ims-volte-vowifi
/
strongswan
9
0
Fork 0
Code Pull Requests Releases Activity
17,464 Commits 6 Branches 233 Tags 88 MiB
Commit Graph

68 Commits

Author SHA1 Message Date
Tobias Brunner d67a5b0c4d android: Use the default scheduler for short-term events 
Using AlarmManager has quite some overhead, so we use our regular
scheduler for events that are to be executed in the near future.
 2020-06-02 14:07:06 +02:00
Tobias Brunner 1b4c4123c2 android: Use Android-specific scheduler on Android 6 and later 2020-06-02 14:07:06 +02:00
Tobias Brunner b7d66ae2cd android: Add Android-specific implementation of scheduler_t 
This uses AlarmManager to schedule events in a way that ensures the app
is woken up (requires whitelisting when in Doze mode to be woken up at
the exact time, otherwise there are delays of up to 15 minutes).
 2020-06-02 14:07:06 +02:00
Tobias Brunner f3695d089b android: Change how initial log handler is registered 
Previously, if the two utility functions were called while the VPN
connection was established (i.e. charon was initialized) the logger for
libstrongswan would get reset to the initial log handler.  So certain
log messages would not get logged to the log file after the TUN device
was created (one of the helpers is used to convert IPs there).
 2020-06-02 14:07:06 +02:00
Tobias Brunner 070cd12dfb android: Check the current path using DPD after a roaming event 
A new NAT mapping might be created even if the IP stays the same.  Due to
the DPD fallback with NAT keep-alives this might only be necessary in
corner cases, if at all.
 2020-06-02 14:07:06 +02:00
Tobias Brunner 664389ebc4 android: Enable switch from NAT interval to DPDs after 20 seconds 2020-06-02 14:07:06 +02:00
Noel Kuntze 09f4bccfea kernel-netlink: Implement passthrough type routes and use them on Linux 
Enables us to ignore any future kernel features for routes unless
we actually need to consider them for the source IP routes.

Also enables us to actually really skip IPsec processing for those networks
(because even the routes don't touch those packets). It's more what
users expect.

Co-authored-by: Tobias Brunner <tobias@strongswan.org>
 2020-03-10 10:20:58 +01:00
Josh Soref b3ab7a48cc Spelling fixes 
* accumulating
* acquire
* alignment
* appropriate
* argument
* assign
* attribute
* authenticate
* authentication
* authenticator
* authority
* auxiliary
* brackets
* callback
* camellia
* can't
* cancelability
* certificate
* choinyambuu
* chunk
* collector
* collision
* communicating
* compares
* compatibility
* compressed
* confidentiality
* configuration
* connection
* consistency
* constraint
* construction
* constructor
* database
* decapsulated
* declaration
* decrypt
* derivative
* destination
* destroyed
* details
* devised
* dynamic
* ecapsulation
* encoded
* encoding
* encrypted
* enforcing
* enumerator
* establishment
* excluded
* exclusively
* exited
* expecting
* expire
* extension
* filter
* firewall
* foundation
* fulfillment
* gateways
* hashing
* hashtable
* heartbeats
* identifier
* identifiers
* identities
* identity
* implementers
* indicating
* initialize
* initiate
* initiation
* initiator
* inner
* instantiate
* legitimate
* libraries
* libstrongswan
* logger
* malloc
* manager
* manually
* measurement
* mechanism
* message
* network
* nonexistent
* object
* occurrence
* optional
* outgoing
* packages
* packets
* padding
* particular
* passphrase
* payload
* periodically
* policies
* possible
* previously
* priority
* proposal
* protocol
* provide
* provider
* pseudo
* pseudonym
* public
* qualifier
* quantum
* quintuplets
* reached
* reading
* recommendation to
* recommendation
* recursive
* reestablish
* referencing
* registered
* rekeying
* reliable
* replacing
* representing
* represents
* request
* request
* resolver
* result
* resulting
* resynchronization
* retriable
* revocation
* right
* rollback
* rule
* rules
* runtime
* scenario
* scheduled
* security
* segment
* service
* setting
* signature
* specific
* specified
* speed
* started
* steffen
* strongswan
* subjectaltname
* supported
* threadsafe
* traffic
* tremendously
* treshold
* unique
* uniqueness
* unknown
* until
* upper
* using
* validator
* verification
* version
* version
* warrior

