sharpetronics/strongswan
1
0
Fork 0
mirror of https://github.com/strongswan/strongswan.git synced 2025-10-04 00:00:14 -04:00
Code Issues Projects Releases Wiki Activity
19,497 Commits 101 Branches 327 Tags
Commit Graph

19497 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Tobias Brunner
9a6aa2530e testing: Make sure ML-KEM scenarios use our ml plugin 
We now support OpenSSL's implementation in the openssl plugin.  This
makes sure our plugin is used on at least one of the hosts if we ever
switch to an OpenSSL version that supports ML-KEM.

In the ikev2/rw-mlkem scenario the logic is reversed.  There the ml plugin
is preferred on moon to test the responder side (and carol for the
initiator) and dave will switch to OpenSSL if it ever provides ML-KEM.
 2025-06-20 10:37:24 +02:00
Andreas Steffen
faf7ad2331 Version bump to 6.0.2dr2 6.0.2dr2 2025-06-05 13:43:21 +02:00
Andreas Steffen
f9985d72e4 testing: soup plugin removed from test environment 2025-06-05 13:42:41 +02:00
Andreas Steffen
2fa8f4a90f Version bump to 6.0.2dr1 6.0.2dr1 2025-06-04 19:58:23 +02:00
Tobias Brunner
b39311e19e Merge branch 'libsoup3' 
Ports the soup plugin to libsoup 3.

Closes strongswan/strongswan#2788
 2025-06-04 19:09:33 +02:00
Tobias Brunner
b8108a4c3c github: Use libsoup 3 for tests 
Requires installing libxml2-dev explicitly for the alpine build as
libsoup-dev had a dependency on it.
 2025-06-04 19:08:57 +02:00
Tobias Brunner
9dbb15dea9 leak-detective: Remove whitelisted libsoup2.x functions 
As mentioned in 0f141fb095a41a9fdfe5c111269eb643dc643494, we can't
really whitelist the "leaks" in GLib, so don't even try to do anything
with libsoup3.x.
 2025-06-04 19:08:57 +02:00
Mike Gorse
6ddabf52d5 soup: Port to libsoup 3 2025-06-04 19:08:07 +02:00
Tobias Brunner
e864b8a8b1 fetcher: Remove unused FETCH_HTTP_VERSION_1_0 option 
Was only used by the removed scepclient and does not serve any purpose
nowadays anyway.
 2025-06-04 19:07:22 +02:00
Tobias Brunner
82adb5ce0f unit-tests: Serial number tests depend on X.509 certificate parsing 
Requires additional plugin features, but if this is available, the
others are usually as well.
 2025-06-04 19:07:22 +02:00
Tobias Brunner
71f1091129 wolfssl: Fix build if wolfSSL was built in OpenSSL-compat mode 2025-06-04 19:07:13 +02:00
Tobias Brunner
3d426cbfee Merge branch 'wolfssl-fips' 
Fixes various issues when building the wolfssl plugin against wolfSSL's
FIPS module.

