aboutsummaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
...
* encoding: Accept all exchange types for non IKEv1/IKEv2 major versionsMartin Willi2014-09-221-5/+11
|
* settings: Make loading a NULL or empty pattern a (nop-)successMartin Willi2014-09-221-1/+1
|
* settings: Use strongswan.conf used during library initialization for reloadMartin Willi2014-09-224-14/+4
| | | | | | | | Since 4b670a20 we require an explicit strongswan.conf to re-load configurations. However, the define was missing in the build, breaking SIGHUP based config reloading. Fixes #651.
* library: Store the used root strongswan.conf configurationMartin Willi2014-09-222-7/+12
|
* swanctl: Document --stats commandTobias Brunner2014-09-191-0/+3
|
* ikev2: Don't treat initial messages as MOBIKE exchangesTobias Brunner2014-09-161-6/+9
| | | | | The MOBIKE task is active during the initial exchanges but we don't want to treat them as actual MOBIKE exchanges (i.e. there is no path probing).
* ikev1: Don't cache last block of INFORMATIONAL messages as IVTobias Brunner2014-09-121-2/+2
| | | | | | | | | We don't expect a response with the same MID, but apparently some devices (e.g. FRITZ!Box) do that for DPDs, while still treating the response as a new exchange. By storing the last message block as IV we can't decrypt the first block of such a response. Fixes #661.
* ikev1: Log IV when encrypting messagesTobias Brunner2014-09-121-0/+1
|
* ikev1: Skip unusable IPComp proposalsTobias Brunner2014-09-121-1/+1
| | | | Fixes #661.
* ikev1: Properly handle different proposal numbering schemesTobias Brunner2014-09-121-5/+10
| | | | | | | | | | | | | | | | | | While the examples in RFC 2408 show proposal numbers starting at 1 and increasing by one for each subsequent proposal this is not mandatory. Actually, IKEv1 proposals may start at any number, the only requirement is that the proposal numbers increase monotonically they don't have to do so consecutively. Most implementations follow the examples and start numbering at 1 (charon, racoon, Shrew, Cisco, Windows XP, FRITZ!Box) but pluto was one of the implementations that started with 0 and there might be others out there. The previous assumption that implementations always start numbering proposals at 0 caused problems with clients that start numbering with 1 and whose first proposal consists of multiple protocols (e.g. ESP+IPComp). Fixes #661.
* kernel-netlink: Optionally install protocol and ports on transport mode SAsTobias Brunner2014-09-121-6/+18
|
* ikev2: Reduce timeout if path probing was enabledTobias Brunner2014-09-121-6/+13
|
* ikev2: Defer MOBIKE updates if no path is availableTobias Brunner2014-09-121-7/+14
|
* ike-mobike: Allow calling transmit() even when not currently path probingTobias Brunner2014-09-121-5/+17
| | | | Path probing is enabled if the current path is not available anymore.
* ikev2: Defer path probing if no path is currently availableTobias Brunner2014-09-121-1/+20
| | | | | We do the same before initiating the task, so we should probably do it too when we already initiated it, not just time out and destroy the SA.
* ike-mobike: Return FALSE in transmit() if no path was availableTobias Brunner2014-09-122-3/+7
|
* ikev2: Enable path probing for currently active MOBIKE taskTobias Brunner2014-09-121-0/+18
| | | | | | | This might not be the case if e.g. an address appeared but the old one is still available but not actually usable. Without this the MOBIKE task would eventually time out even though we might be able to switch to a working address.
* ike-mobike: Add method to enable path probingTobias Brunner2014-09-122-0/+12
|
* ike-mobike: Skip peer addresses we can't send packets to when checking pathsTobias Brunner2014-09-121-5/+18
|
* ikev2: Skip peer addresses we can't send packets to when looking for valid pathsTobias Brunner2014-09-121-0/+18
|
* ikev2: Insert MOBIKE tasks at the front of the queueTobias Brunner2014-09-121-1/+6
| | | | | In case we have no usable path to the other peer there is no point in initiating any other tasks (like rekeying).
* ikev2: Migrate number of pending MOBIKE updatesTobias Brunner2014-09-121-0/+5
| | | | | This will probably never be more than 1 since we only have one task queued at a time and we don't migrate running tasks.
* ikev2: Properly keep track of pending MOBIKE updatesTobias Brunner2014-09-121-8/+27
| | | | | | | | Because we only queue one MOBIKE task at a time, but destroy superfluous ones only after we already increased the counter for pending MOBIKE updates, we have to reduce the counter when such tasks are destroyed. Otherwise, the queued task would assume another task is queued when it is running and ignore any successful response.
* android: Reduce CHILD_SA lifetimeTobias Brunner2014-09-121-2/+2
|
* android: Add DH groups to ESP proposalsTobias Brunner2014-09-121-2/+12
|
* child-cfg: Ignore duplicate proposalsTobias Brunner2014-09-121-0/+11
| | | | | If ESP proposals are added once with and once without DH groups duplicates result during IKE_AUTH when DH groups are stripped.
