| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
| |
We already do this for the other kernel interfaces.
Fixes e1e88d5adde0 ("libipsec: Don't attempt deletion of any non-IPsec policies")
|
| |
|
|
|
|
|
|
| |
An example are the fallback drop policies installed when updating SAs.
We ignore such policies in add_policy() so there is no point in attempting
to remove them. Since they use different priorities than regular policies
this did not result in policies getting deleted unintentionally but there
was an irritating log message on level 2 that indicated otherwise.
|
| |
|
|
| |
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
|
| |
|
|
|
|
| |
Output is now identical to that of the IKEv2 pubkey authenticator.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
|
| |
|
|
|
|
| |
If DPD timeout is set but to a value smaller than the DPD delay the code
in task_manager_v1.c:queue_liveliness_check will run into an integer
underrun.
|
| |
|
|
|
|
|
|
|
| |
With IKEv1 we have to reuse IKE_SAs as otherwise the responder might
detect the new SA as reauthentication and will "adopt" the CHILD_SAs of
the original IKE_SA, while the initiator will not do so. This could
cause CHILD_SA rekeying to fail later.
Fixes #1236.
|
| |
|
|
|
|
|
|
|
|
|
| |
Otherwise, libcharon's dependency on kernel-ipsec can't be satisfied.
This changed with db61c37690b5 ("kernel-interface: Return bool for
kernel interface registration") as the registration of further
kernel-ipsec implementations now fails and therefore even if other
plugins are loaded the dependency will not be satisfied anymore.
References #953.
|
| |
|
|
|
|
|
|
|
| |
When handling a rekey collision we might have to delete an already
installed redundant CHILD_SA (or expect the other peer to do so).
We don't want to trigger updown events for these as neither do we do
so for successfully rekeyed CHILD_SAs.
Fixes #853.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
To handle Phase 2 exchanges on the other HA host we need to sync the last
block of the last Phase 1 message (or the last expected IV). If the
gateway is the initiator of a Main Mode SA the last message is an
inbound message. When handling such messages the expected IV is not
updated until it is successfully decrypted so we can't sync the IV
when processing the still encrypted (!plain) message. However, as responder,
i.e. if the last message is an outbound message, the reverse applies, that
is, we get the next IV after successfully encrypting the message, not
while handling the plain message.
Fixes #1267.
|
| |
|
|
| |
References #1267.
|
| |
|
|
|
|
|
|
| |
It is required for IKEv1 to determine the DH group of the CHILD SAs
during rekeying. It also fixes the status output for HA SAs, which so
far haven't shown the DH group on the passive side.
Fixes #1267.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
If the retransmit of an initial message is processed concurrently with the
original message it might not have been handled as intended as the
thread processing the retransmit might not have seen the correct value
of entry->processing set by the thread handling the original request.
For IKEv1, i.e. without proper message IDs, there might still be races e.g.
when receiving a retransmit of the initial IKE message while processing the
initiator's second request.
Fixes #1269.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
Closes strongswan/strongswan#23.
|
| |
|
|
| |
Currently both have the value 1024 so no real harm done.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
libsystemd-journal and libsystemd-daemon are now just
part of libsystemd.
Keep original systemd checks as a fallback.
Updates charon-systemd/Makefile.am accordingly.
Tested on:
- debian wheezy (systemd v44)
- ubuntu 15.10 (systemd v255).
Signed-off-by: Chris Patterson <pattersonc@ainfosec.com>
Closes strongswan/strongswan#24.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Switch.pm, which was implemented as a source filter, has been deprecated in
Perl 5.10 and was later removed from the core modules in Perl 5.14 or so.
Unfortunately, its replacement, the given/when/default construct, has since
been downgraded to "experimental" status because of problems with the underlying
"smart-match" operator.
Thus, as of Perl 5.22, Perl still has no actually usable "switch"-like construct.
So just use boring, old and ugly "if/elsif/else" constructs instead, which are
compatible with almost any Perl version.
- None of the Perl modules here does anything that would require "AutoLoader".
- "Exporter" can be used to export plain functions into another modules name
space. But the things that were exported here are meant to be called as
methods. In this case, it is neither necessary nor advisable to export those
symbols.
Just export nothing (the POD documentation already said so).
- It is usually the calling script that enables (or does not enable) warnings
globally. When a module says "use warnings;" however, the caller looses control
over what warnings should be enabled in that module.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The default ESP cipher suite is now
AES_CBC-128/HMAC_SHA2_256_128
and requires SHA-2 HMAC support in the Linux kernel (correctly implemented
since 2.6.33).
The default IKE cipher suite is now
AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
if the openssl plugin is loaded or
AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
if ECC is not available.
The use of the SHA-1 hash algorithm and the MODP_2048 DH group has been
deprecated and ENCR_CHACHA20_POLY1305 has been added to the default
IKE AEAD algorithms.
|
| |
|
|
| |
Fixes: dcb168413fa3 ("stroke: Add --daemon option")
|
| | |
|
| |
|
|
| |
Print a warning if a registered command exceeds that limit.
|
| |
|
|
|
| |
The --issue and --self commands both define 10 lines of usage summary
text.
|
| |
|
|
| |
Print a warning if a registered command exceeds that limit.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
This slowed down the `swanctl --stats` calls in the test scenarios
significantly, with not much added value.
|
| | |
|
| |
|
|
|
|
|
| |
The certificate_printer class allows the printing of certificate
information to a text file (usually stdout). This class is used
by the pki --print and swanctl --list-certs commands as well as
by the stroke plugin.
|
