14 months agobotan: Encode curve OID and public key in EC private key
Tobias Brunner [Wed, 8 Aug 2018 16:23:11 +0000 (18:23 +0200)]
botan: Encode curve OID and public key in EC private key

Without OID we can't generate an algorithmIdentifier when loading the
key again. And older versions of OpenSSL insist on a public key when
e.g. converting a key to PKCS#8.

Simply unwrapping the ECPrivateKey structure avoids log messages when
parsing other keys in the KEY_ANY case.

14 months agopkcs1: Accept EC private keys without public key but make sure of an OID
Tobias Brunner [Thu, 9 Aug 2018 06:45:48 +0000 (08:45 +0200)]
pkcs1: Accept EC private keys without public key but make sure of an OID

14 months agobotan: Fixes, code style changes plus some refactorings
Tobias Brunner [Mon, 6 Aug 2018 15:46:54 +0000 (17:46 +0200)]
botan: Fixes, code style changes plus some refactorings

Some changes rely on newly added FFI functions in Botan's master

14 months agobotan: Add MD5 support to Botan hasher
René Korthaus [Fri, 27 Jul 2018 07:33:39 +0000 (09:33 +0200)]
botan: Add MD5 support to Botan hasher

Support MD5 in the Botan plugin if supported by Botan.
MD5 is required for RADIUS and obviously EAP-MD5,
and also for non-PKCS#8 encoded, encrypted private keys.

14 months agounit-tests: Remove 768 bits RSA gen test
René Korthaus [Thu, 26 Jul 2018 09:17:07 +0000 (11:17 +0200)]
unit-tests: Remove 768 bits RSA gen test

Botan only allows RSA generating keys >= 1,024 bits, which makes
the RSA test suite fail. It is questionable whether it makes
sense to test 768 bit RSA keys anymore. They are too weak
from today's perspective anyway.

14 months agobotan: Add Botan plugin to libstrongswan
René Korthaus [Wed, 25 Jul 2018 11:01:19 +0000 (13:01 +0200)]
botan: Add Botan plugin to libstrongswan

14 months agodumm: Remove the Dynamic UML Mesh Modeler framework
Tobias Brunner [Wed, 12 Sep 2018 09:02:32 +0000 (11:02 +0200)]
dumm: Remove the Dynamic UML Mesh Modeler framework

This has been pretty much defunct for several years (requires a
specially patched UML-enabled guest kernel).

14 months agoandroid: Properly set log file path
Tobias Brunner [Wed, 12 Sep 2018 09:44:33 +0000 (11:44 +0200)]
android: Properly set log file path

14 months agoconf: Document new filelog configuration
Tobias Brunner [Wed, 12 Sep 2018 09:42:38 +0000 (11:42 +0200)]
conf: Document new filelog configuration

14 months agolibrary: Return FALSE from library_init() if loaded settings are invalid
Tobias Brunner [Tue, 11 Sep 2018 15:56:38 +0000 (17:56 +0200)]
library: Return FALSE from library_init() if loaded settings are invalid

This way daemons won't start with config files that contain errors.

14 months agosettings: Don't allow dots in section/key names anymore
Tobias Brunner [Thu, 31 May 2018 09:46:29 +0000 (11:46 +0200)]
settings: Don't allow dots in section/key names anymore

This requires config changes if filelog is used with a path that
contains dots. This path must now be defined in the `path` setting of an
arbitrarily named subsection of `filelog`.  Without that change the
whole strongswan.conf file will fail to load, which some users might
not notice immediately.

14 months agoike-auth: Remove unnecessary case statement
Tobias Brunner [Tue, 11 Sep 2018 09:33:05 +0000 (11:33 +0200)]
ike-auth: Remove unnecessary case statement

14 months agovici: Remove unreachable code
Tobias Brunner [Fri, 7 Sep 2018 09:17:06 +0000 (11:17 +0200)]
vici: Remove unreachable code

If list is TRUE any type but VICI_LIST_END and VICI_LIST_ITEM (i.e.
including VICI_END) is already handled in the first block in this

14 months agovici: Lease enumerator is always defined
Tobias Brunner [Fri, 7 Sep 2018 09:12:24 +0000 (11:12 +0200)]
vici: Lease enumerator is always defined

mem_pool_t always returns an enumerator.

