| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
| |
Some C libraries, such as uClibc, require an explicit link for some atomic
functions. Check for any libatomic, and explcily link it.
|
| | |
|
| | |
|
| |
|
|
|
|
| |
Some of these are also understood by BoringSSL.
Fixes #1510.
|
| | |
|
| | |
|
| |
|
|
|
|
| |
This fixes DNS server installation if make-before-break reauthentication
is used as there the new SA and DNS server is installed before it then
is removed again when the old IKE_SA is torn down.
|
| |
|
|
| |
This allows us to capture output written to stderr/stdout.
|
| |
|
|
|
|
| |
If running resolvconf fails handle() fails release() is not called, which
might leave an interface file on the system (or depending on which script
called by resolvconf actually failed even the installed DNS server).
|
| |\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Changes how the interface for routes installed with policies is
determined. In most cases we now use the interface over which we reach the
other peer, not the interface on which the local address (or the source IP) is
installed. However, that might be the same interface depending on the
configuration (i.e. in practice there will often not be a change).
Routes are not installed anymore for drop policies and for policies with
protocol/port selectors.
Fixes #809, #824, #1347.
|
| | | |
|
| | | |
|
| | |
| |
| |
| |
| | |
This is the direction we actually need routes in and makes the code
easier to read.
|
| | |
| |
| |
| | |
are in the selector
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
are in the selector
We don't need them for drop policies and they might even mess with other
routes we install. Routes for policies with protocol/ports in the
selector will always be too broad and might conflict with other routes
we install.
|
| | |
| |
| |
| |
| | |
An exception is if the local address is virtual, in which case we want
the route to be via TUN device.
|
| | | |
|
| | | |
|
| | |
| |
| |
| |
| |
| | |
Using the source address to determine the interface is not correct for
net-to-net shunts between two interfaces on which the host has IP addresses
for each subnet.
|
| | | |
|
| |/
|
|
|
| |
The returned name should be the interface over which the destination
address/net is reachable.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Other threads are free to add/update/delete other policies.
This tries to prevent race conditions caused by releasing the mutex while
sending messages to the kernel. For instance, if break-before-make
reauthentication is used and one thread on the responder is delayed in
deleting the policies that another thread is concurrently adding for the
new SA. This could have resulted in no policies being installed
eventually.
Fixes #1400.
|
| | |
|
| | |
|
| |
|
|
| |
#1467.
|
| | |
|
| |\
| |
| |
| |
| |
| |
| | |
Fixes the comparison of ipsec_sa_cfg_t instances in case there is
padding that's not initialized to zero.
Fixes #1503.
|
| | | |
|
| | | |
|
| |/
|
|
|
|
| |
memeq() is currently used to compare these but if there is padding that
is not initialized the same for two instances the comparison fails.
Using this function ensures the objects are compared correctly.
|
| |
|
|
|
|
|
|
|
|
|
| |
If a pseudonym changed a new entry was added to the table storing
permanent identity objects (that are used as keys in the other table).
However, the old mapping was not removed while replacing the mapping in
the pseudonym table caused the old pseudonym to get destroyed. This
eventually caused crashes when a new pseudonym had the same hash value as
such a defunct entry and keys had to be compared.
Fixes strongswan/strongswan#46.
|
| |
|
|
|
|
| |
If two CHILD_SAs with mark=%unique are created concurrently they could
otherwise end up with either the same mark or different marks in both
directions.
|
| |
|
|
|
|
|
|
|
| |
This is the case for the IKE_SA_INIT and the initial IKEv1 messages, which
are pre-generated in tasks as at least parts of it are used to generate
the AUTH payload. The IKE_SA_INIT message will never be fragmented, but
the IKEv1 messages might be, so we can't just call generate_message().
Fixes #1478.
|
| |
|
|
| |
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
|
| | |
|
| |
|
|
| |
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
|
| |
|
|
|
|
|
| |
This fixes authentication with tokens that require the PIN for every
signature.
Fixes #1369.
|
| |
|
|
|
|
|
| |
If a local authentication failure occurs in IKEv1 we delete the IKE_SA, which
we don't want the controller to detect as success.
Fixes #1449.
|
| |
|
|
|
|
|
|
|
|
| |
Some peers send an INITIAL_CONTACT notify after they received our XAuth
username. The XAuth task waiting for the third XAuth message handles
this incorrectly and closes the IKE_SA as no configuration payloads are
contained in the message. We queue the INFORMATIONAL until the XAuth
exchange is complete to avoid this issue.
Fixes #1434.
|
| |
|
|
|
|
| |
identities
References #1380.
|
| |
|
|
| |
Fixes #1380.
|
| |
|
|
|
|
|
| |
The correct encoding got lost in bdec2e4f5291 ("refactored openac and
its attribute certificate factory").
Fixes #1370.
|
| | |
|
| |
|
|
|
|
| |
If the af-alg plugin is enabled, but kernel support is missing, we get
an error line during startup for each probed algorithm. This is way too
verbose, so just skip probing if AF_ALG is unsupported.
|
| |
|
|
|
| |
Some pthread library variants depend on libdl, hence we must pass such a
library to successfully build against libpthread.
|
| |\ |
|
| | | |
|
| |/ |
|
| | |
|
