21 months agoikev2: Only send one certificate request for the same CA 2560-certreq-dups
Tobias Brunner [Wed, 28 Feb 2018 09:52:46 +0000 (10:52 +0100)]
ikev2: Only send one certificate request for the same CA

If multiple credential sets provide the same CA certificate (e.g. pkcs11
and vici) we could end up sending duplicate certificate requests.


21 months agoMerge branch 'incorrect-inval-ke'
Tobias Brunner [Fri, 23 Feb 2018 08:28:08 +0000 (09:28 +0100)]
Merge branch 'incorrect-inval-ke'

This improves the behavior during CREATE_CHILD_SA exchanges if the peer
sends an INVALID_KE_PAYLOAD with a DH group we didn't request or continues
to return the same notify even if we use the requested group.

Fixes #2536.

21 months agochild-rekey: Don't destroy IKE_SA if initiating CHILD_SA rekeying failed
Tobias Brunner [Mon, 19 Feb 2018 14:09:34 +0000 (15:09 +0100)]
child-rekey: Don't destroy IKE_SA if initiating CHILD_SA rekeying failed

This could happen if the peer e.g. selects an invalid DH group or
responds multiple time with an INVALID_KE_PAYLAOD notify.

21 months agochild-create: Fail if we already retried with a requested DH group
Tobias Brunner [Fri, 9 Feb 2018 14:27:50 +0000 (15:27 +0100)]
child-create: Fail if we already retried with a requested DH group

With faulty peers that always return the same unusable DH group in
INVALID_KE_PAYLOADs we'd otherwise get stuck in a loop.

21 months agochild-create: Make sure we actually propose the requested DH group
Tobias Brunner [Fri, 9 Feb 2018 14:16:24 +0000 (15:16 +0100)]
child-create: Make sure we actually propose the requested DH group

If we receive an INVALID_KE_PAYLOAD notify we should not just retry
with the requested DH group without checking first if we actually propose
the group (or any at all).

21 months agochild-create: Make sure the returned KE payload uses the proposed DH group
Tobias Brunner [Fri, 9 Feb 2018 14:13:54 +0000 (15:13 +0100)]
child-create: Make sure the returned KE payload uses the proposed DH group

21 months agochild-sa: Don't update outbound policies if they are not installed
Tobias Brunner [Wed, 21 Feb 2018 10:04:45 +0000 (11:04 +0100)]
child-sa: Don't update outbound policies if they are not installed

After a rekeying we keep the inbound SA and policies installed for a
while, but the outbound SA and policies are already removed.  Attempting
to update them could get the refcount in the kernel interface out of sync
as the additional policy won't be removed when the CHILD_SA object is
eventually destroyed.

21 months agochild-sa: Don't try to update outbound SA if it is not installed anymore
Tobias Brunner [Wed, 21 Feb 2018 09:58:39 +0000 (10:58 +0100)]
child-sa: Don't try to update outbound SA if it is not installed anymore

21 months agoMerge branch 'trap-manager-uninstall'
Tobias Brunner [Thu, 22 Feb 2018 10:31:14 +0000 (11:31 +0100)]
Merge branch 'trap-manager-uninstall'

This changes how trap policies are deleted in order to avoid conflicts if a
trap policy with changed peer config is concurrently removed and reinstalled
under a different name (the reqid will be the same, so the wrong policy
could have been deleted by the old code).

21 months agotrap-manager: Remove unused find_reqid() method
Tobias Brunner [Fri, 3 Nov 2017 10:51:36 +0000 (11:51 +0100)]
trap-manager: Remove unused find_reqid() method

It might actually have returned an incorrect result if there were child
configs for different peer configs sharing the same name.

21 months agochild-sa: No need to find reqid of existing trap policy
Tobias Brunner [Fri, 3 Nov 2017 10:49:45 +0000 (11:49 +0100)]
child-sa: No need to find reqid of existing trap policy

When initiating a trap policy we explicitly pass the reqid along.  I guess
the lookup was useful to get the same reqid if a trapped CHILD_SA is manually
initiated.  However, we now get the same reqid anyway if there is no
narrowing.  And if the traffic selectors do get narrowed the reqid will be
different but that shouldn't be a problem as that doesn't cause an issue with
any temporary SAs in the kernel (this is why we pass the reqid to the
triggered CHILD_SA, otherwise, no new acquire would get triggered for
traffic that doesn't match the wider trap policy).

