4 years agoMerge commit 'derived-keys'
Tobias Brunner [Tue, 4 Oct 2016 08:02:12 +0000 (10:02 +0200)]
Merge commit 'derived-keys'

Adds new listener hooks that work similar to the existing ike|child_keys
hooks but receive the derived IKE and CHILD_SA keys.

4 years agoikev2: Send derived CHILD_SA keys to the bus
Tobias Brunner [Wed, 14 Sep 2016 13:59:32 +0000 (15:59 +0200)]
ikev2: Send derived CHILD_SA keys to the bus

4 years agoikev2: Send derived IKE_SA keys to bus
Tobias Brunner [Wed, 14 Sep 2016 13:42:11 +0000 (15:42 +0200)]
ikev2: Send derived IKE_SA keys to bus

4 years agoikev1: Send derived CHILD_SA keys to the bus
Tobias Brunner [Wed, 14 Sep 2016 13:57:21 +0000 (15:57 +0200)]
ikev1: Send derived CHILD_SA keys to the bus

4 years agoikev1: Send derived IKE_SA keys to bus
Tobias Brunner [Wed, 14 Sep 2016 13:40:36 +0000 (15:40 +0200)]
ikev1: Send derived IKE_SA keys to bus

4 years agobus: Add new hooks for derived IKE_SA and CHILD_SA keys
Tobias Brunner [Wed, 14 Sep 2016 10:07:33 +0000 (12:07 +0200)]
bus: Add new hooks for derived IKE_SA and CHILD_SA keys

4 years agonm: Remove dummy TUN device
Tobias Brunner [Tue, 20 Sep 2016 09:45:16 +0000 (11:45 +0200)]
nm: Remove dummy TUN device

Recent NM releases don't insist on getting a device back from VPN

4 years agonm: Fix comment in service file in /etc/NetworkManager/VPN
Tobias Brunner [Mon, 19 Sep 2016 13:03:10 +0000 (15:03 +0200)]
nm: Fix comment in service file in /etc/NetworkManager/VPN

4 years agonm: Remove generated service file in `make clean`
Tobias Brunner [Mon, 19 Sep 2016 12:56:51 +0000 (14:56 +0200)]
nm: Remove generated service file in `make clean`

4 years agonm: Don't add generated AppStream metadata to tarball
Tobias Brunner [Mon, 19 Sep 2016 12:53:19 +0000 (14:53 +0200)]
nm: Don't add generated AppStream metadata to tarball

4 years agobus: Fix maximum log levels when mixing log/vlog implementing loggers
Tobias Brunner [Thu, 22 Sep 2016 13:51:09 +0000 (15:51 +0200)]
bus: Fix maximum log levels when mixing log/vlog implementing loggers

The maximum would not get set correctly when a logger is removed and the
first remaining logger in the list (the one with the highest log level) does
e.g. only implement vlog() while there are other loggers that implement log().
This would result in only max_vlevel getting set correctly while max_level
would incorrectly get set to -1 so that log() would not get called for any
of the loggers anymore.

References #574.

4 years agokernel-netlink: Pass zero mark to kernel if mask is set
Tobias Brunner [Mon, 29 Aug 2016 14:39:18 +0000 (16:39 +0200)]
kernel-netlink: Pass zero mark to kernel if mask is set

The kernel will apply the mask to the mark on the packet and then
compare it to the configured mark.  So to match only unmarked packets we
have to be able to set 0/0xffffffff.

4 years agokernel-netlink: Support configuring XFRM policy hashing thresholds
Tobias Brunner [Wed, 21 Sep 2016 08:16:00 +0000 (10:16 +0200)]
kernel-netlink: Support configuring XFRM policy hashing thresholds

If the number of flows over a gateway exceeds the flow cache size of the Linux
kernel, policy lookup gets very expensive. Policies covering more than a single
address don't get hash-indexed by default, which results in wasting most of
the cycles in xfrm_policy_lookup_bytype() and its xfrm_policy_match() use.
Starting with several hundred policies the overhead gets inacceptable.

Starting with Linux 3.18, Linux can hash the first n-bit of a policy subnet
to perform indexed lookup. With correctly chosen netbits, this can completely
eliminate the performance impact of policy lookups, freeing the resources
for ESP crypto.

