Since comments in resolv.conf are only valid at the beginning of a line
resolvconf(8) seems to have started treating any text after
'nameserver <ip>' as additional IP addresses for name servers.
Since it ignores comments, and we can easily remove the added servers
again, there is no point to add any.
Build all shared libraries with -no-undefined and link them properly
The flag is required to convince libtool on Cygwin to build DLLs. But on
Windows these shared libraries can not have undefined symbols, so we have to
link them explicitly to the libraries they reference.
For plugins this is currently not done, so only the monolithic build is
supported. The plugin loader wouldn't be able to load DLLs anyway, as
it tries to load files that don't exist on Cygwin.
Thomas Egerer [Fri, 23 Aug 2013 12:15:44 +0000 (14:15 +0200)]
ikev1: For PFS prefer DH group from IKE_SA over first configured
If PFS is configured for a CHILD_SA first try to create a list of
proposals with using DH group negotiated during phase 1. If the
resulting list is empty (i.e. the DH group(s) configured for PFS differ
from the one(s) configured for the IKE_SA), fall back to the first
configured DH group from the CHILD_SA.
This modificiation is due to the fact that it is likely that the peer
supports the same DH group for PFS it did already for the IKE_SA.
kernel-netlink: increase buffer size for RT netlink messages
Commit 940e1b0f66dc04b0853414c1f4c45fa3f6e33bdd "Filter ignored
interfaces in kernel interfaces (for events, address enumeration,
etc.)" made charon to ignore routes with unusable interfaces.
Unusable interface is one where charon has not seen RTM_NEWLINK
message from the kernel.
Sometime RTM_NEWLINK message can be 1048 bytes large. This is
24 bytes more than currently allocated buffer of 1024 bytes.
If kernel sends such a large message, then it would be silently
ignored by charon and corresponding interface would never become
usable. Hence strongSwan might resolve invalid source IP address
in get_route() function. This would prevent IPsec tunnel to be
established.
To reproduce create a VLAN interface with following command:
Martin Willi [Wed, 4 Sep 2013 08:43:35 +0000 (10:43 +0200)]
Merge branch 'ike-address-ranges'
Adds support for multiple subnets and address ranges in left/right ipsec.conf
options. As responder the connection is acceptable if the address is in one of
the ranges/subnets. To initiate connections, at least one single IP or hostname
is required for the peer address.
Martin Willi [Thu, 25 Jul 2013 13:37:13 +0000 (15:37 +0200)]
ike: support multiple addresses, ranges and subnets in IKE address config
Replace the allowany semantic by a more powerful subnet and IP range matching.
Multiple addresses, DNS names, subnets and ranges can be specified in a comma
separated list. Initiators ignore the ranges/subnets, responders match
configurations against all addresses, ranges and subnets.
Martin Willi [Tue, 3 Sep 2013 13:44:43 +0000 (15:44 +0200)]
stroke: ignore a leftsourceip if a rightsourceip is given as well
As we always negotiate virtual IPs in charon, having both left- and
rightsourceip is not allowed. Both in IKEv1 and IKEv2 we support a single
configuration payload exchange only.
Martin Willi [Tue, 3 Sep 2013 14:32:27 +0000 (16:32 +0200)]
Merge branch 'xauth-radius-multi'
Introduces multiple rounds in the eap-radius XAuth backend, concatenating
answers to a single password to verify using a RADIUS User-Password attribute.
This is known to work fine with iOS and OS X clients, allowing two-factor
authentication with proper dialogs.
Different XAuth "profiles" for each backend can be selected using a generic
colon sperated suffix for the XAuth string.
Martin Willi [Tue, 23 Jul 2013 12:24:58 +0000 (14:24 +0200)]
xauth: add a configuration string option to be passed to XAuth instances
The configuration string is appended to the XAuth backend name, separated by
a colon. The configuration string is passed untouched to the backend, where
it can change the behavior of the XAuth module.
Tobias Brunner [Fri, 30 Aug 2013 17:33:22 +0000 (19:33 +0200)]
conftest: Fix hook constructor resolution via dlsym()
AM_CPPFLAGS only takes preprocessor flags like -I or -D, so it did not
forward -rdynamic to the linker (--export-dynamic), which meant that the
symbols defined in the executable itself were not resolvable via dlsym().
Martin Willi [Fri, 23 Aug 2013 12:22:29 +0000 (14:22 +0200)]
stroke: stop enumerating IKE_SAs in statusall if output stream gets closed
If the output stream is not interested in more information, it can close the
the stream. Checking for stream errors avoids useless enumeration of IKE_SAs,
saving resources. This allows to use "ipsec statusall | head" to monitor the
daemon, or stop enumerating IKE_SAs after a specific entry has been found.
Tobias Brunner [Wed, 21 Aug 2013 14:52:19 +0000 (16:52 +0200)]
kernel: Restore enumeration of all addresses when searching for address in TS
Since f52cf07532 addresses on ignored, down or loopback interfaces were
not considered as valid addresses anymore when searching for an address
contained in the local traffic selector. This meant that route
installation failed, for instance, if charon.install_virtual_ip_on was
set to 'lo', or, on gateways, if internal interfaces were ignored with
the charon.interfaces_* options.