21 months agotrap-manager: Remove reqid parameter from install() and change return type
Tobias Brunner [Fri, 3 Nov 2017 10:32:04 +0000 (11:32 +0100)]
trap-manager: Remove reqid parameter from install() and change return type

Reqids for the same traffic selectors are now stable so we don't have to
pass reqids of previously installed CHILD_SAs.  Likewise, we don't need
to know the reqid of the newly installed trap policy as we now uninstall
by name.

21 months agotrap-manager: Compare peer config name during installation
Tobias Brunner [Fri, 3 Nov 2017 10:26:23 +0000 (11:26 +0100)]
trap-manager: Compare peer config name during installation

21 months agotrap-manager: Uninstall trap policies by name and not reqid
Tobias Brunner [Fri, 3 Nov 2017 10:10:16 +0000 (11:10 +0100)]
trap-manager: Uninstall trap policies by name and not reqid

If a trap policy is concurrently uninstalled and reinstalled under a
different name the reqid will be the same so the wrong trap might be

21 months agovici: Remove external enumeration to uninstall shunt policies
Tobias Brunner [Fri, 3 Nov 2017 09:55:05 +0000 (10:55 +0100)]
vici: Remove external enumeration to uninstall shunt policies

21 months agostroke: Remove external enumeration to unroute shunt policies
Tobias Brunner [Fri, 3 Nov 2017 09:53:04 +0000 (10:53 +0100)]
stroke: Remove external enumeration to unroute shunt policies

21 months agoshunt-manager: Remove first match if no namespace given during uninstall
Tobias Brunner [Fri, 3 Nov 2017 09:47:48 +0000 (10:47 +0100)]
shunt-manager: Remove first match if no namespace given during uninstall

Also makes namespace mandatory.

21 months agoappveyor: Allow events to trigger early in threading unit tests
Tobias Brunner [Fri, 16 Feb 2018 10:55:54 +0000 (11:55 +0100)]
appveyor: Allow events to trigger early in threading unit tests

The timed wait functions tested in the threading unit tests often but
randomly trigger a bit early on AppVeyor Windows containers.  We allow this
if it is not earlier than 5ms.

21 months agocharon-nm: Fix building list of DNS/MDNS servers with libnm
Tobias Brunner [Wed, 21 Feb 2018 10:53:55 +0000 (11:53 +0100)]
charon-nm: Fix building list of DNS/MDNS servers with libnm

g_variant_builder_add() creates a new GVariant using g_variant_new() and
then adds it to the builder.  Passing a GVariant probably adds the
pointer to the array, not the value.  I think an alternative fix would
be to use "@u" as type string for the g_variant_builder_add() call, then
the already allocated GVariant is adopted.

Fixes: 9a71b7219ca3 ("charon-nm: Port to libnm")

21 months agox509: Fix leak if a CRL contains multiple authorityKeyIdentifiers
Tobias Brunner [Wed, 21 Feb 2018 10:13:42 +0000 (11:13 +0100)]
x509: Fix leak if a CRL contains multiple authorityKeyIdentifiers

21 months agofuzzing: Add fuzzer for CRL parsing
Tobias Brunner [Tue, 20 Feb 2018 16:51:55 +0000 (17:51 +0100)]
fuzzing: Add fuzzer for CRL parsing

21 months agonm: Version bump to 1.4.3
Tobias Brunner [Mon, 19 Feb 2018 13:44:28 +0000 (14:44 +0100)]
nm: Version bump to 1.4.3

21 months agoVersion bump to 5.6.2 5.6.2
Andreas Steffen [Mon, 19 Feb 2018 11:59:37 +0000 (12:59 +0100)]
Version bump to 5.6.2

21 months agoNEWS: Add info about CVE-2018-6459
Tobias Brunner [Mon, 19 Feb 2018 09:37:04 +0000 (10:37 +0100)]
NEWS: Add info about CVE-2018-6459

21 months agosignature-params: Properly handle MGF1 algorithm identifier without parameters
Tobias Brunner [Mon, 4 Dec 2017 09:51:47 +0000 (10:51 +0100)]
signature-params: Properly handle MGF1 algorithm identifier without parameters

Credit to OSS-Fuzz.