WARNING: Due to a bug in kernels 3.19 through 4.7, the kernel crashes with a
NULL pointer dereference if a socket policy is installed while hash thresholds
are changed.  And because the hashtable rebuild triggered by the threshold
change that causes this is scheduled it might also happen if the socket
policies are seemingly installed after setting the thresholds.
The fix for this bug - 6916fb3b10b3 ("xfrm: Ignore socket policies when
rebuilding hash tables") - is included since 4.8 (and might get backported).
As a workaround `charon.plugins.kernel-netlink.port_bypass` may be enabled
to replace the socket policies that allow IKE traffic with port specific
bypass policies.

4 years agoinclude: Update xfrm.h to Linux v4.3
Martin Willi [Mon, 7 Dec 2015 09:55:25 +0000 (10:55 +0100)]
include: Update xfrm.h to Linux v4.3

We strip the newly introduced <linux/in6.h> include, as this clashes with the
<netinet/in6.h> include.

4 years agoMerge branch 'fwd-out-policies-optional'
Tobias Brunner [Wed, 28 Sep 2016 15:57:57 +0000 (17:57 +0200)]
Merge branch 'fwd-out-policies-optional'

This makes the FWD policies in the out direction  optional (disabled by
default).  They may be enabled (e.g. if conflicting drop policies are
used) via the policies_fwd_out swanctl.conf option.

4 years agochild-sa: Only install outbound FWD policies if explicitly configured
Tobias Brunner [Thu, 18 Aug 2016 13:09:08 +0000 (15:09 +0200)]
child-sa: Only install outbound FWD policies if explicitly configured

They are only required if drop policies would otherwise prevent
forwarding traffic.  This reduces the number of policies and avoids
conflicts e.g. with SPD hash thresholds.

4 years agotesting: Enable outbound FWD policies in swanctl/manual-prio scenario
Tobias Brunner [Thu, 18 Aug 2016 15:09:15 +0000 (17:09 +0200)]
testing: Enable outbound FWD policies in swanctl/manual-prio scenario

4 years agovici: Make installation of outbound FWD policies configurable
Tobias Brunner [Thu, 18 Aug 2016 14:22:51 +0000 (16:22 +0200)]
vici: Make installation of outbound FWD policies configurable

4 years agochild-cfg: Add setting that controls whether outbound FWD policies are installed
Tobias Brunner [Thu, 18 Aug 2016 14:11:34 +0000 (16:11 +0200)]
child-cfg: Add setting that controls whether outbound FWD policies are installed

4 years agokernel-netlink: Update cached reqid when updating policies
Tobias Brunner [Thu, 18 Aug 2016 11:00:41 +0000 (13:00 +0200)]
kernel-netlink: Update cached reqid when updating policies

4 years agotesting: Added swanctl/net2net-multicast scenario
Andreas Steffen [Tue, 27 Sep 2016 09:45:00 +0000 (11:45 +0200)]
testing: Added swanctl/net2net-multicast scenario

4 years agotesting: Added ikev2/net2net-multicast scenario
Andreas Steffen [Wed, 13 Jul 2016 21:50:51 +0000 (23:50 +0200)]
testing: Added ikev2/net2net-multicast scenario

4 years agotravis: Use a more recent OS X image
Tobias Brunner [Fri, 23 Sep 2016 08:08:13 +0000 (10:08 +0200)]
travis: Use a more recent OS X image

Using the xcode8 image does not work currently (libcurl is not found).

4 years agoVersion bump to 5.5.1dr5 5.5.1dr5
Andreas Steffen [Thu, 22 Sep 2016 15:36:37 +0000 (17:36 +0200)]
Version bump to 5.5.1dr5

4 years agotesting: Added swanctl/net2net-sha3-rsa-cert and swanctl/rw-eap-tls-sha3-rsa scenarios
Andreas Steffen [Thu, 22 Sep 2016 12:28:36 +0000 (14:28 +0200)]
testing: Added swanctl/net2net-sha3-rsa-cert and swanctl/rw-eap-tls-sha3-rsa scenarios

4 years agogmp: Support of SHA-3 RSA signatures
Andreas Steffen [Thu, 22 Sep 2016 06:50:43 +0000 (08:50 +0200)]
gmp: Support of SHA-3 RSA signatures

4 years agobliss sampler unit-test: Fixed enumeration type
Andreas Steffen [Thu, 22 Sep 2016 08:46:39 +0000 (10:46 +0200)]
bliss sampler unit-test: Fixed enumeration type

4 years agobliss: bliss_sampler expects XOF type
Andreas Steffen [Thu, 22 Sep 2016 07:23:47 +0000 (09:23 +0200)]
bliss: bliss_sampler expects XOF type

4 years agounit-tests: MGF1 tests depend on an XOF implementation not just a hash function
Tobias Brunner [Wed, 21 Sep 2016 16:36:28 +0000 (18:36 +0200)]
unit-tests: MGF1 tests depend on an XOF implementation not just a hash function

If the mgf1 plugin was not enabled (e.g. with the default configure
options) the tests failed.

