5 years agoikev1: Don't call updown hook etc. when deleting redundant CHILD_SAs
Tobias Brunner [Wed, 20 Apr 2016 12:14:05 +0000 (14:14 +0200)]
ikev1: Don't call updown hook etc. when deleting redundant CHILD_SAs

Fixes #1421.

5 years agoandroid: New release after fixing a crash during certificate imports
Tobias Brunner [Fri, 6 May 2016 10:50:51 +0000 (12:50 +0200)]
android: New release after fixing a crash during certificate imports

5 years agoandroid: Avoid IllegalStateException when importing certificates
Tobias Brunner [Fri, 6 May 2016 10:41:33 +0000 (12:41 +0200)]
android: Avoid IllegalStateException when importing certificates

When certificates are imported via Storage Access Framework we did handle
the selection directly in onActivityResult().  However, at that point the
activity might apparently not yet be resumed.  So committing
FragmentTransactions could result in IllegalStateExceptions due to the
potential state loss.  To avoid that we cache the returned URI and wait
until onPostResume() to make sure the activity's state is fully restored
before showing the confirmation dialog.

5 years agoswanctl: Do not display rekey times for shunts
Andreas Steffen [Thu, 5 May 2016 12:53:22 +0000 (14:53 +0200)]
swanctl: Do not display rekey times for shunts

5 years agoMerge branch 'list-conns-plus'
Andreas Steffen [Wed, 4 May 2016 16:16:32 +0000 (18:16 +0200)]
Merge branch 'list-conns-plus'

5 years agotesting: Use reauthentication and set CHILD_SA rekey time, bytes and packets limits
Andreas Steffen [Tue, 3 May 2016 16:24:55 +0000 (18:24 +0200)]
testing: Use reauthentication and set CHILD_SA rekey time, bytes and packets limits

5 years agovici list-conns sends reauthentication and rekeying time information
Andreas Steffen [Tue, 3 May 2016 15:33:43 +0000 (17:33 +0200)]
vici list-conns sends reauthentication and rekeying time information

5 years agoswanctl: --list-conns shows eap_id, xauth_id and aaa_id
Andreas Steffen [Fri, 29 Apr 2016 15:33:57 +0000 (17:33 +0200)]
swanctl: --list-conns shows eap_id, xauth_id and aaa_id

5 years agotesting: uses xauth_id in swanctl/xauth-rsa scenario
Andreas Steffen [Fri, 29 Apr 2016 15:33:21 +0000 (17:33 +0200)]
testing: uses xauth_id in swanctl/xauth-rsa scenario

5 years agoandroid: New release after reducing number of DH groups in proposal
Tobias Brunner [Wed, 4 May 2016 10:07:36 +0000 (12:07 +0200)]
android: New release after reducing number of DH groups in proposal

5 years agoproposal: Remove some weaker and rarely used DH groups from the default proposal
Tobias Brunner [Wed, 4 May 2016 09:26:38 +0000 (11:26 +0200)]
proposal: Remove some weaker and rarely used DH groups from the default proposal

This fixes an interoperability issue with Windows Server 2012 R2 gateways.
They insist on using modp1024 for IKE, however, Microsoft's IKEv2
implementation seems only to consider the first 15 DH groups in the proposal.
Depending on the loaded plugins modp1024 is now at position 17 or even
later, causing the server to reject the proposal.  By removing some of
the weaker and rarely used DH groups from the default proposal we make
sure modp1024 is among the first 15 DH groups.  The removed groups may
still be used by configuring custom proposals.

5 years agoandroid: Use separate label strings for text fields in login dialog
Tobias Brunner [Tue, 3 May 2016 08:43:27 +0000 (10:43 +0200)]
android: Use separate label strings for text fields in login dialog

In the profile editor the password is now marked as optional in the
label, which looks a bit strange in the login dialog.

5 years agoandroid: New release after GUI changes/additions
Tobias Brunner [Mon, 2 May 2016 16:50:44 +0000 (18:50 +0200)]
android: New release after GUI changes/additions

5 years agoMerge branch 'android-gui-updates'
Tobias Brunner [Mon, 2 May 2016 16:39:26 +0000 (18:39 +0200)]
Merge branch 'android-gui-updates'

Removes the progress dialogs while connecting/disconnecting, updates
the VPN profile editor (floating labels, helper texts) and allows
configuration of the remote identity (disables loose identity matching),
and selection of the local identity if certificates are used.

