strongswan.git
3 months agotesting: Extended swanctl/rw-qske-l1 scenario ikev2-qske-notify
Andreas Steffen [Mon, 29 Oct 2018 11:34:26 +0000 (12:34 +0100)]
testing: Extended swanctl/rw-qske-l1 scenario

3 months agowip
Tobias Brunner [Mon, 23 Jul 2018 16:14:28 +0000 (18:14 +0200)]
wip

3 months agowip: unit-tests: Add QSKE exchange tests
Tobias Brunner [Mon, 16 Jul 2018 13:50:56 +0000 (15:50 +0200)]
wip: unit-tests: Add QSKE exchange tests

3 months agounit-tests: Add mock QSKE implementation
Tobias Brunner [Mon, 16 Jul 2018 13:50:09 +0000 (15:50 +0200)]
unit-tests: Add mock QSKE implementation

3 months agoike-sa-manager: Log SPIs when checking in an IKE_SA
Tobias Brunner [Mon, 16 Jul 2018 13:48:30 +0000 (15:48 +0200)]
ike-sa-manager: Log SPIs when checking in an IKE_SA

3 months agowip: CHILD_SA rekey and creation testing
Tobias Brunner [Fri, 13 Jul 2018 16:45:53 +0000 (18:45 +0200)]
wip: CHILD_SA rekey and creation testing

3 months agoikev2: Use hashes to detect retransmits
Tobias Brunner [Mon, 23 Jul 2018 15:49:15 +0000 (17:49 +0200)]
ikev2: Use hashes to detect retransmits

We avoid parsing messages with unexpected message IDs.  This allows us to
process and detect retransmits of messages for which we don't have the keys
anymore (i.e. IKE_AUX after IKE_SA_INIT and changing the keys).

This also changes how retransmits for fragmented messages are triggered,
previously we waited for all fragments and reconstructed the message
before retransmitting the response.  Now we only track the first
fragment and if we receive a retransmit of it respond immediately
without waiting for other fragments (which are now ignored).  This is in
compliance with RFC 7383, section 2.6.1.

3 months agochild-create: Change how DH group/QSKE mechanism is determined
Tobias Brunner [Fri, 20 Jul 2018 15:44:14 +0000 (17:44 +0200)]
child-create: Change how DH group/QSKE mechanism is determined

Either reuse algorithms previously used (rekeying) or use the IKE_SA's
proposal to determine a preferred group/mechanism.

3 months agochild-cfg: Add method to check if an algorithm is proposed
Tobias Brunner [Fri, 20 Jul 2018 15:43:24 +0000 (17:43 +0200)]
child-cfg: Add method to check if an algorithm is proposed

3 months agounit-tests: Fix CHILD_SA rekey tests after INVALID_KE_PAYLOAD handling changes
Tobias Brunner [Fri, 20 Jul 2018 12:12:48 +0000 (14:12 +0200)]
unit-tests: Fix CHILD_SA rekey tests after INVALID_KE_PAYLOAD handling changes

The responder doesn't create a CHILD_SA and allocate an SPI anymore
when responding with an INVALID_KE_PAYLOAD notify.

3 months agowip: child-create: Prototypical support for QSKE mechanisms
Tobias Brunner [Fri, 13 Jul 2018 14:07:43 +0000 (16:07 +0200)]
wip: child-create: Prototypical support for QSKE mechanisms

wip: For some errors a more specific notify might be preferable (e.g.
INVALID_SYNTAX if a QSKE payload is missing or an exchange other than
IKE_AUX follows CREATE_CHILD_SA if a QSKE mechanism was negotiated).

3 months agooqs: Allow different paths to generate/encapsulate the shared secret
Tobias Brunner [Fri, 20 Jul 2018 14:02:19 +0000 (16:02 +0200)]
oqs: Allow different paths to generate/encapsulate the shared secret

This way we don't have to generate the QSKE payload before we can query
the shared secret.

