12 months agovici: Remove unreachable code
Tobias Brunner [Fri, 7 Sep 2018 09:17:06 +0000 (11:17 +0200)]
vici: Remove unreachable code

If list is TRUE any type but VICI_LIST_END and VICI_LIST_ITEM (i.e.
including VICI_END) is already handled in the first block in this

12 months agovici: Lease enumerator is always defined
Tobias Brunner [Fri, 7 Sep 2018 09:12:24 +0000 (11:12 +0200)]
vici: Lease enumerator is always defined

mem_pool_t always returns an enumerator.

12 months agostroke: Lease enumerator is always defined
Tobias Brunner [Fri, 7 Sep 2018 09:03:29 +0000 (11:03 +0200)]
stroke: Lease enumerator is always defined

This function is only called for existing pools (under the protection of
a read lock).

12 months agosmp: Remove unreachable initializer
Tobias Brunner [Fri, 7 Sep 2018 08:56:07 +0000 (10:56 +0200)]
smp: Remove unreachable initializer

Execution in this block will start with any of the case statements,
never with the initialization.

12 months agoeap-sim-pcsc: Fix leak in error case
Tobias Brunner [Fri, 7 Sep 2018 08:36:41 +0000 (10:36 +0200)]
eap-sim-pcsc: Fix leak in error case

12 months agotravis: Add sonarcloud build
Tobias Brunner [Mon, 10 Sep 2018 16:46:20 +0000 (18:46 +0200)]
travis: Add sonarcloud build

12 months agotravis: Automatically retry install steps
Tobias Brunner [Mon, 10 Sep 2018 10:22:20 +0000 (12:22 +0200)]
travis: Automatically retry install steps

There occasionally are network issues when fetching from Ubuntu/PPA
repos.  Let's see if this is a possible fix.

12 months agoswanctl: Allow passing a custom config file for each --load* command
Tobias Brunner [Mon, 28 May 2018 15:19:22 +0000 (17:19 +0200)]
swanctl: Allow passing a custom config file for each --load* command

Mainly for debugging, but could also be used to e.g. use a separate file
for connections and secrets.

12 months agoMerge branch 'ikev2-ppk'
Tobias Brunner [Mon, 10 Sep 2018 16:05:12 +0000 (18:05 +0200)]
Merge branch 'ikev2-ppk'

Adds support for Postquantum Preshared Keys for IKEv2.

Fixes #2710.

12 months agotesting: Add some PPK scenarios
Tobias Brunner [Thu, 30 Aug 2018 16:14:06 +0000 (18:14 +0200)]
testing: Add some PPK scenarios

12 months agoswanctl: Report the use of a PPK in --list-sas
Tobias Brunner [Fri, 27 Jul 2018 11:14:40 +0000 (13:14 +0200)]
swanctl: Report the use of a PPK in --list-sas

If we later decide the PPK_ID would be helpful, printing this on a
separate line would probably make sense.

12 months agovici: Return PPK state of an IKE_SA
Tobias Brunner [Fri, 27 Jul 2018 10:50:22 +0000 (12:50 +0200)]
vici: Return PPK state of an IKE_SA

12 months agoikev2: Mark IKE_SAs that used PPK during authentication
Tobias Brunner [Fri, 27 Jul 2018 10:14:18 +0000 (12:14 +0200)]
ikev2: Mark IKE_SAs that used PPK during authentication

12 months agoeap-authenticator: Add support for authentication with PPK
Tobias Brunner [Fri, 27 Jul 2018 09:24:49 +0000 (11:24 +0200)]
eap-authenticator: Add support for authentication with PPK

12 months agopubkey-authenticator: Add support for authentication with PPK
Tobias Brunner [Fri, 27 Jul 2018 08:49:30 +0000 (10:49 +0200)]
pubkey-authenticator: Add support for authentication with PPK

12 months agopsk-authenticator: Add support for authentication with PPK
Tobias Brunner [Thu, 26 Jul 2018 14:25:02 +0000 (16:25 +0200)]
psk-authenticator: Add support for authentication with PPK

12 months agoike-auth: Add basic PPK support
Tobias Brunner [Thu, 26 Jul 2018 15:28:13 +0000 (17:28 +0200)]
ike-auth: Add basic PPK support

Some of the work will have to be done in the authenticators.

