0000 (16:44 +0200)]
imv-os-agent: Remove useless assignment

`eval` will never be TNC_IMV_EVALUATION_RESULT_DONT_KNOW so we can
remove the if statement too.

12 months agopts: Remove commented call of inexistent function
Tobias Brunner [Mon, 17 Sep 2018 14:43:32 +0000 (16:43 +0200)]
pts: Remove commented call of inexistent function

12 months agocounters: Fix exit status in error case
Tobias Brunner [Mon, 17 Sep 2018 14:13:22 +0000 (16:13 +0200)]
counters: Fix exit status in error case

12 months agosigncrl: Remove useless assignment
Tobias Brunner [Mon, 17 Sep 2018 14:11:05 +0000 (16:11 +0200)]
signcrl: Remove useless assignment

12 months agoasn1: Remove useless assignment
Tobias Brunner [Mon, 17 Sep 2018 14:07:59 +0000 (16:07 +0200)]
asn1: Remove useless assignment

12 months agomode-config: Remove useless assignment
Tobias Brunner [Mon, 17 Sep 2018 14:02:24 +0000 (16:02 +0200)]
mode-config: Remove useless assignment

12 months agokeymat_v1: Remove useless assignment
Tobias Brunner [Mon, 17 Sep 2018 14:00:11 +0000 (16:00 +0200)]
keymat_v1: Remove useless assignment

12 months agokernel-netlink: Check return value of both halfs when installing default route in...
Tobias Brunner [Mon, 17 Sep 2018 13:56:48 +0000 (15:56 +0200)]
kernel-netlink: Check return value of both halfs when installing default route in main table

12 months agobotan: Fix leak if hasher initialization fails
Tobias Brunner [Mon, 17 Sep 2018 15:59:55 +0000 (17:59 +0200)]
botan: Fix leak if hasher initialization fails

12 months agobotan: Share code to generate RSA EMSA PSS signature identifier strings
Tobias Brunner [Mon, 17 Sep 2018 10:57:25 +0000 (12:57 +0200)]
botan: Share code to generate RSA EMSA PSS signature identifier strings

12 months agobotan: Remove unnecessary nested blocks and simplify keyid allocation
Tobias Brunner [Mon, 17 Sep 2018 10:33:09 +0000 (12:33 +0200)]
botan: Remove unnecessary nested blocks and simplify keyid allocation

12 months agodaemon: Remove redundant assignment to time_format
Tobias Brunner [Fri, 14 Sep 2018 14:10:46 +0000 (16:10 +0200)]
daemon: Remove redundant assignment to time_format

12 months agoVersion bump to 5.7.0rc1 5.7.0rc1
Andreas Steffen [Sun, 16 Sep 2018 07:30:09 +0000 (09:30 +0200)]
Version bump to 5.7.0rc1

12 months agotesting: Extended Botan scenarios
Andreas Steffen [Wed, 12 Sep 2018 15:21:21 +0000 (17:21 +0200)]
testing: Extended Botan scenarios

12 months agoNEWS: Added some news for 5.7.0
Tobias Brunner [Wed, 12 Sep 2018 16:41:53 +0000 (18:41 +0200)]
NEWS: Added some news for 5.7.0

12 months agotravis: Silence `git checkout` for Botan
Tobias Brunner [Wed, 12 Sep 2018 15:18:15 +0000 (17:18 +0200)]
travis: Silence `git checkout` for Botan

12 months agoMerge branch 'botan-plugin'
Tobias Brunner [Wed, 12 Sep 2018 14:25:07 +0000 (16:25 +0200)]
Merge branch 'botan-plugin'

Adds a wrapper plugin for the Botan crypto library.

Closes strongswan/strongswan#109.

12 months agotravis: Use a fix revision for Botan and speed up subsequent builds via ccache
Tobias Brunner [Wed, 12 Sep 2018 13:51:08 +0000 (15:51 +0200)]
travis: Use a fix revision for Botan and speed up subsequent builds via ccache

12 months agotravis: Use amalgamation build for Botan and build outside our source tree
Tobias Brunner [Wed, 12 Sep 2018 11:12:44 +0000 (13:12 +0200)]
travis: Use amalgamation build for Botan and build outside our source tree

This merges all source files into botan_all.cpp, which reduces the build
time by almost 50%. Building outside the strongSwan tree avoids analyzing
Botan with sonarqube.