4 years agoVersion bump to 5.5.1dr4 5.5.1dr4
Andreas Steffen [Wed, 21 Sep 2016 12:14:42 +0000 (14:14 +0200)]
Version bump to 5.5.1dr4

4 years agomgf1: Refactored MGF1 as an XOF
Andreas Steffen [Tue, 20 Sep 2016 20:01:07 +0000 (22:01 +0200)]
mgf1: Refactored MGF1 as an XOF

4 years agoleak-detective: Fix compile warning due to unused variable if LD is disabled
Tobias Brunner [Tue, 20 Sep 2016 15:24:52 +0000 (17:24 +0200)]
leak-detective: Fix compile warning due to unused variable if LD is disabled

4 years agoMerge branch 'testing-leak-detective'
Tobias Brunner [Tue, 20 Sep 2016 14:26:58 +0000 (16:26 +0200)]
Merge branch 'testing-leak-detective'

Test scenarios now fail if any leaks are detected by the leak detective.
Several leaks found this way have been fixed.

4 years agoleak-detective: Whitelist thread ID getter
Tobias Brunner [Tue, 13 Sep 2016 15:28:21 +0000 (17:28 +0200)]
leak-detective: Whitelist thread ID getter

In case an external thread calls into our code and logs messages, a thread
object is allocated that will never be released.  Even if we try to clean
up the object via thread value destructor there is no guarantee that the
thread actually terminates before we check for leaks, which seems to be the
case for the Ada Tasking threads.

4 years agocharon-tkm: Build C code with debug information
Tobias Brunner [Tue, 13 Sep 2016 15:17:09 +0000 (17:17 +0200)]
charon-tkm: Build C code with debug information

4 years agoleak-detective: Whitelist functions of the Ada runtime related to Tasking
Tobias Brunner [Tue, 13 Sep 2016 14:28:01 +0000 (16:28 +0200)]
leak-detective: Whitelist functions of the Ada runtime related to Tasking

4 years agocharon-tkm: Free name of the PID file
Tobias Brunner [Tue, 13 Sep 2016 14:27:12 +0000 (16:27 +0200)]
charon-tkm: Free name of the PID file

4 years agocharon-tkm: Deinitialize tkm before libstrongswan
Tobias Brunner [Tue, 13 Sep 2016 14:24:30 +0000 (16:24 +0200)]
charon-tkm: Deinitialize tkm before libstrongswan

In particular because of leak-detective.

4 years agoleak-detective: Whitelist some glib/libsoup functions
Tobias Brunner [Tue, 13 Sep 2016 13:38:43 +0000 (15:38 +0200)]
leak-detective: Whitelist some glib/libsoup functions

Some of these are pretty broad, so maybe an alternative option is to
not use the soup plugin in the openssl-ikev2/rw-suite-b* scenarios.  But
the plugin is not tested anywhere else so lets go with this for now.

4 years agotesting: Use curl instead of soup plugin in libipsec/rw-suite-b scenario
Tobias Brunner [Tue, 13 Sep 2016 13:34:02 +0000 (15:34 +0200)]
testing: Use curl instead of soup plugin in libipsec/rw-suite-b scenario

The soup plugin is already used in the openssl-ikev2/rw-suite-b*

4 years agoeap-peap: Fix memory leaks when handling tunneled methods
Tobias Brunner [Tue, 13 Sep 2016 12:27:54 +0000 (14:27 +0200)]
eap-peap: Fix memory leaks when handling tunneled methods

4 years agoipseckey: Properly free enumerated certificates
Tobias Brunner [Tue, 13 Sep 2016 12:19:59 +0000 (14:19 +0200)]
ipseckey: Properly free enumerated certificates

4 years agoipseckey: Properly free public key after creating certificate
Tobias Brunner [Tue, 13 Sep 2016 12:15:41 +0000 (14:15 +0200)]
ipseckey: Properly free public key after creating certificate

