| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
|
|
|
| |
Or the invoked script will get a broken value when `mark=%unique` is
used in a configuration.
Closes strongswan/strongswan#37.
|
| |
|
|
| |
Fixes #1365.
|
| | |
|
| |
|
|
|
|
|
| |
While building against this level in general would break our app on
older systems, the NDK will automatically use this level for 64-bit
ABI builds (which are not supported in older levels). So to build
against 64-bit ABIs we have to support this API level.
|
| |
|
|
| |
Not really relevant, just to make sure both file lists are the same.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
was called
A thread might check out a new IKE_SA via checkout_new() or
checkout_by_config() and start initiating it while the daemon is
terminating and the IKE_SA manager is flushed by the main thread.
That SA is not tracked yet so the main thread is not waiting for it and
the other thread is able to check it in and creating an entry after flush()
already terminated causing a memory leak.
Fixes #1348.
|
| |
|
|
| |
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
|
| | |
|
| |
|
|
| |
References #1347.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Running or undoing start actions might require enumerating IKE_SAs,
which in turn might have to enumerate peer configs concurrently, which
requires acquiring a read lock. So if we keep holding the write lock while
enumerating the SAs we provoke a deadlock.
By preventing other threads from acquiring the write lock while handling
actions, and thus preventing the modification of the configs, we largely
maintain the current synchronous behavior. This way we also don't need to
acquire additional refs for config objects as they won't get modified/removed.
Fixes #1185.
|
| | |
|
| |
|
|
|
|
| |
Same as the change in the connmark plugin.
References #1229.
|
| |
|
|
|
|
|
|
|
| |
This allows e.g. modified versions of xl2tpd to set the mark in
situations where two clients are using the same source port behind the
same NAT, which CONNMARK can't restore properly as only one conntrack entry
will exist with the mark set to that of the client that sent the last packet.
Fixes #1230.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
By settings a matchmask that covers the complete rule we ensure that the
correct rule is deleted (i.e. matches and targets with potentially different
marks are also compared).
Since data after the passed pointer is actually dereferenced when
comparing we definitely have to pass an array that is at least as long as
the ipt_entry.
Fixes #1229.
|
| | |
|
| |
|
|
|
|
| |
The IKEv1 IPV4_ADDR_SUBNET, IPV6_ADDR_SUBNET, IPV4_ADDR_RANGE and
IPV6_ADDR_RANGE identities have been fully implemented and can be
used as owners of shared secrets (PSKs).
|
| |
|
|
| |
Numerically configured attributes are currently sent for both versions.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
addresses
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We do these checks after the SA is fully established.
When establishing an SA the responder is always able to install the
CHILD_SA created with the IKE_SA before the initiator can do so.
During make-before-break reauthentication this could cause traffic sent
by the responder to get dropped if the installation of the SA on the
initiator is delayed e.g. by OCSP/CRL checks.
In particular, if the OCSP/CRL URIs are reachable via IPsec tunnel (e.g.
with rightsubnet=0.0.0.0/0) the initiator is unable to reach them during
make-before-break reauthentication as it wouldn't be able to decrypt the
response that the responder sends using the new CHILD_SA.
By delaying the revocation checks until the make-before-break
reauthentication is completed we avoid the problems described above.
Since this only affects reauthentication, not the original IKE_SA, and the
delay until the checks are performed is usually not that long this
doesn't impose much of a reduction in the overall security.
|
| |
|
|
|
|
| |
On failure the SA is deleted and reestablished as configured. The task
is activated after the REAUTH_COMPLETE task so a make-before-break reauth
is completed before the new SA might get torn down.
|
| | |
|
| |
|
|
| |
We also update the auth config so the constraints are not enforced.
|
| |
|
|
| |
IKE_SA
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
enumerator
We already do this in the trusted public key enumerator (which
internally uses the trusted certificate enumerator) but should do so
also when this enumerator is used directly (since the public key
enumerator has the read lock the additional call will just be skipped
there).
|
| |
|
|
| |
enumerator
|
| |
|
|
| |
Same as with charon-systemd.
|
| |
|
|
|
|
|
|
| |
Our default config files are very charon specific. So to avoid
confusion when only charon-systemd is installed we just default to all
settings defined for charon. Since charon-systemd probably won't be used
together with charon this should not cause conflicts (settings may still
be overridden via the charon-systemd section).
|
| |
|
|
|
|
|
|
|
|
| |
library_init()
Because settings are already accessed in library_init(), calling
add_fallback() externally after calling library_init() is not ideal.
This way namespaces already serve as fallback while library_init() is
executed and they are also in the correct order so that libstrongswan is
always the last root section.
|
| |
|
|
| |
This also leaves unmodified configs as they are.
|
| | |
|
| | |
|
| |
|
|
| |
This also compares the complete lists not only the first two items.
|
| | |
|
| | |
|
| |
|
|
| |
in the request
|
| |
|
|
|
|
|
| |
Some implementations might otherwise not recognize the NAT-D payload
type. Also moves SIG and HASH payloads last in these messages.
Fixes #1239.
|
