4 years agoMerge branch 'child-deleted'
Tobias Brunner [Mon, 9 Apr 2018 15:15:24 +0000 (17:15 +0200)]
Merge branch 'child-deleted'

This adds a new state for CHILD_SAs that we deleted but still keep
around to process delayed packets (IKEv2 only).  This allows us to treat
them specially in some cases (e.g. to avoid triggering child_updown()
events as we already did that when we deleted such SAs).

Closes strongswan/strongswan#93.

4 years agobus: Don't trigger child_updown for deleted CHILD_SAs
Tobias Brunner [Tue, 20 Mar 2018 11:44:35 +0000 (12:44 +0100)]
bus: Don't trigger child_updown for deleted CHILD_SAs

These were rekeyed but have not been destroyed yet.

4 years agochild-sa: Add new state to track deleted but not yet destroyed CHILD_SAs
Tobias Brunner [Tue, 20 Mar 2018 11:43:13 +0000 (12:43 +0100)]
child-sa: Add new state to track deleted but not yet destroyed CHILD_SAs

This allows us to easily identify SAs we keep around after a rekeying to
process delayed packets.

4 years agoikev1: Unify child_updown calls when having duplicate QMs
Afschin Hormozdiary [Tue, 27 Mar 2018 14:55:59 +0000 (16:55 +0200)]
ikev1: Unify child_updown calls when having duplicate QMs

If a Quick mode is initiated for a CHILD_SA that is already installed
we can identify this situation and rekey the already installed CHILD_SA.

Otherwise we end up with several CHILD_SAs in state INSTALLED which
means multiple calls of child_updown are done. Unfortunately,
the deduplication code later does not call child_updown() (so up and down
were not even).

Closes strongswan/strongswan#95.

4 years agolibtpmtss: Properly initialize tabrmd tcti_context
Andreas Steffen [Mon, 9 Apr 2018 09:07:16 +0000 (11:07 +0200)]
libtpmtss: Properly initialize tabrmd tcti_context

4 years agotesting: Fix typo in sysctl.conf file
Matt Selsky [Fri, 30 Mar 2018 05:35:53 +0000 (01:35 -0400)]
testing: Fix typo in sysctl.conf file

Closes strongswan/strongswan#97.

4 years agopkcs11: Use unused return value of C_GetMechanismList
robinleander [Tue, 27 Mar 2018 20:50:28 +0000 (22:50 +0200)]
pkcs11: Use unused return value of C_GetMechanismList

Closes strongswan/strongswan#96.

4 years agokernel-pfkey: Add option to install routes via internal interface
Tobias Brunner [Thu, 8 Mar 2018 17:34:50 +0000 (18:34 +0100)]
kernel-pfkey: Add option to install routes via internal interface

On FreeBSD, enabling this selects the correct source IP when sending
packets from the gateway itself.

4 years agoMerge branch 'hw-offload-auto'
Tobias Brunner [Wed, 21 Mar 2018 09:32:48 +0000 (10:32 +0100)]
Merge branch 'hw-offload-auto'

This lets IPsec SA installation explicitly fail if HW offload is enabled
but either the kernel or the device don't support it.  And it adds a new
configuration mode 'auto', which enables HW offload, if supported, but
does not fail the installation otherwise.

4 years agochild-cfg: Make HW offload auto mode configurable
Adi Nissim [Mon, 12 Mar 2018 14:34:21 +0000 (16:34 +0200)]
child-cfg: Make HW offload auto mode configurable

Until now the configuration available to user for HW offload were:
hw_offload = no
hw_offload = yes

With this commit users will be able to configure auto mode using:
hw_offload = auto

Signed-off-by: Adi Nissim <>
Reviewed-by: Aviv Heller <>
4 years agokernel-netlink: Cleanup and fix some HW offload code issues
Tobias Brunner [Fri, 16 Mar 2018 18:34:43 +0000 (19:34 +0100)]
kernel-netlink: Cleanup and fix some HW offload code issues

Besides some style issues there were some incorrect allocations
for ethtool requests.

4 years agokernel-netlink: Add new automatic hw_offload mode
Adi Nissim [Mon, 12 Mar 2018 14:34:20 +0000 (16:34 +0200)]
kernel-netlink: Add new automatic hw_offload mode

Until now there were 2 hw_offload modes: no/yes
* hw_offload = no  : Configure the SA without HW offload.
* hw_offload = yes : Configure the SA with HW offload.
                     In this case, if the device does not support
                     offloading, SA creation will fail.