Also fixes an issue when redirected during IKE_AUTH and increases the
NAT-T keepalive interval.

Fixes #1403.

5 years agoandroid: Show selected user identity in profile list
Tobias Brunner [Sat, 30 Apr 2016 15:14:34 +0000 (17:14 +0200)]
android: Show selected user identity in profile list

This also readds the colons that were removed from the labels.

5 years agoandroid: Allow selection of user identity in GUI
Tobias Brunner [Sat, 30 Apr 2016 15:04:45 +0000 (17:04 +0200)]
android: Allow selection of user identity in GUI

5 years agoandroid: Add adapter for user ID selection
Tobias Brunner [Sat, 30 Apr 2016 14:59:00 +0000 (16:59 +0200)]
android: Add adapter for user ID selection

5 years agoandroid: Add helper function to TrustedCertificateEntry to get subjectAltNames
Tobias Brunner [Sat, 30 Apr 2016 14:11:45 +0000 (16:11 +0200)]
android: Add helper function to TrustedCertificateEntry to get subjectAltNames

Duplicates (e.g. with different types) are filtered.  If necessary we
could later perhaps add a prefix.

5 years agoandroid: Add auto-completion to remote ID and profile name
Tobias Brunner [Sat, 30 Apr 2016 11:11:49 +0000 (13:11 +0200)]
android: Add auto-completion to remote ID and profile name

This makes it easy to explicitly use the server's IP/hostname as remote
identity or use it in the profile name.

5 years agoandroid: Make remote identity configurable in the GUI
Tobias Brunner [Sat, 30 Apr 2016 10:25:49 +0000 (12:25 +0200)]
android: Make remote identity configurable in the GUI

5 years agoandroid: Use TextInputLayout in login dialog
Tobias Brunner [Mon, 2 May 2016 16:04:03 +0000 (18:04 +0200)]
android: Use TextInputLayout in login dialog

5 years agoandroid: Use TextInputLayoutHelper in profile editor
Tobias Brunner [Sat, 30 Apr 2016 08:42:00 +0000 (10:42 +0200)]
android: Use TextInputLayoutHelper in profile editor

This adds floating labels and helper texts to the form fields. It also
changed/added lots of strings in the editor.

5 years agoandroid: Add TextInputLayout child class that displays a helper text below the text...
Tobias Brunner [Fri, 29 Apr 2016 16:15:29 +0000 (18:15 +0200)]
android: Add TextInputLayout child class that displays a helper text below the text field

Also hides the error message if the text is changed.

5 years agoandroid: Use proper namespace for custom attribute
Tobias Brunner [Fri, 29 Apr 2016 14:20:55 +0000 (16:20 +0200)]
android: Use proper namespace for custom attribute

5 years agoandroid: Move profile name field to the bottom and use server address as hint
Tobias Brunner [Fri, 29 Apr 2016 13:37:35 +0000 (15:37 +0200)]
android: Move profile name field to the bottom and use server address as hint

5 years agoandroid: Use configured local identity in auth-cfgs
Tobias Brunner [Fri, 29 Apr 2016 11:00:43 +0000 (13:00 +0200)]
android: Use configured local identity in auth-cfgs

We still default to the username or subject DN if none is configured.
But we don't check if the local ID is contained in the configured

5 years agoandroid: Use configured remote ID in auth-cfg
Tobias Brunner [Fri, 29 Apr 2016 10:48:40 +0000 (12:48 +0200)]
android: Use configured remote ID in auth-cfg

If one is explicitly set we don't use loose identity matching and send it as
IDr to the server.

Closes #strongswan/strongswan#29.
Fixes #1268.

5 years agoandroid: Pass local and remote identities as settings of a connection
Tobias Brunner [Fri, 29 Apr 2016 10:34:59 +0000 (12:34 +0200)]
android: Pass local and remote identities as settings of a connection

5 years agoandroid: Add fields for local and remote identities to data model
Tobias Brunner [Fri, 29 Apr 2016 10:27:38 +0000 (12:27 +0200)]
android: Add fields for local and remote identities to data model

5 years agoandroid: Avoid races between FragmentManager and state saving
Tobias Brunner [Thu, 28 Apr 2016 17:35:56 +0000 (19:35 +0200)]
android: Avoid races between FragmentManager and state saving

onSaveInstanceState is apparently called after pausing the fragment and after
that committing any FragmentTransactions causes an IllegalStateException.
We could use commitAllowingStateLoss() but that's not really necessary
as we don't need to update when we are not active anyway.  We also don't
update the view directly after registration as this happens
asynchronously, i.e. we might be paused when it finishes.

