History log of /external/ipsec-tools/main.c
Revision Date Author Comments
66d08f4f81c446015c03113bd86d1ef5121bab36 17-Sep-2012 Chia-chi Yeh <chiachi@android.com> ipsec-tools: fix the reconnecting issue by delaying closing sockets.

When upper layers die first, the server might send messages to purge
IPSec sessions. If the sockets are closed before consuming these messages,
the server might keep sending for several minutes. The next run might
fail because of these messages.

Ideally messages for the previous run should be dropped. However, the
server might think sessions are being renewed, so it sends updated
messages to purge them. This change tries to fix the issue by delaying
for a few seconds before exiting.

Bug: 6376948
Change-Id: If735a7a202a2ac7763966e300936bc6e6ba4a53c
/external/ipsec-tools/main.c
c1b51d45a7363d6fa58b59bf6f12182993a7c1d0 15-Mar-2012 Kenny Root <kroot@google.com> Add support for OpenSSL ENGINE for keystore

keystore now has an OpenSSL ENGINE frontend that can be used to ask for
private keys or public keys to be loaded and also signing operations to
take place. Use that instead of the crazy byte-array marshalling of the
private key material that is used for the "privsep" stuff.

Change-Id: I6171ca1fb0e77e338c19f04d8c34ad7744984b63
/external/ipsec-tools/main.c
c91307af2622f6625525f3c1f9c954376df950ad 26-Mar-2012 Chia-chi Yeh <chiachi@android.com> ipsec-tools: back-port 0.7.3 to Android.

Lots of checks and features were added to ipsec-tools 0.8.0.
However, they broke the compatibility with existing VPN servers.
I was unable to fix all of them in 0.8.0, so I chose to port
0.7.3 back with the new VPN types we added in ICS release.

Bug: 6191668
Change-Id: I86a7218f7f5146d4a9b129d46c89839a82b0008f
/external/ipsec-tools/main.c
cadace43df20e28cc98c2068b327ec3ebe119418 09-Dec-2011 Chia-chi Yeh <chiachi@android.com> ipsec-tools: notify the death of racoon by touching a file.

Since racoon removes SPD policies when it dies, packets from upper
VPN layers might pass through without IPSec's protection. Here we
add a mechanism to close the gap as much as possible.

Bug: 5714296
Change-Id: If5ebdea3ee1444c18e062b24db724b1575dbdf2d
/external/ipsec-tools/main.c
3724e61c7fb7a792d36c4dbec826e06b1aabd039 22-Aug-2011 Chia-chi Yeh <chiachi@android.com> ipsec-tools: update control protocol.

Now closing the control socket becomes a signal of termination.
Thus it is no longer closed after getting the arguments.

Change-Id: Ie042c97e0c50c949a7627b782d21edb872672de4
/external/ipsec-tools/main.c
a9a07aca7cd1e611f2d73582f20623cd62b917ba 20-Jul-2011 Chia-chi Yeh <chiachi@android.com> ipsec-tools: slightly improve the security.

If racoon is running as a service, do not trust
the script passed from the control socket.

Change-Id: I8e0115848cd4fa865d68452c9ecab20f6eac0921
/external/ipsec-tools/main.c
dc6f5b944434891dabd1aed297676349b58cb893 15-Jul-2011 Chia-chi Yeh <chiachi@android.com> ipsec-tools: fix a bug of modifying envp directly.

Change-Id: I739af06314245a99121704647521c311e79d2653
/external/ipsec-tools/main.c
4dd8f6be6496fc7cb7b7351c79f6a90be7be8991 14-Jul-2011 Chia-chi Yeh <chiachi@android.com> ipsec-tools: update control protocol.

Change-Id: I1ebaadb1ce5fe092336bc13713b021a20603b5d0
/external/ipsec-tools/main.c
12f449335c62c731f6eb33db7e27ce331f423f71 14-Jul-2011 Chia-chi Yeh <chiachi@android.com> ipsec-tools: close the control socket after initialized.

It seems that the socket to be protected by IPSec needs to be created
after SPD policy is inserted. Otherwise the outgoing packets will just
pass through. We close the control socket to notify the framework that
initialization is done.

Change-Id: Ic29188f16333e41d201e0dfe439085e3e6079e39
/external/ipsec-tools/main.c
1070097bb11002f8b5e289982cee9e324ea2f153 13-Jul-2011 Chia-chi Yeh <chiachi@android.com> ipsec-tools: create a TUN interface for internal network.

Assume that the interface with default route is eth0. There are at
least three different ways to set up the internal network.

1. Set internal IP and routes with default gateway on eth0:1.
2. Add a host route on eth0. Set internal IP and direct routes on eth0:1.
3. Add a host route on eth0. Set internal IP and direct routes on tun0.

SPD is set to send all packets from internal IP through the tunnel. Packets
are encapsulated and the final destination is always the VPN server. The
kernel will re-route the packets after re-writing them.

In the first method, the kernel always gets the default gateway as all the
routing rules are added with it. In the second method, internal routes do
not need a gateway since packets will hit the host route after re-routing.
The third method pushes even further since packets will never reach tun0.

In Android, we use the third method for two reasons, easier to clean up
and monitor. The first method has the advantage of not using a host route.
However, it cannot be cleaned up by simply shutting down eth0:1 because
routing rules might stay. The other methods do not have this problem. They
need to handle the host route, but that is much easier. When racoon dies,
tun0 goes away and posts a netlink event, but eth0:1 does not. Therefore,
the third method is much easier to monitor since it gives us the same
behavior with other VPN types.

