aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* testing: Fix ALLOWED_HOSTS in strongTNC settings.iniTobias Brunner2017-02-162-2/+2
|
* testing: Fix swanctl/ocsp-disabled scenario after changing the log messagesTobias Brunner2017-02-161-2/+2
|
* revocation: More accurately describe the flags to disable OCSP/CRL validationTobias Brunner2017-02-152-10/+9
| | | | | | These options disable validation as such, e.g. even from cached CRLs, not only the fetching. Also made the plugin's validate() implementation a no-op if both options are disabled.
* child-sa: Do not install mark on inbound kernel SAEyal Birger2017-02-141-4/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | The SA ID (src, dst, proto, spi) is unique on ingress. As such, explicit inbound marking is not needed to match an SA. On the other hand, requiring inbound SAs to use marks forces the installation of a mechanism for marking traffic (e.g. iptables) based on some criteria. Defining the criteria becomes complicated, for example when required to support multiple SAs from the same src, especially when traffic is UDP encapsulated. This commit removes the assignment of the child_sa mark_in to the inbound SA. Policies can be arbitrated by existing means - e.g, via netfilter policy matching or using VTI interfaces - without the need to classify the flows prior to state matching. Since the reqid allocator regards the mark value, there is no risk of matching the wrong policy. And as explicit marking was required for route-based VPN to work before this change, it should not cause regressions in existing setups. Closes strongswan/strongswan#59.
* unit-tests: Allow default test timeout to be configured via compile optionThomas Egerer2017-02-141-0/+2
| | | | Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* tkm: Fix get_auth_octets() signatureTobias Brunner2017-02-131-1/+2
| | | | Fixes: 267c1f7083d4 ("keymat: Allow keymat to modify signature scheme(s)")
* kernel-netlink: Use RTA_SRC to specify route source in kernel-based lookupsMartin Willi2017-02-131-1/+8
| | | | | | | For table dumps the kernel accepts RTA_PREFSRC to filter the routes, which is what we do when doing userspace route calculations. For kernel-based route lookups, however, the RTA_PREFSRC attribute is ignored and we must specify RTA_SRC for policy based route lookups.
* kernel-netlink: Use kernel-based route lookup if we do not install routesMartin Willi2017-02-131-1/+11
| | | | | | | | | | | | For gateways with many connections, installing routes is often disabled, as we can use a static route configuration to achieve proper routing with a single rule. If this is the case, there is no need to dump all routes and do userspace route lookups, as there is no need to exclude routes we installed ourself. Doing kernel-based route lookups is not only faster with may routes, but also can use the full power of Linux policy based routing; something we can hardly rebuild in userspace when calculating routes.
* swanctl: List CHILD_SA marks, if setMartin Willi2017-02-131-0/+18
|
* vici: Include the Netfilter marks in listed CHILD_SAsMartin Willi2017-02-132-0/+19
|
* vici: Explicitly set the Python encoding typeMartin Willi2017-02-131-4/+4
| | | | | | | | | | When using vici over RPyC and its (awesome) splitbrain, encoding and decoding strings fails in vici, most likely because of the Monkey-Patch magic splitbrain uses. When specifying the implicit UTF-8 as encoding scheme explicitly, Python uses the correct method to encode/decode the string, making vici useable in splitbrain contexts.
* Merge branch 'mid-sync'Tobias Brunner2017-02-0815-7/+1016
|\ | | | | | | | | | | Adds support for handling IKEV2_MESSAGE_ID_SYNC notifies as responder (usually the original initiator) as defined in RFC 6311. Some HA solutions use these notifies to set the new IKEv2 message IDs after a failover event.
| * unit-tests: Add test cases for MID sync exchangesTobias Brunner2017-02-083-0/+537
| |
| * ikev2: Ignore IKEV2_MESSAGE_ID_SYNC notifies if extension is disabledTobias Brunner2017-02-082-10/+37
| | | | | | | | | | | | | | | | | | | | If this is the first message by the peer, i.e. we expect MID 0, the message is not pre-processed in the task manager so we ignore it in the task. We also make sure to ignore such messages if the extension is disabled and the peer already sent us one INFORMATIONAL, e.g. a DPD (we'd otherwise consider the message with MID 0 as a retransmit).
| * ikev2: Don't increase expected MID after handling MID sync messageTobias Brunner2017-02-082-3/+4
| | | | | | | | | | | | | | | | If the responder never sent a message the expected MID is 0. While the sent MID (M1) SHOULD be increased beyond the known value, it's not necessarily the case. Since M2 - 1 would then equal UINT_MAX setting that MID would get ignored and while we'd return 0 in the notify we'd actually expect 1 afterwards.
| * ikev2: Don't cache response to MID sync requestTobias Brunner2017-02-081-1/+11
| |
| * ikev2: Accept INFORMATIONAL messages with MID 0 if used to sync MIDsTobias Brunner2017-02-081-3/+42
| | | | | | | | | | | | We are very picky to only allow MID 0 for these messages (while we currently don't support IPSEC_REPLAY_COUNTER_SYNC notifies we accept them).
| * ikev2: Negotiate support for IKE message ID synchronisation during IKE_AUTHTobias Brunner2017-02-082-0/+12
| |
| * ikev2: Add task to handle IKEV2_MESSAGE_ID_SYNC notifies as responderTobias Brunner2017-02-087-0/+343
| |
| * ike: Publish getter for the current message ID on IKE_SATobias Brunner2017-02-082-1/+19
| |
| * ike: Add getter for the current message ID to task managerTobias Brunner2017-02-083-1/+23
|/
* Merge branch 'bypass-lan'Tobias Brunner2017-02-0814-0/+907
|\ | | | | | | | | | | | | Adds a new plugin that automatically installs and updates bypass policies for locally attached subnets. This is useful for laptops etc. that are used in different networks and prefer maintaining access to local hosts (e.g. network printers or NAS) while connected to a VPN.
