strongswan.git
3 years agostroke: List DH groups for CHILD_SA proposals
Tobias Brunner [Fri, 18 Dec 2015 12:51:36 +0000 (13:51 +0100)]
stroke: List DH groups for CHILD_SA proposals

Closes strongswan/strongswan#23.

3 years agovici: Use correct constant when checking for integrity algorithm
Tobias Brunner [Fri, 18 Dec 2015 12:46:24 +0000 (13:46 +0100)]
vici: Use correct constant when checking for integrity algorithm

Currently both have the value 1024 so no real harm done.

3 years agovici: CHILD_SA proposals never contain a PRF
Tobias Brunner [Fri, 18 Dec 2015 12:45:58 +0000 (13:45 +0100)]
vici: CHILD_SA proposals never contain a PRF

3 years agostrongswan-swanctl.service.in: Match install used by strongswan.service
Chris Patterson [Fri, 18 Dec 2015 13:31:48 +0000 (08:31 -0500)]
strongswan-swanctl.service.in: Match install used by strongswan.service

Signed-off-by: Chris Patterson <pattersonc@ainfosec.com>
Closes strongswan/strongswan#25.

3 years agoconfigure: Support systemd >= 209
Chris Patterson [Fri, 18 Dec 2015 13:27:57 +0000 (08:27 -0500)]
configure: Support systemd >= 209

libsystemd-journal and libsystemd-daemon are now just
part of libsystemd.

Keep original systemd checks as a fallback.

Updates charon-systemd/Makefile.am accordingly.

Tested on:
- debian wheezy (systemd v44)
- ubuntu 15.10 (systemd v255).

Signed-off-by: Chris Patterson <pattersonc@ainfosec.com>
Closes strongswan/strongswan#24.

3 years agovici: allow legacy shortcuts in cert queries
Andreas Steffen [Sat, 19 Dec 2015 09:30:17 +0000 (10:30 +0100)]
vici: allow legacy shortcuts in cert queries

3 years agoVersion bump to 5.4.0dr2 5.4.0dr2
Andreas Steffen [Fri, 18 Dec 2015 14:25:50 +0000 (15:25 +0100)]
Version bump to 5.4.0dr2

3 years agotesting: Fixed description in swanctl/rw-ntru-bliss scenario
Andreas Steffen [Fri, 18 Dec 2015 14:24:59 +0000 (15:24 +0100)]
testing: Fixed description in swanctl/rw-ntru-bliss scenario

3 years agotesting: swanctl is enabled by default
Andreas Steffen [Fri, 18 Dec 2015 14:22:29 +0000 (15:22 +0100)]
testing:  swanctl is enabled by default

3 years agoUse 128 bit security in README.pod examples
Andreas Steffen [Fri, 18 Dec 2015 14:08:33 +0000 (15:08 +0100)]
Use 128 bit security in README.pod examples

3 years agoImprovements to the VICI Perl bindings by Andreas Hofmeister
Andreas Hofmeister [Fri, 18 Dec 2015 13:17:57 +0000 (14:17 +0100)]
Improvements to the VICI Perl bindings by Andreas Hofmeister

- Switch.pm, which was implemented as a source filter, has been deprecated in
  Perl 5.10 and was later removed from the core modules in Perl 5.14 or so.

  Unfortunately, its replacement, the given/when/default construct, has since
  been downgraded to "experimental" status because of problems with the underlying
  "smart-match" operator.

  Thus, as of Perl 5.22, Perl still has no actually usable "switch"-like construct.

  So just use boring, old and ugly "if/elsif/else" constructs instead, which are
  compatible with almost any Perl version.

- None of the Perl modules here does anything that would require "AutoLoader".

- "Exporter" can be used to export plain functions into another modules name
  space. But the things that were exported here are meant to be called as
  methods.  In this case, it is neither necessary nor advisable to export those
  symbols.

  Just export nothing (the POD documentation already said so).

- It is usually the calling script that enables (or does not enable) warnings
  globally. When a module says "use warnings;" however, the caller looses control
  over what warnings should be enabled in that module.

