2 years agolibtpmtss: Support for TSS2 v2 libraries
Andreas Steffen [Tue, 17 Jul 2018 21:22:52 +0000 (23:22 +0200)]
libtpmtss: Support for TSS2 v2 libraries

2 years agotesting: Optionally build/install strongSwan only on a specific guest
Tobias Brunner [Wed, 11 Jul 2018 16:38:09 +0000 (18:38 +0200)]
testing: Optionally build/install strongSwan only on a specific guest

This may be used to test different strongSwan versions against each

2 years agoconf: Fix bench_time documentation
Tobias Brunner [Mon, 9 Jul 2018 16:10:07 +0000 (18:10 +0200)]
conf: Fix bench_time documentation

2 years agomessage: Report the size of the complete reassembled IKE message
Tobias Brunner [Thu, 5 Jul 2018 15:36:21 +0000 (17:36 +0200)]
message: Report the size of the complete reassembled IKE message

This way we see the same size on both ends, namely that of the complete
IKE message as if it was sent in a single packet (excluding UDP/IP headers).

2 years agoencrypted-payload: Change how the length for reassembled messages is calculated
Tobias Brunner [Thu, 5 Jul 2018 15:21:47 +0000 (17:21 +0200)]
encrypted-payload: Change how the length for reassembled messages is calculated

If we have an AEAD transform we add the overhead as if the data would have
been transported in a single encrypted payload.

2 years agoencrypted-payload: Add getter for the used AEAD transform
Tobias Brunner [Thu, 5 Jul 2018 15:20:52 +0000 (17:20 +0200)]
encrypted-payload: Add getter for the used AEAD transform

2 years agotesting: Fix checks after changing fragmentation log messages
Tobias Brunner [Thu, 5 Jul 2018 15:19:39 +0000 (17:19 +0200)]
testing: Fix checks after changing fragmentation log messages

2 years agocharon-nm: Parse any type of private key in need_secrets
SC Lee [Mon, 9 Jul 2018 09:54:25 +0000 (17:54 +0800)]
charon-nm: Parse any type of private key in need_secrets

Previously, when the user supplied an ECDSA key for public key authentication,
the user was always asked to provide a password, even if the key was not

Related: 954f73ea6e7e ("charon-nm: Parse any type of private key not only RSA")
Closes strongswan/strongswan#108.

2 years agokernel-pfkey: Add support for native ChaCha20/Poly1305 on macOS
Tobias Brunner [Fri, 6 Jul 2018 08:17:52 +0000 (10:17 +0200)]
kernel-pfkey: Add support for native ChaCha20/Poly1305 on macOS

2 years agokernel-pfkey: Enable macOS native AES_GCM_ICV16 support
Ruben Tytgat [Thu, 5 Jul 2018 15:54:42 +0000 (17:54 +0200)]
kernel-pfkey: Enable macOS native AES_GCM_ICV16 support

macOS supports AES_GCM_ICV16 natively using PF_KEYv2.

This change enables AES_GCM if the corresponding definition is detected
in the headers.

With this change it is no longer necessary to use the libipsec module to
use AES_GCM on macOS.

Closes strongswan/strongswan#107.

2 years agotesting: The dhcp plugin uses the DHCP client port again by default
Tobias Brunner [Thu, 5 Jul 2018 16:12:40 +0000 (18:12 +0200)]
testing: The dhcp plugin uses the DHCP client port again by default

This reverts parts of commit becf027cd9b0af162247015a9fff6c00e59fd6ce.

Fixes: 707b70725a7d ("dhcp: Only use DHCP server port if explicitly configured")

2 years agoandroid: New release after fixing EAP-PEAP issue and Autofill crash
Tobias Brunner [Wed, 4 Jul 2018 09:51:44 +0000 (11:51 +0200)]
android: New release after fixing EAP-PEAP issue and Autofill crash

2 years agoRevert "android: Enable the eap-ttls and eap-peap plugins"
Tobias Brunner [Wed, 4 Jul 2018 17:35:55 +0000 (19:35 +0200)]
Revert "android: Enable the eap-ttls and eap-peap plugins"

This reverts commit 064c97afaeabc341f98577eae67073641b1591db.

