3 months agoopenssl: Fix potential crash with ECDH on Windows
Tobias Brunner [Tue, 26 Jan 2021 18:33:24 +0000 (19:33 +0100)]
openssl: Fix potential crash with ECDH on Windows

Apparently, we should use OPENSSL_free() to release memory allocated by
OpenSSL.  While it generally maps to free() that's apparently not the
case on Windows, where the ECP test vectors caused `ACCESS_VIOLATION
exception` crashes (not always the same vector).

Fixes: 74e02ff5e624 ("openssl: Mainly use EVP interface for ECDH")

3 months agoopenssl: Avoid conflicts with wincrypt.h on Windows
Tobias Brunner [Tue, 26 Jan 2021 10:17:20 +0000 (11:17 +0100)]
openssl: Avoid conflicts with wincrypt.h on Windows

There are several conflicts with newer versions of OpenSSL (> 1.0).

3 months agoappveyor: Also build against newer OpenSSL versions
Tobias Brunner [Tue, 26 Jan 2021 09:25:03 +0000 (10:25 +0100)]
appveyor: Also build against newer OpenSSL versions

The original version is 1.0.2, which we keep as that version is not in
use on other platforms anymore.

3 months agoEnable Windows CI build of pkcs11 plugin
Michał Skalski [Sun, 24 Jan 2021 20:30:41 +0000 (21:30 +0100)]
Enable Windows CI build of pkcs11 plugin

3 months agopkcs11: Fix build on Windows
Michał Skalski [Sun, 24 Jan 2021 20:14:57 +0000 (21:14 +0100)]
pkcs11: Fix build on Windows

Windows provides CreateMutexA/W with an alias called CreateMutex that
selects one of the other two based on the UNICODE constant.

3 months agogithub: Enable farp plugin on macOS
Tobias Brunner [Tue, 19 Jan 2021 16:04:58 +0000 (17:04 +0100)]
github: Enable farp plugin on macOS

3 months agocirrus: Build farp plugin on FreeBSD
Tobias Brunner [Tue, 19 Jan 2021 16:03:56 +0000 (17:03 +0100)]
cirrus: Build farp plugin on FreeBSD

3 months agofarp: Add support for macOS and FreeBSD
Dan James [Sun, 20 Dec 2020 00:04:16 +0000 (19:04 -0500)]
farp: Add support for macOS and FreeBSD

Co-authored-by: Tobias Brunner <>
Closes strongswan/strongswan#189.
References #3498.

3 months agoMerge branch 'openssl-ecp'
Tobias Brunner [Wed, 20 Jan 2021 16:54:42 +0000 (17:54 +0100)]
Merge branch 'openssl-ecp'

Uses the EVP interface for ECDH with newer OpenSSL versions, which,
compared to the previous low-level use of EC_POINT_mul() supports
hardware offloading.  We used this because of the ecp_x_coordinate_only
option, which is now removed as it's been obsolete for a long time and
complicated the code.  There is still some legacy code for OpenSSL 1.0
and the old BoringSSL version we currently use for the Android app.

Closes strongswan/strongswan#186.

3 months agoopenssl: Mainly use EVP interface for ECDH
Tobias Brunner [Tue, 1 Dec 2020 10:45:05 +0000 (11:45 +0100)]
openssl: Mainly use EVP interface for ECDH

Functions like ECDH_compute_key() will be removed with OpenSSL 3 (which
will require additional changes as other functions will be deprecated or
removed too).

3 months agoopenssl: Extract helper function to derive a shared DH secret
Tobias Brunner [Tue, 1 Dec 2020 10:43:40 +0000 (11:43 +0100)]
openssl: Extract helper function to derive a shared DH secret

3 months agoRemove the ecp_x_coordinate_only option
Tobias Brunner [Tue, 1 Dec 2020 09:13:30 +0000 (10:13 +0100)]
Remove the ecp_x_coordinate_only option

This was for compatibility with very old releases and only complicates
things unnecessarily nowadays.

3 months agoopenssl: Use ECDH_compute_key() for 'x-coordinate only' setting
Mahantesh Salimath [Mon, 30 Nov 2020 22:03:03 +0000 (22:03 +0000)]
openssl: Use ECDH_compute_key() for 'x-coordinate only' setting

ECDH_compute_key() was not used because it only gives x-coordinate of
the result. However, the default setting, as per the errata mentioned,
is to use x-coordinate only.
Use ECDH_compute_key() for this setting as it additionally allows HW
offload of the computation using dynamic engine feature in OpenSSL.
EC_POINT_mul() doesn't allow HW offload.

