| Commit message (Collapse) | Author | Age | Files | Lines |
Apparently, not available on Mac OS X 10.10 Yosemite. We don't provide
this on Windows.
|
Connections with auto=route might otherwise not work.
References #1188.
|
add_crl() ensures that old CRLs are not stored in the credential set.
|
If we mistakenly detect a new IKE_SA as a reauthentication the client
won't request the previous virtual IP, but since we already migrated
it we already triggered the assign_vips() hook, so we should reassign
the migrated virtual IP.
Fixes #1152.
|
Since the textual representation for a CRL is now standardized
in RFC 7468 one could argue that we should accept that too, even
though RFC 5280 explicitly demands CRLs fetched via HTTP/FTP to
be in DER format. But in particular for file URIs enforcing that
seems inconvenient.
Fixes #1203.
|
For file:// URIs the code is 0 on success. We now do the same libcurl
would do with CURLOPT_FAILONERROR enabled.
Fixes #1203.
|
This also ensures that the actually released virtual IP is removed from
the list of claimed IPs.
Fixes #1199.
|
This replaces the EAP-Identity with the EAP-MSCHAPv2 username, which
ensures the client is known with an authenticated identity. Previously
a client with a valid username could use a different identity (e.g. the
name of a different user) in the EAP-Identity exchange. Since we use
the EAP-Identity for uniqueness checks etc. this could be problematic.
The EAP-MSCHAPv2 username is now explicitly logged if it is different
from the EAP-Identity (or IKE identity).
Fixes #1182.
|
This is particularly important for single valued rules (e.g.
identities). When copying values this is already handled correctly
by the enumerator and add().
|
In Java all integer types are signed; when a negative integer is cast
to a larger type (e.g. int to long) then due to sign extension the upper
bytes are not 0. So writing that value to a byte array does not produce
the expected result. By overloading the putX() methods we make sure to
upcast the values correctly.
|
This uses a manual way to trigger the NDK build (the default with
on-the-fly Android.mk files does not work for us).
|
Since we don't use the kernel-netlink plugin anymore and the headers
in the NDK are reasonably recent, we don't need this anymore (at least
when building the app).
Fixes #1172.
|
Adds the charon-tkm.spi_label and charon-tkm.spi_mask options to encode
a specific value/label in otherwise randomly generated IKE SPIs.
|
Set get_spi callback of IKE SA manager to TKM-specific implementation.
|
The get_spi callback returns a random SPI with a label encoded according
to the spi_label and spi_mask parameters read from the strongswan.conf.
|
Plugins must depend on `libcharon-sa-managers` to ensure the manager
exists.
|
We already did so during Phase 1 but because all three Quick Mode
messages have the same message ID we occasionally dropped the third
message as retransmit, so we do it there too. For INFORMATIONAL
and TRANSACTION exchanges we don't expect more than one inbound message
with the same message ID so we still use them there.
Fixes #1198.
|
Shunt policies don't have a reqid set, so we allow unequal reqids in
this particular case (i.e. if one of the reqids is 0).
|
entry
|
add_policy()
The additional data can be helpful to identify the exact policy to
delete.
|
This was used with pluto, which had its own policy tracking.
|
If the (un)registering of a kernel interface (net or ipsec) fails, the
plugin loader will never know, since the appropriate functions always
return TRUE. By making the (un)register functions return a boolean
value, the loader can detect a failure during initializing the kernel
interface and abort charon startup if desired.
|
Fixes #1201.
|
We could later perhaps add filter parameters similar to those of the
`ipsec leases` command (pool name/virtual IP).
|
Basically the same change as the one for the socket-default plugin.
|
This ensures we don't pass data (via msg_control) defined in a different
scope to sendmsg(). Actually, some compilers (e.g. GCC 5.2.1) might
optimize the memcpy() call away causing the packets not to get sent from
the intended source address.
It also makes the code clearer than with all these ifdefs.
Fixes #1171.
|
This makes the code a bit clearer than with the interleaved ifdefs.
|
Removes the outdated version of MooTools and actually all
JavaScript code as that stuff can now be done with CSS directly.
Fixes #1190.
|