This commit introduces a new mode: hw_offload = auto
If the device and kernel support HW offload, configure
the SA with HW offload, but do not fail SA creation otherwise.

Signed-off-by: Adi Nissim <>
Reviewed-by: Aviv Heller <>
4 years agoipsec-types: Create new enum hw_offload_t
Adi Nissim [Mon, 12 Mar 2018 14:34:19 +0000 (16:34 +0200)]
ipsec-types: Create new enum hw_offload_t

Add the new enum in order to add HW offload auto mode.

Signed-off-by: Adi Nissim <>
Reviewed-by: Aviv Heller <>
4 years agostarter: Ignore an existing PID file if it references ourself
Martin Willi [Mon, 12 Mar 2018 06:26:06 +0000 (07:26 +0100)]
starter: Ignore an existing PID file if it references ourself

4 years agocharon-tkm: Ignore an existing PID file if it references ourself
Martin Willi [Mon, 12 Mar 2018 06:25:49 +0000 (07:25 +0100)]
charon-tkm: Ignore an existing PID file if it references ourself

4 years agocharon: Ignore an existing PID file if it references ourself
Martin Willi [Mon, 12 Mar 2018 06:16:52 +0000 (07:16 +0100)]
charon: Ignore an existing PID file if it references ourself

If a daemon PID file references the process that does the check, it is safe
to ignore it; no running process can have the same PID. While this is rather
unlikely to get restarted with the same PID under normal conditions, it is
quite common when running inside PID namespaced containers: If a container
gets stopped and restarted with a PID file remaining, it is very likely that
the PID namespace assigns the same PID to our service, as they are assigned
sequentially starting from 1.

4 years agodiffie-hellman: Remove unused exponent length initialization in get_params()
Tobias Brunner [Tue, 13 Mar 2018 11:18:56 +0000 (12:18 +0100)]
diffie-hellman: Remove unused exponent length initialization in get_params()

This isn't used anymore since 46184b07c163 ("diffie-hellman: Explicitly
initialize DH exponent sizes during initialization").

4 years agodiffie-hellman: Don't set exponent length for DH groups with prime order subgroups
Tobias Brunner [Tue, 13 Mar 2018 11:13:47 +0000 (12:13 +0100)]
diffie-hellman: Don't set exponent length for DH groups with prime order subgroups

According to RFC 5114 the exponent length for these groups should always equal
the size of their prime order subgroup.
This was handled correctly before the initialization was done during
library initialization.

Fixes: 46184b07c163 ("diffie-hellman: Explicitly initialize DH exponent sizes during initialization")

4 years agoproposal: Make sure non-AEAD IKE proposals contain integrity algorithms
Tobias Brunner [Thu, 8 Mar 2018 17:26:19 +0000 (18:26 +0100)]
proposal: Make sure non-AEAD IKE proposals contain integrity algorithms

4 years agoproposal: Compress arrays after removing transforms
Tobias Brunner [Thu, 8 Mar 2018 17:22:55 +0000 (18:22 +0100)]
proposal: Compress arrays after removing transforms

4 years agoikev2: Use correct type to check for selected signature scheme
Tobias Brunner [Tue, 6 Mar 2018 16:28:33 +0000 (17:28 +0100)]
ikev2: Use correct type to check for selected signature scheme

The previous code was obviously incorrect and caused strange side effects
depending on the compiler and its optimization flags (infinite looping seen
with GCC 4.8.4, segfault when destroying the private key in build() seen
with clang 4.0.0 on FreeBSD).

Fixes #2579.

4 years agovici: Make sure to read all requested data from socket in Perl binding
Tobias Brunner [Wed, 7 Mar 2018 09:31:11 +0000 (10:31 +0100)]
vici: Make sure to read all requested data from socket in Perl binding

Closes strongswan/strongswan#91.

4 years agolibimcv: Add Debian 8.10 to IMV database
Tobias Brunner [Tue, 20 Mar 2018 08:19:07 +0000 (09:19 +0100)]
libimcv: Add Debian 8.10 to IMV database

References #2582.