3 months agokeymat_v2: Add optional qske_t argument to derive_child_keys()
Tobias Brunner [Fri, 13 Jul 2018 13:31:34 +0000 (15:31 +0200)]
keymat_v2: Add optional qske_t argument to derive_child_keys()

3 months agochild-cfg: Generalize get_dh_group() method
Tobias Brunner [Fri, 20 Jul 2018 09:11:00 +0000 (11:11 +0200)]
child-cfg: Generalize get_dh_group() method

3 months agochild-cfg: Strip QSKE mechanisms from ESP proposal when we strip DH groups
Tobias Brunner [Mon, 9 Jul 2018 14:59:05 +0000 (16:59 +0200)]
child-cfg: Strip QSKE mechanisms from ESP proposal when we strip DH groups

3 months agowip: keymat_v2: Cache initial IKE messages for auth octets
Tobias Brunner [Tue, 10 Jul 2018 14:26:58 +0000 (16:26 +0200)]
wip: keymat_v2: Cache initial IKE messages for auth octets

This avoids pre-generating the message to be sent and supports fragments
as used for IKE_AUX.

In scenarios with IKE_AUX this basically changes the auth octets as follows:

  InitiatorSignedOctets = RealMessage1(INIT) | RealMessage3(AUX) | ...
                          NonceRData | MACedIDForI

and

  ResponderSignedOctets = RealMessage2(INIT) | RealMessage4(AUX) | ...
                          NonceIData | MACedIDForR

wip: Since this requires keeping around quite some data, alternatives would
be to hash the message (with some negotiated or fixed hash function) or
applying the PRF (if it is QC-safe, e.g. with a zero key or the ones we
derived from DH).

3 months agotesting: Added swanctl/rw-qske-l1 and swanctl/rw-qske-l5 scenarios
Andreas Steffen [Mon, 18 Jun 2018 22:06:35 +0000 (00:06 +0200)]
testing: Added swanctl/rw-qske-l1 and swanctl/rw-qske-l5 scenarios

3 months agoike-rekey: Reset IKE_SA after processing CREATE_CHILD_SA request
Tobias Brunner [Tue, 10 Jul 2018 12:36:28 +0000 (14:36 +0200)]
ike-rekey: Reset IKE_SA after processing CREATE_CHILD_SA request

This probably didn't cause any problems, as there wasn't really anything
happening between the calls, but reset it anyway, just to be safe.

3 months agowip: ike-init: Prototypical (optional) IKE_AUX exchange for QSKE mechanisms
Tobias Brunner [Mon, 25 Jun 2018 15:19:39 +0000 (17:19 +0200)]
wip: ike-init: Prototypical (optional) IKE_AUX exchange for QSKE mechanisms

The QSKE payloads are, by default, exchanged in a separate IKE_AUX exchange
after IKE_SA_INIT to leverage IKEv2 fragmentation.  It would be possible
to do that directly in IKE_SA_INIT (DH is currently not optional, though).

Rekeying is always done with a single CREATE_CHILD_SA exchange (again,
DH is currently not optional).

The key material is derived by concatenating the DH and QSKE secrets.

wip: DH could theoretically be made optional if QSKE is used (only during
rekeying, or when not using IKE_AUX also during IKE_SA_INIT)

wip: HA and the ike_keys() hook on listener_t currently handle only
classic key derivation.

wip: Retransmits of IKE_AUX requests will fail after changing the keys?
We either have to keep the old keys around, or use hashes to detect
retransmits (tricky with fragments, unless we retransmit the message
even if we receive the retransmit of just one fragment).

3 months agonotify-payload: Add INVALID_QSKE_PAYLOAD notify type
Tobias Brunner [Thu, 19 Jul 2018 10:08:19 +0000 (12:08 +0200)]
notify-payload: Add INVALID_QSKE_PAYLOAD notify type

3 months agoike-cfg: Generalize get_dh_group() method
Tobias Brunner [Thu, 19 Jul 2018 14:53:01 +0000 (16:53 +0200)]
ike-cfg: Generalize get_dh_group() method

3 months agoproposal: Generalize DH methods
Tobias Brunner [Mon, 9 Jul 2018 14:27:04 +0000 (16:27 +0200)]
proposal: Generalize DH methods

3 months agokeymat_v2: Add optional qske_t argument to derive_ike_keys()
Tobias Brunner [Thu, 28 Jun 2018 09:40:49 +0000 (11:40 +0200)]
keymat_v2: Add optional qske_t argument to derive_ike_keys()

If given, its shared secret is appended to the secret provided by the
diffie_hellman_t implementation.

