aboutsummaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
* ipsec: Add function to compare two ipsec_sa_cfg_t instancesTobias Brunner2016-06-082-0/+25
| | | | | | memeq() is currently used to compare these but if there is padding that is not initialized the same for two instances the comparison fails. Using this function ensures the objects are compared correctly.
* eap-simaka-pseudonym: Properly store mappingsTobias Brunner2016-06-061-44/+38
| | | | | | | | | | | If a pseudonym changed a new entry was added to the table storing permanent identity objects (that are used as keys in the other table). However, the old mapping was not removed while replacing the mapping in the pseudonym table caused the old pseudonym to get destroyed. This eventually caused crashes when a new pseudonym had the same hash value as such a defunct entry and keys had to be compared. Fixes strongswan/strongswan#46.
* child-sa: Use non-static variable to store generated unique markTobias Brunner2016-06-061-1/+2
| | | | | | If two CHILD_SAs with mark=%unique are created concurrently they could otherwise end up with either the same mark or different marks in both directions.
* ike: Don't trigger message hook when fragmenting pre-generated messagesTobias Brunner2016-06-061-2/+10
| | | | | | | | | This is the case for the IKE_SA_INIT and the initial IKEv1 messages, which are pre-generated in tasks as at least parts of it are used to generate the AUTH payload. The IKE_SA_INIT message will never be fragmented, but the IKEv1 messages might be, so we can't just call generate_message(). Fixes #1478.
* error-notify: Notify listeners upon IKE retransmitThomas Egerer2016-06-062-0/+6
| | | | Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* task-manager: Add retransmit cleared alertTobias Brunner2016-06-063-0/+16
|
* task-manager: Add retransmit count to retransmit send alertThomas Egerer2016-06-063-4/+7
| | | | Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* stroke: Permanently store PINs in credential setTobias Brunner2016-06-061-12/+35
| | | | | | | This fixes authentication with tokens that require the PIN for every signature. Fixes #1369.
* controller: Use separate callbacks to track termination and initiation of SAsTobias Brunner2016-06-061-8/+58
| | | | | | | If a local authentication failure occurs in IKEv1 we delete the IKE_SA, which we don't want the controller to detect as success. Fixes #1449.
* ikev1: Queue INFORMATIONAL messages during XAuthTobias Brunner2016-06-061-5/+12
| | | | | | | | | | Some peers send an INITIAL_CONTACT notify after they received our XAuth username. The XAuth task waiting for the third XAuth message handles this incorrectly and closes the IKE_SA as no configuration payloads are contained in the message. We queue the INFORMATIONAL until the XAuth exchange is complete to avoid this issue. Fixes #1434.
* identification: Compare identity types when comparing ID_FQDN/ID_RFC822_ADDR ↵Tobias Brunner2016-06-061-3/+4
| | | | | | identities References #1380.
* ikev2: Handle INITIAL_CONTACT notifies also when peer is authenticated with EAPTobias Brunner2016-06-061-16/+5
| | | | Fixes #1380.
* x509: Properly wrap keyid in authorityKeyIdentifier in attribute certificatesTobias Brunner2016-06-061-1/+2
| | | | | | | The correct encoding got lost in bdec2e4f5291 ("refactored openac and its attribute certificate factory"). Fixes #1370.
* p-cscf: Remove libhydra reference in MakefileTobias Brunner2016-05-271-1/+0
|
* af-alg: Silently skip probing algorithms if AF_ALG is not supportedMartin Willi2016-05-191-0/+19
| | | | | | If the af-alg plugin is enabled, but kernel support is missing, we get an error line during startup for each probed algorithm. This is way too verbose, so just skip probing if AF_ALG is unsupported.
* vici: Put source distribution in the dist dir in the build directoryTobias Brunner2016-05-111-1/+3
| | | | This fixes the out-of-tree build.
* mem-cred: Fix memory leak when replacing existing CRLsTobias Brunner2016-05-111-0/+1
| | | | Fixes #1442.
* vici: Add target to build a source package and universal wheel of the Python ↵Tobias Brunner2016-05-111-0/+6
| | | | package
* vici: Add README.rst to be used as description on PyPITobias Brunner2016-05-114-8/+28
|
* vici: Replace dr with dev in version numbers for the Python eggTobias Brunner2016-05-101-5/+5
| | | | | | The versioning scheme used by Python (PEP 440) supports the rcN suffix but development releases have to be named devN, not drN, which are not supported and considered legacy versions.
