12 months agodaemon: Remove redundant assignment to time_format
Tobias Brunner [Fri, 14 Sep 2018 14:10:46 +0000 (16:10 +0200)]
daemon: Remove redundant assignment to time_format

12 months agoVersion bump to 5.7.0rc1 5.7.0rc1
Andreas Steffen [Sun, 16 Sep 2018 07:30:09 +0000 (09:30 +0200)]
Version bump to 5.7.0rc1

12 months agotesting: Extended Botan scenarios
Andreas Steffen [Wed, 12 Sep 2018 15:21:21 +0000 (17:21 +0200)]
testing: Extended Botan scenarios

13 months agoNEWS: Added some news for 5.7.0
Tobias Brunner [Wed, 12 Sep 2018 16:41:53 +0000 (18:41 +0200)]
NEWS: Added some news for 5.7.0

13 months agotravis: Silence `git checkout` for Botan
Tobias Brunner [Wed, 12 Sep 2018 15:18:15 +0000 (17:18 +0200)]
travis: Silence `git checkout` for Botan

13 months agoMerge branch 'botan-plugin'
Tobias Brunner [Wed, 12 Sep 2018 14:25:07 +0000 (16:25 +0200)]
Merge branch 'botan-plugin'

Adds a wrapper plugin for the Botan crypto library.

Closes strongswan/strongswan#109.

13 months agotravis: Use a fix revision for Botan and speed up subsequent builds via ccache
Tobias Brunner [Wed, 12 Sep 2018 13:51:08 +0000 (15:51 +0200)]
travis: Use a fix revision for Botan and speed up subsequent builds via ccache

13 months agotravis: Use amalgamation build for Botan and build outside our source tree
Tobias Brunner [Wed, 12 Sep 2018 11:12:44 +0000 (13:12 +0200)]
travis: Use amalgamation build for Botan and build outside our source tree

This merges all source files into botan_all.cpp, which reduces the build
time by almost 50%. Building outside the strongSwan tree avoids analyzing
Botan with sonarqube.

13 months agogcrypt: Make generic DH constructor static
Tobias Brunner [Wed, 12 Sep 2018 10:56:11 +0000 (12:56 +0200)]
gcrypt: Make generic DH constructor static

13 months agotravis: Build botan plugin also in the tests that build everything
Tobias Brunner [Wed, 12 Sep 2018 10:05:14 +0000 (12:05 +0200)]
travis: Build botan plugin also in the tests that build everything

13 months agotravis: Only add the sonarcloud addon for that build
Tobias Brunner [Wed, 12 Sep 2018 10:02:41 +0000 (12:02 +0200)]
travis: Only add the sonarcloud addon for that build

13 months agotesting: Added botan/rw-cert scenario
Andreas Steffen [Wed, 5 Sep 2018 06:07:06 +0000 (08:07 +0200)]
testing: Added botan/rw-cert scenario

13 months agotesting: Enable Botan and the plugin
Tobias Brunner [Thu, 30 Aug 2018 15:47:43 +0000 (17:47 +0200)]
testing: Enable Botan and the plugin

ldconfig is required, otherwise the library won't be found by
strongSwan in the same session.

Should later be changed to 2.8.0 or a newer stable release.

13 months agobotan: Add support for X25519
Tobias Brunner [Tue, 11 Sep 2018 09:05:21 +0000 (11:05 +0200)]
botan: Add support for X25519

13 months agobotan: Simplify DH/ECDH key derivation
Tobias Brunner [Tue, 11 Sep 2018 08:58:42 +0000 (10:58 +0200)]
botan: Simplify DH/ECDH key derivation

13 months agotest-vectors: Add the actual test vector from RFC 8031 for x25519
Tobias Brunner [Tue, 11 Sep 2018 08:32:50 +0000 (10:32 +0200)]
test-vectors: Add the actual test vector from RFC 8031 for x25519

The existing test vector is from RFC 8037.