Signed-off-by: Mahantesh Salimath <>
3 months agoRevert "nm: Remove dummy TUN device"
Tobias Brunner [Mon, 30 Nov 2020 10:48:07 +0000 (11:48 +0100)]
Revert "nm: Remove dummy TUN device"

This reverts commit a28c6269a4aeb5369fed8933fa1baf0cd8847622.

We add a dummy TUN device again because systemd-resolved insists on
managing DNS servers per interface.

Fixes #3615.

3 months agoload-tester: Correctly encode serial of generated client certificates
Tobias Brunner [Fri, 8 Jan 2021 09:06:06 +0000 (10:06 +0100)]
load-tester: Correctly encode serial of generated client certificates

The previous approach would lead to additional zero prefixes in the
encoding of the serial (which is a positive integer, not an arbitrary

Fixes #3667.

3 months agoidentification: Change abbreviation for surname/serialNumber RDNs
Коренберг Марк [Wed, 15 Jul 2020 08:25:56 +0000 (13:25 +0500)]
identification: Change abbreviation for surname/serialNumber RDNs

To align with RFC 4519, section 2.31/32, the abbreviation for surname
is changed to "SN" that was previously used for serialNumber, which does
not have an abbreviation.

This mapping had its origins in the X.509 patch for FreeS/WAN that was
started in 2000.  It was aligned with how OpenSSL did this in earlier
versions.  However, there it was changed already in March 2002 (commit
ffbe98b7630d604263cfb1118c67ca2617a8e222) to make it compatible with
RFC 2256 (predecessor of RFC 4519).

Co-authored-by: Tobias Brunner <>
Closes strongswan/strongswan#179.

3 months agovici: Decode error messages in Python bindings
Tobias Brunner [Wed, 13 Jan 2021 13:41:50 +0000 (14:41 +0100)]
vici: Decode error messages in Python bindings

Otherwise we might end up with b'<errmsg>' in the output.

3 months agomem-pool: Be less strict when reassigning existing online leases
Tobias Brunner [Tue, 24 Nov 2020 08:24:25 +0000 (09:24 +0100)]
mem-pool: Be less strict when reassigning existing online leases

Also assign online leases to a peer connecting from the same endpoint
when it requests any virtual IP.  This is mainly a workaround for
Windows clients that remember the virtual IPv6 address and re-request it
the next time the connection is initiated (even if it is not a
reauthentication) but don't do the same for virtual IPv4 addresses.
This can result in duplicate policies with different reqids because
these are allocated for unique sets of traffic selectors.

Fixes #3541.

3 months agoMerge branch 'ike-update-event'
Tobias Brunner [Mon, 18 Jan 2021 12:31:01 +0000 (13:31 +0100)]
Merge branch 'ike-update-event'

This modifies the signature of the listener_t::ike_update() callback so
that both addresses are passed and it's only called once if both
addresses change (e.g. for an address family switch).

The callback is now also triggered for MOBIKE updates and the event is
exposed via vici.

Fixes #3602.

3 months agovici: Expose ike-update event
Tobias Brunner [Thu, 22 Oct 2020 17:12:39 +0000 (19:12 +0200)]
vici: Expose ike-update event

3 months agoike-mobike: Use ike_sa_t::update_hosts() to trigger events
Tobias Brunner [Tue, 27 Oct 2020 16:18:41 +0000 (17:18 +0100)]
ike-mobike: Use ike_sa_t::update_hosts() to trigger events

We should trigger the ike_update() event for MOBIKE updates and since
update_hosts() updates the children we can reuse that code too.

3 months agoike-sa: Add flags to force updating hosts/CHILD_SAs
Tobias Brunner [Tue, 27 Oct 2020 18:06:21 +0000 (19:06 +0100)]
ike-sa: Add flags to force updating hosts/CHILD_SAs

This allows more fine grained control over what's updated and does not
require multiple calls of the method. Plus we'll be able to use it in
the ike-mobike task.

3 months agobus: Change ike_update() signature and only call it once
Tobias Brunner [Tue, 27 Oct 2020 16:02:21 +0000 (17:02 +0100)]
bus: Change ike_update() signature and only call it once

This avoids multiple events when both addresses change (e.g. switching
address families).