4 years agodnscert: Properly free enumerated certificates
Tobias Brunner [Tue, 13 Sep 2016 12:13:47 +0000 (14:13 +0200)]
dnscert: Properly free enumerated certificates

4 years agounbound: Avoid unnecessary cloning of RR list that caused a memory leak
Tobias Brunner [Tue, 13 Sep 2016 12:12:49 +0000 (14:12 +0200)]
unbound: Avoid unnecessary cloning of RR list that caused a memory leak

4 years agounbound: Fix memory leak
Tobias Brunner [Tue, 13 Sep 2016 12:12:29 +0000 (14:12 +0200)]
unbound: Fix memory leak

4 years agopool: Fix (known) memory leak when querying leases
Tobias Brunner [Tue, 13 Sep 2016 10:33:27 +0000 (12:33 +0200)]
pool: Fix (known) memory leak when querying leases

4 years agoleak-detective: Whitelist leak in libldap
Tobias Brunner [Tue, 13 Sep 2016 10:27:33 +0000 (12:27 +0200)]
leak-detective: Whitelist leak in libldap

4 years agotesting: Fix totals if post test checks fail
Tobias Brunner [Tue, 13 Sep 2016 10:26:55 +0000 (12:26 +0200)]
testing: Fix totals if post test checks fail

4 years agotesting: Log leaks and fail tests if any are detected
Tobias Brunner [Tue, 13 Sep 2016 09:50:09 +0000 (11:50 +0200)]
testing: Log leaks and fail tests if any are detected

4 years agoleak-detective: Optionally write report to a log file
Tobias Brunner [Tue, 13 Sep 2016 08:06:28 +0000 (10:06 +0200)]
leak-detective: Optionally write report to a log file

4 years agovici: Fix indention of flush_certs() method in Python bindings
Tobias Brunner [Tue, 20 Sep 2016 11:26:03 +0000 (13:26 +0200)]
vici: Fix indention of flush_certs() method in Python bindings

4 years agotravis: Run 32-bit Windows build on precise (12.04) image
Tobias Brunner [Tue, 20 Sep 2016 12:30:22 +0000 (14:30 +0200)]
travis: Run 32-bit Windows build on precise (12.04) image

That's required due to a bug in MinGW 3.1.0 that's shipped with trusty.

4 years agotravis: Properly pass back result of make
Tobias Brunner [Tue, 20 Sep 2016 11:19:33 +0000 (13:19 +0200)]
travis: Properly pass back result of make

Fixes: 4e8f5a189cce ("travis: Add apidoc check")

4 years agotravis: Don't disable connmark and forecast plugins anymore
Tobias Brunner [Tue, 20 Sep 2016 09:51:59 +0000 (11:51 +0200)]
travis: Don't disable connmark and forecast plugins anymore

They build fine on Ubuntu 14.04.

4 years agoMerge branch 'maemo-bye-bye'
Tobias Brunner [Thu, 15 Sep 2016 16:35:53 +0000 (18:35 +0200)]
Merge branch 'maemo-bye-bye'

Removes the code and helper files related to the unused and unmaintained
Maemo port.

4 years agopackages: Remove obsolete Maemo packaging files
Tobias Brunner [Tue, 6 Sep 2016 14:15:31 +0000 (16:15 +0200)]
packages: Remove obsolete Maemo packaging files

4 years agomaemo: Remove unused plugin
Tobias Brunner [Tue, 6 Sep 2016 14:14:47 +0000 (16:14 +0200)]
maemo: Remove unused plugin

4 years agomaemo: Remove obsolete status/settings applet
Tobias Brunner [Tue, 6 Sep 2016 14:12:51 +0000 (16:12 +0200)]
maemo: Remove obsolete status/settings applet

4 years agoswanctl: Add man page entry for flush-certs command 5.5.1dr3
Tobias Brunner [Thu, 15 Sep 2016 09:58:51 +0000 (11:58 +0200)]
swanctl: Add man page entry for flush-certs command

4 years agoVersion bump to 5.5.1dr3
Andreas Steffen [Thu, 15 Sep 2016 09:45:17 +0000 (11:45 +0200)]
Version bump to 5.5.1dr3

4 years agoMerge branch 'flush-certs'
Andreas Steffen [Thu, 15 Sep 2016 09:39:16 +0000 (11:39 +0200)]
Merge branch 'flush-certs'

4 years agovici: flush-certs command flushes certificate cache
Andreas Steffen [Thu, 8 Sep 2016 09:59:02 +0000 (11:59 +0200)]
vici:  flush-certs command flushes certificate cache

When fresh CRLs are released with a high update frequency (e.g.
every 24 hours) or OCSP is used then the certificate cache gets
quickly filled with stale CRLs or OCSP responses. The new VICI
flush-certs command allows to flush e.g. cached CRLs or OCSP
responses only. Without the type argument all kind of certificates
(e.g. also received end entity and intermediate CA certificates)
are purged.