14 months agostroke: Lease enumerator is always defined
Tobias Brunner [Fri, 7 Sep 2018 09:03:29 +0000 (11:03 +0200)]
stroke: Lease enumerator is always defined

This function is only called for existing pools (under the protection of
a read lock).

14 months agosmp: Remove unreachable initializer
Tobias Brunner [Fri, 7 Sep 2018 08:56:07 +0000 (10:56 +0200)]
smp: Remove unreachable initializer

Execution in this block will start with any of the case statements,
never with the initialization.

14 months agoeap-sim-pcsc: Fix leak in error case
Tobias Brunner [Fri, 7 Sep 2018 08:36:41 +0000 (10:36 +0200)]
eap-sim-pcsc: Fix leak in error case

14 months agotravis: Add sonarcloud build
Tobias Brunner [Mon, 10 Sep 2018 16:46:20 +0000 (18:46 +0200)]
travis: Add sonarcloud build

14 months agotravis: Automatically retry install steps
Tobias Brunner [Mon, 10 Sep 2018 10:22:20 +0000 (12:22 +0200)]
travis: Automatically retry install steps

There occasionally are network issues when fetching from Ubuntu/PPA
repos.  Let's see if this is a possible fix.

14 months agoswanctl: Allow passing a custom config file for each --load* command
Tobias Brunner [Mon, 28 May 2018 15:19:22 +0000 (17:19 +0200)]
swanctl: Allow passing a custom config file for each --load* command

Mainly for debugging, but could also be used to e.g. use a separate file
for connections and secrets.

14 months agoMerge branch 'ikev2-ppk'
Tobias Brunner [Mon, 10 Sep 2018 16:05:12 +0000 (18:05 +0200)]
Merge branch 'ikev2-ppk'

Adds support for Postquantum Preshared Keys for IKEv2.

Fixes #2710.

14 months agotesting: Add some PPK scenarios
Tobias Brunner [Thu, 30 Aug 2018 16:14:06 +0000 (18:14 +0200)]
testing: Add some PPK scenarios

14 months agoswanctl: Report the use of a PPK in --list-sas
Tobias Brunner [Fri, 27 Jul 2018 11:14:40 +0000 (13:14 +0200)]
swanctl: Report the use of a PPK in --list-sas

If we later decide the PPK_ID would be helpful, printing this on a
separate line would probably make sense.

14 months agovici: Return PPK state of an IKE_SA
Tobias Brunner [Fri, 27 Jul 2018 10:50:22 +0000 (12:50 +0200)]
vici: Return PPK state of an IKE_SA

14 months agoikev2: Mark IKE_SAs that used PPK during authentication
Tobias Brunner [Fri, 27 Jul 2018 10:14:18 +0000 (12:14 +0200)]
ikev2: Mark IKE_SAs that used PPK during authentication

14 months agoeap-authenticator: Add support for authentication with PPK
Tobias Brunner [Fri, 27 Jul 2018 09:24:49 +0000 (11:24 +0200)]
eap-authenticator: Add support for authentication with PPK

14 months agopubkey-authenticator: Add support for authentication with PPK
Tobias Brunner [Fri, 27 Jul 2018 08:49:30 +0000 (10:49 +0200)]
pubkey-authenticator: Add support for authentication with PPK

14 months agopsk-authenticator: Add support for authentication with PPK
Tobias Brunner [Thu, 26 Jul 2018 14:25:02 +0000 (16:25 +0200)]
psk-authenticator: Add support for authentication with PPK

14 months agoike-auth: Add basic PPK support
Tobias Brunner [Thu, 26 Jul 2018 15:28:13 +0000 (17:28 +0200)]
ike-auth: Add basic PPK support

Some of the work will have to be done in the authenticators.