3 years agoconfigure: Enable vici plugin and swanctl by default
Andreas Steffen [Thu, 17 Dec 2015 16:48:09 +0000 (17:48 +0100)]
configure: Enable vici plugin and swanctl by default

3 years agotesting: Added swanctl/rw-ntru-bliss scenario
Andreas Steffen [Thu, 17 Dec 2015 14:45:35 +0000 (15:45 +0100)]
testing: Added swanctl/rw-ntru-bliss scenario

3 years agoApply pubkey and signature constraints in vici plugin
Andreas Steffen [Thu, 17 Dec 2015 12:41:19 +0000 (13:41 +0100)]
Apply pubkey and signature constraints in vici plugin

3 years ago128 bit default security strength for IKE and ESP algorithms
Andreas Steffen [Wed, 16 Dec 2015 06:32:36 +0000 (07:32 +0100)]
128 bit default security strength for IKE and ESP algorithms

The default ESP cipher suite is now
    AES_CBC-128/HMAC_SHA2_256_128
and requires SHA-2 HMAC support in the Linux kernel (correctly implemented
since 2.6.33).

The default IKE cipher suite is now
   AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
if the openssl plugin is loaded or
   AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
if ECC is not available.

The use of the SHA-1 hash algorithm and the MODP_2048 DH group has been
deprecated and ENCR_CHACHA20_POLY1305 has been added to the default
IKE AEAD algorithms.

3 years agostroke: Fix --utc option for list* commands
Tobias Brunner [Thu, 17 Dec 2015 15:56:20 +0000 (16:56 +0100)]
stroke: Fix --utc option for list* commands

Fixes: dcb168413fa3 ("stroke: Add --daemon option")

3 years agoMerge branch 'command-max-lines'
Tobias Brunner [Wed, 16 Dec 2015 11:28:22 +0000 (12:28 +0100)]
Merge branch 'command-max-lines'

Make sure commands registered in pki and swanctl don't exceed the
maximum number of lines available for their usage summary.

Closes strongswan/strongswan#22.

3 years agoswanctl: Slightly change usage summary for --list-certs
Tobias Brunner [Wed, 16 Dec 2015 11:20:35 +0000 (12:20 +0100)]
swanctl: Slightly change usage summary for --list-certs

3 years agoswanctl: Never print more than MAX_LINES of usage summary
Tobias Brunner [Wed, 16 Dec 2015 10:56:44 +0000 (11:56 +0100)]
swanctl: Never print more than MAX_LINES of usage summary

Print a warning if a registered command exceeds that limit.

3 years agopki: Increase MAX_LINES
Tobias Brunner [Wed, 16 Dec 2015 10:55:14 +0000 (11:55 +0100)]
pki: Increase MAX_LINES

The --issue and --self commands both define 10 lines of usage summary
text.

3 years agopki: Never print more than MAX_LINES of usage summary
Tobias Brunner [Wed, 16 Dec 2015 10:53:01 +0000 (11:53 +0100)]
pki: Never print more than MAX_LINES of usage summary

Print a warning if a registered command exceeds that limit.

3 years agotravis: Enable IPv6 on build hosts
Tobias Brunner [Tue, 15 Dec 2015 09:10:30 +0000 (10:10 +0100)]
travis: Enable IPv6 on build hosts

Since the move to Google Compute Engine (GCE) IPv6 has been disabled
on the build hosts, causing several tests to fail.  Lets try to get at
least local IPv6 connectivity up again.

3 years agolibstrongswan: Updated Android.mk to current Makefile.am
Tobias Brunner [Mon, 14 Dec 2015 18:05:41 +0000 (19:05 +0100)]
libstrongswan: Updated Android.mk to current Makefile.am

3 years agoconfigure: Fix typo when enabling CPAN modules as dependency
Tobias Brunner [Mon, 14 Dec 2015 09:45:48 +0000 (10:45 +0100)]
configure: Fix typo when enabling CPAN modules as dependency

Fixes: a17b6d469c10 ("Built the CPAN file structure for the Vici::Session perl module")

3 years ago128 bit default security strength requires 3072 bit prime DH group
Andreas Steffen [Mon, 14 Dec 2015 09:39:40 +0000 (10:39 +0100)]
128 bit default security strength requires 3072 bit prime DH group

