| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
This slowed down the `swanctl --stats` calls in the test scenarios
significantly, with not much added value.
|
| |
|
|
|
|
|
| |
The certificate_printer class allows the printing of certificate
information to a text file (usually stdout). This class is used
by the pki --print and swanctl --list-certs commands as well as
by the stroke plugin.
|
| | |
|
| |
|
|
|
|
|
| |
If two IKE configurations have CHILD configurations with the same name,
we have no control about the CHILD_SA that actually gets controlled. The
new "ike" parameter specifies the peer config name to find the "child" config
under.
|
| |
|
|
|
|
| |
In some situations the vici client is not interested in waiting for a
timeout at all, so don't register a logging callback if the timeout argument
is negative.
|
| |
|
|
|
| |
While it hardly makes sense to use none for negotiated SAs, it actually does
when installing shunt policies.
|
| |
|
|
|
| |
If two peer configs use the same child config names, potentailly delete
the wrong CHILD_SA. Check the peer config name as well to avoid that.
|
| | |
|
| |
|
|
|
| |
The previous approach stored a pointer to a volatile stack variable, which
works for a single ID, but not for multiple.
|
| | |
|
| |
|
|
|
| |
This is called when running `make distclean` (or indirectly via `make
distcheck`).
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
Closes strongswan/strongswan#19.
|
| |
|
|
|
|
|
|
|
| |
prematurely
We can't allow a client to send us MSCHAPV2_SUCCESS messages before it
was authenticated successfully.
Fixes CVE-2015-8023.
|
| | |
|
| |
|
|
| |
add_crl() ensures that old CLRs are not stored in the credential set.
|
| |
|
|
|
|
|
|
|
| |
If we mistakenly detect a new IKE_SA as a reauthentication the client
won't request the previous virtual IP, but since we already migrated
it we already triggered the assign_vips() hook, so we should reassign
the migrated virtual IP.
Fixes #1152.
|
| |
|
|
|
|
|
| |
This also ensures that the actually released virtual IP is removed from
the list of claimed IPs.
Fixes #1199.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
Since we don't use the kernel-netlink plugin anymore and the headers
in the NDK are reasonably recent, we don't need this anymore (at least
when building the app).
Fixes #1172.
|
| |
|
|
|
| |
Plugins must depend on `libcharon-sa-managers` to ensure the manager
exists.
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
We already did so during Phase 1 but because all three Quick Mode
message have the same message ID we occasionally dropped the third
message as retransmit, so we do it there too. For INFORMATIONAL
and TRANSACTION exchanges we don't expect more than one inbound message
with the same message ID so we still use them there.
Fixes #1198.
|
| |
|
|
|
|
|
| |
add_policy()
The additional data can be helpful to identify the exact policy to
delete.
|
| |
|
|
| |
Fixes #1201.
|
| | |
|
| |
|
|
|
| |
We could later perhaps add filter parameters similar to those of the
`ipsec leases` command (pool name/virtual IP).
|
| | |
|
| |
|
|
| |
Basically the same change as the one for the socket-default plugin.
|
| |
|
|
|
|
|
|
|
|
|
| |
This ensures we don't pass data (via msg_control) defined in a different
scope to sendmsg(). Actually, some compilers (e.g. GCC 5.2.1) might
optimize the memcpy() call away causing the packets not to get sent from
the intended source address.
It also makes the code clearer than with all these ifdefs.
Fixes #1171.
|
| |
|
|
| |
This makes the code a bit clearer than with the interleaved ifdefs.
|
| |
|
|
|
|
|
|
| |
after timestamp
For this to look right time_format should end with %S or %T.
Closes strongswan/strongswan#18.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In some scenarios an IKE_SA might get restarted multiple times (e.g.
due to retransmits and delayed INVALID_KE_PAYLOAD notifies) so that
two IKE_SA_INIT messages might be sent that only differ in the
previously randomly generated NAT_DETECTION_SOURCE_IP payload.
This could cause an authentication failure on the responder if the two
peers don't use the same IKE_SA_INIT message in their InitiatorSignedOctets.
While the payload is generated in a reproducible way it will still change
when the daemon is restarted, which should make detecting the payloads
as fake a bit harder (compared to e.g. just using 0.0.0.0:0 as address).
Fixes #1131.
|
| |
|
|
|
|
|
|
|
| |
If the job gets queued for a newly created IKE_SA it might not yet be
checked in when the job is running, reschedule the job in that case.
This should fix the two p2pnat test scenarios, which occasionally
failed because one of the peers did not initiate the connection to
the mediation server.
|
| |
|
|
|
|
|
|
|
| |
In some cases we call wait_for_entry() but don't actually check out the
entry afterwards (e.g. because it doesn't match certain criteria). So
there won't be a call to checkin() for such entries causing waiting
threads to get signaled. Instead, such threads would be blocked until
another thread properly checks out/in the entry (or does a blocking
enumeration).
|
| |
|
|
| |
Fixes 758b1caa0e75 ("ikev1: Prevent deadlock when checking for duplicate IKEv1 SAs")
|
| |
|
|
|
| |
A DPD timeout job is queued whenever a DPD is sent, i.e. after the
DPD delay already has elapsed, so we have to compensate for that.
|
| |
|
|
| |
Fixes #1138.
|
| |
|
|
|
|
|
|
|
|
| |
The `nat-local` and `nat-remote` keys contain information on the NAT
status of the local and remote IKE endpoints, respectively. If a
responder did not detect a NAT but is configured to fake a NAT situation
this is indicated by `nat-fake` (if an initiator fakes a NAT situation
`nat-local` is set). If any NAT is detected or faked `nat-any` is set.
Closes strongswan/strongswan#16.
|
| |
|
|
| |
Fixes #1191.
|
| | |
|
| |
|
|
| |
Like AES in CTR mode it includes a 4 byte nonce.
|
