strongswan.git
7 years agoMerge branch 'ah'
Martin Willi [Fri, 11 Oct 2013 08:15:43 +0000 (10:15 +0200)]
Merge branch 'ah'

Brings support for Security Associations integrity protected by the
Authentication Header protocol, both to IKEv1 and IKEv2. Currently only plain
AH is supported, but no (now deprecated) RFC2401 style AH+ESP bundles.

7 years agoipsec.conf: Add a description for the new 'ah' keyword.
Martin Willi [Thu, 10 Oct 2013 16:09:57 +0000 (18:09 +0200)]
ipsec.conf: Add a description for the new 'ah' keyword.

7 years agotesting: Add an IKEv1 host2host AH transport mode test case
Martin Willi [Wed, 9 Oct 2013 14:10:33 +0000 (16:10 +0200)]
testing: Add an IKEv1 host2host AH transport mode test case

7 years agotesting: Add an IKEv1 net2net AH test case
Martin Willi [Wed, 9 Oct 2013 14:10:08 +0000 (16:10 +0200)]
testing: Add an IKEv1 net2net AH test case

7 years agotesting: Add an IKEv2 host2host AH transport mode test case
Martin Willi [Wed, 9 Oct 2013 13:20:22 +0000 (15:20 +0200)]
testing: Add an IKEv2 host2host AH transport mode test case

7 years agotesting: Add an IKEv2 net2net AH test case
Martin Willi [Wed, 9 Oct 2013 13:10:40 +0000 (15:10 +0200)]
testing: Add an IKEv2 net2net AH test case

7 years agotesting: Allow AH packets in default INPUT/OUTPUT chains
Martin Willi [Wed, 9 Oct 2013 13:05:46 +0000 (15:05 +0200)]
testing: Allow AH packets in default INPUT/OUTPUT chains

7 years agoupdown: Install forwarding rules with the actually used protocol
Martin Willi [Wed, 9 Oct 2013 12:48:50 +0000 (14:48 +0200)]
updown: Install forwarding rules with the actually used protocol

7 years agoupdown: Add a PLUTO_PROTO variable set to 'ah' or 'esp'
Martin Willi [Wed, 9 Oct 2013 12:48:25 +0000 (14:48 +0200)]
updown: Add a PLUTO_PROTO variable set to 'ah' or 'esp'

7 years agostarter: Reject connections having both 'ah' and 'esp' keywords set
Martin Willi [Wed, 9 Oct 2013 12:09:08 +0000 (14:09 +0200)]
starter: Reject connections having both 'ah' and 'esp' keywords set

We currently don't support mixed proposals or bundles, so don't create the
illusion we would.

7 years agoike: Define keylength for aescmac algorithm
Martin Willi [Fri, 21 Jun 2013 14:01:03 +0000 (16:01 +0200)]
ike: Define keylength for aescmac algorithm

7 years agoikev1: Support parsing of AH+IPComp proposals
Martin Willi [Fri, 21 Jun 2013 14:00:22 +0000 (16:00 +0200)]
ikev1: Support parsing of AH+IPComp proposals

7 years agostarter: Remove obsolete 'auth' option
Martin Willi [Thu, 20 Jun 2013 15:10:13 +0000 (17:10 +0200)]
starter: Remove obsolete 'auth' option

7 years agoikev1: Accept more than two certificate payloads
Martin Willi [Thu, 20 Jun 2013 15:07:27 +0000 (17:07 +0200)]
ikev1: Accept more than two certificate payloads

7 years agoikev1: Support en-/decoding of SA payloads with AH algorithms
Martin Willi [Thu, 20 Jun 2013 15:06:46 +0000 (17:06 +0200)]
ikev1: Support en-/decoding of SA payloads with AH algorithms

7 years agokernel-handler: Whitespace cleanups
Martin Willi [Thu, 20 Jun 2013 14:16:39 +0000 (16:16 +0200)]
kernel-handler: Whitespace cleanups