Change-Id: I0a6eeef471b5a64de39a907f4f4428e86c0b2484
/external/ipsec-tools/main.c
8f3b38855d8849959825acc45dd11144adc7d862 07-Jul-2011 Chia-chi Yeh <chiachi@android.com> ipsec-tools: use pname instead of lcconf->chroot for the android magic.

Change-Id: Id62ce8de798389d9a6504d436a15317a4127ffb8
/external/ipsec-tools/main.c
e9fc376dc7e9ee22358b872c3eb2808fa42160f0 07-Jul-2011 Chia-chi Yeh <chiachi@android.com> ipsec-tools: Support IPSec RSA sessions again.

This change supports command-line usage and android service at
the same time. It also removes the access to native keystore.

Change-Id: Ia3d931b0ba8f83624d668de97c9dfc10280bef3b
/external/ipsec-tools/main.c
f8a6a7636d53a5730c58ae041e4e09ae12e1657c 05-Jul-2011 Chia-chi Yeh <chiachi@android.com> ipsec-tools: Update to 0.8.0.

This change updates ipsec-tools to 0.8.0. However, a quick test reveals
a regression in IPSec PSK sessions. The server rejects the first packet
of phase 2 negotiation with INVALID-ID-INFORMATION error. After testing
files one by one, it turns out that using the old ipsec_doi.c fixes the
problem. Then the next error shows that the identity check failed. This
can be fixed by marking a few lines in isakmp_quick.c just like 0.7.3.

This change adds ipsec_doi-0.7.3.c as a temporary fix. I will come back
and see if I can find the real problem. IPSec RSA sessions will be
covered in the next change.

Change-Id: I48f0026c3be07f506b3901b59202081bf88f41c9
/external/ipsec-tools/main.c
c9ac7d2fae3a233f928fd3f643ffa20b6ea602d3 29-Jun-2011 Chia-chi Yeh <chiachi@android.com> ipsec-tools: switch to use the new control protocol.

Now ipsec pre-shared key is passed via control socket.

Change-Id: I0147c90eaab626a217fc71dce4a6f3d79ae46cc7
/external/ipsec-tools/main.c
b2f80fde2d9ba7f7747873623ca7f6f969b40033 08-Mar-2010 Chia-chi Yeh <chiachi@android.com> modify according to the change of keystore interface.

Change-Id: I110aadb17235a9ce240636371ce457c880b63968
/external/ipsec-tools/main.c
4fa9505300a7249a6c216da88a3180a3a37ef078 18-Sep-2009 Chia-chi Yeh <chiachi@android.com> ipsec-tools: switch to multi-user keystore.
/external/ipsec-tools/main.c
051f86dfca525c160855397f7b6a4fb5ef8df2b5 02-Sep-2009 Chia-chi Yeh <chiachi@android.com> ipsec-tools: updated to 0.7.3.
/external/ipsec-tools/main.c
9d271b685df5830e92a789119fe9b908da2f6c78 30-Jul-2009 Chia-chi Yeh <chiachi@android.com> ipsec-tools: Minor performance tuning.
/external/ipsec-tools/main.c
c454954382b81262dc81ac54e147f4dc7fc0af75 22-Jul-2009 Chia-chi Yeh <chiachi@android.com> ipsec-tools: Some fixes for rekeying.

Bind sockets to proper interface in order to avoid using host routes.
Rewrite a part of sockmisc.c to work around the ipi_ifindex bug in the Linux kernel.
Enable policy generating when responding to phase 2 negotiation.
Reduce the executable size by about 4KB by simplifying some functions.
/external/ipsec-tools/main.c
7197eb77ef21feeedc5a47de31ded3a19c2af021 13-Jul-2009 Chia-chi Yeh <chiachi@android.com> ipsec-tools: Find local address automatically.
/external/ipsec-tools/main.c
bd5fa3c99638830d3fa1ae5b4fc4988de5ee0f4d 07-Jul-2009 Chia-chi Yeh <chiachi@android.com> ipsec-tools: Get pre-shared key from keystore after setuid(AID_VPN).
/external/ipsec-tools/main.c
b880c6609b0f748abe0ce19fea3b1b2fdfd991be 06-Jul-2009 Chia-chi Yeh <chiachi@android.com> ipsec-tools: Get certificates, private keys, and pre-shared keys from keystore.
/external/ipsec-tools/main.c
ac4023a6627737df5866f2c773059ba42e14a357 01-Jul-2009 Chia-chi Yeh <chiachi@android.com> ipsec-tools: Drop root privilege after getting necessary resources.

Note that GIDs will be configured in init.rc so they are unchanged.
/external/ipsec-tools/main.c
458fe1ef88671dfe580c488973d5573194839087 26-Jun-2009 Chia-chi Yeh <chiachi@android.com> ipsec-tools: Integrate racoon with Android framework.
/external/ipsec-tools/main.c
837a1c77bab77bd62cccb33a15163a962f8dfb97 26-Jun-2009 Chia-chi Yeh <chiachi@android.com> ipsec-tools: Make racoon an easy-to-use command line tool and reduce its size.

The original executable is ~350KB and now it is ~160KB.
Removing debug messages reduces it by about 20KB.
Others are mainly contributed by removing lex/yacc generated code,
which was used to parse configuration files.
/external/ipsec-tools/main.c