13 months agoike-init: Fix leak if KE payload creation fails
Tobias Brunner [Thu, 30 Aug 2018 12:48:34 +0000 (14:48 +0200)]
ike-init: Fix leak if KE payload creation fails

13 months agoleak-detective: Add an option to ignore frees of unknown memory blocks
Tobias Brunner [Wed, 8 Aug 2018 15:06:15 +0000 (17:06 +0200)]
leak-detective: Add an option to ignore frees of unknown memory blocks

This also changes how unknown/corrupted memory is handled in the free()
and realloc() hooks in general.

Incorporates changes provided by Thomas Egerer who ran into a similar

13 months agotravis: Add Botan build
Tobias Brunner [Wed, 8 Aug 2018 09:35:46 +0000 (11:35 +0200)]
travis: Add Botan build

We build Botan directly from the master branch until 2.8.0 is released.

13 months agoleak-detective: Whitelist some Botan functions
Tobias Brunner [Wed, 8 Aug 2018 09:41:36 +0000 (11:41 +0200)]
leak-detective: Whitelist some Botan functions

Due to the mangled C++ function names it's tricky to be more specific.  The
"leaked" allocations are from a static hashtable containing EC groups.

There is another leak caused by the locking allocator singleton
(triggered by the first function that uses it, usually initialization of
 a cipher, but could be a hasher in other test runners), but we can avoid
that with a Botan config option.

13 months agobotan: Adhere to configured DH exponent length
Tobias Brunner [Fri, 10 Aug 2018 15:04:09 +0000 (17:04 +0200)]
botan: Adhere to configured DH exponent length

13 months agobotan: Encode private keys as PKCS#8
Tobias Brunner [Fri, 10 Aug 2018 07:02:26 +0000 (09:02 +0200)]
botan: Encode private keys as PKCS#8

Since we can now parse that encoding directly we can simplify the private
key export and stick to PKCS#8.

13 months agobotan: Load public/private keys generically
Tobias Brunner [Thu, 9 Aug 2018 11:00:50 +0000 (13:00 +0200)]
botan: Load public/private keys generically

Simplifies public key loading and this way unencrypted PKCS#8-encoded
keys can be loaded directly without pkcs8 plugin (code for encrypted
keys could probably later be added, if necessary).

It also simplifies the implementation of private_key_t::get_public_key()
a lot.

13 months agobotan: Encode curve OID and public key in EC private key
Tobias Brunner [Wed, 8 Aug 2018 16:23:11 +0000 (18:23 +0200)]
botan: Encode curve OID and public key in EC private key

Without OID we can't generate an algorithmIdentifier when loading the
key again. And older versions of OpenSSL insist on a public key when
e.g. converting a key to PKCS#8.

Simply unwrapping the ECPrivateKey structure avoids log messages when
parsing other keys in the KEY_ANY case.

13 months agopkcs1: Accept EC private keys without public key but make sure of an OID
Tobias Brunner [Thu, 9 Aug 2018 06:45:48 +0000 (08:45 +0200)]
pkcs1: Accept EC private keys without public key but make sure of an OID

13 months agobotan: Fixes, code style changes plus some refactorings
Tobias Brunner [Mon, 6 Aug 2018 15:46:54 +0000 (17:46 +0200)]
botan: Fixes, code style changes plus some refactorings

Some changes rely on newly added FFI functions in Botan's master

13 months agobotan: Add MD5 support to Botan hasher
René Korthaus [Fri, 27 Jul 2018 07:33:39 +0000 (09:33 +0200)]
botan: Add MD5 support to Botan hasher

Support MD5 in the Botan plugin if supported by Botan.
MD5 is required for RADIUS and obviously EAP-MD5,
and also for non-PKCS#8 encoded, encrypted private keys.

13 months agounit-tests: Remove 768 bits RSA gen test
René Korthaus [Thu, 26 Jul 2018 09:17:07 +0000 (11:17 +0200)]
unit-tests: Remove 768 bits RSA gen test

Botan only allows RSA generating keys >= 1,024 bits, which makes
the RSA test suite fail. It is questionable whether it makes
sense to test 768 bit RSA keys anymore. They are too weak
from today's perspective anyway.

