6 years agoike: Don't send NAT keepalives if we have no path to the other peer
Tobias Brunner [Mon, 16 Nov 2015 16:01:46 +0000 (17:01 +0100)]
ike: Don't send NAT keepalives if we have no path to the other peer

If there is no path to the other peer there is no point in trying to
send a NAT keepalive.

If the condition changes back and forth within the keepalive interval there
is a chance that multiple jobs get queued.

6 years agovici: Provide ports of local and remote IKE endpoints
Tobias Brunner [Tue, 19 Jan 2016 12:34:11 +0000 (13:34 +0100)]
vici: Provide ports of local and remote IKE endpoints

6 years agoduplicheck: Include required headers for FreeBSD
Denis Volpato Martins [Thu, 25 Feb 2016 13:52:59 +0000 (10:52 -0300)]
duplicheck: Include required headers for FreeBSD

Closes strongswan/strongswan#34.

6 years agocharon: Add custom logger to daemon
Thomas Egerer [Mon, 1 Feb 2016 13:52:49 +0000 (14:52 +0100)]
charon: Add custom logger to daemon

This logger can be used to easily register custom logging instances
using __attribute__((constructor)) benefiting from the global reload
mechanism (with reset of log levels).

Note that this is not intended to be used from plugins, which are loaded
after loggers have already been initialized.

Signed-off-by: Thomas Egerer <>
6 years agovici: Correctly document 'up' key for updown events
Tobias Brunner [Wed, 3 Feb 2016 15:33:24 +0000 (16:33 +0100)]
vici: Correctly document 'up' key for updown events

Instead of sending 'no' it is omitted when an SA goes down.

6 years agoikev2: Use config value for sending of vendor IDs
Thomas Egerer [Tue, 2 Feb 2016 16:01:50 +0000 (17:01 +0100)]
ikev2: Use config value for sending of vendor IDs

Signed-off-by: Thomas Egerer <>
6 years agoswanctl: Fix minor typos in documentation
Chris Patterson [Fri, 26 Feb 2016 14:32:39 +0000 (09:32 -0500)]
swanctl: Fix minor typos in documentation

"UPD" should be "UDP".

Signed-off-by: Chris Patterson <>
6 years agotesting: Added swanctl/shunt-policies-nat-rw
Andreas Steffen [Sun, 28 Feb 2016 21:25:50 +0000 (22:25 +0100)]
testing: Added swanctl/shunt-policies-nat-rw

6 years agotesting: Some minor fixes in test scenarios
Andreas Steffen [Sun, 28 Feb 2016 21:25:21 +0000 (22:25 +0100)]
testing: Some minor fixes in test scenarios

6 years agoVersion bump to 5.4.0dr7 5.4.0dr7
Andreas Steffen [Sun, 28 Feb 2016 14:56:06 +0000 (15:56 +0100)]
Version bump to 5.4.0dr7

6 years agotesting: Added swanctl/protoport-dual scenario
Andreas Steffen [Sun, 28 Feb 2016 13:33:48 +0000 (14:33 +0100)]
testing: Added swanctl/protoport-dual scenario

6 years agotesting: converted af-alg scenarios to swanctl
Andreas Steffen [Fri, 26 Feb 2016 12:31:36 +0000 (13:31 +0100)]
testing: converted af-alg scenarios to swanctl

6 years agotesting: Use absolute path to the _updown script in SQL scenarios
Tobias Brunner [Wed, 17 Feb 2016 10:55:45 +0000 (11:55 +0100)]
testing: Use absolute path to the _updown script in SQL scenarios

/usr/local/sbin is not included in PATH set by the charon init script and
since the ipsec script is obsolete when using swanctl it makes sense to
change this anyway.

6 years agoike-sa-manager: Store a reference to the thread that checked out an IKE_SA
Tobias Brunner [Wed, 10 Feb 2016 15:41:52 +0000 (16:41 +0100)]
ike-sa-manager: Store a reference to the thread that checked out an IKE_SA

This could be helpful when debugging deadlocks that manifest around
wait_for_entry(), as it helps identifying other involved threads (the
thread object is seen in the thread_main() call in each thread's backtrace).