3 months agokeymat_v2: Proper cleanup if derive_ike_keys() is called multiple times
Tobias Brunner [Thu, 28 Jun 2018 13:33:35 +0000 (15:33 +0200)]
keymat_v2: Proper cleanup if derive_ike_keys() is called multiple times

3 months agokeymat_v2: Add method to create QSKE implementation
Tobias Brunner [Thu, 28 Jun 2018 09:38:54 +0000 (11:38 +0200)]
keymat_v2: Add method to create QSKE implementation

3 months agoikev2: Allow tasks to do work after generating requests/responses
Tobias Brunner [Thu, 28 Jun 2018 08:44:40 +0000 (10:44 +0200)]
ikev2: Allow tasks to do work after generating requests/responses

3 months agotask: Add optional post_build() method
Tobias Brunner [Thu, 28 Jun 2018 08:44:03 +0000 (10:44 +0200)]
task: Add optional post_build() method

This will allow tasks to do some work after the message has been
generated.

3 months agounit-tests: Use a simple default IKE proposal to avoid issues with IKE_AUX
Tobias Brunner [Tue, 26 Jun 2018 08:13:05 +0000 (10:13 +0200)]
unit-tests: Use a simple default IKE proposal to avoid issues with IKE_AUX

The exchange tests don't expect an IKE_AUX exchange so we don't want any
QSKE methods getting negotiated (in case they are proposed in the default
proposal).

3 months agoike-auth: Support IKE_AUX exchange between IKE_SA_INIT and IKE_AUTH
Tobias Brunner [Mon, 25 Jun 2018 12:27:16 +0000 (14:27 +0200)]
ike-auth: Support IKE_AUX exchange between IKE_SA_INIT and IKE_AUTH

3 months agochild-create: Support IKE_AUX exchange between IKE_SA_INIT and IKE_AUTH
Tobias Brunner [Mon, 25 Jun 2018 12:14:59 +0000 (14:14 +0200)]
child-create: Support IKE_AUX exchange between IKE_SA_INIT and IKE_AUTH

Handling of IKE_AUX when creating new CHILD_SAs or rekeying is not yet
implemented.

3 months agoike-mobike: Support IKE_AUX exchange between IKE_SA_INIT and IKE_AUTH
Tobias Brunner [Mon, 25 Jun 2018 12:03:56 +0000 (14:03 +0200)]
ike-mobike: Support IKE_AUX exchange between IKE_SA_INIT and IKE_AUTH

This changes the MID of the first IKE_AUTH message.

3 months agoike-config: Support IKE_AUX exchange between IKE_SA_INIT and IKE_AUTH
Tobias Brunner [Mon, 25 Jun 2018 10:32:27 +0000 (12:32 +0200)]
ike-config: Support IKE_AUX exchange between IKE_SA_INIT and IKE_AUTH

This changes the MID of the first IKE_AUTH message.

3 months agoike-cert-post: Make absolutely sure certificates are only added to IKE_AUTH
Tobias Brunner [Mon, 25 Jun 2018 10:23:50 +0000 (12:23 +0200)]
ike-cert-post: Make absolutely sure certificates are only added to IKE_AUTH

The AUTH payload check should be fine, but add some extra checks just to make
really sure and also for clarification.

3 months agoike-cert-pre: Support IKE_AUX exchange between IKE_SA_INIT and IKE_AUTH
Tobias Brunner [Mon, 25 Jun 2018 10:07:50 +0000 (12:07 +0200)]
ike-cert-pre: Support IKE_AUX exchange between IKE_SA_INIT and IKE_AUTH

The first IKE_AUTH does not have MID 1 if that's the case.

3 months agostatus: Add return_need_more() utility function
Tobias Brunner [Fri, 13 Jul 2018 12:52:05 +0000 (14:52 +0200)]
status: Add return_need_more() utility function

3 months agotest-vectors: Added QSKE vectors
Andreas Steffen [Tue, 10 Jul 2018 07:31:26 +0000 (09:31 +0200)]
test-vectors: Added QSKE vectors

3 months agoscripts: nist-kam-kat generates KEM KAT test data
Andreas Steffen [Fri, 6 Jul 2018 06:06:16 +0000 (08:06 +0200)]
scripts: nist-kam-kat generates KEM KAT test data

The script converts the Known-Answers-Test data (KAT) for the NIST
post-quantum round 1 submission Key Encapsulation Mechanism (KEM)
candidates into a C struct amenable for our unit-tests.