4 years agoauth-cfg-wrapper: Fix memory leak with hash-and-URL certificates
Tobias Brunner [Mon, 12 Sep 2016 09:54:49 +0000 (11:54 +0200)]
auth-cfg-wrapper: Fix memory leak with hash-and-URL certificates

We wrap the auth-cfg object and its contents, so there is no need to get
an additional reference for the enumerated certificate.

Fixes a44bb9345f04 ("merged multi-auth branch back into trunk")

4 years agotesting: Add output of iptables-save
Tobias Brunner [Fri, 9 Sep 2016 16:04:48 +0000 (18:04 +0200)]
testing: Add output of iptables-save

This might be helpful to get the complete picture of the installed
rules.  `-c` is currently not used as the counters that are added in
front of every rule make the output quite hard to read and the counters
are already provided in the accompanying `iptables -v -L` output.

Fixes #2111.

4 years agotesting: List `nat` and `mangle` tables in addition to the `filter` table
Tobias Brunner [Fri, 9 Sep 2016 15:24:05 +0000 (17:24 +0200)]
testing: List `nat` and `mangle` tables in addition to the `filter` table

This is useful in scenarios that e.g. use NAT and/or marks.

References #2111.

4 years agotesting: Ignore comments (lines starting with #) in pre-/eval-/posttest.dat
Tobias Brunner [Fri, 9 Sep 2016 10:18:34 +0000 (12:18 +0200)]
testing: Ignore comments (lines starting with #) in pre-/eval-/posttest.dat

4 years agoikev2: (Re-)Queue tasks used to establish an IKE_SA in reset()
Tobias Brunner [Wed, 24 Aug 2016 09:34:36 +0000 (11:34 +0200)]
ikev2: (Re-)Queue tasks used to establish an IKE_SA in reset()

Some tasks might get removed immediately once the IKE_SA_INIT response has
been handled even if there were notifies that require a restart of the
IKE_SA (e.g. COOKIE or INVALID_KE_PAYLOAD).  Such a task is ike_vendor,
which caused vendor IDs not to get sent in a retry.  This change ensures
all required tasks are queued after the reset, which some callers did
already anyway.

4 years agoikev2: Store proposal on IKE_SA before creating DH object
Tobias Brunner [Tue, 5 Jul 2016 12:56:25 +0000 (14:56 +0200)]
ikev2: Store proposal on IKE_SA before creating DH object

This might be useful for custom implementations of keymat_t.

4 years agotravis: Add apidoc check
Tobias Brunner [Thu, 30 Jun 2016 08:34:54 +0000 (10:34 +0200)]
travis: Add apidoc check

This requires at least Ubuntu 14.04 (the Doxygen version in 12.04 has some
issues with our Doxyfile and prints lots of warnings).

4 years agotravis: Use Trusty beta image
Tobias Brunner [Thu, 25 Aug 2016 12:04:22 +0000 (14:04 +0200)]
travis: Use Trusty beta image

4 years agonm: Updated NEWS
Tobias Brunner [Mon, 5 Sep 2016 14:01:25 +0000 (16:01 +0200)]
nm: Updated NEWS

4 years agoMerge branch 'nm-1.2'
Tobias Brunner [Mon, 5 Sep 2016 13:41:51 +0000 (15:41 +0200)]
Merge branch 'nm-1.2'

Provides fixes and changes for compatibility with current NM releases.

Closes strongswan/strongswan#15.
Fixes #797.

4 years agonm: Pass external gateway to NM
Tobias Brunner [Mon, 5 Sep 2016 12:34:07 +0000 (14:34 +0200)]
nm: Pass external gateway to NM

This seems to be required by newer versions.

