11026 Commits

Author SHA1 Message Date
Tobias Brunner
fa1d3d39dc left|rightrsasigkey accepts SSH keys but the key format has to be specified explicitly
The default is now PKCS#1. With the dns: and ssh: prefixes other formats
can be selected.
2013-05-07 15:38:28 +02:00
Tobias Brunner
cc4408abcb sshkey: Added builder for SSHKEY RSA keys 2013-05-07 15:38:28 +02:00
Tobias Brunner
584d656b77 Add sshkey plugin stub that will parse RFC 4253 public keys 2013-05-07 14:08:51 +02:00
Tobias Brunner
c0bbddfa42 Try to load raw keys from ipsec.conf as PKCS#1 blob first
The DNSKEY builder is quite eager and parses pretty much anything
as RSA key, so this has to be done before.
2013-05-07 14:08:51 +02:00
Tobias Brunner
ee7b73832c charon-cmd: Add --agent option to authenticate using ssh-agent(1)
The socket path is read from the SSH_AUTH_SOCK environment variable.
So using this with sudo might require the -E command line (or an appropriate
sudoers config) to preserve the environment.
2013-05-07 14:08:51 +02:00
Tobias Brunner
4dc50bf9de charon-cmd: Use loose matching of gateway identity 2013-05-07 13:53:48 +02:00
Tobias Brunner
8372b8fc54 charon-cmd: Load pubkey plugin to load raw keys 2013-05-07 13:46:02 +02:00
Tobias Brunner
e74bca9e19 testing: Don't run tests when building tkm
The problem with XML/Ada described in 9c2aba27 actually occurs when
running the tests here.

Really fixes #336.
2013-05-07 10:19:37 +02:00
Tobias Brunner
9c2aba2735 testing: Don't run tests when building tkm-rpc
There are issues with some versions of the XML/Ada library on i386,
blocking the build of the testing environment when these tests are run.
TKM tests won't work in such a case but at least make-testing does not
block with this patch.

Fixes #336.
2013-05-06 18:17:58 +02:00
Martin Willi
a8849e0713 Merge branch 'tun-vip'
Besides some OS X love, this merge introduces virtual IP and route installation
support on the pfkey/pfroute kernel interfaces.

Each virtual IP gets installed on a dedicated TUN device. As Linux-like source
routes are not supported, routes for the negotiated traffic selectors get
installed using the TUN device.