4 years agostroke: Ensure a minimum message length
Tobias Brunner [Tue, 13 Mar 2018 17:54:08 +0000 (18:54 +0100)]
stroke: Ensure a minimum message length

4 years agolibipsec: Fix ip_packet_create_from_data() version field in IPv6 header
Matus Fabian [Mon, 19 Mar 2018 09:19:45 +0000 (02:19 -0700)]
libipsec: Fix ip_packet_create_from_data() version field in IPv6 header

Closes strongswan/strongswan#92.

Signed-off-by: Matus Fabian <>
4 years agotesting: Use HA patch compatible with 4.15.6+
Tobias Brunner [Thu, 8 Mar 2018 09:07:33 +0000 (10:07 +0100)]
testing: Use HA patch compatible with 4.15.6+

4 years agotesting: Use a HA patch that's actually compatible with 4.15 kernels
Tobias Brunner [Wed, 7 Mar 2018 16:16:54 +0000 (17:16 +0100)]
testing: Use a HA patch that's actually compatible with 4.15 kernels

4 years agotesting: Revert typo fix in FreeRADIUS patch
Tobias Brunner [Wed, 7 Mar 2018 15:38:18 +0000 (16:38 +0100)]
testing: Revert typo fix in FreeRADIUS patch

Fixes: 2db6d5b8b378 ("Fixed some typos, courtesy of codespell")
Fixes #2582.

4 years agoload-tester: Start numbering IDs from 1 again
Tobias Brunner [Tue, 27 Feb 2018 09:31:49 +0000 (10:31 +0100)]
load-tester: Start numbering IDs from 1 again

ref_get() increments the number before returning it.

Fixes: 2cbaa632951d ("load-tester: Fix race condition issuing same identity")

4 years agoMerge branch 'pbkdf2-sha2'
Tobias Brunner [Wed, 7 Mar 2018 14:24:56 +0000 (15:24 +0100)]
Merge branch 'pbkdf2-sha2'

Adds support for common SHA-2 based PRFs in PKCS#5/PBKDF2 as used by
OpenSSL 1.1 when generating PKCS#8-encoded private keys.

Fixes #2574.

4 years agocharon-nm: Parse any type of private key not only RSA
Tobias Brunner [Mon, 5 Mar 2018 08:47:15 +0000 (09:47 +0100)]
charon-nm: Parse any type of private key not only RSA

4 years agopkcs5: Parse PRF algorithms if given in PBKDF2-params as defined in RFC 8018
Tobias Brunner [Mon, 5 Mar 2018 08:45:34 +0000 (09:45 +0100)]
pkcs5: Parse PRF algorithms if given in PBKDF2-params as defined in RFC 8018

We can't use ASN1_DEF, which would technically be more correct, as the
ASN.1 parser currently can't handle that.  For algorithm identifiers we
often use ASN1_EOC as type (with ASN1_RAW), however, that doesn't work with
ASN1_DEF because the element is assumed missing if the type doesn't match.
On the other hand, we can't set the type to ASN1_SEQUENCE because then the
parser skips the following rule if the element is missing (it does so for
all constructed types, but I guess is mainly intended for context tags),
which in this case overruns the parser rules array.

4 years agoprf: Add helper function to convert OIDs to algorithm identifiers
Tobias Brunner [Mon, 5 Mar 2018 08:43:07 +0000 (09:43 +0100)]
prf: Add helper function to convert OIDs to algorithm identifiers

4 years agoasn1: Add OIDs for HMAC-based PRFs as defined in RFC 8018
Tobias Brunner [Mon, 5 Mar 2018 08:42:41 +0000 (09:42 +0100)]
asn1: Add OIDs for HMAC-based PRFs as defined in RFC 8018

4 years agoMerge branch 'unknown-transform-types'
Tobias Brunner [Wed, 7 Mar 2018 13:25:48 +0000 (14:25 +0100)]
Merge branch 'unknown-transform-types'

This changes how unknown transform types are handled in proposals.  In
particular we make sure not to accept a proposal if it contains unknown
transform types (they were just ignored previously, which could have
resulted in an invalid selected proposal).

Fixes #2557.