5 years agoandroid: Increase the NAT-T keepalive interval to potentially save battery life
Tobias Brunner [Thu, 28 Apr 2016 15:06:03 +0000 (17:06 +0200)]
android: Increase the NAT-T keepalive interval to potentially save battery life

In case this doesn't work out we could probably make it configurable.

References #1326.

5 years agoandroid: Show confirmation dialog also when connecting
Tobias Brunner [Mon, 2 May 2016 16:19:26 +0000 (18:19 +0200)]
android: Show confirmation dialog also when connecting

5 years agoandroid: Avoid ProgressDialogs in VPN state fragment
Tobias Brunner [Thu, 28 Apr 2016 12:46:10 +0000 (14:46 +0200)]
android: Avoid ProgressDialogs in VPN state fragment

Instead we use a ProgressBar directly in the fragment and use the
existing button to cancel the process.

5 years agoandroid: Fix display of remediation instructions with support library
Tobias Brunner [Thu, 28 Apr 2016 15:00:27 +0000 (17:00 +0200)]
android: Fix display of remediation instructions with support library

Because the support library creates its own layout manually and uses
different IDs than the list_content layout we can't use the method we
used previously (and which is actually recommended in the docs).

5 years agoandroid: Use Fragment class from the support library to avoid deprecation warnings
Tobias Brunner [Thu, 28 Apr 2016 07:21:06 +0000 (09:21 +0200)]
android: Use Fragment class from the support library to avoid deprecation warnings

For instance, onAttach() with an Activitiy as first argument was deprecated
with API level 23.  However, the overload with a Context as first argument
does obviously not get called on older API levels.  Luckily, the classes
provided by the support library handle that for us.

5 years agoandroid: Update README.ndk
Tobias Brunner [Wed, 27 Apr 2016 13:21:03 +0000 (15:21 +0200)]
android: Update README.ndk

5 years agoandroid: Use relative path for strongSwan sources
Tobias Brunner [Wed, 27 Apr 2016 13:11:54 +0000 (15:11 +0200)]
android: Use relative path for strongSwan sources

This avoids issues with recursion, which could have happened if the
strongswan directory was a symlink.

5 years agoandroid: Fix handling of redirects during IKE_AUTH
Tobias Brunner [Wed, 27 Apr 2016 12:55:43 +0000 (14:55 +0200)]
android: Fix handling of redirects during IKE_AUTH

5 years agoMerge branch 'android-tabs'
Tobias Brunner [Wed, 27 Apr 2016 12:35:47 +0000 (14:35 +0200)]
Merge branch 'android-tabs'

This migrates some deprecated Android APIs to replacements provided by
the support library.  This also changes the theme slightly.

5 years agoandroid: Fix color of lists and buttons on older platforms
Tobias Brunner [Tue, 26 Apr 2016 14:29:35 +0000 (16:29 +0200)]
android: Fix color of lists and buttons on older platforms

This adds a workaround for an issue on older platforms where the list is
not properly styled with colorAccent.  Similarly applies to borderless buttons.

5 years agoandroid: Use Activity as context for VpnProfileAdapter to fix theme
Tobias Brunner [Fri, 15 Apr 2016 11:21:22 +0000 (13:21 +0200)]
android: Use Activity as context for VpnProfileAdapter to fix theme

When using the application context theme customizations wouldn't get
applied for some reason.

5 years agoandroid: Use "server" instead of "gateway" in profile editor
Tobias Brunner [Tue, 12 Apr 2016 16:33:14 +0000 (18:33 +0200)]
android: Use "server" instead of "gateway" in profile editor

The term "gateway" is unfamiliar for most new users (or they confuse it
with the default gateway of their network) but they usually know that
they want to connect to a "server".