To prevent IKE packets from using those routes, special exclude routes get
installed to the IKE gateway. This works for most road-warrior deployments, but
certainly does not for some more exotic configurations, such as those using
virtual-IP-to-host. Mobility is not yet supported, either.
2013-05-06 17:07:36 +02:00
Martin Willi
c9a323c1d9 kernel-pfroute: allow only one thread to do a route look up simultaneously
Otherwise we mess up the sequence number another thread is waiting for.
2013-05-06 17:01:13 +02:00
Martin Willi
5c12700f9a kernel-interface: query SAD for last use time if SPD query didn't yield one 2013-05-06 17:01:13 +02:00
Martin Willi
bdaf9f97e6 child-sa: query SAD/SPD just for what we actually need to update statistics 2013-05-06 17:01:13 +02:00
Martin Willi
470aad7e0c kernel-pfkey: be less verbose about unexpected sequence numbers 2013-05-06 17:01:13 +02:00
Martin Willi
df919d50d0 kernel-pfkey: install exclude routes if kernel-net requires them 2013-05-06 17:01:13 +02:00
Martin Willi
580b768d03 kernel-pfroute: add a feature flag requesting "exclude" routes
If routes installed along with policies covering the peer address affect local
IKE/ESP packets, they won't get routed correctly. To work around this issue,
the kernel interface can install "exclude" routes for the IKE peer. Not all
networking backends require this workaround, hence we export a flag for it
if it is required.
2013-05-06 17:01:13 +02:00
Martin Willi
bd520193a4 kernel-pfroute: remove unused interface address refcounting 2013-05-06 17:01:13 +02:00
Martin Willi
77b6f19694 kernel-pfroute: mark IPs installed on tun device as virtual 2013-05-06 17:00:55 +02:00
Martin Willi
2a2d7a4dc8 kernel-pfroute: install virtual IPs using dedicated tun devices 2013-05-06 16:10:13 +02:00
Martin Willi
ca4a14ae83 kernel-pfkey: when installing a route for a virtual IP, use its interface
When installing a route over a tun device for a virtual IP, the route must
be set over the tun, not the IKE interface.
2013-05-06 16:10:13 +02:00
Martin Willi
f52cf07532 kernel-interface: get_address_by_ts() can tell if a returned IP is virtual 2013-05-06 16:10:13 +02:00
Martin Willi
1a2a8bffed kernel-interface: support enumeration of virtual-only IPs 2013-05-06 16:10:13 +02:00
Martin Willi
5f7f8c92ca kernel-pfkey: refactor route installation to a dedicated function 2013-05-06 16:10:13 +02:00
Martin Willi
121783035c kernel-pfroute: split /0 routes to avoid conflict with default route 2013-05-06 16:10:13 +02:00
Martin Willi
f8646dd65e kernel-pfkey: check if we have a gateway before comparing them 2013-05-06 16:10:13 +02:00
Martin Willi
d4260c5f7f kernel-pfkey: install route along with input, not forward policies
As forwarding policies are not available on all systems (OS X), using the
forward policy to attach the route is a bad pick. Using input policies allows
OS X to install routes.
2013-05-06 16:10:13 +02:00
Martin Willi
6e879a59fc kernel-pfroute: rescan address list for an interface if its state changes
It seems that we don't get address notifications if the interface is down
on OS X.
2013-05-06 16:10:13 +02:00
Martin Willi
0fd409db77 kernel-pfroute: add newly appearing interfaces to the interface cache 2013-05-06 16:10:12 +02:00
Martin Willi
9bc342eae4 kernel-pfroute: implement get_nexthop() 2013-05-06 16:10:12 +02:00
Martin Willi
272bcac894 kernel-pfroute: install and uninstall routes 2013-05-06 16:10:12 +02:00
Martin Willi
3a7f4b5c8d kernel-pfroute: collect replies received for our own queries 2013-05-06 16:10:12 +02:00
Martin Willi
b1c6b68e4c kernel-pfroute: refactor PF_ROUTE message processing, use an enumerator 2013-05-06 16:10:12 +02:00
Martin Willi
889efae4cf kernel-pfkey: use an int to set esp_port with a sysctl on OS X 2013-05-06 16:10:12 +02:00
Martin Willi
9650bf3cc7 kernel-pfroute: use INIT() macro for allocations 2013-05-06 16:10:12 +02:00
Martin Willi
0e107f03ac kernel-pfroute: use only a single PF_ROUTE socket for both events and queries 2013-05-06 16:10:12 +02:00
Martin Willi
e8002956c9 kernel-pfroute: fix length check when receiving PF_ROUTE messages 2013-05-06 16:10:12 +02:00
Martin Willi
64f309e735 kernel-pfkey: remove obsolete pluto specific behavior 2013-05-06 16:10:12 +02:00
Martin Willi
bc6275d21c kernel-netlink: remove obsolete pluto specific behavior 2013-05-06 16:10:11 +02:00
Martin Willi
2af65b26d9 tun_device: add a getter for the address previously passed to set_address() 2013-05-06 16:10:11 +02:00
Martin Willi
60babe0236 tun_device: add a getter for the underlying file descriptor 2013-05-06 16:10:11 +02:00
Martin Willi
d947d0d61a tun-device: use host_create_netmask() to calculate interface netmask 2013-05-06 16:10:11 +02:00
Martin Willi
2d8a01d1c6 host: add a netmask constructor taking the number of network bits 2013-05-06 16:10:11 +02:00
Martin Willi
4dc83e9fac host: remove unused host_t.get_differences() method 2013-05-06 16:10:11 +02:00
Martin Willi
7749eb0d2a host: print %#H format specifiers not as %any, but with the port 2013-05-06 16:10:11 +02:00
Martin Willi
344a4e54be host: initialize sockaddr->sa_len if it is available 2013-05-06 16:10:11 +02:00
Martin Willi
60ed88b2c7 child-sa: pass traffic selector to add_sa() regardless of IPsec mode
This lets the kernel backend decide what to do with it, and in fact all kernel
interfaces already handle this correctly.
2013-05-06 16:10:11 +02:00
Martin Willi
dc35d097b3 socket-default: to bind to one dynamic port on OS X, create v4 socket before v6
It seems that the order of binding sockets of different address families to the
same dynamic port must be v6-before-v4 on Linux, but v4-before-v6 on OS X.
2013-05-06 16:10:11 +02:00
Martin Willi
a30727fe2b socket-default: refactor socket pair opening to a function 2013-05-06 16:10:11 +02:00
Martin Willi
6948df3220 socket-default: Don't try to send a packet if we don't have a socket for the given family 2013-05-06 16:10:10 +02:00
Martin Willi
e9326eba13 socket-default: Use -1 if socket is not available, as 0 is actually a valid fd 2013-05-06 16:10:10 +02:00