Either use the sequence number from the kernel (and potentially update
it if the acquire was retriggered), or generate our own sequence
numbers, which simplifies matching acquires to established/destroyed
CHILD_SAs.
When cross-compiling for Windows on Ubuntu, we don't have POSIX regular
expressions available (there does not seem to be any alternative libraries
either), but since the tests are not executed that's OK. On AppVeyor,
MSYS2 has libgnurx installed, which works fine but requires explicit
linking with `-lregex`.
This is loosely based on a patch by Thomas Egerer.
Threads initiating SAs can get stuck on the semaphore in
wait_for_listener() during shutdown if the corresponding job is never
executed. A particular case when this can happen is if more initiations
are triggered than worker threads are available. This causes a (known)
deadlock as no workers are free anymore to process jobs (for inbound
messages or timeouts etc.), including the one to initiate an SA.
This change at least allows a proper shutdown.
The plugin was apparently broken for years because it uses functions that
don't exist anymore. It was quite limited anyway, so it was never really
used in OpenWrt to begin with (instead they generate configs in a custom
init script).
The `crypt` functions defined here conflict with the `crypt` function
defined in `unistd.h` and trigger compilation errors when building
against the latest version of AWS-LC, which introduced a new transitive
include of `unistd.h` via `bio.h`.
This simply renames the function to avoid the error.
Closesstrongswan/strongswan#2786
A recent gettext release (0.25 via Homebrew) installs the M4 macros in a
different location (<prefix>/share/gettext/m4 instead of
<prefix>/share/aclocal). According to the commit messages to avoid "bad
interactions between autoreconf and autopoint". Since we only depend
on gettext for that macro and this move makes it complicated, we can also
just integrate the macro from gnulib directly (which gettext 0.18+ relies
on anyway).
This changes how EAP identities are used from the config. Instead of
setting a statically configured identity != %any, an EAP-Identity
exchange is now always initiated (and required). If the received identity
doesn't match, the peer config is switched to one with a matching
identity (wildcards are supported for that match). This allows switching
to a config with a different EAP method or child settings based on the
EAP identity.
There is currently no "best" match. The configs are evaluated based on
the order returned from the initial peer config lookup.
References strongswan/strongswan#2702
Newer NDKs have RISC-V as experimental ABI (not enabled by default, see
next commit). If we don't have a mapping for a specific target, OpenSSL
falls back to 'android-arm', so that won't really work (interestingly,
it does build).
These sockets are closed immediately again, so no need to re-protect them
during roaming events.
References strongswan/strongswan#1691
Fixes: 6d87a8651068 ("android: Use new sockets to determine source IP")
If this is not set, it looks like NM shuts down the VPN connection and
calls disconnect() if there is any connectivity change.
References strongswan/strongswan#2707
This enables GRO offload for inbound ESP-in-UDP packets if the
esp4|6_offload modules are loaded. Note that inbound ESP or ESP-in-UDP
packets won't be visible on layer 3 in Netfilter or tcpdump.
Increase buffer to 32 bytes to hold uint64_t completely and check for
overflows after multiplication with size modifiers.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
This allows accepting clients that send proposals with non-optional KE
methods during rekeying, while still accepting clients that use the
previous non-KE default proposals.
This requires a new protocol version as private extensions would enable
unrelated regular extensions, even when sending the private extension
as second attribute (which would work for conditions as they are
explicitly enabled/disabled).
This was originally added with b0e40caafbd7 ("NAT-T conditions were not
inherited during IKE_SA rekeying") in 2008 when there was only a single
inherit() method. Later the inherit_pre() method was added and then
with 094963d1b160 ("ikev2: Apply extensions and conditions before
starting rekeying") in 2014 the extensions and conditions were set
already there.
