Tobias Brunner
71dca60c31
settings: Don't allow dots in section/key names anymore
This requires config changes if filelog is used with a path that
contains dots. This path must now be defined in the `path` setting of an
arbitrarily named subsection of `filelog`. Without that change the
whole strongswan.conf file will fail to load, which some users might
not notice immediately.
2018-09-11 18:30:18 +02:00
Tobias Brunner
85afe81e1f
ike-auth: Remove unnecessary case statement
2018-09-11 18:18:50 +02:00
Tobias Brunner
a0c302f878
vici: Remove unreachable code
If list is TRUE any type but VICI_LIST_END and VICI_LIST_ITEM (i.e.
including VICI_END) is already handled in the first block in this
function.
2018-09-11 18:18:50 +02:00
Tobias Brunner
954e75effa
vici: Lease enumerator is always defined
mem_pool_t always returns an enumerator.
2018-09-11 18:18:50 +02:00
Tobias Brunner
55fb268b51
stroke: Lease enumerator is always defined
This function is only called for existing pools (under the protection of
a read lock).
2018-09-11 18:18:50 +02:00
Tobias Brunner
648709b392
smp: Remove unreachable initializer
Execution in this block will start with any of the case statements,
never with the initialization.
2018-09-11 18:18:49 +02:00
Tobias Brunner
23d756e4f0
eap-sim-pcsc: Fix leak in error case
2018-09-11 18:18:49 +02:00
Tobias Brunner
e2d8833f2b
travis: Add sonarcloud build
2018-09-11 18:18:43 +02:00
Tobias Brunner
f5481496d6
travis: Automatically retry install steps
There occasionally are network issues when fetching from Ubuntu/PPA
repos. Let's see if this is a possible fix.
2018-09-11 18:17:28 +02:00
Tobias Brunner
80e8845d36
swanctl: Allow passing a custom config file for each --load* command
Mainly for debugging, but could also be used to e.g. use a separate file
for connections and secrets.
2018-09-11 18:14:45 +02:00
Tobias Brunner
7257ba3b44
Merge branch 'ikev2-ppk'
Adds support for Postquantum Preshared Keys for IKEv2.
Fixes #2710.
2018-09-10 18:05:12 +02:00
Tobias Brunner
d1c5e6816d
testing: Add some PPK scenarios
2018-09-10 18:04:23 +02:00
Tobias Brunner
755985867e
swanctl: Report the use of a PPK in --list-sas
If we later decide the PPK_ID would be helpful, printing this on a
separate line would probably make sense.
2018-09-10 18:03:30 +02:00
Tobias Brunner
c4d2fdd915
vici: Return PPK state of an IKE_SA
2018-09-10 18:03:27 +02:00
Tobias Brunner
e4d85011e4
ikev2: Mark IKE_SAs that used PPK during authentication
2018-09-10 18:03:18 +02:00
Tobias Brunner
6627706786
eap-authenticator: Add support for authentication with PPK
2018-09-10 18:03:03 +02:00
Tobias Brunner
18f8249415
pubkey-authenticator: Add support for authentication with PPK
2018-09-10 18:03:03 +02:00
Tobias Brunner
46bdeaf359
psk-authenticator: Add support for authentication with PPK
2018-09-10 18:03:03 +02:00
Tobias Brunner
a9e60c96dc
ike-auth: Add basic PPK support
Some of the work will have to be done in the authenticators.
2018-09-10 18:03:02 +02:00
Tobias Brunner
94f9f421bc
ike-auth: Replace == NULL with !
2018-09-10 18:03:02 +02:00
Tobias Brunner
7150fa7065
authenticator: Add optional method to set PPK
2018-09-10 18:03:02 +02:00
Tobias Brunner
600b106852
ike-init: Send USE_PPK notify as appropriate
2018-09-10 18:03:02 +02:00
Tobias Brunner
1fb46f7119
swanctl: Report PPK configuration in --list-conns
2018-09-10 18:03:02 +02:00
Tobias Brunner
7f94528061
vici: Make PPK related options configurable
2018-09-10 18:03:02 +02:00
Tobias Brunner
a2ff8b654d
peer-cfg: Add properties for PPK ID and whether PPK is required
2018-09-10 18:03:01 +02:00
Tobias Brunner
83dcc1f4cf
ike-sa: Add flag for PPK extension
2018-09-10 18:03:01 +02:00
Tobias Brunner
3fbc95cf54
keymat_v2: Add support for PPKs
2018-09-10 18:03:01 +02:00
Tobias Brunner
3703dff2aa
swanctl: Add support for PPKs
2018-09-10 18:03:01 +02:00
Tobias Brunner
1ec9382880
vici: Add support for PPKs
2018-09-10 18:03:01 +02:00
Tobias Brunner
bac3ca2324
shared-key: Add a new type for Postquantum Preshared Keys
Using a separate type allows us to easily check if we have any PPKs
available at all.
