Tobias Brunner [Fri, 11 Oct 2013 13:33:06 +0000 (15:33 +0200)]
Merge branch 'fwmarks'
Allows setting a mark on outbound packets and the routing rule
installed by charon. With those settings it is possible to setup
tunnels with kernel-libipsec where the remote peer is part of the remote
traffic selector.
The following example settings in strongswan.conf show how this can be
configured:
Tobias Brunner [Thu, 10 Oct 2013 13:41:29 +0000 (15:41 +0200)]
kernel-libipsec: Don't ignore policies of type != POLICY_IPSEC
This actually broke rekeying due to the DROP policies that are
temporarily added, which broke the refcount as the ignored policies
were not ignored in del_policy() (the type is not known there).
attr-sql: Don't use database transactions in create_attribute_enumerator
There could, of course, be race conditions when enumerating the attributes,
but those probably don't matter (e.g. missing an attribute that was
concurrently added).
Transactions are more intended to revert multiple changes if anything
fails in the process.
Martin Willi [Fri, 11 Oct 2013 09:12:38 +0000 (11:12 +0200)]
Merge branch 'printf-hook'
Adds a custom printf hook implementation as a fallback if neither the glibc
style hooks nor vstr is available. This can avoid the Vstr dependency on some
systems at the cost of slower and less complete printf functions.
Martin Willi [Fri, 11 Oct 2013 09:06:02 +0000 (11:06 +0200)]
printf-hook-builtin: Add a new "builtin" backend using its own printf() routines
Overloads printf C library functions by a self-contained implementation,
based on klibc. Does not yet feature all the required default formatters,
including those for floating point values.
Martin Willi [Fri, 11 Oct 2013 08:24:27 +0000 (10:24 +0200)]
Merge branch 'libipsec-usestats'
Brings SA usage statistics and volume based expiration to libipsec and the
associated kernel-libipsec plugin. Additionally removes any ESPv3 style TFC
padding found in incoming packets.
Martin Willi [Fri, 11 Oct 2013 08:15:43 +0000 (10:15 +0200)]
Merge branch 'ah'
Brings support for Security Associations integrity protected by the
Authentication Header protocol, both to IKEv1 and IKEv2. Currently only plain
AH is supported, but no (now deprecated) RFC2401 style AH+ESP bundles.
Martin Willi [Wed, 18 Sep 2013 12:11:40 +0000 (14:11 +0200)]
ikev1: Accept reauthentication attempts with a keep unique policy from same host
When we have a "keep" unique policy in place, we have to be less strict in
rejecting Main/Aggressive Modes to enforce it. If the host/port equals to
that of an existing ISAKMP SA, we assume it is a reauthentication attempt
and accept the new SA (to replace the old).
Martin Willi [Wed, 18 Sep 2013 11:56:45 +0000 (13:56 +0200)]
ikev1: Delay a potential delete for a duplicate IKE_SA having a replace policy
Sending a DELETE for the replaced SA immediately is problematic during
reauthentication, as the peer might have associated the Quick Modes to the
old SA, and also delete them.
With this change the delete for the old ISAKMP SA is usually omitted, as it
is gets implicitly deleted by the reauth.
android: Don't update state fragments when they are not displayed
Besides that updates don't make much sense when the fragments are not
displayed this fixes the following exception:
java.lang.IllegalStateException: Can not perform this action after
onSaveInstanceState
ikev2: Force an update of the host addresses on the first response
This is especially useful on Android where we are able to send messages
even if we don't know the correct local address (this is possible
because we don't set source addresses in outbound messages). This way
we may learn the correct local address if it e.g. changed right before
reestablishing an SA.
Updating the local address later is tricky without MOBIKE as the
responder might not update the associated IPsec SAs properly.
kernel-netlink: Allow to override xfrm_acq_expires value
When using auto=route, current xfrm_acq_expires default value
implies that tunnel can be down for up to 165 seconds, if
other peer rejected first IKE request with an AUTH_FAILED or
NO_PROPOSAL_CHOSEN error message. These error messages are
completely normal in setups where another application
pushes configuration to both strongSwans without waiting
for acknowledgment that they have updated their configurations.
This patch allows strongswan to override xfrm_acq_expires default
value by setting charon.plugins.kernel-netlink.xfrm_acq_expires in
strongswan.conf.
Adds support to pki --pub to convert public keys to other formats
including SSH keys and DNSKEYs. SSH public keys can also be read
from files in the format used by OpenSSH.