| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
| |
stroke up-nb and stroke down-nb do not block until the command has
finished. Instead, they return right after initiating the respective
operation.
|
| | |
|
| | |
|
| |
|
|
| |
Depending on the failure, the protocol might not yet be set on the CHILD_SA.
|
| |
|
|
|
| |
When cancelling a connection that gets established, cmd_connection_t gets
freed before terminate() is called. This results in kill()ing invalid PID.
|
| | |
|
| | |
|
| |\
| |
| |
| |
| |
| | |
Enable transport mode in NAT situations when using IKEv2. Additionally brings
an extended leftsubnet format, where each subnet can take a separate protocol
and port.
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| | |
This has the same meaning as omitting left/rightsubnet, i.e. replace it
by the IKE address. Supporting %dynamic allows configurations with multiple
dynamic selectors in a left/rightsubnet, each with potentially different
proto/port selectors.
|
| | |
| |
| |
| |
| |
| |
| |
| | |
proto/port
If a transport/BEET SA has different selectors for different proto/ports,
installing just the proto/port of the first SA would break any additional
selector.
|
| | | |
|
| | | |
|
| |/ |
|
| |\
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Checks if a trap policy exists when installing a CHILD_SA as responder,
reuse that reqid and keeping the trap untouched. This makes auto=route on
both sides more reliable.
In addition, we no prevent to refcount an existing policy if the reqid differs;
this should not happen anymore. We now can properly reject new CHILD_SAs in
such conflicts, instead of silently breaking an existing policy.
|
| | |
| |
| |
| |
| |
| |
| | |
When we have a trap installed, but a CHILD_SA gets established for the same
config from the peer, we should reuse the same reqid. Otherwise we would have
two identical policies using different reqids, what we can't handle in our
kernel backend.
|
| | | |
|
| | | |
|
| | | |
|
| |/
|
|
|
|
|
|
|
|
|
|
|
| |
Previously we silently replaced an existing policy with a new one if the
reqid changed for the same selectors. This will break an old policy in the
favour of the new one (for example if two clients behind the same NAT use
transport mode).
With this change any new policy gets rejected if the reqid differs. This will
make sure we break no existing policy. For rekeying and acquires we still can
have overlapping policies (as we use the same reqid), but for unrelated
connections this is not true anymore (it wasn't actually before, we just
silently broke the existing policy).
|
| |
|
|
|
| |
The new commands either export a single end entity certificate or the
full trust chain for a specific connection name.
|
| | |
|
| |
|
|
| |
fails
|
| |
|
|
|
| |
It's not really required anymore (if it ever was) and may cause compiler
warnings when using the non atomic versions of ref_get/ref_put.
|
| |
|
|
|
|
| |
When a connection has a single pool that queries recursively the DHCP backend,
we shouldn't return any attributes directly from DHCP when queried for that
pool.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
If one selector has a wider IP range than the other, but the other has a
wider port/protocol selector than the first one, none is completely contained
in the other. The check for a match using is_contained_in() therefore would
fail. Using get_subset() can handle such cases, fixing configuration selection.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This new flag gives the kernel-interface a hint how it should priorize the
use of newly installed SAs during rekeying.
Consider the following rekey procedure in IKEv2:
Initiator --- Responder
I1 -------CREATE-------> R1
I2 <------CREATE--------
-------DELETE-------> R2
I3 <------DELETE--------
SAs are always handled as pairs, the following happens at the SA level:
* Initiator starts the exchange at I1
* Responder installs new SA pair at R1
* Initiator installs new SA pair at I2
* Responder removes old SA pair at R2
* Initiator removes old SA pair at I3
This makes sure SAs get installed/removed overlapping during rekeying. However,
to avoid any packet loss, it is crucial that the new outbound SA gets
activated at the correct position:
* as exchange initiator, in I2
* as exchange responder, in R2
This should guarantee that we don't use the new outbound SA before the peer
could install its corresponding inbound SA.
The new parameter allows the kernel backend to install the new SA with
appropriate priorities, i.e. it should:
* as exchange inititator, have the new outbound SA installed with higher
priority than the old SA
* as exchange responder, have the new outbound SA installed with lower
priority than the old SA
While we could split up the SA installation at the responder, this approach
has another advantage: it allows the kernel backend to switch SAs based on
other criteria, for example when receiving traffic on the new inbound SA.
|
| |\
| |
| |
| | |
Makes IKE_SA unique ID and CHILD_SA reqid counters atomic.
|
| | | |
|
| | | |
|
| |/
|
|
| |
This allows us to use ref_get() for getting unique values.
|
| |
|
|
| |
Fixes DPD with Cisco IOS sending the DPD vendor ID not in the first message.
|
| |\
| |
| |
| |
| | |
Properly notifies the responder if authentication of an IKE_SA or installation
of a CHILD_SA fails as initiator, keeping SA state on peers consistent.
|
| | | |
|
| | | |
|
| | |
| |
| |
| |
| |
| | |
RFC 5996 compatible implementations MAY send an INFORMATIONAL message
with an AUTHENTICATION_FAILED if the initiator failed to authenticate us.
Handle such a message like a DELETE for an IKE_SA.
|
| |/
|
|
|
|
|
| |
According to RFC 5996, we MAY send an INFORMATIONAL message having an
AUTHENTICATION_FAILED. We don't do any retransmits, though, but just close
the IKE_SA after one message has been sent, avoiding the danger that an
unauthenticated IKE_SA stays alive.
|
| |\
| |
| |
| |
| | |
Extend fetcher interface by an option to specify a source IP, implement
it in the curl plugin and provide a --bind option in scepclient.
|
| | | |
|
| | | |
|
| |/ |
|
| |
|
|
|
|
| |
While this was problematic in earlier releases, it seems that it works just
fine the way we handle compression now. So there is no need to disable it over
NATed connections or when using forceencaps.
|
| |
|
|
|
|
|
|
|
| |
If uses of dlopen(), e.g. when loading plugins, produce errors an error
string could get allocated dynamically. At this point realloc() might not
yet be resolved and when dlsym() is later called by leak detective to do
so the error string might get freed while leak detective is disabled and
real_free() will be called with a pointer into one of leak detective's
memory blocks instead of a pointer to the block itself, causing a SIGSEGV.
|
| |
|
|
|
|
|
| |
The previous code did not properly check for the situation when the
DELETE for a redundant CHILD_SA created by a responder during a
CHILD_SA rekey collision arrives before the responder's answer to the
initiator's winning CREATE_CHILD_SA request.
|