6 years agotesting: Increased ping interval in ikev2/trap-any scenario
Andreas Steffen [Tue, 16 Feb 2016 17:21:19 +0000 (18:21 +0100)]
testing: Increased ping interval in ikev2/trap-any scenario

6 years agoVersion bump to 5.4.0dr6 5.4.0dr6
Andreas Steffen [Tue, 16 Feb 2016 17:17:44 +0000 (18:17 +0100)]
Version bump to 5.4.0dr6

6 years agoCorrected the description of the swanctl/dhcp-dynamic scenario
Andreas Steffen [Tue, 16 Feb 2016 17:17:17 +0000 (18:17 +0100)]
Corrected the description of the swanctl/dhcp-dynamic scenario

6 years agoFix of the mutual TNC measurement use case
Andreas Steffen [Tue, 16 Feb 2016 17:00:27 +0000 (18:00 +0100)]
Fix of the mutual TNC measurement use case

If the IKEv2 initiator acting as a TNC server receives invalid TNC measurements
from the IKEv2 responder acting as a TNC clienti, the exchange of PB-TNC batches
is continued until the IKEv2 responder acting as a TNC server has also finished
its TNC measurements.

In the past if these measurements in the other direction were correct
the IKEv2 responder acting as EAP server declared the IKEv2 EAP authentication
successful and the IPsec connection was established even though the TNC
measurement verification on the EAP peer side failed.

The fix adds an "allow" group membership on each endpoint if the corresponding
TNC measurements of the peer are successful. By requiring a "allow" group
membership in the IKEv2 connection definition the IPsec connection succeeds
only if the TNC measurements on both sides are valid.

6 years agokernel-netlink: Allow Netlink send buffer size to be configured via compile option
Tobias Brunner [Fri, 12 Feb 2016 14:08:34 +0000 (15:08 +0100)]
kernel-netlink: Allow Netlink send buffer size to be configured via compile option

The receive buffer size can already be changed via strongswan.conf if

6 years agoutils: Add enum name for pseudo log group 'any'
Tobias Brunner [Fri, 5 Feb 2016 14:41:39 +0000 (15:41 +0100)]
utils: Add enum name for pseudo log group 'any'

6 years agolibipsec: Pass the same data to del_policy() as to add_policy()
Tobias Brunner [Thu, 4 Feb 2016 09:57:31 +0000 (10:57 +0100)]
libipsec: Pass the same data to del_policy() as to add_policy()

We already do this for the other kernel interfaces.

Fixes e1e88d5adde0 ("libipsec: Don't attempt deletion of any non-IPsec policies")

6 years agolibipsec: Don't attempt deletion of any non-IPsec policies
Tobias Brunner [Thu, 4 Feb 2016 09:14:22 +0000 (10:14 +0100)]
libipsec: Don't attempt deletion of any non-IPsec policies

An example are the fallback drop policies installed when updating SAs.
We ignore such policies in add_policy() so there is no point in attempting
to remove them.  Since they use different priorities than regular policies
this did not result in policies getting deleted unintentionally but there
was an irritating log message on level 2 that indicated otherwise.

6 years agotesting: Added swanctl/dhcp-dynamic scenario
Andreas Steffen [Wed, 3 Feb 2016 11:10:59 +0000 (12:10 +0100)]
testing: Added swanctl/dhcp-dynamic scenario

6 years agoikev2: Add debug message about failed IKE authentication
Thomas Egerer [Tue, 2 Feb 2016 15:13:46 +0000 (16:13 +0100)]
ikev2: Add debug message about failed IKE authentication

Signed-off-by: Thomas Egerer <>
6 years agoikev1: Log successful authentication with signature scheme
Thomas Egerer [Mon, 1 Feb 2016 14:33:38 +0000 (15:33 +0100)]
ikev1: Log successful authentication with signature scheme

Output is now identical to that of the IKEv2 pubkey authenticator.

Signed-off-by: Thomas Egerer <>
6 years agopeer-cfg: Set DPD timeout to at least DPD delay
Tobias Brunner [Mon, 1 Feb 2016 14:29:25 +0000 (15:29 +0100)]
peer-cfg: Set DPD timeout to at least DPD delay

If DPD timeout is set but to a value smaller than the DPD delay the code
in task_manager_v1.c:queue_liveliness_check will run into an integer

6 years agoikev1: Always enable charon.reuse_ikesa
Tobias Brunner [Fri, 18 Dec 2015 14:23:30 +0000 (15:23 +0100)]
ikev1: Always enable charon.reuse_ikesa

With IKEv1 we have to reuse IKE_SAs as otherwise the responder might
detect the new SA as reauthentication and will "adopt" the CHILD_SAs of
the original IKE_SA, while the initiator will not do so.  This could
cause CHILD_SA rekeying to fail later.

