| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
With make-before-break IKEv2 re-authentication, virtual IP addresses must be
assigned overlapping to the same peer. With the remote IKE address, the backend
can detect re-authentication attempts by comparing the remote host address and
port. This allows proper reassignment of the virtual IP if it is re-requested.
This change removes the mem-pool.reassign_online option, as it is obsolete now.
IPs get automatically reassigned if a peer re-requests the same address, and
additionally connects from the same address and port.
|
| | | |
|
| | | |
|
| | | |
|
| |/ |
|
| |\
| |
| |
| |
| |
| |
| | |
Migrates the attribute framework and associated plugins from libhydra back
to libcharon. libcharon is the only user of this framework since pluto is gone.
With these changes, we can pass the full IKE_SA state to attribute providers
and handlers, bringing more flexibility to these plugins.
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | |
| |
| |
| |
| |
| | |
While it has some tests that we don't directly cover with the new unit tests,
most of them require special infrastructure and therefore have not been used
for a long time.
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| |/
|
|
| |
Since pluto is gone, all existing users build upon libcharon.
|
| |\
| |
| |
| |
| | |
Fixes expires raised by charon-tkm to actually use a proto/dst/SPI tuple to
identify CHILD_SAs.
|
| | |
| |
| |
| |
| |
| | |
This test asserts that the handling of XFRM expire messages from the
kernel are handled correctly by the xfrm-proxy and the Esa Event Service
(EES) in charon-tkm.
|
| | | |
|
| | |
| |
| |
| |
| |
| | |
Use the new get_dst_host getter to retrieve the destination host from
the SAD using the reqid, spi and protocol values received from the
xfrm-proxy.
|
| | |
| |
| |
| |
| | |
This function returns the destination host of an SAD entry for given
reqid, spi and protocol arguments or NULL if not found.
|
| | | |
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
Store the remote instead of the local SPI in the SAD when adding a new
entry in the kernel plugin's add_sa() function.
Since only one ESA context must be destroyed for an inbound/outbound
CHILD SA pair, it does not matter which SPI is used to retrieve it in
the del_sa function.
|
| | |
| |
| |
| |
| | |
Make the CHILD/ESP SA database a public member of the global tkm_t
struct.
|
| | |
| |
| |
| | |
Change 'test_runner' to 'test-runner'.
|
| |/
|
|
|
| |
Extend the tkm/host2host-initiator testcase by asserting proper ESA
deletion after connection shutdown.
|
| |\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
With these changes, charon dynamically allocates reqids for CHILD_SAs. This
allows the reuse of reqids for identical policies, and basically allows multiple
CHILD_SAs with the same selectors. As reqids do not uniquely define a CHILD_SA,
a new unique identifier for CHILD_SAs is introduced, and the kernel backends
use a proto/dst/SPI tuple to identify CHILD_SAs.
charon-tkm is not yet updated and expires are actually broken with this merge.
As some significant refactorings are required, this is fixed using a separate
merge.
References #422, #431, #463.
|
| | | |
|
| | |
| |
| |
| |
| | |
When handling thousands of IKE_SAs, the unique ID based lookup is rather slow,
as we have no indexing.
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | |
| |
| |
| |
| |
| | |
Update the call to hydra->kernel_interface->expire to make
ees_callback.c compile again. The required destination host argument is
set to NULL for now.
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | |
| |
| |
| |
| |
| | |
To quickly check out IKE_SAs and find associated CHILD_SAs, the
child_sa_manager stores relations between CHILD_SAs and IKE_SAs. It provides
CHILD_SA specific IKE_SA checkout functions wrapping the ike_sa_manager.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
As we now use the same reqid for multiple CHILD_SAs with the same selectors,
having marks based on the reqid makes not that much sense anymore. Instead we
use unique marks that use a custom identifier. This identifier is reused during
rekeying, keeping the marks constant for any rule relying on it (for example
installed by updown).
This also simplifies handling of reqid allocation, as we do not have to query
the marks that is not yet assigned for an unknown reqid.
|
| | |
| |
| |
| |
| | |
As the reqid is not that unique even among multiple IKE_SAs anymore, we need
an identifier to uniquely identify a specific CHILD_SA instance.
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
To reassign reqids where appropriate, we explicitly allocate or confirm them
centrally on the kernel-interface.
Currently the state is stored in the kernel-interface wrapper for all
backends, but we may add appropriate methods to each backend to implement
a custom reqid allocation logic, if required.
|
| | | |
|
| | |
| |
| |
| | |
Having traffic selectors sorted properly makes comparing them much simpler.
|
| | | |
|
| | | |
|