Fixes: CVE-2018-6459

21 months agoVersion bump to 5.6.2rc1 5.6.2rc1
Andreas Steffen [Fri, 16 Feb 2018 12:37:00 +0000 (13:37 +0100)]
Version bump to 5.6.2rc1

21 months agotesting: Enable counters and save-keys plugins
Andreas Steffen [Fri, 16 Feb 2018 12:36:44 +0000 (13:36 +0100)]
testing: Enable counters and save-keys plugins

21 months agoNEWS: Added some news for 5.6.2
Tobias Brunner [Fri, 16 Feb 2018 10:02:06 +0000 (11:02 +0100)]
NEWS: Added some news for 5.6.2

21 months agovici: Also return close action
Tobias Brunner [Fri, 16 Feb 2018 08:55:22 +0000 (09:55 +0100)]
vici: Also return close action

21 months agosave-keys: Add warning message to log if keys are being saved
Tobias Brunner [Thu, 15 Feb 2018 09:04:47 +0000 (10:04 +0100)]
save-keys: Add warning message to log if keys are being saved

21 months agosave-keys: Add options to enable saving IKE and/or ESP keys
Tobias Brunner [Thu, 15 Feb 2018 09:03:08 +0000 (10:03 +0100)]
save-keys: Add options to enable saving IKE and/or ESP keys

21 months agosave-keys: Store derived CHILD_SA keys in Wireshark format
Codrut Cristian Grosu [Wed, 7 Sep 2016 09:00:04 +0000 (12:00 +0300)]
save-keys: Store derived CHILD_SA keys in Wireshark format

21 months agosave-keys: Store derived IKE_SA keys in Wireshark format
Codrut Cristian Grosu [Fri, 2 Sep 2016 12:22:29 +0000 (15:22 +0300)]
save-keys: Store derived IKE_SA keys in Wireshark format

The path has to be set first, otherwise, nothing is done.

21 months agosave-keys: Add save-keys plugin
Codrut Cristian Grosu [Fri, 2 Sep 2016 12:06:30 +0000 (15:06 +0300)]
save-keys: Add save-keys plugin

This plugin will export IKE_SA and CHILD_SA secret keys in the format used
by Wireshark.

It has to be loaded explicitly.

21 months agovici: list-conn reports DPD settings and swanctl displays them
Andreas Steffen [Tue, 6 Feb 2018 20:29:17 +0000 (21:29 +0100)]
vici: list-conn reports DPD settings and swanctl displays them

21 months agoproposal: Add modp6144 to the default proposal
Tobias Brunner [Wed, 14 Feb 2018 13:53:08 +0000 (14:53 +0100)]
proposal: Add modp6144 to the default proposal

We always had modp4096 and modp8192 included, not sure why this wasn't.

21 months agoha: Double receive buffer size for HA messages and make it configurable
Tobias Brunner [Wed, 14 Feb 2018 13:51:24 +0000 (14:51 +0100)]
ha: Double receive buffer size for HA messages and make it configurable

With IKEv1 we transmit both public DH factors (used to derive the initial
IV) besides the shared secret.  So these messages could get significantly
larger than 1024 bytes, depending on the DH group (modp2048 just about
fits into it).  The new default of 2048 bytes should be fine up to modp4096
and for larger groups the buffer size may be increased (an error is
logged should this happen).

21 months agoRevert "travis: Use Clang 4.0 instead of 3.9 due to va_start() warnings"
Tobias Brunner [Tue, 13 Feb 2018 15:25:46 +0000 (16:25 +0100)]
Revert "travis: Use Clang 4.0 instead of 3.9 due to va_start() warnings"

The Trusty image used by Travis was updated in December and now has Clang
5.0.0 installed.  So this workaround is not necessary anymore.

This reverts commit f4bd46764143744202b817cf7268aa9e6f4ab5f7.

21 months agoFixed some typos, courtesy of codespell
Tobias Brunner [Tue, 13 Feb 2018 11:04:12 +0000 (12:04 +0100)]
Fixed some typos, courtesy of codespell

21 months agoMerge branch 'readme-errata'
Tobias Brunner [Mon, 12 Feb 2018 10:16:49 +0000 (11:16 +0100)]
Merge branch 'readme-errata'

Closes strongswan/strongswan#89.

21 months agoREADME: Fix paths to private keys
Liu Qun (liuqun) [Mon, 12 Feb 2018 03:39:00 +0000 (11:39 +0800)]
README: Fix paths to private keys

Since version 5.5.1, different keys can be put together in
* tobiasbrunner@7caba2eb5524be6b51943bcc3d2cb0e4c5ecc09a
  swanctl: Add 'private' directory/section to load any type of private key

Signed-off-by: Liu Qun (liuqun) <>
21 months agoREADME: Fix typo in pki --req example
刘群 [Mon, 12 Feb 2018 02:23:16 +0000 (10:23 +0800)]
README: Fix typo in pki --req example

Fix up one typo mistake in the example of "Generating a Host or User End
Entity Certificate"

Signed-off-by: Liu Qun (liuqun) <>
21 months agoMerge branch 'mobike-nat'
Tobias Brunner [Fri, 9 Feb 2018 14:54:36 +0000 (15:54 +0100)]
Merge branch 'mobike-nat'

These changes improve MOBIKE task queuing. In particular we don't
want to ignore the response to an update (with NAT-D payloads) if only
an address list update or DPD is queued as that could prevent use from
updating the UDP encapsulation in the kernel.