Closes strongswan/strongswan#164.
 2020-02-11 18:23:07 +01:00
Tobias Brunner 07a6e59b1c android: Fix remote identity fallback after changing IKE config creation 
Fixes: 9486a2e5b0 ("ike-cfg: Pass arguments as struct")
 2019-06-18 10:22:57 +02:00
Tobias Brunner 44e74d9f3e android: Fix typo when building IKE config 
Fixes: 9486a2e5b0 ("ike-cfg: Pass arguments as struct")
 2019-06-18 10:21:07 +02:00
Tobias Brunner 9486a2e5b0 ike-cfg: Pass arguments as struct 2019-04-25 14:31:33 +02:00
Tobias Brunner 7028e9d31e android: Add helper to parse IP addresses from strings 
Using InetAddress.fromName() is not ideal as it might result in a DNS
resolution, which causes an exception if we do it from the main thread.
 2019-03-05 18:56:09 +01:00
Tobias Brunner ecfe67550d signature-params: Provide option for maximum RSA/PSS salt length 
However, the length now has to be resolved early, so we don't operate on
the negative constant values e.g. when generating the encoding.
 2018-10-26 09:03:26 +02:00
Tobias Brunner 7a6426082a android: Fix implementation of change_state() method in Android IMC 
The signature was changed with 731e043c8e ("libimcv: Reset of IMC state for
new measurement cycle").
 2018-09-21 10:55:34 +02:00
Tobias Brunner 948c42ab2e android: Properly set log file path 2018-09-12 11:44:57 +02:00
Tobias Brunner 485d202adc android: Don't enforce the server address as AAA identity for EAP-PEAP/TTLS 
This is similar to EAP-TLS.  We could probably make this configurable
later.
 2018-07-04 11:52:23 +02:00
Tobias Brunner 19c95c9bc4 android: Change log message when initializing the native code and add a divider 
We don't really start a daemon and the divider should make it easier to
identify retries.
 2018-07-03 11:31:44 +02:00
Tobias Brunner ef0f0cc839 android: Don't use infinite keying tries on Android 5+ 
This way we get some feedback about the issue in the GUI (otherwise it
would just switch to connecting state) and also some delays between retries.
 2018-07-03 11:31:43 +02:00
Tobias Brunner 163f752022 android: Remove Suite B ESP proposals and reorder some algorithms 2018-07-03 11:31:42 +02:00
Tobias Brunner 205ec47ddb android: Add flag to enable RSA/PSS 2018-07-03 11:31:42 +02:00
Tobias Brunner a706058118 android: Add flags to control CRL/OCSP fetching and strict revocation 2018-07-03 11:31:40 +02:00
Tobias Brunner fb3772ec95 android: Log retries to the same log file 
It's cleared when a new connection is started or there is a manual
retry.
 2018-07-03 11:31:39 +02:00
Tobias Brunner ab5dbbc4ab android: Show an error if client certificate is unavailable 
This can happen on systems (e.g. Android 7.x) where Always-on VPNs are
triggered right after booting before the KeyChain is unlocked by the user.
Retrieving the certificate chain or private key then fails with
"KeyChainException: IllegalStateException: keystore is LOCKED" until the
user unlocks the screen once.

The built-in client actually also fails in this situation (e.g. with XAuth
RSA), it tries three times then stops and shows an error notification.
 2018-07-03 11:31:37 +02:00
Tobias Brunner 1b67166921 Unify format of HSR copyright statements 2018-05-23 16:32:53 +02:00
Tobias Brunner 7b72909774 controller: Add option to force destruction of an IKE_SA 
It's optionally possible to wait for a timeout to destroy the SA.
 2018-05-22 10:06:07 +02:00
Tobias Brunner 2db6d5b8b3 Fixed some typos, courtesy of codespell 2018-02-13 12:19:54 +01:00
Tobias Brunner 6bafa2d346 android: Always send the client certificate 
In scenarios where the server accepts client certificates from dozens or
even hundreds of CAs it might be necessary to omit certificate request
payloads from the IKE_SA_INIT response to avoid fragmentation.

