aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* swanctl: Fix documentation of options for send_cert settingTobias Brunner2014-07-281-4/+4
|
* android: New release after adding certificate import, DNS proxy and GUI changesTobias Brunner2014-07-221-2/+2
|
* Merge branch 'android-dns-proxy'Tobias Brunner2014-07-2216-30/+1215
|\ | | | | | | | | | | | | | | | | | | | | | | | | Adds a DNS proxy feature that uses VPN-protected sockets to resolve the VPN gateway's hostname while reestablishing the IKE_SA, which is required because we keep the TUN device up to avoid leaking plaintext traffic. The TUN device is recreated without DNS servers before reestablishing in case the VPN server pushed DNS servers to the client that are only reachable via VPN. Fixes #622.
| * android: For keyingtries > 0 notify the GUI if the limit is reached when ↵Tobias Brunner2014-07-221-0/+17
| | | | | | | | | | | | | | | | | | | | reestablishing The IKE_SA is destroyed anyway, so letting the GUI remain in "connecting" state would be incorrect. We still use keyingtries=0 for now, though. And we still abort after the first failed attempt initially, in case there is a configuration error.
| * android: Terminate IKE_SA if initial IKE_SA_INIT failsTobias Brunner2014-07-221-1/+23
| | | | | | | | | | | | | | | | | | | | Since VpnStateService.disconnect() is now not called until the error dialog is dismissed the daemon would continue to try connecting. So while the error dialog is shown the connection might actually be successfully established in the background, which is not intended. This way the IKE_SA is destroyed right after sending the IKE_SA_INIT of the second connection attempt (due to keyingtries=0).
| * android: Only allow DNS queries for the configured hostnameTobias Brunner2014-07-221-0/+2
| |
| * android: Add optional filter functionality to DNS proxyTobias Brunner2014-07-222-3/+119
| | | | | | | | | | If specified only queries for a list of allowed host names will be proxied.
| * android: Recreate the TUN device without DNS when reestablishing IKE_SAsTobias Brunner2014-07-221-0/+38
| | | | | | | | | | This enables DNS resolution while reestablishing if the VPN gateway pushed DNS servers to the client that are only reachable via VPN.
| * android: Add method to BuilderAdapter to re-establish without DNS-related dataTobias Brunner2014-07-223-5/+113
| | | | | | | | | | | | Non-DNS data is cached in the BuilderAdapter so the TUN device can be recreated easily (since the CHILD_SA is gone we couldn't actually gather that information).
| * android: Use DNS proxy when reestablishing IKE_SAsTobias Brunner2014-07-221-4/+44
| |
| * bus: Add ike_reestablish_pre hook, called before DNS resolutionTobias Brunner2014-07-225-13/+74
| | | | | | | | | | The old hook is renamed to ike_reestablish_post and is now also called when the initiation of the new IKE_SA failed.
| * android: Add DNS proxy implementationTobias Brunner2014-07-223-0/+388
| | | | | | | | | | | | | | This class proxies DNS requests over VPN-protected UDP sockets. It is not really Android specific and might be useful for kernel-libipsec or libipsec in general too, so we could maybe move it later to libipsec (might need some portability work).
| * ip_packet: Add function to easily encode UDP packetsTobias Brunner2014-07-222-0/+29
| |
| * ip_packet: Apply transport protocol ports when encoding IP packetTobias Brunner2014-07-222-10/+30
| |
| * ip_packet: Add getter for IP payloadTobias Brunner2014-07-222-5/+25
| |
| * ip_packet: Allow creation of IP packets from dataTobias Brunner2014-07-222-1/+164
| |
| * chunk: Add function to calculate Internet Checksums according to RFC 1071Tobias Brunner2014-07-223-0/+105
| |
| * ip_packet: Parse ports from TCP and UDP headersTobias Brunner2014-07-221-7/+63
|/
* Merge branch 'android-state-updates'Tobias Brunner2014-07-223-12/+17
|\ | | | | | | | | | | | | | | The GUI reflects the state of the IKE daemon more closely by switching back to the "connecting" state when the IKE_SA or CHILD_SA is down and is getting reestablished. Fixes #616.
| * android: Delay disconnecting on errors until user dismisses themTobias Brunner2014-07-222-4/+6
| | | | | | | | | | If e.g. reauthentication fails we don't want to close the TUN device until the user acknowledged the error and is thus aware of the failure.
| * android: Set CHILD_STATE_DOWN when the IKE_SA gets reestablishedTobias Brunner2014-07-221-1/+7
| |
| * android: Set CHILD_STATE_DOWN whenever the CHILD_SA goes downTobias Brunner2014-07-221-6/+0
| | | | | | | | | | | | No matter what triggers it. We also don't close the TUN device, but we might handle that differently in the future to allow reestablishing the IKE_SA if host names have to be re-resolved via DNS.
| * android: Change to CONNECTING state if CHILD_SA goes downTobias Brunner2014-07-221-1/+4
|/ | | | | | Unless we are disconnecting. This currently triggers the connecting dialog, perhaps just updating the status text would do too (when switching from CONNECTED to CONNECTING, not from DISCONNECTED to CONNECTING).