4 years agoproposal: Compare algorithms of all transform types for equality
Tobias Brunner [Fri, 23 Feb 2018 08:59:38 +0000 (09:59 +0100)]
proposal: Compare algorithms of all transform types for equality

4 years agoproposal: Make sure to consider all transform types when selecting proposals
Tobias Brunner [Fri, 23 Feb 2018 08:02:49 +0000 (09:02 +0100)]
proposal: Make sure to consider all transform types when selecting proposals

This way there will be a mismatch if one of the proposals contains
transform types not contained in the other (the fix list of transform
types used previously resulted in a match if unknown transform types
were contained in one of the proposals).  Merging the sets of types
makes comparing proposals with optional transform types easier (e.g.
DH for ESP with MODP_NONE).

4 years agoproposal: Print all algorithms even those with currently unknown transform types
Tobias Brunner [Fri, 23 Feb 2018 07:43:07 +0000 (08:43 +0100)]
proposal: Print all algorithms even those with currently unknown transform types

4 years agoproposal: Keep track of contained transform types
Tobias Brunner [Fri, 23 Feb 2018 07:36:33 +0000 (08:36 +0100)]
proposal: Keep track of contained transform types

4 years agotransform: Move internal identifiers out of private range
Tobias Brunner [Fri, 23 Feb 2018 07:12:48 +0000 (08:12 +0100)]
transform: Move internal identifiers out of private range

Avoid any conflicts if implementations use transform types in the
private range.
Also removed the unused UNKNOWN_TRANSFORM_TYPE identifier.

4 years agounit-tests: Ignore binaries of renamed test runners
Tobias Brunner [Fri, 2 Mar 2018 16:10:33 +0000 (17:10 +0100)]
unit-tests: Ignore binaries of renamed test runners

Fixes: 9cc61baaf592 ("unit-tests: Rename targets for libstrongswan and kernel-netlink")

4 years agolibimcv: Fix typo in PTS hash algorithm mapping for 512-bit SHA-3
Tobias Brunner [Fri, 2 Mar 2018 07:29:34 +0000 (08:29 +0100)]
libimcv: Fix typo in PTS hash algorithm mapping for 512-bit SHA-3

Fixes: 40f2589abfc8 ("gmp: Support of SHA-3 RSA signatures")

4 years agokernel-netlink: Ignore local routes in any table
Tobias Brunner [Mon, 26 Feb 2018 14:07:15 +0000 (15:07 +0100)]
kernel-netlink: Ignore local routes in any table

Such routes seem to show up in tables other than local with recent kernels.

Fixes #2555.

4 years agokernel-netlink: Ignore routes with next hop during local subnet enumeration
Tobias Brunner [Thu, 22 Feb 2018 08:50:52 +0000 (09:50 +0100)]
kernel-netlink: Ignore routes with next hop during local subnet enumeration

These are not locally attached and we do the same already in kernel-pfroute.

Fixes #2554.

4 years agokernel-netlink: Simplify rt_entry_t initialization
Tobias Brunner [Thu, 22 Feb 2018 08:49:57 +0000 (09:49 +0100)]
kernel-netlink: Simplify rt_entry_t initialization

4 years agonm: Version bump to 1.4.4
Tobias Brunner [Fri, 23 Feb 2018 14:31:01 +0000 (15:31 +0100)]
nm: Version bump to 1.4.4

4 years agonm: Update German translation
Tobias Brunner [Fri, 23 Feb 2018 14:26:00 +0000 (15:26 +0100)]
nm: Update German translation

4 years agonm: Fix tooltips for proposal text fields
Tobias Brunner [Fri, 23 Feb 2018 14:25:23 +0000 (15:25 +0100)]
nm: Fix tooltips for proposal text fields

There is no ! syntax as the default proposal is only used if no custom
proposal is configured.

4 years agoMerge branch 'incorrect-inval-ke'
Tobias Brunner [Fri, 23 Feb 2018 08:28:08 +0000 (09:28 +0100)]
Merge branch 'incorrect-inval-ke'

This improves the behavior during CREATE_CHILD_SA exchanges if the peer
sends an INVALID_KE_PAYLOAD with a DH group we didn't request or continues
to return the same notify even if we use the requested group.

Fixes #2536.

4 years agochild-rekey: Don't destroy IKE_SA if initiating CHILD_SA rekeying failed
Tobias Brunner [Mon, 19 Feb 2018 14:09:34 +0000 (15:09 +0100)]
child-rekey: Don't destroy IKE_SA if initiating CHILD_SA rekeying failed

This could happen if the peer e.g. selects an invalid DH group or
responds multiple time with an INVALID_KE_PAYLAOD notify.

