Commit log. Each entry lists: commit message  [author, date, files changed, lines -removed/+added]
* Updated build_database.sh to Ubuntu 14.04  [Andreas Steffen, 2014-05-01, 1 file, -215/+74]
* Updated ITA-IMA finalize messages  [Andreas Steffen, 2014-05-01, 2 files, -6/+6]
* Implemented IMA-NG support  [Andreas Steffen, 2014-05-01, 4 files, -119/+425]
* Merge branch 'unit-tests'  [Martin Willi, 2014-04-30, 5 files, -15/+49]
  Bring some minor improvements to unit testing, including more flexible configuration.
  * unit-tests: Document the supported env variables  [Martin Willi, 2014-04-30, 1 file, -1/+7]
  * unit-tests: Support strongswan.conf defined plugin list and base directory  [Thomas Egerer, 2014-04-30, 1 file, -2/+8]
    tests.load and tests.plugindir to allow the specification of the plugins to be loaded and the directory to load them from.
    Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
  * unit-tests: Allow configuration of libstrongswan via config  [Thomas Egerer, 2014-04-30, 1 file, -10/+14]
    By setting the environment variable TESTS_STRONGSWAN_CONF, the unit tests can be asked to load a configuration file, thus enabling the tester to make use of the usual configuration settings.
    Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
  * unit-tests: Add a ck_assert_chunk_eq() convenience macro  [Martin Willi, 2014-04-30, 1 file, -0/+18]
  * unit-tests: Silence a literal signedness warning raised by GCC 4.6.3  [Martin Willi, 2014-04-30, 1 file, -2/+2]
* sqlite: Allow query arguments to be freed before starting the enumeration  [Tobias Brunner, 2014-04-30, 1 file, -2/+4]
  By marking the string/blob arguments as transient, SQLite will copy and free them automatically.
* Version bump to 5.2.0dr2  [Andreas Steffen, 2014-04-27, 1 file, -1/+1]
* Improved finalize messages in ITA-IMA component  [Andreas Steffen, 2014-04-27, 1 file, -14/+21]
* child-cfg: Fix removal of redundant traffic selectors  [Tobias Brunner, 2014-04-25, 1 file, -1/+1]
  We have to make sure we compare every selected traffic selector with every other in the list.
  Fixes #577.
* android: New release based on 5.1.3  [Tobias Brunner, 2014-04-25, 2 files, -3/+3]
  Also links OpenSSL statically and doesn't limit the number of packets during EAP-TTLS.
* libcharon: Added AEAD sources of libtls to Android.mk  [Tobias Brunner, 2014-04-25, 1 file, -0/+1]
* libimcv: Updated Android.mk  [Tobias Brunner, 2014-04-25, 1 file, -0/+3]
* android: Use static version of libcrypto  [Tobias Brunner, 2014-04-25, 2 files, -2/+1]
  System.loadLibrary() searches in system directories first (at least in recent releases), that is, our own build wouldn't actually get used.
* tun-device: Use SIOCAIFADDR to set IP address on FreeBSD 10  [Tobias Brunner, 2014-04-25, 1 file, -2/+90]
  FreeBSD 10 deprecated the SIOCSIFADDR etc. commands, so we use this newer command to set the address and netmask. A destination address is now also required.
  Fixes #566.
* Merge branch 'atomic-ref'  [Tobias Brunner, 2014-04-24, 7 files, -29/+134]
  Adds support for GCC's __atomic* built-ins and improves the performance of logging (for ignored log levels) and half-open IKE_SA checking under high loads. Also fixes two potential race conditions in the load-tester plugin.
  * bus: Add a fast-path if log messages don't have to be logged  [Tobias Brunner, 2014-04-24, 1 file, -7/+53]
    For some rwlock_t implementations acquiring the read lock could be quite expensive even if there are no writers (e.g. because the implementation requires acquiring a mutex to check for writers), particularly if the lock is highly contended, like it is for the vlog() method.
  * load-tester: Fix race condition issuing same SPI  [Christophe Gouault, 2014-04-24, 1 file, -2/+2]
    Due to an unprotected incrementation, two load-tester initiators occasionally use the same SPI under high load, and hence generate 2 IPsec SAs with the same identifier. The responder IPsec stack will refuse to configure the second SA. Use an atomic incrementation to avoid this race condition.
    Signed-off-by: Christophe Gouault <christophe.gouault@6wind.com>
  * load-tester: Fix race condition issuing same identity  [Christophe Gouault, 2014-04-24, 1 file, -2/+2]
    Due to an unprotected incrementation, two load-tester initiators occasionally use the same identifier under high load. The responder typically drops one of the connections. Use an atomic incrementation to avoid this race condition.
    Signed-off-by: Christophe Gouault <christophe.gouault@6wind.com>
  * ike-sa-manager: Improve scalability of half-open IKE_SA checking  [Tobias Brunner, 2014-04-24, 1 file, -7/+8]
    This patch is based on one by Christophe Gouault.
    Currently, to count the total number of half_open IKE_SAs, get_half_open_count sums up the count of each segment in the SA hash table (acquiring a lock for each segment). This procedure does not scale well when the number of segments increases, as the method is called for each new negotiation. Instead, let's maintain a global atomic counter. This optimization allows the use of big values for charon.ikesa_table_size and charon.ikesa_table_segments.
  * utils: Use GCC's __atomic built-ins if available  [Tobias Brunner, 2014-04-24, 3 files, -8/+45]
    These are available since GCC 4.7 and will eventually replace the __sync operations. They support the memory model defined by C++11. For instance, by using __ATOMIC_RELAXED for some operations on the reference counters we can avoid memory barriers, which are required by __sync operations (whose memory model essentially is __ATOMIC_SEQ_CST).