We have to make this optional and more configurable.  It seems some
commercial VPN providers use self-signed certificates for their AAA

2 years agoandroid: Move hint from TextInputEditText to TextInputLayout
Tobias Brunner [Wed, 4 Jul 2018 09:43:40 +0000 (11:43 +0200)]
android: Move hint from TextInputEditText to TextInputLayout

This avoids a NullPointerException on Android 8 related to the optional
Autofill functionality.  The bug has been fixed in Android 8.1 [1] but there
is no fix for Android 8.


2 years agoandroid: Don't enforce the server address as AAA identity for EAP-PEAP/TTLS
Tobias Brunner [Wed, 4 Jul 2018 09:17:04 +0000 (11:17 +0200)]
android: Don't enforce the server address as AAA identity for EAP-PEAP/TTLS

This is similar to EAP-TLS.  We could probably make this configurable

2 years agoandroid: New release after fixing cancelling connecting on older systems
Tobias Brunner [Tue, 3 Jul 2018 13:43:32 +0000 (15:43 +0200)]
android: New release after fixing cancelling connecting on older systems

2 years agoandroid: Poll dropper TUN device for data on older Android systems
Tobias Brunner [Tue, 3 Jul 2018 13:03:51 +0000 (15:03 +0200)]
android: Poll dropper TUN device for data on older Android systems

It seems that even the NIO version of read() is uninterruptible on
platforms < Android 7 (24).

2 years agoMerge branch 'android-updates'
Tobias Brunner [Tue, 3 Jul 2018 10:15:52 +0000 (12:15 +0200)]
Merge branch 'android-updates'

Lots of new features, e.g. Quick Settings tile, Always-on VPN, error
recovery, and lots of improvements under the hood.

2 years agoandroid: New version after adding lots of new features
Tobias Brunner [Thu, 21 Jun 2018 17:06:49 +0000 (19:06 +0200)]
android: New version after adding lots of new features

2 years agoandroid: Use ListView for log messages
Tobias Brunner [Mon, 2 Jul 2018 16:05:13 +0000 (18:05 +0200)]
android: Use ListView for log messages

This is hopefully a bit more efficient for large log files than the previous
single TextView.  The ListView widget also provides an auto-scroll mechanism.

2 years agoandroid: Simplify error handling in VPN state fragment
Tobias Brunner [Fri, 29 Jun 2018 14:42:18 +0000 (16:42 +0200)]
android: Simplify error handling in VPN state fragment

Always reset the error state when disconnecting via state service. This
way the error state is also cleared when the connection is terminated
directly via control activity.

2 years agoandroid: Remove MIME type filter when importing trusted certificates
Tobias Brunner [Fri, 29 Jun 2018 14:04:10 +0000 (16:04 +0200)]
android: Remove MIME type filter when importing trusted certificates

This way we should see files even if the MIME type has not been set
correctly while downloading it.

2 years agoandroid: Show date/thread prefix in log view if we have enough space
Tobias Brunner [Fri, 29 Jun 2018 10:50:31 +0000 (12:50 +0200)]
android: Show date/thread prefix in log view if we have enough space

This is the case for tablets or even phones in landscape orientation.
600dp is the breaking point for small tablets according to Google's

2 years agoandroid: Change log message when initializing the native code and add a divider
Tobias Brunner [Fri, 29 Jun 2018 10:07:17 +0000 (12:07 +0200)]
android: Change log message when initializing the native code and add a divider

We don't really start a daemon and the divider should make it easier to
identify retries.

2 years agoandroid: Don't use infinite keying tries on Android 5+
Tobias Brunner [Fri, 29 Jun 2018 09:41:41 +0000 (11:41 +0200)]
android: Don't use infinite keying tries on Android 5+

This way we get some feedback about the issue in the GUI (otherwise it
would just switch to connecting state) and also some delays between retries.

