Commit message | Author | Age | Files | Lines

Requires an updated build script for Vstr.
This avoids huge warnings when building the native code.
This allows IPv6 over IPv4 but falls back nicely if we don't get a
virtual IPv6 (or IPv4) address.
This might happen on Android if sockets are bound to the physical IP
address but packets are still routed via the TUN device. Since it seems to
happen quite often (or for stuff that requires regular traffic), this
hides these messages from the default log.
Seems to work correctly with recent MySQL versions.
This ensures the NM-specific credential set is unloaded before any
implementation of certificate/key objects, which causes a segmentation
fault during shutdown.
This is not required as we install our own (narrow) route(s) in our own
routing table. This should allow split tunneling if configured on the
gateway.
NM will install this address on the provided device.
NetworkManager modifies the addresses etc. on this interface so using
"lo" is not optimal. With the dummy interface NM is free to do its
thing.
When the monotonic timer is initialized to 0 right after the system is
booted, the daemon responded with COOKIEs for COOKIE_CALMDOWN_DELAY (10s).
Since the COOKIE verification code actually produces an overflow for
COOKIE_LIFETIME (10s), it wouldn't even accept properly returned COOKIEs.
Checking for last_cookie makes sense anyway, as that condition must only
apply if we actually sent a COOKIE before.
e0efd7c1 switches to automated job rescheduling for HA heartbeat. However,
send_status() is initially called directly, which will not reschedule the job
as required.
This adds charon-tkm, a special build of the charon IKEv2 daemon that delegates
security critical operations to a separate process (TKM = Trusted Key Manager).
Make the TKM private and public keys more easily extendable by
determining the associated key type dynamically.
The TKM credential encoder creates fingerprints of type
KEYID_PUBKEY_INFO_SHA1 and KEYID_PUBKEY_SHA1 using
CRED_PART_RSA_PUB_ASN1_DER.
This makes the pkcs1 plugin unnecessary.
Two transport connections to gateway sun are set up, one from client
carol and the other from client dave. The gateway sun uses the Trusted
Key Manager (TKM) and is the responder for both connections. The
authentication is based on X.509 certificates. In order to test the
connections, both carol and dave ping gateway sun.
A connection between the hosts moon and sun is set up. The host moon
uses the Trusted Key Manager (TKM) and is the initiator of the transport
connection. The authentication is based on X.509 certificates.
This script can be used in pretest.dat files to wait until a given file
appears.
Load the complete kernel_netlink plugin instead. Registering the TKM
specific plugins first still ensures that the correct ipsec plugin
is used.
Lazily initialize the RNG_WEAK plugin to avoid the unsatisfiable
soft dependency on startup.
This fixes the problem of stroke being unable to load the CA
certificates on startup.
An ALERT_KEEP_ON_CHILD_SA_FAILURE alert is issued when child SA establishment
fails but the corresponding IKE SA is not destroyed. To allow later creation
of child SAs, the ISA context must be signaled that the implicit first child SA
creation was skipped.
The IKE and EES sockets are now read from strongswan.conf. They can be
specified like this:

    charon-tkm {
        ike_socket = /tmp/tkm.rpc.ike
        ees_socket = /tmp/tkm.rpc.ees
    }

The socket names given above are used by default if none are configured.
The TKM credential set extends the in-memory credential set. It
provides a private key enumerator which is used to instantiate private
key proxy objects on-demand. This allows the usage of private keys with
arbitrary identifiers.