5 years agoandroid: Define a new color scheme
Tobias Brunner [Tue, 12 Apr 2016 15:46:53 +0000 (17:46 +0200)]
android: Define a new color scheme

This mainly changes the color of the appbar (colorPrimary), the color
of the status bar (colorPrimaryDark) is black like the default.
The accent color (colorAccent) used for controls like buttons and check
boxes is a slightly toned down version of the default.

5 years agoandroid: Get a warning on use of deprecated features
Tobias Brunner [Tue, 12 Apr 2016 15:43:39 +0000 (17:43 +0200)]
android: Get a warning on use of deprecated features

5 years agoandroid: Replace use of deprecate getColor() method overload
Tobias Brunner [Thu, 26 Nov 2015 17:07:23 +0000 (18:07 +0100)]
android: Replace use of deprecate getColor() method overload

5 years agoandroid: Make font in log view monospace again on Android 5+
Tobias Brunner [Thu, 26 Nov 2015 15:46:54 +0000 (16:46 +0100)]
android: Make font in log view monospace again on Android 5+

5 years agoandroid: Avoid deprecated tabs in the ActionBar in TrustedCertificatesActivity
Tobias Brunner [Thu, 26 Nov 2015 15:44:46 +0000 (16:44 +0100)]
android: Avoid deprecated tabs in the ActionBar in TrustedCertificatesActivity

Instead we use TabLayout and ViewPager from the support libraries.

5 years agoandroid: Automatically reload certificates if manager is reset
Tobias Brunner [Thu, 26 Nov 2015 15:33:08 +0000 (16:33 +0100)]
android: Automatically reload certificates if manager is reset

No need to manually reset the fragments anymore.

5 years agoandroid: Make TrustedCertificateManager an Observable
Tobias Brunner [Thu, 26 Nov 2015 15:22:43 +0000 (16:22 +0100)]
android: Make TrustedCertificateManager an Observable

Observers are notified when the manager is reset (and initially when the
certificates are first loaded).

5 years agoandroid: Switch to AppCompat/Material theme for dialogs
Tobias Brunner [Fri, 15 Apr 2016 15:36:31 +0000 (17:36 +0200)]
android: Switch to AppCompat/Material theme for dialogs

There is no AppCompatProgressDialog class as the use of ProgressDialog
is discouraged (instead progress bars should be placed in the layout directly).
To display the current ProgressDialog instances correctly on systems < 21 we
modify the window background color.

5 years agoandroid: Switch to AppCompat/Material theme and use custom Toolbar as AppBar
Tobias Brunner [Wed, 25 Nov 2015 16:05:56 +0000 (17:05 +0100)]
android: Switch to AppCompat/Material theme and use custom Toolbar as AppBar

Also includes some whitespace/formatting changes due to the switch to
Android Studio.

5 years agoandroid: Ignore build/ in project directory
Tobias Brunner [Fri, 15 Apr 2016 15:43:58 +0000 (17:43 +0200)]
android: Ignore build/ in project directory

5 years agoandroid: Update platform tools and pull in support libs
Tobias Brunner [Wed, 25 Nov 2015 15:07:55 +0000 (16:07 +0100)]
android: Update platform tools and pull in support libs

We'll have to change some stuff that Google deprecated (e.g. the tabs in
the ActionBar) and that requires changing the theme at least in activities.
Since that would look a bit inconsistent we'll change it globally and
use parts of the support library.

5 years agoandroid: Update Android Gradle plugin and wrapper
Tobias Brunner [Tue, 12 Apr 2016 15:10:11 +0000 (17:10 +0200)]
android: Update Android Gradle plugin and wrapper

5 years agotesting: Use absolute path of imv_policy_manager
Andreas Steffen [Tue, 26 Apr 2016 15:15:25 +0000 (17:15 +0200)]
testing: Use absolute path of imv_policy_manager

5 years agoUpdated products in IMV database
Andreas Steffen [Tue, 26 Apr 2016 15:13:49 +0000 (17:13 +0200)]
Updated products in IMV database

5 years agoswanctl: list EAP type in --list-conns
Andreas Steffen [Tue, 26 Apr 2016 15:13:20 +0000 (17:13 +0200)]
swanctl: list EAP type in --list-conns

5 years agotesting: -D and -u options in sfdisk are not supported any more
Andreas Steffen [Mon, 25 Apr 2016 17:31:12 +0000 (19:31 +0200)]
testing: -D and -u options in sfdisk are not supported any more

5 years agoidentification: Add support for dmdName RDN (
Yannick Cann [Mon, 25 Apr 2016 08:39:41 +0000 (10:39 +0200)]
identification: Add support for dmdName RDN (

It's listed in RFC 2256 but was later removed with RFC 4519, but there
are still some certs that use it.