12 months agoike-auth: Replace `== NULL` with `!`
Tobias Brunner [Thu, 26 Jul 2018 15:27:13 +0000 (17:27 +0200)]
ike-auth: Replace `== NULL` with `!`

12 months agoauthenticator: Add optional method to set PPK
Tobias Brunner [Thu, 26 Jul 2018 13:32:10 +0000 (15:32 +0200)]
authenticator: Add optional method to set PPK

12 months agoike-init: Send USE_PPK notify as appropriate
Tobias Brunner [Thu, 26 Jul 2018 13:20:30 +0000 (15:20 +0200)]
ike-init: Send USE_PPK notify as appropriate

12 months agoswanctl: Report PPK configuration in --list-conns
Tobias Brunner [Fri, 27 Jul 2018 10:34:23 +0000 (12:34 +0200)]
swanctl: Report PPK configuration in --list-conns

12 months agovici: Make PPK related options configurable
Tobias Brunner [Thu, 26 Jul 2018 15:57:36 +0000 (17:57 +0200)]
vici: Make PPK related options configurable

12 months agopeer-cfg: Add properties for PPK ID and whether PPK is required
Tobias Brunner [Thu, 26 Jul 2018 13:16:21 +0000 (15:16 +0200)]
peer-cfg: Add properties for PPK ID and whether PPK is required

12 months agoike-sa: Add flag for PPK extension
Tobias Brunner [Thu, 26 Jul 2018 09:47:46 +0000 (11:47 +0200)]
ike-sa: Add flag for PPK extension

12 months agokeymat_v2: Add support for PPKs
Tobias Brunner [Wed, 25 Jul 2018 14:43:01 +0000 (16:43 +0200)]
keymat_v2: Add support for PPKs

12 months agoswanctl: Add support for PPKs
Tobias Brunner [Thu, 26 Jul 2018 15:44:12 +0000 (17:44 +0200)]
swanctl: Add support for PPKs

12 months agovici: Add support for PPKs
Tobias Brunner [Wed, 25 Jul 2018 15:23:12 +0000 (17:23 +0200)]
vici: Add support for PPKs

12 months agoshared-key: Add a new type for Postquantum Preshared Keys
Tobias Brunner [Wed, 25 Jul 2018 13:30:05 +0000 (15:30 +0200)]
shared-key: Add a new type for Postquantum Preshared Keys

Using a separate type allows us to easily check if we have any PPKs
available at all.

12 months agoikev2: Add notify types for Postquantum Preshared Keys
Tobias Brunner [Wed, 25 Jul 2018 13:29:58 +0000 (15:29 +0200)]
ikev2: Add notify types for Postquantum Preshared Keys

12 months agounit-tests: Add tests for peer_cfg_t::replace_child_cfgs()
Tobias Brunner [Thu, 6 Sep 2018 13:17:37 +0000 (15:17 +0200)]
unit-tests: Add tests for peer_cfg_t::replace_child_cfgs()

12 months agopeer-cfg: Replace equal child configs with newly added ones
Tobias Brunner [Thu, 6 Sep 2018 13:13:37 +0000 (15:13 +0200)]
peer-cfg: Replace equal child configs with newly added ones

Otherwise, renamed child configs would still be known to the daemon
under their old name.

Fixes #2746.

12 months agocrypto: References to RFCs 8410 and 8420
Andreas Steffen [Tue, 4 Sep 2018 05:24:20 +0000 (07:24 +0200)]
crypto: References to RFCs 8410 and 8420

12 months agoNormalize whitespace in boilerplate files
Tobias Brunner [Fri, 6 Jul 2018 12:07:39 +0000 (14:07 +0200)]
Normalize whitespace in boilerplate files

Now all consistently use 2 or 4 (HACKING) spaces for indentation.