3 months agotesting: Add scenarios that use a CA with two intermediate CA certificates
Tobias Brunner [Tue, 15 Dec 2020 17:07:28 +0000 (18:07 +0100)]
testing: Add scenarios that use a CA with two intermediate CA certificates

Mainly to test TKM's ability for handling multiple CAs and that the
received intermediate CA certificates are passed in the right order.
But also added a regular scenario where two intermediate CA certificates
are sent by one of the clients.

3 months agocharon-tkm: Don't use starter/stroke with charon-tkm anymore
Tobias Brunner [Tue, 24 Nov 2020 16:33:13 +0000 (17:33 +0100)]
charon-tkm: Don't use starter/stroke with charon-tkm anymore

For the tests, the unused init script that was used before switching to
charon-systemd is repurposed to manage the daemon.

4 months agocharon-tkm: Deinitialize IKE tkm-rpc client
Tobias Brunner [Mon, 9 Nov 2020 14:54:00 +0000 (15:54 +0100)]
charon-tkm: Deinitialize IKE tkm-rpc client

This is necessary if tkm-rpc supports multiple parallel client requests.

4 months agocharon-tkm: Remove -gnat05 option not supported by newer compilers
Tobias Brunner [Mon, 9 Nov 2020 14:52:54 +0000 (15:52 +0100)]
charon-tkm: Remove -gnat05 option not supported by newer compilers

4 months agocharon-tkm: Reverse cert chain processing order
Adrian-Ken Rueegsegger [Thu, 22 Oct 2020 17:11:32 +0000 (19:11 +0200)]
charon-tkm: Reverse cert chain processing order

Verify certificate chains starting from the root CA certificate and
moving towards the leaf/user certificate.

Also update TKM-RPC and TKM in testing scripts to version supporting the
reworked CC handling.

4 months agotesting: Use latest TKM RPC library
Adrian-Ken Rueegsegger [Wed, 21 Oct 2020 15:35:12 +0000 (17:35 +0200)]
testing: Use latest TKM RPC library

Brings some cleanups and minor improvements.

4 months agotesting: Use multi-CA aware TKM
Adrian-Ken Rueegsegger [Fri, 25 Sep 2020 16:36:34 +0000 (18:36 +0200)]
testing: Use multi-CA aware TKM

Also add CA ID to tkm_keymanager command.

4 months agotesting: Add CA ID mappings to TKM tests
Adrian-Ken Rueegsegger [Fri, 25 Sep 2020 08:47:46 +0000 (10:47 +0200)]
testing: Add CA ID mappings to TKM tests

Extend the build-certs-chroot script is to fill in the public key
fingerprint of the CA certificate in the appropriate strongswan.con

4 months agocharon-tkm: Add support for multiple CAs
Adrian-Ken Rueegsegger [Wed, 23 Sep 2020 16:59:23 +0000 (18:59 +0200)]
charon-tkm: Add support for multiple CAs

Load CA certificate id mapping from config and pass the correct CA ID to
TKM when checking certificate chains. The mapping of CA certificate to
CA ID is done via SHA-1 hash of the CA certificates subjectPublicKey.

4 months agocharon-tkm: Register TKM cred encoder before init
Adrian-Ken Rueegsegger [Mon, 28 Sep 2020 15:39:18 +0000 (17:39 +0200)]
charon-tkm: Register TKM cred encoder before init

Make sure the credential encoder is available early to allow getting
public key fingerprints.

4 months agotesting: Switch to https for codelabs recipes
Adrian-Ken Rueegsegger [Fri, 25 Sep 2020 16:36:25 +0000 (18:36 +0200)]
testing: Switch to https for codelabs recipes

4 months agotesting: Explicitly encode backing image format in metadata 5.9.2dr1
Tobias Brunner [Fri, 8 Jan 2021 10:08:49 +0000 (11:08 +0100)]
testing: Explicitly encode backing image format in metadata

Apparently, there is no probing anymore in newer versions of qemu due
to security considerations.