12 months agogcrypt: Make generic DH constructor static
Tobias Brunner [Wed, 12 Sep 2018 10:56:11 +0000 (12:56 +0200)]
gcrypt: Make generic DH constructor static

12 months agotravis: Build botan plugin also in the tests that build everything
Tobias Brunner [Wed, 12 Sep 2018 10:05:14 +0000 (12:05 +0200)]
travis: Build botan plugin also in the tests that build everything

12 months agotravis: Only add the sonarcloud addon for that build
Tobias Brunner [Wed, 12 Sep 2018 10:02:41 +0000 (12:02 +0200)]
travis: Only add the sonarcloud addon for that build

12 months agotesting: Added botan/rw-cert scenario
Andreas Steffen [Wed, 5 Sep 2018 06:07:06 +0000 (08:07 +0200)]
testing: Added botan/rw-cert scenario

12 months agotesting: Enable Botan and the plugin
Tobias Brunner [Thu, 30 Aug 2018 15:47:43 +0000 (17:47 +0200)]
testing: Enable Botan and the plugin

ldconfig is required, otherwise the library won't be found by
strongSwan in the same session.

Should later be changed to 2.8.0 or a newer stable release.

12 months agobotan: Add support for X25519
Tobias Brunner [Tue, 11 Sep 2018 09:05:21 +0000 (11:05 +0200)]
botan: Add support for X25519

12 months agobotan: Simplify DH/ECDH key derivation
Tobias Brunner [Tue, 11 Sep 2018 08:58:42 +0000 (10:58 +0200)]
botan: Simplify DH/ECDH key derivation

12 months agotest-vectors: Add the actual test vector from RFC 8031 for x25519
Tobias Brunner [Tue, 11 Sep 2018 08:32:50 +0000 (10:32 +0200)]
test-vectors: Add the actual test vector from RFC 8031 for x25519

The existing test vector is from RFC 8037.

12 months agoike-init: Fix leak if KE payload creation fails
Tobias Brunner [Thu, 30 Aug 2018 12:48:34 +0000 (14:48 +0200)]
ike-init: Fix leak if KE payload creation fails

12 months agoleak-detective: Add an option to ignore frees of unknown memory blocks
Tobias Brunner [Wed, 8 Aug 2018 15:06:15 +0000 (17:06 +0200)]
leak-detective: Add an option to ignore frees of unknown memory blocks

This also changes how unknown/corrupted memory is handled in the free()
and realloc() hooks in general.

Incorporates changes provided by Thomas Egerer who ran into a similar
issue.

12 months agotravis: Add Botan build
Tobias Brunner [Wed, 8 Aug 2018 09:35:46 +0000 (11:35 +0200)]
travis: Add Botan build

We build Botan directly from the master branch until 2.8.0 is released.

12 months agoleak-detective: Whitelist some Botan functions
Tobias Brunner [Wed, 8 Aug 2018 09:41:36 +0000 (11:41 +0200)]
leak-detective: Whitelist some Botan functions

Due to the mangled C++ function names it's tricky to be more specific.  The
"leaked" allocations are from a static hashtable containing EC groups.

There is another leak caused by the locking allocator singleton
(triggered by the first function that uses it, usually initialization of
 a cipher, but could be a hasher in other test runners), but we can avoid
that with a Botan config option.

12 months agobotan: Adhere to configured DH exponent length
Tobias Brunner [Fri, 10 Aug 2018 15:04:09 +0000 (17:04 +0200)]
botan: Adhere to configured DH exponent length

12 months agobotan: Encode private keys as PKCS#8
Tobias Brunner [Fri, 10 Aug 2018 07:02:26 +0000 (09:02 +0200)]
botan: Encode private keys as PKCS#8

Since we can now parse that encoding directly we can simplify the private
key export and stick to PKCS#8.

12 months agobotan: Load public/private keys generically
Tobias Brunner [Thu, 9 Aug 2018 11:00:50 +0000 (13:00 +0200)]
botan: Load public/private keys generically

Simplifies public key loading and this way unencrypted PKCS#8-encoded
keys can be loaded directly without pkcs8 plugin (code for encrypted
keys could probably later be added, if necessary).

It also simplifies the implementation of private_key_t::get_public_key()
a lot.