12 months agoREADME: Fix indentation
Tobias Brunner [Fri, 6 Jul 2018 10:09:32 +0000 (12:09 +0200)]
README: Fix indentation

12 months agoinit: Reload configurations/credentials as well during systemctl reload
Martin Willi [Tue, 7 Mar 2017 16:29:45 +0000 (17:29 +0100)]
init: Reload configurations/credentials as well during systemctl reload

12 months agoswanctl: Add --reauth option to --rekey command
Tobias Brunner [Thu, 23 Aug 2018 14:20:06 +0000 (16:20 +0200)]
swanctl: Add --reauth option to --rekey command

12 months agovici: Add option to reauthenticae instead of rekey an IKEv2 SA
Tobias Brunner [Thu, 23 Aug 2018 14:16:47 +0000 (16:16 +0200)]
vici: Add option to reauthenticae instead of rekey an IKEv2 SA

12 months agoMerge branch 'xfrm-set-mark'
Tobias Brunner [Fri, 31 Aug 2018 10:27:40 +0000 (12:27 +0200)]
Merge branch 'xfrm-set-mark'

This adds the ability to configure marks the in- and/or outbound SA
should apply to packets after processing on Linux.  Configuring such a mark
for outbound SAs requires at least a 4.14 kernel.  The ability to set a mask
and configuring a mark/mask for inbound SAs will be added with the upcoming
4.19 kernel.

12 months agochild-sa: Use SA matching mark as SA set mark if the latter is %same
Martin Willi [Wed, 9 May 2018 11:40:36 +0000 (13:40 +0200)]
child-sa: Use SA matching mark as SA set mark if the latter is %same

For inbound processing, it can be rather useful to apply the mark to the
packet in the SA, so the associated policy with that mark implicitly matches.
When using %unique as match mark, we don't know the mark beforehand, so
we most likely want to set the mark we match against.

12 months agoipsec-types: Restrict the use of %unique and other keywords when parsing marks
Martin Willi [Mon, 14 May 2018 11:42:53 +0000 (13:42 +0200)]
ipsec-types: Restrict the use of %unique and other keywords when parsing marks

%unique (and the upcoming %same key) are usable in specific contexts only.
To restrict the user from using it in other places where it does not get the
expected results, reject such keywords unless explicitly allowed.

12 months agovici: Document kernel requirements for set_mark_in/set_mark_out options
Martin Willi [Mon, 14 May 2018 10:55:27 +0000 (12:55 +0200)]
vici: Document kernel requirements for set_mark_in/set_mark_out options

12 months agovici: Make in-/outbound marks the SA should set configurable
Tobias Brunner [Fri, 20 Apr 2018 12:12:48 +0000 (14:12 +0200)]
vici: Make in-/outbound marks the SA should set configurable

12 months agochild-sa: Configure in-/outbound mark the SA should set
Tobias Brunner [Fri, 20 Apr 2018 12:08:35 +0000 (14:08 +0200)]
child-sa: Configure in-/outbound mark the SA should set

12 months agochild-cfg: Add properties for in-/outbound mark the SA should set
Tobias Brunner [Fri, 20 Apr 2018 12:02:57 +0000 (14:02 +0200)]
child-cfg: Add properties for in-/outbound mark the SA should set

12 months agokernel-netlink: Add support for setting mark/mask an SA should apply to processed...
Tobias Brunner [Fri, 20 Apr 2018 12:01:12 +0000 (14:01 +0200)]
kernel-netlink: Add support for setting mark/mask an SA should apply to processed traffic

12 months agokernel-netlink: Use larger buffer for event messages
Tobias Brunner [Fri, 10 Aug 2018 12:41:16 +0000 (14:41 +0200)]
kernel-netlink: Use larger buffer for event messages

12 months agoikev1: Increase DPD sequence number only after receiving a response
Tobias Brunner [Mon, 6 Aug 2018 15:01:20 +0000 (17:01 +0200)]
ikev1: Increase DPD sequence number only after receiving a response

We don't retransmit DPD requests like we do requests for proper exchanges,
so increasing the number with each sent DPD could result in the peer's state
getting out of sync if DPDs are lost.  Because according to RFC 3706, DPDs
with an unexpected sequence number SHOULD be rejected (it does mention the
possibility of maintaining a window of acceptable numbers, but we currently
don't implement that).  We partially ignore such messages (i.e. we don't
update the expected sequence number and the inbound message stats, so we
might send a DPD when none is required).  However, we always send a response,
so a peer won't really notice this (it also ensures a reply for "retransmits"
caused by this change, i.e. multiple DPDs with the same number - hopefully,
other implementations behave similarly when receiving such messages).