4 years agochild-create: Fail if we already retried with a requested DH group
Tobias Brunner [Fri, 9 Feb 2018 14:27:50 +0000 (15:27 +0100)]
child-create: Fail if we already retried with a requested DH group

With faulty peers that always return the same unusable DH group in
INVALID_KE_PAYLOADs we'd otherwise get stuck in a loop.

4 years agochild-create: Make sure we actually propose the requested DH group
Tobias Brunner [Fri, 9 Feb 2018 14:16:24 +0000 (15:16 +0100)]
child-create: Make sure we actually propose the requested DH group

If we receive an INVALID_KE_PAYLOAD notify we should not just retry
with the requested DH group without checking first if we actually propose
the group (or any at all).

4 years agochild-create: Make sure the returned KE payload uses the proposed DH group
Tobias Brunner [Fri, 9 Feb 2018 14:13:54 +0000 (15:13 +0100)]
child-create: Make sure the returned KE payload uses the proposed DH group

4 years agochild-sa: Don't update outbound policies if they are not installed
Tobias Brunner [Wed, 21 Feb 2018 10:04:45 +0000 (11:04 +0100)]
child-sa: Don't update outbound policies if they are not installed

After a rekeying we keep the inbound SA and policies installed for a
while, but the outbound SA and policies are already removed.  Attempting
to update them could get the refcount in the kernel interface out of sync
as the additional policy won't be removed when the CHILD_SA object is
eventually destroyed.

4 years agochild-sa: Don't try to update outbound SA if it is not installed anymore
Tobias Brunner [Wed, 21 Feb 2018 09:58:39 +0000 (10:58 +0100)]
child-sa: Don't try to update outbound SA if it is not installed anymore

4 years agoMerge branch 'trap-manager-uninstall'
Tobias Brunner [Thu, 22 Feb 2018 10:31:14 +0000 (11:31 +0100)]
Merge branch 'trap-manager-uninstall'

This changes how trap policies are deleted in order to avoid conflicts if a
trap policy with changed peer config is concurrently removed and reinstalled
under a different name (the reqid will be the same, so the wrong policy
could have been deleted by the old code).

4 years agotrap-manager: Remove unused find_reqid() method
Tobias Brunner [Fri, 3 Nov 2017 10:51:36 +0000 (11:51 +0100)]
trap-manager: Remove unused find_reqid() method

It might actually have returned an incorrect result if there were child
configs for different peer configs sharing the same name.

4 years agochild-sa: No need to find reqid of existing trap policy
Tobias Brunner [Fri, 3 Nov 2017 10:49:45 +0000 (11:49 +0100)]
child-sa: No need to find reqid of existing trap policy

When initiating a trap policy we explicitly pass the reqid along.  I guess
the lookup was useful to get the same reqid if a trapped CHILD_SA is manually
initiated.  However, we now get the same reqid anyway if there is no
narrowing.  And if the traffic selectors do get narrowed the reqid will be
different but that shouldn't be a problem as that doesn't cause an issue with
any temporary SAs in the kernel (this is why we pass the reqid to the
triggered CHILD_SA, otherwise, no new acquire would get triggered for
traffic that doesn't match the wider trap policy).

4 years agotrap-manager: Remove reqid parameter from install() and change return type
Tobias Brunner [Fri, 3 Nov 2017 10:32:04 +0000 (11:32 +0100)]
trap-manager: Remove reqid parameter from install() and change return type

Reqids for the same traffic selectors are now stable so we don't have to
pass reqids of previously installed CHILD_SAs.  Likewise, we don't need
to know the reqid of the newly installed trap policy as we now uninstall
by name.

4 years agotrap-manager: Compare peer config name during installation
Tobias Brunner [Fri, 3 Nov 2017 10:26:23 +0000 (11:26 +0100)]
trap-manager: Compare peer config name during installation

4 years agotrap-manager: Uninstall trap policies by name and not reqid
Tobias Brunner [Fri, 3 Nov 2017 10:10:16 +0000 (11:10 +0100)]
trap-manager: Uninstall trap policies by name and not reqid

If a trap policy is concurrently uninstalled and reinstalled under a
different name the reqid will be the same so the wrong trap might be

4 years agovici: Remove external enumeration to uninstall shunt policies
Tobias Brunner [Fri, 3 Nov 2017 09:55:05 +0000 (10:55 +0100)]
vici: Remove external enumeration to uninstall shunt policies

4 years agostroke: Remove external enumeration to unroute shunt policies
Tobias Brunner [Fri, 3 Nov 2017 09:53:04 +0000 (10:53 +0100)]
stroke: Remove external enumeration to unroute shunt policies

4 years agoshunt-manager: Remove first match if no namespace given during uninstall
Tobias Brunner [Fri, 3 Nov 2017 09:47:48 +0000 (10:47 +0100)]
shunt-manager: Remove first match if no namespace given during uninstall

Also makes namespace mandatory.