  * utils: Add ref_cur() to retrieve the current value of a reference counter  [Tobias Brunner, 2014-04-24, 2 files, -3/+24]
    On many architectures it is safe to read the value directly (those using cache coherency protocols, and with atomic loads for 32-bit values) but it is not if that's not the case or if we ever decide to make refcount_t 64-bit (load not atomic on x86). So make sure the operation is actually atomic and that users do not have to care about the size of refcount_t.
* testing: Added pfkey/compress test case  [Tobias Brunner, 2014-04-24, 9 files, -0/+100]
* kernel-pfkey: Added IPComp support  [Francois ten Krooden, 2014-04-24, 1 file, -19/+138]
  - get_cpi function was implemented to retrieve a CPI from the kernel.
  - add_sa/update_sa/del_sa were updated to accommodate for IPComp SA.
  - Updated add_policy_internal to update the SPD to support IPComp.
* packages: New Debian network-manager-strongswan release  [Martin Willi, 2014-04-24, 1 file, -0/+8]
* packages: Hand over network-manager-strongswan debian package maintenance  [Martin Willi, 2014-04-24, 1 file, -1/+4]
* packages: Use charon-nm in network-manager-strongswan debian package  [Martin Willi, 2014-04-24, 1 file, -1/+1]
* nm: Bump NetworkManager plugin version to 1.3.1  [Martin Willi, 2014-04-24, 3 files, -2/+8]
* pacman.sh now fetches Ubuntu 14.04 security updates  [Andreas Steffen, 2014-04-24, 1 file, -1/+22]
* Merge branch 'reauth-collision'  [Martin Willi, 2014-04-17, 2 files, -2/+53]
  Fixes two collisions between IKE_SA re-authentication and CHILD_SA rekeying.
  * ike: Delay actively initiated reauthentication when other exchanges in progress  [Martin Willi, 2014-04-17, 1 file, -2/+47]
    If any other IKE or CHILD_SA operation takes place, we should not start initiating reauthentication to avoid any potential races.
  * ikev2: Reject CHILD_SA creation/rekeying while deleting an IKE_SA  [Martin Willi, 2014-04-17, 1 file, -0/+6]
    If one peer starts reauthentication by deleting the IKE_SA, while the other starts CHILD_SA rekeying, we run into a race condition. To avoid it, temporarily reject the rekey attempt while we are in the IKE_SA deleting state. RFC 4306/5996 is not exactly clear about this collision, but it should be safe to reject CHILD_SA rekeying during this stage, as the reauth will re-trigger the CHILD_SA. For non-rekeying CHILD_SA creations, it's up to the peer to retry establishing the CHILD_SA on the reauthenticated IKE_SA.
* ikev2: Apply extensions and conditions before starting rekeying  [Martin Willi, 2014-04-17, 1 file, -0/+6]
  The extensions and conditions apply to the rekeyed IKE_SA as well, so we should migrate them. Especially when using algorithms from private space, we need EXT_STRONGSWAN to properly select these algorithms during IKE rekeying.
* ikev2: Add inherit_pre() to apply config and hosts before IKE_SA rekeying  [Martin Willi, 2014-04-17, 4 files, -22/+30]
* ikev1: Add an option to accept unencrypted ID/HASH payloads  [Martin Willi, 2014-04-17, 2 files, -1/+35]
  Even in Main Mode, some Sonicwall boxes seem to send ID/HASH payloads in unencrypted form, probably to allow PSK lookup based on the ID payloads. We by default reject that, but accept it if the charon.accept_unencrypted_mainmode_messages option is set in strongswan.conf.
  Initial patch courtesy of Paul Stewart.
* ikev2: Fix reauthentication if peer assigns a different virtual IP  [Tobias Brunner, 2014-04-15, 1 file, -1/+1]
  Before this change a reqid set on the create_child_t task was used as indicator of the CHILD_SA being rekeyed. Only if that was not the case would the local traffic selector be changed to 0.0.0.0/0|::/0 (as we don't know which virtual IP the gateway will eventually assign). On the other hand, in case of a rekeying the VIP is expected to remain the same, so the local TS would simply equal the VIP.
  Since c949a4d5016e33c5 reauthenticated CHILD_SAs also have the reqid set, which meant that the local TS would contain the previously assigned VIP, basically rendering the gateway unable to assign a different VIP to the client as the resulting TS would not match the client's proposal anymore.
  Fixes #553.
* Added NEWS for 5.2.0dr1 (tag: 5.2.0dr1)  [Andreas Steffen, 2014-04-15, 1 file, -0/+12]
* Handle tag separators  [Andreas Steffen, 2014-04-15, 2 files, -13/+16]
* Renewed expired user certificate  [Andreas Steffen, 2014-04-15, 7 files, -49/+75]
* Updated SWID scenarios  [Andreas Steffen, 2014-04-15, 6 files, -4/+18]
* swid_generator software-id does not generate empty lines any more  [Andreas Steffen, 2014-04-15, 1 file, -5/+0]
* Added result information to TPMRA workitems  [Andreas Steffen, 2014-04-15, 8 files, -62/+94]
  On the occasion, got rid of complicated functional component stuff.
* Indicate IMV in assessment log statement  [Andreas Steffen, 2014-04-15, 1 file, -4/+14]
* Implemented segmented SWID tag attributes on IMV side  [Andreas Steffen, 2014-04-15, 58 files, -71/+178]
* Use python-based swidGenerator to generate SWID tags  [Andreas Steffen, 2014-04-15, 38 files, -232/+717]
* Updated imv database templates  [Andreas Steffen, 2014-04-15, 2 files, -14/+15]
* Optimized PTS measurements  [Andreas Steffen, 2014-04-15, 12 files, -294/+132]