| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
| |
Shunt policies don't have a reqid set, so we allow unequal reqids in
this particular case (i.e. if one of the reqids is 0).
|
| | |
|
| |
|
|
| |
entry
|
| |
|
|
|
|
|
| |
add_policy()
The additional data can be helpful to identify the exact policy to
delete.
|
| |
|
|
| |
This was used with pluto, which had its own policy tracking.
|
| |
|
|
|
|
|
|
| |
If the (un)registering of a kernel interface (net or ipsec) fails, the
plugin loader will never know, since the appropriate functions always
returns TRUE. By making the (un)register functions return a boolean
value, the loader can detect a failure during initializing the kernel
interface and abort charon startup if desired.
|
| |
|
|
| |
Fixes #1201.
|
| | |
|
| | |
|
| |
|
|
|
| |
We could later perhaps add filter parameters similar to those of the
`ipsec leases` command (pool name/virtual IP).
|
| | |
|
| | |
|
| |
|
|
| |
Basically the same change as the one for the socket-default plugin.
|
| |
|
|
|
|
|
|
|
|
|
| |
This ensures we don't pass data (via msg_control) defined in a different
scope to sendmsg(). Actually, some compilers (e.g. GCC 5.2.1) might
optimize the memcpy() call away causing the packets not to get sent from
the intended source address.
It also makes the code clearer than with all these ifdefs.
Fixes #1171.
|
| |
|
|
| |
This makes the code a bit clearer than with the interleaved ifdefs.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
after timestamp
For this to look right time_format should end with %S or %T.
Closes strongswan/strongswan#18.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In some scenarios an IKE_SA might get restarted multiple times (e.g.
due to retransmits and delayed INVALID_KE_PAYLOAD notifies) so that
two IKE_SA_INIT messages might be sent that only differ in the
previously randomly generated NAT_DETECTION_SOURCE_IP payload.
This could cause an authentication failure on the responder if the two
peers don't use the same IKE_SA_INIT message in their InitiatorSignedOctets.
While the payload is generated in a reproducible way it will still change
when the daemon is restarted, which should make detecting the payloads
as fake a bit harder (compared to e.g. just using 0.0.0.0:0 as address).
Fixes #1131.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
If the job gets queued for a newly created IKE_SA it might not yet be
checked in when the job is running, reschedule the job in that case.
This should fix the two p2pnat test scenarios, which occasionally
failed because one of the peers did not initiate the connection to
the mediation server.
|
| |
|
|
|
|
|
|
|
| |
In some cases we call wait_for_entry() but don't actually check out the
entry afterwards (e.g. because it doesn't match certain criteria). So
there won't be a call to checkin() for such entries causing waiting
threads to get signaled. Instead, such threads would be blocked until
another thread properly checks out/in the entry (or does a blocking
enumeration).
|
| |
|
|
| |
Fixes 758b1caa0e75 ("ikev1: Prevent deadlock when checking for duplicate IKEv1 SAs")
|
| |
|
|
|
| |
A DPD timeout job is queued whenever a DPD is sent, i.e. after the
DPD delay already has elapsed, so we have to compensate for that.
|
| |
|
|
|
|
|
| |
It rarely takes 1 second or longer to terminate the daemon. This
decreases the runtime of the post test step a lot where `ipsec stop`
is called for multiple hosts in each test case (10-15 minutes over all
test cases).
|
| |
|
|
| |
Fixes #1138.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
This can be useful when writing custom plugins as typos or missing
linker flags that result in unresolved symbols in the shared object
could otherwise cause late crashes. In particular, if such a symbol
is used in a code path that is rarely executed. During development
and testing using RTLD_NOW instead of RTLD_LAZY will prevent the
plugin from getting loaded and makes the error visible immediately.
|
| | |
|
| |
|
|
|
|
| |
Obtained-from: pfSense
Sponsored-by: Rubicon Communications (Netgate)
Closes strongswan/strongswan#17.
|
| |
|
|
|
|
|
|
|
|
| |
The `nat-local` and `nat-remote` keys contain information on the NAT
status of the local and remote IKE endpoints, respectively. If a
responder did not detect a NAT but is configured to fake a NAT situation
this is indicated by `nat-fake` (if an initiator fakes a NAT situation
`nat-local` is set). If any NAT is detected or faked `nat-any` is set.
Closes strongswan/strongswan#16.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
We don't need an IV for NULL encryption, so we wouldn't technically need
an IV generator. But some of the code currently relies on an IV
generator to be present. So we don't have to change that code and
handle IV size == 0 specially we use the new NULL IV generator, which
handles this transparently to the existing code.
Before 3c81cb6fc322 ("aead: Create AEAD using traditional transforms
with an explicit IV generator") iv_gen_rand_t was used for NULL
encryption, which would work too but this way it's clearer.
|
| |
|
|
|
| |
This does not actually allocate an IV and only accepts requests
for size == 0.
|
| |
|
|
| |
Fixes #1191.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
Like AES in CTR mode it includes a 4 byte nonce.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Due to the nonce, the ESP key material is four bytes longer than needed for
the actual AES key. The crypto plugins, however, register their AES-CTR
implementations with the AES key length, so the lookup here failed.
For IKEv2 the key material is allocated after creating a crypter instance
with the negotiated AES key size. The length of the actual key material is
retrieved via get_key_size(), which adds the four bytes to the AES key length.
Fixes #1124.
|
| |
|
|
|
|
| |
These might have changed by a peer-initiated MOBIKE address update.
Fixes #1125.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
message
|
