sharpetronics/strongswan
1
0
Fork 0
mirror of https://github.com/strongswan/strongswan.git synced 2025-10-06 00:00:47 -04:00
Code Issues Projects Releases Wiki Activity
17,658 Commits 101 Branches 327 Tags
Commit Graph

2187 Commits

Author SHA1 Message Date
Tobias Brunner
edc4279420 Rename diffie_hellman_t to key_exchange_t and change the interface etc. 
This makes it more generic so we can use it for QSKE methods.
 2020-12-07 13:28:34 +01:00
Tobias Brunner
9248f636b0 kernel-netlink: Make sure we successfully opened a Netlink socket 
This is in addition to the fix in the destructor in 991e9e5dc9.
 2020-12-03 08:34:18 +01:00
Tobias Brunner
ce433c9b29 kernel-wfp: Declare constants explicitly as extern 
Newer compilers otherwise complain that there are multiple definitions
of these (in header and .c file).
 2020-11-13 16:38:17 +01:00
Tobias Brunner
991e9e5dc9 kernel-netlink: Only attempt to remove routing rule if we have a socket 2020-11-04 10:06:46 +01:00
Tobias Brunner
a6f0e19bf5 Fixed some typos, courtesy of codespell 2020-11-04 10:06:46 +01:00
Tobias Brunner
ef636316d2 vici: Send all queued messages during shutdown 
This ensures that e.g. ike/child-updown messages are sent that were
queued but couldn't be sent (even the job to enable to on_write() callback
requires a worker thread that's not around anymore during shutdown).

References #3602.
 2020-10-30 09:58:42 +01:00
Tobias Brunner
a689e358e5 kernel-netlink: Ignore deprecated candidate source addresses 
The currently used address may get deprecated e.g. if an IPv6 prefix changes.
In this case we should switch to another address.

Fixes #3511.
 2020-10-29 09:46:14 +01:00
Tobias Brunner
2eb43ca405 kernel-netlink: Update cached address flags 
Note that manually adding an IPv6 address without disabling duplicate
address detection (DAD, e.g. via `nodad` when using iproute2) will cause
a roam event due to a flag change after about 1-2 seconds (TENTATIVE is
removed).  If this is a problem, we might have to ignore addresses with
TENTATIVE flag when we receive a RTM_NEWADDR message until that flag is
eventually removed.

Fixes #3511.
 2020-10-29 09:46:14 +01:00
Tobias Brunner
f3f93cade9 load-tester: Also request a virtual IPv6 address 
Fixes #3595.
 2020-10-27 16:40:38 +01:00
Tobias Brunner
1d232d4954 load-tester: Use appropriate family to request addresses from source IP pools 
Looks like this wasn't necessary before 40e90898895c ("Strictly enforce
address family match while acquiring mem_pool IPs").

Fixes #3595.
 2020-10-27 16:40:05 +01:00
Tobias Brunner
6839256773 vici: Support all defined key types 
References #3586.
 2020-10-27 11:17:21 +01:00
Tobias Brunner
0ce2e00d94 vici: Don't use pytest-pycodestyle with Python 3.5 
This causes problems due to a deprecation error during the Ubuntu Xenial
build on Travis.
 2020-08-17 15:22:34 +02:00
Tobias Brunner
61af9a3478 vici: Fix typos in comments 2020-07-23 14:50:17 +02:00
Tobias Brunner
3c5e7eaa88 vici: Keep track of all CA certificates in vici_authority_t 
This way we only have one reference for each CA certificate, whether it
is loaded in an authority section, a connection or via load-certs() command.
It also avoids enumerating CA certificates multiple times if they are
loaded in different ways.
 2020-07-20 14:05:39 +02:00
Tobias Brunner
d8a2c58229 vici: Make attribute certificates untrusted again 
Fixes: 334119b843d7 ("Share vici_cert_info.c with vici_cred.c")
 2020-07-20 14:05:39 +02:00
Tobias Brunner
6fc1b2c3d3 vici: Clear credential cache when unloading an authority section 2020-07-20 14:05:38 +02:00
Tobias Brunner
46ff268885 vici: Directly provide CA certificates in authority sections 
With the previous approach, CA certificates that were not re-loaded via
load-cert() (e.g. from tokens or via absolute paths) would not be available
anymore after the clear-creds() command was used.  This avoids this
issue, but can cause duplicate CA certificates to get stored and enumerated,
so there might be a scaling factor.
 2020-07-20 14:05:38 +02:00
Tobias Brunner
306c0c9f8e certificate: Extract helper function to filter certificates 2020-07-20 14:05:38 +02:00
Tobias Brunner
736fae4e6c vici: Store configs in a hashtable 
This makes updates more efficient if many configs are loaded. Configs
still have to be enumerated to select them.
 2020-07-20 13:50:11 +02:00
Tobias Brunner
d9944102f5 hashlist: Move get_match() and sorting into a separate class 
The main intention here is that we can change the hashtable_t
implementation without being impeded by the special requirements imposed
by get_match() and sorting the keys/items in buckets.
 2020-07-20 13:50:11 +02:00
Tobias Brunner
fd94c1301e kernel-netlink: Ignore preference for temporary addresses for IPv6 VIPs 
They are not marked as temporary addresses so make sure we always return
them whether temporary addresses are preferred as source addresses or not
as we need to enumerate them when searching for addresses in traffic selectors
to install routes.