3 years agoswanctl --stats lists loaded plugins
Andreas Steffen [Sun, 13 Dec 2015 16:07:28 +0000 (17:07 +0100)]
swanctl --stats lists loaded plugins

3 years agotesting: swanctl/rw-cert scenario tests password-protected RSA key
Andreas Steffen [Sat, 12 Dec 2015 16:12:44 +0000 (17:12 +0100)]
testing: swanctl/rw-cert scenario tests password-protected RSA key

3 years agoUpgraded IKE and ESP proposals in swanctl scenarios to consistent 128 bit security
Andreas Steffen [Sat, 12 Dec 2015 14:54:48 +0000 (15:54 +0100)]
Upgraded IKE and ESP proposals in swanctl scenarios to consistent 128 bit security

3 years agoRefactored certificate management for the vici and stroke interfaces 5.4.0dr1
Andreas Steffen [Fri, 11 Dec 2015 17:24:58 +0000 (18:24 +0100)]
Refactored certificate management for the vici and stroke interfaces

3 years agoModified vici_cert_info class for use with load_creds and vici_cred
Andreas Steffen [Fri, 11 Dec 2015 16:53:40 +0000 (17:53 +0100)]
Modified vici_cert_info class for use with load_creds and vici_cred

3 years agoChanged some certificate_type_names and added x509_flag_names
Andreas Steffen [Wed, 9 Dec 2015 21:33:57 +0000 (22:33 +0100)]
Changed some certificate_type_names and added x509_flag_names

3 years agoRemoved VICI protocol versioning
Andreas Steffen [Wed, 9 Dec 2015 19:39:59 +0000 (20:39 +0100)]
Removed VICI protocol versioning

3 years agoUse of certificate_printer by swanctl --list-certs command
Andreas Steffen [Mon, 7 Dec 2015 20:24:27 +0000 (21:24 +0100)]
Use of certificate_printer by swanctl --list-certs command

3 years agoShare vici_cert_info.c with vici_cred.c
Andreas Steffen [Sat, 5 Dec 2015 22:15:47 +0000 (23:15 +0100)]
Share vici_cert_info.c with vici_cred.c

3 years agoAllow msSmartcardLogon EKU to be built
Andreas Steffen [Fri, 4 Dec 2015 05:55:33 +0000 (06:55 +0100)]
Allow msSmartcardLogon EKU to be built

3 years agoUse VICI 2.0 protocol version for certificate queries
Andreas Steffen [Thu, 3 Dec 2015 10:20:04 +0000 (11:20 +0100)]
Use VICI 2.0 protocol version for certificate queries

3 years agoSort certificate types during enumeration
Andreas Steffen [Thu, 3 Dec 2015 09:23:42 +0000 (10:23 +0100)]
Sort certificate types during enumeration

3 years agoDefine VICI protocol versions
Andreas Steffen [Thu, 3 Dec 2015 09:22:06 +0000 (10:22 +0100)]
Define VICI protocol versions

3 years agotesting: Added swanctl --list-algs output
Andreas Steffen [Tue, 1 Dec 2015 21:26:03 +0000 (22:26 +0100)]
testing: Added swanctl --list-algs output

3 years agotesting: Converted tnc scenarios to swanctl
Andreas Steffen [Mon, 23 Nov 2015 20:35:16 +0000 (21:35 +0100)]
testing: Converted tnc scenarios to swanctl

3 years agovici: Don't report memory usage via leak-detective
Tobias Brunner [Thu, 19 Nov 2015 16:56:06 +0000 (17:56 +0100)]
vici: Don't report memory usage via leak-detective

This slowed down the `swanctl --stats` calls in the test scenarios
significantly, with not much added value.

3 years agotesting: Use expect-connection in swanctl scenarios
Tobias Brunner [Thu, 19 Nov 2015 16:53:31 +0000 (17:53 +0100)]
testing: Use expect-connection in swanctl scenarios

Only in net2net-start do we have to use `sleep` to ensure the SA is
up when the tests are running.

