Unfortunately, setLockscreenVisibility() doesn't seem to have any
effect. So the full notification is shown unless the user manually
configures the notification settings.
This allows us to add tiles to Quick Settings and enabling the Always-on
VPN feature in the VPN settings (both require API level 24, but 26 will
be required as targetSdkVersion later this year).
Unless there are profiles created with old versions of the app (< 1.8.0)
that were never updated since, all profiles should already have a UUID
assigned. If not, we do that now with a DB migration.
This is either because a third-party VPN app has the always-on feature
enabled, or because the user denied the permission in the system's confirmation
dialog.
If the always-on feature is enabled for a connection of the built-in VPN
client we get an IllegalStateException, for which we show an updated and
clearer error message.
The type of the value was incorrect (void**) if NULL was passed to cas_ptr()
as expected value, which caused a compiler warning with Clang because
__atomic_compare_exchange_n() expects the types of the first two arguments
to be the same.
armeabi has been superseded by armeabi-v7a and the MIPS ABIs were removed
with the latest NDK (r17), after being marked deprecated for a while.
By not specifying APP_ABI we build for all non-deprecated ABIs.
This allows switching the originally selected IKE config (based on the
IPs and IKE version) to a different one if no matching proposal is found.
This way we don't rely that much on the order of configs anymore and it's
possible to configure separate configs for clients that require weak
algorithms.
Instead of logging the search parameters for IKE configs (which were already
before starting the lookup) we log the configured settings.
The peer config lookup is also changed slightly by doing the IKE config
match first and skipping some checks if that or the local peer identity
doesn't match.
Although being already logged on level 2, these messages are usually just
confusing if they pop up randomly in the log when e.g. querying the configs
or installing traps. So after this the log messages will only be logged when
actually proposing or selecting traffic selectors during IKE.
This way we don't rely on the order of equally matching configs as
heavily anymore (which is actually tricky in vici) and this also doesn't
require repeating weak algorithms in all configs that might potentially be
selected if there are some clients that require them.
There is currently no ordering, so an explicitly configured exactly matching
proposal isn't a better match than e.g. the default proposal that also
contains the proposed algorithms.
In some scenarios we might find multiple usable peer configs with different
IKE proposals. This is a problem if we use a config with non-matching
proposals that later causes IKE rekeying to fail. It might even be a problem
already when creating the CHILD_SA if the proposals of IKE and CHILD_SA
are consistent.
This adds the ability to reference existing sections to the settings parser.
Mainly for swanctl.conf, where this could simplify complex configs a lot
as redundant information has only to be specified once and may then be
included in other sections (there is an example in the man page and
there are some in the unit tests).
Also added is a new setting in filelog sections to specify the path of
the log file (in case it contains characters that are not allowed in section
names). We should encourage people to configure their log files that way
which might allow use to prohibit dots in section names in the future.
There was a potential chance for a race condition if the ensured section
was purged for some reason before using it later.
This also changes the behavior for NULL/empty strings via load_string*
with merge == FALSE, which now purges the config/section.
Similar to the `also` keyword in ipsec.conf, the new syntax allows adding
one or more references to other sections, which means all the settings and
subsections defined there are inherited (values may be overridden, even
with an empty value to clear it).
It's important to note that all subsections are inherited, so if this is
used to reference a connection in swanctl.conf all auth rounds and
children are inherited. There is currently no syntax to limit the
inclusion level or clear inherited sections (but as mentioned, settings
in those inherited sections may be overridden).
Another property is that inherited settings or sections always follow
explicitly defined entries in the current section when they are enumerated.
This is relevant if the order is important (e.g. for auth rounds if `round`
is not specified).
References are evaluated dynamically at runtime, so referring to
sections later in the config file or included via other files is no
problem.
The colon used as separator to reference other sections may be used in
section names by writing :: (e.g. for Windows log file paths).
This is based on a patch originally written in 2016.
This way we get early log messages during plugin loading (including
integrity check results).
Instead of the fallback we could also remove the `customlog` namespace,
which was added to avoid conflicts with other settings/sections.
This was quite confusing previously: While calling insert_before()
and then remove_at() properly replaced the current item, calling them the
other way around inserted the new item before the previous item because
remove_at() changed the enumerator's position to the previous item.
The behavior in corner cases (calling the methods before or after
enumeration) is also changed slightly.
Tobias Brunner