12 months agobotan: Encode curve OID and public key in EC private key
Tobias Brunner [Wed, 8 Aug 2018 16:23:11 +0000 (18:23 +0200)]
botan: Encode curve OID and public key in EC private key

Without OID we can't generate an algorithmIdentifier when loading the
key again. And older versions of OpenSSL insist on a public key when
e.g. converting a key to PKCS#8.

Simply unwrapping the ECPrivateKey structure avoids log messages when
parsing other keys in the KEY_ANY case.

12 months agopkcs1: Accept EC private keys without public key but make sure of an OID
Tobias Brunner [Thu, 9 Aug 2018 06:45:48 +0000 (08:45 +0200)]
pkcs1: Accept EC private keys without public key but make sure of an OID

12 months agobotan: Fixes, code style changes plus some refactorings
Tobias Brunner [Mon, 6 Aug 2018 15:46:54 +0000 (17:46 +0200)]
botan: Fixes, code style changes plus some refactorings

Some changes rely on newly added FFI functions in Botan's master
branch.

12 months agobotan: Add MD5 support to Botan hasher
René Korthaus [Fri, 27 Jul 2018 07:33:39 +0000 (09:33 +0200)]
botan: Add MD5 support to Botan hasher

Support MD5 in the Botan plugin if supported by Botan.
MD5 is required for RADIUS and obviously EAP-MD5,
and also for non-PKCS#8 encoded, encrypted private keys.

12 months agounit-tests: Remove 768 bits RSA gen test
René Korthaus [Thu, 26 Jul 2018 09:17:07 +0000 (11:17 +0200)]
unit-tests: Remove 768 bits RSA gen test

Botan only allows RSA generating keys >= 1,024 bits, which makes
the RSA test suite fail. It is questionable whether it makes
sense to test 768 bit RSA keys anymore. They are too weak
from today's perspective anyway.

12 months agobotan: Add Botan plugin to libstrongswan
René Korthaus [Wed, 25 Jul 2018 11:01:19 +0000 (13:01 +0200)]
botan: Add Botan plugin to libstrongswan

12 months agodumm: Remove the Dynamic UML Mesh Modeler framework
Tobias Brunner [Wed, 12 Sep 2018 09:02:32 +0000 (11:02 +0200)]
dumm: Remove the Dynamic UML Mesh Modeler framework

This has been pretty much defunct for several years (requires a
specially patched UML-enabled guest kernel).

12 months agoandroid: Properly set log file path
Tobias Brunner [Wed, 12 Sep 2018 09:44:33 +0000 (11:44 +0200)]
android: Properly set log file path

12 months agoconf: Document new filelog configuration
Tobias Brunner [Wed, 12 Sep 2018 09:42:38 +0000 (11:42 +0200)]
conf: Document new filelog configuration

12 months agolibrary: Return FALSE from library_init() if loaded settings are invalid
Tobias Brunner [Tue, 11 Sep 2018 15:56:38 +0000 (17:56 +0200)]
library: Return FALSE from library_init() if loaded settings are invalid

This way daemons won't start with config files that contain errors.

12 months agosettings: Don't allow dots in section/key names anymore
Tobias Brunner [Thu, 31 May 2018 09:46:29 +0000 (11:46 +0200)]
settings: Don't allow dots in section/key names anymore

This requires config changes if filelog is used with a path that
contains dots. This path must now be defined in the `path` setting of an
arbitrarily named subsection of `filelog`.  Without that change the
whole strongswan.conf file will fail to load, which some users might
not notice immediately.

12 months agoike-auth: Remove unnecessary case statement
Tobias Brunner [Tue, 11 Sep 2018 09:33:05 +0000 (11:33 +0200)]
ike-auth: Remove unnecessary case statement

12 months agovici: Remove unreachable code
Tobias Brunner [Fri, 7 Sep 2018 09:17:06 +0000 (11:17 +0200)]
vici: Remove unreachable code

If list is TRUE any type but VICI_LIST_END and VICI_LIST_ITEM (i.e.
including VICI_END) is already handled in the first block in this
function.

12 months agovici: Lease enumerator is always defined
Tobias Brunner [Fri, 7 Sep 2018 09:12:24 +0000 (11:12 +0200)]
vici: Lease enumerator is always defined

mem_pool_t always returns an enumerator.