3 years agotesting: The expect-connection helper may use swanctl to check for connections
Tobias Brunner [Thu, 19 Nov 2015 16:49:20 +0000 (17:49 +0100)]
testing: The expect-connection helper may use swanctl to check for connections

Depending on the plugin configuration in the test scenario either
`ipsec statusall` or `swanctl --list-conns` is used to check for a named
connection.

3 years agoPrint OCSP single responses
Andreas Steffen [Tue, 8 Dec 2015 20:25:37 +0000 (21:25 +0100)]
Print OCSP single responses

3 years agoStandardized printing of certificate information
Andreas Steffen [Sun, 6 Dec 2015 12:28:03 +0000 (13:28 +0100)]
Standardized printing of certificate information

The certificate_printer class allows the printing of certificate
information to a text file (usually stdout). This class is used
by the pki --print and swanctl --list-certs commands as well as
by the stroke plugin.

3 years agoimv-attestation: Fix memory leaks when creating functional components
Tobias Brunner [Fri, 11 Dec 2015 14:18:38 +0000 (15:18 +0100)]
imv-attestation: Fix memory leaks when creating functional components

3 years agoipsec: Fix stop command on systems where sleep(1) only supports integers
Tobias Brunner [Thu, 10 Dec 2015 10:46:21 +0000 (11:46 +0100)]
ipsec: Fix stop command on systems where sleep(1) only supports integers

Fixes #1231.

3 years agoMerge branch 'vici-undo-on-unload'
Martin Willi [Mon, 7 Dec 2015 09:29:57 +0000 (10:29 +0100)]
Merge branch 'vici-undo-on-unload'

Undo start actions when unloading connections, and add some misc fixes and
extensions to vici connection handling.

3 years agovici: Fix documentation about the initiate/terminate timeout
Martin Willi [Tue, 1 Dec 2015 08:26:40 +0000 (09:26 +0100)]
vici: Fix documentation about the initiate/terminate timeout

3 years agovici: Honor an optionally passed IKE configuration name in initiate/install
Martin Willi [Thu, 5 Nov 2015 09:09:00 +0000 (10:09 +0100)]
vici: Honor an optionally passed IKE configuration name in initiate/install

If two IKE configurations have CHILD configurations with the same name,
we have no control about the CHILD_SA that actually gets controlled. The
new "ike" parameter specifies the peer config name to find the "child" config
under.

3 years agovici: Support completely asynchronous initiating and termination
Martin Willi [Thu, 5 Nov 2015 09:04:35 +0000 (10:04 +0100)]
vici: Support completely asynchronous initiating and termination

In some situations the vici client is not interested in waiting for a
timeout at all, so don't register a logging callback if the timeout argument
is negative.

3 years agovici: Use an empty local auth round if none given
Martin Willi [Wed, 4 Nov 2015 16:04:11 +0000 (17:04 +0100)]
vici: Use an empty local auth round if none given

While it hardly makes sense to use none for negotiated SAs, it actually does
when installing shunt policies.

3 years agovici: Limit start action undoing to IKE_SAs using the base peer config name
Martin Willi [Wed, 4 Nov 2015 15:03:14 +0000 (16:03 +0100)]
vici: Limit start action undoing to IKE_SAs using the base peer config name

If two peer configs use the same child config names, potentailly delete
the wrong CHILD_SA. Check the peer config name as well to avoid that.

3 years agovici: Close empty IKE_SAs after undoing CHILD_SA start actions
Martin Willi [Wed, 4 Nov 2015 12:25:51 +0000 (13:25 +0100)]
vici: Close empty IKE_SAs after undoing CHILD_SA start actions

3 years agovici: Use value based array to store CHILD_SA ids during restart
Martin Willi [Fri, 4 Dec 2015 08:05:31 +0000 (09:05 +0100)]
vici: Use value based array to store CHILD_SA ids during restart

The previous approach stored a pointer to a volatile stack variable, which
works for a single ID, but not for multiple.