Fixes #1236.

6 years agoload-tester: Register kernel-ipsec implementation as plugin feature
Tobias Brunner [Mon, 18 Jan 2016 16:03:46 +0000 (17:03 +0100)]
load-tester: Register kernel-ipsec implementation as plugin feature

Otherwise, libcharon's dependency on kernel-ipsec can't be satisfied.

This changed with db61c37690b5 ("kernel-interface: Return bool for
kernel interface registration") as the registration of further
kernel-ipsec implementations now fails and therefore even if other
plugins are loaded the dependency will not be satisfied anymore.

References #953.

6 years agochild-rekey: Suppress updown event when deleting redundant CHILD_SAs
Tobias Brunner [Tue, 15 Dec 2015 16:15:32 +0000 (17:15 +0100)]
child-rekey: Suppress updown event when deleting redundant CHILD_SAs

When handling a rekey collision we might have to delete an already
installed redundant CHILD_SA (or expect the other peer to do so).
We don't want to trigger updown events for these as neither do we do
so for successfully rekeyed CHILD_SAs.

Fixes #853.

6 years agotesting: Don't attempt to start the daemon twice in ha/active-passive scenario
Tobias Brunner [Tue, 26 Jan 2016 10:24:36 +0000 (11:24 +0100)]
testing: Don't attempt to start the daemon twice in ha/active-passive scenario

6 years agoha: Properly sync IKEv1 IV if gateway is initiator
Tobias Brunner [Tue, 26 Jan 2016 10:13:13 +0000 (11:13 +0100)]
ha: Properly sync IKEv1 IV if gateway is initiator

To handle Phase 2 exchanges on the other HA host we need to sync the last
block of the last Phase 1 message (or the last expected IV).  If the
gateway is the initiator of a Main Mode SA the last message is an
inbound message.  When handling such messages the expected IV is not
updated until it is successfully decrypted so we can't sync the IV
when processing the still encrypted (!plain) message.  However, as responder,
i.e. if the last message is an outbound message, the reverse applies, that
is, we get the next IV after successfully encrypting the message, not
while handling the plain message.

Fixes #1267.

6 years agoha: Add DH group to CHILD_ADD message
Tobias Brunner [Tue, 19 Jan 2016 14:00:23 +0000 (15:00 +0100)]
ha: Add DH group to CHILD_ADD message

References #1267.

6 years agoha: Add DH group to IKE_ADD message
Tobias Brunner [Tue, 19 Jan 2016 13:42:17 +0000 (14:42 +0100)]
ha: Add DH group to IKE_ADD message

It is required for IKEv1 to determine the DH group of the CHILD SAs
during rekeying. It also fixes the status output for HA SAs, which so
far haven't shown the DH group on the passive side.

Fixes #1267.

6 years agoike-sa-manager: Don't update entries for init messages after unlocking segment
Tobias Brunner [Mon, 18 Jan 2016 16:33:29 +0000 (17:33 +0100)]
ike-sa-manager: Don't update entries for init messages after unlocking segment

If the retransmit of an initial message is processed concurrently with the
original message it might not have been handled as intended as the
thread processing the retransmit might not have seen the correct value
of entry->processing set by the thread handling the original request.

For IKEv1, i.e. without proper message IDs, there might still be races e.g.
when receiving a retransmit of the initial IKE message while processing the
initiator's second request.

Fixes #1269.

6 years agounit-tests: The pseudonym RDN is now recognized, so use something more exotic
Tobias Brunner [Thu, 28 Jan 2016 14:56:49 +0000 (15:56 +0100)]
unit-tests: The pseudonym RDN is now recognized, so use something more exotic

6 years agoVersion bump to 5.4.0dr5 5.4.0dr5
Andreas Steffen [Thu, 28 Jan 2016 08:41:05 +0000 (09:41 +0100)]
Version bump to 5.4.0dr5

6 years agoSupport pseudonym RDN
Andreas Steffen [Wed, 27 Jan 2016 10:38:18 +0000 (11:38 +0100)]
Support pseudonym RDN