4 months agoVersion bump to 5.9.2dr1
Andreas Steffen [Fri, 8 Jan 2021 09:34:48 +0000 (10:34 +0100)]
Version bump to 5.9.2dr1

4 months agoimc_attestation: Fixed double free of tpm_version_info chunk
Andreas Steffen [Thu, 7 Jan 2021 11:59:20 +0000 (12:59 +0100)]
imc_attestation: Fixed double free of tpm_version_info chunk

4 months agotpm: Intel FW TPM always uses locality 0
Andreas Steffen [Thu, 31 Dec 2020 15:00:59 +0000 (16:00 +0100)]
tpm: Intel FW TPM always uses locality 0

4 months agolibimcv: Support symlinks introduced by usrmerge
Andreas Steffen [Wed, 30 Dec 2020 09:16:57 +0000 (10:16 +0100)]
libimcv: Support symlinks introduced by usrmerge

Debian, Ubuntu, Fedora et. al. started to apply usrmerge to their
latest Linux distributions, i.e.  /bin, /sbin, and /lib are now
symbolical links to /usr/bin, /usr/sbin, and /usr/lib, respectively.
Since executables and libraries are contained only once in Linux
packages (e.g. /bin/cp in coreutils but not /usr/bin/cp) this leads
to missing file measurments due to the symlinks when doing remote

The new ita_attr_symlinks PA-TNC attribute fixes this problem by
collecting symbolic links pointing to directories on the client

4 months agolibimcv: Evaluate IMA SHA-256 measurements
Andreas Steffen [Thu, 17 Dec 2020 11:14:23 +0000 (12:14 +0100)]
libimcv: Evaluate IMA SHA-256 measurements

4 months agogithub: Bump wolfSSL to 4.6.0
Tobias Brunner [Mon, 4 Jan 2021 13:47:52 +0000 (14:47 +0100)]
github: Bump wolfSSL to 4.6.0

Also enables Brainpool curves (this only enables the BP curves, while
--enable-ecccustcurves=all would also enable several others we don't support).

4 months agowolfssl: Disable ECC curves based on minimum ECC key size
Tobias Brunner [Mon, 4 Jan 2021 14:24:54 +0000 (15:24 +0100)]
wolfssl: Disable ECC curves based on minimum ECC key size

wolfSSL 4.6.0 provides a new option to configure the minimum ECC key
size (--with-eccminsz), which currently defaults to 224 bits.

4 months agowolfssl: Correctly enable Brainpool curves
Tobias Brunner [Mon, 4 Jan 2021 14:58:59 +0000 (15:58 +0100)]
wolfssl: Correctly enable Brainpool curves

4 months agoconfigure: Fixed test for imv_swima
Andreas Steffen [Thu, 24 Dec 2020 12:08:49 +0000 (13:08 +0100)]
configure: Fixed test for imv_swima

4 months agocirrus: Build against tpm2-tss on FreeBSD
Tobias Brunner [Mon, 14 Dec 2020 14:01:38 +0000 (15:01 +0100)]
cirrus: Build against tpm2-tss on FreeBSD

This was enabled in the port too.

4 months agoIgnore verbose parser generator output file more generally
Tobias Brunner [Mon, 14 Dec 2020 16:52:06 +0000 (17:52 +0100)]
Ignore verbose parser generator output file more generally

Depending on from where bison is called, the file might not end up in
the same directory as the .y file, but the location of the Makefile.
This has been seen on FreeBSD.

4 months agoReplace two deprecated parser generator directives
Tobias Brunner [Mon, 14 Dec 2020 10:36:21 +0000 (11:36 +0100)]
Replace two deprecated parser generator directives

There is a conflict between Flex's bison-bridge and Bison's api.prefix
options.  Apparently, the former was added without consulting the Bison
devs and requires YYSTYPE, which is not added to the header anymore by
the latter.  Instead, we just provide the proper definition of yyflex()
manually (as recommended by the Bison docs), so the option is not
required anymore.

4 months agogithub: Prevent duplicate CI runs
Tobias Brunner [Fri, 11 Dec 2020 15:30:04 +0000 (16:30 +0100)]
github: Prevent duplicate CI runs

This cancels previous runs of the same branch and skips runs of the same
content (e.g. after merges or tags).

4 months agogithub: Migrate from Travis CI to Github Actions
Tobias Brunner [Thu, 26 Nov 2020 09:53:45 +0000 (10:53 +0100)]
github: Migrate from Travis CI to Github Actions

On ( will be discontinued by the end of the
year) we are now charged for each minute.  We only got 10000 credits in
a trial plan, which we used up with a few builds.  Minutes also cost a
different amount of credits on different platforms: 10 on Linux,
but 50 on macOS (installing the dependencies on macOS alone took 12-15
minutes on Travis for some reason, takes about half on Github's runners).

No native Windows build yet as we have the same issue as on AppVeyor where
threading/streaming tests might get stuck.  And there is also only a
single Windows platform to test on.  Plus building/testing on Windows is
very slow (and getting ccache to work seems tricky).