3 years agoarray: Add an insert/create function for value based arrays
Martin Willi [Fri, 4 Dec 2015 08:02:28 +0000 (09:02 +0100)]
array: Add an insert/create function for value based arrays

3 years agovici: Undo start actions when unloading configs
Martin Willi [Wed, 4 Nov 2015 12:25:07 +0000 (13:25 +0100)]
vici: Undo start actions when unloading configs

3 years agoconf: Add support for escaping dots in section/option names
Tobias Brunner [Wed, 2 Dec 2015 17:09:29 +0000 (18:09 +0100)]
conf: Add support for escaping dots in section/option names

3 years agovici: Fix clean-local target for Perl bindings if they were not built
Tobias Brunner [Fri, 4 Dec 2015 10:21:19 +0000 (11:21 +0100)]
vici: Fix clean-local target for Perl bindings if they were not built

This is called when running `make distclean` (or indirectly via `make
distcheck`).

3 years agobyteorder: Provide a fallback for le32toh/htole32()
Martin Willi [Tue, 10 Nov 2015 07:12:35 +0000 (08:12 +0100)]
byteorder: Provide a fallback for le32toh/htole32()

Some older toolchains don't provide these macros, so implement them using
the gcc builtins. We also provide 64-bit variants as used by chapoly.

3 years agobyteorder: Add 32-bit unaligned little-endian conversion functions
Martin Willi [Tue, 10 Nov 2015 06:57:48 +0000 (07:57 +0100)]
byteorder: Add 32-bit unaligned little-endian conversion functions

3 years agoswanctl: Explicitly link against -lpthread and -ldl if required
Martin Willi [Mon, 9 Nov 2015 16:17:16 +0000 (17:17 +0100)]
swanctl: Explicitly link against -lpthread and -ldl if required

We already do this for charon, as some toolchains require an explicit
link even if libstrongswan already depends on it.

3 years agopki: Explicitly link against -lpthread and -ldl if required
Martin Willi [Mon, 9 Nov 2015 16:15:17 +0000 (17:15 +0100)]
pki: Explicitly link against -lpthread and -ldl if required

We already do this for charon, as some toolchains require an explicit
link even if libstrongswan already depends on it.

3 years agoconfigure: Link against potential -ldl when checking for OpenSSL libcrypto
Martin Willi [Mon, 9 Nov 2015 16:11:21 +0000 (17:11 +0100)]
configure: Link against potential -ldl when checking for OpenSSL libcrypto

3 years agowatcher: Check for cancellation if poll() fails with EINTR
Martin Willi [Tue, 10 Nov 2015 08:42:46 +0000 (09:42 +0100)]
watcher: Check for cancellation if poll() fails with EINTR

With LinuxThreads, poll() is unfortunately no cancellation point. It seems
that poll gets woken up after cancellation, but we actively must check
for cancellation before re-entering poll to properly shut down the watcher
thread.

3 years agoVersion bump to 5.4.0dr1
Andreas Steffen [Tue, 1 Dec 2015 14:06:23 +0000 (15:06 +0100)]
Version bump to 5.4.0dr1

3 years agoAdded Vici:Session Perl CPAN module to NEWS
Andreas Steffen [Tue, 1 Dec 2015 14:02:18 +0000 (15:02 +0100)]
Added Vici:Session Perl CPAN module to NEWS

3 years agoExtended and refactored vici perl implementation
Andreas Steffen [Tue, 17 Nov 2015 20:20:15 +0000 (21:20 +0100)]
Extended and refactored vici perl implementation

3 years agoBuilt the CPAN file structure for the Vici::Session perl module
Andreas Steffen [Tue, 17 Nov 2015 12:32:54 +0000 (13:32 +0100)]
Built the CPAN file structure for the Vici::Session perl module

3 years agoImplement vici Perl binding
Andreas Steffen [Mon, 16 Nov 2015 19:08:30 +0000 (20:08 +0100)]
Implement vici Perl binding

3 years agotesting: Some more timing fixes
Andreas Steffen [Thu, 26 Nov 2015 10:35:56 +0000 (11:35 +0100)]
testing: Some more timing fixes

3 years agoswanctl: Add --list-algs command to query loaded algorithms
Tobias Brunner [Thu, 19 Nov 2015 15:01:05 +0000 (16:01 +0100)]
swanctl:  Add --list-algs command to query loaded algorithms

