Tobias Brunner
eff0c43a17
bus: Support multiple key exchanges in ike/child_keys() events
2024-08-07 16:20:18 +02:00
Tobias Brunner
c14e4ab2a8
keymat_v2: Support key derivation with multiple key exchanges
2024-08-07 16:20:18 +02:00
Tobias Brunner
c36eaf42da
key-exchange: Add helper to concatenate shared secrets of several key exchanges
2024-08-07 16:20:18 +02:00
Tobias Brunner
ec0ec55070
keymat_v2: Proper cleanup if derive_ike_keys() is called multiple times
2024-08-07 16:20:18 +02:00
Tobias Brunner
f6b2e6a21f
ike-auth: Calculate and collect IntAuth for IKE_INTERMEDIATE exchanges
The message ID of the first IKE_AUTH exchange is a safe-guard against
potential truncation attacks if IKE_INTERMEDIATE exchanges are not used
for multiple key exchanges but some other future use where the number of
exchanges might not depend on the selected proposal.
2024-08-07 16:20:18 +02:00
Tobias Brunner
1212780b32
pubkey-authenticator: Handle IntAuth data
2024-08-07 16:20:18 +02:00
Tobias Brunner
c4dac17d8c
psk-authenticator: Handle IntAuth data
2024-08-07 16:20:18 +02:00
Tobias Brunner
5c69262ce6
eap-authenticator: Handle IntAuth data
2024-08-07 16:20:18 +02:00
Tobias Brunner
e5828d26ea
keymat_v2: Include optional IntAuth in signed octets
2024-08-07 16:20:18 +02:00
Tobias Brunner
91f09b8d25
authenticator: Add optional method to set IntAuth data
2024-08-07 16:20:18 +02:00
Tobias Brunner
515b9303de
message: Store original encrypted payload when generating fragments
If we don't do this, get_plain() will fail after generating the message
fragmented unless it was generated non-fragmented previously.
2024-08-07 16:20:18 +02:00
Tobias Brunner
b9c69f9080
message: Add method to generate data to authenticate IKE_INTERMEDIATE exchanges
2024-08-07 16:20:18 +02:00
Tobias Brunner
5c439bb8a3
generator: Make pointer to length field optional
Only useful if we generate an IKE header.
2024-08-07 16:20:18 +02:00
Tobias Brunner
a24993213e
keymat_v2: Add method to calculate IntAuth for IKE_INTERMEDIATE exchanges
2024-08-07 16:20:18 +02:00
Tobias Brunner
b8358936aa
message: Add rules for IKE_FOLLOWUP_KE exchanges
2024-08-07 16:20:18 +02:00
Tobias Brunner
414db6cab1
ike-header: Add IKE_FOLLOWUP_KE exchange type
2024-08-07 16:20:18 +02:00
Tobias Brunner
041358976b
notify-payload: Add notify types for multiple key exchanges
2024-08-07 16:20:18 +02:00
Tobias Brunner
aedf73f7cf
ikev2: Reject IKE_INTERMEDIATE requests after IKE_AUTH
We currently only support these exchanges for additional key exchanges,
so once we have the final keys derived and the ike-init task is removed,
we don't expect any more of them.
2024-08-07 16:20:18 +02:00
Tobias Brunner
25f2cdfc56
message: Add rules for IKE_INTERMEDIATE exchanges
2024-08-07 16:20:18 +02:00
Tobias Brunner
a45d454e94
ike-header: Add IKE_INTERMEDIATE exchange type
2024-08-07 16:20:18 +02:00
Tobias Brunner
cc9ab450d6
notify-payload: Add notify type for IKE_INTERMEDIATE exchange
2024-08-07 16:20:18 +02:00
Tobias Brunner
3e0495745c
proposal-substructure: Encode additional key exchange methods
2024-08-07 16:20:18 +02:00
Tobias Brunner
9cc5f4a511
proposal: Make all key exchange transforms optional in ESP/AH proposals
2024-08-07 16:20:18 +02:00
Tobias Brunner
fb6b8c833b
proposal: Skip all KE transforms if PROPOSAL_SKIP_KE given
2024-08-07 16:20:18 +02:00
Tobias Brunner
2e059e0c27
transform: Add helper to check if transform type negotiates key exchange
2024-08-07 16:20:18 +02:00
Tobias Brunner
22550bd262
transform: Add additional key exchange transform types
2024-08-07 16:20:18 +02:00
Tobias Brunner
a7f617ab33
kernel-pfkey: Fix list of extension type names on FreeBSD
The list was extended earlier this year.
2024-08-07 15:09:45 +02:00
Tobias Brunner
abdc7878a4
Merge branch 'sa-dir'
Configures the direction of IPsec SAs in the Linux kernel if
possible (6.10+).
2024-08-07 15:00:56 +02:00
Tobias Brunner
22eded1da4
kernel-netlink: Set replay window 0 if kernel supports SA direction attribute
The kernel now allows a 0 replay window with ESN for SAs that are
explicitly tagged as outbound SAs. But not just that, it actually
rejects outbound SAs with replay windows > 0. So we add a version check
to control the replay window size. Note that adding the attribute
unconditionally would be fine even for older kernels, but if somebody
backports the direction patches, the installation of outbound SAs might
fail if the replay window is not adjusted accordingly.
2024-08-07 14:41:28 +02:00
Tobias Brunner
661f6bd0ad
kernel-netlink: Add SA direction attribute
2024-08-07 14:41:28 +02:00
Tobias Brunner
2601fabbb4
kernel-netlink: Only disable DF-flag copying on outbound SAs
This will cause errors on inbound SAs if the SA direction attribute is
used.
2024-08-07 14:41:28 +02:00
Tobias Brunner
dc8fa1b3e8
kernel-netlink: Add missing names for XFRM message types and attributes
2024-08-07 14:41:28 +02:00
Tobias Brunner
b05628dd2d
include: Update XFRM header for SA direction attribute
2024-08-07 14:41:28 +02:00
Thomas Egerer
84bd011752
ike-sa: Add address family specific configuration of fragment size
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
2024-08-07 14:19:41 +02:00
Tobias Brunner
9b9cf2001f
android: Fix import of an already existing VPN profile
2024-08-07 08:58:12 +02:00
Tobias Brunner
740cbb2c0a
Merge branch 'android-14'
Updates target SDK to Android 14 (34) and fixes compatibility issues.
android-2.5.2
2024-08-06 18:02:18 +02:00
Tobias Brunner
fe1c9dedb7
android: New release after updating target SDK and fixing some compatibility issues
2024-08-06 18:01:54 +02:00
Tobias Brunner
6064209872
android: Increase targetSdkVersion to 34 (Android 14)
2024-08-06 18:01:54 +02:00
Tobias Brunner
880e273985
android: Avoid using deprecated ViewCompat methods
2024-08-06 18:01:54 +02:00
Tobias Brunner
01c81ca15f
android: Replace deprecated Observer/Observable with PropertyChangeListener etc.
Kinda misusing the interface as there is no specific property, but
otherwise seems like a 1:1 replacement.
2024-08-06 18:01:54 +02:00
Tobias Brunner
51f746161d
android: Add workaround for a bug preventing background service starts from TileService
When targeting Android 14, we get a "Background activity launch blocked!"
exception when trying to start the connection in the background (closing
the drawer works). Which is apparently a bug:
https://issuetracker.google.com/issues/305035828
The workaround here is kinda ugly. In particular, because it's not
possible anymore since a few versions to open a dialog that allows users
to directly grant the required permission to the app. We can only open
the generic settings dialog where users have to search for the app and
grant the permission themselves (we could add a dialog with an explanation
similar to the one for the power whitelist if necessary). Hopefully this
gets fixed at some point (the current beta of Android 15 still has the
same bug, though).
2024-08-06 18:01:54 +02:00
Tobias Brunner
3286f75ffe
android: Use PendingIntent-version of startActivityAndCollapse()
The other version has been deprecated and throws an exception when
targeting Android 14+.
2024-08-06 18:01:54 +02:00
Tobias Brunner
38160c5cb7
android: Explicitly mark receiver as not exported during registration
2024-08-06 18:01:54 +02:00
Tobias Brunner
9c4ceced1c
android: Declare foreground service type for VpnService instance
Required for Android 14 (34). Since no other type fits we use specialUse,
which also requires a new permission and a description for why we use it.
2024-08-06 18:01:54 +02:00
Tobias Brunner
4f2e65f3d0
android: Fix label for name field in managed profiles
The field is not actually optional.
2024-08-06 18:01:54 +02:00
Tobias Brunner
81041b55d2
android: Fix crash when opening list of apps for new profiles
Fixes: 150dc5ab6401 ("android: Make selected apps read-only")
2024-08-06 18:01:54 +02:00
Tobias Brunner
8a14c20ec7
android: Update dependencies
2024-08-06 18:01:54 +02:00
Tobias Brunner
7b78e35ff6
android: Update Gradle plugin
2024-08-06 18:01:54 +02:00
Matteo Carnelos
bed04baf21
init: Add Wants= dependencies to systemd units
If no other units have dependencies on network-online.target or
syslog.target they might not get initialized resulting in a possibly
non-ideal startup order.
Closes strongswan/strongswan#2279
2024-08-06 15:16:30 +02:00
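As an added illustration of the point in that commit message (this is not code from the strongSwan repository or from the commit itself), here is a systemd drop-in with the ordering-only form beside the corrected form. The unit name strongswan.service and the drop-in file name deps.conf are assumptions; the drop-in directory follows systemd's standard override convention.

```ini
# Added example, not part of the strongSwan repository. Assumes the unit is
# strongswan.service; the drop-in path follows systemd's override convention:
#   /etc/systemd/system/strongswan.service.d/deps.conf
#
# Ordering only: After= says "if these units are started too, start them
# first", but it does not pull them in. network-online.target is a passive
# target that is only activated when some unit wants it, so with After= alone
# the daemon can start before the network is actually up.
#
# [Unit]
# After=network-online.target syslog.target
#
# Corrected: Wants= pulls the targets into the same start-up transaction
# (unlike Requires=, the service still starts if a wanted unit fails), and
# After= keeps the ordering relative to them.
[Unit]
Wants=network-online.target syslog.target
After=network-online.target syslog.target
```

After placing the drop-in, run `systemctl daemon-reload`, then check that the targets are now pulled in with `systemctl list-dependencies strongswan.service`; `systemctl show -p Wants,After strongswan.service` prints both lists so the ordering-only and pull-in relationships can be compared directly.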
Tobias Brunner
59a4c9c416
ike-auth: Default IDi/IDr to subject DN instead of IP if a certificate is available
This avoids sending a likely unconfirmed identity if no identity is
configured and received (in case of IDr).
Closes strongswan/strongswan#2353
2024-07-30 14:27:15 +02:00