A new optional roam trigger is added to the kernel-netlink plugin based
on routing rule changes.  This only works properly, though, if the kernel
based route lookup is used as the kernel-netlink plugin does currently
not consider routing rules for its own route lookup.

Another change prevents acquires during address updates if we have to
update IPsec SAs by deleting and readding them.  Because the outbound policy
is still installed an acquire and temporary SA might get triggered in
the short time no IPsec SA is installed, which could subsequently prevent the
reinstallation of the SA.  To this end we install drop policies before
updating the policies and SAs.  These also replace the fallback drop policies
we previously used to prevent plaintext leaks during policy updates (which
reduces the overhead in cases where addresses never or rarely change as
additional policies will only have to be tracked during address updates).

Fixes #2518.

21 months agoike-mobike: Don't trigger update for NAT mapping change detected during an address...
Tobias Brunner [Fri, 9 Feb 2018 07:48:07 +0000 (08:48 +0100)]
ike-mobike: Don't trigger update for NAT mapping change detected during an address update

This is really only needed for other exchanges like DPDs not when we
just updated the addresses. The NAT-D payloads are only used here to
detect whether UDP encapsulation has to be enabled/disabled.

21 months agochild-sa: Install drop policies while updating IPsec SAs and policies
Tobias Brunner [Tue, 6 Feb 2018 17:07:34 +0000 (18:07 +0100)]
child-sa: Install drop policies while updating IPsec SAs and policies

If we have to remove and reinstall SAs for address updates (as with the
Linux kernel) there is a short time where there is no SA installed.  If
we keep the policies installed they (or any traps) might cause acquires
and temporary kernel states that could prevent the updated SA from
getting installed again.

This replaces the previous workaround to avoid plaintext traffic leaks
during policy updates, which used low-priority drop policies.

21 months agokernel-netlink: Optionally trigger roam events on routing rule changes
Tobias Brunner [Mon, 29 Jan 2018 14:26:17 +0000 (15:26 +0100)]
kernel-netlink: Optionally trigger roam events on routing rule changes

This can be useful if routing rules (instead of e.g. route metrics) are used
to switch from one to another interface (i.e. from one to another
routing table).  Since we currently don't evaluate routing rules when
doing the route lookup this is only useful if the kernel-based route
lookup is used.

Resolves strongswan/strongswan#88.

21 months agoike-sa: Remove unused counter for pending MOBIKE updates
Tobias Brunner [Mon, 29 Jan 2018 13:30:35 +0000 (14:30 +0100)]
ike-sa: Remove unused counter for pending MOBIKE updates

21 months agoike-mobike: Only ignore MOBIKE responses if an actual update is queued
Tobias Brunner [Mon, 29 Jan 2018 11:34:33 +0000 (12:34 +0100)]
ike-mobike: Only ignore MOBIKE responses if an actual update is queued

The counter does not tell us what task is actually queued, so we might
ignore the response to an update (with NAT-D payloads) if only an address
update is queued.

21 months agoikev2: Update currently queued MOBIKE task
Tobias Brunner [Mon, 29 Jan 2018 10:49:50 +0000 (11:49 +0100)]
ikev2: Update currently queued MOBIKE task

Instead of destroying the new task and keeping the existing one we
update any already queued task, so we don't loose any work (e.g. if a
DPD task is active and address update is queued and we'd actually like
to queue a roam task).

21 months agoike-mobike: Don't reset address update flag if set previously
Tobias Brunner [Mon, 29 Jan 2018 10:44:36 +0000 (11:44 +0100)]
ike-mobike: Don't reset address update flag if set previously

If we update a queued job we don't want to reset previously set task

21 months agoike: Add log message if host moves out of NAT
Tobias Brunner [Fri, 26 Jan 2018 13:03:33 +0000 (14:03 +0100)]
ike: Add log message if host moves out of NAT

21 months agotesting: Add ikev2/mobike-virtual-ip-nat scenario
Tobias Brunner [Fri, 26 Jan 2018 12:50:04 +0000 (13:50 +0100)]
testing: Add ikev2/mobike-virtual-ip-nat scenario

This tests moving from a public IP behind a NAT and back (with proper
changes of the UDP encapsulation).