The 'sw_collector' test case had to be disabled because we can't access
/usr/local/share on the Github build hosts (the process is just blocked
in readdir() and eventually times out).

Unfortunately, we can't test on different architectures anymore (in
particular ARM and the big-endian IBM Z/x390x).

5 months agoimv-scanner: Fix potentially unsafe port filter attribute destruction
Tobias Brunner [Thu, 3 Dec 2020 11:14:35 +0000 (12:14 +0100)]
imv-scanner: Fix potentially unsafe port filter attribute destruction

DESTROY_IF() checks if the given value is not NULL, before calling
destroy() on it, which does not work for sub-structs.  If
port_filter_attr is NULL, this could crash.

5 months agochild-rekey: Don't migrate child-create task if we already are deleting
Tobias Brunner [Tue, 1 Dec 2020 11:12:25 +0000 (12:12 +0100)]
child-rekey: Don't migrate child-create task if we already are deleting

If we are already deleting the old/redundant CHILD_SA, we must not
migrate the child-create task as that would destroy the new CHILD_SA we
already moved to the IKE_SA.

Fixes #3644.

5 months agohost-resolver: Don't wait for a reply if there are no threads
Tobias Brunner [Fri, 20 Nov 2020 14:02:30 +0000 (15:02 +0100)]
host-resolver: Don't wait for a reply if there are no threads

Without threads handling the resolution, there is no point waiting
for a reply.  If no subsequent resolution successfully starts a
thread (there might not even be one), we'd wait indefinitely.

Fixes #3634.

5 months agokernel-netlink: Make sure we successfully opened a Netlink socket
Tobias Brunner [Tue, 17 Nov 2020 16:55:24 +0000 (17:55 +0100)]
kernel-netlink: Make sure we successfully opened a Netlink socket

This is in addition to the fix in the destructor in 991e9e5dc9.

5 months agoidentification: Validate ASN.1 DN in from_data() constructor
Tobias Brunner [Mon, 2 Nov 2020 14:09:13 +0000 (15:09 +0100)]
identification: Validate ASN.1 DN in from_data() constructor

The DN is otherwise not parsed until compared/printed.  This avoids
false detections as ASN.1 DN if e.g. an email address starts with "0",
which is 0x30 = ASN.1 sequence tag, and the next character denotes
the exact length of the rest of the string (see the unit tests for an

5 months agoandroid: New release after avoiding marking VPN connections as metered
Tobias Brunner [Wed, 2 Dec 2020 15:06:48 +0000 (16:06 +0100)]
android: New release after avoiding marking VPN connections as metered

5 months agoandroid: Don't default to marking VPN connections as metered
Tobias Brunner [Tue, 1 Dec 2020 14:54:35 +0000 (15:54 +0100)]
android: Don't default to marking VPN connections as metered

For apps targeting Android 10, where a method to change this was added, the
default changed so that all VPN connections are marked as metered.  This means
certain background operations (e.g. syncing data) are not performed anymore
even when connected to a WiFi.  By setting this to false, the metered state
of the VPN connection reflects that of the underlying networks.

5 months agotesting: Use build-strongswan to implement build-rootimage
Tobias Brunner [Mon, 9 Nov 2020 14:30:29 +0000 (15:30 +0100)]
testing: Use build-strongswan to implement build-rootimage

5 months agotesting: Make building guest images after strongSwan optional
Tobias Brunner [Mon, 9 Nov 2020 15:15:20 +0000 (16:15 +0100)]
testing: Make building guest images after strongSwan optional

This is basically only for the build-rootimage use case.

5 months agotesting: Optionally build strongSwan from a release tarball
Tobias Brunner [Mon, 9 Nov 2020 14:18:50 +0000 (15:18 +0100)]
testing: Optionally build strongSwan from a release tarball

This will allow us to replace the build-rootimage script.

5 months agotesting: Optionally replace root image when building strongSwan
Tobias Brunner [Mon, 9 Nov 2020 13:55:46 +0000 (14:55 +0100)]
testing: Optionally replace root image when building strongSwan

5 months agotesting: Optionally use a new strongSwan build directory
Tobias Brunner [Mon, 9 Nov 2020 13:38:50 +0000 (14:38 +0100)]
testing: Optionally use a new strongSwan build directory

This can be useful when building completely different versions for the
first time to avoid issues with build artifacts of previous builds.