14 months agoike-auth: Replace `== NULL` with `!`
Tobias Brunner [Thu, 26 Jul 2018 15:27:13 +0000 (17:27 +0200)]
ike-auth: Replace `== NULL` with `!`

14 months agoauthenticator: Add optional method to set PPK
Tobias Brunner [Thu, 26 Jul 2018 13:32:10 +0000 (15:32 +0200)]
authenticator: Add optional method to set PPK

14 months agoike-init: Send USE_PPK notify as appropriate
Tobias Brunner [Thu, 26 Jul 2018 13:20:30 +0000 (15:20 +0200)]
ike-init: Send USE_PPK notify as appropriate

14 months agoswanctl: Report PPK configuration in --list-conns
Tobias Brunner [Fri, 27 Jul 2018 10:34:23 +0000 (12:34 +0200)]
swanctl: Report PPK configuration in --list-conns

14 months agovici: Make PPK related options configurable
Tobias Brunner [Thu, 26 Jul 2018 15:57:36 +0000 (17:57 +0200)]
vici: Make PPK related options configurable

14 months agopeer-cfg: Add properties for PPK ID and whether PPK is required
Tobias Brunner [Thu, 26 Jul 2018 13:16:21 +0000 (15:16 +0200)]
peer-cfg: Add properties for PPK ID and whether PPK is required

14 months agoike-sa: Add flag for PPK extension
Tobias Brunner [Thu, 26 Jul 2018 09:47:46 +0000 (11:47 +0200)]
ike-sa: Add flag for PPK extension

14 months agokeymat_v2: Add support for PPKs
Tobias Brunner [Wed, 25 Jul 2018 14:43:01 +0000 (16:43 +0200)]
keymat_v2: Add support for PPKs

14 months agoswanctl: Add support for PPKs
Tobias Brunner [Thu, 26 Jul 2018 15:44:12 +0000 (17:44 +0200)]
swanctl: Add support for PPKs

14 months agovici: Add support for PPKs
Tobias Brunner [Wed, 25 Jul 2018 15:23:12 +0000 (17:23 +0200)]
vici: Add support for PPKs

14 months agoshared-key: Add a new type for Postquantum Preshared Keys
Tobias Brunner [Wed, 25 Jul 2018 13:30:05 +0000 (15:30 +0200)]
shared-key: Add a new type for Postquantum Preshared Keys

Using a separate type allows us to easily check if we have any PPKs
available at all.

14 months agoikev2: Add notify types for Postquantum Preshared Keys
Tobias Brunner [Wed, 25 Jul 2018 13:29:58 +0000 (15:29 +0200)]
ikev2: Add notify types for Postquantum Preshared Keys

14 months agounit-tests: Add tests for peer_cfg_t::replace_child_cfgs()
Tobias Brunner [Thu, 6 Sep 2018 13:17:37 +0000 (15:17 +0200)]
unit-tests: Add tests for peer_cfg_t::replace_child_cfgs()

14 months agopeer-cfg: Replace equal child configs with newly added ones
Tobias Brunner [Thu, 6 Sep 2018 13:13:37 +0000 (15:13 +0200)]
peer-cfg: Replace equal child configs with newly added ones

Otherwise, renamed child configs would still be known to the daemon
under their old name.

Fixes #2746.

15 months agocrypto: References to RFCs 8410 and 8420
Andreas Steffen [Tue, 4 Sep 2018 05:24:20 +0000 (07:24 +0200)]
crypto: References to RFCs 8410 and 8420

15 months agoNormalize whitespace in boilerplate files
Tobias Brunner [Fri, 6 Jul 2018 12:07:39 +0000 (14:07 +0200)]
Normalize whitespace in boilerplate files

Now all consistently use 2 or 4 (HACKING) spaces for indentation.