Fixes: 9f12b8a61c47 ("kernel-netlink: Enumerate temporary IPv6 addresses according to config")
 2020-07-07 10:01:46 +02:00
Tobias Brunner
feda4a3d37 vici: With start_action=start, terminate IKE_SA without children on unload 
This includes IKE_SAs in CONNECTING state, which not yet have any
CHILD_SAs.

Closes strongswan/strongswan#175.
 2020-07-01 15:59:41 +02:00
Boris Vanhoof
6870a9b590 eap-radius: Small spelling fix 
Closes strongswan/strongswan#174.
 2020-06-29 09:44:19 +02:00
Tobias Brunner
33412158f5 ike: Send AEAD ESP default proposal first 
We generally prefer AEAD nowadays.

References #3461.
 2020-06-12 13:47:13 +02:00
Tobias Brunner
3d92cff726 lookip: Use line buffering for stdout 
Otherwise, the output is buffered when e.g. piping the output to another
command (or file).  And it avoids having to call fflush() in the
interactive mode.

Fixes #3404.
 2020-05-07 15:05:55 +02:00
Thomas Egerer
d2c15b7bf9 vici: Allow maximum vici message size configuration via compile option 
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
 2020-04-14 16:55:49 +02:00
Tobias Brunner
dfd261d2de kernel-netlink: Extract shared route handling code in net/ipsec 2020-03-10 10:30:39 +01:00
Tobias Brunner
e23708bdf3 kernel-netlink: Don't require an interface name for passthrough policies 2020-03-10 10:26:42 +01:00
Tobias Brunner
b0b6bd2470 kernel-netlink: Allow blank source address in routes for passthrough policies 2020-03-10 10:25:19 +01:00
Noel Kuntze
09f4bccfea kernel-netlink: Implement passthrough type routes and use them on Linux 
Enables us to ignore any future kernel features for routes unless
we actually need to consider them for the source IP routes.

Also enables us to actually really skip IPsec processing for those networks
(because even the routes don't touch those packets). It's more what
users expect.

Co-authored-by: Tobias Brunner <tobias@strongswan.org>
 2020-03-10 10:20:58 +01:00
Josh Soref
b3ab7a48cc Spelling fixes 
* accumulating
* acquire
* alignment
* appropriate
* argument
* assign
* attribute
* authenticate
* authentication
* authenticator
* authority
* auxiliary
* brackets
* callback
* camellia
* can't
* cancelability
* certificate
* choinyambuu
* chunk
* collector
* collision
* communicating
* compares
* compatibility
* compressed
* confidentiality
* configuration
* connection
* consistency
* constraint
* construction
* constructor
* database
* decapsulated
* declaration
* decrypt
* derivative
* destination
* destroyed
* details
* devised
* dynamic
* ecapsulation
* encoded
* encoding
* encrypted
* enforcing
* enumerator
* establishment
* excluded
* exclusively
* exited
* expecting
* expire
* extension
* filter
* firewall
* foundation
* fulfillment
* gateways
* hashing
* hashtable
* heartbeats
* identifier
* identifiers
* identities
* identity
* implementers
* indicating
* initialize
* initiate
* initiation
* initiator
* inner
* instantiate
* legitimate
* libraries
* libstrongswan
* logger
* malloc
* manager
* manually
* measurement
* mechanism
* message
* network
* nonexistent
* object
* occurrence
* optional
* outgoing
* packages
* packets
* padding
* particular
* passphrase
* payload
* periodically
* policies
* possible
* previously
* priority
* proposal
* protocol
* provide
* provider
* pseudo
* pseudonym
* public
* qualifier
* quantum
* quintuplets
* reached
* reading
* recommendation to
* recommendation
* recursive
* reestablish
* referencing
* registered
* rekeying
* reliable
* replacing
* representing
* represents
* request
* request
* resolver
* result
* resulting
* resynchronization
* retriable
* revocation
* right
* rollback
* rule
* rules
* runtime
* scenario
* scheduled
* security
* segment
* service
* setting
* signature
* specific
* specified
* speed
* started
* steffen
* strongswan
* subjectaltname
* supported
* threadsafe
* traffic
* tremendously
* treshold
* unique
* uniqueness
* unknown
* until
* upper
* using
* validator
* verification
* version
* version
* warrior