As it is rarely the case in road-warrior scenarios that the server
already has the client certificate installed it should not be a problem
to always send it.
 2018-02-08 12:15:36 +01:00
Tobias Brunner 0729be1bfe Merge branch 'android-proposals' 
Makes IKE and ESP proposals configurable.
 2017-11-28 16:23:41 +01:00
Tobias Brunner 4a79434b11 android: Remove modp1024 from the ESP proposals 2017-11-28 16:19:08 +01:00
Tobias Brunner 836a943804 android: Add utility JNI function to validate proposal strings 2017-11-17 18:11:39 +01:00
Tobias Brunner a7c43544dd android: Use optional custom proposals for IKE and ESP 
If the proposal is invalid we fall back to the defaults.
 2017-11-17 14:31:06 +01:00
Tobias Brunner 8b6c23342c android: Free settings string passed via JNI 2017-11-17 14:31:06 +01:00
Tobias Brunner 72b7c0ffd8 android: Add support for creating RSASSA-PSS signatures via JNI 2017-11-08 16:48:10 +01:00
Tobias Brunner de280c2e03 private-key: Add optional parameters argument to sign() method 2017-11-08 16:48:10 +01:00
Tobias Brunner 1fe71a50f1 android: Add log message if failed to retrieve user certificate encoding 2017-11-02 12:19:36 +01:00
Tobias Brunner 829cc56a53 android: Add support to POST data via SimpleFetcher 
That's required for OCSP verification.
 2017-09-04 10:41:29 +02:00
Tobias Brunner 0bebbae9e3 android: Cache CRLs in app directory 
Fixes #2405.
 2017-09-04 10:41:25 +02:00
Tobias Brunner 3fe9a436ee android: Pass absolute path to the app's data directory via JNI 2017-09-04 10:41:25 +02:00
Tobias Brunner ca280574ba Fixed some typos, courtesy of codespell 2017-08-07 17:22:01 +02:00
Tobias Brunner 3f0592d0fd android: Add flag to suppress sending certificate requests 2017-07-03 10:37:09 +02:00
Tobias Brunner db599d6b28 android: Use configured NAT-T keepalive interval 2017-07-03 10:33:29 +02:00
Tobias Brunner c5ba381757 android: Log some information about the Android version and the device 2017-07-03 10:27:51 +02:00
Tobias Brunner 7b4177578b android: Add a simple HTTP(S) fetcher for CRLs 2017-07-03 10:27:50 +02:00
Tobias Brunner 2e4d110d1e linked-list: Change return value of find_first() and signature of its callback 
This avoids the unportable five pointer hack.
 2017-05-26 13:56:44 +02:00
Tobias Brunner 8a2e4d4a8b linked-list: Change interface of callback for invoke_function() 
This avoids the unportable five pointer hack.
 2017-05-26 13:56:44 +02:00
Tobias Brunner 95a63bf281 Migrate all enumerators to venumerate() interface change 2017-05-26 13:56:44 +02:00
Tobias Brunner 94375d46dc android: Send network change events from a separate thread via JNI 
Doing this from the main UI thread (which delivers the broadcast) might
cause an ANR if there is a delay (e.g. while acquiring a mutex in the
native parts). There might also have been a race condition during
termination previously because Unregister() was not synchronized so there
might have been dangling events that got delivered while or after the mutex
in the native parts was destroyed.
 2017-02-17 13:07:30 +01:00
Tobias Brunner 9665686bd8 daemon: Use separate method to set default loggers 
This way it is not necessary to pass the same values to reload the
loggers.
 2017-01-25 14:58:09 +01:00
Tobias Brunner 9920824e70 android: Make sure libtpmtss is loaded on older systems 
On newer Android systems this seems to happen automatically (or does at
least not cause crashes if the library is not loaded).
 2016-12-09 11:16:42 +01:00
Tobias Brunner e03c936982 android: Log any installed DNS servers 2016-12-08 17:14:49 +01:00