* vici: Update setup.pyTobias Brunner2016-05-101-4/+5
|
* vici: Ensure we read exactly the specified amount of bytes from the socket ↵Tobias Brunner2016-05-101-2/+9
| | | | | | | in Python recv() will return less bytes than specified (as that's the buffer size) if not as many are ready to be read from the socket.
* swanctl: indicate initiator and responder in --list-sasAndreas Steffen2016-05-071-2/+5
|
* child-sa: Install "outbound" FWD policy with lower priorityTobias Brunner2016-05-061-1/+12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This provides a fix if symmetrically overlapping policies are installed as e.g. the case in the ikev2/ip-two-pools-db scenario: carol 10.3.0.1/32 ----- 10.3.0.0/16, 10.4.0.0/16 moon alice 10.4.0.1/32 ----- 10.3.0.0/16, 10.4.0.0/16 moon Among others, the following FWD policies are installed on moon: src 10.3.0.1/32 dst 10.4.0.0/16 ... tmpl ... src 10.4.0.0/16 dst 10.3.0.1/32 ... src 10.4.0.1/32 dst 10.3.0.0/16 ... tmpl ... src 10.3.0.0/16 dst 10.4.0.1/32 ... Because the network prefixes are the same for all of these they all have the same priority. Due to that it depends on the install order which policy gets used. For instance, a packet from 10.3.0.1 to 10.4.0.1 will match the first as well as the last policy. However, when handling the inbound packet we have to use the first one as the packet will otherwise be dropped due to a template mismatch. And we can't install templates with the "outbound" FWD policies as that would prevent using different IPsec modes or e.g. IPComp on only one of multiple SAs. Instead we install the "outbound" FWD policies with a lower priority than the "inbound" FWD policies so the latter are preferred. But we use a higher priority than default drop policies would use (in case they'd be defined with the same subnets).
* kernel-netlink: Check proper watcher state in parallel modeTobias Brunner2016-05-061-1/+1
| | | | | | | | | | | | | After adding the read callback the state is WATCHER_QUEUED and it is switched to WATCHER_RUNNING only later by an asynchronous job. This means that a thread that sent a Netlink message shortly after registration might see the state as WATCHER_QUEUED. If it then tries to read the response and the watcher thread is quicker to actually read the message from the socket, it could block on recv() while still holding the lock. And the asynchronous job that actually read the message and tries to queue it will block while trying to acquire the lock, so we'd end up in a deadlock. This is probably mostly a problem in the unit tests.
* trap-manager: Allow local address to be unspecifiedTobias Brunner2016-05-061-3/+1
| | | | | | | | If there is currently no route to reach the other peer we just default to left=%any. The local address is only really used to resolve leftsubnet=%dynamic anyway (and perhaps for MIPv6 proxy transport mode). Fixes #1375.
* kernel-netlink: Order routes by prefix before comparing priority/metricTobias Brunner2016-05-061-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | Metrics are basically defined to order routes with equal prefix, so ordering routes by metric first makes not much sense as that could prefer totally unspecific routes over very specific ones. For instance, the previous code did break installation of routes for passthrough policies with two routes like these in the main routing table: default via 192.168.2.1 dev eth0 proto static 192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.10 metric 1 Because the default route has no metric set (0) it was used, instead of the more specific other one, to determine src and next hop when installing a route for a passthrough policy for 192.168.2.0/24. Therefore, the installed route in table 220 did then incorrectly redirect all local traffic to "next hop" 192.168.2.1. The same issue occurred when determining the source address while installing trap policies. Fixes 6b57790270fb ("kernel-netlink: Respect kernel routing priorities for IKE routes"). Fixes #1416.
* ikev1: Activate DELETE tasks before other tasks in state ESTABLISHEDTobias Brunner2016-05-061-7/+7
| | | | Fixes #1410.
