aboutsummaryrefslogtreecommitdiffstats
path: root/src/frontends/android/jni/libandroidbridge/backend
Commit message (Collapse)AuthorAgeFilesLines
* android: Reduce CHILD_SA lifetimeTobias Brunner2014-09-121-2/+2
|
* android: Add DH groups to ESP proposalsTobias Brunner2014-09-121-2/+12
|
* android: Reestablish IKE_SA if CHILD_SA rekeying failedTobias Brunner2014-09-121-3/+36
|
* android: Report error if CHILD_SA rekeying failsTobias Brunner2014-09-121-0/+6
|
* dns-proxy: Don't use proxy socket if we fail to bypass itTobias Brunner2014-07-301-0/+2
| | | | | | | | | This will result in an infinite loop as packets sent over that socket will again pass through the TUN device and the DNS proxy. Apparently, bypassing fails when airplane mode is enabled. Fixes #662.
* android: For keyingtries > 0 notify the GUI if the limit is reached when ↵Tobias Brunner2014-07-221-0/+17
| | | | | | | | | | reestablishing The IKE_SA is destroyed anyway, so letting the GUI remain in "connecting" state would be incorrect. We still use keyingtries=0 for now, though. And we still abort after the first failed attempt initially, in case there is a configuration error.
* android: Terminate IKE_SA if initial IKE_SA_INIT failsTobias Brunner2014-07-221-1/+23
| | | | | | | | | | Since VpnStateService.disconnect() is now not called until the error dialog is dismissed the daemon would continue to try connecting. So while the error dialog is shown the connection might actually be successfully established in the background, which is not intended. This way the IKE_SA is destroyed right after sending the IKE_SA_INIT of the second connection attempt (due to keyingtries=0).
* android: Only allow DNS queries for the configured hostnameTobias Brunner2014-07-221-0/+2
|
* android: Add optional filter functionality to DNS proxyTobias Brunner2014-07-222-3/+119
| | | | | If specified only queries for a list of allowed host names will be proxied.
* android: Recreate the TUN device without DNS when reestablishing IKE_SAsTobias Brunner2014-07-221-0/+38
| | | | | This enables DNS resolution while reestablishing if the VPN gateway pushed DNS servers to the client that are only reachable via VPN.
* android: Use DNS proxy when reestablishing IKE_SAsTobias Brunner2014-07-221-4/+44
|
* bus: Add ike_reestablish_pre hook, called before DNS resolutionTobias Brunner2014-07-221-4/+5
| | | | | The old hook is renamed to ike_reestablish_post and is now also called when the initiation of the new IKE_SA failed.
* android: Add DNS proxy implementationTobias Brunner2014-07-222-0/+387
| | | | | | | This class proxies DNS requests over VPN-protected UDP sockets. It is not really Android specific and might be useful for kernel-libipsec or libipsec in general too, so we could maybe move it later to libipsec (might need some portability work).
* android: Set CHILD_STATE_DOWN when the IKE_SA gets reestablishedTobias Brunner2014-07-221-1/+7
|
* android: Set CHILD_STATE_DOWN whenever the CHILD_SA goes downTobias Brunner2014-07-221-6/+0
| | | | | | No matter what triggers it. We also don't close the TUN device, but we might handle that differently in the future to allow reestablishing the IKE_SA if host names have to be re-resolved via DNS.
* android: Add support for ECDSA private keysTobias Brunner2014-07-221-24/+99
| | | | With 4.4.4 these work fine now.
* ike: Add an additional but separate AEAD proposal to IKE config, if supportedMartin Willi2014-05-161-0/+1
|
* ike: support multiple addresses, ranges and subnets in IKE address configMartin Willi2013-09-041-2/+2
| | | | | | | Replace the allowany semantic by a more powerful subnet and IP range matching. Multiple addresses, DNS names, subnets and ranges can be specified in a comma separated list. Initiators ignore the ranges/subnets, responders match configurations against all addresses, ranges and subnets.