13 months agobotan: Add Botan plugin to libstrongswan
René Korthaus [Wed, 25 Jul 2018 11:01:19 +0000 (13:01 +0200)]
botan: Add Botan plugin to libstrongswan

13 months agodumm: Remove the Dynamic UML Mesh Modeler framework
Tobias Brunner [Wed, 12 Sep 2018 09:02:32 +0000 (11:02 +0200)]
dumm: Remove the Dynamic UML Mesh Modeler framework

This has been pretty much defunct for several years (requires a
specially patched UML-enabled guest kernel).

13 months agoandroid: Properly set log file path
Tobias Brunner [Wed, 12 Sep 2018 09:44:33 +0000 (11:44 +0200)]
android: Properly set log file path

13 months agoconf: Document new filelog configuration
Tobias Brunner [Wed, 12 Sep 2018 09:42:38 +0000 (11:42 +0200)]
conf: Document new filelog configuration

13 months agolibrary: Return FALSE from library_init() if loaded settings are invalid
Tobias Brunner [Tue, 11 Sep 2018 15:56:38 +0000 (17:56 +0200)]
library: Return FALSE from library_init() if loaded settings are invalid

This way daemons won't start with config files that contain errors.

13 months agosettings: Don't allow dots in section/key names anymore
Tobias Brunner [Thu, 31 May 2018 09:46:29 +0000 (11:46 +0200)]
settings: Don't allow dots in section/key names anymore

This requires config changes if filelog is used with a path that
contains dots. This path must now be defined in the `path` setting of an
arbitrarily named subsection of `filelog`.  Without that change the
whole strongswan.conf file will fail to load, which some users might
not notice immediately.

13 months agoike-auth: Remove unnecessary case statement
Tobias Brunner [Tue, 11 Sep 2018 09:33:05 +0000 (11:33 +0200)]
ike-auth: Remove unnecessary case statement

13 months agovici: Remove unreachable code
Tobias Brunner [Fri, 7 Sep 2018 09:17:06 +0000 (11:17 +0200)]
vici: Remove unreachable code

If list is TRUE any type but VICI_LIST_END and VICI_LIST_ITEM (i.e.
including VICI_END) is already handled in the first block in this

13 months agovici: Lease enumerator is always defined
Tobias Brunner [Fri, 7 Sep 2018 09:12:24 +0000 (11:12 +0200)]
vici: Lease enumerator is always defined

mem_pool_t always returns an enumerator.

13 months agostroke: Lease enumerator is always defined
Tobias Brunner [Fri, 7 Sep 2018 09:03:29 +0000 (11:03 +0200)]
stroke: Lease enumerator is always defined

This function is only called for existing pools (under the protection of
a read lock).

13 months agosmp: Remove unreachable initializer
Tobias Brunner [Fri, 7 Sep 2018 08:56:07 +0000 (10:56 +0200)]
smp: Remove unreachable initializer

Execution in this block will start with any of the case statements,
never with the initialization.

13 months agoeap-sim-pcsc: Fix leak in error case
Tobias Brunner [Fri, 7 Sep 2018 08:36:41 +0000 (10:36 +0200)]
eap-sim-pcsc: Fix leak in error case

13 months agotravis: Add sonarcloud build
Tobias Brunner [Mon, 10 Sep 2018 16:46:20 +0000 (18:46 +0200)]
travis: Add sonarcloud build

13 months agotravis: Automatically retry install steps
Tobias Brunner [Mon, 10 Sep 2018 10:22:20 +0000 (12:22 +0200)]
travis: Automatically retry install steps

There occasionally are network issues when fetching from Ubuntu/PPA
repos.  Let's see if this is a possible fix.

13 months agoswanctl: Allow passing a custom config file for each --load* command
Tobias Brunner [Mon, 28 May 2018 15:19:22 +0000 (17:19 +0200)]
swanctl: Allow passing a custom config file for each --load* command

Mainly for debugging, but could also be used to e.g. use a separate file
for connections and secrets.

13 months agoMerge branch 'ikev2-ppk'
Tobias Brunner [Mon, 10 Sep 2018 16:05:12 +0000 (18:05 +0200)]
Merge branch 'ikev2-ppk'

Adds support for Postquantum Preshared Keys for IKEv2.

