Commit message | Author | Age | Files | Lines
...
* conf: Fix declaration of default values for imc-hcd options
  Tobias Brunner | 2015-08-27 | 1 file | -5/+5

* starter: Remove documentation for starter.load option
  Tobias Brunner | 2015-08-27 | 1 file | -3/+0

* eap-ttls: Limit maximum length of tunneled EAP packet to EAP-TTLS packet
  Tobias Brunner | 2015-08-27 | 1 file | -1/+8

* trap-manager: Cleanup local address in error cases
  Tobias Brunner | 2015-08-27 | 1 file | -0/+2

* imv-os: Properly free strings for invalid input in pacman
  Tobias Brunner | 2015-08-27 | 1 file | -0/+11

* ha: Close control FIFO if it is not valid
  Tobias Brunner | 2015-08-27 | 1 file | -0/+4

* swanctl: Correctly build man page in out-of-tree builds from the repository
  Tobias Brunner | 2015-08-27 | 1 file | -1/+1

* Fixed some typos, courtesy of codespell
  Tobias Brunner | 2015-08-27 | 3 files | -3/+3

* Fix some Doxygen issues
  Tobias Brunner | 2015-08-27 | 7 files | -8/+11

* unit-tests: Additional test cases to increase coverage
  Tobias Brunner | 2015-08-27 | 2 files | -9/+611

* traffic-selector: Use calc_netbits() in RFC 3779 constructor
  Tobias Brunner | 2015-08-27 | 1 file | -2/+1

    This properly detects prefixes encoded as ranges.

* ike: Fix half-open count for initiating SAs when initially checked in
  Tobias Brunner | 2015-08-27 | 1 file | -0/+6

* ike: Only consider number of half-open SAs as responder when deciding whether COOKIEs are sent
  Tobias Brunner | 2015-08-27 | 6 files | -19/+45

* Version bump to 5.3.3rc1
  Andreas Steffen | 2015-08-25 | 1 file | -1/+1

* Added some spaces in swanctl.conf
  Andreas Steffen | 2015-08-25 | 2 files | -8/+8

* vici: Handle closed sockets in the Ruby gem
  Evan Broder | 2015-08-24 | 1 file | -1/+5

    From recvfrom(2) (which UDPSocket#recv backs into):

        The return value will be 0 when the peer has performed an orderly
        shutdown.

    (i.e. it will return an empty string)

    Previously in this scenario, Vici::Transport#recv_all would spin forever
    trying to pull more data off the socket.

    I'm not entirely clear what happened that caused strongSwan to shut down
    the socket, but it probably should not cause vici Ruby apps to spin.

    Closes strongswan/strongswan#13.
* Merge branch 'starter-kernel-flush'
  Tobias Brunner | 2015-08-21 | 6 files | -34/+71

    Removes flushing of the IPsec state in the kernel when starter terminates.

    We can't easily flush only the policies created for IPsec SAs (and if
    installpolicies=no is used we don't want to flush policies anyway). Also,
    since existing policies don't cause errors anymore these aren't really an
    issue anymore (I think this was one of the main reasons to flush the
    state). This behavior is also specific to starter, so nothing is flushed
    when charon is used via systemd/swanctl. This will also allow us to merge
    libhydra with libcharon in a future release.

    If the previous behavior is needed it can easily be replicated with some
    external tools (we could also write a simple utility that does this).

    Additional checks in the test environment make sure that the daemon
    cleans up the state properly.

  Commits on this branch:

  * testing: Let test scenarios fail if IPsec SAs or policies are not removed
    Tobias Brunner | 2015-08-21 | 1 file | -0/+18

      The IKE daemon should delete all installed SAs and policies when
      everything works properly, so we fail the test if that's not the case.

  * testing: Flush state and policies before every scenario
    Tobias Brunner | 2015-08-21 | 1 file | -0/+8

      Similar to conntrack we make sure we are working on a clean slate.