* peer-cfg: add a pull/push mode option to use with mode configMartin Willi2013-09-041-1/+1
|
* android: Add new VpnType to enable BYOD featuresTobias Brunner2013-07-081-3/+9
|
* android: Use stronger ESP proposal including AES-GCMTobias Brunner2013-05-031-0/+6
|
* android: Request and install an IPv6 DNS serverTobias Brunner2013-03-201-4/+16
|
* android: Also request a virtual IPv6 address and propose IPv6 TSTobias Brunner2013-03-201-7/+17
| | | | | This allows IPv6 over IPv4 but falls back nicely if we don't get a virtual IPv6 (or IPv4) address.
* android: Add support for combined certificate and EAP authenticationTobias Brunner2013-03-071-27/+50
| | | | | | This uses RFC 4739 multiple authentication rounds to first authenticate the client with a certificate followed by an EAP authentication round with username and password.
* Fixed Doxygen comments after scanning complete src directoryTobias Brunner2013-03-021-1/+1
|
* android: Mitigate race condition on reauthenticationTobias Brunner2013-03-011-0/+4
| | | | | | | | If the TUN device gets recreated while another thread in handle_plain() has not yet called select(2) but already stored the file descriptor of the old TUN device in its FD set, select() will fail with EBADF. Fixes #301.
* Add a DSCP configuration value to IKE configsMartin Willi2013-02-061-1/+1
|
* android: Moved chunk_from_byte_array and byte_array_from_chunk helper functionsTobias Brunner2013-01-141-24/+0
|
* Added an option that allows to force IKEv1 fragmentationTobias Brunner2013-01-121-1/+2
|
* Use a connection specific option to en-/disable IKEv1 fragmentationTobias Brunner2012-12-241-1/+1
|
* android: Private key bug has been fixed with Android 4.2Tobias Brunner2012-11-191-1/+1
|
* Moved debug.[ch] to utils folderTobias Brunner2012-10-242-2/+2
|
* Remove version argument on peer_cfg constructor, use ike_cfg version insteadMartin Willi2012-10-241-1/+1
|
* Add IKE version information to ike_cfg_tMartin Willi2012-10-241-1/+1
|
* android: Ignore if peer is unreachable when reestablishing an SATobias Brunner2012-10-181-2/+7
|
* android: Use keyingtries=%forever and dpd|closeaction=restartTobias Brunner2012-10-181-3/+3
| | | | | | | We also ignore the CHILD_SA_DOWN event. This should allow us to keep the connection up as long as the user does not manually disconnect.
* android: Handle unreachable peers via alertTobias Brunner2012-10-161-17/+5
|
* android: Use 0.0.0.0/0 as local traffic selectorTobias Brunner2012-10-161-1/+2
| | | | | This is helpful if the responder also wants to tunnel e.g. multicast packages.
* android: Determine source address dynamicallyTobias Brunner2012-10-162-13/+5
|
* android: Don't use the default ESP proposal as it includes unsupported ↵Tobias Brunner2012-10-161-1/+4
| | | | algorithms
* android: Leak the private key reference on Jelly Bean to avoid a bug in the ↵Tobias Brunner2012-09-241-1/+10
| | | | | | | | | framework A bug in the framework on Android Jelly Bean causes a SIGSEGV when the private key object returned from KeyChain.getPrivateKey is garbage collected. Leaking the global reference to that object prevents the garbage collection and thereby the crash.
* android: Load the private key and certificates separately in android_creds_tTobias Brunner2012-09-241-27/+28
|
* android: Added a JNI backed private key implementationTobias Brunner2012-09-242-0/+323
| | | | | This is required because private keys are provided by an OpenSSL engine in Jelly Bean, which makes them inaccessible directly via getEncoding.
* android: Use AUTH_RULE_IDENTITY_LOOSETobias Brunner2012-09-181-0/+1
|
* android: Properly handle reauthentication initiated by the clientTobias Brunner2012-09-061-7/+42
|
* Merge branch 'android-client-cert'Tobias Brunner2012-09-044-13/+159
|\ | | | | | | Introduces IKEv2 client certificate authentication for the Android App.
| * android: Native parts handle ikev2-cert VPN typeTobias Brunner2012-08-312-10/+69
| |
| * android: android_creds_t can provide a user's private key and certificateTobias Brunner2012-08-312-3/+89
| |
* | Pass a list instead of a single virtual IP to attribute enumeratorsMartin Willi2012-08-301-1/+1
| |
* | Support multiple address pools configured on a peer_cfgMartin Willi2012-08-301-1/+1
| |
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-04 22:24:22 +0000