sharpetronics/strongswan
1
0
Fork 0
mirror of https://github.com/strongswan/strongswan.git synced 2025-10-07 00:01:49 -04:00
Code Issues Projects Releases Wiki Activity
14,975 Commits 100 Branches 327 Tags
Commit Graph

14975 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Andreas Steffen
278497f2ba testing: Use absolute path of imv_policy_manager 2016-04-26 17:15:37 +02:00
Andreas Steffen
ef84ad0e11 Updated products in IMV database 2016-04-26 17:15:37 +02:00
Andreas Steffen
afcd466192 swanctl: list EAP type in --list-conns 2016-04-26 17:15:37 +02:00
Andreas Steffen
b85422b90c testing: -D and -u options in sfdisk are not supported any more 2016-04-26 17:15:37 +02:00
Yannick Cann
49fa6ebf1c identification: Add support for dmdName RDN (2.5.4.54) 
It's listed in RFC 2256 but was later removed with RFC 4519, but there
are still some certs that use it.

Closes strongswan/strongswan#43.
 2016-04-25 17:06:04 +02:00
Andreas Steffen
c87f428836 leak-detective: added _IO_file_doallocate to whitelist 2016-04-24 23:34:44 +02:00
Andreas Steffen
4e3234afb4 swanctl: log errors to stderr 2016-04-24 23:33:23 +02:00
Andreas Steffen
029d3a0ce6 testing: updated testing.conf 2016-04-24 13:36:31 +02:00
Tobias Brunner
61587aa6fc pool: Use correct name to remove index for CHILD_SA TS in SQLite script 
Fixes #1415.
 2016-04-18 10:08:44 +02:00
Tobias Brunner
254726b59e kernel-pfkey: Add support for manual priorities 
Also orders policies with equals priorities by their automatic priority.
 2016-04-15 10:39:01 +02:00
Tobias Brunner
4e59618382 kernel-pfkey: Update priority calculation formula to the new one in kernel-netlink 
Since the selectors are not exactly the same (no port masks, no interface)
some small tweaks have been applied.
 2016-04-15 10:39:00 +02:00
Tobias Brunner
869f4e90b1 kernel-netlink: Order policies with equal priorities by their automatic priority 
This allows using manual priorities for traps, which have a lower
base priority than the resulting IPsec policies.  This could otherwise
be problematic if, for example, swanctl --install/uninstall is used while
an SA is established combined with e.g. IPComp, where the trap policy does
not look the same as the IPsec policy (which is now otherwise often the case
as the reqids stay the same).

It also orders policies by selector size if manual priorities are configured
and narrowing occurs.
 2016-04-15 10:39:00 +02:00
Tobias Brunner
ea27163ee1 Merge branch 'boringssl' 
Adds some fixes to the openssl plugin to build against BoringSSL.

Fixes #1374.
 2016-04-15 10:34:27 +02:00
Tobias Brunner
689bb34958 curl: Add TLS support if libcurl is built against BoringSSL 
We don't have to rely on the openssl plugin and its threading
initialization as BoringSSL is thread-safe out of the box.
 2016-04-15 10:32:53 +02:00
Tobias Brunner
47a46be597 openssl: BoringSSL does not support configuration 
The other initialization functions are still defined but many are
apparently no-ops (this is also true for the threading initialization).
 2016-04-15 10:32:53 +02:00
Tobias Brunner
c8a219a28d openssl: The member storing the DH exponent length has been renamed in BoringSSL 2016-04-15 10:32:53 +02:00
Tobias Brunner
77df573a95 openssl: Use proper EVP macro to determine size of a hash 2016-04-15 10:32:52 +02:00
Tobias Brunner
9b85a6853b android: Remove OPENSSL_NO_EC* defines 
Current versions of OpenSSL/BoringSSL shipped with Android support ECC.
 2016-04-15 10:32:52 +02:00
Tobias Brunner
cb65e95d4a android: OPENSSL_NO_ENGINE is now properly defined in the headers 2016-04-15 10:32:36 +02:00
Tobias Brunner
de9b3491ad curl: Handle LibreSSL like OpenSSL in regards to multi-threading 
LibreSSL is API compatible so our openssl plugin does not need any
changes and it works fine with the curl plugin.
 2016-04-15 10:31:19 +02:00
Tobias Brunner
e8c73c1cf0 configure: Replace two remaining usages of AC_HAVE_LIBRARY with AC_CHECK_LIB 2016-04-15 10:31:19 +02:00
Tobias Brunner
960632ffb0 thread: Don't hold mutex when calling cleanup handlers while terminating 
This could interfere with cleanup handlers that try to acquire
mutexes while other threads holding these try to e.g. cancel the threads.

As cleanup handlers are only queued by the threads themselves we don't need
any synchronization to access the list.