3 months agounit-tests: Tests for oqs plugin
Andreas Steffen [Wed, 4 Jul 2018 17:15:41 +0000 (19:15 +0200)]
unit-tests: Tests for oqs plugin

3 months agounit-tests: Fixed newhope plugin test
Andreas Steffen [Wed, 4 Jul 2018 17:12:19 +0000 (19:12 +0200)]
unit-tests: Fixed newhope plugin test

3 months agooqs: Created QSKE plugin based on OQS library
Andreas Steffen [Wed, 27 Jun 2018 11:22:58 +0000 (13:22 +0200)]
oqs: Created QSKE plugin based on OQS library

3 months agoqske-newhope: Created NewHope QSKE plugin
Andreas Steffen [Wed, 20 Jun 2018 12:51:07 +0000 (14:51 +0200)]
qske-newhope: Created NewHope QSKE plugin

3 months agostroke: Support for QSKE mechanisms
Andreas Steffen [Thu, 21 Jun 2018 08:23:52 +0000 (10:23 +0200)]
stroke: Support for QSKE mechanisms

3 months agoswanctl: Support for QSKE mechanisms
Andreas Steffen [Mon, 18 Jun 2018 22:30:11 +0000 (00:30 +0200)]
swanctl: Support for QSKE mechanisms

3 months agovici: Support for QSKE mechanisms
Andreas Steffen [Mon, 18 Jun 2018 22:29:39 +0000 (00:29 +0200)]
vici: Support for QSKE mechanisms

3 months agoencoding: Transport of QSKE payload via IKE_AUX
Andreas Steffen [Mon, 18 Jun 2018 15:48:04 +0000 (17:48 +0200)]
encoding: Transport of QSKE payload via IKE_AUX

3 months agocrypto: Support for QSKE mechanisms
Andreas Steffen [Mon, 18 Jun 2018 15:43:11 +0000 (17:43 +0200)]
crypto: Support for QSKE mechanisms

A new transform type for Quantum-Safe Key Encapsulation (QSKE)
mechanisms is defined.

3 months agonm: Version bump to 1.4.5
Tobias Brunner [Tue, 14 May 2019 08:38:12 +0000 (10:38 +0200)]
nm: Version bump to 1.4.5

3 months agoVersion bump to 5.8.0rc1 5.8.0rc1
Andreas Steffen [Fri, 10 May 2019 10:55:48 +0000 (12:55 +0200)]
Version bump to 5.8.0rc1

3 months agotesting: Use strongswan systemd service
Andreas Steffen [Fri, 10 May 2019 10:55:09 +0000 (12:55 +0200)]
testing: Use strongswan systemd service

3 months agotesting: Load PEM keys in ikev2/net2-net-rsa scenario
Andreas Steffen [Fri, 10 May 2019 10:54:28 +0000 (12:54 +0200)]
testing: Load PEM keys in ikev2/net2-net-rsa scenario

3 months agotesting: Copy keys and certs to swanctl/rw-newhope-bliss scenario
Andreas Steffen [Fri, 10 May 2019 10:53:33 +0000 (12:53 +0200)]
testing: Copy keys and certs to swanctl/rw-newhope-bliss scenario

3 months agokeymat_v1: Avoid memory leak during IKE key derivation in some error cases
SophieK [Thu, 9 May 2019 07:20:30 +0000 (15:20 +0800)]
keymat_v1: Avoid memory leak during IKE key derivation in some error cases

Closes strongswan/strongswan#138.

3 months agoMerge branch 'build-certs'
Tobias Brunner [Wed, 8 May 2019 12:57:03 +0000 (14:57 +0200)]
Merge branch 'build-certs'

Adds a script to generate the keys and certificates used for regression
tests dynamically.  They are built with the pki version installed in the
root image so it's not necessary to have an up-to-date version with all
required plugins installed on the host system.