4 years agonm: Update auth-dialog
Tobias Brunner [Mon, 5 Sep 2016 08:58:16 +0000 (10:58 +0200)]
nm: Update auth-dialog

This updates the auth dialog so that passwords are properly retrieved
(e.g. for the nm-applet).  It also adds support for external UI mode and
properly handles secret flags.

4 years agonm: Enforce min. length for PSKs in backend
Tobias Brunner [Mon, 5 Sep 2016 08:54:07 +0000 (10:54 +0200)]
nm: Enforce min. length for PSKs in backend

4 years agonm: Add minimum length constraint for PSK passwords in connection editor
Tobias Brunner [Thu, 21 Apr 2016 15:46:02 +0000 (17:46 +0200)]
nm: Add minimum length constraint for PSK passwords in connection editor

We already have this restriction in the auth-dialog.

4 years agonm: Bump minor version to 1.4.0
Lubomir Rintel [Wed, 21 Oct 2015 11:06:42 +0000 (13:06 +0200)]
nm: Bump minor version to 1.4.0

This is probably a good idea to do to signal there's significant changes in
dependencies to the distro package maintainers with libnm port and associated

4 years agonm: Bump to GTK+ 3.0
Lubomir Rintel [Wed, 21 Oct 2015 11:04:14 +0000 (13:04 +0200)]
nm: Bump to GTK+ 3.0

It's been released years ago; we depend on newer stuff than that now.

4 years agonm: Replace libgnomeui with libnma for password dialog
Lubomir Rintel [Wed, 21 Oct 2015 09:29:25 +0000 (11:29 +0200)]
nm: Replace libgnomeui with libnma for password dialog

libgnomeui is long deprecated.

There's one functional difference: the choice to save the passwords is gone.
The password flags and saved password should be set in the preferences dialog,
but this commit does not fix that.

4 years agonm: Grey out the unneeded authentication options
Lubomir Rintel [Tue, 29 Mar 2016 20:33:30 +0000 (22:33 +0200)]
nm: Grey out the unneeded authentication options

Hiding and showing the items is not ideal, since it leaves the spacing
in place and the layout gets really messy.

4 years agonm: Add a widget for setting a password
Lubomir Rintel [Tue, 29 Mar 2016 18:07:04 +0000 (20:07 +0200)]
nm: Add a widget for setting a password

It was only possible to set the password from the authentication dialog,
which is not ideal; as it requires a connection attempt.

This adds an input entry along with a primary icon from libnma/libnm-gtk
which allows selecting the backend and flags for the password (system, session
agent, always ask or empty).

4 years agonm: Port to libnm
Lubomir Rintel [Wed, 21 Oct 2015 09:23:57 +0000 (11:23 +0200)]
nm: Port to libnm

4 years agonm: Check for libnm
Lubomir Rintel [Wed, 21 Oct 2015 08:56:23 +0000 (10:56 +0200)]
nm: Check for libnm

libnm replaces libnm-glib. This will make sense with port to libnm and is done
to reduce line noise in that commit.

4 years agonm: Build two plugin binaries from the single source
Lubomir Rintel [Wed, 21 Oct 2015 08:36:54 +0000 (10:36 +0200)]
nm: Build two plugin binaries from the single source

They're both the same now. We'll port the new one to libnm in follow-up commits.

NetworkManager 1.2 (which is currently versioned as 1.1.0) is going to bring
some new ABI while still supporting the old one. There's new VPN service and
UI plugin APIs in libnm.

There's one difficulty though -- the connection editor 1.2 will be linked
against libnm and a new libnma library it will provide (as opposed to
libnm-glib and libnm-gtk), thus will be incapable of loading of property
plugins that are linked with the old libraries (due to glib type system

However, we must not break support for other connection editors (GNOME control
center, older versions of nm-connection-editor, etc.) therefore we need
to build two versions of the property plugin. NetworkManager 1.2's libnm will
provide a shim that makes it easy.

4 years agoMerge branch 'nm-updates'
Tobias Brunner [Mon, 5 Sep 2016 13:33:40 +0000 (15:33 +0200)]
Merge branch 'nm-updates'

Provides several fixes and cleanups for the NM build (does not include
fixes for recent NM versions).

Closes strongswan/strongswan#39.

4 years agonm: Version bumb to 1.3.2
Tobias Brunner [Wed, 6 Apr 2016 16:20:12 +0000 (18:20 +0200)]
nm: Version bumb to 1.3.2

4 years agonm: Remove incorrect top-level GtkWindow
Tobias Brunner [Wed, 6 Apr 2016 16:18:29 +0000 (18:18 +0200)]
nm: Remove incorrect top-level GtkWindow

Fixes #1013.