2 years agoandroid: Allow explicit termination of a profile without confirmation
Tobias Brunner [Mon, 25 Jun 2018 09:02:08 +0000 (11:02 +0200)]
android: Allow explicit termination of a profile without confirmation

2 years agoandroid: Handle restarts of the control Activity better
Tobias Brunner [Fri, 22 Jun 2018 11:57:51 +0000 (13:57 +0200)]
android: Handle restarts of the control Activity better

For instance, rotating a device will restart it and this previously
could have started the wrong profile or shown the system's VPN
confirmation dialog twice.

2 years agoandroid: Properly handle pressing home when VPN confirmation dialog is shown
Tobias Brunner [Fri, 22 Jun 2018 09:22:23 +0000 (11:22 +0200)]
android: Properly handle pressing home when VPN confirmation dialog is shown

As documented, onActivityResult() is called right before onResume() when
the activity is reactivated.  However, if the system's VPN confirmation
dialog is shown and the home button is pressed, the activity is stopped
and not just paused, so its state is saved.  And onActivityResult() is
actually also called before onStart().  This means that no fragment
transactions may be committed (i.e. no dialog may be shown) when the
activity is later restarted (e.g. because there is another attempt to
connect the VPN) until onStart() has been called.  So if we'd try to show
the error dialog in onActivityResult() after returning to the launcher
it would result in an IllegalStateException.

However, showing the dialog for the previous confirmation dialog is not
ideal anyway, so we just ignore that result.

2 years agoandroid: Crudely catch exception if no file browser is available
Tobias Brunner [Thu, 21 Jun 2018 17:05:33 +0000 (19:05 +0200)]
android: Crudely catch exception if no file browser is available

Seen on Android TV in the emulator.

2 years agoandroid: Enable the eap-ttls and eap-peap plugins
Tobias Brunner [Thu, 21 Jun 2018 16:35:37 +0000 (18:35 +0200)]
android: Enable the eap-ttls and eap-peap plugins

2 years agoandroid: Pass UUID to VPN service to initiate profiles
Tobias Brunner [Thu, 21 Jun 2018 14:46:13 +0000 (16:46 +0200)]
android: Pass UUID to VPN service to initiate profiles

2 years agoandroid: Remove Suite B ESP proposals and reorder some algorithms
Tobias Brunner [Thu, 21 Jun 2018 12:49:22 +0000 (14:49 +0200)]
android: Remove Suite B ESP proposals and reorder some algorithms

2 years agoandroid: Make RSA/PSS flag configurable in the GUI
Tobias Brunner [Thu, 21 Jun 2018 10:51:51 +0000 (12:51 +0200)]
android: Make RSA/PSS flag configurable in the GUI

2 years agoandroid: Import RSA/PSS flag
Tobias Brunner [Thu, 21 Jun 2018 10:25:28 +0000 (12:25 +0200)]
android: Import RSA/PSS flag

2 years agoandroid: Add flag to enable RSA/PSS
Tobias Brunner [Thu, 21 Jun 2018 10:09:47 +0000 (12:09 +0200)]
android: Add flag to enable RSA/PSS

2 years agoandroid: Make fetching OCSP/CRL interruptible
Tobias Brunner [Thu, 21 Jun 2018 09:17:22 +0000 (11:17 +0200)]
android: Make fetching OCSP/CRL interruptible

This allows cancelling connecting if e.g. the OCSP server is not
reachable. Previously this caused some delay in disconnecting state but
even worse it cause an ANR if the user tried reconnecting during that
time as the main thread would get struck in setNextProfile() (we could
probably find a better solution there too in the future).

2 years agoandroid: Make CRL/OCSP/strict flags configurable in the GUI
Tobias Brunner [Wed, 20 Jun 2018 15:37:44 +0000 (17:37 +0200)]
android: Make CRL/OCSP/strict flags configurable in the GUI

2 years agoandroid: Import CRL/OCSP/strict flags
Tobias Brunner [Wed, 20 Jun 2018 15:25:18 +0000 (17:25 +0200)]
android: Import CRL/OCSP/strict flags

2 years agoandroid: Fix import of certificate request flag
Tobias Brunner [Wed, 20 Jun 2018 15:23:08 +0000 (17:23 +0200)]
android: Fix import of certificate request flag