  * starter: Don't flush SAs in the kernel
    Tobias Brunner | 2015-08-21 | 3 files | -14/+0

      If starter is not used we don't do that either. And this allows us to
      move the stuff in libhydra back to libcharon.

  * starter: Don't flush policies in the kernel
    Tobias Brunner | 2015-08-21 | 1 file | -1/+0

      We can't control which policies we flush, so if policies are installed
      and used outside of strongSwan for other protocols we'd flush them too.
      And if installpolicies=no is used we probably shouldn't flush policies
      either.

      Luckily already existing policies are not treated as fatal errors
      anymore, so not flushing policies should not be that much of an issue
      (in case of a crash in dynamic setups, e.g. with virtual IPs, policies
      could be left behind even after restarting the connections and properly
      terminating the daemon).

  * kernel-pfkey: Only flush SAs of types we actually manage
    Tobias Brunner | 2015-08-21 | 1 file | -13/+26

  * kernel-netlink: Only flush SAs of types we actually manage
    Tobias Brunner | 2015-08-21 | 1 file | -6/+19
* Merge branch 'init-limits'
  Tobias Brunner | 2015-08-21 | 20 files | -21/+171

    IKE_SAs that are initiated are now counted towards the half-open IKE_SAs
    limit. Optionally it is possible to enforce limits towards the number of
    half-open IKE_SAs and the job load also when initiating SAs. This is
    currently only possible via VICI.

  Commits on this branch:

  * vici: Optionally check limits when initiating connections
    Tobias Brunner | 2015-08-21 | 2 files | -1/+7

      If the init-limits parameter is set (disabled by default) init limits
      will be checked and might prevent new SAs from getting initiated.

  * vici: Add get_bool() convenience getter for VICI messages
    Tobias Brunner | 2015-08-21 | 3 files | -0/+94

  * controller: Optionally adhere to init limits also when initiating IKE_SAs
    Tobias Brunner | 2015-08-21 | 15 files | -20/+71

  * ike: Also track initiating IKE_SAs as half-open
    Tobias Brunner | 2015-08-21 | 1 file | -1/+0
* stroke: Allow %any as local address
  Tobias Brunner | 2015-08-21 | 1 file | -3/+7

    Actually, resolving addresses in `left` might be overkill as we'll
    assume left=local anyway (the only difference is the log message).

* stroke: Add an option to disable side-swapping of configuration options
  Tobias Brunner | 2015-08-21 | 2 files | -33/+51

    In some scenarios it might be preferred to ensure left is always local
    and no unintended swaps occur.

* ikev1: Assign different job priorities for inbound IKEv1 messages
  Tobias Brunner | 2015-08-21 | 1 file | -2/+12

* testing: Fix typo in p2pnat/behind-same-nat scenario
  Tobias Brunner | 2015-08-21 | 1 file | -2/+2

* child-rekey: Don't add a REKEY_SA notify if the child-create task is deleting the SA
  Tobias Brunner | 2015-08-21 | 1 file | -6/+9

* child-create: Cache proposed IPsec protocol
  Tobias Brunner | 2015-08-21 | 1 file | -10/+13

    This allows us to DELETE CHILD_SAs on failures that occur before we
    retrieved the selected proposal.

* child-create: Don't attempt to delete the SA if we don't have all the information
  Tobias Brunner | 2015-08-21 | 1 file | -8/+10

    Since we only support single protocols we could probably guess it and
    always send a DELETE.

* child-rekey: Remove redundant migrate() call for child-create sub-task
  Tobias Brunner | 2015-08-21 | 1 file | -2/+1

    When retrying due to a DH group mismatch this is already done by the
    child-create task itself. And in other cases where the task returns
    NEED_MORE we actually will need access to a possible proposal to properly
    delete it.

* child-create: Fix crash when retrying CHILD_SA rekeying due to a DH group mismatch
  Tobias Brunner | 2015-08-21 | 1 file | -0/+1

    If the responder declines our KE payload during a CHILD_SA rekeying
    migrate() is called to reuse the child-create task. But the child-rekey
    task then calls the same method again.