15 months agoREADME: Fix indentation
Tobias Brunner [Fri, 6 Jul 2018 10:09:32 +0000 (12:09 +0200)]
README: Fix indentation

15 months agoinit: Reload configurations/credentials as well during systemctl reload
Martin Willi [Tue, 7 Mar 2017 16:29:45 +0000 (17:29 +0100)]
init: Reload configurations/credentials as well during systemctl reload

15 months agoswanctl: Add --reauth option to --rekey command
Tobias Brunner [Thu, 23 Aug 2018 14:20:06 +0000 (16:20 +0200)]
swanctl: Add --reauth option to --rekey command

15 months agovici: Add option to reauthenticae instead of rekey an IKEv2 SA
Tobias Brunner [Thu, 23 Aug 2018 14:16:47 +0000 (16:16 +0200)]
vici: Add option to reauthenticae instead of rekey an IKEv2 SA

15 months agoMerge branch 'xfrm-set-mark'
Tobias Brunner [Fri, 31 Aug 2018 10:27:40 +0000 (12:27 +0200)]
Merge branch 'xfrm-set-mark'

This adds the ability to configure marks the in- and/or outbound SA
should apply to packets after processing on Linux.  Configuring such a mark
for outbound SAs requires at least a 4.14 kernel.  The ability to set a mask
and configuring a mark/mask for inbound SAs will be added with the upcoming
4.19 kernel.

15 months agochild-sa: Use SA matching mark as SA set mark if the latter is %same
Martin Willi [Wed, 9 May 2018 11:40:36 +0000 (13:40 +0200)]
child-sa: Use SA matching mark as SA set mark if the latter is %same

For inbound processing, it can be rather useful to apply the mark to the
packet in the SA, so the associated policy with that mark implicitly matches.
When using %unique as match mark, we don't know the mark beforehand, so
we most likely want to set the mark we match against.

15 months agoipsec-types: Restrict the use of %unique and other keywords when parsing marks
Martin Willi [Mon, 14 May 2018 11:42:53 +0000 (13:42 +0200)]
ipsec-types: Restrict the use of %unique and other keywords when parsing marks

%unique (and the upcoming %same key) are usable in specific contexts only.
To restrict the user from using it in other places where it does not get the
expected results, reject such keywords unless explicitly allowed.

15 months agovici: Document kernel requirements for set_mark_in/set_mark_out options
Martin Willi [Mon, 14 May 2018 10:55:27 +0000 (12:55 +0200)]
vici: Document kernel requirements for set_mark_in/set_mark_out options

15 months agovici: Make in-/outbound marks the SA should set configurable
Tobias Brunner [Fri, 20 Apr 2018 12:12:48 +0000 (14:12 +0200)]
vici: Make in-/outbound marks the SA should set configurable

15 months agochild-sa: Configure in-/outbound mark the SA should set
Tobias Brunner [Fri, 20 Apr 2018 12:08:35 +0000 (14:08 +0200)]
child-sa: Configure in-/outbound mark the SA should set

15 months agochild-cfg: Add properties for in-/outbound mark the SA should set
Tobias Brunner [Fri, 20 Apr 2018 12:02:57 +0000 (14:02 +0200)]
child-cfg: Add properties for in-/outbound mark the SA should set

15 months agokernel-netlink: Add support for setting mark/mask an SA should apply to processed...
Tobias Brunner [Fri, 20 Apr 2018 12:01:12 +0000 (14:01 +0200)]
kernel-netlink: Add support for setting mark/mask an SA should apply to processed traffic

15 months agokernel-netlink: Use larger buffer for event messages
Tobias Brunner [Fri, 10 Aug 2018 12:41:16 +0000 (14:41 +0200)]
kernel-netlink: Use larger buffer for event messages

15 months agoikev1: Increase DPD sequence number only after receiving a response
Tobias Brunner [Mon, 6 Aug 2018 15:01:20 +0000 (17:01 +0200)]
ikev1: Increase DPD sequence number only after receiving a response

We don't retransmit DPD requests like we do requests for proper exchanges,
so increasing the number with each sent DPD could result in the peer's state
getting out of sync if DPDs are lost.  Because according to RFC 3706, DPDs
with an unexpected sequence number SHOULD be rejected (it does mention the
possibility of maintaining a window of acceptable numbers, but we currently
don't implement that).  We partially ignore such messages (i.e. we don't
update the expected sequence number and the inbound message stats, so we
might send a DPD when none is required).  However, we always send a response,
so a peer won't really notice this (it also ensures a reply for "retransmits"
caused by this change, i.e. multiple DPDs with the same number - hopefully,
other implementations behave similarly when receiving such messages).