2 years agoandroid: Add flags to control CRL/OCSP fetching and strict revocation
Tobias Brunner [Wed, 20 Jun 2018 15:18:03 +0000 (17:18 +0200)]
android: Add flags to control CRL/OCSP fetching and strict revocation

2 years agorevocation: Support en-/disabling CRL/OCSP at runtime
Tobias Brunner [Thu, 21 Jun 2018 06:59:40 +0000 (08:59 +0200)]
revocation: Support en-/disabling CRL/OCSP at runtime

2 years agoandroid: Use activity when reconnecting without (or a possibly wrong) password
Tobias Brunner [Wed, 20 Jun 2018 10:25:09 +0000 (12:25 +0200)]
android: Use activity when reconnecting without (or a possibly wrong) password

2 years agoandroid: Use startForegroundService() to start VpnService
Tobias Brunner [Tue, 19 Jun 2018 15:31:51 +0000 (17:31 +0200)]
android: Use startForegroundService() to start VpnService

This gives us some time to call startForeground() so we don't get

2 years agoandroid: Install a blocking TUN device until the VPN is established
Tobias Brunner [Tue, 19 Jun 2018 15:14:17 +0000 (17:14 +0200)]
android: Install a blocking TUN device until the VPN is established

It's reinstalled when reconnecting (or during error recovery) and
eventually uninstalled after disconnecting.

Only on Android 5+, otherwise we'd block our fetcher (and Android 4.4 is
stupid in regards to overlapping TUN devices anyway).

Note that Android 8's blocking feature blocks everything that passes by
the VPN, so this only works when tunneling everything (i.e. neither subnets,
nor apps can be excluded from the VPN if that feature is enabled).

2 years agoandroid: Exclude our own app from the VPN
Tobias Brunner [Tue, 19 Jun 2018 15:01:21 +0000 (17:01 +0200)]
android: Exclude our own app from the VPN

Otherwise, a blocking VPN interface would prevent our fetcher from working
as we currently rely on an interface that doesn't allow access to the
underlying socket/FD, which would be required to call VpnService.protect().

2 years agoandroid: Log retries to the same log file
Tobias Brunner [Tue, 19 Jun 2018 09:15:16 +0000 (11:15 +0200)]
android: Log retries to the same log file

It's cleared when a new connection is started or there is a manual

2 years agoandroid: Use capped exponential backoff for automatic retries
Tobias Brunner [Mon, 18 Jun 2018 17:04:03 +0000 (19:04 +0200)]
android: Use capped exponential backoff for automatic retries

2 years agoandroid: Show countdown and retry button in notification
Tobias Brunner [Mon, 18 Jun 2018 14:57:03 +0000 (16:57 +0200)]
android: Show countdown and retry button in notification

2 years agoandroid: Avoid IllegalStateException in state fragments
Tobias Brunner [Mon, 18 Jun 2018 14:45:37 +0000 (16:45 +0200)]
android: Avoid IllegalStateException in state fragments

This happened if the state service got connected while such a fragment was
not visible (anymore or at all).

2 years agoandroid: Don't hide the notification if we are connecting to a profile
Tobias Brunner [Mon, 18 Jun 2018 14:30:26 +0000 (16:30 +0200)]
android: Don't hide the notification if we are connecting to a profile

In particular, if we are reconnecting after an error.

2 years agoandroid: Add an automatic reconnect on errors
Tobias Brunner [Fri, 15 Jun 2018 12:40:01 +0000 (14:40 +0200)]
android: Add an automatic reconnect on errors

This way the connection will be attempted to be kept up even on "fatal"
errors like authentication failures.

2 years agoike-sa-manager: Fix races when changing initiator SPI of an IKE_SA
Tobias Brunner [Fri, 15 Jun 2018 10:34:15 +0000 (12:34 +0200)]
ike-sa-manager: Fix races when changing initiator SPI of an IKE_SA

Removing and readding the entry to a potentially different row/segment,
while driving out waiting and new threads, could prevent threads from
acquiring the SA even if they were waiting to check it out by unique
ID (which doesn't change), or if they were just trying to enumerate it.
With this change the row and segment doesn't change anymore and waiting
threads may acquire the SA. However, those looking for an IKE_SA by SPIs
might get one back that has a different SPI (but that's probably not
something that happens very often this early).