    Fixes: 32df0d81fb46 ("child-create: Destroy nonceg in migrate()")

* auth-cfg: Don't enforce EAP_RADIUS
  Tobias Brunner | 2015-08-21 | 1 file | -1/+2

    Basically the same as e79b0e07e4ab. EAP_RADIUS is also a virtual method
    that will identify itself as a different EAP method later.

* testing: Add missing sim_files file to ikev2/rw-eap-sim-radius scenario
  Tobias Brunner | 2015-08-21 | 1 file | -0/+3

* testing: alice is RADIUS server in the ikev2/rw-eap-sim-radius scenario
  Tobias Brunner | 2015-08-21 | 1 file | -0/+4

* testing: Print triplets.dat files of clients in EAP-SIM scenarios
  Tobias Brunner | 2015-08-21 | 4 files | -0/+7

    References #1078.
* Merge branch 'stroke-ca-sections'
  Tobias Brunner | 2015-08-20 | 7 files | -168/+446

    This resolves the duplicate CERTREQ issue when certificates in
    ipsec.d/cacerts were referenced in ca sections. It also ensures CA
    certificates are reloaded atomically, so there is never a time when an
    unchanged CA certificate is not available.

    References #842.

  Commits on this branch:

  * stroke: Change how CA certificates are stored
    Tobias Brunner | 2015-08-20 | 5 files | -58/+285

      Since 11c14bd2f5 CA certificates referenced in ca sections were
      enumerated by two credential sets if they were also stored in
      ipsec.d/cacerts. This caused duplicate certificate requests to get
      sent.

      All CA certificates, whether loaded automatically or via a ca section,
      are now stored in stroke_ca_t. Certificates referenced in ca sections
      are now also reloaded when `ipsec rereadcacerts` is used.

  * stroke: Combine CA certificate load methods
    Tobias Brunner | 2015-08-20 | 1 file | -82/+74

      Also use the right credential set for CA cert references loaded from
      stroke_ca_t.

  * stroke: Atomically replace CA and AA certificates when reloading them
    Tobias Brunner | 2015-08-20 | 1 file | -34/+45

      Previously it was possible that certificates were not found between
      the time the credential sets were cleared and the certificates got
      re-added.

  * mem-cred: We don't need a write lock when looking for a certificate
    Tobias Brunner | 2015-08-20 | 1 file | -1/+1

  * mem-cred: Add a method to atomically replace all certificates
    Tobias Brunner | 2015-08-20 | 2 files | -10/+58
* ikev1: Fix handling of overlapping Quick Mode exchanges
  Tobias Brunner | 2015-08-20 | 3 files | -2/+70

    In some cases the third message of a Quick Mode exchange might arrive
    after the first message of a subsequent Quick Mode exchange. Previously
    these messages were handled incorrectly and the second Quick Mode
    exchange failed.

    Some implementations might even try to establish multiple Quick Modes
    simultaneously, which is explicitly allowed in RFC 2409. We don't fully
    support that, though, in particular in case of retransmits.

    Fixes #1076.

* kernel-pfkey: Add support for AES-GCM
  Tobias Brunner | 2015-08-20 | 1 file | -3/+11

    The next release of FreeBSD will support this.

    While Linux defines constants for AES-GCM in pfkeyv2.h since 2.6.25 it
    does not actually support it. When SAs are installed via PF_KEY only a
    lookup in XFRM's list of encryption algorithms is done, but AES-GCM is in
    a different table for AEAD algorithms (there is currently no lookup
    function to find algorithms in that table via PF_KEY identifier).

* auth-cfg: Don't enforce EAP_DYNAMIC
  Tobias Brunner | 2015-08-20 | 1 file | -1/+2

    We now store the actual method on the auth config, which won't match
    anymore if rightauth=eap-dynamic is configured.