3 months agotesting: Return an error if any command in the certificate build script fails
Tobias Brunner [Wed, 8 May 2019 12:36:27 +0000 (14:36 +0200)]
testing: Return an error if any command in the certificate build script fails

3 months agotesting: Build certificates before guests after building strongSwan
Tobias Brunner [Tue, 7 May 2019 17:21:21 +0000 (19:21 +0200)]
testing: Build certificates before guests after building strongSwan

If the script is run on a clean working copy, building the guests will
fail if the certificates don't exist.

3 months agotesting: Automatically build guest images after generating certificates
Tobias Brunner [Tue, 7 May 2019 17:20:04 +0000 (19:20 +0200)]
testing: Automatically build guest images after generating certificates

This (re-)generates the CRLs on winnetou.

3 months agotesting: Use custom plugin configuration to build SHA-3 CA
Tobias Brunner [Tue, 7 May 2019 17:07:51 +0000 (19:07 +0200)]
testing: Use custom plugin configuration to build SHA-3 CA

3 months agopki: Plugins to load may be defined via PKI_PLUGINS env variable
Tobias Brunner [Tue, 7 May 2019 16:34:49 +0000 (18:34 +0200)]
pki: Plugins to load may be defined via PKI_PLUGINS env variable

3 months agotesting: Fix ikev2/net2net-rsa scenario
Tobias Brunner [Tue, 7 May 2019 14:06:28 +0000 (16:06 +0200)]
testing: Fix ikev2/net2net-rsa scenario

3 months agotesting: Add wrapper script to build certificates in root image
Tobias Brunner [Thu, 18 Apr 2019 13:10:10 +0000 (15:10 +0200)]
testing: Add wrapper script to build certificates in root image

This does not modify the root image but uses the strongSwan version
installed there (avoids build dependencies on version installed on the
host to use pki to generate all the keys and certificates).

3 months agotesting: Upgrade to Linux 5.1 kernel
Andreas Steffen [Mon, 6 May 2019 14:58:44 +0000 (16:58 +0200)]
testing: Upgrade to Linux 5.1 kernel

3 months agopki: Allow inclusion of [unsupported] critical X.509 extension
Andreas Steffen [Mon, 6 May 2019 12:33:49 +0000 (14:33 +0200)]
pki: Allow inclusion of [unsupported] critical X.509 extension

3 months agotesting: Updated build-certs script
Andreas Steffen [Sun, 5 May 2019 16:07:43 +0000 (18:07 +0200)]
testing: Updated build-certs script

3 months agotesting: Deleting dynamic test keys and certificates
Andreas Steffen [Sat, 4 May 2019 13:23:57 +0000 (15:23 +0200)]
testing: Deleting dynamic test keys and certificates

3 months agotesting: Exclude files that are ignored in Git from the distribution
Tobias Brunner [Mon, 29 Apr 2019 12:53:28 +0000 (14:53 +0200)]
testing: Exclude files that are ignored in Git from the distribution

Since the complete hosts and tests directories are part of the tarball
this would include generated certificates and keys.

3 months agotesting: Remove dynamic keys and certs from repository
Andreas Steffen [Sun, 28 Apr 2019 18:39:26 +0000 (20:39 +0200)]
testing: Remove dynamic keys and certs from repository

3 months agotesting: Build data.sql files for SQL test cases
Andreas Steffen [Sun, 28 Apr 2019 15:16:59 +0000 (17:16 +0200)]
testing: Build data.sql files for SQL test cases

3 months agopki: Add different output options for --keyid
Tobias Brunner [Thu, 18 Apr 2019 14:14:16 +0000 (16:14 +0200)]
pki: Add different output options for --keyid

Makes machine-processing these identifiers easier.

3 months agotesting: Build CERT and IPSECKEY RRs for strongswan.org zone
Tobias Brunner [Mon, 15 Apr 2019 16:25:13 +0000 (18:25 +0200)]
testing: Build CERT and IPSECKEY RRs for strongswan.org zone

Also copy generated keys to DNSSEC test cases.

3 months agotesting: Rename public keys in DNSSEC scenarios
Tobias Brunner [Mon, 15 Apr 2019 16:20:20 +0000 (18:20 +0200)]
testing: Rename public keys in DNSSEC scenarios

We will generate PEM-encoded public keys with the script.