* proposal: Fix equals()Tobias Brunner2014-09-121-5/+5
|
* android: Reestablish IKE_SA if CHILD_SA rekeying failedTobias Brunner2014-09-121-3/+36
|
* android: Report error if CHILD_SA rekeying failsTobias Brunner2014-09-121-0/+6
|
* kernel-netlink: Add global option to configure MSS-clamping on installed routesTobias Brunner2014-09-121-6/+26
|
* kernel-netlink: Add global option to set MTU on installed routesTobias Brunner2014-09-121-0/+19
|
* chunk: Fix Doxygen comments for chunk_internet_checksum[_inc]Tobias Brunner2014-09-111-2/+2
|
* auth-cfg: Fix crash after several reauthentications with multiple ↵Tobias Brunner2014-09-111-1/+1
| | | | | | | | | | authentication rounds Due to the issue described in c641974, purge() inadvertently destroyed CA certificates that should have been kept (while the pointer to these objects remained in the array). This lead to incorrect reference counts and after a few reauthentications with multiple authentication rounds, which cause calls to purge(TRUE), to crashes.
* array: Adjust negative index before calling remove_head|tail()Tobias Brunner2014-09-111-4/+4
| | | | For ARRAY_TAIL we most often want to call remove_tail() not remove_head().
* array: Warn about caveat with array_remove_at() and value based arraysTobias Brunner2014-09-111-0/+5
| | | | | | | | | | | | | | | | Because enumerate() for value based arrays returns a pointer directly to the internal array elements and because array_remove_at() or rather the called array_remove() may move elements over the element at the currently enumerated position, the pointer passed to enumerate() will point to a different array element after the array_remove_at() call. The caller will thus operate on the wrong element if that pointer is accessed again before calling enumerate(). For performance reasons we currently don't change the implementation to copy each array element during enumeration to a private member of the enumerator and return a pointer to that. Similarly, due to the danger of subtle bugs we don't remember the pointer passed to enumerate() to later redirect it to a copy created during the array_remove_at() call.
* asn1: Try to fill the available binary OID buffer if possibleTobias Brunner2014-09-091-11/+24
|
* unit-tests: Give worker threads time to clean up when testing thread_t.detach()Tobias Brunner2014-09-091-2/+4
|
* stream-service: Prevent race conditions due to blocking call to destroy()Tobias Brunner2014-09-091-5/+62
| | | | | | | | In the previous implementation queued jobs could prevent a service from getting destroyed. This could have lead to a deadlock when the processor is cancelled. Now destroy() still blocks, but waits only for actually running tasks. The service instance is reference counted so that queued jobs can safely be destroyed.
* stream-service: Do not accept or re-register when service is terminatedTobias Brunner2014-09-091-2/+10
|
* stream-service: Restart accepting without blockingTobias Brunner2014-09-091-2/+7
| | | | | | | | | | | | Calling on_accept() sometimes lead to deadlocks when service->destroy() was called concurrently. That is, two threads waiting in on_accept() but the last worker would only wake one due to the call to signal(). Calling broadcast() wouldn't help either as that could lead to crashes if the thread that called destroy() is woken first. This is also more efficient as a constant pool of concurrent workers can be maintained, otherwise peaks at the limit were followed by only a single worker being active.
* android: Add support for querying use stats of a CHILD_SATobias Brunner2014-09-091-1/+2
|
* eap-radius: Forward Cisco and Microsoft specific DNS/NBNS attributesTobias Brunner2014-09-091-0/+50
| | | | Fixes #677.
* ikev1: Make sure proposed IPsec mode matches our ownTobias Brunner2014-09-091-1/+2
| | | | References #557.
* ike: Reset IKE_SA in state CONNECTING instead of reauthenticatingTobias Brunner2014-09-091-0/+8
| | | | | | | | Due to how reauthentication works for IKEv1 we could get a second IKE_SA, which might cause problems, when connectivity problems arise when the connection is initially established. Fixes #670.
* asn1: Make sure not to exceed buffer for binary OIDTobias Brunner2014-09-091-1/+1
|
* kernel-pfroute: Delete interfaces on RTM_IFANNOUNCE/IFAN_DEPARTURE eventsTobias Brunner2014-09-091-0/+38
| | | | | | | | | | | | We actually never deleted cached interfaces. So if the kernel reuses interface indices events for newly created interfaces could have been associated with interface objects of deactivated and deleted interfaces. Since we also didn't update the interface name when such an interface got reactivated we ended up using the old name e.g. to install routes. A trigger for this was the deletion and recreation of TUN devices during reauthentication of SAs that use virtual IPs.
* ip-packet: Define our own structs to handle TCP/UDP headersTobias Brunner2014-09-091-2/+27
|
* kernel-pfkey: Report packet counts of IPsec SAsTobias Brunner2014-09-091-2/+2
| | | | | | Seems that packet counts can be retrieved after all. At least the Linux and FreeBSD kernels treat the number of allocations as number of packets. We actually installed packet limits in that field already.
* swanctl: Document how connections.*.unique affects initiatorsTobias Brunner2014-09-091-0/+5
|
* mutex: Use atomics to set current thread in recursive mutexTobias Brunner2014-09-091-9/+12
| | | | | | | | Because this->thread is also read by threads that don't hold the mutex the previous implementation was problematic (especially since pthread_t is an opaque type of unknown length). Fixes #654.