strongswan.git
vici: Add command to load a private key from a token
Tobias Brunner [Fri, 18 Nov 2016 14:01:18 +0000 (15:01 +0100)]

PINs are stored in a "hidden" credential set, so that its shared
secrets are not exposed via VICI.  Since they are not explicitly loaded as
shared secrets via VICI a client might consider them as removed secrets and
remove them.

vici: List namespace/peer-cfg name with policies and allow filtering
Tobias Brunner [Mon, 13 Feb 2017 17:18:58 +0000 (18:18 +0100)]

The two names are also transmitted in separate keys.

swanctl: Pass optional connection name to --initiate/install/uninstall
Tobias Brunner [Tue, 11 Oct 2016 16:27:29 +0000 (18:27 +0200)]

vici: Explicitly use peer name when uninstalling trap and shunt policies
Tobias Brunner [Wed, 16 Nov 2016 17:13:59 +0000 (18:13 +0100)]

Also adds an `ike` parameter to the `uninstall` command.

stroke: Use peer name as namespace for shunt policies
Tobias Brunner [Wed, 8 Feb 2017 15:13:32 +0000 (16:13 +0100)]

The same goes for the start-action-job.  When unrouting, we search for
the first policy with a matching child-cfg.

shunt-manager: Add an optional namespace for each shunt
Tobias Brunner [Wed, 16 Nov 2016 16:59:22 +0000 (17:59 +0100)]

This will allow us to reuse the names of child configs e.g. when they
are defined in different connections.

vici: Add support for NT Hash secrets
Tobias Brunner [Wed, 16 Nov 2016 16:12:33 +0000 (17:12 +0100)]

Fixes #1002.

vici: Add support for IPv6 Transport Proxy Mode
Tobias Brunner [Wed, 16 Nov 2016 14:58:34 +0000 (15:58 +0100)]

vici: Add support for certificate policies
Tobias Brunner [Wed, 16 Nov 2016 14:37:23 +0000 (15:37 +0100)]

vici: Add missing dscp setting for IKE_SAs
Tobias Brunner [Fri, 11 Nov 2016 09:40:53 +0000 (10:40 +0100)]

Fixes #2170.

swanctl: Automatically unload removed shared keys
Tobias Brunner [Wed, 9 Nov 2016 15:49:35 +0000 (16:49 +0100)]

vici: Add possibility to remove shared keys by a unique identifier
Tobias Brunner [Wed, 9 Nov 2016 15:27:01 +0000 (16:27 +0100)]

This identifier can be set when adding/replacing a secret.  The unique
identifiers of all secrets may be enumerated.

mem-cred: Add methods to add/remove shared keys with unique identifiers
Tobias Brunner [Wed, 9 Nov 2016 15:20:03 +0000 (16:20 +0100)]

Also added is a method to enumerate the unique identifiers.

swanctl: Automatically unload removed private keys
Tobias Brunner [Wed, 9 Nov 2016 11:25:00 +0000 (12:25 +0100)]

vici: Add commands to enumerate and remove private keys
Tobias Brunner [Wed, 9 Nov 2016 10:49:32 +0000 (11:49 +0100)]

They are identified by their SHA-1 key identifier.

mem-cred: Add method to remove a private key with a specific fingerprint
Tobias Brunner [Wed, 9 Nov 2016 10:22:11 +0000 (11:22 +0100)]

swanctl: Add possibility to query a specific pool by name
Tobias Brunner [Wed, 9 Nov 2016 09:37:56 +0000 (10:37 +0100)]

vici: Update get_pools() in Python and Ruby bindings
Tobias Brunner [Thu, 8 Dec 2016 17:14:40 +0000 (18:14 +0100)]

vici: Add option to query a specific pool
Tobias Brunner [Wed, 9 Nov 2016 09:18:01 +0000 (10:18 +0100)]

bypass-lan: Don't use interfaces in policies
Tobias Brunner [Mon, 13 Feb 2017 18:06:24 +0000 (19:06 +0100)]

After an interface disappeared we can't remove the policies correctly as
the name doesn't resolve to the previous index anymore.
And making the policies so specific might not provide that much benefit.

To handle the interfaces on the policies correctly would require some
changes to the child-cfg, kernel-interface etc. so they'd take interface
indices directly so we could target the policies correctly even if an
interface disappeared (or reappeared and got a new index).

testing: Fix ALLOWED_HOSTS in strongTNC settings.ini
Tobias Brunner [Thu, 16 Feb 2017 17:24:25 +0000 (18:24 +0100)]

testing: Fix swanctl/ocsp-disabled scenario after changing the log messages
Tobias Brunner [Thu, 16 Feb 2017 16:51:16 +0000 (17:51 +0100)]

revocation: More accurately describe the flags to disable OCSP/CRL validation
Tobias Brunner [Wed, 25 Jan 2017 15:17:38 +0000 (16:17 +0100)]

These options disable validation as such, e.g. even from cached CRLs, not
only the fetching.  Also made the plugin's validate() implementation a
no-op if both options are disabled.

child-sa: Do not install mark on inbound kernel SA
Eyal Birger [Wed, 25 Jan 2017 10:26:42 +0000 (12:26 +0200)]

The SA ID (src, dst, proto, spi) is unique on ingress.

As such, explicit inbound marking is not needed to match an SA.

On the other hand, requiring inbound SAs to use marks forces the
installation of a mechanism for marking traffic (e.g. iptables) based
on some criteria.

Defining the criteria becomes complicated, for example when required to
support multiple SAs from the same src, especially when traffic is UDP
encapsulated.

This commit removes the assignment of the child_sa mark_in to the inbound SA.

Policies can be arbitrated by existing means - e.g, via netfilter policy
matching or using VTI interfaces - without the need to classify the flows prior
to state matching.

Since the reqid allocator regards the mark value, there is no risk of matching
the wrong policy.

And as explicit marking was required for route-based VPN to work before this
change, it should not cause regressions in existing setups.

Closes strongswan/strongswan#59.

unit-tests: Allow default test timeout to be configured via compile option
Thomas Egerer [Fri, 10 Feb 2017 14:27:11 +0000 (15:27 +0100)]

Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>

tkm: Fix get_auth_octets() signature
Tobias Brunner [Mon, 13 Feb 2017 17:36:01 +0000 (18:36 +0100)]

Fixes: 267c1f7083d4 ("keymat: Allow keymat to modify signature scheme(s)")

kernel-netlink: Use RTA_SRC to specify route source in kernel-based lookups
Martin Willi [Thu, 19 Jan 2017 10:23:45 +0000 (11:23 +0100)]

For table dumps the kernel accepts RTA_PREFSRC to filter the routes, which is
what we do when doing userspace route calculations. For kernel-based route
lookups, however, the RTA_PREFSRC attribute is ignored and we must specify
RTA_SRC for policy based route lookups.

kernel-netlink: Use kernel-based route lookup if we do not install routes
Martin Willi [Thu, 19 Jan 2017 10:03:55 +0000 (11:03 +0100)]

For gateways with many connections, installing routes is often disabled,
as we can use a static route configuration to achieve proper routing with
a single rule. If this is the case, there is no need to dump all routes and
do userspace route lookups, as there is no need to exclude routes we installed
ourselves.

Doing kernel-based route lookups is not only faster with many routes, but also
can use the full power of Linux policy based routing; something we can hardly
rebuild in userspace when calculating routes.

swanctl: List CHILD_SA marks, if set
Martin Willi [Fri, 6 Jan 2017 12:01:34 +0000 (13:01 +0100)]

vici: Include the Netfilter marks in listed CHILD_SAs
Martin Willi [Fri, 6 Jan 2017 11:42:04 +0000 (12:42 +0100)]

vici: Explicitly set the Python encoding type
Martin Willi [Tue, 8 Dec 2015 16:13:59 +0000 (17:13 +0100)]

When using vici over RPyC and its (awesome) splitbrain, encoding and decoding
strings fails in vici, most likely because of the Monkey-Patch magic splitbrain
uses.

When specifying the implicit UTF-8 as encoding scheme explicitly, Python uses
the correct method to encode/decode the string, making vici usable in
splitbrain contexts.

Merge branch 'mid-sync'
Tobias Brunner [Wed, 8 Feb 2017 14:11:20 +0000 (15:11 +0100)]

Adds support for handling IKEV2_MESSAGE_ID_SYNC notifies as responder
(usually the original initiator) as defined in RFC 6311.  Some HA solutions
use these notifies to set the new IKEv2 message IDs after a failover event.

unit-tests: Add test cases for MID sync exchanges
Tobias Brunner [Tue, 4 Oct 2016 17:35:51 +0000 (19:35 +0200)]

ikev2: Ignore IKEV2_MESSAGE_ID_SYNC notifies if extension is disabled
Tobias Brunner [Tue, 4 Oct 2016 15:07:30 +0000 (17:07 +0200)]

If this is the first message by the peer, i.e. we expect MID 0, the
message is not pre-processed in the task manager so we ignore it in the
task.

We also make sure to ignore such messages if the extension is disabled
and the peer already sent us one INFORMATIONAL, e.g. a DPD (we'd otherwise
consider the message with MID 0 as a retransmit).

ikev2: Don't increase expected MID after handling MID sync message
Tobias Brunner [Tue, 4 Oct 2016 13:15:36 +0000 (15:15 +0200)]

If the responder never sent a message the expected MID is 0.  While
the sent MID (M1) SHOULD be increased beyond the known value, it's
not necessarily the case.
Since M2 - 1 would then equal UINT_MAX setting that MID would get ignored
and while we'd return 0 in the notify we'd actually expect 1 afterwards.

ikev2: Don't cache response to MID sync request
Tobias Brunner [Mon, 19 Sep 2016 09:16:06 +0000 (11:16 +0200)]

ikev2: Accept INFORMATIONAL messages with MID 0 if used to sync MIDs
Tobias Brunner [Fri, 16 Sep 2016 15:44:39 +0000 (17:44 +0200)]

We are very picky to only allow MID 0 for these messages (while we
currently don't support IPSEC_REPLAY_COUNTER_SYNC notifies we accept
them).

ikev2: Negotiate support for IKE message ID synchronisation during IKE_AUTH
Tobias Brunner [Fri, 16 Sep 2016 15:37:59 +0000 (17:37 +0200)]

ikev2: Add task to handle IKEV2_MESSAGE_ID_SYNC notifies as responder
Tobias Brunner [Fri, 16 Sep 2016 15:26:41 +0000 (17:26 +0200)]

ike: Publish getter for the current message ID on IKE_SA
Tobias Brunner [Fri, 16 Sep 2016 14:19:25 +0000 (16:19 +0200)]

ike: Add getter for the current message ID to task manager
Tobias Brunner [Fri, 16 Sep 2016 14:18:32 +0000 (16:18 +0200)]

Merge branch 'bypass-lan'
Tobias Brunner [Wed, 8 Feb 2017 09:47:33 +0000 (10:47 +0100)]

Adds a new plugin that automatically installs and updates bypass policies
for locally attached subnets.  This is useful for laptops etc. that are
used in different networks and prefer maintaining access to local hosts
(e.g. network printers or NAS) while connected to a VPN.

kernel-pfroute: Implement enumeration of local subnets
Tobias Brunner [Wed, 12 Oct 2016 16:32:14 +0000 (18:32 +0200)]

bypass-lan: Allow ignoring or only considering subnets of specific interfaces
Tobias Brunner [Wed, 12 Oct 2016 13:56:12 +0000 (15:56 +0200)]

The config can also be reloaded by sending a SIGHUP to charon.

bypass-lan: Configure interface on bypass policy
Tobias Brunner [Wed, 12 Oct 2016 10:28:18 +0000 (12:28 +0200)]

Currently, only the kernel-netlink plugin supports this, the others will
just ignore it.

kernel-netlink: Return interface name in local subnet enumerator
Tobias Brunner [Wed, 12 Oct 2016 10:22:42 +0000 (12:22 +0200)]

kernel-interface: Add interface name to local subnet enumerator
Tobias Brunner [Wed, 12 Oct 2016 10:11:24 +0000 (12:11 +0200)]

bypass-lan: Add plugin that installs bypass policies for locally attached subnets
Tobias Brunner [Wed, 12 Oct 2016 08:05:10 +0000 (10:05 +0200)]

kernel-netlink: Implement enumerator for local subnets
Tobias Brunner [Wed, 12 Oct 2016 07:52:45 +0000 (09:52 +0200)]

kernel-interface: Add method to enumerate locally attached subnets
Tobias Brunner [Wed, 12 Oct 2016 07:24:49 +0000 (09:24 +0200)]

kernel-pfkey: Use the same priority range for trap and regular policies
Tobias Brunner [Tue, 11 Oct 2016 13:14:27 +0000 (15:14 +0200)]

Same as the change in the kernel-netlink plugin.

kernel-netlink: Use the same priority range for trap and regular policies
Tobias Brunner [Tue, 11 Oct 2016 12:30:21 +0000 (14:30 +0200)]

While trap and regular policies now often look the same (mainly because
reqids are kept constant) trap policies still need to have a lower priority
than regular policies to handle unroute/route correctly if e.g. IPComp
is used or the mode changes.  But if we use a completely different
priority range that's lower than that of regular policies it is not possible
to install overlapping trap policies.  By differentiating trap from
regular policies via the priority's LSB this issue is avoided while
still maintaining the proper ordering of trap and regular policies.

Fixes #1243.
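
An added illustration of the ordering problem this commit message describes; it is not strongSwan's code, and the priority formula (256 minus both prefix lengths, smaller value = matched first, as in XFRM) is a stand-in assumption for the real selector-based calculation. The `old` scheme puts trap policies in their own, lower-priority range, so a regular 0/0 policy always beats a trap policy for a more specific subnet and that trap never fires; the `new` scheme shares the range and marks traps in the LSB, so a more specific trap policy wins against a less specific regular one, while for the same selector the regular policy still sorts just ahead of its trap twin.

```sh
#!/bin/sh
# Added illustration of trap vs. regular policy ordering, not strongSwan code.
# XFRM matches the policy with the numerically smallest priority first.
# Assumption: the toy formula "256 - src prefix length - dst prefix length"
# stands in for the real calculation; only the relative ordering matters.

# prio SCHEME TYPE SRC_PLEN DST_PLEN
#   SCHEME: old -> trap policies get their own, lower-priority range
#           new -> trap and regular policies share the range, LSB marks traps
#   TYPE:   regular | trap
prio() {
    scheme=$1; type=$2; plen_s=$3; plen_d=$4
    p=$((256 - plen_s - plen_d))
    if [ "$scheme" = old ]; then
        if [ "$type" = trap ]; then
            p=$((p + 256))        # separate range below every regular policy
        fi
    elif [ "$scheme" = new ]; then
        p=$((p * 2))              # make room for the trap bit
        if [ "$type" = trap ]; then
            p=$((p + 1))          # LSB set: sorts right after its regular twin
        fi
    else
        echo "unknown scheme: $scheme" >&2
        return 2
    fi
    echo "$p"
}

# winner SCHEME A_TYPE A_SRC A_DST B_TYPE B_SRC B_DST
# Prints "a" or "b": which of two overlapping policies the kernel matches
# first for a packet that fits both selectors.
winner() {
    pa=$(prio "$1" "$2" "$3" "$4") || return 2
    pb=$(prio "$1" "$5" "$6" "$7") || return 2
    if [ "$pa" -le "$pb" ]; then echo a; else echo b; fi
}

# Scenario from the commit message: a regular 0/0 <-> 0/0 policy (e.g. a full
# tunnel) and a trap policy for a more specific /16 <-> /16 that should bring
# up its own CHILD_SA on demand. With the old scheme the trap never fires.
demo() {
    for scheme in old new; do
        if [ "$(winner "$scheme" regular 0 0 trap 16 16)" = a ]; then
            echo "$scheme scheme: packet to the /16 hits the regular 0/0 policy"
        else
            echo "$scheme scheme: packet to the /16 hits the /16 trap policy"
        fi
    done
    # Same selector: the regular policy must still outrank its trap twin so
    # that route/unroute (e.g. with IPComp or a mode change) stays ordered.
    echo "new scheme, same selector: $(winner new regular 16 16 trap 16 16) wins (a = regular)"
}

demo
```

The two properties the commit needs are visible in the numbers: `prio new trap 16 16` (449) is below `prio new regular 0 0` (512), so the overlapping trap is reachable, and it is exactly one above `prio new regular 16 16` (448), so the regular policy for the identical selector is still preferred.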

kernel-netlink: Fix spacing in log message when policy is unchanged
Tobias Brunner [Tue, 11 Oct 2016 13:10:16 +0000 (15:10 +0200)]

ikev1: Factor out IV and QM management
Tobias Brunner [Wed, 14 Dec 2016 14:54:39 +0000 (15:54 +0100)]

This simplifies implementing a custom keymat_v1_t.

keymat: Allow keymat to modify signature scheme(s)
Thomas Egerer [Thu, 1 Dec 2016 13:40:25 +0000 (14:40 +0100)]

Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>

forecast: Mark correct port in UDP NAT-T rule
James Laird-Wah [Wed, 8 Feb 2017 08:20:52 +0000 (19:20 +1100)]

Closes strongswan/strongswan#62.

android: New release after adding translation for Simplified Chinese
Tobias Brunner [Tue, 7 Feb 2017 15:01:25 +0000 (16:01 +0100)]

android: Add translation for Simplified Chinese
Tobias Brunner [Mon, 23 Jan 2017 17:39:47 +0000 (18:39 +0100)]

Courtesy of Yick Xie.

settings: Fix purge if order differs from alphabetical order
Tobias Brunner [Tue, 25 Oct 2016 08:46:36 +0000 (10:46 +0200)]

eap-dynamic: Publish the get_auth() method of the wrapped EAP method
Tobias Brunner [Wed, 1 Feb 2017 10:16:42 +0000 (11:16 +0100)]

Fixes #2238.

pkcs11: Fix documentation of load_certs option
Tobias Brunner [Mon, 5 Dec 2016 14:34:48 +0000 (15:34 +0100)]

This option is actually module-specific.

ike-auth: Don't send INITIAL_CONTACT if remote ID contains wildcards
Tobias Brunner [Mon, 14 Nov 2016 14:39:17 +0000 (15:39 +0100)]

Such an identity won't equal an actual peer's identity resulting in
sending an INITIAL_CONTACT notify even if there might be an existing
IKE_SA.

proposal: Copy SPI and proposal number from correct proposal in select()
Tobias Brunner [Thu, 15 Dec 2016 17:22:11 +0000 (18:22 +0100)]

If charon.prefer_configured_proposals is disabled select() is called on
the received proposal. This incorrectly set the SPI to 0 as the
configured proposal has no SPI set.

Fixes #2190.

kernel-netlink: Set NODAD flag for virtual IPv6 addresses
Tobias Brunner [Tue, 13 Dec 2016 16:27:26 +0000 (17:27 +0100)]

The Optimistic Duplicate Address Detection (DAD) seems to fail in some
cases (`dadfailed` in `ip addr`) rendering the virtual IP address unusable.

Fixes #2183.

kernel-netlink: Prefer matching label when selecting IPv6 source addresses
Tobias Brunner [Mon, 10 Oct 2016 08:00:19 +0000 (10:00 +0200)]

This implements rule 6 of RFC 6724 using the default priority table,
so that e.g. global addresses are preferred over ULAs (which also have
global scope) when the destination is a global address.

Fixes #2138.

kernel-netlink: Use correct 4 byte alignment for AH with IPv4
Tobias Brunner [Fri, 4 Nov 2016 09:14:30 +0000 (10:14 +0100)]

By default, the kernel incorrectly uses an 8 byte alignment, which is
mandatory for IPv6 but prohibited for IPv4.  For many algorithms this
doesn't matter but that's not the case for HMAC_SHA2_256_128.
Since 2.6.39 the kernel can be explicitly configured to use a 4 byte
alignment.

kernel-netlink: Allow change of Netlink socket receive buffer size
Thomas Egerer [Thu, 17 Nov 2016 16:00:37 +0000 (17:00 +0100)]

Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>

kernel-pfkey: Set state to SADB_SASTATE_MATURE when adding/updating SAs
Tobias Brunner [Mon, 16 Jan 2017 16:01:33 +0000 (17:01 +0100)]

Picky kernels might otherwise reject our messages as RFC 2367 explicitly
mandates this.

Fixes #2212.

kernel-pfroute: Don't set a gateway if it is of a different address family than the destination
Tobias Brunner [Fri, 7 Oct 2016 10:12:15 +0000 (12:12 +0200)]

libipsec: Add support for AES and Camellia in CCM mode
Tobias Brunner [Wed, 16 Nov 2016 14:11:41 +0000 (15:11 +0100)]

Fixes #2172.

libipsec: Fix Windows build via MinGW
Tobias Brunner [Fri, 23 Sep 2016 06:52:17 +0000 (08:52 +0200)]

Fixes #2118.

stroke: Default to %dynamic if no valid TS are specified in left|rightsubnet
Tobias Brunner [Wed, 18 Jan 2017 13:51:57 +0000 (14:51 +0100)]

Otherwise, we'd end up with an empty TS list, which is not valid.

Because end->tohost is set to !end->subnets in starter the removed branch was
never used.

init: Let systemd restart daemons if they get terminated unexpectedly
Tobias Brunner [Wed, 18 Jan 2017 12:54:56 +0000 (13:54 +0100)]

Fixes #2205.

init: Depend on network-online.target instead of network.target in systemd units
Tobias Brunner [Wed, 18 Jan 2017 12:52:59 +0000 (13:52 +0100)]

This makes sure the network is "up" before connections are
loaded/initiated.

Fixes #2205.

Merge branch 'charon-systemd-reload-loggers'
Tobias Brunner [Wed, 25 Jan 2017 13:58:24 +0000 (14:58 +0100)]

Allows reloading strongswan.conf, the loggers, and the plugins in
charon-systemd by sending a SIGHUP (as already supported by charon).

Loggers are now also reloaded by VICI's `reload-settings` command (works
with both daemons).

Fixes #2222.

vici: Reload loggers after reloading strongswan.conf via reload-settings command
Tobias Brunner [Mon, 23 Jan 2017 16:25:28 +0000 (17:25 +0100)]

daemon: Use separate method to set default loggers
Tobias Brunner [Mon, 23 Jan 2017 16:14:01 +0000 (17:14 +0100)]

This way it is not necessary to pass the same values to reload the
loggers.

charon-systemd: Handle SIGHUP the same way charon does
Tobias Brunner [Mon, 16 Jan 2017 16:20:10 +0000 (17:20 +0100)]

That is, reload strongswan.conf, the loggers and the plugins.

ha: Fix assignment of IP addresses if multiple pools are defined
Tobias Brunner [Thu, 13 Oct 2016 16:39:09 +0000 (18:39 +0200)]

Fixes #2146.

ha: Delete passive IKE_SA on other node after half-open timeout
Tobias Brunner [Tue, 30 Aug 2016 12:30:19 +0000 (14:30 +0200)]

Fixes #1192.

kernel-netlink: Return const pointer from lookup_algorithm()
Thomas Egerer [Mon, 23 Jan 2017 15:04:38 +0000 (16:04 +0100)]

Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>

Merge branch 'android-import'
Tobias Brunner [Fri, 20 Jan 2017 10:55:48 +0000 (11:55 +0100)]

Adds a VPN profile import feature.

android: New release after adding profile import functionality
Tobias Brunner [Fri, 20 Jan 2017 10:53:43 +0000 (11:53 +0100)]

android: Handle profile file names with dots in them
Tobias Brunner [Tue, 17 Jan 2017 13:43:57 +0000 (14:43 +0100)]

android: Handle errors when fetching profile in more detail
Tobias Brunner [Tue, 17 Jan 2017 10:14:33 +0000 (11:14 +0100)]

android: Add activity to import VPN profiles from JSON-encoded files
Tobias Brunner [Thu, 29 Dec 2016 16:35:57 +0000 (17:35 +0100)]

The file format is documented on the wiki.

URLs to .sswan files may be intercepted and downloaded files with a media
type of application/vnd.strongswan.profile may also be opened (the file
extension doesn't matter in that case).  Whether downloaded files for which
the media type is not correct but the extension is .sswan can be opened
depends on the app that issues the Intent.  For instance, from the default
Downloads app it won't work due to the content:// URLs that do not contain
the file name but when opening the downloaded file from within Chrome's
Downloads view it works as these Intents use file:// URLs, which contain
the complete file name (the latter requires a new permission).

android: Use a local broadcast to notify about profile changes
Tobias Brunner [Thu, 29 Dec 2016 16:02:22 +0000 (17:02 +0100)]

This allows other components to modify the profiles and notify about
changes.

android: Add a UUID property to the VPN profiles
Tobias Brunner [Tue, 27 Dec 2016 14:17:49 +0000 (15:17 +0100)]

All new or edited profiles get a random UUID.  We currently don't
enforce one, though.  Later we might change that and use the UUID as
primary key.

Merge branch 'ipsec-commands'
Tobias Brunner [Thu, 19 Jan 2017 17:40:00 +0000 (18:40 +0100)]

Fixes an issue with the ipsec script when used with sudo.

I'd usually rebase this but the commit ID was already referenced
elsewhere.

ipsec: Only allow specific commands to be executed via ipsec script
Tobias Brunner [Wed, 18 Jan 2017 14:44:06 +0000 (15:44 +0100)]

The previous fallback allowed running any executable as root if executing
ipsec via sudo was allowed, by using e.g. `sudo ipsec ../../../bin/sh`.
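
The shape of the bug and of the fix, as an added example: this is not the strongSwan `ipsec` script, the helper directory `IPSEC_DIR` is hypothetical and the command names on the allowlist are illustrative. The vulnerable dispatcher treats any unknown first argument as a file name under its helper directory, so an argument with path components escapes that directory; once a sudoers rule permits the script, the caller picks which binary runs as root. The hardened dispatcher only executes names it matched literally, so the argument never becomes a path at all.

```sh
#!/bin/sh
# Added illustration of the removed fallback, not the strongSwan ipsec script.
# Assumptions: IPSEC_DIR is a hypothetical directory holding helper programs,
# and the names on the allowlist are illustrative.
IPSEC_DIR=${IPSEC_DIR:-/usr/lib/ipsec}

# Vulnerable dispatcher: anything that is not a built-in falls through to
# "$IPSEC_DIR/$cmd". The argument is caller-controlled and may contain path
# components, so a user allowed to run the script via sudo gets a root shell:
#     sudo ipsec ../../../bin/sh   ->  /usr/lib/ipsec/../../../bin/sh = /bin/sh
vulnerable_resolve() {
    cmd=$1
    case "$cmd" in
        start|stop|status) echo "builtin:$cmd" ;;
        *)                 echo "$IPSEC_DIR/$cmd" ;;   # unchecked fallback
    esac
}

# Hardened dispatcher: only names on an explicit allowlist reach exec. The
# case patterns match the whole argument, so "../x", "pki/../sh" or an empty
# argument never turn into a path. Everything else is rejected.
hardened_resolve() {
    cmd=$1
    case "$cmd" in
        start|stop|status)    echo "builtin:$cmd" ;;
        pki|pool|scepclient)  echo "$IPSEC_DIR/$cmd" ;;   # illustrative names
        *)
            echo "unknown command: '$cmd'" >&2
            return 1
            ;;
    esac
}

# collapse PATH: fold "." and ".." components without touching the file
# system, to show where the vulnerable fallback really ends up.
collapse() {
    out=""
    old_ifs=$IFS; IFS=/
    for part in $1; do
        case "$part" in
            ''|.) ;;
            ..)   out=${out%/*} ;;
            *)    out="$out/$part" ;;
        esac
    done
    IFS=$old_ifs
    echo "${out:-/}"
}

# Usage: the same two arguments through both dispatchers.
for arg in pki ../../../bin/sh; do
    echo "vulnerable: $arg -> $(collapse "$(vulnerable_resolve "$arg")")"
    if hardened_resolve "$arg" >/dev/null 2>&1; then
        echo "hardened:   $arg -> accepted"
    else
        echo "hardened:   $arg -> rejected"
    fi
done
```

The check belongs in the script rather than in sudoers: a rule such as `user ALL=(root) /usr/sbin/ipsec` cannot constrain the arguments, so anything the script is willing to execute is effectively granted to that user.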

bliss: Increase timeout for sampler unit test
Tobias Brunner [Mon, 16 Jan 2017 10:28:10 +0000 (11:28 +0100)]

Fixes #2204.

android: Include ref10 subdirectory for curve25519 plugin
Tobias Brunner [Tue, 27 Dec 2016 13:43:44 +0000 (14:43 +0100)]

Fixes #2201.

Version bump to 5.5.2dr4 (tag: 5.5.2dr4)
Andreas Steffen [Mon, 2 Jan 2017 14:46:27 +0000 (15:46 +0100)]

Merge branch 'disable_ocsp'
Andreas Steffen [Mon, 2 Jan 2017 13:35:39 +0000 (14:35 +0100)]

testing: Added swanctl/ocsp-disabled scenario
Andreas Steffen [Mon, 2 Jan 2017 13:32:46 +0000 (14:32 +0100)]

testing: Added swanctl/ocsp-signer-cert scenario
Andreas Steffen [Mon, 2 Jan 2017 13:08:21 +0000 (14:08 +0100)]

revocation: OCSP and/or CRL fetching can be disabled
Andreas Steffen [Fri, 30 Dec 2016 17:12:53 +0000 (18:12 +0100)]

testing: Convert swanctl scenarios to curve-25519
Andreas Steffen [Thu, 29 Dec 2016 10:48:42 +0000 (11:48 +0100)]

Version bump to 5.5.2dr3 and Linux kernel 4.9 (tag: 5.5.2dr3)
Andreas Steffen [Sat, 17 Dec 2016 17:10:13 +0000 (18:10 +0100)]

testing: strongTNC does not come with django.db any more
Andreas Steffen [Sat, 17 Dec 2016 17:09:20 +0000 (18:09 +0100)]