This was noticed because we check out SAs by unique ID in the Android
app to terminate them after failed retransmits if we are not reestablishing
the SA (otherwise we continue), and this sometimes failed.

Fixes: eaedcf8c0054 ("ike-sa-manager: Add method to change the initiator SPI of an IKE_SA")

2 years agoandroid: Show a retry button in the error banner
Tobias Brunner [Fri, 15 Jun 2018 09:00:08 +0000 (11:00 +0200)]
android: Show a retry button in the error banner

The button to view the log is now below the status info.  And since the
IMC results are just below that we don't need a special handling for
that anymore.

2 years agoandroid: Add function to quickly reconnect the current profile
Tobias Brunner [Fri, 15 Jun 2018 08:58:59 +0000 (10:58 +0200)]
android: Add function to quickly reconnect the current profile

2 years agoandroid: Use Java 8 features
Tobias Brunner [Thu, 14 Jun 2018 16:13:44 +0000 (18:13 +0200)]
android: Use Java 8 features

2 years agoandroid: Show an error if client certificate is unavailable
Tobias Brunner [Thu, 14 Jun 2018 13:20:57 +0000 (15:20 +0200)]
android: Show an error if client certificate is unavailable

This can happen on systems (e.g. Android 7.x) where Always-on VPNs are
triggered right after booting before the KeyChain is unlocked by the user.
Retrieving the certificate chain or private key then fails with
"KeyChainException: IllegalStateException: keystore is LOCKED" until the
user unlocks the screen once.

The built-in client actually also fails in this situation (e.g. with XAuth
RSA), it tries three times then stops and shows an error notification.

2 years agoandroid: Show an error if a profile without a password is initiated
Tobias Brunner [Thu, 14 Jun 2018 13:16:45 +0000 (15:16 +0200)]
android: Show an error if a profile without a password is initiated

This could happen if an incomplete profile is used with Always-on VPN.

2 years agoandroid: Use modern shortcuts on Android 8+
Tobias Brunner [Tue, 19 Jun 2018 10:32:55 +0000 (12:32 +0200)]
android: Use modern shortcuts on Android 8+

2 years agoandroid: Add an adaptive launcher icon
Tobias Brunner [Thu, 14 Jun 2018 12:02:22 +0000 (14:02 +0200)]
android: Add an adaptive launcher icon

Using <inset> in a mipmap folder apparently is not fully valid, at least
Android Studio complains about it (it seems to work fine, though).

2 years agoandroid: Show the actual error description in the notification
Tobias Brunner [Wed, 13 Jun 2018 14:31:41 +0000 (16:31 +0200)]
android: Show the actual error description in the notification

2 years agoandroid: Change format for error strings
Tobias Brunner [Wed, 13 Jun 2018 14:42:24 +0000 (16:42 +0200)]
android: Change format for error strings

Place the dot in the main message not the descriptions of the individual

2 years agoandroid: Collapse Quick Settings drawer if password entry is required
Tobias Brunner [Wed, 13 Jun 2018 14:07:28 +0000 (16:07 +0200)]
android: Collapse Quick Settings drawer if password entry is required

2 years agoandroid: Initiate configured default profile when triggered as Always-on VPN
Tobias Brunner [Tue, 12 Jun 2018 15:46:08 +0000 (17:46 +0200)]
android: Initiate configured default profile when triggered as Always-on VPN

With Android 8.1 this isn't triggered after a reboot until the device
has been unlocked once (solving the issue with the key store) and traffic
may optionally be blocked by the user until the VPN is established.

There are still some issues (e.g. password prompts and fatal errors), and we
might need some workaround for older Android releases.

2 years agoandroid: Just reconnect if the tile is clicked even if there was an error
Tobias Brunner [Tue, 12 Jun 2018 15:06:28 +0000 (17:06 +0200)]
android: Just reconnect if the tile is clicked even if there was an error

A long press click on the tile (or a click on the notification) will open
the main activity if more information about the error are necessary.