Fixes #2710.

13 months agotesting: Add some PPK scenarios
Tobias Brunner [Thu, 30 Aug 2018 16:14:06 +0000 (18:14 +0200)]
testing: Add some PPK scenarios

13 months agoswanctl: Report the use of a PPK in --list-sas
Tobias Brunner [Fri, 27 Jul 2018 11:14:40 +0000 (13:14 +0200)]
swanctl: Report the use of a PPK in --list-sas

If we later decide the PPK_ID would be helpful, printing this on a
separate line would probably make sense.

13 months agovici: Return PPK state of an IKE_SA
Tobias Brunner [Fri, 27 Jul 2018 10:50:22 +0000 (12:50 +0200)]
vici: Return PPK state of an IKE_SA

13 months agoikev2: Mark IKE_SAs that used PPK during authentication
Tobias Brunner [Fri, 27 Jul 2018 10:14:18 +0000 (12:14 +0200)]
ikev2: Mark IKE_SAs that used PPK during authentication

13 months agoeap-authenticator: Add support for authentication with PPK
Tobias Brunner [Fri, 27 Jul 2018 09:24:49 +0000 (11:24 +0200)]
eap-authenticator: Add support for authentication with PPK

13 months agopubkey-authenticator: Add support for authentication with PPK
Tobias Brunner [Fri, 27 Jul 2018 08:49:30 +0000 (10:49 +0200)]
pubkey-authenticator: Add support for authentication with PPK

13 months agopsk-authenticator: Add support for authentication with PPK
Tobias Brunner [Thu, 26 Jul 2018 14:25:02 +0000 (16:25 +0200)]
psk-authenticator: Add support for authentication with PPK

13 months agoike-auth: Add basic PPK support
Tobias Brunner [Thu, 26 Jul 2018 15:28:13 +0000 (17:28 +0200)]
ike-auth: Add basic PPK support

Some of the work will have to be done in the authenticators.

13 months agoike-auth: Replace `== NULL` with `!`
Tobias Brunner [Thu, 26 Jul 2018 15:27:13 +0000 (17:27 +0200)]
ike-auth: Replace `== NULL` with `!`

13 months agoauthenticator: Add optional method to set PPK
Tobias Brunner [Thu, 26 Jul 2018 13:32:10 +0000 (15:32 +0200)]
authenticator: Add optional method to set PPK

13 months agoike-init: Send USE_PPK notify as appropriate
Tobias Brunner [Thu, 26 Jul 2018 13:20:30 +0000 (15:20 +0200)]
ike-init: Send USE_PPK notify as appropriate

13 months agoswanctl: Report PPK configuration in --list-conns
Tobias Brunner [Fri, 27 Jul 2018 10:34:23 +0000 (12:34 +0200)]
swanctl: Report PPK configuration in --list-conns

13 months agovici: Make PPK related options configurable
Tobias Brunner [Thu, 26 Jul 2018 15:57:36 +0000 (17:57 +0200)]
vici: Make PPK related options configurable

13 months agopeer-cfg: Add properties for PPK ID and whether PPK is required
Tobias Brunner [Thu, 26 Jul 2018 13:16:21 +0000 (15:16 +0200)]
peer-cfg: Add properties for PPK ID and whether PPK is required

13 months agoike-sa: Add flag for PPK extension
Tobias Brunner [Thu, 26 Jul 2018 09:47:46 +0000 (11:47 +0200)]
ike-sa: Add flag for PPK extension

13 months agokeymat_v2: Add support for PPKs
Tobias Brunner [Wed, 25 Jul 2018 14:43:01 +0000 (16:43 +0200)]
keymat_v2: Add support for PPKs

13 months agoswanctl: Add support for PPKs
Tobias Brunner [Thu, 26 Jul 2018 15:44:12 +0000 (17:44 +0200)]
swanctl: Add support for PPKs

13 months agovici: Add support for PPKs
Tobias Brunner [Wed, 25 Jul 2018 15:23:12 +0000 (17:23 +0200)]
vici: Add support for PPKs

13 months agoshared-key: Add a new type for Postquantum Preshared Keys
Tobias Brunner [Wed, 25 Jul 2018 13:30:05 +0000 (15:30 +0200)]
shared-key: Add a new type for Postquantum Preshared Keys

Using a separate type allows us to easily check if we have any PPKs
available at all.