4 years agoappveyor: Allow events to trigger early in threading unit tests
Tobias Brunner [Fri, 16 Feb 2018 10:55:54 +0000 (11:55 +0100)]
appveyor: Allow events to trigger early in threading unit tests

The timed wait functions tested in the threading unit tests often but
randomly trigger a bit early on AppVeyor Windows containers.  We allow this
if it is not earlier than 5ms.

4 years agocharon-nm: Fix building list of DNS/MDNS servers with libnm
Tobias Brunner [Wed, 21 Feb 2018 10:53:55 +0000 (11:53 +0100)]
charon-nm: Fix building list of DNS/MDNS servers with libnm

g_variant_builder_add() creates a new GVariant using g_variant_new() and
then adds it to the builder.  Passing a GVariant probably adds the
pointer to the array, not the value.  I think an alternative fix would
be to use "@u" as type string for the g_variant_builder_add() call, then
the already allocated GVariant is adopted.

Fixes: 9a71b7219ca3 ("charon-nm: Port to libnm")

4 years agox509: Fix leak if a CRL contains multiple authorityKeyIdentifiers
Tobias Brunner [Wed, 21 Feb 2018 10:13:42 +0000 (11:13 +0100)]
x509: Fix leak if a CRL contains multiple authorityKeyIdentifiers

4 years agofuzzing: Add fuzzer for CRL parsing
Tobias Brunner [Tue, 20 Feb 2018 16:51:55 +0000 (17:51 +0100)]
fuzzing: Add fuzzer for CRL parsing

4 years agonm: Version bump to 1.4.3
Tobias Brunner [Mon, 19 Feb 2018 13:44:28 +0000 (14:44 +0100)]
nm: Version bump to 1.4.3

4 years agoVersion bump to 5.6.2 5.6.2
Andreas Steffen [Mon, 19 Feb 2018 11:59:37 +0000 (12:59 +0100)]
Version bump to 5.6.2

4 years agoNEWS: Add info about CVE-2018-6459
Tobias Brunner [Mon, 19 Feb 2018 09:37:04 +0000 (10:37 +0100)]
NEWS: Add info about CVE-2018-6459

4 years agosignature-params: Properly handle MGF1 algorithm identifier without parameters
Tobias Brunner [Mon, 4 Dec 2017 09:51:47 +0000 (10:51 +0100)]
signature-params: Properly handle MGF1 algorithm identifier without parameters

Credit to OSS-Fuzz.

Fixes: CVE-2018-6459

4 years agoVersion bump to 5.6.2rc1 5.6.2rc1
Andreas Steffen [Fri, 16 Feb 2018 12:37:00 +0000 (13:37 +0100)]
Version bump to 5.6.2rc1

4 years agotesting: Enable counters and save-keys plugins
Andreas Steffen [Fri, 16 Feb 2018 12:36:44 +0000 (13:36 +0100)]
testing: Enable counters and save-keys plugins

4 years agoNEWS: Added some news for 5.6.2
Tobias Brunner [Fri, 16 Feb 2018 10:02:06 +0000 (11:02 +0100)]
NEWS: Added some news for 5.6.2

4 years agovici: Also return close action
Tobias Brunner [Fri, 16 Feb 2018 08:55:22 +0000 (09:55 +0100)]
vici: Also return close action

4 years agosave-keys: Add warning message to log if keys are being saved
Tobias Brunner [Thu, 15 Feb 2018 09:04:47 +0000 (10:04 +0100)]
save-keys: Add warning message to log if keys are being saved

4 years agosave-keys: Add options to enable saving IKE and/or ESP keys
Tobias Brunner [Thu, 15 Feb 2018 09:03:08 +0000 (10:03 +0100)]
save-keys: Add options to enable saving IKE and/or ESP keys

4 years agosave-keys: Store derived CHILD_SA keys in Wireshark format
Codrut Cristian Grosu [Wed, 7 Sep 2016 09:00:04 +0000 (12:00 +0300)]
save-keys: Store derived CHILD_SA keys in Wireshark format

4 years agosave-keys: Store derived IKE_SA keys in Wireshark format
Codrut Cristian Grosu [Fri, 2 Sep 2016 12:22:29 +0000 (15:22 +0300)]
save-keys: Store derived IKE_SA keys in Wireshark format

The path has to be set first, otherwise, nothing is done.