Fixes #2714.

15 months agoRemove ITA references
Tobias Brunner [Fri, 31 Aug 2018 09:11:12 +0000 (11:11 +0200)]
Remove ITA references

15 months agoikev1: Signal IKE_SA connection failure via bus
Tobias Brunner [Thu, 23 Aug 2018 15:54:29 +0000 (17:54 +0200)]
ikev1: Signal IKE_SA connection failure via bus

This is mainly for HA where a passive SA was already created when the
IKE keys were derived.  If e.g. an authentication error occurs later that
SA wouldn't get cleaned up.

15 months agoaggressive-mode: Trigger alerts for authentication failures
Tobias Brunner [Thu, 23 Aug 2018 15:25:08 +0000 (17:25 +0200)]
aggressive-mode: Trigger alerts for authentication failures

15 months agomain-mode: Local identity is always defined
Tobias Brunner [Thu, 23 Aug 2018 15:31:50 +0000 (17:31 +0200)]
main-mode: Local identity is always defined

15 months agomain-mode: Also trigger a PEER_AUTH_FAILED alert if authorize() fails
Tobias Brunner [Thu, 23 Aug 2018 15:24:26 +0000 (17:24 +0200)]
main-mode: Also trigger a PEER_AUTH_FAILED alert if authorize() fails

15 months agomain-mode: Signal local/peer auth failure via bus
Thomas Egerer [Tue, 14 Aug 2018 11:56:58 +0000 (13:56 +0200)]
main-mode: Signal local/peer auth failure via bus

Signed-off-by: Thomas Egerer <>
15 months agocustom-logger: Add optional reload method
Thomas Egerer [Wed, 29 Aug 2018 11:14:59 +0000 (13:14 +0200)]
custom-logger: Add optional reload method

The reload of the configuration of the loggers so far only included
the log levels. In order to support the reload of all other options,
a reload function may be implemented.

Signed-off-by: Thomas Egerer <>
15 months agoike-sa-manager: Log message when scheduling delete for reauthenticated IKE_SA
Tobias Brunner [Tue, 28 Aug 2018 15:11:13 +0000 (17:11 +0200)]
ike-sa-manager: Log message when scheduling delete for reauthenticated IKE_SA

15 months agoMerge branch 'ip-header-fields'
Tobias Brunner [Wed, 29 Aug 2018 09:46:13 +0000 (11:46 +0200)]
Merge branch 'ip-header-fields'

Adds new options that allow configuring how/whether certain fields in
the IP headers are copied during IPsec processing. Currently only allows
configuration on Linux.

Closes strongswan/strongswan#104.

15 months agokernel: Add option to control DS field behavior
Tobias Brunner [Mon, 11 Jun 2018 10:07:48 +0000 (12:07 +0200)]
kernel: Add option to control DS field behavior

15 months agokernel: Add options to control DF and ECN header bits/fields via XFRM
Tobias Brunner [Mon, 11 Jun 2018 08:49:16 +0000 (10:49 +0200)]
kernel: Add options to control DF and ECN header bits/fields via XFRM

The options control whether the DF and ECN header bits/fields are copied
from the unencrypted packets to the encrypted packets in tunnel mode (DF only
for IPv4), and for ECN whether the same is done for inbound packets.

Note: This implementation only works with Linux/Netlink/XFRM.

Based on a patch by Markus Sattler.

15 months agovici: Add error handling to message parsing in Perl bindings
Tobias Brunner [Tue, 5 Jun 2018 15:49:42 +0000 (17:49 +0200)]
vici: Add error handling to message parsing in Perl bindings

15 months agovici: Improve message parsing performance in Perl bindings
Afschin Hormozdiary [Tue, 5 Jun 2018 13:10:43 +0000 (15:10 +0200)]
vici: Improve message parsing performance in Perl bindings

During a test with ~12000 established SAs it was noted that vici
related operations hung.
The operations took over 16 minutes to finish. The time was spent in
the vici message parser, which was assigning the message over and over
again, to get rid of the already parsed portions.