21 months agoikev1: Properly handle fragmented Quick Mode messages
Tobias Brunner [Tue, 30 Jan 2018 10:33:15 +0000 (11:33 +0100)]
ikev1: Properly handle fragmented Quick Mode messages

21 months agolibradius: Pad received MSK to at least 64 bytes
Tobias Brunner [Fri, 26 Jan 2018 08:51:07 +0000 (09:51 +0100)]
libradius: Pad received MSK to at least 64 bytes

According to RFC 3748 MSKs must be at least 64 bytes, however, that's
not the case for the MSK derived via EAP-MSCHAPv2.  The two key parts
received are only 16 bytes each (derived according to RFC 3079,
section 3.3), so we end up with an MSK of only 32 bytes. The eap-mschapv2
plugin, on the other hand, pads these two parts with 32 zeros.

Interestingly, this is not a problem in many cases as the SHA1/2 based
PRFs used later use a block size that's >= 64 bytes, so the shorter MSK
is just padded with zeros then.  However, with AES-XCBC-PRF-128, for
instance, which uses a block size of 16 bytes, the different MSKs are an
issue as XCBC is applied to both to shorten them, with different results.
This eventually causes the authentication to fail if the client uses a
zero-padded MSK produced by the eap-mschapv2 plugin and the server the 32
byte MSK received via RADIUS.

21 months agoman: Fix documentation of pubkey constraints
Tobias Brunner [Tue, 23 Jan 2018 10:35:03 +0000 (11:35 +0100)]
man: Fix documentation of pubkey constraints

Hash algorithms have to be repeated for multiple key types.

References #2514.

21 months agoMerge branch 'dh-group-rekey'
Tobias Brunner [Fri, 9 Feb 2018 09:28:44 +0000 (10:28 +0100)]
Merge branch 'dh-group-rekey'

These changes improve rekeying after the peer initially selected a
different DH group than we proposed.  Instead of using the configured DH
group again, and causing another INVALID_KE_PAYLOAD notify, we now reuse
the previously negotiated group.  We also send the selected DH group
first in the proposals (and move proposals that don't contain the group
to the back) so that implementations that select the proposal first and
without consulting the KE payload (e.g. strongSwan when preferring the
client's proposals) will see the preferred group first.

Fixes #2526.

21 months agochild-create: Promote selected DH group, demote proposals that don't contain it
Tobias Brunner [Fri, 2 Feb 2018 11:04:18 +0000 (12:04 +0100)]
child-create: Promote selected DH group, demote proposals that don't contain it

21 months agoike-init: Promote selected DH group and demote proposals that don't contain it
Tobias Brunner [Fri, 2 Feb 2018 10:49:18 +0000 (11:49 +0100)]
ike-init: Promote selected DH group and demote proposals that don't contain it

21 months agoproposal: Add method to move a given DH group to the front
Tobias Brunner [Fri, 2 Feb 2018 10:32:39 +0000 (11:32 +0100)]
proposal: Add method to move a given DH group to the front

This way a responder (like strongSwan) selecting a proposal first and
then checking if the KE payload matches sees the peer's preferred group

21 months agounit-tests: Make sure we reuse the DH group during CHILD_SA rekeying
Tobias Brunner [Fri, 2 Feb 2018 10:11:38 +0000 (11:11 +0100)]
unit-tests: Make sure we reuse the DH group during CHILD_SA rekeying

21 months agoike-init: Make DH group reuse optional to test INVALID_KE_PAYLOAD handling
Tobias Brunner [Fri, 2 Feb 2018 09:59:25 +0000 (10:59 +0100)]
ike-init: Make DH group reuse optional to test INVALID_KE_PAYLOAD handling

This is currently not an issue for CHILD_SA rekeying tests as these only
check rekeyings of the CHILD_SA created with the IKE_SA, i.e. there is
no previous DH group to reuse.

21 months agochild-rekey: Use previously negotiated DH group when rekeying CHILD_SAs
Tobias Brunner [Fri, 2 Feb 2018 09:48:21 +0000 (10:48 +0100)]
child-rekey: Use previously negotiated DH group when rekeying CHILD_SAs

For the CHILD_SA created with the IKE_SA the group won't be set in the
proposal, so we will use the first one configure just as if the SA was
created new with a CREATE_CHILD_SA exchange.  I guess we could
theoretically try to use the DH group negotiated for IKE but then this
would get a lot more complicated as we'd have to check if that group is
actually contained in any of the CHILD_SA's configured proposals.