Fixes #2714.

12 months agoRemove ITA references
Tobias Brunner [Fri, 31 Aug 2018 09:11:12 +0000 (11:11 +0200)]
Remove ITA references

12 months agoikev1: Signal IKE_SA connection failure via bus
Tobias Brunner [Thu, 23 Aug 2018 15:54:29 +0000 (17:54 +0200)]
ikev1: Signal IKE_SA connection failure via bus

This is mainly for HA where a passive SA was already created when the
IKE keys were derived.  If e.g. an authentication error occurs later that
SA wouldn't get cleaned up.

12 months agoaggressive-mode: Trigger alerts for authentication failures
Tobias Brunner [Thu, 23 Aug 2018 15:25:08 +0000 (17:25 +0200)]
aggressive-mode: Trigger alerts for authentication failures

12 months agomain-mode: Local identity is always defined
Tobias Brunner [Thu, 23 Aug 2018 15:31:50 +0000 (17:31 +0200)]
main-mode: Local identity is always defined

12 months agomain-mode: Also trigger a PEER_AUTH_FAILED alert if authorize() fails
Tobias Brunner [Thu, 23 Aug 2018 15:24:26 +0000 (17:24 +0200)]
main-mode: Also trigger a PEER_AUTH_FAILED alert if authorize() fails

12 months agomain-mode: Signal local/peer auth failure via bus
Thomas Egerer [Tue, 14 Aug 2018 11:56:58 +0000 (13:56 +0200)]
main-mode: Signal local/peer auth failure via bus

Signed-off-by: Thomas Egerer <>
12 months agocustom-logger: Add optional reload method
Thomas Egerer [Wed, 29 Aug 2018 11:14:59 +0000 (13:14 +0200)]
custom-logger: Add optional reload method

The reload of the configuration of the loggers so far only included
the log levels. In order to support the reload of all other options,
a reload function may be implemented.

Signed-off-by: Thomas Egerer <>
12 months agoike-sa-manager: Log message when scheduling delete for reauthenticated IKE_SA
Tobias Brunner [Tue, 28 Aug 2018 15:11:13 +0000 (17:11 +0200)]
ike-sa-manager: Log message when scheduling delete for reauthenticated IKE_SA

12 months agoMerge branch 'ip-header-fields'
Tobias Brunner [Wed, 29 Aug 2018 09:46:13 +0000 (11:46 +0200)]
Merge branch 'ip-header-fields'

Adds new options that allow configuring how/whether certain fields in
the IP headers are copied during IPsec processing. Currently only allows
configuration on Linux.

Closes strongswan/strongswan#104.

12 months agokernel: Add option to control DS field behavior
Tobias Brunner [Mon, 11 Jun 2018 10:07:48 +0000 (12:07 +0200)]
kernel: Add option to control DS field behavior

12 months agokernel: Add options to control DF and ECN header bits/fields via XFRM
Tobias Brunner [Mon, 11 Jun 2018 08:49:16 +0000 (10:49 +0200)]
kernel: Add options to control DF and ECN header bits/fields via XFRM

The options control whether the DF and ECN header bits/fields are copied
from the unencrypted packets to the encrypted packets in tunnel mode (DF only
for IPv4), and for ECN whether the same is done for inbound packets.

Note: This implementation only works with Linux/Netlink/XFRM.

Based on a patch by Markus Sattler.

12 months agovici: Add error handling to message parsing in Perl bindings
Tobias Brunner [Tue, 5 Jun 2018 15:49:42 +0000 (17:49 +0200)]
vici: Add error handling to message parsing in Perl bindings

12 months agovici: Improve message parsing performance in Perl bindings
Afschin Hormozdiary [Tue, 5 Jun 2018 13:10:43 +0000 (15:10 +0200)]
vici: Improve message parsing performance in Perl bindings

During a test with ~12000 established SAs it was noted that vici
related operations hung.
The operations took over 16 minutes to finish. The time was spent in
the vici message parser, which was assigning the message over and over
again, to get rid of the already parsed portions.