2 years agoandroid: Allow reconnecting without confirmation in case of an error
Tobias Brunner [Tue, 12 Jun 2018 15:05:00 +0000 (17:05 +0200)]
android: Allow reconnecting without confirmation in case of an error

2 years agoandroid: Show connection errors as banner, not as modal dialog
Tobias Brunner [Fri, 8 Jun 2018 13:41:46 +0000 (15:41 +0200)]
android: Show connection errors as banner, not as modal dialog

2 years agoandroid: Add Quick Settings tile to toggle VPN state
Tobias Brunner [Fri, 8 Jun 2018 12:22:52 +0000 (14:22 +0200)]
android: Add Quick Settings tile to toggle VPN state

Only if there is no currently active (or previously active) profile does
this currently operate on the configured (or stored most recently used)
profile.  This way it's possible to use a different connection and
quickly disable and re-enable it again.  When unlocked the profile name
is shown, when locked a generic text is used (this detection doesn't seem
to work 100% reliably).  To disconnect, the user is forced to unlock the
device, connecting is possible without, if the credentials are available
and no fatal error occurs (it even works with the system credential store,
at least on Android 8.1).

Note that the tile is not available right after a reboot.  It seems that
the system has to be unlocked once to activate third-party tiles (will
be interesting to see how this works together with Always-on VPN).

2 years agoandroid: Store the ID of the most recently used profile as preference
Tobias Brunner [Fri, 8 Jun 2018 11:54:46 +0000 (13:54 +0200)]
android: Store the ID of the most recently used profile as preference

2 years agoandroid: Add settings activity and default profile selection
Tobias Brunner [Fri, 8 Jun 2018 09:57:38 +0000 (11:57 +0200)]
android: Add settings activity and default profile selection

The default profile can then be used for a Quick Settings tile or the
Always-on VPN feature.

2 years agoandroid: Reset error state after user confirmed it
Tobias Brunner [Fri, 8 Jun 2018 09:23:05 +0000 (11:23 +0200)]
android: Reset error state after user confirmed it

This allows other listeners to change their display.

2 years agoandroid: Use specific icon when connecting to the VPN
Tobias Brunner [Fri, 8 Jun 2018 09:22:21 +0000 (11:22 +0200)]
android: Use specific icon when connecting to the VPN

2 years agoandroid: Use a handler to show/remove notification from main UI thread
Tobias Brunner [Fri, 8 Jun 2018 09:17:26 +0000 (11:17 +0200)]
android: Use a handler to show/remove notification from main UI thread

This avoids races that were previously seen (e.g. when disconnecting
while connecting, which sometimes showed a "Disconnecting..."

2 years agoandroid: Use separate activity to control VPN connections
Tobias Brunner [Thu, 7 Jun 2018 16:00:16 +0000 (18:00 +0200)]
android: Use separate activity to control VPN connections

This way we don't have to open the main window, but only show a dialog
if necessary (or nothing in many cases).

2 years agoandroid: Migrate onAttach() from deprecated version
Tobias Brunner [Thu, 7 Jun 2018 15:57:41 +0000 (17:57 +0200)]
android: Migrate onAttach() from deprecated version

2 years agoandroid: Make certificate import activity properly transparent
Tobias Brunner [Thu, 7 Jun 2018 15:12:56 +0000 (17:12 +0200)]
android: Make certificate import activity properly transparent

2 years agoandroid: Remove deprecated progress indicator in MainActivity
Tobias Brunner [Thu, 7 Jun 2018 12:44:22 +0000 (14:44 +0200)]
android: Remove deprecated progress indicator in MainActivity

Support for this was already removed with API level 21. On modern
devices loading CA certs should be quick enough anyway.

2 years agoandroid: Replace deprecated ProgressDialog during profile import
Tobias Brunner [Thu, 7 Jun 2018 12:42:40 +0000 (14:42 +0200)]
android: Replace deprecated ProgressDialog during profile import

2 years agoandroid: Add notification channel for API level 26+
Tobias Brunner [Wed, 6 Jun 2018 16:55:45 +0000 (18:55 +0200)]
android: Add notification channel for API level 26+

Unfortunately, setLockscreenVisibility() doesn't seem to have any
effect. So the full notification is shown unless the user manually
configures the notification settings.