3 months agotesting: Convert keys and certificates for all TKM scenarios
Tobias Brunner [Wed, 10 Apr 2019 09:27:11 +0000 (11:27 +0200)]
testing: Convert keys and certificates for all TKM scenarios

3 months agotesting: Disable leak detective in build-certs script
Tobias Brunner [Wed, 10 Apr 2019 07:34:26 +0000 (09:34 +0200)]
testing: Disable leak detective in build-certs script

3 months agotesting: Script building fresh certificates
Andreas Steffen [Mon, 1 Apr 2019 14:21:10 +0000 (16:21 +0200)]
testing: Script building fresh certificates

3 months agosmp: Use correct printf specifier to print SPIs
Tobias Brunner [Tue, 7 May 2019 12:50:11 +0000 (14:50 +0200)]
smp: Use correct printf specifier to print SPIs

3 months agofast: Use correct printf specifier to print content length
Tobias Brunner [Tue, 7 May 2019 12:48:19 +0000 (14:48 +0200)]
fast: Use correct printf specifier to print content length

3 months agolibimcv: Use proper printf specifier for unsigned issuer and responder IDs
Tobias Brunner [Tue, 7 May 2019 12:43:30 +0000 (14:43 +0200)]
libimcv: Use proper printf specifier for unsigned issuer and responder IDs

3 months agoswima-collector: Use proper type for field precision
Tobias Brunner [Tue, 7 May 2019 12:40:58 +0000 (14:40 +0200)]
swima-collector: Use proper type for field precision

3 months agoopenssl: Fix build with OpenSSL 1.1.1 without compatibility layer
Tobias Brunner [Tue, 7 May 2019 09:44:34 +0000 (11:44 +0200)]
openssl: Fix build with OpenSSL 1.1.1 without compatibility layer

If OpenSSL is built with --api, defines for deprecated functions in
OpenSSL's header files are not visible anymore.

Fixes #3045.

3 months agotravis: Build OpenSSL 1.1.1 without compatibility layer for older versions
Tobias Brunner [Tue, 7 May 2019 09:28:29 +0000 (11:28 +0200)]
travis: Build OpenSSL 1.1.1 without compatibility layer for older versions

Configuring 1.1.1 is not actually possible with 1.1.1b, not sure if
that's on purpose.

3 months agotravis: Make sure crypto plugins are actually loaded
Tobias Brunner [Tue, 7 May 2019 11:43:45 +0000 (13:43 +0200)]
travis: Make sure crypto plugins are actually loaded

3 months agostarter: Remove IPsec stack detection
Tobias Brunner [Tue, 7 May 2019 09:03:23 +0000 (11:03 +0200)]
starter: Remove IPsec stack detection

Checking specifically for /proc/net/pfkey is not ideal as af_key will
eventually be removed in Linux kernels.  Support for KLIPS is long gone.
The detection also wasn't used for anything anymore (failures were just
ignored since the ports to BSD-based systems).  And modprobing doesn't seem
to be necessary either (charon-systemd doesn't do that, for instance).

3 months agovici: Add Python command wrappers to tarball
Tobias Brunner [Mon, 6 May 2019 13:51:05 +0000 (15:51 +0200)]
vici: Add Python command wrappers to tarball

Fixes: e0f7da864481 ("vici: Extract command wrappers in Python bindings")

3 months agopki: Fix memory leaks in --signcrl if signature scheme is not found
Tobias Brunner [Tue, 30 Apr 2019 08:25:56 +0000 (10:25 +0200)]
pki: Fix memory leaks in --signcrl if signature scheme is not found

Fixes: dd4bd21c5a22 ("pki: Query private key for supported signature schemes")

3 months agotesting: Update documentation in headers of all updown scripts
Tobias Brunner [Mon, 29 Apr 2019 15:43:04 +0000 (17:43 +0200)]
testing: Update documentation in headers of all updown scripts

3 months agoswanctl: Move documentation of if_id_in/out after all mark-related options
Tobias Brunner [Mon, 29 Apr 2019 15:37:30 +0000 (17:37 +0200)]
swanctl: Move documentation of if_id_in/out after all mark-related options

Also fix a typo.