7 years agostroke: List proposals in statusall without leading '/' in AH SAs
Martin Willi [Thu, 20 Jun 2013 14:16:06 +0000 (16:16 +0200)]
stroke: List proposals in statusall without leading '/' in AH SAs

7 years agoikev1: Delete quick modes with the negotiated SA protocol
Martin Willi [Thu, 20 Jun 2013 14:15:31 +0000 (16:15 +0200)]
ikev1: Delete quick modes with the negotiated SA protocol

7 years agotrap-manager: Install trap with SA protocol of the first configured proposal
Martin Willi [Thu, 20 Jun 2013 14:14:52 +0000 (16:14 +0200)]
trap-manager: Install trap with SA protocol of the first configured proposal

7 years agochild-sa: Save protocol during SPI allocation
Martin Willi [Thu, 20 Jun 2013 14:13:35 +0000 (16:13 +0200)]
child-sa: Save protocol during SPI allocation

This allows us to properly delete the incomplete SA with the correct protocol
should negotiation fail.

7 years agoikev1: Negotiate SPI with the first/negotiated proposal protocol
Martin Willi [Thu, 20 Jun 2013 14:12:58 +0000 (16:12 +0200)]
ikev1: Negotiate SPI with the first/negotiated proposal protocol

7 years agoikev2: Allocate SPI with the protocol of the first/negotiated proposal
Martin Willi [Thu, 20 Jun 2013 14:12:14 +0000 (16:12 +0200)]
ikev2: Allocate SPI with the protocol of the first/negotiated proposal

7 years agoproposal: Strip redundant integrity algos for ESP proposals only
Martin Willi [Thu, 20 Jun 2013 14:10:55 +0000 (16:10 +0200)]
proposal: Strip redundant integrity algos for ESP proposals only

7 years agostroke: Configure proposal with AH protocol if 'ah' option set
Martin Willi [Thu, 20 Jun 2013 14:09:51 +0000 (16:09 +0200)]
stroke: Configure proposal with AH protocol if 'ah' option set

7 years agostarter: Add an 'ah' keyword for Authentication Header Security Associations
Martin Willi [Thu, 20 Jun 2013 14:08:23 +0000 (16:08 +0200)]
starter: Add an 'ah' keyword for Authentication Header Security Associations

7 years agoVersion bump to 5.1.1rc1
Andreas Steffen [Fri, 11 Oct 2013 07:53:42 +0000 (09:53 +0200)]
Version bump to 5.1.1rc1

7 years agoKeep a copy of the tnccs instance for PT-TLS handover
Andreas Steffen [Wed, 9 Oct 2013 17:03:07 +0000 (19:03 +0200)]
Keep a copy of the tnccs instance for PT-TLS handover

7 years agoxauth-pam: Make trimming of email addresses optional 5.1.1dr4
Tobias Brunner [Fri, 4 Oct 2013 08:49:54 +0000 (10:49 +0200)]
xauth-pam: Make trimming of email addresses optional

Fixes #430.

7 years agoikev1: Accept reauthentication attempts with a keep unique policy from same host
Martin Willi [Wed, 18 Sep 2013 12:11:40 +0000 (14:11 +0200)]
ikev1: Accept reauthentication attempts with a keep unique policy from same host

When we have a "keep" unique policy in place, we have to be less strict in
rejecting Main/Aggressive Modes to enforce it. If the host/port equals to
that of an existing ISAKMP SA, we assume it is a reauthentication attempt
and accept the new SA (to replace the old).

7 years agoikev1: Don't log a reauthentication detection message if no children adopted
Martin Willi [Wed, 18 Sep 2013 11:59:44 +0000 (13:59 +0200)]
ikev1: Don't log a reauthentication detection message if no children adopted

When a replace unique policy is in place, the children get adopted during
the uniqueness check. In this case the message is just misleading.

7 years agoikev1: Delay a potential delete for a duplicate IKE_SA having a replace policy
Martin Willi [Wed, 18 Sep 2013 11:56:45 +0000 (13:56 +0200)]
ikev1: Delay a potential delete for a duplicate IKE_SA having a replace policy

Sending a DELETE for the replaced SA immediately is problematic during
reauthentication, as the peer might have associated the Quick Modes to the
old SA, and also delete them.