21 months agochild-create: Add an option to set the DH group to be used
Tobias Brunner [Fri, 2 Feb 2018 09:43:17 +0000 (10:43 +0100)]
child-create: Add an option to set the DH group to be used

21 months agoike-init: Reuse the DH group of the previous IKE_SA when rekeying
Tobias Brunner [Fri, 2 Feb 2018 09:29:35 +0000 (10:29 +0100)]
ike-init: Reuse the DH group of the previous IKE_SA when rekeying

21 months agoike-init: Move creation of DH instance after INVALID_KE_PAYLOAD to build_i()
Tobias Brunner [Fri, 2 Feb 2018 09:26:36 +0000 (10:26 +0100)]
ike-init: Move creation of DH instance after INVALID_KE_PAYLOAD to build_i()

This way we get proper error handling if the DH group the peer requested
is not actually supported for some reason (otherwise we'd just retry to
initiate with the configured group and get back another notify).

21 months agochild-cfg: Strip DH groups from both compared proposals
Tobias Brunner [Mon, 22 Jan 2018 13:33:40 +0000 (14:33 +0100)]
child-cfg: Strip DH groups from both compared proposals

This fixes two issues, one is a bug if a DH group is configured for the
local ESP proposals and charon.prefer_configured_proposals is disabled.
This would cause the DH groups to get stripped not from the configured but
from the supplied proposal, which usually already has them stripped.  So
the proposals wouldn't match.  We'd have to always strip them from the local
proposal.  Since there are apparently implementations that, incorrectly, don't
remove the DH groups in the IKE_AUTH exchange (e.g. WatchGuard XTM25
appliances) we just strip them from both proposals.  It's a bit more lenient
that way and we don't have to complicate the code to only clone and strip the
local proposal, which would depend on a flag.

References #2503.

21 months agoike: Don't handle roam events if no IKE config is available
Tobias Brunner [Wed, 20 Dec 2017 11:32:52 +0000 (12:32 +0100)]
ike: Don't handle roam events if no IKE config is available

IKE_SAs newly created via HA_IKE_ADD message don't have any IKE or peer
config assigned yet (this happens later with an HA_IKE_UPDATE message).
And because the state is initially set to IKE_CONNECTING the roam() method
does not immediately return, as it later would for passive HA SAs. This
might cause the check for explicitly configured local addresses to crash
the daemon with a segmentation fault.

Fixes #2500.

21 months agocharon-tkm: Update to latest Anet version
Adrian-Ken Rueegsegger [Tue, 6 Feb 2018 17:46:27 +0000 (18:46 +0100)]
charon-tkm: Update to latest Anet version

21 months agoandroid: New release after changing cert sending policy
Tobias Brunner [Thu, 8 Feb 2018 11:26:11 +0000 (12:26 +0100)]
android: New release after changing cert sending policy

21 months agoandroid: Always send the client certificate
Tobias Brunner [Thu, 8 Feb 2018 11:15:36 +0000 (12:15 +0100)]
android: Always send the client certificate

In scenarios where the server accepts client certificates from dozens or
even hundreds of CAs it might be necessary to omit certificate request
payloads from the IKE_SA_INIT response to avoid fragmentation.

As it is rarely the case in road-warrior scenarios that the server
already has the client certificate installed it should not be a problem
to always send it.

21 months agoauth-cfg: Classify key strengths as multi value rules
Tobias Brunner [Tue, 23 Jan 2018 11:01:02 +0000 (12:01 +0100)]
auth-cfg: Classify key strengths as multi value rules

If that's not the case only the last value added would be considered
not all the keys of a trust chain.

Fixes #2515.

21 months agocharon-nm: Remove unused variable
Tobias Brunner [Mon, 5 Feb 2018 14:11:03 +0000 (15:11 +0100)]
charon-nm: Remove unused variable

22 months agoVersion bump to 5.6.2dr4 5.6.2dr4
Andreas Steffen [Sat, 3 Feb 2018 10:05:21 +0000 (11:05 +0100)]
Version bump to 5.6.2dr4

22 months agotesting: Ignore IP-in-IP SAs created with IPComp SAs that remain in the kernel
Tobias Brunner [Thu, 1 Feb 2018 16:10:19 +0000 (17:10 +0100)]
testing: Ignore IP-in-IP SAs created with IPComp SAs that remain in the kernel

The kernel creates such SAs to handle uncompressed small packets.  They
are implicitly created and deleted with IPComp SAs.  The problem is that
when we delete an IPComp SA only that state is deleted and removed from
the SA lists immediately, the IP-in-IP state is not removed until the IPComp
state is eventually destroyed.  This could take a while if there are still
references to it around.  So the IP-in-IP states will keep getting reported
by ip xfrm state until that happens (we also can't flush or explicitly delete
such kernel-created states).