12 months agostroke: Lease enumerator is always defined
Tobias Brunner [Fri, 7 Sep 2018 09:03:29 +0000 (11:03 +0200)]
stroke: Lease enumerator is always defined

This function is only called for existing pools (under the protection of
a read lock).

12 months agosmp: Remove unreachable initializer
Tobias Brunner [Fri, 7 Sep 2018 08:56:07 +0000 (10:56 +0200)]
smp: Remove unreachable initializer

Execution in this block will start with any of the case statements,
never with the initialization.

12 months agoeap-sim-pcsc: Fix leak in error case
Tobias Brunner [Fri, 7 Sep 2018 08:36:41 +0000 (10:36 +0200)]
eap-sim-pcsc: Fix leak in error case

12 months agotravis: Add sonarcloud build
Tobias Brunner [Mon, 10 Sep 2018 16:46:20 +0000 (18:46 +0200)]
travis: Add sonarcloud build

12 months agotravis: Automatically retry install steps
Tobias Brunner [Mon, 10 Sep 2018 10:22:20 +0000 (12:22 +0200)]
travis: Automatically retry install steps

There occasionally are network issues when fetching from Ubuntu/PPA
repos.  Let's see if this is a possible fix.

12 months agoswanctl: Allow passing a custom config file for each --load* command
Tobias Brunner [Mon, 28 May 2018 15:19:22 +0000 (17:19 +0200)]
swanctl: Allow passing a custom config file for each --load* command

Mainly for debugging, but could also be used to e.g. use a separate file
for connections and secrets.

12 months agoMerge branch 'ikev2-ppk'
Tobias Brunner [Mon, 10 Sep 2018 16:05:12 +0000 (18:05 +0200)]
Merge branch 'ikev2-ppk'

Adds support for Postquantum Preshared Keys for IKEv2.

Fixes #2710.

12 months agotesting: Add some PPK scenarios
Tobias Brunner [Thu, 30 Aug 2018 16:14:06 +0000 (18:14 +0200)]
testing: Add some PPK scenarios

12 months agoswanctl: Report the use of a PPK in --list-sas
Tobias Brunner [Fri, 27 Jul 2018 11:14:40 +0000 (13:14 +0200)]
swanctl: Report the use of a PPK in --list-sas

If we later decide the PPK_ID would be helpful, printing this on a
separate line would probably make sense.

12 months agovici: Return PPK state of an IKE_SA
Tobias Brunner [Fri, 27 Jul 2018 10:50:22 +0000 (12:50 +0200)]
vici: Return PPK state of an IKE_SA

12 months agoikev2: Mark IKE_SAs that used PPK during authentication
Tobias Brunner [Fri, 27 Jul 2018 10:14:18 +0000 (12:14 +0200)]
ikev2: Mark IKE_SAs that used PPK during authentication

12 months agoeap-authenticator: Add support for authentication with PPK
Tobias Brunner [Fri, 27 Jul 2018 09:24:49 +0000 (11:24 +0200)]
eap-authenticator: Add support for authentication with PPK

12 months agopubkey-authenticator: Add support for authentication with PPK
Tobias Brunner [Fri, 27 Jul 2018 08:49:30 +0000 (10:49 +0200)]
pubkey-authenticator: Add support for authentication with PPK

12 months agopsk-authenticator: Add support for authentication with PPK
Tobias Brunner [Thu, 26 Jul 2018 14:25:02 +0000 (16:25 +0200)]
psk-authenticator: Add support for authentication with PPK

12 months agoike-auth: Add basic PPK support
Tobias Brunner [Thu, 26 Jul 2018 15:28:13 +0000 (17:28 +0200)]
ike-auth: Add basic PPK support

Some of the work will have to be done in the authenticators.

12 months agoike-auth: Replace `== NULL` with `!`
Tobias Brunner [Thu, 26 Jul 2018 15:27:13 +0000 (17:27 +0200)]
ike-auth: Replace `== NULL` with `!`

12 months agoauthenticator: Add optional method to set PPK
Tobias Brunner [Thu, 26 Jul 2018 13:32:10 +0000 (15:32 +0200)]
authenticator: Add optional method to set PPK

12 months agoike-init: Send USE_PPK notify as appropriate
Tobias Brunner [Thu, 26 Jul 2018 13:20:30 +0000 (15:20 +0200)]
ike-init: Send USE_PPK notify as appropriate