4 years agonm: Replace libgnomekeyring with libsecret
Lubomir Rintel [Tue, 29 Mar 2016 17:33:26 +0000 (19:33 +0200)]
nm: Replace libgnomekeyring with libsecret

The former is deprecated and the newer API is nicer anyway.

4 years agonm: Drop useless calls to AC_SUBST
Lubomir Rintel [Wed, 21 Oct 2015 08:54:18 +0000 (10:54 +0200)]
nm: Drop useless calls to AC_SUBST

PKG_CHECK_MODULES does the substitutions.

4 years agonm: Drop some unneeded dependencies
Lubomir Rintel [Wed, 21 Oct 2015 10:35:59 +0000 (12:35 +0200)]
nm: Drop some unneeded dependencies

4 years agonm: Install the .name file into /usr/lib/NetworkManager/VPN
Lubomir Rintel [Fri, 23 Oct 2015 09:29:42 +0000 (11:29 +0200)]
nm: Install the .name file into /usr/lib/NetworkManager/VPN

It's the preferred location for system-provided plugins.

A compatible file in /etc is still kept. Also, the compatibility /etc
file needs to use a full path due to a bug in GNOME Shell.

The full path to a arch-dependent file in a supposedly arch-independent
file is a sin and a multilib violation in some distributions. However.
some pre-release versions of NetworkManager-1.2 as shipped by
distributions require a full path. Let's keep a configure-time option
for that.

4 years agonm: Automatically determine NM plugin directory
Tobias Brunner [Fri, 29 Jul 2016 16:22:19 +0000 (18:22 +0200)]
nm: Automatically determine NM plugin directory

4 years agonm: Automatically determine path to the auth dialog
Lubomir Rintel [Sat, 23 Apr 2016 08:51:43 +0000 (10:51 +0200)]
nm: Automatically determine path to the auth dialog

4 years agonm: Don't do <deny send_interface="..." /> in dbus service file
Lubomir Rintel [Sat, 16 Apr 2016 18:39:45 +0000 (20:39 +0200)]
nm: Don't do <deny send_interface="..." /> in dbus service file

It does more than intended; apart from denying messages to that
particular interface it also denies all messages non-qualified with an
interface globally. This blocks messages completely unrelated to
strongSwan's VPN plugin, such as NetworkManager communication with the
VPN plugins.

From the dbus-daemon manual:

  Be careful with send_interface/receive_interface, because the
  interface field in messages is optional. In particular, do NOT
  specify <deny send_interface=""/>! This will cause
  no-interface messages to be blocked for all services, which is
  almost certainly not what you intended. Always use rules of the form:

  <deny send_interface="" send_destination=""/>

We can just safely remove those rules, since we're sufficiently
protected by the send_destination matches and method calls are
disallowed by default anyway.

Closes strongswan/strongswan#42.

4 years agonm: Move the D-Bus policy to charon-nm
Lubomir Rintel [Wed, 21 Oct 2015 10:55:03 +0000 (12:55 +0200)]
nm: Move the D-Bus policy to charon-nm

It's needed for useful use of charon-nm, unlike the GUI.

4 years agonm: Add AppStream metadata
Lubomir Rintel [Thu, 14 Apr 2016 11:59:34 +0000 (13:59 +0200)]
nm: Add AppStream metadata

This will ensure the strongSwan NetworkManager plugin will be easily
installable from the app stores such as GNOME Software.

Closes strongswan/strongswan#41.

4 years agopt-tls-client: Added support of ECDSA keys
Andreas Steffen [Wed, 31 Aug 2016 15:06:47 +0000 (17:06 +0200)]
pt-tls-client: Added support of ECDSA keys

4 years agolibimcv: No need to load AIK pubkey if AIK certificate is available
Andreas Steffen [Wed, 31 Aug 2016 14:12:47 +0000 (16:12 +0200)]
libimcv: No need to load AIK pubkey if AIK certificate is available

4 years agoswanctl: Document how DH groups in CHILD_SA proposals are applied
Tobias Brunner [Wed, 31 Aug 2016 09:44:11 +0000 (11:44 +0200)]
swanctl: Document how DH groups in CHILD_SA proposals are applied

References #1039.