6 years agotesting: Added swanctl/config-payload scenario
Andreas Steffen [Thu, 14 Jan 2016 05:31:28 +0000 (06:31 +0100)]
testing: Added swanctl/config-payload scenario

6 years agotesting: Use include statement in swanctl/rw-pubkey-keyid scenario
Andreas Steffen [Thu, 14 Jan 2016 00:44:17 +0000 (01:44 +0100)]
testing: Use include statement in swanctl/rw-pubkey-keyid scenario

6 years agoVersion bump to 5.4.0dr4 5.4.0dr4
Andreas Steffen [Sun, 10 Jan 2016 00:39:08 +0000 (01:39 +0100)]
Version bump to 5.4.0dr4

6 years agovici: Support multiple named raw ublic keys
Andreas Steffen [Sat, 9 Jan 2016 23:12:57 +0000 (00:12 +0100)]
vici: Support multiple named raw ublic keys

6 years agotesting: swanctl/rw-pubkey-anon uses anonymous public keys in remote access scenario
Andreas Steffen [Tue, 5 Jan 2016 22:54:06 +0000 (23:54 +0100)]
testing: swanctl/rw-pubkey-anon uses anonymous public keys in remote access scenario

6 years agoswanctl: Load pubkeys with load-creds
Andreas Steffen [Tue, 5 Jan 2016 22:52:55 +0000 (23:52 +0100)]
swanctl: Load pubkeys with load-creds

6 years agotesting: added swanctl scenarios net2net-pubkey, rw-pubkey-keyid and rw-dnssec
Andreas Steffen [Tue, 5 Jan 2016 04:35:21 +0000 (05:35 +0100)]
testing: added swanctl scenarios net2net-pubkey, rw-pubkey-keyid and rw-dnssec

6 years agovici: list-cert sends subject, not-before and not-after attributes for pubkeys
Andreas Steffen [Tue, 5 Jan 2016 04:34:12 +0000 (05:34 +0100)]
vici: list-cert sends subject, not-before and not-after attributes for pubkeys

6 years agovici: Support of raw public keys
Andreas Steffen [Mon, 4 Jan 2016 09:34:21 +0000 (10:34 +0100)]
vici: Support of raw public keys

6 years agotesting: Fixed description of swanctl/frags-iv4 scenario
Andreas Steffen [Fri, 8 Jan 2016 23:17:31 +0000 (00:17 +0100)]
testing: Fixed description of swanctl/frags-iv4 scenario

6 years agoswanctl.conf: IKEv2 fragmentation supported
Andreas Steffen [Fri, 8 Jan 2016 23:06:12 +0000 (00:06 +0100)]
swanctl.conf:  IKEv2 fragmentation supported

6 years agoVersion bump to 5.4.0dr3 5.4.0dr3
Andreas Steffen [Sun, 3 Jan 2016 05:28:05 +0000 (06:28 +0100)]
Version bump to 5.4.0dr3

6 years agovici: Enable transport encoding of CERT_TRUSTED_PUBKEY objects
Andreas Steffen [Sun, 3 Jan 2016 02:46:47 +0000 (03:46 +0100)]
vici: Enable transport encoding of CERT_TRUSTED_PUBKEY objects

6 years agotesting: Change sql scenarios to swanctl
Andreas Steffen [Mon, 28 Dec 2015 03:15:27 +0000 (04:15 +0100)]
testing: Change sql scenarios to swanctl

6 years agotesting: Fix some IKEv1 scenarios after listing DH groups for CHILD_SAs
Tobias Brunner [Fri, 18 Dec 2015 14:22:21 +0000 (15:22 +0100)]
testing: Fix some IKEv1 scenarios after listing DH groups for CHILD_SAs

6 years agostroke: List DH groups for CHILD_SA proposals
Tobias Brunner [Fri, 18 Dec 2015 12:51:36 +0000 (13:51 +0100)]
stroke: List DH groups for CHILD_SA proposals

Closes strongswan/strongswan#23.

6 years agovici: Use correct constant when checking for integrity algorithm
Tobias Brunner [Fri, 18 Dec 2015 12:46:24 +0000 (13:46 +0100)]
vici: Use correct constant when checking for integrity algorithm

Currently both have the value 1024 so no real harm done.