2018-09-10 18:03:01 +02:00
Tobias Brunner
0f423dda28
ikev2: Add notify types for Postquantum Preshared Keys
2018-09-10 18:03:00 +02:00
Tobias Brunner
5dff6de8eb
unit-tests: Add tests for peer_cfg_t::replace_child_cfgs()
2018-09-10 17:45:23 +02:00
Tobias Brunner
40ed812442
peer-cfg: Replace equal child configs with newly added ones
Otherwise, renamed child configs would still be known to the daemon
under their old name.
Fixes #2746.
2018-09-10 17:45:07 +02:00
Andreas Steffen
375dfb9076
crypto: References to RFCs 8410 and 8420
2018-09-04 07:24:20 +02:00
Tobias Brunner
53f8ac3d6a
Normalize whitespace in boilerplate files
Now all consistently use 2 or 4 (HACKING) spaces for indentation.
2018-09-03 14:18:20 +02:00
Tobias Brunner
aad9021fd3
README: Fix indentation
2018-09-03 14:14:18 +02:00
Martin Willi
39bc437771
init: Reload configurations/credentials as well during systemctl reload
2018-08-31 16:57:48 +02:00
Tobias Brunner
8505c28289
swanctl: Add --reauth option to --rekey command
2018-08-31 12:39:46 +02:00
Tobias Brunner
a20527438a
vici: Add option to reauthenticate instead of rekey an IKEv2 SA
2018-08-31 12:39:46 +02:00
Tobias Brunner
720a8bedaa
Merge branch 'xfrm-set-mark'
This adds the ability to configure marks the in- and/or outbound SA
should apply to packets after processing on Linux. Configuring such a mark
for outbound SAs requires at least a 4.14 kernel. The ability to set a mask
and configuring a mark/mask for inbound SAs will be added with the upcoming
4.19 kernel.
2018-08-31 12:32:31 +02:00
Martin Willi
902dc29f7a
child-sa: Use SA matching mark as SA set mark if the latter is %same
For inbound processing, it can be rather useful to apply the mark to the
packet in the SA, so the associated policy with that mark implicitly matches.
When using %unique as match mark, we don't know the mark beforehand, so
we most likely want to set the mark we match against.
2018-08-31 12:26:40 +02:00
Martin Willi
ebd2d3877e
ipsec-types: Restrict the use of %unique and other keywords when parsing marks
%unique (and the upcoming %same key) are usable in specific contexts only.
To restrict the user from using it in other places where it does not get the
expected results, reject such keywords unless explicitly allowed.
2018-08-31 12:26:40 +02:00
Martin Willi
b9aacf9adc
vici: Document kernel requirements for set_mark_in/set_mark_out options
2018-08-31 12:26:40 +02:00
Tobias Brunner
60f7896923
vici: Make in-/outbound marks the SA should set configurable
2018-08-31 12:26:40 +02:00
Tobias Brunner
f59450fde6
child-sa: Configure in-/outbound mark the SA should set
2018-08-31 12:26:40 +02:00
Tobias Brunner
fa4d4012ae
child-cfg: Add properties for in-/outbound mark the SA should set
2018-08-31 12:24:30 +02:00
Tobias Brunner
9cee688f78
kernel-netlink: Add support for setting mark/mask an SA should apply to processed traffic
2018-08-31 12:24:30 +02:00
Tobias Brunner
c5b94b2483
kernel-netlink: Use larger buffer for event messages
2018-08-31 12:15:12 +02:00
Tobias Brunner
9de3140dbf
ikev1: Increase DPD sequence number only after receiving a response
We don't retransmit DPD requests like we do requests for proper exchanges,
so increasing the number with each sent DPD could result in the peer's state
getting out of sync if DPDs are lost, because according to RFC 3706, DPDs
with an unexpected sequence number SHOULD be rejected (it does mention the
possibility of maintaining a window of acceptable numbers, but we currently
don't implement that). We partially ignore such messages (i.e. we don't
update the expected sequence number and the inbound message stats, so we
might send a DPD when none is required). However, we always send a response,
so a peer won't really notice this (it also ensures a reply for "retransmits"
caused by this change, i.e. multiple DPDs with the same number - hopefully,
other implementations behave similarly when receiving such messages).
Fixes #2714.
2018-08-31 11:31:35 +02:00
Tobias Brunner
5c38a5ea83
Remove ITA references
2018-08-31 11:11:12 +02:00