Fixes #1401.
 2016-04-13 13:55:20 +02:00
Andreas Steffen
0ff486f507 testing: Added swanctl/rw-multi-ciphers-ikev1 scenario 2016-04-12 18:50:58 +02:00
Tobias Brunner
4af7aa18f0 Ignore Qt Creator project files 
Closes strongswan/strongswan#32.
 2016-04-11 16:16:57 +02:00
Andreas Steffen
c407f163e6 Version bump to 5.4.1dr1 5.4.1dr1 2016-04-11 10:24:12 +02:00
Andreas Steffen
b1c89bb0f9 Merge branch 'kernel-policies' 2016-04-11 10:19:21 +02:00
Andreas Steffen
d3af3b799f Extended IPsec kernel policy scheme 
The kernel policy now considers src and dst port masks as well as
restictions to a given network interface. The base priority is
100'000 for passthrough shunts, 200'000 for IPsec policies,
300'000 for IPsec policy traps and 400'000 for fallback drop shunts.
The values 1..30'000 can be used for manually set priorities.
 2016-04-09 16:51:02 +02:00
Andreas Steffen
d3edc8aa0f testing: Added swanctl/manual_prio scenario 2016-04-09 16:51:02 +02:00
Andreas Steffen
e9704e90cf Include manual policy priorities and restriction to interfaces in vici list-conn command 2016-04-09 16:51:02 +02:00
Andreas Steffen
c26e4330e7 Implemented IPsec policies restricted to given network interface 2016-04-09 16:51:02 +02:00
Andreas Steffen
7f57c4f9fb Support manually-set IPsec policy priorities 2016-04-09 16:51:01 +02:00
Tobias Brunner
2ba5dadb12 peer-cfg: Use struct to pass data to constructor 2016-04-09 16:51:01 +02:00
Tobias Brunner
8a00a8452d child-cfg: Use struct to pass data to constructor 2016-04-09 16:51:01 +02:00
Tobias Brunner
fd8f1194f3 kernel-pfkey: Prefer policies with reqid over those without 2016-04-09 16:51:01 +02:00
Tobias Brunner
0ff8ce9452 kernel-pfkey: Only install templates for regular IPsec policies with reqid 2016-04-09 16:51:01 +02:00
Tobias Brunner
638b4638e3 testing: Add swanctl/net2net-gw scenario 2016-04-09 16:51:00 +02:00
Tobias Brunner
23f25f9647 shunt-manager: Install "outbound" FWD policy 
If there is a default drop policy forwarded traffic might otherwise not
be allowed by a specific passthrough policy (while local traffic is
allowed).
 2016-04-09 16:51:00 +02:00
Tobias Brunner
83312ee5e4 kernel-netlink: Prefer policies with reqid over those without 
This allows two CHILD_SAs with reversed subnets to install two FWD
policies each.  Since the outbound policy won't have a reqid set we will
end up with the two inbound FWD policies installed in the kernel, with
the correct templates to allow decrypted traffic.
 2016-04-09 16:51:00 +02:00
Tobias Brunner
f7e9e6a3fd kernel-netlink: Only associate templates with inbound FWD policies 
We can't set a template on the outbound FWD policy (or we'd have to make
it optional).  Because if the traffic does not come from another (matching)
IPsec tunnel it would get dropped due to the template mismatch.
 2016-04-09 16:51:00 +02:00
Tobias Brunner
9c12635252 child-sa: Install "outbound" FWD policy 
If there is a DROP shunt that matches outbound forwarded traffic it
would get dropped as the FWD policy we install only matches decrypted
inbound traffic.  That's because the Linux kernel first checks the FWD
policies before looking up the OUT policy and SA to encrypt the packets.
 2016-04-09 16:51:00 +02:00
Tobias Brunner
c4387e991a kernel-netlink: Associate routes with IN policies instead of FWD policies 
This allows us to install more than one FWD policy.  We already do this
in the kernel-pfkey plugin (there the original reason was that not all
kernels support FWD policies).
 2016-04-09 16:50:59 +02:00
Tobias Brunner
89da06ace9 kernel: Use structs to pass information to the kernel-ipsec interface 2016-04-09 16:50:59 +02:00
Tobias Brunner
ea3a4d3f72 testing: List conntrack table on sun in ikev2/host2host-transport-connmark scenario 2016-04-06 14:01:18 +02:00
Tobias Brunner
aa65b8c147 testing: Version bump to 5.4.0 
References #1382.
 2016-04-06 11:17:40 +02:00
Tobias Brunner
76397efa21 testing: Disable leak detective when generating CRLs 
GnuTLS, which can get loaded by the curl plugin, does not properly cleanup
some allocated memory when deinitializing.  This causes invalid frees if
leak detective is active.  Other invalid frees are related to time
conversions (tzset).

References #1382.
 2016-04-06 11:16:59 +02:00
Tobias Brunner
7316a13bd1 pkcs11: Skip zero-padding of r and s when preparing EC signature 
They are zero padded to fill the buffer.

Fixes #1377.
 2016-04-05 16:17:10 +02:00
Tobias Brunner
b82b5f6398 chunk: Skip all leading zero bytes in chunk_skip_zero() not just the first 2016-04-04 15:39:42 +02:00
Tobias Brunner
85597f2983 string: Gracefully handle NULL in str*eq() macros 2016-04-04 10:43:46 +02:00
Tobias Brunner
90c8cf6819 byteorder: Explicitly check for htoXeXX macros 
Some platforms have XetohXX macros instead of XeXXtoh macros, in which
case we'd redefine the htoXeXX macros.
 2016-03-31 19:47:31 +02:00
Cameron McCord
be41d5cba2 vici: Fix documentation of some dictionary keys of two request messages 
Closes strongswan/strongswan#40.
 2016-03-31 11:26:44 +02:00