13 months agoikev2: Add notify types for Postquantum Preshared Keys
Tobias Brunner [Wed, 25 Jul 2018 13:29:58 +0000 (15:29 +0200)]
ikev2: Add notify types for Postquantum Preshared Keys

13 months agounit-tests: Add tests for peer_cfg_t::replace_child_cfgs()
Tobias Brunner [Thu, 6 Sep 2018 13:17:37 +0000 (15:17 +0200)]
unit-tests: Add tests for peer_cfg_t::replace_child_cfgs()

13 months agopeer-cfg: Replace equal child configs with newly added ones
Tobias Brunner [Thu, 6 Sep 2018 13:13:37 +0000 (15:13 +0200)]
peer-cfg: Replace equal child configs with newly added ones

Otherwise, renamed child configs would still be known to the daemon
under their old name.

Fixes #2746.

13 months agocrypto: References to RFCs 8410 and 8420
Andreas Steffen [Tue, 4 Sep 2018 05:24:20 +0000 (07:24 +0200)]
crypto: References to RFCs 8410 and 8420

13 months agoNormalize whitespace in boilerplate files
Tobias Brunner [Fri, 6 Jul 2018 12:07:39 +0000 (14:07 +0200)]
Normalize whitespace in boilerplate files

Now all consistently use 2 or 4 (HACKING) spaces for indentation.

13 months agoREADME: Fix indentation
Tobias Brunner [Fri, 6 Jul 2018 10:09:32 +0000 (12:09 +0200)]
README: Fix indentation

13 months agoinit: Reload configurations/credentials as well during systemctl reload
Martin Willi [Tue, 7 Mar 2017 16:29:45 +0000 (17:29 +0100)]
init: Reload configurations/credentials as well during systemctl reload

13 months agoswanctl: Add --reauth option to --rekey command
Tobias Brunner [Thu, 23 Aug 2018 14:20:06 +0000 (16:20 +0200)]
swanctl: Add --reauth option to --rekey command

13 months agovici: Add option to reauthenticae instead of rekey an IKEv2 SA
Tobias Brunner [Thu, 23 Aug 2018 14:16:47 +0000 (16:16 +0200)]
vici: Add option to reauthenticae instead of rekey an IKEv2 SA

13 months agoMerge branch 'xfrm-set-mark'
Tobias Brunner [Fri, 31 Aug 2018 10:27:40 +0000 (12:27 +0200)]
Merge branch 'xfrm-set-mark'

This adds the ability to configure marks the in- and/or outbound SA
should apply to packets after processing on Linux.  Configuring such a mark
for outbound SAs requires at least a 4.14 kernel.  The ability to set a mask
and configuring a mark/mask for inbound SAs will be added with the upcoming
4.19 kernel.

13 months agochild-sa: Use SA matching mark as SA set mark if the latter is %same
Martin Willi [Wed, 9 May 2018 11:40:36 +0000 (13:40 +0200)]
child-sa: Use SA matching mark as SA set mark if the latter is %same

For inbound processing, it can be rather useful to apply the mark to the
packet in the SA, so the associated policy with that mark implicitly matches.
When using %unique as match mark, we don't know the mark beforehand, so
we most likely want to set the mark we match against.

13 months agoipsec-types: Restrict the use of %unique and other keywords when parsing marks
Martin Willi [Mon, 14 May 2018 11:42:53 +0000 (13:42 +0200)]
ipsec-types: Restrict the use of %unique and other keywords when parsing marks

%unique (and the upcoming %same key) are usable in specific contexts only.
To restrict the user from using it in other places where it does not get the
expected results, reject such keywords unless explicitly allowed.

