Commit message | Author | Age | Files | Lines
This allows proper initialization of the daemon and the helper object.
Provides predictable sequential SPIs.
This allows retrieving packets sent by an IKE_SA and passing them to another
IKE_SA directly via process_message().
libcharon_deinit() already calls all the functions we called manually.
Unloading the plugins will not work if charon->initialize() is called
as charon's static plugin features would already be unloaded before the
destroyed members are accessed in destroy() to flush them.
It's not necessary and might waste memory. However, if ESN is used we set
the window to 1 as the kernel rejects the attribute otherwise.
It is not necessary for outbound SAs and might waste memory when large
window sizes are used.
If a called script interacts with the daemon or one of its plugins
another thread might have to acquire the write lock (e.g. to configure a
fallback or set a value). Holding the read lock prevents that, potentially
resulting in a deadlock.
fgetc() returns an int and EOF is usually -1, so when this gets cast to
a char the result depends on whether `char` means `signed char` or
`unsigned char` (the C standard does not specify it). If it is unsigned
then its value is 0xff, so the comparison with EOF will fail as that is an
implicit signed int.
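The EOF-in-a-char pitfall from this commit message, reproduced with a small memory-backed stand-in for fgetc(). This is an added example, not strongSwan code; mem_getc(), the mem_stream type and the sample bytes are constructed for it. Beyond the unsigned-char case the commit describes, it also shows the mirror-image failure where char is signed and a 0xff data byte is mistaken for EOF.

```c
#include <stdio.h>   /* EOF and size_t */

/* Constructed sample input; the 0xff byte is ordinary data, not end-of-file. */
static const unsigned char sample[] = { 'a', 'b', 0xff, 'c' };

/* Stand-in for fgetc(): returns the next byte as unsigned char converted
 * to int, or EOF (an int, usually -1), exactly like the real function. */
struct mem_stream { const unsigned char *p; size_t len; size_t pos; };

static int mem_getc(struct mem_stream *s)
{
    return s->pos < s->len ? s->p[s->pos++] : EOF;
}

/* Correct pattern: keep fgetc()'s int and compare that to EOF. Counts 4. */
static long count_bytes_via_int(void)
{
    struct mem_stream s = { sample, sizeof(sample), 0 };
    long n = 0; int c;
    while ((c = mem_getc(&s)) != EOF)
        n++;
    return n;
}

/* Bug where char is signed: 0xff converts to -1 (implementation-defined, but
 * what common compilers do) and so equals EOF; reading stops after 2 bytes. */
static long count_bytes_via_signed_char(void)
{
    struct mem_stream s = { sample, sizeof(sample), 0 };
    long n = 0; signed char ch;
    while ((ch = (signed char)mem_getc(&s)) != EOF)
        n++;
    return n;
}

/* Bug where char is unsigned: EOF (-1) converts to 255, never equal to -1, so
 * EOF is never seen. Loop bounded only so the demo ends; -1 means EOF missed. */
static long count_bytes_via_unsigned_char(void)
{
    struct mem_stream s = { sample, sizeof(sample), 0 };
    long n = 0; unsigned char ch;
    while (n <= (long)sizeof(sample)) {
        ch = (unsigned char)mem_getc(&s);
        if ((int)ch == EOF)
            return n;
        n++;
    }
    return -1;
}
```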
Some C libraries, such as uClibc, require an explicit link for some atomic
functions. Check for any libatomic, and explicitly link it.
This fixes DNS server installation if make-before-break reauthentication
is used, as there the new SA and DNS server are installed before they are
then removed again when the old IKE_SA is torn down.
This allows us to capture output written to stderr/stdout.
If running resolvconf fails, handle() fails and release() is not called, which
might leave an interface file on the system (or, depending on which script
called by resolvconf actually failed, even the installed DNS server).
This is the direction we actually need routes in and makes the code
easier to read.
are in the selector
are in the selector
We don't need them for drop policies and they might even mess with other
routes we install. Routes for policies with protocol/ports in the
selector will always be too broad and might conflict with other routes
we install.
An exception is if the local address is virtual, in which case we want
the route to be via the TUN device.
| |
Using the source address to determine the interface is not correct for
net-to-net shunts between two interfaces on which the host has IP addresses
for each subnet.
| |
The returned name should be the interface over which the destination
address/net is reachable.
Other threads are free to add/update/delete other policies.
This tries to prevent race conditions caused by releasing the mutex while
sending messages to the kernel. For instance, if break-before-make
reauthentication is used and one thread on the responder is delayed in
deleting the policies that another thread is concurrently adding for the
new SA. This could have resulted in no policies being installed
eventually.
Fixes #1400.
#1467.
| |
If a pseudonym changed a new entry was added to the table storing
permanent identity objects (that are used as keys in the other table).
However, the old mapping was not removed while replacing the mapping in
the pseudonym table caused the old pseudonym to get destroyed. This
eventually caused crashes when a new pseudonym had the same hash value as
such a defunct entry and keys had to be compared.
Fixes strongswan/strongswan#46.
If two CHILD_SAs with mark=%unique are created concurrently they could
otherwise end up with either the same mark or different marks in both
directions.
This is the case for the IKE_SA_INIT and the initial IKEv1 messages, which
are pre-generated in tasks as at least parts of them are used to generate
the AUTH payload. The IKE_SA_INIT message will never be fragmented, but
the IKEv1 messages might be, so we can't just call generate_message().
Fixes #1478.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
This fixes authentication with tokens that require the PIN for every
signature.
Fixes #1369.
If a local authentication failure occurs in IKEv1 we delete the IKE_SA, which
we don't want the controller to detect as success.
Fixes #1449.
Some peers send an INITIAL_CONTACT notify after they received our XAuth
username. The XAuth task waiting for the third XAuth message handles
this incorrectly and closes the IKE_SA as no configuration payloads are
contained in the message. We queue the INFORMATIONAL until the XAuth
exchange is complete to avoid this issue.
Fixes #1434.
Fixes #1380.
This fixes the out-of-tree build.
package
The versioning scheme used by Python (PEP 440) supports the rcN suffix
but development releases have to be named devN, not drN, which are
not supported and considered legacy versions.
in Python
recv() will return fewer bytes than specified (as that's the buffer size)
if not as many are ready to be read from the socket.