3 months agoFixed some typos, courtesy of codespell
Tobias Brunner [Mon, 29 Apr 2019 13:07:25 +0000 (15:07 +0200)]
Fixed some typos, courtesy of codespell

3 months agononce: Allow overriding the RNG quality used to generate nonces
Tobias Brunner [Tue, 23 Apr 2019 09:14:44 +0000 (11:14 +0200)]
nonce: Allow overriding the RNG quality used to generate nonces

Usually, changing this won't be necessary (actually, some plugins
specifically use different DRGBs for RNG_WEAK in order to separate
the public nonces from random data used for e.g. DH).
But for experts with special plugin configurations this might be
more flexible and avoids code changes.

3 months agounit-tests: Fix skipping of some ECDSA signature schemes
SophieK [Mon, 29 Apr 2019 06:33:47 +0000 (14:33 +0800)]
unit-tests: Fix skipping of some ECDSA signature schemes

Closes strongswan/strongswan#137.

3 months agoNEWS: Added some news for 5.8.0
Tobias Brunner [Fri, 26 Apr 2019 16:54:58 +0000 (18:54 +0200)]
NEWS: Added some news for 5.8.0

3 months agoMerge branch 'update-vici-bindings'
Tobias Brunner [Fri, 26 Apr 2019 08:19:21 +0000 (10:19 +0200)]
Merge branch 'update-vici-bindings'

Updates the command wrappers in all the bindings and simplifies calling
new commands (i.e. not yet wrapped) with the Python and Ruby bindings.

Fixes #3028.

3 months agovici: Update command wrappers in the Perl bindings
Tobias Brunner [Thu, 25 Apr 2019 09:09:20 +0000 (11:09 +0200)]
vici: Update command wrappers in the Perl bindings

Note that load_key() now returns the complete response (to get the key
identifier).

3 months agovici: Update some data in the Ruby gemspec
Tobias Brunner [Thu, 25 Apr 2019 08:26:11 +0000 (10:26 +0200)]
vici: Update some data in the Ruby gemspec

3 months agovici: Some code style fixes in the Ruby bindings
Tobias Brunner [Wed, 24 Apr 2019 16:05:11 +0000 (18:05 +0200)]
vici: Some code style fixes in the Ruby bindings

As reported by rubocop (some issues were not fixed, in particular
related to class/method length metrics).

3 months agovici: Update command wrappers of the Ruby bindings
Tobias Brunner [Wed, 24 Apr 2019 14:37:11 +0000 (16:37 +0200)]
vici: Update command wrappers of the Ruby bindings

Also reorder them to match README.md.

3 months agovici: Refactor how commands are called in the Ruby bindings
Tobias Brunner [Wed, 24 Apr 2019 14:05:12 +0000 (16:05 +0200)]
vici: Refactor how commands are called in the Ruby bindings

Also expose a method to call arbitrary commands, which allows calling not
yet wrapped commands. Exceptions are raised for all commands if the response
includes a negative "success" key (similar to how it's done in the Python
bindings).

3 months agovici: Fix formatting of return values for load-conn and load-authority commands
Tobias Brunner [Tue, 23 Apr 2019 17:56:22 +0000 (19:56 +0200)]
vici: Fix formatting of return values for load-conn and load-authority commands

3 months agovici: Add missing command wrappers for Python bindings
Tobias Brunner [Tue, 23 Apr 2019 14:13:19 +0000 (16:13 +0200)]
vici: Add missing command wrappers for Python bindings

Also change some for which the return value became relevant.

3 months agovici: Extract command wrappers in Python bindings
Tobias Brunner [Thu, 18 Apr 2019 08:56:15 +0000 (10:56 +0200)]
vici: Extract command wrappers in Python bindings

This simplifies the interface and allows calling not yet wrapped
commands more easily.

3 months agoeap-aka-3gpp2: Increase SQN after each authentication
Tobias Brunner [Wed, 24 Apr 2019 09:30:14 +0000 (11:30 +0200)]
eap-aka-3gpp2: Increase SQN after each authentication

3 months agoMerge branch 'childless'
Tobias Brunner [Thu, 25 Apr 2019 13:32:02 +0000 (15:32 +0200)]
Merge branch 'childless'

Adds support for childless initiation of IKE_SAs (RFC 6023) e.g. to
force a separate DH exchange for all CHILD_SAs including the first one.

Also allows the initiation of only the IKE_SA via swanctl --initiate if
the peer supports this extension.

Closes strongswan/strongswan#99.