| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
From recvfrom(2) (which UDPSocket#recv backs into):
The return value will be 0 when the peer has performed an orderly
shutdown.
(i.e. it will return an empty string)
Previously in this scenario, Vici::Transport#recv_all would spin
forever trying to pull more data off the socket. I'm not entirely
clear what happened that caused strongSwan to shutdown the socket, but
it probably should not cause vici Ruby apps to spin.
Closes strongswan/strongswan#13.
|
| |
|
|
|
| |
If starter is not used we don't do that either. And this allows us to
move the stuff in libhydra back to libcharon.
|
| |
|
|
|
|
|
|
|
|
|
| |
We can't control which policies we flush, so if policies are installed
and used outside of strongSwan for other protocols we'd flush them too.
And if installpolicies=no is used we probably shouldn't flush policies
either. Luckily already existing policies are not treated as fatal
errors anymore, so not flushing policies should not be that much of an
issue (in case of a crash in dynamic setups, e.g. with virtual IPs,
policies could be left behind even after restarting the connections and
properly terminating the daemon).
|
| | |
|
| | |
|
| |
|
|
|
| |
If the init-limits parameter is set (disabled by default) init limits
will be checked and might prevent new SAs from getting initiated.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
Actually, resolving addresses in `left` might be overkill as we'll assume
left=local anyway (the only difference is the log message).
|
| |
|
|
|
| |
In some scenarios it might be preferred to ensure left is always local
and no unintended swaps occur.
|
| | |
|
| |
|
|
| |
deleting the SA
|
| |
|
|
|
| |
This allows us to DELETE CHILD_SAs on failures that occur before we
retrieved the selected proposal.
|
| |
|
|
|
|
|
| |
information
Since we only support single protocols we could probably guess it and always
send a DELETE.
|
| |
|
|
|
|
|
| |
When retrying due to a DH group mismatch this is already done by the
child-create task itself. And in other cases where the task returns
NEED_MORE we actually will need access to a possible proposal to properly
delete it.
|
| |
|
|
|
|
|
|
|
|
| |
mismatch
If the responder declines our KE payload during a CHILD_SA rekeying migrate()
is called to reuse the child-create task. But the child-rekey task then
calls the same method again.
Fixes: 32df0d81fb46 ("child-create: Destroy nonceg in migrate()")
|
| |
|
|
|
| |
Basically the same as e79b0e07e4ab. EAP_RADIUS is also a virtual method
that will identify itself as a different EAP method later.
|
| |
|
|
|
|
|
|
|
|
|
| |
Since 11c14bd2f5 CA certificates referenced in ca sections were
enumerated by two credential sets if they were also stored in
ipsec.d/cacerts. This caused duplicate certificate requests to
get sent. All CA certificates, whether loaded automatically or
via a ca section, are now stored in stroke_ca_t.
Certificates referenced in ca sections are now also reloaded
when `ipsec rereadcacerts` is used.
|
| |
|
|
|
| |
Also use the right credential set for CA cert references loaded from
stroke_ca_t.
|
| |
|
|
|
| |
Previously it was possible that certificates were not found between the
time the credential sets were cleared and the certificates got readded.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
In some cases the third message of a Quick Mode exchange might arrive
after the first message of a subsequent Quick Mode exchange. Previously
these messages were handled incorrectly and the second Quick Mode
exchange failed.
Some implementations might even try to establish multiple Quick Modes
simultaneously, which is explicitly allowed in RFC 2409. We don't fully
support that, though, in particular in case of retransmits.
Fixes #1076.
|
| |
|
|
|
|
|
|
|
|
| |
The next release of FreeBSD will support this.
While Linux defines constants for AES-GCM in pfkeyv2.h since 2.6.25 it
does not actually support it. When SAs are installed via PF_KEY only a
lookup in XFRM's list of encryption algorithms is done, but AES-GCM is in
a different table for AEAD algorithms (there is currently no lookup
function to find algorithms in that table via PF_KEY identifier).
|
| |
|
|
|
| |
We now store the actual method on the auth config, which won't match
anymore if rightauth=eap-dynamic is configured.
|
| |
|
|
|
| |
We should ignore messages that have the flag set incorrectly.
This restores RFC compliance which was broken since the mentioned commit.
|
| |
|
|
|
|
|
|
|
|
|
| |
While this doesn't really create any problems it is not 100% correct to
accept such messages because, of course, the sender of an IKE_SA_INIT
request is always the original initiator of an IKE_SA.
We currently don't check the flag later, so we wouldn't notice if the
peer doesn't set it in later messages (ike_sa_id_t.equals doesn't
compare it anymore since we added support for IKEv1, in particular since
17ec1c74de).
|
| |
|
|
|
|
|
|
|
| |
If multiple certificates use the same subjects we might choose the wrong
one otherwise. This way we use the one referenced with leftcert and
stored in the auth-cfg and we actually do the same thing later in the
pubkey authenticator.
Fixes #1077.
|
| |
|
|
|
|
|
| |
This allows symmetric configuration of EAP methods (i.e. the same value
in leftauth and rightauth) when mutual EAP-only authentication is used.
Previously the client had to configure rightauth=eap or rightauth=any,
which prevented it from using this same config as responder.
|
| |
|
|
| |
This fixes the build on Windows.
|
| |
|
|
|
|
| |
When reestablishing the IKE_SA we should still use the original port
when right resolves to %any as some implementations might not like
initial IKE messages on port 4500 (especially for IKEv1).
|
| |
|
|
| |
Fixes #196.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
The first segment only fit if the segmentation envelope attribute
was preceded by a Max Attribute Size Response attribute. The
improved implementation fills up the first PA-TNC message with
the first segment up to the maximum message size.
|
| |
|
|
|
|
|
|
|
|
|
| |
certain mark
If the routing rule we use to direct traffic to our own routing table
excludes traffic with a certain mark (fwmark = !<mark>) we can simplify
the route lookup and avoid dumping all routes by passing the mark to the
request. That way our own routes are ignored and we get the preferred
route back without having to dump and analyze all routes, which is quite a
burden on hosts with lots of routes.
|