With this change the delete for the old ISAKMP SA is usually omitted, as it
is gets implicitly deleted by the reauth.

7 years agoeap-radius: Increase buffer for attributes sent in RADIUS accounting messages
Tobias Brunner [Tue, 10 Sep 2013 14:51:20 +0000 (16:51 +0200)]
eap-radius: Increase buffer for attributes sent in RADIUS accounting messages

64 bytes might be too short for user names/identities.

7 years agoopenssl: Properly log FIPS mode when enabled via openssl.conf
Tobias Brunner [Fri, 27 Sep 2013 07:11:55 +0000 (09:11 +0200)]
openssl: Properly log FIPS mode when enabled via openssl.conf

Enabling FIPS mode twice will fail, so if it is enabled in openssl.conf
it should be disabled in strongswan.conf (or the other way around).

Either way, we should log whether FIPS mode is enabled or not.

References #412.

7 years agoandroid: New release after fixing remediation instructions regression
Tobias Brunner [Thu, 26 Sep 2013 11:03:38 +0000 (13:03 +0200)]
android: New release after fixing remediation instructions regression

7 years agoandroid: Change progress dialog handling
Tobias Brunner [Thu, 26 Sep 2013 11:50:23 +0000 (13:50 +0200)]
android: Change progress dialog handling

With the previous code the dialog sometimes was hidden for a short while
before it got reopened.

7 years agoandroid: Clear remediation instructions when starting a new connection
Tobias Brunner [Thu, 26 Sep 2013 11:00:45 +0000 (13:00 +0200)]
android: Clear remediation instructions when starting a new connection

7 years agostarter: Don't ignore keyingtries with rekey=no
Tobias Brunner [Thu, 26 Sep 2013 08:15:03 +0000 (10:15 +0200)]
starter: Don't ignore keyingtries with rekey=no

Since keyingtries also affects the number of retries initially or when
reestablishing an SA it should not be affected by the rekey option.

Fixes #418.

7 years agoload-tester: Fix crash if private key was not loaded successfully
Tobias Brunner [Tue, 24 Sep 2013 07:24:59 +0000 (09:24 +0200)]
load-tester: Fix crash if private key was not loaded successfully

Fixes #417.

7 years agoprintf-hook: Write to output stream instead of the FD directly when using Vstr
Tobias Brunner [Mon, 23 Sep 2013 15:01:53 +0000 (17:01 +0200)]
printf-hook: Write to output stream instead of the FD directly when using Vstr

This avoids problems when other stdio functions are used (fputs,
fwrite) as writes via Vstr/FD were always unbuffered.

7 years agoandroid: New release after improving recovery after connectivity changes
Tobias Brunner [Mon, 23 Sep 2013 12:33:29 +0000 (14:33 +0200)]
android: New release after improving recovery after connectivity changes

7 years agoandroid: Change state handling to display errors occurring while the app is hidden
Tobias Brunner [Fri, 20 Sep 2013 13:07:41 +0000 (15:07 +0200)]
android: Change state handling to display errors occurring while the app is hidden

A new connection ID allows listeners to track which errors they have
already shown to the user or were already dismissed by the user.

This was necessary because the state fragment is now unregistered from
state changes when it is not shown.

7 years agoandroid: Don't update state fragments when they are not displayed
Tobias Brunner [Fri, 20 Sep 2013 12:07:40 +0000 (14:07 +0200)]
android: Don't update state fragments when they are not displayed

Besides that updates don't make much sense when the fragments are not
displayed this fixes the following exception:
java.lang.IllegalStateException: Can not perform this action after
onSaveInstanceState

7 years agoikev2: Force an update of the host addresses on the first response
Tobias Brunner [Fri, 20 Sep 2013 12:05:53 +0000 (14:05 +0200)]
ikev2: Force an update of the host addresses on the first response

This is especially useful on Android where we are able to send messages
even if we don't know the correct local address (this is possible
because we don't set source addresses in outbound messages).  This way
we may learn the correct local address if it e.g. changed right before
reestablishing an SA.