First fixed by cutting the consumed parts off without copying the message.
Runtime for ~12000 SAs is now around 20 seconds.

Further optimization brought the runtime down to roughly 1-2 seconds
by using an fd to read through the message variable.

Closes strongswan/strongswan#103.

15 months agokernel-netlink: Align concatenated Netlink responses
Thomas Egerer [Thu, 16 Aug 2018 07:12:37 +0000 (09:12 +0200)]
kernel-netlink: Align concatenated Netlink responses

The code to support parallel Netlink queries (commit 3c7193f) made use
of nlmsg_len member from struct nlmsghdr to allocate and copy the
responses. Since NLMSG_NEXT is later used to parse these responses, they
must be aligned, or the results are undefined.

Signed-off-by: Thomas Egerer <>
16 months agolibimcv: Fix
Tobias Brunner [Fri, 10 Aug 2018 08:09:07 +0000 (10:09 +0200)]
libimcv: Fix

16 months agolibtpmtss: Fixed
Vishal Rana [Thu, 9 Aug 2018 05:28:03 +0000 (22:28 -0700)]
libtpmtss: Fixed

Closes strongswan/strongswan#111

Signed-off-by: Vishal Rana <>
16 months agoREADME: Fix typos
Tom Schlenkhoff [Mon, 6 Aug 2018 11:24:18 +0000 (13:24 +0200)]
README: Fix typos

Closes strongswan/strongswan#110.

16 months agotravis: Fix vici Python tests when using Clang
Tobias Brunner [Mon, 6 Aug 2018 09:54:24 +0000 (11:54 +0200)]
travis: Fix vici Python tests when using Clang

For some reason the clang binary that's installed in an uncommon
directory could not be found anymore when installing packages via pip for
the last couple of builds. While the directory is obviously contained in PATH,
using `sudo -E` didn't help. So we now install the Python packages in the
user's home directory to avoid having to use sudo.

16 months agoVersion bump to 5.7.0dr8 5.7.0dr8
Andreas Steffen [Thu, 2 Aug 2018 05:30:05 +0000 (07:30 +0200)]
Version bump to 5.7.0dr8

16 months agoMerge branch 'swima-subscriptions'
Andreas Steffen [Thu, 2 Aug 2018 05:28:52 +0000 (07:28 +0200)]
Merge branch 'swima-subscriptions'

16 months agotnccs-20: Defer handshake retry when sending SRETRY batch
Andreas Steffen [Sat, 28 Jul 2018 12:57:49 +0000 (14:57 +0200)]
tnccs-20: Defer handshake retry when sending SRETRY batch

Set a retry_handshake flag on a TNC server when sending a SRETRY
batch and do the retry only after receiving the next CDATA batch
from the TNC client.

16 months agolibimcv: Reset of IMC state for new measurement cycle
Andreas Steffen [Tue, 31 Jul 2018 12:06:21 +0000 (14:06 +0200)]
libimcv: Reset of IMC state for new measurement cycle

16 months agolibimcv: Reset of IMV state for new measurement cycle
Andreas Steffen [Thu, 26 Jul 2018 15:24:32 +0000 (17:24 +0200)]
libimcv: Reset of IMV state for new measurement cycle

16 months agoimv-swima: Support subscriptions
Andreas Steffen [Wed, 25 Jul 2018 06:41:05 +0000 (08:41 +0200)]
imv-swima: Support subscriptions

16 months agoimc-swima: Support subscriptions
Andreas Steffen [Tue, 24 Jul 2018 20:35:55 +0000 (22:35 +0200)]
imc-swima: Support subscriptions

16 months agolibimcv: Missing comma in pa_tnc_error_code_names
Andreas Steffen [Tue, 24 Jul 2018 18:43:31 +0000 (20:43 +0200)]
libimcv: Missing comma in pa_tnc_error_code_names

16 months agoVersion bump to 5.7.0dr6 5.7.0dr6
Andreas Steffen [Sat, 21 Jul 2018 07:30:53 +0000 (09:30 +0200)]
Version bump to 5.7.0dr6