Closes strongswan/strongswan#164.
 2020-02-11 18:23:07 +01:00
Tobias Brunner
f78dfb7e28 vici: Options are optional in get_pools() of Python bindings 
Fixes #3319.
 2020-02-03 10:52:31 +01:00
Tobias Brunner
18a3e6d80f systime-fix: Replace asctime() with thread-safe asctime_r() 
According to the man page, the buffer should have room for at least
26 characters.
 2020-01-28 15:32:43 +01:00
Tobias Brunner
584e8197fe load-tester: Avoid naming conflict with local certificate variables 2020-01-28 15:32:43 +01:00
Tobias Brunner
f168f5782b eap-aka-3gpp2: Fix a bunch of typos 2020-01-28 15:32:43 +01:00
Tobias Brunner
378fe7a4bf eap-aka-3gpp2: Avoid naming conflict with parameters of crypto functions 2020-01-28 15:32:43 +01:00
Tobias Brunner
719cfc7846 eap-aka-3gpp2: Avoid naming conflict with local AMF variable 2020-01-28 15:32:43 +01:00
Tobias Brunner
c584a6b2dc vici: Remove unused import in Python bindings 2020-01-28 15:29:40 +01:00
Tobias Brunner
df4274171e vici: Remove unnecessary pass statement 2020-01-28 15:29:40 +01:00
Tobias Brunner
ecf161e517 vici: Move Python test dir and include it in sdist 
This is the recommended location and import config as it allows running the
tests against installed versions of the package.  And while the test file
itself is automatically included in the source distribution this way, the
__init__.py file is not, so we still have to update MANIFEST.in.
 2020-01-14 16:53:19 +01:00
Tobias Brunner
b723431540 vici: Run Python tests via tox if available 
Since we use the serial test harness we can't use AM_TESTS_ENVIRONMENT.
The script is necessary for out-of-tree builds.
 2020-01-14 15:26:52 +01:00
Tobias Brunner
574621d80a vici: Fix several PEP8 issues 2020-01-14 15:26:32 +01:00
Tobias Brunner
d5153c5897 vici: Add tox.ini to run tests with tox 
Some of the interpreters might not be available on the host system, use
--skip-missing-interpreters to not fail in that case.
 2020-01-14 15:26:29 +01:00
Tobias Brunner
c170bb593b vici: List newer Python versions in setup.py 2020-01-14 10:48:53 +01:00
Tobias Brunner
a3166c8188 kernel-netlink: Use correct config option name for HW offloading check 
Fixes: a605452c038e ("kernel-netlink: Check for offloading support in constructor")
 2019-12-13 17:20:51 +01:00
Tobias Brunner
d3ca9fcda4 attr: Remove unused/undeclared argument in provider constructor 2019-12-09 11:05:25 +01:00
Tobias Brunner
c81a8a8f36 kernel-netlink: Properly compare routes for policies without gateway/netxhop 
This happened when installing a duplicate bypass policy for a locally
connected subnet.  The destructor and the kernel-net part already
handle this correctly.
 2019-12-06 10:28:13 +01:00
Tobias Brunner
ae9b748a77 vici: Log certificate constraints for loaded configs 2019-12-06 10:07:47 +01:00
Martin Willi
3c71a3201f vici: Introduce a ca_id option identity based CA certificate constraints 2019-12-06 10:07:46 +01:00
Tobias Brunner
7035340b21 farp: Ignore SAs with 0.0.0.0/0 remote traffic selector 
This is mostly to avoid hijacking the local LAN if the farp plugin is
inadvertently active on a roadwarrior.

Fixes #3116.
 2019-12-06 10:06:16 +01:00