2 years agoandroid: Set compile-/targetSdkVersion to 26
Tobias Brunner [Wed, 6 Jun 2018 14:57:31 +0000 (16:57 +0200)]
android: Set compile-/targetSdkVersion to 26

This allows us to add tiles to Quick Settings and enabling the Always-on
VPN feature in the VPN settings (both require API level 24, but 26 will
be required as targetSdkVersion later this year).

2 years agoandroid: Show profile ID at bottom of advanced settings
Tobias Brunner [Wed, 6 Jun 2018 14:38:26 +0000 (16:38 +0200)]
android: Show profile ID at bottom of advanced settings

Can be selected and copied to the clipboard to use in automation
software that doesn't support the shortcut.

2 years agoandroid: Accept a profile's UUID when initiating
Tobias Brunner [Wed, 6 Jun 2018 14:29:02 +0000 (16:29 +0200)]
android: Accept a profile's UUID when initiating

2 years agoandroid: Add additional Intent filter for import Activity with MIME type mask
Tobias Brunner [Wed, 6 Jun 2018 13:35:00 +0000 (15:35 +0200)]
android: Add additional Intent filter for import Activity with MIME type mask

Chrome creates such an Intent when opening downloaded files (not when
directly opening them), a MIME type is set, but apparently not ours.

2 years agoandroid: UUID is now mandatory
Tobias Brunner [Tue, 5 Jun 2018 13:42:09 +0000 (15:42 +0200)]
android: UUID is now mandatory

Unless there are profiles created with old versions of the app (< 1.8.0)
that were never updated since, all profiles should already have a UUID
assigned.  If not, we do that now with a DB migration.

2 years agoandroid: Show an error dialog if we can't get permission for VPNs
Tobias Brunner [Mon, 4 Jun 2018 14:46:25 +0000 (16:46 +0200)]
android: Show an error dialog if we can't get permission for VPNs

This is either because a third-party VPN app has the always-on feature
enabled, or because the user denied the permission in the system's confirmation

If the always-on feature is enabled for a connection of the built-in VPN
client we get an IllegalStateException, for which we show an updated and
clearer error message.

2 years agoandroid: Suppress self-assign warnings with clang
Tobias Brunner [Mon, 4 Jun 2018 13:39:25 +0000 (15:39 +0200)]
android: Suppress self-assign warnings with clang

These are triggered by the little endian functions in byteorder.h.

2 years agoatomics: Use type of destination in CAS implementation
Tobias Brunner [Fri, 22 Jun 2018 08:25:25 +0000 (10:25 +0200)]
atomics: Use type of destination in CAS implementation

The type of the value was incorrect (void**) if NULL was passed to cas_ptr()
as expected value, which caused a compiler warning with Clang because
__atomic_compare_exchange_n() expects the types of the first two arguments
to be the same.

2 years agoatomics: Define HAVE_GCC_ATOMIC_OPERATIONS when building with clang
Tobias Brunner [Tue, 5 Jun 2018 13:58:08 +0000 (15:58 +0200)]
atomics: Define HAVE_GCC_ATOMIC_OPERATIONS when building with clang

We should probably check for stdatomic.h and use the c11 functions if

2 years agoandroid: Build native libraries for all non-deprecated ABIs
Tobias Brunner [Mon, 4 Jun 2018 13:36:20 +0000 (15:36 +0200)]
android: Build native libraries for all non-deprecated ABIs

armeabi has been superseded by armeabi-v7a and the MIPS ABIs were removed
with the latest NDK (r17), after being marked deprecated for a while.
By not specifying APP_ABI we build for all non-deprecated ABIs.

2 years agoandroid: Update Gradle plugin and wrapper
Tobias Brunner [Mon, 4 Jun 2018 10:09:32 +0000 (12:09 +0200)]
android: Update Gradle plugin and wrapper

2 years agoike: Include length of reassembled IKE message in log message
Tobias Brunner [Mon, 2 Jul 2018 10:18:18 +0000 (12:18 +0200)]
ike: Include length of reassembled IKE message in log message

Also simplify wording a bit when fragmenting.

