Commit message | Author | Age | Files | Lines

Because this->thread is also read by threads that don't hold the
mutex, the previous implementation was problematic (especially since
pthread_t is an opaque type of unknown length).
Fixes #654.

It seems libcurl does not always return an error message.

Listing test suites in TESTS_SUITES_EXCLUDE allows excluding specific
test suites from running.

Fixes #688.

This won't hurt as long as sets and validators are of the same class.
But as soon as the class of one of the objects is changed, this will
either cause a compile error (best option) or (most likely) result in a
crash.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>

The adopt_children_job_create() function is not available when IKEv1 support
is disabled. Fixes uncommon builds using --enable-ha --disable-ikev1.
Fixes #690.

With the unity plugin enabled and both peers sending the Unity Vendor ID,
we proposed 0.0.0.0/0 as traffic selector, even if no Split-Include had been
received on the SA. This can break compatibility with some responders, as
they don't narrow the TS themselves, but expect the configured TS.

Since the narrow hook types reflect the roles in the Quick Mode exchange,
the plugin behaved incorrectly if the server initiated the CHILD_SA
rekeying.

Fixes IKEv1 re-authentication when using push mode by reassigning the same
IP lease to the client.

When an initiator starts reauthentication on a connection that uses push
mode to assign a virtual IP, we can't execute the Mode Config before releasing
the virtual IP. Otherwise we would request a new and different lease, which
the client probably can't handle. Defer Mode Config execution, so the same IP
gets first released then reassigned during reauthentication.

If a peer immediately sends DELETE messages when completing Quick Mode rekeying,
the third Quick Mode message and the DELETE are sent simultaneously. This
implies that DELETE messages may arrive before the completing third Quick Mode
message.
Handle this case by ignoring the DELETE INFORMATIONAL in Quick Mode and let
the delete task handle it.

This should avoid errors such as the one fixed with 118b2879.

These are useful to assert constants during build time. We evaluate the
expression to 0 when valid, so we can safely use the evaluated value.

As we use libstrongswan and expect that it still works after the fork, we
can't just closefrom() all file descriptors. Watcher, for example, uses
a pipe to notify FDSET changes, which must be kept open.
Reverts 652ddf5ce2fad08f6569096dd56a821500cc5ba4.

To check if a received IKE_SA_INIT request is a new request or a
retransmit, charon maintains hashes of the pending IKE_SA_INIT
exchanges.
However, the hash calculation is not reentrant because a single hasher
is used for the whole IKE SA manager. It leads to bogus calculations
under high load and hence dropped messages on the responder
(IkeInInvalidSpi incremented).
Don't share a single hasher in the IKE SA manager, create a transient
one whenever a message must be hashed.
Signed-off-by: Christophe Gouault <christophe.gouault@6wind.com>

To avoid any race conditions when multiple threads call and initialize
diffie_hellman_get_params(), explicitly examine the optimum DH exponent size
during library initialization.
Fixes #655.

The condvar is signaled for every handled message received from the
kernel not only for replies (this changed with 2a2d7a4dc8). This may
cause segfaults because this->reply is not set when the waiting thread is
woken due to an IP address change.
Since this->reply is only set when it is actually the expected reply (and
only one request is sent at a time, thanks to c9a323c1d9) we only have
to make sure the reply is there (and clear it once we handled it).
Using separate condvars could also be an option in the future.

This seems to be required on CentOS 6.5.

This makes sure the user has time to set breakpoints etc. before it runs
charon under gdb.

Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>

The package/library is called libjson-c on recent distributions.
Some like Ubuntu 14.04 provide symlinks with the old name but these
will eventually disappear. Using pkg-config allows us to easily check
for it (with a fallback) and configure the proper compiler flags.
Fixes #663.

This will result in an infinite loop as packets sent over that socket
will again pass through the TUN device and the DNS proxy.
Apparently, bypassing fails when airplane mode is enabled.
Fixes #662.

Adds a DNS proxy feature that uses VPN-protected sockets to resolve the
VPN gateway's hostname while reestablishing the IKE_SA, which is
required because we keep the TUN device up to avoid leaking plaintext
traffic.
The TUN device is recreated without DNS servers before reestablishing in
case the VPN server pushed DNS servers to the client that are only
reachable via VPN.
Fixes #622.

reestablishing
The IKE_SA is destroyed anyway, so letting the GUI remain in
"connecting" state would be incorrect.
We still use keyingtries=0 for now, though. And we still abort after the
first failed attempt initially, in case there is a configuration error.

Since VpnStateService.disconnect() is now not called until the error
dialog is dismissed, the daemon would continue to try connecting.
So while the error dialog is shown the connection might actually be
successfully established in the background, which is not intended.
This way the IKE_SA is destroyed right after sending the IKE_SA_INIT of
the second connection attempt (due to keyingtries=0).

If specified, only queries for a list of allowed host names will be
proxied.

This enables DNS resolution while reestablishing if the VPN gateway pushed
DNS servers to the client that are only reachable via VPN.

Non-DNS data is cached in the BuilderAdapter so the TUN device can be
recreated easily (since the CHILD_SA is gone we couldn't actually gather
that information).

The old hook is renamed to ike_reestablish_post and is now also called
when the initiation of the new IKE_SA failed.

This class proxies DNS requests over VPN-protected UDP sockets.
It is not really Android specific and might be useful for
kernel-libipsec or libipsec in general too, so we could maybe move it later
to libipsec (might need some portability work).

The GUI reflects the state of the IKE daemon more closely by switching
back to the "connecting" state when the IKE_SA or CHILD_SA is down and
is getting reestablished.
Fixes #616.

If e.g. reauthentication fails we don't want to close the TUN device
until the user has acknowledged the error and is thus aware of the failure.