3 years agovici: Add get-algorithms command to query loaded algorithms and implementations
Tobias Brunner [Thu, 19 Nov 2015 15:00:19 +0000 (16:00 +0100)]
vici: Add get-algorithms command to query loaded algorithms and implementations

3 years agoNEWS: Added changes since 5.3.4 5.3.5
Tobias Brunner [Thu, 26 Nov 2015 07:13:54 +0000 (08:13 +0100)]
NEWS: Added changes since 5.3.4

3 years agoVersion bump to 5.3.5
Andreas Steffen [Thu, 26 Nov 2015 08:56:10 +0000 (09:56 +0100)]
Version bump to 5.3.5

3 years agotesting: Updated expired mars.strongswan.org certificate
Andreas Steffen [Thu, 26 Nov 2015 08:55:28 +0000 (09:55 +0100)]
testing: Updated expired mars.strongswan.org certificate

3 years agotravis: Enable OS X build
Tobias Brunner [Mon, 16 Nov 2015 15:44:03 +0000 (16:44 +0100)]
travis: Enable OS X build

3 years agosigwaitinfo() may fail with EINTR if interrupted by an unblocked signal not in the set
Tobias Brunner [Thu, 19 Nov 2015 10:21:48 +0000 (11:21 +0100)]
sigwaitinfo() may fail with EINTR if interrupted by an unblocked signal not in the set

Fixes #1213.

3 years agokernel-pfkey: Enable ENCR_CAMELLIA_CBC when it's available
Tobias Brunner [Mon, 23 Nov 2015 10:17:02 +0000 (11:17 +0100)]
kernel-pfkey: Enable ENCR_CAMELLIA_CBC when it's available

Fixes #1214.

3 years agoman: Update description of the actions performed for different dpdaction values
Tobias Brunner [Wed, 18 Nov 2015 13:51:13 +0000 (14:51 +0100)]
man: Update description of the actions performed for different dpdaction values

For instance, charon does not unroute `auto=route` connections with
`dpdaction=clear`.

3 years agoutils: Use the more low-level __NR_ prefix to refer to the syscall number
Tobias Brunner [Tue, 17 Nov 2015 16:21:36 +0000 (17:21 +0100)]
utils: Use the more low-level __NR_ prefix to refer to the syscall number

The __NR_ constants are also defined in the Android headers.

3 years agoeap-radius: Add ability to configure RADIUS retransmission behavior
Thom Troy [Sat, 7 Nov 2015 17:53:50 +0000 (17:53 +0000)]
eap-radius: Add ability to configure RADIUS retransmission behavior

Closes strongswan/strongswan#19.

3 years agoVersion bump to 5.4.0dr1
Andreas Steffen [Mon, 16 Nov 2015 15:36:50 +0000 (16:36 +0100)]
Version bump to 5.4.0dr1

3 years agoVersion bump to 5.3.4 5.3.4
Andreas Steffen [Mon, 16 Nov 2015 12:22:25 +0000 (13:22 +0100)]
Version bump to 5.3.4

3 years agoNEWS: Add info about CVE-2015-8023
Tobias Brunner [Thu, 12 Nov 2015 14:35:52 +0000 (15:35 +0100)]
NEWS: Add info about CVE-2015-8023

3 years agoeap-mschapv2: Keep internal state to prevent authentication from succeeding prematurely
Tobias Brunner [Thu, 29 Oct 2015 10:23:33 +0000 (11:23 +0100)]
eap-mschapv2: Keep internal state to prevent authentication from succeeding prematurely

We can't allow a client to send us MSCHAPV2_SUCCESS messages before it
was authenticated successfully.

Fixes CVE-2015-8023.

4 years agoandroid: Suppress compiler warnings about missing field initializers
Tobias Brunner [Fri, 13 Nov 2015 17:22:48 +0000 (18:22 +0100)]
android: Suppress compiler warnings about missing field initializers

Triggered by -Wextra for many INIT usages where we only partially
initialize a struct.

4 years agoutils: Provide a fallback for sigwaitinfo() if needed
Tobias Brunner [Fri, 13 Nov 2015 14:46:27 +0000 (15:46 +0100)]
utils: Provide a fallback for sigwaitinfo() if needed

Apparently, not available on Mac OS X 10.10 Yosemite. We don't provide
this on Windows.