2 years agodhcp: Only use DHCP server port if explicitly configured
Tobias Brunner [Tue, 26 Jun 2018 13:48:07 +0000 (15:48 +0200)]
dhcp: Only use DHCP server port if explicitly configured

If a DHCP server is running on the same host it isn't necessary to
bind the server port and might even cause conflicts.

2 years agokernel-pfkey: Avoid updating policies if nothing significant changed
Tobias Brunner [Fri, 1 Jun 2018 09:15:22 +0000 (11:15 +0200)]
kernel-pfkey: Avoid updating policies if nothing significant changed

The FreeBSD kernel doesn't update policies atomically, causing
unnecessary traffic loss during simple rekeyings.

Fixes #2677.

2 years agosettings: Fix compilation with newer versions of Clang
Tobias Brunner [Fri, 29 Jun 2018 09:30:31 +0000 (11:30 +0200)]
settings: Fix compilation with newer versions of Clang

Depending on the actual va_list definition it's not valid to compare it
directly or assign NULL.

2 years agoMerge branch 'ike-proposal-switch'
Tobias Brunner [Thu, 28 Jun 2018 16:47:15 +0000 (18:47 +0200)]
Merge branch 'ike-proposal-switch'

This allows switching the originally selected IKE config (based on the
IPs and IKE version) to a different one if no matching proposal is found.

This way we don't rely that much on the order of configs anymore and it's
possible to configure separate configs for clients that require weak

2 years agotesting: Fix IKE proposal in swanctl/net2net-gw scenario
Tobias Brunner [Thu, 28 Jun 2018 16:03:57 +0000 (18:03 +0200)]
testing: Fix IKE proposal in swanctl/net2net-gw scenario

Also simplify config by using references.

2 years agobackend-manager: Change how IKE/peer config matches are logged
Tobias Brunner [Wed, 27 Jun 2018 15:59:54 +0000 (17:59 +0200)]
backend-manager: Change how IKE/peer config matches are logged

Instead of logging the search parameters for IKE configs (which were already
before starting the lookup) we log the configured settings.

The peer config lookup is also changed slightly by doing the IKE config
match first and skipping some checks if that or the local peer identity
doesn't match.

2 years agoReplace 'inacceptable' with the more common 'unacceptable'
Tobias Brunner [Tue, 29 May 2018 16:27:16 +0000 (18:27 +0200)]
Replace 'inacceptable' with the more common 'unacceptable'

2 years agochild-cfg: Allow suppressing log messages when selecting traffic selectors
Tobias Brunner [Tue, 29 May 2018 16:12:16 +0000 (18:12 +0200)]
child-cfg: Allow suppressing log messages when selecting traffic selectors

Although being already logged on level 2, these messages are usually just
confusing if they pop up randomly in the log when e.g. querying the configs
or installing traps.  So after this the log messages will only be logged when
actually proposing or selecting traffic selectors during IKE.

2 years agoike-init: Switch to an alternative config if proposals don't match
Tobias Brunner [Tue, 29 May 2018 15:04:12 +0000 (17:04 +0200)]
ike-init: Switch to an alternative config if proposals don't match

This way we don't rely on the order of equally matching configs as
heavily anymore (which is actually tricky in vici) and this also doesn't
require repeating weak algorithms in all configs that might potentially be
selected if there are some clients that require them.

There is currently no ordering, so an explicitly configured exactly matching
proposal isn't a better match than e.g. the default proposal that also
contains the proposed algorithms.

2 years agoike-auth: Consider negotiated IKE proposal when selecting peer configs
Tobias Brunner [Tue, 29 May 2018 14:57:49 +0000 (16:57 +0200)]
ike-auth: Consider negotiated IKE proposal when selecting peer configs

In some scenarios we might find multiple usable peer configs with different
IKE proposals.  This is a problem if we use a config with non-matching
proposals that later causes IKE rekeying to fail.  It might even be a problem
already when creating the CHILD_SA if the proposals of IKE and CHILD_SA
are consistent.