13 months agovici: Document kernel requirements for set_mark_in/set_mark_out options
Martin Willi [Mon, 14 May 2018 10:55:27 +0000 (12:55 +0200)]
vici: Document kernel requirements for set_mark_in/set_mark_out options

13 months agovici: Make in-/outbound marks the SA should set configurable
Tobias Brunner [Fri, 20 Apr 2018 12:12:48 +0000 (14:12 +0200)]
vici: Make in-/outbound marks the SA should set configurable

13 months agochild-sa: Configure in-/outbound mark the SA should set
Tobias Brunner [Fri, 20 Apr 2018 12:08:35 +0000 (14:08 +0200)]
child-sa: Configure in-/outbound mark the SA should set

13 months agochild-cfg: Add properties for in-/outbound mark the SA should set
Tobias Brunner [Fri, 20 Apr 2018 12:02:57 +0000 (14:02 +0200)]
child-cfg: Add properties for in-/outbound mark the SA should set

13 months agokernel-netlink: Add support for setting mark/mask an SA should apply to processed...
Tobias Brunner [Fri, 20 Apr 2018 12:01:12 +0000 (14:01 +0200)]
kernel-netlink: Add support for setting mark/mask an SA should apply to processed traffic

13 months agokernel-netlink: Use larger buffer for event messages
Tobias Brunner [Fri, 10 Aug 2018 12:41:16 +0000 (14:41 +0200)]
kernel-netlink: Use larger buffer for event messages

13 months agoikev1: Increase DPD sequence number only after receiving a response
Tobias Brunner [Mon, 6 Aug 2018 15:01:20 +0000 (17:01 +0200)]
ikev1: Increase DPD sequence number only after receiving a response

We don't retransmit DPD requests like we do requests for proper exchanges,
so increasing the number with each sent DPD could result in the peer's state
getting out of sync if DPDs are lost.  Because according to RFC 3706, DPDs
with an unexpected sequence number SHOULD be rejected (it does mention the
possibility of maintaining a window of acceptable numbers, but we currently
don't implement that).  We partially ignore such messages (i.e. we don't
update the expected sequence number and the inbound message stats, so we
might send a DPD when none is required).  However, we always send a response,
so a peer won't really notice this (it also ensures a reply for "retransmits"
caused by this change, i.e. multiple DPDs with the same number - hopefully,
other implementations behave similarly when receiving such messages).

Fixes #2714.

13 months agoRemove ITA references
Tobias Brunner [Fri, 31 Aug 2018 09:11:12 +0000 (11:11 +0200)]
Remove ITA references

13 months agoikev1: Signal IKE_SA connection failure via bus
Tobias Brunner [Thu, 23 Aug 2018 15:54:29 +0000 (17:54 +0200)]
ikev1: Signal IKE_SA connection failure via bus

This is mainly for HA where a passive SA was already created when the
IKE keys were derived.  If e.g. an authentication error occurs later that
SA wouldn't get cleaned up.

13 months agoaggressive-mode: Trigger alerts for authentication failures
Tobias Brunner [Thu, 23 Aug 2018 15:25:08 +0000 (17:25 +0200)]
aggressive-mode: Trigger alerts for authentication failures

13 months agomain-mode: Local identity is always defined
Tobias Brunner [Thu, 23 Aug 2018 15:31:50 +0000 (17:31 +0200)]
main-mode: Local identity is always defined

13 months agomain-mode: Also trigger a PEER_AUTH_FAILED alert if authorize() fails
Tobias Brunner [Thu, 23 Aug 2018 15:24:26 +0000 (17:24 +0200)]
main-mode: Also trigger a PEER_AUTH_FAILED alert if authorize() fails

13 months agomain-mode: Signal local/peer auth failure via bus
Thomas Egerer [Tue, 14 Aug 2018 11:56:58 +0000 (13:56 +0200)]
main-mode: Signal local/peer auth failure via bus

Signed-off-by: Thomas Egerer <>
13 months agocustom-logger: Add optional reload method
Thomas Egerer [Wed, 29 Aug 2018 11:14:59 +0000 (13:14 +0200)]
custom-logger: Add optional reload method

The reload of the configuration of the loggers so far only included
the log levels. In order to support the reload of all other options,
a reload function may be implemented.