4 years agotesting: Error messages of curl plugin have changed 5.3.4rc1
Andreas Steffen [Fri, 13 Nov 2015 12:59:39 +0000 (13:59 +0100)]
testing: Error messages of curl plugin have changed

4 years agotesting: Fixed another timing issue
Andreas Steffen [Fri, 13 Nov 2015 12:58:57 +0000 (13:58 +0100)]
testing: Fixed another timing issue

4 years agoVersion bump to 5.3.4rc1
Andreas Steffen [Fri, 13 Nov 2015 11:18:28 +0000 (12:18 +0100)]
Version bump to 5.3.4rc1

4 years agoinit: Make sure basic networking is up in systemd unit
Tobias Brunner [Fri, 13 Nov 2015 09:20:11 +0000 (10:20 +0100)]
init: Make sure basic networking is up in systemd unit

Connections with auto=route might otherwise not work.

References #1188.

4 years agovici: Attribute certificates are not trusted
Tobias Brunner [Tue, 10 Nov 2015 14:24:07 +0000 (15:24 +0100)]
vici: Attribute certificates are not trusted

4 years agovici: Properly add CRLs to the credential set
Tobias Brunner [Tue, 10 Nov 2015 14:20:16 +0000 (15:20 +0100)]
vici: Properly add CRLs to the credential set

add_crl() ensures that old CLRs are not stored in the credential set.

4 years agomode-config: Reassign migrated virtual IP if client requests %any
Tobias Brunner [Tue, 13 Oct 2015 10:10:42 +0000 (12:10 +0200)]
mode-config: Reassign migrated virtual IP if client requests %any

If we mistakenly detect a new IKE_SA as a reauthentication the client
won't request the previous virtual IP, but since we already migrated
it we already triggered the assign_vips() hook, so we should reassign
the migrated virtual IP.

Fixes #1152.

4 years agorevocation: Allow CRLs to be encoded in PEM format
Tobias Brunner [Wed, 11 Nov 2015 13:26:00 +0000 (14:26 +0100)]
revocation: Allow CRLs to be encoded in PEM format

Since the textual representation for a CRL is now standardized
in RFC 7468 one could argue that we should accept that too, even
though RFC 5280 explicitly demands CRLs fetched via HTTP/FTP to
be in DER format.  But in particular for file URIs enforcing that
seems inconvenient.

Fixes #1203.

4 years agocurl: Be less strict when considering status codes as errors
Tobias Brunner [Wed, 11 Nov 2015 14:20:00 +0000 (15:20 +0100)]
curl: Be less strict when considering status codes as errors

For file:// URIs the code is 0 on success. We now do the same libcurl
would do with CURLOPT_FAILONERROR enabled.

Fixes #1203.

4 years agoeap-radius: Compare address family when handing out virtual IPs
Tobias Brunner [Tue, 10 Nov 2015 08:42:23 +0000 (09:42 +0100)]
eap-radius: Compare address family when handing out virtual IPs

This also ensures that the actually released virtual IP is removed from
the list of claimed IPs.

Fixes #1199.

4 years agoMerge branch 'eap-mschapv2-eap-identity'
Tobias Brunner [Thu, 12 Nov 2015 13:22:28 +0000 (14:22 +0100)]
Merge branch 'eap-mschapv2-eap-identity'

This replaces the EAP-Identity with the EAP-MSCHAPv2 username, which
ensures the client is known with an authenticated identity.  Previously
a client with a valid username could use a different identity (e.g. the
name of a different user) in the EAP-Identity exchange.  Since we use
the EAP-Identity for uniqueness checks etc. this could be problematic.
The EAP-MSCHAPv2 username is now explicitly logged if it is different
from the EAP-Identity (or IKE identity).

Fixes #1182.

4 years agoeap-mschapv2: Report username if different from EAP-Identity (or IKE identity)
Tobias Brunner [Thu, 5 Nov 2015 13:07:49 +0000 (14:07 +0100)]
eap-mschapv2: Report username if different from EAP-Identity (or IKE identity)