First fixed by cutting the consumed parts off without copying the message.
Runtime for ~12000 SAs is now around 20 seconds.

Further optimization brought the runtime down to roughly 1-2 seconds
by using an fd to read through the message variable.

Closes strongswan/strongswan#103.

12 months agokernel-netlink: Align concatenated Netlink responses
Thomas Egerer [Thu, 16 Aug 2018 07:12:37 +0000 (09:12 +0200)]
kernel-netlink: Align concatenated Netlink responses

The code to support parallel Netlink queries (commit 3c7193f) made use
of nlmsg_len member from struct nlmsghdr to allocate and copy the
responses. Since NLMSG_NEXT is later used to parse these responses, they
must be aligned, or the results are undefined.

Signed-off-by: Thomas Egerer <>
13 months agolibimcv: Fix
Tobias Brunner [Fri, 10 Aug 2018 08:09:07 +0000 (10:09 +0200)]
libimcv: Fix

13 months agolibtpmtss: Fixed
Vishal Rana [Thu, 9 Aug 2018 05:28:03 +0000 (22:28 -0700)]
libtpmtss: Fixed

Closes strongswan/strongswan#111

Signed-off-by: Vishal Rana <>
13 months agoREADME: Fix typos
Tom Schlenkhoff [Mon, 6 Aug 2018 11:24:18 +0000 (13:24 +0200)]
README: Fix typos

Closes strongswan/strongswan#110.

13 months agotravis: Fix vici Python tests when using Clang
Tobias Brunner [Mon, 6 Aug 2018 09:54:24 +0000 (11:54 +0200)]
travis: Fix vici Python tests when using Clang

For some reason the clang binary that's installed in an uncommon
directory could not be found anymore when installing packages via pip for
the last couple of builds. While the directory is obviously contained in PATH,
using `sudo -E` didn't help. So we now install the Python packages in the
user's home directory to avoid having to use sudo.

13 months agoVersion bump to 5.7.0dr8 5.7.0dr8
Andreas Steffen [Thu, 2 Aug 2018 05:30:05 +0000 (07:30 +0200)]
Version bump to 5.7.0dr8

13 months agoMerge branch 'swima-subscriptions'
Andreas Steffen [Thu, 2 Aug 2018 05:28:52 +0000 (07:28 +0200)]
Merge branch 'swima-subscriptions'

13 months agotnccs-20: Defer handshake retry when sending SRETRY batch
Andreas Steffen [Sat, 28 Jul 2018 12:57:49 +0000 (14:57 +0200)]
tnccs-20: Defer handshake retry when sending SRETRY batch

Set a retry_handshake flag on a TNC server when sending a SRETRY
batch and do the retry only after receiving the next CDATA batch
from the TNC client.

13 months agolibimcv: Reset of IMC state for new measurement cycle
Andreas Steffen [Tue, 31 Jul 2018 12:06:21 +0000 (14:06 +0200)]
libimcv: Reset of IMC state for new measurement cycle

13 months agolibimcv: Reset of IMV state for new measurement cycle
Andreas Steffen [Thu, 26 Jul 2018 15:24:32 +0000 (17:24 +0200)]
libimcv: Reset of IMV state for new measurement cycle

13 months agoimv-swima: Support subscriptions
Andreas Steffen [Wed, 25 Jul 2018 06:41:05 +0000 (08:41 +0200)]
imv-swima: Support subscriptions

13 months agoimc-swima: Support subscriptions
Andreas Steffen [Tue, 24 Jul 2018 20:35:55 +0000 (22:35 +0200)]
imc-swima: Support subscriptions

13 months agolibimcv: Missing comma in pa_tnc_error_code_names
Andreas Steffen [Tue, 24 Jul 2018 18:43:31 +0000 (20:43 +0200)]
libimcv: Missing comma in pa_tnc_error_code_names