5 months agotesting: Add option to build all software recipes when building strongSwan
Tobias Brunner [Thu, 29 Oct 2020 16:55:38 +0000 (17:55 +0100)]
testing: Add option to build all software recipes when building strongSwan

This is like building the root image but using a specific strongSwan
source tree, which is helpful if code changes depend on other software
packages (e.g. TKM-related or testing new crypto libraries).  If the script
is called and the root image does not exist, the new option is enabled

The option to build in a specific guest image is now also moved to an
explicit command line option so that the source dir path is the only
remaining positional argument (see --help for details).

5 months agotesting: Create root image if it does not exist yet when building strongSwan
Tobias Brunner [Thu, 29 Oct 2020 17:04:22 +0000 (18:04 +0100)]
testing: Create root image if it does not exist yet when building strongSwan

This allows running the script directly after building the base image.

5 months agoUse Botan 2.17.1 for tests
Tobias Brunner [Mon, 9 Nov 2020 09:55:46 +0000 (10:55 +0100)]
Use Botan 2.17.1 for tests

5 months agotesting: Improve building different revisions of Git-recipes
Tobias Brunner [Mon, 9 Nov 2020 09:51:56 +0000 (10:51 +0100)]
testing: Improve building different revisions of Git-recipes

If we check out and build a certain revision of a dependency in a branch and
switch to another that requires a different revision and then switch back,
the previous approach installed the wrong revision as it would incorrectly
assume the required revision was already built and ready to install.

5 months agopem: Make sure we actually parsed some data
Tobias Brunner [Tue, 10 Nov 2020 17:14:36 +0000 (18:14 +0100)]
pem: Make sure we actually parsed some data

This could happen if there is no separating empty line between header
and body.

References #3627.

5 months agoappveyor: Also build on Windows Server 2019
Tobias Brunner [Thu, 12 Nov 2020 11:06:32 +0000 (12:06 +0100)]
appveyor: Also build on Windows Server 2019

5 months agokernel-wfp: Declare constants explicitly as extern
Tobias Brunner [Fri, 13 Nov 2020 10:44:21 +0000 (11:44 +0100)]
kernel-wfp: Declare constants explicitly as extern

Newer compilers otherwise complain that there are multiple definitions
of these (in header and .c file).

5 months agolibimcv: Avoid compiler warning in segmentation unit test
Tobias Brunner [Thu, 12 Nov 2020 18:12:11 +0000 (19:12 +0100)]
libimcv: Avoid compiler warning in segmentation unit test

Newer versions of GCC complain that the variable may be used

5 months agowindows: Don't declare [v]asprintf()
Tobias Brunner [Thu, 12 Nov 2020 13:20:04 +0000 (14:20 +0100)]
windows: Don't declare [v]asprintf()

None of our build environments seem to require these declarations.  And
current versions of MinGW-w64 define them as inline functions in stdio.h
so these declarations clashed with that ("static declaration of '...'
follows non-static declaration").

5 months agoVersion bump to 5.9.1 5.9.1
Andreas Steffen [Tue, 10 Nov 2020 19:45:13 +0000 (20:45 +0100)]
Version bump to 5.9.1

6 months agocontroller: Always return SUCCESS when terminating IKE_SAs without callback
Shmulik Ladkani [Mon, 2 Nov 2020 12:54:48 +0000 (14:54 +0200)]
controller: Always return SUCCESS when terminating IKE_SAs without callback

If no callback is specified, terminate_ike_execute() is invoked without the
listener waiting on the IKE state change.

Now, if 'force' is false, then ike_sa->delete() just queues an
IKE_DELETE task, and returns SUCCESS - indicating successful task
manager initiation.

However, terminate_ike_execute() ignored this success and set the
status to FAILED.

This is not ideal, as it will be the overall return code of
terminate_ike(), although no failure did occur. This eventually leads
vici's "terminate" to return "Command failed: terminating SA failed",
as seen in this example:

    In [9]: list(session.terminate({'ike-id': 2960, 'timeout': -1}))
    CommandException                          Traceback (most recent call last)
    <ipython-input-9-5f95b5cea88f> in <module>()
    ----> 1 list(session.terminate({'ike-id': 2960, 'timeout': -1}))

    vici/session.pyc in streamed_request(self, command, event_stream_type, message)
        136                 raise CommandException(
        137                     "Command failed: {errmsg}".format(
    --> 138                         errmsg=command_response["errmsg"]
        139                     )
        140                 )

    CommandException: Command failed: terminating SA failed

If we consider both queueing the task and actually destroying the IKS_SA
a success, we can just always return SUCCESS if we don't have a
callback. There is also no need to explicitly set the status to FAILED
if a listener is waiting as that's the default anyway.

