Commit message
If the TUN device gets recreated while another thread in handle_plain()
has not yet called select(2) but already stored the file descriptor of the
old TUN device in its FD set, select() will fail with EBADF.
Fixes #301.
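The race described above, as an added example that is not strongSwan's own code: a shared descriptor is published under a mutex, a reader snapshots it before calling select(2), the device is recreated underneath it, and select() on the stale snapshot fails with EBADF. A pipe stands in for the TUN device, and the names tun_fd, get_tun_fd, wait_readable and wait_readable_recover are assumptions. The recovering variant re-reads the current fd once on EBADF instead of treating the error as fatal.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
#include <sys/select.h>
#include <sys/time.h>
#include <unistd.h>

/* Constructed stand-in for the shared TUN descriptor: the read end of a
 * pipe, published under a mutex (names are assumptions, not strongSwan's). */
static int tun_fd = -1;
static pthread_mutex_t tun_lock = PTHREAD_MUTEX_INITIALIZER;

static int get_tun_fd(void)
{
	int fd;
	pthread_mutex_lock(&tun_lock);
	fd = tun_fd;
	pthread_mutex_unlock(&tun_lock);
	return fd;
}

static void set_tun_fd(int fd)
{
	pthread_mutex_lock(&tun_lock);
	tun_fd = fd;
	pthread_mutex_unlock(&tun_lock);
}

/* Wait up to timeout_ms for fd to become readable.
 * Returns 0 on success (ready or timed out), -errno on failure. */
int wait_readable(int fd, int timeout_ms)
{
	fd_set rfds;
	struct timeval tv;

	FD_ZERO(&rfds);
	FD_SET(fd, &rfds);
	tv.tv_sec = timeout_ms / 1000;
	tv.tv_usec = (timeout_ms % 1000) * 1000;
	if (select(fd + 1, &rfds, NULL, NULL, &tv) < 0)
	{
		return -errno;
	}
	return 0;
}

/* Same, but for a snapshot that may already be stale: on EBADF re-read the
 * current descriptor once and retry (bounded, so a genuinely bad fd still
 * reports an error). */
int wait_readable_recover(int fd_snapshot, int timeout_ms)
{
	int fd = fd_snapshot, attempt, rc;

	for (attempt = 0; attempt < 2; attempt++)
	{
		if (fd < 0)
		{
			return -EBADF;
		}
		rc = wait_readable(fd, timeout_ms);
		if (rc != -EBADF)
		{
			return rc;
		}
		fd = get_tun_fd();   /* device was recreated, pick up the new fd */
	}
	return -EBADF;
}

/* Reproduce the race in one thread: snapshot the fd, recreate the "device",
 * then select() on the stale snapshot. Returns 1 when the stale select fails
 * with EBADF and the recovering variant succeeds on the new fd. */
int demo_stale_select(void)
{
	int old_p[2], new_p[2], stale, rc_stale, rc_recover;

	if (pipe(old_p) < 0)
	{
		return 0;
	}
	set_tun_fd(old_p[0]);
	stale = get_tun_fd();              /* snapshot taken before select() */

	/* Recreate: open the new device before closing the old one so the
	 * kernel does not hand the stale number straight back (see note). */
	if (pipe(new_p) < 0)
	{
		return 0;
	}
	set_tun_fd(new_p[0]);
	close(old_p[0]);
	close(old_p[1]);

	rc_stale = wait_readable(stale, 10);           /* stale fd: -EBADF */
	rc_recover = wait_readable_recover(stale, 10); /* retries on new fd: 0 */

	close(new_p[0]);
	close(new_p[1]);
	return rc_stale == -EBADF && rc_recover == 0;
}

int main(void)
{
	printf("stale select detected and recovered: %s\n",
		   demo_stale_select() ? "yes" : "no");
	return 0;
}
```

The retry only helps when the stale number is actually closed. If the recreated device (or any other open) reuses the old fd number, the snapshot silently refers to the wrong file and select() succeeds, so the durable fix is to make readers fetch the descriptor under the same lock that the recreating thread publishes it with, or to stop the readers before recreating.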
Fixes the use of EAP methods in the non-first authentication round if the
initiator demands mutual EAP. Also, mutual EAP can now be enforced when the
initiator sets rightauth=eap, not only with rightauth=any.
Allows the configuration of multiple certificates in leftcert, and selects
the correct certificate to use based on the received certificate requests.
This enables the daemon to select from multiple configured certificates
by building trustchains against the received certificate requests.
Constraints having multiple subject certs defined are fulfilled if
authentication used one of the listed certificates.
Add a systime-fix plugin allowing an embedded system to validate certificates
if the system time has not been synchronized after boot. Certificates of
established tunnels can be re-validated after the system time becomes valid.
The system time can be periodically checked. If it becomes valid, certificates get
rechecked with the current lifetime. If certificates are invalid, associated
IKE_SAs can be closed or reauthenticated.
Migrates Quick Modes to the new Main Mode if an IKEv1 reauthentication replaces
the old Main Mode having a uniqueids=replace policy.
During IKEv1 reauthentication, the virtual IP gets removed, then reinstalled.
The CHILD_SAs get migrated, but any associated route gets removed from the
kernel. Reinstall routes after adding the virtual IP again.
Installs bypass policies for the physical address if a virtual address is
assigned, and installs a proper source route to actually use the physical
address for bypassed destinations.
Conflicts:
src/libcharon/plugins/unity/unity_handler.c
If we install a virtual IP, its source route would render the shunt policy
useless, as locally generated traffic wouldn't match. Having a route for each
shunt policy with higher priority chooses the correct source address for
bypassed destinations.
If we use a virtual IP, having a shunt policy for just that wouldn't work, as
we want a shunt bypass using the local address.
|
|\ \ \ \ \
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Adds a %opaque port option and support for port ranges in left/rightprotoport.
Currently not supported by any of our kernel backends.
Fixes retransmit of the last Main Mode or IKE_AUTH message, and correctly
queues Main Mode messages when processing of the last message is still in
progress.
As the message ID is zero in all Main Mode messages, it can't be used to detect
if we are already processing a given message.
When the last request message of the initial tunnel setup is retransmitted,
we must retransmit the response instead of ignoring the request.
Fixes #295.
Introduces kernel backend features, sends ESP_TFC_PADDING_NOT_SUPPORTED if
the kernel does not support it.
By using the default list enumerator and adding the rules with the public
add() method, clones of auth_cfg_t objects would return the values for
single-valued auth rules in the wrong order (i.e. the oldest instead of the
newest value was returned). Using the internal enumerator (which the comment
already suggested) fixes this, but the clone will not be a full clone as
it does not contain any old values for single-valued auth rules. Since
these will never be used anyway, this should be fine.
In other cases (i.e. when functions return DESTROY_ME) the event should
already be triggered, but not in this forced situation.
SIGRTMIN is defined as 32 while sigset_t is defined as
unsigned long (i.e. holds 32 signals). Hence, the signal
could never be blocked. Sending the signal still canceled
threads, but sometimes in situations where they shouldn't
have been canceled (e.g. while holding a lock).
Fixes #298.
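A check for the sigset_t width problem in the commit above, as an added example and not strongSwan's code: the portable way to learn whether a signal number fits in sigset_t is to test the return value of sigaddset() (and confirm with sigismember()) rather than assume it succeeded, and the block additionally verifies end to end that a blocked signal stays pending until it is unblocked, so a cancellation signal cannot arrive inside a critical section. The function names signal_fits_sigset and verify_signal_blocked are assumptions. On a libc whose sigset_t is a 32-bit unsigned long, signal_fits_sigset(SIGRTMIN) is expected to return 0 and verify_signal_blocked(SIGRTMIN) to return -1; on glibc or musl both report success.

```c
#define _POSIX_C_SOURCE 200809L
#include <limits.h>
#include <pthread.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>

/* Set by the handler when the signal is actually delivered. */
static volatile sig_atomic_t delivered;

static void on_signal(int signo)
{
	(void)signo;
	delivered = 1;
}

/* Can this libc's sigset_t hold signo at all? Checks both the raw width of
 * the type and whether sigaddset()/sigismember() accept the number. */
int signal_fits_sigset(int signo)
{
	sigset_t set;

	if (signo <= 0 || signo > (int)(sizeof(sigset_t) * CHAR_BIT))
	{
		return 0;
	}
	sigemptyset(&set);
	return sigaddset(&set, signo) == 0 && sigismember(&set, signo) == 1;
}

/* Block signo in the calling thread, raise it, and verify it stays pending
 * (handler not run) until unblocked. Returns 1 if blocking works, 0 if the
 * signal got through despite the block, -1 if it cannot be represented in
 * sigset_t or the handler could not be installed. */
int verify_signal_blocked(int signo)
{
	struct sigaction sa, old;
	sigset_t set, pending;
	int result;

	if (!signal_fits_sigset(signo))
	{
		return -1;
	}
	memset(&sa, 0, sizeof(sa));
	sa.sa_handler = on_signal;
	sigemptyset(&sa.sa_mask);
	if (sigaction(signo, &sa, &old) < 0)
	{
		return -1;
	}
	delivered = 0;
	sigemptyset(&set);
	sigaddset(&set, signo);
	pthread_sigmask(SIG_BLOCK, &set, NULL);

	raise(signo);                  /* would run the handler if not blocked */
	sigemptyset(&pending);
	sigpending(&pending);
	result = (delivered == 0 && sigismember(&pending, signo) == 1);

	/* Unblocking delivers the pending signal before pthread_sigmask returns. */
	pthread_sigmask(SIG_UNBLOCK, &set, NULL);
	result = result && delivered == 1;

	sigaction(signo, &old, NULL);
	return result;
}

int main(void)
{
	printf("sigset_t holds %zu signals, SIGRTMIN is %d\n",
		   sizeof(sigset_t) * CHAR_BIT, SIGRTMIN);
	printf("SIGRTMIN fits: %d, blocked correctly: %d\n",
		   signal_fits_sigset(SIGRTMIN), verify_signal_blocked(SIGRTMIN));
	return 0;
}
```

raise() targets the calling thread, so the pending check observes exactly the thread whose mask was changed; in a multi-threaded daemon the same verification must run in the thread that is supposed to be protected, since pthread_sigmask() is per-thread.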