Updating the local address later is tricky without MOBIKE as the
responder might not update the associated IPsec SAs properly.

7 years agoike-sa: Resolve hosts before reestablishing an IKE_SA
Tobias Brunner [Fri, 20 Sep 2013 12:03:23 +0000 (14:03 +0200)]
ike-sa: Resolve hosts before reestablishing an IKE_SA

7 years agoandroid: Several plugins were moved from libcharon to libtnccs
Tobias Brunner [Fri, 20 Sep 2013 09:16:21 +0000 (11:16 +0200)]
android: Several plugins were moved from libcharon to libtnccs

These were moved in commits e8f65c5cde and 12b3db5006.

7 years agoandroid: Properly handle failures while initializing charon
Tobias Brunner [Fri, 20 Sep 2013 08:30:02 +0000 (10:30 +0200)]
android: Properly handle failures while initializing charon

7 years agokernel-netlink: Allow to override xfrm_acq_expires value
Ansis Atteka [Mon, 23 Sep 2013 04:21:39 +0000 (21:21 -0700)]
kernel-netlink: Allow to override xfrm_acq_expires value

When using auto=route, current xfrm_acq_expires default value
implies that tunnel can be down for up to 165 seconds, if
other peer rejected first IKE request with an AUTH_FAILED or
NO_PROPOSAL_CHOSEN error message. These error messages are
completely normal in setups where another application
pushes configuration to both strongSwans without waiting
for acknowledgment that they have updated their configurations.

This patch allows strongswan to override xfrm_acq_expires default
value by setting charon.plugins.kernel-netlink.xfrm_acq_expires in
strongswan.conf.

Signed-off-by: Ansis Atteka <aatteka@nicira.com>
7 years agoImplemented TCG/PB-PDP_Referral message
Andreas Steffen [Tue, 17 Sep 2013 19:57:08 +0000 (21:57 +0200)]
Implemented TCG/PB-PDP_Referral message

7 years agoAllow vendor-specific PB-TNC messages
Andreas Steffen [Tue, 17 Sep 2013 09:19:11 +0000 (11:19 +0200)]
Allow vendor-specific PB-TNC messages

7 years agoignore *.1 manpage files
Andreas Steffen [Tue, 17 Sep 2013 08:58:53 +0000 (10:58 +0200)]
ignore *.1 manpage files

7 years agoVersion bump to 5.1.1dr4
Andreas Steffen [Tue, 17 Sep 2013 08:57:46 +0000 (10:57 +0200)]
Version bump to 5.1.1dr4

7 years agoMerge branch 'pubkeys'
Tobias Brunner [Fri, 13 Sep 2013 13:30:40 +0000 (15:30 +0200)]
Merge branch 'pubkeys'

Adds support to pki --pub to convert public keys to other formats
including SSH keys and DNSKEYs.  SSH public keys can also be read
from files in the format used by OpenSSH.

7 years agosshkey: Add support for parsing keys from files
Tobias Brunner [Mon, 19 Aug 2013 11:15:28 +0000 (13:15 +0200)]
sshkey: Add support for parsing keys from files

7 years agosshkey: Add encoding for ECDSA keys
Tobias Brunner [Fri, 16 Aug 2013 11:13:49 +0000 (13:13 +0200)]
sshkey: Add encoding for ECDSA keys

7 years agoopenssl: Add support for generic encoding of EC public keys
Tobias Brunner [Fri, 16 Aug 2013 11:12:47 +0000 (13:12 +0200)]
openssl: Add support for generic encoding of EC public keys

7 years agopki: --pub also accepts public keys (i.e. to convert them to a different format)
Tobias Brunner [Thu, 15 Aug 2013 10:43:30 +0000 (12:43 +0200)]
pki: --pub also accepts public keys (i.e. to convert them to a different format)