References strongswan/strongswan#2603
Closes strongswan/strongswan#2771
 2025-06-02 11:31:03 +02:00
Juliusz Sosinowicz
f38bb91654 wolfssl: Unlock keys if necessary when using FIPS module 
Wrap the functions that require it in PRIVATE_KEY_UNLOCK/PRIVATE_KEY_LOCK.
This can't be done at plugin initialization because it needs to be done
for every thread. strongSwan currently doesn't provide on-thread-create
callbacks for plugins so we need to wrap each direct call. Another reason
to do so is that some functions we call (e.g. wc_EccKeyToDer) internally
call PRIVATE_KEY_UNLOCK/PRIVATE_KEY_LOCK and would leave the keys locked
for that particular thread.
 2025-06-02 09:15:05 +02:00
Juliusz Sosinowicz
85eb5c7812 wolfssl: Properly initialize ECC private key object 2025-06-02 09:15:05 +02:00
Tobias Brunner
879e3ce05a wolfssl: Set a dummy key when testing KDF implementations 
In FIPS mode, wolfSSL enforces a minimum key size for these algorithms.
 2025-06-02 09:15:05 +02:00
Tobias Brunner
757e00c0ae test-vectors: Remove HMAC PRF test vectors with key size 4 
Some implementations enforce a minimum key size (e.g. wolfSSL in FIPS
mode) and in practice, the keys will be longer anyway (e.g. our nonces
are 32 bytes).
 2025-06-02 09:15:05 +02:00
Tobias Brunner
d0292a6f50 wolfssl: Include settings.h in case WOLFSSL_USER_SETTINGS is defined 2025-06-02 09:15:05 +02:00
Tobias Brunner
217049606b wolfssl: Use consistent defines for ECC public/private key loading 
HAVE_ECC_KEY_IMPORT can be defined while HAVE_ECC_SIGN is not.
So just use the same defines we use when defining the load functions.
 2025-06-02 09:15:04 +02:00
Tobias Brunner
7bfd81d78a wolfssl: Call wc_SetSeed_Cb() as required for FIPS-mode 2025-06-02 09:15:04 +02:00
Tobias Brunner
3a5f203958 Merge branch 'iptfs' 
This adds basic support for IP-TFS/AGGFRAG (RFC 9347).  The Linux kernel,
since 6.14, only supports aggregation/fragmentation so far.  The actual
TFS features will get added later.
 2025-05-28 16:48:42 +02:00
Tobias Brunner
dc4fef146a testing: Add ikev2/net2net-iptfs scenario 2025-05-28 16:37:47 +02:00
Tobias Brunner
b4a0eb3603 testing: Add config for Linux 6.14 
This has IP-TFS enabled.
 2025-05-28 16:37:46 +02:00
Tobias Brunner
a7a3c4a22a conf: Document global IP-TFS settings 2025-05-28 16:37:46 +02:00
Tobias Brunner
46525cdc4f child-create: Negotiate IP-TFS mode if configured 2025-05-28 16:37:46 +02:00
Tobias Brunner
f5f7424e1d notify-payload: Add notify type for IP-TFS/AGGFRAG 2025-05-28 16:37:46 +02:00
Tobias Brunner
6372b2890f kernel-netlink: Support IPTFS mode and attributes 2025-05-28 16:37:46 +02:00
Tobias Brunner
f32773b3a8 child-sa: Allow disabling fragmenting packets across AGGFRAG payloads 
This is necessary if the peer isn't able to handle such fragments.
 2025-05-28 16:37:46 +02:00
Tobias Brunner
33db7a200f kernel-ipsec: Add flag to disable sending fragments across AGGFRAG payloads 
We have to set this if the peer indicates that it doesn't support
handling such fragments in the notify.
 2025-05-28 16:37:46 +02:00
Tobias Brunner
1afc76dd56 vici: Make IP-TFS mode configurable 2025-05-28 16:37:46 +02:00
Tobias Brunner
e175abaf89 include: Add XFRM mode and attributes for IP-TFS 2025-05-28 16:37:46 +02:00
Tobias Brunner
419528f2ac ipsec-types: Add new mode for IP-TFS 
Added at the end as the numeric mode is e.g. used in SQL databases.
 2025-05-28 16:37:27 +02:00
Tobias Brunner
72e3b7dcc8 Merge branch 'per-cpu-sas' 
This adds support for per-CPU SAs (RFC 9611).
 2025-05-28 16:36:10 +02:00
Tobias Brunner
b7d3349000 testing: Add ikev2/per-cpu-sas-encap-transport scenario 
Tests transport mode and UDP encapsulation with random source ports.
Interestingly, the responder always uses the same SA to respond (maybe
due to the cache on the policy).
 2025-05-28 16:35:27 +02:00
Tobias Brunner
3b2f8cf282 testing: Add ikev2/per-cpu-sas-encap scenario 
Basically the same as the one without UDP encapsulation, but here the
outbound SAs use random source ports.
 2025-05-28 16:35:27 +02:00
Tobias Brunner
d83fbe82e4 kernel-netlink: Suppress NAT mapping updates for per-CPU SAs 
As we set the remote port to 0, we'd get a mapping change message with
every packet. Setting the threshold avoids all kernel messages after the
first, which we suppress explicitly as well.
 2025-05-28 16:35:27 +02:00
Tobias Brunner
14e1ec2b77 child-sa: Configure UDP encapsulation for per-CPU SAs 
As the kernel does not support processing UDP-encapsulated and plain ESP
for the same SA, we require forcing UDP encapsulation if there is no NAT.
 2025-05-28 16:35:27 +02:00
Tobias Brunner
73083503f2 vici: Make UDP encapsulation for per-CPU SAs configurable 2025-05-28 16:35:27 +02:00
Tobias Brunner
d594171d9e child-cfg: Add flag to enable UDP encapsulation for per-CPU SAs 2025-05-28 16:35:27 +02:00
Tobias Brunner
bf34484d24 testing: Add per-CPU SA test scenario 2025-05-28 16:35:27 +02:00
Tobias Brunner
e24edb2991 testing: Configure multiple virtual CPUs for moon and sun 
This allows testing per-CPU SAs by e.g. pinging over a specific CPU
via taskset.
 2025-05-28 16:35:27 +02:00
Tobias Brunner
0edaadfc94 testing: Enable SMP support for latest kernels 2025-05-28 16:35:27 +02:00
Tobias Brunner
f95bdb6fb0 swanctl: Report per-CPU information in --list-sas 2025-05-28 16:35:27 +02:00
Tobias Brunner
c176d32a73 vici: Report per-CPU SA information 2025-05-28 16:35:27 +02:00
Tobias Brunner
fbfae44dd1 vici: Make per-CPU CHILD_SAs configurable 2025-05-28 16:35:27 +02:00
Tobias Brunner
a950ca3ec2 kernel-netlink: Forward CPU ID from acquires 2025-05-28 16:35:27 +02:00
Tobias Brunner
4a595508b7 trap-manager: Add support to handle acquires for per-CPU SAs 2025-05-28 16:35:27 +02:00
Tobias Brunner
65b7f9d563 kernel-handler: Log CPU ID that's passed with an acquire 2025-05-28 16:35:27 +02:00
Tobias Brunner
d6eed3979b kernel-interface: Optionally pass CPU ID for which an acquire was triggered 2025-05-28 16:35:27 +02:00
Tobias Brunner
2082fa5dd2 ike-sa: Accept optional CPU ID when initiating CHILD_SAs 2025-05-28 16:35:26 +02:00
Tobias Brunner
8e7f379f71 ike-sa: Sort CHILD_SAs by CPU ID 
This might make debugging easier and also ensures that a possible
fallback SA without CPU ID is established first when reestablishing
an IKE_SA.  Because even if such an SA is established first initially,
that might change later depending on when per-CPU SAs are rekeyed.
 2025-05-28 16:35:26 +02:00