| * kernel-pfroute: Implement enumeration of local subnetsTobias Brunner2017-02-081-0/+194
| |
| * bypass-lan: Allow ignoring or only considering subnets of specific interfacesTobias Brunner2017-02-085-6/+102
| | | | | | | | The config can also be reloaded by sending a SIGHUP to charon.
| * bypass-lan: Configure interface on bypass policyTobias Brunner2017-02-081-1/+6
| | | | | | | | | | Currently, only the kernel-netlink plugin supports this, the others will just ignore it.
| * kernel-netlink: Return interface name in local subnet enumeratorTobias Brunner2017-02-081-5/+15
| |
| * kernel-interface: Add interface name to local subnet enumeratorTobias Brunner2017-02-084-4/+10
| |
| * bypass-lan: Add plugin that installs bypass policies for locally attached ↵Tobias Brunner2017-02-087-0/+437
| | | | | | | | subnets
| * kernel-netlink: Implement enumerator for local subnetsTobias Brunner2017-02-081-0/+130
| |
| * kernel-interface: Add method to enumerate locally attached subnetsTobias Brunner2017-02-083-0/+29
|/
* kernel-pfkey: Use the same priority range for trap and regular policiesTobias Brunner2017-02-081-15/+15
| | | | Same as the change in the kernel-netlink plugin.
* kernel-netlink: Use the same priority range for trap and regular policiesTobias Brunner2017-02-081-14/+14
| | | | | | | | | | | | | While trap and regular policies now often look the same (mainly because reqids are kept constant) trap policies still need to have a lower priority than regular policies to handle unroute/route correctly if e.g. IPComp is used or the mode changes. But if we use a completely different priority range that's lower than that of regular policies it is not possible to install overlapping trap policies. By differentiating trap from regular policies via the priority's LSB this issue is avoided while still maintaining the proper ordering of trap and regular policies. Fixes #1243.
* kernel-netlink: Fix spacing in log message when policy is unchangedTobias Brunner2017-02-081-1/+1
|
* ikev1: Factor out IV and QM managementTobias Brunner2017-02-086-261/+500
| | | | This simplifies implementing a custom keymat_v1_t.
* keymat: Allow keymat to modify signature scheme(s)Thomas Egerer2017-02-089-20/+52
| | | | Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* forecast: Mark correct port in UDP NAT-T ruleJames Laird-Wah2017-02-081-1/+1
| | | | Closes strongswan/strongswan#62.
* android: New release after adding translation for Simplified ChineseTobias Brunner2017-02-071-2/+2
|
* android: Add translation for Simplified ChineseTobias Brunner2017-02-076-4/+180
| | | | Courtesy of Yick Xie.
* settings: Fix purge if order differs from alphabetical orderTobias Brunner2017-02-071-1/+1
|
* eap-dynamic: Publish the get_auth() method of the wrapped EAP methodTobias Brunner2017-02-071-0/+12
| | | | Fixes #2238.
* pkcs11: Fix documentation of load_certs optionTobias Brunner2017-02-061-2/+8
| | | | This option is actually module-specific.
* ike-auth: Don't send INITIAL_CONTACT if remote ID contains wildcardsTobias Brunner2017-02-061-1/+2
| | | | | | Such an identity won't equal an actual peer's identity resulting in sending an INITIAL_CONTACT notify even if there might be an existing IKE_SA.
* proposal: Copy SPI and proposal number from correct proposal in select()Tobias Brunner2017-02-065-8/+47
| | | | | | | | If charon.prefer_configured_proposals is disabled select() is called on the received proposal. This incorrectly set the SPI to 0 as the configured proposal has no SPI set. Fixes #2190.
* kernel-netlink: Set NODAD flag for virtual IPv6 addressesTobias Brunner2017-02-061-10/+16
| | | | | | | The Optimistic Duplicate Address Detection (DAD) seems to fail in some cases (`dadfailed` in `ip addr`) rendering the virtual IP address unusable. Fixes #2183.
* kernel-netlink: Prefer matching label when selecting IPv6 source addressesTobias Brunner2017-02-061-3/+78
| | | | | | | | This implements rule 6 of RFC 6724 using the default priority table, so that e.g. global addresses are preferred over ULAs (which also have global scope) when the destination is a global address. Fixes #2138.
* kernel-netlink: Use correct 4 byte alignment for AH with IPv4Tobias Brunner2017-01-251-0/+5
| | | | | | | | By default, the kernel incorrectly uses an 8 byte alignment, which is mandatory for IPv6 but prohibited for IPv4. For many algorithms this doesn't matter but that's not the case for HMAC_SHA2_256_128. Since 2.6.39 the kernel can be explicitly configured to use a 4 byte alignment.
* kernel-netlink: Allow change of Netlink socket receive buffer sizeThomas Egerer2017-01-252-0/+61
| | | | Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* kernel-pfkey: Set state to SADB_SASTATE_MATURE when adding/updating SAsTobias Brunner2017-01-251-0/+2
| | | | | | | Picky kernels might otherwise reject our messages as RFC 2367 explicitly mandates this. Fixes #2212.
* kernel-pfroute: Don't set a gateway if it is of a different address family ↵Tobias Brunner2017-01-251-1/+2
| | | | than the destination
* libipsec: Add support for AES and Camellia in CCM modeTobias Brunner2017-01-251-3/+16
| | | | Fixes #2172.
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-13 10:47:11 +0000