7 years agopki: Add support to encode public keys in SSH key format
Tobias Brunner [Thu, 15 Aug 2013 10:43:01 +0000 (12:43 +0200)]
pki: Add support to encode public keys in SSH key format

7 years agosshkey: Add encoder for RSA keys
Tobias Brunner [Thu, 15 Aug 2013 10:42:09 +0000 (12:42 +0200)]
sshkey: Add encoder for RSA keys

7 years agoopenssl: Add generic RSA public key encoding
Tobias Brunner [Wed, 14 Aug 2013 16:23:00 +0000 (18:23 +0200)]
openssl: Add generic RSA public key encoding

7 years agoopenssl: Add helper function to convert BIGNUMs to chunks
Tobias Brunner [Thu, 15 Aug 2013 10:29:06 +0000 (12:29 +0200)]
openssl: Add helper function to convert BIGNUMs to chunks

7 years agopki: Load dnskey plugin to encode public keys in RFC 3110 format
Tobias Brunner [Wed, 14 Aug 2013 16:22:13 +0000 (18:22 +0200)]
pki: Load dnskey plugin to encode public keys in RFC 3110 format

7 years agoMerge branch 'man-pki'
Tobias Brunner [Fri, 13 Sep 2013 13:15:40 +0000 (15:15 +0200)]
Merge branch 'man-pki'

This adds man pages for all pki sub-commands and promotes pki to a
regular program installed in $prefix/bin.

The usage output of several commands was fixed too.

7 years agopki: Don't print an error if no arguments are given
Tobias Brunner [Fri, 13 Sep 2013 13:14:00 +0000 (15:14 +0200)]
pki: Don't print an error if no arguments are given

7 years agopki: Install pki(1) as utility directly in $prefix/bin
Tobias Brunner [Fri, 13 Sep 2013 12:52:14 +0000 (14:52 +0200)]
pki: Install pki(1) as utility directly in $prefix/bin

ipsec pki is maintained as alias.

7 years agopki: Add example commands to setup a simple CA
Tobias Brunner [Wed, 14 Aug 2013 14:00:28 +0000 (16:00 +0200)]
pki: Add example commands to setup a simple CA

7 years agopki: Add pki --verify man page
Tobias Brunner [Mon, 12 Aug 2013 15:52:28 +0000 (17:52 +0200)]
pki: Add pki --verify man page

7 years agopki: Add pki --pub man page
Tobias Brunner [Mon, 12 Aug 2013 15:46:40 +0000 (17:46 +0200)]
pki: Add pki --pub man page

7 years agopki: Add pki --print man page
Tobias Brunner [Mon, 12 Aug 2013 15:21:49 +0000 (17:21 +0200)]
pki: Add pki --print man page

7 years agopki: Add pki --keyid man page
Tobias Brunner [Mon, 12 Aug 2013 15:14:17 +0000 (17:14 +0200)]
pki: Add pki --keyid man page

7 years agopki: Add pki --pkcs7 man page
Tobias Brunner [Mon, 12 Aug 2013 15:04:28 +0000 (17:04 +0200)]
pki: Add pki --pkcs7 man page

7 years agopki: Add pki --req man page
Tobias Brunner [Mon, 12 Aug 2013 14:49:13 +0000 (16:49 +0200)]
pki: Add pki --req man page

7 years agopki: Add pki --signcrl man page
Tobias Brunner [Mon, 12 Aug 2013 14:39:21 +0000 (16:39 +0200)]
pki: Add pki --signcrl man page

7 years agopki: Add pki --issue man page
Tobias Brunner [Mon, 12 Aug 2013 14:06:42 +0000 (16:06 +0200)]
pki: Add pki --issue man page

7 years agopki: Add pki --self man page
Tobias Brunner [Wed, 31 Jul 2013 17:48:45 +0000 (19:48 +0200)]
pki: Add pki --self man page

Can be opened with "man pki --self".

7 years agopki: Add pki --gen man page
Tobias Brunner [Wed, 31 Jul 2013 17:19:08 +0000 (19:19 +0200)]
pki: Add pki --gen man page

Can be opened with "man pki --gen".