6 years agovici: CHILD_SA proposals never contain a PRF
Tobias Brunner [Fri, 18 Dec 2015 12:45:58 +0000 (13:45 +0100)]
vici: CHILD_SA proposals never contain a PRF

6 years Match install used by strongswan.service
Chris Patterson [Fri, 18 Dec 2015 13:31:48 +0000 (08:31 -0500)] Match install used by strongswan.service

Signed-off-by: Chris Patterson <>
Closes strongswan/strongswan#25.

6 years agoconfigure: Support systemd >= 209
Chris Patterson [Fri, 18 Dec 2015 13:27:57 +0000 (08:27 -0500)]
configure: Support systemd >= 209

libsystemd-journal and libsystemd-daemon are now just
part of libsystemd.

Keep original systemd checks as a fallback.

Updates charon-systemd/ accordingly.

Tested on:
- debian wheezy (systemd v44)
- ubuntu 15.10 (systemd v255).

Signed-off-by: Chris Patterson <>
Closes strongswan/strongswan#24.

6 years agovici: allow legacy shortcuts in cert queries
Andreas Steffen [Sat, 19 Dec 2015 09:30:17 +0000 (10:30 +0100)]
vici: allow legacy shortcuts in cert queries

6 years agoVersion bump to 5.4.0dr2 5.4.0dr2
Andreas Steffen [Fri, 18 Dec 2015 14:25:50 +0000 (15:25 +0100)]
Version bump to 5.4.0dr2

6 years agotesting: Fixed description in swanctl/rw-ntru-bliss scenario
Andreas Steffen [Fri, 18 Dec 2015 14:24:59 +0000 (15:24 +0100)]
testing: Fixed description in swanctl/rw-ntru-bliss scenario

6 years agotesting: swanctl is enabled by default
Andreas Steffen [Fri, 18 Dec 2015 14:22:29 +0000 (15:22 +0100)]
testing:  swanctl is enabled by default

6 years agoUse 128 bit security in README.pod examples
Andreas Steffen [Fri, 18 Dec 2015 14:08:33 +0000 (15:08 +0100)]
Use 128 bit security in README.pod examples

6 years agoImprovements to the VICI Perl bindings by Andreas Hofmeister
Andreas Hofmeister [Fri, 18 Dec 2015 13:17:57 +0000 (14:17 +0100)]
Improvements to the VICI Perl bindings by Andreas Hofmeister

-, which was implemented as a source filter, has been deprecated in
  Perl 5.10 and was later removed from the core modules in Perl 5.14 or so.

  Unfortunately, its replacement, the given/when/default construct, has since
  been downgraded to "experimental" status because of problems with the underlying
  "smart-match" operator.

  Thus, as of Perl 5.22, Perl still has no actually usable "switch"-like construct.

  So just use boring, old and ugly "if/elsif/else" constructs instead, which are
  compatible with almost any Perl version.

- None of the Perl modules here does anything that would require "AutoLoader".

- "Exporter" can be used to export plain functions into another modules name
  space. But the things that were exported here are meant to be called as
  methods.  In this case, it is neither necessary nor advisable to export those

  Just export nothing (the POD documentation already said so).

- It is usually the calling script that enables (or does not enable) warnings
  globally. When a module says "use warnings;" however, the caller looses control
  over what warnings should be enabled in that module.

6 years agoconfigure: Enable vici plugin and swanctl by default
Andreas Steffen [Thu, 17 Dec 2015 16:48:09 +0000 (17:48 +0100)]
configure: Enable vici plugin and swanctl by default

6 years agotesting: Added swanctl/rw-ntru-bliss scenario
Andreas Steffen [Thu, 17 Dec 2015 14:45:35 +0000 (15:45 +0100)]
testing: Added swanctl/rw-ntru-bliss scenario

6 years agoApply pubkey and signature constraints in vici plugin
Andreas Steffen [Thu, 17 Dec 2015 12:41:19 +0000 (13:41 +0100)]
Apply pubkey and signature constraints in vici plugin

6 years ago128 bit default security strength for IKE and ESP algorithms
Andreas Steffen [Wed, 16 Dec 2015 06:32:36 +0000 (07:32 +0100)]
128 bit default security strength for IKE and ESP algorithms

The default ESP cipher suite is now
and requires SHA-2 HMAC support in the Linux kernel (correctly implemented
since 2.6.33).

The default IKE cipher suite is now
if the openssl plugin is loaded or
if ECC is not available.