12 months agoswanctl: Report PPK configuration in --list-conns
Tobias Brunner [Fri, 27 Jul 2018 10:34:23 +0000 (12:34 +0200)]
swanctl: Report PPK configuration in --list-conns

12 months agovici: Make PPK related options configurable
Tobias Brunner [Thu, 26 Jul 2018 15:57:36 +0000 (17:57 +0200)]
vici: Make PPK related options configurable

12 months agopeer-cfg: Add properties for PPK ID and whether PPK is required
Tobias Brunner [Thu, 26 Jul 2018 13:16:21 +0000 (15:16 +0200)]
peer-cfg: Add properties for PPK ID and whether PPK is required

12 months agoike-sa: Add flag for PPK extension
Tobias Brunner [Thu, 26 Jul 2018 09:47:46 +0000 (11:47 +0200)]
ike-sa: Add flag for PPK extension

12 months agokeymat_v2: Add support for PPKs
Tobias Brunner [Wed, 25 Jul 2018 14:43:01 +0000 (16:43 +0200)]
keymat_v2: Add support for PPKs

12 months agoswanctl: Add support for PPKs
Tobias Brunner [Thu, 26 Jul 2018 15:44:12 +0000 (17:44 +0200)]
swanctl: Add support for PPKs

12 months agovici: Add support for PPKs
Tobias Brunner [Wed, 25 Jul 2018 15:23:12 +0000 (17:23 +0200)]
vici: Add support for PPKs

12 months agoshared-key: Add a new type for Postquantum Preshared Keys
Tobias Brunner [Wed, 25 Jul 2018 13:30:05 +0000 (15:30 +0200)]
shared-key: Add a new type for Postquantum Preshared Keys

Using a separate type allows us to easily check if we have any PPKs
available at all.

12 months agoikev2: Add notify types for Postquantum Preshared Keys
Tobias Brunner [Wed, 25 Jul 2018 13:29:58 +0000 (15:29 +0200)]
ikev2: Add notify types for Postquantum Preshared Keys

12 months agounit-tests: Add tests for peer_cfg_t::replace_child_cfgs()
Tobias Brunner [Thu, 6 Sep 2018 13:17:37 +0000 (15:17 +0200)]
unit-tests: Add tests for peer_cfg_t::replace_child_cfgs()

12 months agopeer-cfg: Replace equal child configs with newly added ones
Tobias Brunner [Thu, 6 Sep 2018 13:13:37 +0000 (15:13 +0200)]
peer-cfg: Replace equal child configs with newly added ones

Otherwise, renamed child configs would still be known to the daemon
under their old name.

Fixes #2746.

12 months agocrypto: References to RFCs 8410 and 8420
Andreas Steffen [Tue, 4 Sep 2018 05:24:20 +0000 (07:24 +0200)]
crypto: References to RFCs 8410 and 8420

12 months agoNormalize whitespace in boilerplate files
Tobias Brunner [Fri, 6 Jul 2018 12:07:39 +0000 (14:07 +0200)]
Normalize whitespace in boilerplate files

Now all consistently use 2 or 4 (HACKING) spaces for indentation.

12 months agoREADME: Fix indentation
Tobias Brunner [Fri, 6 Jul 2018 10:09:32 +0000 (12:09 +0200)]
README: Fix indentation

12 months agoinit: Reload configurations/credentials as well during systemctl reload
Martin Willi [Tue, 7 Mar 2017 16:29:45 +0000 (17:29 +0100)]
init: Reload configurations/credentials as well during systemctl reload

12 months agoswanctl: Add --reauth option to --rekey command
Tobias Brunner [Thu, 23 Aug 2018 14:20:06 +0000 (16:20 +0200)]
swanctl: Add --reauth option to --rekey command

12 months agovici: Add option to reauthenticae instead of rekey an IKEv2 SA
Tobias Brunner [Thu, 23 Aug 2018 14:16:47 +0000 (16:16 +0200)]
vici: Add option to reauthenticae instead of rekey an IKEv2 SA

12 months agoMerge branch 'xfrm-set-mark'
Tobias Brunner [Fri, 31 Aug 2018 10:27:40 +0000 (12:27 +0200)]
Merge branch 'xfrm-set-mark'

This adds the ability to configure marks the in- and/or outbound SA
should apply to packets after processing on Linux.  Configuring such a mark
for outbound SAs requires at least a 4.14 kernel.  The ability to set a mask
and configuring a mark/mask for inbound SAs will be added with the upcoming
4.19 kernel.