4 years agosave-keys: Add save-keys plugin
Codrut Cristian Grosu [Fri, 2 Sep 2016 12:06:30 +0000 (15:06 +0300)]
save-keys: Add save-keys plugin

This plugin will export IKE_SA and CHILD_SA secret keys in the format used
by Wireshark.

It has to be loaded explicitly.

4 years agovici: list-conn reports DPD settings and swanctl displays them
Andreas Steffen [Tue, 6 Feb 2018 20:29:17 +0000 (21:29 +0100)]
vici: list-conn reports DPD settings and swanctl displays them

4 years agoproposal: Add modp6144 to the default proposal
Tobias Brunner [Wed, 14 Feb 2018 13:53:08 +0000 (14:53 +0100)]
proposal: Add modp6144 to the default proposal

We always had modp4096 and modp8192 included, not sure why this wasn't.

4 years agoha: Double receive buffer size for HA messages and make it configurable
Tobias Brunner [Wed, 14 Feb 2018 13:51:24 +0000 (14:51 +0100)]
ha: Double receive buffer size for HA messages and make it configurable

With IKEv1 we transmit both public DH factors (used to derive the initial
IV) besides the shared secret.  So these messages could get significantly
larger than 1024 bytes, depending on the DH group (modp2048 just about
fits into it).  The new default of 2048 bytes should be fine up to modp4096
and for larger groups the buffer size may be increased (an error is
logged should this happen).

4 years agoRevert "travis: Use Clang 4.0 instead of 3.9 due to va_start() warnings"
Tobias Brunner [Tue, 13 Feb 2018 15:25:46 +0000 (16:25 +0100)]
Revert "travis: Use Clang 4.0 instead of 3.9 due to va_start() warnings"

The Trusty image used by Travis was updated in December and now has Clang
5.0.0 installed.  So this workaround is not necessary anymore.

This reverts commit f4bd46764143744202b817cf7268aa9e6f4ab5f7.

4 years agoFixed some typos, courtesy of codespell
Tobias Brunner [Tue, 13 Feb 2018 11:04:12 +0000 (12:04 +0100)]
Fixed some typos, courtesy of codespell

4 years agoMerge branch 'readme-errata'
Tobias Brunner [Mon, 12 Feb 2018 10:16:49 +0000 (11:16 +0100)]
Merge branch 'readme-errata'

Closes strongswan/strongswan#89.

4 years agoREADME: Fix paths to private keys
Liu Qun (liuqun) [Mon, 12 Feb 2018 03:39:00 +0000 (11:39 +0800)]
README: Fix paths to private keys

Since version 5.5.1, different keys can be put together in
* tobiasbrunner@7caba2eb5524be6b51943bcc3d2cb0e4c5ecc09a
  swanctl: Add 'private' directory/section to load any type of private key

Signed-off-by: Liu Qun (liuqun) <>
4 years agoREADME: Fix typo in pki --req example
刘群 [Mon, 12 Feb 2018 02:23:16 +0000 (10:23 +0800)]
README: Fix typo in pki --req example

Fix up one typo mistake in the example of "Generating a Host or User End
Entity Certificate"

Signed-off-by: Liu Qun (liuqun) <>
4 years agoMerge branch 'mobike-nat'
Tobias Brunner [Fri, 9 Feb 2018 14:54:36 +0000 (15:54 +0100)]
Merge branch 'mobike-nat'

These changes improve MOBIKE task queuing. In particular we don't
want to ignore the response to an update (with NAT-D payloads) if only
an address list update or DPD is queued as that could prevent use from
updating the UDP encapsulation in the kernel.