In kernels before 4.14 this wasn't really a problem but since
ec30d78c14a8 ("xfrm: add xdst pcpu cache") the kernel seems to keep the
references to the last used SAs around a lot longer.

Also, usually a test scenario following an IPComp scenario will create
and use new SAs and thus the cached SAs will disappear before the kernel
state is checked again.  However, if a following scenario uses different
hosts the states might remain, which caused some unrelated scenarios to
fail before adding this fix.

22 months agotesting: Added Linux 4.14 and 4.15 config files
Andreas Steffen [Wed, 31 Jan 2018 20:32:45 +0000 (21:32 +0100)]
testing: Added Linux 4.14 and 4.15 config files

22 months agogmp: Fix compatibility with older libgmp releases
Tobias Brunner [Tue, 23 Jan 2018 08:51:52 +0000 (09:51 +0100)]
gmp: Fix compatibility with older libgmp releases

Older releases don't have mpz_powm_sec() and mpz_inits() yet.

Fixes #2505.

22 months agorevocation: Skip any zero bytes when comparing serials in CRLs
Tobias Brunner [Wed, 24 Jan 2018 13:42:28 +0000 (14:42 +0100)]
revocation: Skip any zero bytes when comparing serials in CRLs

Depending on the plugins that eventually parse the certificate and CRL,
serials with MSB set (i.e. negative numbers that have a zero byte prefixed
when encoded as ASN.1 INTEGER) might have (x509 plugin) or not have
(openssl plugin) a zero byte prefix when returned by get_serial() or
enumerated from the CRL.  Strip them before doing the comparison or
revocation checking might fail if not both credentials are parsed by the
same plugin (which should be rare and only happen if parsing of either
cert or CRL fails with one of the plugins and there is a fallback to the
implementation provided by the other plugin).

Fixes #2509.

22 months agoeap: Reset errno before calling strtoul() to parse EAP type
Reinhard Pfau [Tue, 23 Jan 2018 09:09:14 +0000 (10:09 +0100)]
eap: Reset errno before calling strtoul() to parse EAP type

Reset errno to 0 before calling strtoul() since it sets errno only on
error cases. So the following test fails even on correct conversions if
errno had a value != 0.

Fixes #2506.

22 months agolibtpmtss: Return after failure
Andreas Steffen [Tue, 9 Jan 2018 15:12:40 +0000 (16:12 +0100)]
libtpmtss: Return after failure

23 months agotravis: Disable NM build until we run on a newer image that provides libnm
Tobias Brunner [Fri, 22 Dec 2017 09:41:12 +0000 (10:41 +0100)]
travis: Disable NM build until we run on a newer image that provides libnm

Ubuntu 16.04 (xenial) might soon be available but it's not yet supported

23 months agoikev1: Default remote identity to %any for PSK lookup if not configured
Tobias Brunner [Wed, 20 Dec 2017 09:28:31 +0000 (10:28 +0100)]
ikev1: Default remote identity to %any for PSK lookup if not configured

Otherwise, the remote identity is ignored when matching owner identities
of PSKs and this way matching PSKs that explicitly have %any assigned is

Fixes #2497.

23 months agostroke: Don't ignore %any as owner of shared secrets
Tobias Brunner [Wed, 20 Dec 2017 09:13:39 +0000 (10:13 +0100)]
stroke: Don't ignore %any as owner of shared secrets

If users want to associate secrets with any identity, let 'em. This is
also possible with vici and might help if e.g. the remote identity is
actually %any as that would match a PSK with local IP and %any better
than one with local and different remote IP.

Fixes #2497.

23 months agokernel-netlink: Fix compilation on old kernels not defining IFA_F_NODAD
Tobias Brunner [Mon, 11 Dec 2017 09:35:30 +0000 (10:35 +0100)]
kernel-netlink: Fix compilation on old kernels not defining IFA_F_NODAD

Fixes #2490.

23 months agoMerge branch 'testing-route-based'
Tobias Brunner [Fri, 22 Dec 2017 09:23:46 +0000 (10:23 +0100)]
Merge branch 'testing-route-based'

This adds several route-based VPN scenarios (using VTI or GRE interfaces).

It also fixes several swanctl --list-sas checks in other scenarios.

Closes strongswan/strongswan#84.

23 months agotesting: Fix swanctl --list-sas checks in some scenarios
Tobias Brunner [Wed, 6 Dec 2017 11:57:06 +0000 (12:57 +0100)]
testing: Fix swanctl --list-sas checks in some scenarios

::YES was missing (or written as ::YES]) rendering those checks void.
Turns out some of them actually were wrong.