The use of the SHA-1 hash algorithm and the MODP_2048 DH group has been
deprecated and ENCR_CHACHA20_POLY1305 has been added to the default
IKE AEAD algorithms.

6 years agostroke: Fix --utc option for list* commands
Tobias Brunner [Thu, 17 Dec 2015 15:56:20 +0000 (16:56 +0100)]
stroke: Fix --utc option for list* commands

Fixes: dcb168413fa3 ("stroke: Add --daemon option")

6 years agoMerge branch 'command-max-lines'
Tobias Brunner [Wed, 16 Dec 2015 11:28:22 +0000 (12:28 +0100)]
Merge branch 'command-max-lines'

Make sure commands registered in pki and swanctl don't exceed the
maximum number of lines available for their usage summary.

Closes strongswan/strongswan#22.

6 years agoswanctl: Slightly change usage summary for --list-certs
Tobias Brunner [Wed, 16 Dec 2015 11:20:35 +0000 (12:20 +0100)]
swanctl: Slightly change usage summary for --list-certs

6 years agoswanctl: Never print more than MAX_LINES of usage summary
Tobias Brunner [Wed, 16 Dec 2015 10:56:44 +0000 (11:56 +0100)]
swanctl: Never print more than MAX_LINES of usage summary

Print a warning if a registered command exceeds that limit.

6 years agopki: Increase MAX_LINES
Tobias Brunner [Wed, 16 Dec 2015 10:55:14 +0000 (11:55 +0100)]
pki: Increase MAX_LINES

The --issue and --self commands both define 10 lines of usage summary

6 years agopki: Never print more than MAX_LINES of usage summary
Tobias Brunner [Wed, 16 Dec 2015 10:53:01 +0000 (11:53 +0100)]
pki: Never print more than MAX_LINES of usage summary

Print a warning if a registered command exceeds that limit.

6 years agotravis: Enable IPv6 on build hosts
Tobias Brunner [Tue, 15 Dec 2015 09:10:30 +0000 (10:10 +0100)]
travis: Enable IPv6 on build hosts

Since the move to Google Compute Engine (GCE) IPv6 has been disabled
on the build hosts, causing several tests to fail.  Lets try to get at
least local IPv6 connectivity up again.

6 years agolibstrongswan: Updated to current
Tobias Brunner [Mon, 14 Dec 2015 18:05:41 +0000 (19:05 +0100)]
libstrongswan: Updated to current

6 years agoconfigure: Fix typo when enabling CPAN modules as dependency
Tobias Brunner [Mon, 14 Dec 2015 09:45:48 +0000 (10:45 +0100)]
configure: Fix typo when enabling CPAN modules as dependency

Fixes: a17b6d469c10 ("Built the CPAN file structure for the Vici::Session perl module")

6 years ago128 bit default security strength requires 3072 bit prime DH group
Andreas Steffen [Mon, 14 Dec 2015 09:39:40 +0000 (10:39 +0100)]
128 bit default security strength requires 3072 bit prime DH group

6 years agoswanctl --stats lists loaded plugins
Andreas Steffen [Sun, 13 Dec 2015 16:07:28 +0000 (17:07 +0100)]
swanctl --stats lists loaded plugins

6 years agotesting: swanctl/rw-cert scenario tests password-protected RSA key
Andreas Steffen [Sat, 12 Dec 2015 16:12:44 +0000 (17:12 +0100)]
testing: swanctl/rw-cert scenario tests password-protected RSA key

6 years agoUpgraded IKE and ESP proposals in swanctl scenarios to consistent 128 bit security
Andreas Steffen [Sat, 12 Dec 2015 14:54:48 +0000 (15:54 +0100)]
Upgraded IKE and ESP proposals in swanctl scenarios to consistent 128 bit security

6 years agoRefactored certificate management for the vici and stroke interfaces 5.4.0dr1
Andreas Steffen [Fri, 11 Dec 2015 17:24:58 +0000 (18:24 +0100)]
Refactored certificate management for the vici and stroke interfaces

6 years agoModified vici_cert_info class for use with load_creds and vici_cred
Andreas Steffen [Fri, 11 Dec 2015 16:53:40 +0000 (17:53 +0100)]
Modified vici_cert_info class for use with load_creds and vici_cred