12 months agochild-sa: Use SA matching mark as SA set mark if the latter is %same
Martin Willi [Wed, 9 May 2018 11:40:36 +0000 (13:40 +0200)]
child-sa: Use SA matching mark as SA set mark if the latter is %same

For inbound processing, it can be rather useful to apply the mark to the
packet in the SA, so the associated policy with that mark implicitly matches.
When using %unique as match mark, we don't know the mark beforehand, so
we most likely want to set the mark we match against.

12 months agoipsec-types: Restrict the use of %unique and other keywords when parsing marks
Martin Willi [Mon, 14 May 2018 11:42:53 +0000 (13:42 +0200)]
ipsec-types: Restrict the use of %unique and other keywords when parsing marks

%unique (and the upcoming %same key) are usable in specific contexts only.
To restrict the user from using it in other places where it does not get the
expected results, reject such keywords unless explicitly allowed.

12 months agovici: Document kernel requirements for set_mark_in/set_mark_out options
Martin Willi [Mon, 14 May 2018 10:55:27 +0000 (12:55 +0200)]
vici: Document kernel requirements for set_mark_in/set_mark_out options

12 months agovici: Make in-/outbound marks the SA should set configurable
Tobias Brunner [Fri, 20 Apr 2018 12:12:48 +0000 (14:12 +0200)]
vici: Make in-/outbound marks the SA should set configurable

12 months agochild-sa: Configure in-/outbound mark the SA should set
Tobias Brunner [Fri, 20 Apr 2018 12:08:35 +0000 (14:08 +0200)]
child-sa: Configure in-/outbound mark the SA should set

12 months agochild-cfg: Add properties for in-/outbound mark the SA should set
Tobias Brunner [Fri, 20 Apr 2018 12:02:57 +0000 (14:02 +0200)]
child-cfg: Add properties for in-/outbound mark the SA should set

12 months agokernel-netlink: Add support for setting mark/mask an SA should apply to processed...
Tobias Brunner [Fri, 20 Apr 2018 12:01:12 +0000 (14:01 +0200)]
kernel-netlink: Add support for setting mark/mask an SA should apply to processed traffic

12 months agokernel-netlink: Use larger buffer for event messages
Tobias Brunner [Fri, 10 Aug 2018 12:41:16 +0000 (14:41 +0200)]
kernel-netlink: Use larger buffer for event messages

12 months agoikev1: Increase DPD sequence number only after receiving a response
Tobias Brunner [Mon, 6 Aug 2018 15:01:20 +0000 (17:01 +0200)]
ikev1: Increase DPD sequence number only after receiving a response

We don't retransmit DPD requests like we do requests for proper exchanges,
so increasing the number with each sent DPD could result in the peer's state
getting out of sync if DPDs are lost.  Because according to RFC 3706, DPDs
with an unexpected sequence number SHOULD be rejected (it does mention the
possibility of maintaining a window of acceptable numbers, but we currently
don't implement that).  We partially ignore such messages (i.e. we don't
update the expected sequence number and the inbound message stats, so we
might send a DPD when none is required).  However, we always send a response,
so a peer won't really notice this (it also ensures a reply for "retransmits"
caused by this change, i.e. multiple DPDs with the same number - hopefully,
other implementations behave similarly when receiving such messages).

Fixes #2714.

12 months agoRemove ITA references
Tobias Brunner [Fri, 31 Aug 2018 09:11:12 +0000 (11:11 +0200)]
Remove ITA references

12 months agoikev1: Signal IKE_SA connection failure via bus
Tobias Brunner [Thu, 23 Aug 2018 15:54:29 +0000 (17:54 +0200)]
ikev1: Signal IKE_SA connection failure via bus

This is mainly for HA where a passive SA was already created when the
IKE keys were derived.  If e.g. an authentication error occurs later that
SA wouldn't get cleaned up.

12 months agoaggressive-mode: Trigger alerts for authentication failures
Tobias Brunner [Thu, 23 Aug 2018 15:25:08 +0000 (17:25 +0200)]
aggressive-mode: Trigger alerts for authentication failures

12 months agomain-mode: Local identity is always defined
Tobias Brunner [Thu, 23 Aug 2018 15:31:50 +0000 (17:31 +0200)]
main-mode: Local identity is always defined