23 months agotesting: Add route-based/net2net-gre scenario
Tobias Brunner [Wed, 6 Dec 2017 11:54:35 +0000 (12:54 +0100)]
testing: Add route-based/net2net-gre scenario

23 months agotesting: Enable GRE support in 4.13 config
Tobias Brunner [Wed, 6 Dec 2017 11:14:11 +0000 (12:14 +0100)]
testing: Enable GRE support in 4.13 config

Also enables IPv6 support for VTI devices.

23 months agotesting: Add route-based/net2net-vti scenario
Robin McCorkell [Sun, 3 Dec 2017 13:42:57 +0000 (13:42 +0000)]
testing: Add route-based/net2net-vti scenario

23 months agotesting: Added route-based/rw-shared-vti-ip6-in-ip4 scenario
Robin McCorkell [Wed, 29 Nov 2017 12:39:24 +0000 (12:39 +0000)]
testing: Added route-based/rw-shared-vti-ip6-in-ip4 scenario

23 months agotesting: Added route-based/rw-shared-vti scenario
Robin McCorkell [Wed, 29 Nov 2017 11:55:49 +0000 (11:55 +0000)]
testing: Added route-based/rw-shared-vti scenario

23 months agotesting: Enable VTI module in kernel config
Robin McCorkell [Wed, 29 Nov 2017 11:31:13 +0000 (11:31 +0000)]
testing: Enable VTI module in kernel config

23 months agotesting: Override user environment PATH in chroot
Robin McCorkell [Mon, 27 Nov 2017 16:46:22 +0000 (16:46 +0000)]
testing: Override user environment PATH in chroot

chroot will capture the user environment's PATH variable, which may be
wrong (e.g. not include /bin:/sbin, as it is on Arch). We should set a
known-working PATH variable in the chroot.

23 months agokernel-pfkey: Fix extended replay configuration on FreeBSD 11.1
Tobias Brunner [Mon, 4 Dec 2017 09:01:14 +0000 (10:01 +0100)]
kernel-pfkey: Fix extended replay configuration on FreeBSD 11.1

Fixes: 88a8fba1c76e ("kernel-pfkey: Support anti-replay windows > 2k")
Fixes #2501.

23 months agoswanctl: Allow dots in authority/shared secret/pool names
Tobias Brunner [Thu, 30 Nov 2017 08:09:39 +0000 (09:09 +0100)]
swanctl: Allow dots in authority/shared secret/pool names

Use argument evaluation provided by settings_t instead of using strings
to enumerate key/values.

If section names contain dots the latter causes the names to get split
and interpreted as non-existing sections and subsections.

This currently doesn't work for connections and their subsections due to
the recursion.

23 months agovici: Document NTLM secrets in
Tobias Brunner [Wed, 29 Nov 2017 13:33:21 +0000 (14:33 +0100)]
vici: Document NTLM secrets in

Fixes #2481.

23 months agovici: Accept XAUTH as shared key type too
Tobias Brunner [Wed, 29 Nov 2017 13:21:56 +0000 (14:21 +0100)]
vici: Accept XAUTH as shared key type too

Fixes #2481.

23 months agocharon-nm: Port to libnm
Lubomir Rintel [Thu, 30 Nov 2017 12:02:02 +0000 (13:02 +0100)]
charon-nm: Port to libnm

libnm-glib is deprecated for several years and reaching the end of its
life. Let's switch to the more up-to-date library.

Closes strongswan/strongswan#85.

23 months agotravis: Disable warning that causes a false positive in Xcode 8.3+
Tobias Brunner [Fri, 8 Dec 2017 08:59:13 +0000 (09:59 +0100)]
travis: Disable warning that causes a false positive in Xcode 8.3+

Xcode 8.3, to which there recently was a switch, spits out a warning for
the potentially unaligned access to ip6_plen in ip-packet.c, which we
explicitly read via untoh16() hence the access to that pointer is not
actually unaligned.  It seems the compiler is not able to determine that
there is no unaligned access even though the function is defined in the
header and marked inline.

23 months agoVersion bump to 5.6.2dr3 5.6.2dr3
Andreas Steffen [Wed, 13 Dec 2017 07:54:54 +0000 (08:54 +0100)]
Version bump to 5.6.2dr3

23 months agotpm_extendpcr: Extend digests into a TPM PCR
Andreas Steffen [Tue, 12 Dec 2017 16:42:08 +0000 (17:42 +0100)]
tpm_extendpcr: Extend digests into a TPM PCR