13 months agoVersion bump to 5.7.0dr6 5.7.0dr6
Andreas Steffen [Sat, 21 Jul 2018 07:30:53 +0000 (09:30 +0200)]
Version bump to 5.7.0dr6

13 months agolibtpmss: Configure TCTI device options
Andreas Steffen [Thu, 19 Jul 2018 15:53:31 +0000 (17:53 +0200)]
libtpmss: Configure TCTI device options

13 months agoVersion bump to 5.7.0dr5 5.7.0dr5
Andreas Steffen [Thu, 19 Jul 2018 12:13:09 +0000 (14:13 +0200)]
Version bump to 5.7.0dr5

13 months agolibimcv: Added Debian 8.11 and Ubunut 18.04 to IMV database
Andreas Steffen [Thu, 19 Jul 2018 12:11:44 +0000 (14:11 +0200)]
libimcv: Added Debian 8.11 and Ubunut 18.04 to IMV database

13 months agolibtpmtss: Support of RSAPSS signature scheme
Andreas Steffen [Wed, 18 Jul 2018 20:55:27 +0000 (22:55 +0200)]
libtpmtss: Support of RSAPSS signature scheme

13 months agolibtpmtss: Support for TSS2 v2 libraries
Andreas Steffen [Tue, 17 Jul 2018 21:22:52 +0000 (23:22 +0200)]
libtpmtss: Support for TSS2 v2 libraries

14 months agotesting: Optionally build/install strongSwan only on a specific guest
Tobias Brunner [Wed, 11 Jul 2018 16:38:09 +0000 (18:38 +0200)]
testing: Optionally build/install strongSwan only on a specific guest

This may be used to test different strongSwan versions against each

14 months agoconf: Fix bench_time documentation
Tobias Brunner [Mon, 9 Jul 2018 16:10:07 +0000 (18:10 +0200)]
conf: Fix bench_time documentation

14 months agomessage: Report the size of the complete reassembled IKE message
Tobias Brunner [Thu, 5 Jul 2018 15:36:21 +0000 (17:36 +0200)]
message: Report the size of the complete reassembled IKE message

This way we see the same size on both ends, namely that of the complete
IKE message as if it was sent in a single packet (excluding UDP/IP headers).

14 months agoencrypted-payload: Change how the length for reassembled messages is calculated
Tobias Brunner [Thu, 5 Jul 2018 15:21:47 +0000 (17:21 +0200)]
encrypted-payload: Change how the length for reassembled messages is calculated

If we have an AEAD transform we add the overhead as if the data would have
been transported in a single encrypted payload.

14 months agoencrypted-payload: Add getter for the used AEAD transform
Tobias Brunner [Thu, 5 Jul 2018 15:20:52 +0000 (17:20 +0200)]
encrypted-payload: Add getter for the used AEAD transform

14 months agotesting: Fix checks after changing fragmentation log messages
Tobias Brunner [Thu, 5 Jul 2018 15:19:39 +0000 (17:19 +0200)]
testing: Fix checks after changing fragmentation log messages

14 months agocharon-nm: Parse any type of private key in need_secrets
SC Lee [Mon, 9 Jul 2018 09:54:25 +0000 (17:54 +0800)]
charon-nm: Parse any type of private key in need_secrets

Previously, when the user supplied an ECDSA key for public key authentication,
the user was always asked to provide a password, even if the key was not

Related: 954f73ea6e7e ("charon-nm: Parse any type of private key not only RSA")
Closes strongswan/strongswan#108.

14 months agokernel-pfkey: Add support for native ChaCha20/Poly1305 on macOS
Tobias Brunner [Fri, 6 Jul 2018 08:17:52 +0000 (10:17 +0200)]
kernel-pfkey: Add support for native ChaCha20/Poly1305 on macOS

14 months agokernel-pfkey: Enable macOS native AES_GCM_ICV16 support
Ruben Tytgat [Thu, 5 Jul 2018 15:54:42 +0000 (17:54 +0200)]
kernel-pfkey: Enable macOS native AES_GCM_ICV16 support

macOS supports AES_GCM_ICV16 natively using PF_KEYv2.