Closes strongswan/strongswan#43.

5 years agoleak-detective: added _IO_file_doallocate to whitelist
Andreas Steffen [Sun, 24 Apr 2016 21:34:44 +0000 (23:34 +0200)]
leak-detective: added _IO_file_doallocate to whitelist

5 years agoswanctl: log errors to stderr
Andreas Steffen [Sun, 24 Apr 2016 21:33:23 +0000 (23:33 +0200)]
swanctl: log errors to stderr

5 years agotesting: updated testing.conf
Andreas Steffen [Sun, 24 Apr 2016 11:36:22 +0000 (13:36 +0200)]
testing: updated testing.conf

5 years agopool: Use correct name to remove index for CHILD_SA TS in SQLite script
Tobias Brunner [Mon, 18 Apr 2016 08:07:15 +0000 (10:07 +0200)]
pool: Use correct name to remove index for CHILD_SA TS in SQLite script

Fixes #1415.

5 years agokernel-pfkey: Add support for manual priorities
Tobias Brunner [Wed, 6 Apr 2016 13:17:06 +0000 (15:17 +0200)]
kernel-pfkey: Add support for manual priorities

Also orders policies with equals priorities by their automatic priority.

5 years agokernel-pfkey: Update priority calculation formula to the new one in kernel-netlink
Tobias Brunner [Mon, 11 Apr 2016 09:19:26 +0000 (11:19 +0200)]
kernel-pfkey: Update priority calculation formula to the new one in kernel-netlink

Since the selectors are not exactly the same (no port masks, no interface)
some small tweaks have been applied.

5 years agokernel-netlink: Order policies with equal priorities by their automatic priority
Tobias Brunner [Wed, 6 Apr 2016 12:40:28 +0000 (14:40 +0200)]
kernel-netlink: Order policies with equal priorities by their automatic priority

This allows using manual priorities for traps, which have a lower
base priority than the resulting IPsec policies.  This could otherwise
be problematic if, for example, swanctl --install/uninstall is used while
an SA is established combined with e.g. IPComp, where the trap policy does
not look the same as the IPsec policy (which is now otherwise often the case
as the reqids stay the same).

It also orders policies by selector size if manual priorities are configured
and narrowing occurs.

5 years agoMerge branch 'boringssl'
Tobias Brunner [Fri, 15 Apr 2016 08:33:23 +0000 (10:33 +0200)]
Merge branch 'boringssl'

Adds some fixes to the openssl plugin to build against BoringSSL.

Fixes #1374.

5 years agocurl: Add TLS support if libcurl is built against BoringSSL
Tobias Brunner [Mon, 11 Apr 2016 09:33:41 +0000 (11:33 +0200)]
curl: Add TLS support if libcurl is built against BoringSSL

We don't have to rely on the openssl plugin and its threading
initialization as BoringSSL is thread-safe out of the box.

5 years agoopenssl: BoringSSL does not support configuration
Tobias Brunner [Fri, 8 Apr 2016 13:56:25 +0000 (15:56 +0200)]
openssl: BoringSSL does not support configuration

The other initialization functions are still defined but many are
apparently no-ops (this is also true for the threading initialization).

5 years agoopenssl: The member storing the DH exponent length has been renamed in BoringSSL
Tobias Brunner [Fri, 8 Apr 2016 13:55:05 +0000 (15:55 +0200)]
openssl: The member storing the DH exponent length has been renamed in BoringSSL

5 years agoopenssl: Use proper EVP macro to determine size of a hash
Tobias Brunner [Fri, 8 Apr 2016 13:54:08 +0000 (15:54 +0200)]
openssl: Use proper EVP macro to determine size of a hash

5 years agoandroid: Remove OPENSSL_NO_EC* defines
Tobias Brunner [Wed, 13 Apr 2016 07:31:50 +0000 (09:31 +0200)]
android: Remove OPENSSL_NO_EC* defines

Current versions of OpenSSL/BoringSSL shipped with Android support ECC.

