| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
| |
We already do this for load-token and this should simplify client
implementations.
|
| |
|
|
|
| |
Invert set enumeration order to first enumerate local and then global
credential sets.
|
| |
|
|
|
|
|
| |
Some implementations seem to have problems if the third AM message
contains NAT-D payloads before the HASH payload.
Fixes #2314.
|
| |
|
|
|
|
|
|
| |
Much like in commit a68454b, we now use a global atomic counter to keep
track of the number of IKE_SAs currently registered. This should improve
scalability for a large number of segments even more.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
While this API is documented as legacy (and there is a sysctl option to
disable it) the documentation also mentions that it will probably stay
enabled by default due to compatibility issues with existing applications.
With the previous approach only 255 devices could be opened then the
daemon had to be restarted.
Fixes #2313.
|
| | |
|
| |
|
|
| |
This cleanup prevents sharing the same DB between multiple VPN gateways.
|
| |
|
|
| |
Fixes: af16b5afb0ee ("Use random ports in NetworkManager backend")
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Rename the crypt() method to avoid conflict with POSIX crypt(). Fixes the
following build failure with musl libc:
In file included from ../../../../src/libstrongswan/utils/utils.h:53:0,
from ../../../../src/libstrongswan/library.h:101,
from af_alg_ops.h:24,
from af_alg_ops.c:16:
af_alg_ops.c:110:22: error: conflicting types for 'crypt'
METHOD(af_alg_ops_t, crypt, bool,
^
../../../../src/libstrongswan/utils/utils/object.h:99:13: note: in definition of macro 'METHOD'
static ret name(union {iface *_public; this;} \
^
In file included from af_alg_ops.c:18:0:
.../host/usr/x86_64-buildroot-linux-musl/sysroot/usr/include/unistd.h:144:7: note: previous declaration of 'crypt' was here
char *crypt(const char *, const char *);
^
Closes strongswan/strongswan#72.
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
The secret storage flag wasn't being saved when using smartcard
authentication, resulting in the PIN being stored.
Fixes #2166.
|
| |
|
|
| |
Closes strongswan/strongswan#70.
|
| |
|
|
| |
Closes strongswan/strongswan#69.
|
| | |
|
| |
|
|
|
| |
The plugin provides ed25519 public key support, and is required to generate
keys or sign certificates with pki.
|
| | |
|
| |
|
|
| |
This test scenario tests the eap-simaka-sql plugin.
|
| | |
|
| |
|
|
|
| |
If we jump to `end` without this we crash (not necessarily visibly) due
to a double free and the actual error message is not printed.
|
| |
|
|
|
|
|
|
|
|
| |
Line 66 yields "TypeError: can't concat bytes to str" using Python 3.4.
"requestdata" was introduced in 22f08609f1b6 but is not actually used.
Since the original "request" is not used anywhere else this can be changed
to be similar to the other UTF-8 encoding changes in that commit.
Fixes: 22f08609f1b6 ("vici: Explicitly set the Python encoding type").
Closes strongswan/strongswan#66.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
responses
When constructing the result, all responses from Netlink were concatenated
iteratively, i.e. for each response, the previously acquired result was
copied to newly allocated memory and the current response appended to it.
This results in O(n^2) copy operations. Instead, we now check for the
total final length of the result and copy the individual responses to it
in one pass, i.e. in O(n) copy operations. In particular, this issue caused
very high CPU usage in memcpy() function as the result is copied over and
over. Common way how to hit the issue is when having 1000+ routes and 5+
connecting clients a second. In that case, the memcpy() function can
take 50%+ of one CPU thread on a decent CPU and the whole charon daemon
is stuck just reading routes and concatenating them together (connecting
clients are blocked in that particular case as this is done under mutex).
Closes strongswan/strongswan#65.
References #2055.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Only the tests with client authentication failed, the client accepted
the trusted self-signed certificate even when it was expired. On the
server the lookup (based on the pre-configured SAN) first found the ECDSA
cert, which it dismissed for the RSA authentication the client used, and
since only the first "pretrusted" cert is considered the following RSA
cert was verified more thoroughly.
The lookup on the client always uses the full DN of the server certificate
not the pre-configured identity so it found the correct certificate on
the first try.
|
| |
|
|
|
| |
Fixes: 05ccde0a8bd9 ("pki: Add generic 'priv' key type that loads any
type of private key")
|
| |
|
|
|
|
|
|
|
|
|
|
| |
If a the original responder narrows the selectors of its peer in addrblock,
the peer gets a subset of that selectors. However, once the original responder
initiates rekeying of that CHILD_SA, it sends the full selectors to the peer,
and then narrows the received selectors locally for the installation, only.
This is insufficient, as the peer ends up with wider selectors, sending traffic
that the original responder will reject to the stricter IPsec policy. So
additionally narrow the selectors when rekeying CHILD_SAs before sending the
TS list to the peer.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
The plugins can only be built on x64 as the MinGW headers on Ubuntu 12.04,
which we have to use for x86 due to another issue with MinGW, are too old.
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
This is different if `ike` and `child` are provided and uninstall()
fails as we call that without knowing whether a matching shunt exists.
But if `ike` is not provided we explicitly search for a matching shunt
and if found don't need to look for a trap policy.
|
| |
|
|
|
|
|
|
|
|
|
| |
Most functions in libunwind.h are actually mapped via macros to obscure
function names, so checking for these would require some elaborate test
via AC_LINK_IFELSE(). However, unw_backtrace() seems to be one of the few
actual functions so lets use this for now, even though we don't call it
ourselves later.
Fixes: 016228c15843 ("configure: Check for actual functions in libraries
with AC_CHECK_LIB")
|
| | |
|
| |
|
|
| |
narrowing
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
The tpm plugin can be used to derive true random numbers from a
TPM 2.0 device. The get_random method must be explicitly enabled
in strongswan.conf with the plugin.tpm.use_rng = yes option.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
This provides a solution for configs where there is e.g. a catch-all %any
PSK, while more specific PSKs would be found by the identities of configs
that e.g. use FQDNs as local/remote addresses.
Fixes #2223.
|
| | |
|