6 years agoChanged some certificate_type_names and added x509_flag_names
Andreas Steffen [Wed, 9 Dec 2015 21:33:57 +0000 (22:33 +0100)]
Changed some certificate_type_names and added x509_flag_names

6 years agoRemoved VICI protocol versioning
Andreas Steffen [Wed, 9 Dec 2015 19:39:59 +0000 (20:39 +0100)]
Removed VICI protocol versioning

6 years agoUse of certificate_printer by swanctl --list-certs command
Andreas Steffen [Mon, 7 Dec 2015 20:24:27 +0000 (21:24 +0100)]
Use of certificate_printer by swanctl --list-certs command

6 years agoShare vici_cert_info.c with vici_cred.c
Andreas Steffen [Sat, 5 Dec 2015 22:15:47 +0000 (23:15 +0100)]
Share vici_cert_info.c with vici_cred.c

6 years agoAllow msSmartcardLogon EKU to be built
Andreas Steffen [Fri, 4 Dec 2015 05:55:33 +0000 (06:55 +0100)]
Allow msSmartcardLogon EKU to be built

6 years agoUse VICI 2.0 protocol version for certificate queries
Andreas Steffen [Thu, 3 Dec 2015 10:20:04 +0000 (11:20 +0100)]
Use VICI 2.0 protocol version for certificate queries

6 years agoSort certificate types during enumeration
Andreas Steffen [Thu, 3 Dec 2015 09:23:42 +0000 (10:23 +0100)]
Sort certificate types during enumeration

6 years agoDefine VICI protocol versions
Andreas Steffen [Thu, 3 Dec 2015 09:22:06 +0000 (10:22 +0100)]
Define VICI protocol versions

6 years agotesting: Added swanctl --list-algs output
Andreas Steffen [Tue, 1 Dec 2015 21:26:03 +0000 (22:26 +0100)]
testing: Added swanctl --list-algs output

6 years agotesting: Converted tnc scenarios to swanctl
Andreas Steffen [Mon, 23 Nov 2015 20:35:16 +0000 (21:35 +0100)]
testing: Converted tnc scenarios to swanctl

6 years agovici: Don't report memory usage via leak-detective
Tobias Brunner [Thu, 19 Nov 2015 16:56:06 +0000 (17:56 +0100)]
vici: Don't report memory usage via leak-detective

This slowed down the `swanctl --stats` calls in the test scenarios
significantly, with not much added value.

6 years agotesting: Use expect-connection in swanctl scenarios
Tobias Brunner [Thu, 19 Nov 2015 16:53:31 +0000 (17:53 +0100)]
testing: Use expect-connection in swanctl scenarios

Only in net2net-start do we have to use `sleep` to ensure the SA is
up when the tests are running.

6 years agotesting: The expect-connection helper may use swanctl to check for connections
Tobias Brunner [Thu, 19 Nov 2015 16:49:20 +0000 (17:49 +0100)]
testing: The expect-connection helper may use swanctl to check for connections

Depending on the plugin configuration in the test scenario either
`ipsec statusall` or `swanctl --list-conns` is used to check for a named

6 years agoPrint OCSP single responses
Andreas Steffen [Tue, 8 Dec 2015 20:25:37 +0000 (21:25 +0100)]
Print OCSP single responses

6 years agoStandardized printing of certificate information
Andreas Steffen [Sun, 6 Dec 2015 12:28:03 +0000 (13:28 +0100)]
Standardized printing of certificate information

The certificate_printer class allows the printing of certificate
information to a text file (usually stdout). This class is used
by the pki --print and swanctl --list-certs commands as well as
by the stroke plugin.

6 years agoimv-attestation: Fix memory leaks when creating functional components
Tobias Brunner [Fri, 11 Dec 2015 14:18:38 +0000 (15:18 +0100)]
imv-attestation: Fix memory leaks when creating functional components

6 years agoipsec: Fix stop command on systems where sleep(1) only supports integers
Tobias Brunner [Thu, 10 Dec 2015 10:46:21 +0000 (11:46 +0100)]
ipsec: Fix stop command on systems where sleep(1) only supports integers

Fixes #1231.

6 years agoMerge branch 'vici-undo-on-unload'
Martin Willi [Mon, 7 Dec 2015 09:29:57 +0000 (10:29 +0100)]
Merge branch 'vici-undo-on-unload'

Undo start actions when unloading connections, and add some misc fixes and
extensions to vici connection handling.