Co-authored-by: Tobias Brunner <>
Closes strongswan/strongswan#185.

6 months agogcrypt: Use a dummy buffer to initialize static allocations
Tobias Brunner [Tue, 3 Nov 2020 11:07:48 +0000 (12:07 +0100)]
gcrypt: Use a dummy buffer to initialize static allocations

In FIPS mode, libgcrypt uses a DRBG, which behaves differently when the
length passed to gcry_create_nonce() or gcry_randomize() is <= 0.  It
expects a struct and explicitly checks that the passed pointer is not

6 months agoparser-helper: Don't attempt to open anything but regular files
Tobias Brunner [Tue, 3 Nov 2020 09:59:38 +0000 (10:59 +0100)]
parser-helper: Don't attempt to open anything but regular files

A crash could be provoked e.g. via STRONGSWAN_CONF=. or any other
path to a directory.

6 months agokernel-netlink: Only attempt to remove routing rule if we have a socket
Tobias Brunner [Tue, 3 Nov 2020 09:38:38 +0000 (10:38 +0100)]
kernel-netlink: Only attempt to remove routing rule if we have a socket

6 months agoimv-attestation: Fix typo in default value for hash_algorithm option
Tobias Brunner [Mon, 2 Nov 2020 14:43:35 +0000 (15:43 +0100)]
imv-attestation: Fix typo in default value for hash_algorithm option

6 months agolibimcv: Remove empty 'swid' Doxygen group
Tobias Brunner [Mon, 2 Nov 2020 13:37:45 +0000 (14:37 +0100)]
libimcv: Remove empty 'swid' Doxygen group

The corresponding IMC/IMV were already removed with a31f9b7691ca ("libimcv:
Removed TCG SWID IMC/IMV support").

6 months agoFixed some typos, courtesy of codespell
Tobias Brunner [Mon, 2 Nov 2020 13:32:27 +0000 (14:32 +0100)]
Fixed some typos, courtesy of codespell

6 months agoNEWS: Add news for 5.9.1
Tobias Brunner [Mon, 2 Nov 2020 13:03:45 +0000 (14:03 +0100)]
NEWS: Add news for 5.9.1

6 months agoVersion bump to 5.9.1rc1 5.9.1rc1
Andreas Steffen [Sun, 1 Nov 2020 17:45:34 +0000 (18:45 +0100)]
Version bump to 5.9.1rc1

6 months agochild-sa: Delete inbound SAs even if not installed to remove allocated SPIs
Tobias Brunner [Fri, 30 Oct 2020 12:06:07 +0000 (13:06 +0100)]
child-sa: Delete inbound SAs even if not installed to remove allocated SPIs

If we can't establish an SA, this should delete the allocated SPI.

6 months agovici: Send all queued messages during shutdown
Tobias Brunner [Tue, 20 Oct 2020 18:14:08 +0000 (20:14 +0200)]
vici: Send all queued messages during shutdown

This ensures that e.g. ike/child-updown messages are sent that were
queued but couldn't be sent (even the job to enable to on_write() callback
requires a worker thread that's not around anymore during shutdown).

References #3602.

6 months agoikev2: Clear fragments of a retransmitted message if we receive the next one
Tobias Brunner [Wed, 28 Oct 2020 14:50:59 +0000 (15:50 +0100)]
ikev2: Clear fragments of a retransmitted message if we receive the next one

The message_t object used for defragmentation was only cleared after
all fragments have been received and the message was delivered.  So
if we received only some fragments of a retransmitted message, the
fragments of the next message were not processed (message_t returns
INVALID_ARG if the message ID does not match causing the message to
get ignored).  This rendered the IKE_SA unusable as the client
obviously never retransmitted the fragments of that previous message
after it received our response.

6 months agoMerge branch 'android-ipv6-transport'
Tobias Brunner [Thu, 29 Oct 2020 10:23:48 +0000 (11:23 +0100)]
Merge branch 'android-ipv6-transport'

Adds support to use IPv6 as transport addresses for IKE and ESP and a
bunch of fixes.  On Linux servers, this requires at least a 5.8 kernel so
UDP encapsulation for IPv6 is supported.

Fixes #892.