16 months agolibtpmss: Configure TCTI device options
Andreas Steffen [Thu, 19 Jul 2018 15:53:31 +0000 (17:53 +0200)]
libtpmss: Configure TCTI device options

16 months agoVersion bump to 5.7.0dr5 5.7.0dr5
Andreas Steffen [Thu, 19 Jul 2018 12:13:09 +0000 (14:13 +0200)]
Version bump to 5.7.0dr5

16 months agolibimcv: Added Debian 8.11 and Ubunut 18.04 to IMV database
Andreas Steffen [Thu, 19 Jul 2018 12:11:44 +0000 (14:11 +0200)]
libimcv: Added Debian 8.11 and Ubunut 18.04 to IMV database

16 months agolibtpmtss: Support of RSAPSS signature scheme
Andreas Steffen [Wed, 18 Jul 2018 20:55:27 +0000 (22:55 +0200)]
libtpmtss: Support of RSAPSS signature scheme

16 months agolibtpmtss: Support for TSS2 v2 libraries
Andreas Steffen [Tue, 17 Jul 2018 21:22:52 +0000 (23:22 +0200)]
libtpmtss: Support for TSS2 v2 libraries

16 months agotesting: Optionally build/install strongSwan only on a specific guest
Tobias Brunner [Wed, 11 Jul 2018 16:38:09 +0000 (18:38 +0200)]
testing: Optionally build/install strongSwan only on a specific guest

This may be used to test different strongSwan versions against each

17 months agoconf: Fix bench_time documentation
Tobias Brunner [Mon, 9 Jul 2018 16:10:07 +0000 (18:10 +0200)]
conf: Fix bench_time documentation

17 months agomessage: Report the size of the complete reassembled IKE message
Tobias Brunner [Thu, 5 Jul 2018 15:36:21 +0000 (17:36 +0200)]
message: Report the size of the complete reassembled IKE message

This way we see the same size on both ends, namely that of the complete
IKE message as if it was sent in a single packet (excluding UDP/IP headers).

17 months agoencrypted-payload: Change how the length for reassembled messages is calculated
Tobias Brunner [Thu, 5 Jul 2018 15:21:47 +0000 (17:21 +0200)]
encrypted-payload: Change how the length for reassembled messages is calculated

If we have an AEAD transform we add the overhead as if the data would have
been transported in a single encrypted payload.

17 months agoencrypted-payload: Add getter for the used AEAD transform
Tobias Brunner [Thu, 5 Jul 2018 15:20:52 +0000 (17:20 +0200)]
encrypted-payload: Add getter for the used AEAD transform

17 months agotesting: Fix checks after changing fragmentation log messages
Tobias Brunner [Thu, 5 Jul 2018 15:19:39 +0000 (17:19 +0200)]
testing: Fix checks after changing fragmentation log messages

17 months agocharon-nm: Parse any type of private key in need_secrets
SC Lee [Mon, 9 Jul 2018 09:54:25 +0000 (17:54 +0800)]
charon-nm: Parse any type of private key in need_secrets

Previously, when the user supplied an ECDSA key for public key authentication,
the user was always asked to provide a password, even if the key was not

Related: 954f73ea6e7e ("charon-nm: Parse any type of private key not only RSA")
Closes strongswan/strongswan#108.

17 months agokernel-pfkey: Add support for native ChaCha20/Poly1305 on macOS
Tobias Brunner [Fri, 6 Jul 2018 08:17:52 +0000 (10:17 +0200)]
kernel-pfkey: Add support for native ChaCha20/Poly1305 on macOS

17 months agokernel-pfkey: Enable macOS native AES_GCM_ICV16 support
Ruben Tytgat [Thu, 5 Jul 2018 15:54:42 +0000 (17:54 +0200)]
kernel-pfkey: Enable macOS native AES_GCM_ICV16 support

macOS supports AES_GCM_ICV16 natively using PF_KEYv2.

This change enables AES_GCM if the corresponding definition is detected
in the headers.

With this change it is no longer necessary to use the libipsec module to
use AES_GCM on macOS.

Closes strongswan/strongswan#107.