5 years agoandroid: OPENSSL_NO_ENGINE is now properly defined in the headers
Tobias Brunner [Fri, 8 Apr 2016 13:52:58 +0000 (15:52 +0200)]
android: OPENSSL_NO_ENGINE is now properly defined in the headers

5 years agocurl: Handle LibreSSL like OpenSSL in regards to multi-threading
Tobias Brunner [Fri, 8 Apr 2016 12:37:21 +0000 (14:37 +0200)]
curl: Handle LibreSSL like OpenSSL in regards to multi-threading

LibreSSL is API compatible so our openssl plugin does not need any
changes and it works fine with the curl plugin.

5 years agoconfigure: Replace two remaining usages of AC_HAVE_LIBRARY with AC_CHECK_LIB
Tobias Brunner [Fri, 8 Apr 2016 12:35:47 +0000 (14:35 +0200)]
configure: Replace two remaining usages of AC_HAVE_LIBRARY with AC_CHECK_LIB

5 years agothread: Don't hold mutex when calling cleanup handlers while terminating
Tobias Brunner [Wed, 13 Apr 2016 09:58:32 +0000 (11:58 +0200)]
thread: Don't hold mutex when calling cleanup handlers while terminating

This could interfere with cleanup handlers that try to acquire
mutexes while other threads holding these try to e.g. cancel the threads.

As cleanup handlers are only queued by the threads themselves we don't need
any synchronization to access the list.

Fixes #1401.

5 years agotesting: Added swanctl/rw-multi-ciphers-ikev1 scenario
Andreas Steffen [Tue, 12 Apr 2016 16:50:58 +0000 (18:50 +0200)]
testing: Added swanctl/rw-multi-ciphers-ikev1 scenario

5 years agoIgnore Qt Creator project files
Tobias Brunner [Mon, 11 Apr 2016 14:11:16 +0000 (16:11 +0200)]
Ignore Qt Creator project files

Closes strongswan/strongswan#32.

5 years agoVersion bump to 5.4.1dr1 5.4.1dr1
Andreas Steffen [Mon, 11 Apr 2016 08:24:12 +0000 (10:24 +0200)]
Version bump to 5.4.1dr1

5 years agoMerge branch 'kernel-policies'
Andreas Steffen [Mon, 11 Apr 2016 08:19:21 +0000 (10:19 +0200)]
Merge branch 'kernel-policies'

5 years agoExtended IPsec kernel policy scheme
Andreas Steffen [Sat, 9 Apr 2016 14:46:37 +0000 (16:46 +0200)]
Extended IPsec kernel policy scheme

The kernel policy now considers src and dst port masks as well as
restictions to a given network interface. The base priority is
100'000 for passthrough shunts, 200'000 for IPsec policies,
300'000 for IPsec policy traps and 400'000 for fallback drop shunts.
The values 1..30'000 can be used for manually set priorities.

5 years agotesting: Added swanctl/manual_prio scenario
Andreas Steffen [Wed, 6 Apr 2016 14:08:38 +0000 (16:08 +0200)]
testing: Added swanctl/manual_prio scenario

5 years agoInclude manual policy priorities and restriction to interfaces in vici list-conn...
Andreas Steffen [Mon, 28 Mar 2016 07:03:21 +0000 (09:03 +0200)]
Include manual policy priorities and restriction to interfaces in vici list-conn command

5 years agoImplemented IPsec policies restricted to given network interface
Andreas Steffen [Sun, 27 Mar 2016 08:18:19 +0000 (10:18 +0200)]
Implemented IPsec policies restricted to given network interface

5 years agoSupport manually-set IPsec policy priorities
Andreas Steffen [Thu, 24 Mar 2016 17:35:27 +0000 (18:35 +0100)]
Support manually-set IPsec policy priorities

5 years agopeer-cfg: Use struct to pass data to constructor
Tobias Brunner [Mon, 4 Apr 2016 16:41:17 +0000 (18:41 +0200)]
peer-cfg: Use struct to pass data to constructor

5 years agochild-cfg: Use struct to pass data to constructor
Tobias Brunner [Mon, 4 Apr 2016 14:09:23 +0000 (16:09 +0200)]
child-cfg: Use struct to pass data to constructor