This change enables AES_GCM if the corresponding definition is detected
in the headers.

With this change it is no longer necessary to use the libipsec module to
use AES_GCM on macOS.

Closes strongswan/strongswan#107.

14 months agotesting: The dhcp plugin uses the DHCP client port again by default
Tobias Brunner [Thu, 5 Jul 2018 16:12:40 +0000 (18:12 +0200)]
testing: The dhcp plugin uses the DHCP client port again by default

This reverts parts of commit becf027cd9b0af162247015a9fff6c00e59fd6ce.

Fixes: 707b70725a7d ("dhcp: Only use DHCP server port if explicitly configured")

14 months agoandroid: New release after fixing EAP-PEAP issue and Autofill crash
Tobias Brunner [Wed, 4 Jul 2018 09:51:44 +0000 (11:51 +0200)]
android: New release after fixing EAP-PEAP issue and Autofill crash

14 months agoRevert "android: Enable the eap-ttls and eap-peap plugins"
Tobias Brunner [Wed, 4 Jul 2018 17:35:55 +0000 (19:35 +0200)]
Revert "android: Enable the eap-ttls and eap-peap plugins"

This reverts commit 064c97afaeabc341f98577eae67073641b1591db.

We have to make this optional and more configurable.  It seems some
commercial VPN providers use self-signed certificates for their AAA

14 months agoandroid: Move hint from TextInputEditText to TextInputLayout
Tobias Brunner [Wed, 4 Jul 2018 09:43:40 +0000 (11:43 +0200)]
android: Move hint from TextInputEditText to TextInputLayout

This avoids a NullPointerException on Android 8 related to the optional
Autofill functionality.  The bug has been fixed in Android 8.1 [1] but there
is no fix for Android 8.


14 months agoandroid: Don't enforce the server address as AAA identity for EAP-PEAP/TTLS
Tobias Brunner [Wed, 4 Jul 2018 09:17:04 +0000 (11:17 +0200)]
android: Don't enforce the server address as AAA identity for EAP-PEAP/TTLS

This is similar to EAP-TLS.  We could probably make this configurable

14 months agoandroid: New release after fixing cancelling connecting on older systems
Tobias Brunner [Tue, 3 Jul 2018 13:43:32 +0000 (15:43 +0200)]
android: New release after fixing cancelling connecting on older systems

14 months agoandroid: Poll dropper TUN device for data on older Android systems
Tobias Brunner [Tue, 3 Jul 2018 13:03:51 +0000 (15:03 +0200)]
android: Poll dropper TUN device for data on older Android systems

It seems that even the NIO version of read() is uninterruptible on
platforms < Android 7 (24).

14 months agoMerge branch 'android-updates'
Tobias Brunner [Tue, 3 Jul 2018 10:15:52 +0000 (12:15 +0200)]
Merge branch 'android-updates'

Lots of new features, e.g. Quick Settings tile, Always-on VPN, error
recovery, and lots of improvements under the hood.

14 months agoandroid: New version after adding lots of new features
Tobias Brunner [Thu, 21 Jun 2018 17:06:49 +0000 (19:06 +0200)]
android: New version after adding lots of new features

14 months agoandroid: Use ListView for log messages
Tobias Brunner [Mon, 2 Jul 2018 16:05:13 +0000 (18:05 +0200)]
android: Use ListView for log messages

This is hopefully a bit more efficient for large log files than the previous
single TextView.  The ListView widget also provides an auto-scroll mechanism.

14 months agoandroid: Simplify error handling in VPN state fragment
Tobias Brunner [Fri, 29 Jun 2018 14:42:18 +0000 (16:42 +0200)]
android: Simplify error handling in VPN state fragment

Always reset the error state when disconnecting via state service. This
way the error state is also cleared when the connection is terminated
directly via control activity.

14 months agoandroid: Remove MIME type filter when importing trusted certificates
Tobias Brunner [Fri, 29 Jun 2018 14:04:10 +0000 (16:04 +0200)]
android: Remove MIME type filter when importing trusted certificates

This way we should see files even if the MIME type has not been set
correctly while downloading it.