7 years agopki: Add ipsec-pki(8) man page
Tobias Brunner [Wed, 31 Jul 2013 16:05:10 +0000 (18:05 +0200)]
pki: Add ipsec-pki(8) man page

Can be opened either with "man ipsec pki" or "man ipsec-pki".

Since man(1) only supports one level of subpages, the forthcoming man
pages for each command will have to be opened with "man pki --<command>".

7 years agostrongswan.conf: Use configured piddir for UNIX sockets
Tobias Brunner [Mon, 12 Aug 2013 13:13:20 +0000 (15:13 +0200)]
strongswan.conf: Use configured piddir for UNIX sockets

7 years agoBuild generated man pages via configure script
Tobias Brunner [Wed, 31 Jul 2013 15:30:40 +0000 (17:30 +0200)]
Build generated man pages via configure script

7 years agoresolve: Remove comment when using resolvconf(8)
Tobias Brunner [Fri, 13 Sep 2013 08:34:03 +0000 (10:34 +0200)]
resolve: Remove comment when using resolvconf(8)

Since comments in resolv.conf are only valid at the beginning of a line
resolvconf(8) seems to have started treating any text after
'nameserver <ip>' as additional IP addresses for name servers.

Since it ignores comments, and we can easily remove the added servers
again, there is no point to add any.

Fixes #410.

7 years ago.gitignore: Add .dirstamp files touched by automake
Martin Willi [Fri, 13 Sep 2013 12:11:30 +0000 (14:11 +0200)]
.gitignore: Add .dirstamp files touched by automake

7 years agolibipsec: fix memory management when cloning ip_packet
Martin Willi [Fri, 6 Sep 2013 12:16:14 +0000 (14:16 +0200)]
libipsec: fix memory management when cloning ip_packet

7 years agolibipsec: check for a policy with the reqid of the SA on decapsulation
Martin Willi [Wed, 4 Sep 2013 15:12:23 +0000 (17:12 +0200)]
libipsec: check for a policy with the reqid of the SA on decapsulation

To prevent a client from sending a packet with a source address of a different
client, we require a policy bound via reqid to the decapsulating SA.

7 years agostroke: don't remove a matching peer config if used by other child configs
Martin Willi [Mon, 9 Sep 2013 08:43:44 +0000 (10:43 +0200)]
stroke: don't remove a matching peer config if used by other child configs

When configurations get merged during add, we should not remove peer configs
if other connection entries use the same peer config.

7 years agoconftest: Don't load plugins incrementally
Tobias Brunner [Tue, 3 Sep 2013 17:02:40 +0000 (19:02 +0200)]
conftest: Don't load plugins incrementally

This is not supported by the plugin loader, so we simply combine the
plugin lists and load them all at once.

7 years agoikev1: Fix double free when searching for redundant CHILD_SAs
Tobias Brunner [Fri, 13 Sep 2013 08:14:45 +0000 (10:14 +0200)]
ikev1: Fix double free when searching for redundant CHILD_SAs

Fixes #411.

7 years agoBuild all IMC/IMVs with -no-undefined
Tobias Brunner [Wed, 4 Sep 2013 14:26:27 +0000 (16:26 +0200)]
Build all IMC/IMVs with -no-undefined

7 years agopt-tls-client: Report loaded plugins
Tobias Brunner [Wed, 4 Sep 2013 12:34:02 +0000 (14:34 +0200)]
pt-tls-client: Report loaded plugins

7 years agopt-tls-client: Abort if no tnccs-manager is available
Tobias Brunner [Wed, 4 Sep 2013 12:31:46 +0000 (14:31 +0200)]
pt-tls-client: Abort if no tnccs-manager is available

7 years agoBuild all shared libraries with -no-undefined and link them properly
Tobias Brunner [Wed, 4 Sep 2013 12:25:22 +0000 (14:25 +0200)]
Build all shared libraries with -no-undefined and link them properly

The flag is required to convince libtool on Cygwin to build DLLs. But on
Windows these shared libraries can not have undefined symbols, so we have to
link them explicitly to the libraries they reference.