6 months agoandroid: New release after adding IPv6 support and several fixes
Tobias Brunner [Thu, 29 Oct 2020 09:55:09 +0000 (10:55 +0100)]
android: New release after adding IPv6 support and several fixes

6 months agoandroid: Throw an exception if UUID can't get parsed
Tobias Brunner [Mon, 19 Oct 2020 15:52:15 +0000 (17:52 +0200)]
android: Throw an exception if UUID can't get parsed

The parser is quite picky and e.g. doesn't accept UUIDs without dashes.
Even without a specific error, this at least points the users into the
right direction.

Fixes #3583.

6 months agoandroid: Prevent illegalStateException when showing power whitelist dialog
Tobias Brunner [Mon, 19 Oct 2020 15:41:52 +0000 (17:41 +0200)]
android: Prevent illegalStateException when showing power whitelist dialog

If the activity is not active when the service connection is
established and handleIntent() is called, the activity's state is already
saved and any fragment transaction would result in an illegalStateException
due to state loss.  We just ignore this and wait for another initiation
attempt (via onNewIntent()).

6 months agoandroid: Handle restarts of control activity with power whitelist dialog better
Tobias Brunner [Mon, 19 Oct 2020 14:46:22 +0000 (16:46 +0200)]
android: Handle restarts of control activity with power whitelist dialog better

With the flag set, we basically ignore the resent intent, which is not
ideal if we have not yet actually started another activity.  The information
dialog we show first would disappear when closing and reopening the app
or even just rotating it (we hide all dialogs when receiving an intent),
but since the flag was restored, the dialog was not shown again even
when attempting to start other connections.

6 months agoandroid: Make IPv6 transport flag configurable in the GUI
Tobias Brunner [Thu, 15 Oct 2020 16:00:09 +0000 (18:00 +0200)]
android: Make IPv6 transport flag configurable in the GUI

6 months agoandroid: Import IPv6 transport flag
Tobias Brunner [Thu, 15 Oct 2020 15:49:53 +0000 (17:49 +0200)]
android: Import IPv6 transport flag

6 months agoandroid: Add flag to enable IPv6 transport addresses
Tobias Brunner [Thu, 15 Oct 2020 15:28:46 +0000 (17:28 +0200)]
android: Add flag to enable IPv6 transport addresses

6 months agoandroid: IPV6_PKTINFO is supported (i.e. struct in6_pktinfo is available)
Tobias Brunner [Tue, 13 Oct 2020 09:39:40 +0000 (11:39 +0200)]
android: IPV6_PKTINFO is supported (i.e. struct in6_pktinfo is available)

6 months agoandroid: Add ability to lookup IPv6 source addresses
Tobias Brunner [Thu, 4 Feb 2016 10:27:48 +0000 (11:27 +0100)]
android: Add ability to lookup IPv6 source addresses

6 months agoandroid: Fix port scanning IMC
Tobias Brunner [Thu, 8 Oct 2020 14:42:37 +0000 (16:42 +0200)]
android: Fix port scanning IMC

Since 9e88bb987d65 ("Subscribed Scanner IMC/IMV to IETF_FIREWALL PA subtype")
the port filter attribute is requested with a different message type.

6 months agoandroid: Ignore deprecation warning for legacy code in NetworkManager
Tobias Brunner [Tue, 6 Oct 2020 13:08:39 +0000 (15:08 +0200)]
android: Ignore deprecation warning for legacy code in NetworkManager

6 months agoandroid: Replace deprecated getFragmentManager() in TNC-related Fragments
Tobias Brunner [Tue, 6 Oct 2020 12:28:05 +0000 (14:28 +0200)]
android: Replace deprecated getFragmentManager() in TNC-related Fragments

6 months agoandroid: Consistently use PreferenceManager from AndroidX
Tobias Brunner [Tue, 6 Oct 2020 11:47:06 +0000 (13:47 +0200)]
android: Consistently use PreferenceManager from AndroidX

android.preference.PreferenceManager has been deprecated.  The one from
AndroidX was already in use in some places.

6 months agoandroid: Update dependencies
Tobias Brunner [Tue, 6 Oct 2020 11:43:40 +0000 (13:43 +0200)]
android: Update dependencies

6 months agoandroid: Set compile-/targetSdkVersion to 29
Tobias Brunner [Tue, 6 Oct 2020 11:42:10 +0000 (13:42 +0200)]
android: Set compile-/targetSdkVersion to 29

This will be mandatory for existing apps on Nov 2, 2020.

6 months agoandroid: Update Gradle plugin
Tobias Brunner [Mon, 5 Oct 2020 13:59:47 +0000 (15:59 +0200)]
android: Update Gradle plugin