* ikev1: Don't use rekeyed CHILD_SAs for rekey detectionTobias Brunner2016-05-061-4/+4
| | | | | | | | | | | | An old (already rekeyed) CHILD_SA would get switched back into CHILD_REKEYING state. And we actually want to change the currently installed CHILD_SA to that state and later CHILD_REKEYED and properly call e.g. child_rekey() and not do this again with an old CHILD_SA. Instead let's only check installed or currently rekeying CHILD_SAs (in case of a rekey collision). It's also uncommon that there is a CHILD_SA in state CHILD_REKEYED but none in state CHILD_INSTALLED or CHILD_REKEYING, which could happen if e.g. a peer deleted and recreated a CHILD_SA after a rekeying. But in that case we don't want to treat the new CHILD_SA as rekeying (e.g. in regards to events on the bus).
* ikev1: Don't call updown hook etc. when deleting redundant CHILD_SAsTobias Brunner2016-05-061-0/+1
| | | | Fixes #1421.
* android: New release after fixing a crash during certificate importsTobias Brunner2016-05-061-2/+2
|
* android: Avoid IllegalStateException when importing certificatesTobias Brunner2016-05-061-2/+14
| | | | | | | | | | When certificates are imported via Storage Access Framework we did handle the selection directly in onActivityResult(). However, at that point the activity might apparently not yet be resumed. So committing FragmentTransactions could result in IllegalStateExceptions due to the potential state loss. To avoid that we cache the returned URI and wait until onPostResume() to make sure the activity's state is fully restored before showing the confirmation dialog.
* swanctl: Do not display rekey times for shuntsAndreas Steffen2016-05-051-3/+5
|
* vici list-conns sends reauthentication and rekeying time informationAndreas Steffen2016-05-049-23/+114
|
* swanctl: --list-conns shows eap_id, xauth_id and aaa_idAndreas Steffen2016-05-041-0/+13
|
* android: New release after reducing number of DH groups in proposalTobias Brunner2016-05-041-2/+2
|
* proposal: Remove some weaker and rarely used DH groups from the default proposalTobias Brunner2016-05-041-3/+5
| | | | | | | | | | | This fixes an interoperability issue with Windows Server 2012 R2 gateways. They insist on using modp1024 for IKE, however, Microsoft's IKEv2 implementation seems only to consider the first 15 DH groups in the proposal. Depending on the loaded plugins modp1024 is now at position 17 or even later, causing the server to reject the proposal. By removing some of the weaker and rarely used DH groups from the default proposal we make sure modp1024 is among the first 15 DH groups. The removed groups may still be used by configuring custom proposals.
* android: Use separate label strings for text fields in login dialogTobias Brunner2016-05-036-2/+12
| | | | | In the profile editor the password is now marked as optional in the label, which looks a bit strange in the login dialog.
* android: New release after GUI changes/additionsTobias Brunner2016-05-021-2/+2
|
* android: Show selected user identity in profile listTobias Brunner2016-05-021-3/+9
| | | | This also readds the colons that were removed from the labels.
* android: Allow selection of user identity in GUITobias Brunner2016-05-022-2/+52
|
* android: Add adapter for user ID selectionTobias Brunner2016-05-026-0/+80
|
* android: Add helper function to TrustedCertificateEntry to get subjectAltNamesTobias Brunner2016-05-021-4/+43
| | | | | Duplicates (e.g. with different types) are filtered. If necessary we could later perhaps add a prefix.
* android: Add auto-completion to remote ID and profile nameTobias Brunner2016-05-022-6/+83
| | | | | This makes it easy to explicitly use the server's IP/hostname as remote identity or use it in the profile name.
* android: Make remote identity configurable in the GUITobias Brunner2016-05-027-2/+43
|
* android: Use TextInputLayout in login dialogTobias Brunner2016-05-021-26/+30
|
* android: Use TextInputLayoutHelper in profile editorTobias Brunner2016-05-027-148/+212
| | | | | This adds floating labels and helper texts to the form fields. It also changed/added lots of strings in the editor.
* android: Add TextInputLayout child class that displays a helper text below ↵Tobias Brunner2016-05-022-2/+185
| | | | | | the text field Also hides the error message if the text is changed.
* android: Use proper namespace for custom attributeTobias Brunner2016-05-021-2/+2
|
* android: Move profile name field to the bottom and use server address as hintTobias Brunner2016-05-022-16/+41
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-07-23 01:04:31 +0000