For plugins this is currently not done, so only the monolithic build is
supported.  The plugin loader wouldn't be able to load DLLs anyway, as
it tries to load files that don't exist on Cygwin.

7 years agoconfigure: libtls and libtnccs etc. all require libstrongswan
Tobias Brunner [Wed, 4 Sep 2013 11:51:37 +0000 (13:51 +0200)]
configure: libtls and libtnccs etc. all require libstrongswan

7 years agotun_device: Add warning if TUN devices are not supported by platform
Tobias Brunner [Wed, 4 Sep 2013 11:40:35 +0000 (13:40 +0200)]
tun_device: Add warning if TUN devices are not supported by platform

7 years agoMake sure libstrongswan is initialized first in IMCs and IMVs
Andreas Steffen [Wed, 11 Sep 2013 18:58:18 +0000 (20:58 +0200)]
Make sure libstrongswan is initialized first in IMCs and IMVs

7 years agosockets: Initialize the whole ancillary data buffer not only the actual struct
Tobias Brunner [Tue, 10 Sep 2013 11:40:16 +0000 (13:40 +0200)]
sockets: Initialize the whole ancillary data buffer not only the actual struct

This avoids uninitialized bytes that Valgrind seems to notice otherwise.

Fixes #395.

7 years agoikev1: For PFS prefer DH group from IKE_SA over first configured
Thomas Egerer [Fri, 23 Aug 2013 12:15:44 +0000 (14:15 +0200)]
ikev1: For PFS prefer DH group from IKE_SA over first configured

If PFS is configured for a CHILD_SA first try to create a list of
proposals with using DH group negotiated during phase 1. If the
resulting list is empty (i.e. the DH group(s) configured for PFS differ
from the one(s) configured for the IKE_SA), fall back to the first
configured DH group from the CHILD_SA.
This modificiation is due to the fact that it is likely that the peer
supports the same DH group for PFS it did already for the IKE_SA.

7 years agokernel-netlink: increase buffer size for RT netlink messages
Ansis Atteka [Mon, 9 Sep 2013 22:42:55 +0000 (15:42 -0700)]
kernel-netlink: increase buffer size for RT netlink messages

Commit 940e1b0f66dc04b0853414c1f4c45fa3f6e33bdd "Filter ignored
interfaces in kernel interfaces (for events, address enumeration,
etc.)" made charon to ignore routes with unusable interfaces.
Unusable interface is one where charon has not seen RTM_NEWLINK
message from the kernel.

Sometime RTM_NEWLINK message can be 1048 bytes large. This is
24 bytes more than currently allocated buffer of 1024 bytes.
If kernel sends such a large message, then it would be silently
ignored by charon and corresponding interface would never become
usable. Hence strongSwan might resolve invalid source IP address
in get_route() function. This would prevent IPsec tunnel to be
established.

To reproduce create a VLAN interface with following command:

vconfig add eth1 12

7 years agoFixed double free causing swapped ends to crash 5.1.1dr3
Andreas Steffen [Sat, 7 Sep 2013 06:25:10 +0000 (08:25 +0200)]
Fixed double free causing swapped ends to crash

7 years agoAdded ikev1/config-payload-push scenario
Andreas Steffen [Sat, 7 Sep 2013 06:23:58 +0000 (08:23 +0200)]
Added ikev1/config-payload-push scenario

7 years agoMinor performance tuning
Andreas Steffen [Sat, 7 Sep 2013 05:39:03 +0000 (07:39 +0200)]
Minor performance tuning

7 years agoCompleted NEWS for 5.1.1dr3
Andreas Steffen [Fri, 6 Sep 2013 20:11:33 +0000 (22:11 +0200)]
Completed NEWS for 5.1.1dr3

7 years agoImplemented targeted SWID request
Andreas Steffen [Fri, 6 Sep 2013 20:06:39 +0000 (22:06 +0200)]
Implemented targeted SWID request