Signed-off-by: Thomas Egerer <>
13 months agoike-sa-manager: Log message when scheduling delete for reauthenticated IKE_SA
Tobias Brunner [Tue, 28 Aug 2018 15:11:13 +0000 (17:11 +0200)]
ike-sa-manager: Log message when scheduling delete for reauthenticated IKE_SA

13 months agoMerge branch 'ip-header-fields'
Tobias Brunner [Wed, 29 Aug 2018 09:46:13 +0000 (11:46 +0200)]
Merge branch 'ip-header-fields'

Adds new options that allow configuring how/whether certain fields in
the IP headers are copied during IPsec processing. Currently only allows
configuration on Linux.

Closes strongswan/strongswan#104.

13 months agokernel: Add option to control DS field behavior
Tobias Brunner [Mon, 11 Jun 2018 10:07:48 +0000 (12:07 +0200)]
kernel: Add option to control DS field behavior

13 months agokernel: Add options to control DF and ECN header bits/fields via XFRM
Tobias Brunner [Mon, 11 Jun 2018 08:49:16 +0000 (10:49 +0200)]
kernel: Add options to control DF and ECN header bits/fields via XFRM

The options control whether the DF and ECN header bits/fields are copied
from the unencrypted packets to the encrypted packets in tunnel mode (DF only
for IPv4), and for ECN whether the same is done for inbound packets.

Note: This implementation only works with Linux/Netlink/XFRM.

Based on a patch by Markus Sattler.

13 months agovici: Add error handling to message parsing in Perl bindings
Tobias Brunner [Tue, 5 Jun 2018 15:49:42 +0000 (17:49 +0200)]
vici: Add error handling to message parsing in Perl bindings

13 months agovici: Improve message parsing performance in Perl bindings
Afschin Hormozdiary [Tue, 5 Jun 2018 13:10:43 +0000 (15:10 +0200)]
vici: Improve message parsing performance in Perl bindings

During a test with ~12000 established SAs it was noted that vici
related operations hung.
The operations took over 16 minutes to finish. The time was spent in
the vici message parser, which was assigning the message over and over
again, to get rid of the already parsed portions.

First fixed by cutting the consumed parts off without copying the message.
Runtime for ~12000 SAs is now around 20 seconds.

Further optimization brought the runtime down to roughly 1-2 seconds
by using an fd to read through the message variable.

Closes strongswan/strongswan#103.

13 months agokernel-netlink: Align concatenated Netlink responses
Thomas Egerer [Thu, 16 Aug 2018 07:12:37 +0000 (09:12 +0200)]
kernel-netlink: Align concatenated Netlink responses

The code to support parallel Netlink queries (commit 3c7193f) made use
of nlmsg_len member from struct nlmsghdr to allocate and copy the
responses. Since NLMSG_NEXT is later used to parse these responses, they
must be aligned, or the results are undefined.

Signed-off-by: Thomas Egerer <>
14 months agolibimcv: Fix
Tobias Brunner [Fri, 10 Aug 2018 08:09:07 +0000 (10:09 +0200)]
libimcv: Fix

14 months agolibtpmtss: Fixed
Vishal Rana [Thu, 9 Aug 2018 05:28:03 +0000 (22:28 -0700)]
libtpmtss: Fixed

Closes strongswan/strongswan#111

Signed-off-by: Vishal Rana <>
14 months agoREADME: Fix typos
Tom Schlenkhoff [Mon, 6 Aug 2018 11:24:18 +0000 (13:24 +0200)]
README: Fix typos

Closes strongswan/strongswan#110.

14 months agotravis: Fix vici Python tests when using Clang
Tobias Brunner [Mon, 6 Aug 2018 09:54:24 +0000 (11:54 +0200)]
travis: Fix vici Python tests when using Clang

For some reason the clang binary that's installed in an uncommon
directory could not be found anymore when installing packages via pip for
the last couple of builds. While the directory is obviously contained in PATH,
using `sudo -E` didn't help. So we now install the Python packages in the
user's home directory to avoid having to use sudo.