* Merge branch 'android-cert-import'Tobias Brunner2014-07-2228-186/+1243
|\ | | | | | | | | | | | | | | | | Adds support to import CA and server certificate directly in the app. On Android 4.4 and newer the SAF allows users to easily browse for such files, on older systems they have to open them from file manager or the download app (only works if the MIME type is correctly detected). Also adds support for ECDSA keys on recent Android systems.
| * android: Do not use deprecated TwoLineListItemTobias Brunner2014-07-223-27/+28
| |
| * android: Add support for ECDSA private keysTobias Brunner2014-07-221-24/+99
| | | | | | | | With 4.4.4 these work fine now.
| * android: Show a confirmation dialog before importing certificatesTobias Brunner2014-07-222-14/+123
| | | | | | | | | | | | | | | | | | | | | | | | Since the import activity can be triggered by any other app on the system we shouldn't just import every certificate we get. Also, in some situations (e.g. if no passphrase has been set yet for the system-wide certificate store) we are the only application that can open certificate files. So if a user clicked on a certificate file she would just get a confirmation Toast about a successful import, with no indication whatsoever where the certificate was actually imported. The new dialog shows the app icon to indicate that strongSwan is involved.
| * android: Use Storage Access Framework to import certificatesTobias Brunner2014-07-223-17/+106
| | | | | | | | | | | | | | Thanks to the SAF, introduced with Android 4.4, browsing and opening files on the system is very easy to implement. On older systems the menu option is removed.
| * android: Add activity to import certificate filesTobias Brunner2014-07-227-0/+89
| | | | | | | | | | Such files can e.g. be opened from the Download view, if they are associated with one of the supported mime-types.
| * android: Imported certificates may be clicked to delete themTobias Brunner2014-07-227-1/+124
| |
| * android: Reload CA certificates without AsyncTaskTobias Brunner2014-07-222-26/+39
| | | | | | | | We already use loaders in the GUI that can handle this asynchronously.
| * android: Change how CA certificate reloads are initiatedTobias Brunner2014-07-222-9/+9
| |
| * android: Add option to reload CA certificates to TrustedCertificatesActivityTobias Brunner2014-07-227-5/+65
| |
| * android: Replace option to reload CA certificates with CA certificate viewTobias Brunner2014-07-222-13/+10
| | | | | | | | The reload option will be added there.
| * android: Only close TrustedCertificatesActivity on click when selecting a ↵Tobias Brunner2014-07-221-6/+11
| | | | | | | | certificate
| * android: Set action when using TrustedCertificatesActivity to select a ↵Tobias Brunner2014-07-222-0/+3
| | | | | | | | certificate
| * android: Allow selection of local certificatesTobias Brunner2014-07-227-19/+31
| |
| * android: Change how CA certificates from different sources are accessedTobias Brunner2014-07-222-32/+25
| |
| * android: Cache certificates from multiple KeyStoresTobias Brunner2014-07-221-40/+60
| | | | | | | | Including the new local one.
| * android: Register local certificate store provider when the app is initializedTobias Brunner2014-07-221-0/+8
| |
| * android: Add Provider for the local certificate storeTobias Brunner2014-07-221-0/+29
| |
| * android: Add KeyStoreSpi implementation that uses LocalCertificateStoreTobias Brunner2014-07-221-0/+139
| |
| * android: Add local certificate storeTobias Brunner2014-07-221-0/+230
| | | | | | | | | | The class manages certificates stored in files within the app's private data directory.
| * android: Move TrustedCertificateEntry to a new packageTobias Brunner2014-07-225-5/+5
| |
| * android: Subclass Application to provide static access to the application ↵Tobias Brunner2014-07-222-0/+41
| | | | | | | | context
| * android: Target latest SDK versionTobias Brunner2014-07-222-2/+2
| |
| * android: Add utility method to convert a byte array to a hex stringTobias Brunner2014-07-221-0/+40
| |
| * android: Remove unused hash argument from getTrustedCertificates()Tobias Brunner2014-07-222-25/+6
| |
| * android: Use correct tag to define category for CREATE_SHORTCUT intent-filterTobias Brunner2014-07-221-1/+1
|/
* starter: Fix memory leaks and warn if conn/ca sections are ignored due to ↵Tobias Brunner2014-07-181-2/+8
| | | | parse errors
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-08 03:24:46 +0000