5 years agokernel-pfkey: Prefer policies with reqid over those without
Tobias Brunner [Mon, 4 Apr 2016 13:06:44 +0000 (15:06 +0200)]
kernel-pfkey: Prefer policies with reqid over those without

5 years agokernel-pfkey: Only install templates for regular IPsec policies with reqid
Tobias Brunner [Mon, 4 Apr 2016 13:06:11 +0000 (15:06 +0200)]
kernel-pfkey: Only install templates for regular IPsec policies with reqid

5 years agotesting: Add swanctl/net2net-gw scenario
Tobias Brunner [Fri, 1 Apr 2016 17:05:02 +0000 (19:05 +0200)]
testing: Add swanctl/net2net-gw scenario

5 years agoshunt-manager: Install "outbound" FWD policy
Tobias Brunner [Mon, 4 Apr 2016 08:49:35 +0000 (10:49 +0200)]
shunt-manager: Install "outbound" FWD policy

If there is a default drop policy forwarded traffic might otherwise not
be allowed by a specific passthrough policy (while local traffic is

5 years agokernel-netlink: Prefer policies with reqid over those without
Tobias Brunner [Fri, 1 Apr 2016 15:06:10 +0000 (17:06 +0200)]
kernel-netlink: Prefer policies with reqid over those without

This allows two CHILD_SAs with reversed subnets to install two FWD
policies each.  Since the outbound policy won't have a reqid set we will
end up with the two inbound FWD policies installed in the kernel, with
the correct templates to allow decrypted traffic.

5 years agokernel-netlink: Only associate templates with inbound FWD policies
Tobias Brunner [Fri, 1 Apr 2016 14:51:51 +0000 (16:51 +0200)]
kernel-netlink: Only associate templates with inbound FWD policies

We can't set a template on the outbound FWD policy (or we'd have to make
it optional).  Because if the traffic does not come from another (matching)
IPsec tunnel it would get dropped due to the template mismatch.

5 years agochild-sa: Install "outbound" FWD policy
Tobias Brunner [Fri, 1 Apr 2016 14:41:05 +0000 (16:41 +0200)]
child-sa: Install "outbound" FWD policy

If there is a DROP shunt that matches outbound forwarded traffic it
would get dropped as the FWD policy we install only matches decrypted
inbound traffic.  That's because the Linux kernel first checks the FWD
policies before looking up the OUT policy and SA to encrypt the packets.

5 years agokernel-netlink: Associate routes with IN policies instead of FWD policies
Tobias Brunner [Fri, 1 Apr 2016 14:26:07 +0000 (16:26 +0200)]
kernel-netlink: Associate routes with IN policies instead of FWD policies

This allows us to install more than one FWD policy.  We already do this
in the kernel-pfkey plugin (there the original reason was that not all
kernels support FWD policies).

5 years agokernel: Use structs to pass information to the kernel-ipsec interface
Tobias Brunner [Thu, 31 Mar 2016 14:01:40 +0000 (16:01 +0200)]
kernel: Use structs to pass information to the kernel-ipsec interface

5 years agotesting: List conntrack table on sun in ikev2/host2host-transport-connmark scenario
Tobias Brunner [Wed, 6 Apr 2016 11:56:36 +0000 (13:56 +0200)]
testing: List conntrack table on sun in ikev2/host2host-transport-connmark scenario

5 years agotesting: Version bump to 5.4.0
Tobias Brunner [Wed, 6 Apr 2016 09:17:27 +0000 (11:17 +0200)]
testing: Version bump to 5.4.0

References #1382.

5 years agotesting: Disable leak detective when generating CRLs
Tobias Brunner [Tue, 24 Nov 2015 14:28:11 +0000 (15:28 +0100)]
testing: Disable leak detective when generating CRLs

GnuTLS, which can get loaded by the curl plugin, does not properly cleanup
some allocated memory when deinitializing.  This causes invalid frees if
leak detective is active.  Other invalid frees are related to time
conversions (tzset).

References #1382.

5 years agopkcs11: Skip zero-padding of r and s when preparing EC signature
Tobias Brunner [Mon, 4 Apr 2016 13:35:43 +0000 (15:35 +0200)]
pkcs11: Skip zero-padding of r and s when preparing EC signature

They are zero padded to fill the buffer.

Fixes #1377.