A new optional roam trigger is added to the kernel-netlink plugin based
on routing rule changes.  This only works properly, though, if the kernel
based route lookup is used as the kernel-netlink plugin does currently
not consider routing rules for its own route lookup.

Another change prevents acquires during address updates if we have to
update IPsec SAs by deleting and readding them.  Because the outbound policy
is still installed an acquire and temporary SA might get triggered in
the short time no IPsec SA is installed, which could subsequently prevent the
reinstallation of the SA.  To this end we install drop policies before
updating the policies and SAs.  These also replace the fallback drop policies
we previously used to prevent plaintext leaks during policy updates (which
reduces the overhead in cases where addresses never or rarely change as
additional policies will only have to be tracked during address updates).

Fixes #2518.

4 years agoike-mobike: Don't trigger update for NAT mapping change detected during an address...
Tobias Brunner [Fri, 9 Feb 2018 07:48:07 +0000 (08:48 +0100)]
ike-mobike: Don't trigger update for NAT mapping change detected during an address update

This is really only needed for other exchanges like DPDs not when we
just updated the addresses. The NAT-D payloads are only used here to
detect whether UDP encapsulation has to be enabled/disabled.

4 years agochild-sa: Install drop policies while updating IPsec SAs and policies
Tobias Brunner [Tue, 6 Feb 2018 17:07:34 +0000 (18:07 +0100)]
child-sa: Install drop policies while updating IPsec SAs and policies

If we have to remove and reinstall SAs for address updates (as with the
Linux kernel) there is a short time where there is no SA installed.  If
we keep the policies installed they (or any traps) might cause acquires
and temporary kernel states that could prevent the updated SA from
getting installed again.

This replaces the previous workaround to avoid plaintext traffic leaks
during policy updates, which used low-priority drop policies.

4 years agokernel-netlink: Optionally trigger roam events on routing rule changes
Tobias Brunner [Mon, 29 Jan 2018 14:26:17 +0000 (15:26 +0100)]
kernel-netlink: Optionally trigger roam events on routing rule changes

This can be useful if routing rules (instead of e.g. route metrics) are used
to switch from one to another interface (i.e. from one to another
routing table).  Since we currently don't evaluate routing rules when
doing the route lookup this is only useful if the kernel-based route
lookup is used.

Resolves strongswan/strongswan#88.

4 years agoike-sa: Remove unused counter for pending MOBIKE updates
Tobias Brunner [Mon, 29 Jan 2018 13:30:35 +0000 (14:30 +0100)]
ike-sa: Remove unused counter for pending MOBIKE updates

4 years agoike-mobike: Only ignore MOBIKE responses if an actual update is queued
Tobias Brunner [Mon, 29 Jan 2018 11:34:33 +0000 (12:34 +0100)]
ike-mobike: Only ignore MOBIKE responses if an actual update is queued

The counter does not tell us what task is actually queued, so we might
ignore the response to an update (with NAT-D payloads) if only an address
update is queued.

4 years agoikev2: Update currently queued MOBIKE task
Tobias Brunner [Mon, 29 Jan 2018 10:49:50 +0000 (11:49 +0100)]
ikev2: Update currently queued MOBIKE task

Instead of destroying the new task and keeping the existing one we
update any already queued task, so we don't loose any work (e.g. if a
DPD task is active and address update is queued and we'd actually like
to queue a roam task).

4 years agoike-mobike: Don't reset address update flag if set previously
Tobias Brunner [Mon, 29 Jan 2018 10:44:36 +0000 (11:44 +0100)]
ike-mobike: Don't reset address update flag if set previously

If we update a queued job we don't want to reset previously set task

4 years agoike: Add log message if host moves out of NAT
Tobias Brunner [Fri, 26 Jan 2018 13:03:33 +0000 (14:03 +0100)]
ike: Add log message if host moves out of NAT

4 years agotesting: Add ikev2/mobike-virtual-ip-nat scenario
Tobias Brunner [Fri, 26 Jan 2018 12:50:04 +0000 (13:50 +0100)]
testing: Add ikev2/mobike-virtual-ip-nat scenario

This tests moving from a public IP behind a NAT and back (with proper
changes of the UDP encapsulation).

4 years agoikev1: Properly handle fragmented Quick Mode messages
Tobias Brunner [Tue, 30 Jan 2018 10:33:15 +0000 (11:33 +0100)]
ikev1: Properly handle fragmented Quick Mode messages