| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| | |
|
| |
|
|
|
| |
Don't make clients wait for the TCP connections to timeout by dropping
packets. By rejecting them the OCSP requests fail immediately.
|
| |
|
|
|
|
| |
ifdown calls bind's rndc, which tries to access TCP port 953 on lo.
If these packets are dropped by the firewall we have to wait for the TCP
connections to time out, which takes quite a while.
|
| |
|
|
|
|
| |
With -W we reduce timeouts when we don't expect a response. With -i the
interval between pings is reduced (mostly in case of auto=route where
the first ping yields no reply).
|
| |
|
|
|
| |
By consistently using the `expect-connection` helper we can avoid pretty
much all previously needed calls to sleep.
|
| |
|
|
|
| |
A DPD timeout job is queued whenever a DPD is sent, i.e. after the
DPD delay already has elapsed, so we have to compensate for that.
|
| | |
|
| |
|
|
|
|
|
| |
It rarely takes 1 second or longer to terminate the daemon. This
decreases the runtime of the post test step a lot where `ipsec stop`
is called for multiple hosts in each test case (10-15 minutes over all
test cases).
|
| |
|
|
| |
tests earlier
|
| |
|
|
|
|
| |
We will use this to set some defaults (e.g. timeouts to make testing
negative tests quicker). We don't want these settings to show up in the
configs of the actual scenarios though.
|
| |
|
|
| |
Fixes #1138.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
This can be useful when writing custom plugins as typos or missing
linker flags that result in unresolved symbols in the shared object
could otherwise cause late crashes. In particular, if such a symbol
is used in a code path that is rarely executed. During development
and testing using RTLD_NOW instead of RTLD_LAZY will prevent the
plugin from getting loaded and makes the error visible immediately.
|
| | |
|
| |
|
|
|
|
| |
Obtained-from: pfSense
Sponsored-by: Rubicon Communications (Netgate)
Closes strongswan/strongswan#17.
|
| |
|
|
|
|
|
|
|
|
| |
The `nat-local` and `nat-remote` keys contain information on the NAT
status of the local and remote IKE endpoints, respectively. If a
responder did not detect a NAT but is configured to fake a NAT situation
this is indicated by `nat-fake` (if an initiator fakes a NAT situation
`nat-local` is set). If any NAT is detected or faked `nat-any` is set.
Closes strongswan/strongswan#16.
|
| |\
| |
| |
| |
| |
| | |
Fixes NULL encryption in libipsec.
Fixes #1174.
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
We don't need an IV for NULL encryption, so we wouldn't technically need
an IV generator. But some of the code currently relies on an IV
generator to be present. So we don't have to change that code and
handle IV size == 0 specially we use the new NULL IV generator, which
handles this transparently to the existing code.
Before 3c81cb6fc322 ("aead: Create AEAD using traditional transforms
with an explicit IV generator") iv_gen_rand_t was used for NULL
encryption, which would work too but this way it's clearer.
|
| |/
|
|
|
| |
This does not actually allocate an IV and only accepts requests
for size == 0.
|
| |
|
|
|
|
|
|
|
| |
If the openssl plugin is not enabled we need these to generate session
IDs and to authenticate the users.
The md4 plugin is not needed in the manager.
Fixes #1168.
|
| |
|
|
| |
Fixes #1191.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
Adds XFRM state/policy flush when terminating which caused tests to fail
due to the check added with 9086f060d35a ("testing: Let test scenarios
fail if IPsec SAs or policies are not removed").
|
| | |
|
| |
|
|
| |
Like AES in CTR mode it includes a 4 byte nonce.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Due to the nonce, the ESP key material is four bytes longer than needed for
the actual AES key. The crypto plugins, however, register their AES-CTR
implementations with the AES key length, so the lookup here failed.
For IKEv2 the key material is allocated after creating a crypter instance
with the negotiated AES key size. The length of the actual key material is
retrieved via get_key_size(), which adds the four bytes to the AES key length.
Fixes #1124.
|
| |
|
|
|
|
| |
These might have changed by a peer-initiated MOBIKE address update.
Fixes #1125.
|
| |\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
With these changes an INFORMATIONAL message (e.g. with an INITIAL_CONTACT
notify) that arrives while a responder is waiting for the last Aggressive
Mode request gets queued and delivered later. Previously such messages
caused the IKE_SA to fail as some tasks waiting for the last AM message
fail when trying to handle the INFORMATIONAL message. Therefore, all
other messages, such as TRANSACTION and QUICK_MODE requests, are now
dropped until AM is complete. These don't have to be cached as they get
retransmitted by the other peer.
Fixes #1130.
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| |/
|
|
| |
message
|
| |
|
|
|
|
| |
configurable
Fixes #1128.
|
| |
|
|
| |
Fixes 858148092d1e ("Replace usages of sigwait(3) with sigwaitinfo(2)")
|
| |
|
|
|
|
|
|
| |
If -1 was returned on the first call to read() `done` got SIZE_MAX
and the function returned TRUE even though no actual random data had
been allocated.
Fixes #1156.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
are handled delayed
If we haven't received the third QM message for multiple exchanges the
return value of NEED_MORE for passive tasks that are not responsible for
a specific exchange would trigger a fourth empty QM message.
Fixes: 4de361d92c54 ("ikev1: Fix handling of overlapping Quick Mode exchanges")
References #1076.
|
| |
|
|
|
|
|
|
|
|
|
| |
Previously, the current segment was held while checking for duplicate
SAs, which requires acquiring all segments. If multiple threads did this
concurrently this resulted in a deadlock as they couldn't acquire the
segments held by the other threads attempting to do the same. With the
default configuration only one segment is used, which prevents the problem
as only one thread can check in an IKE SA concurrently.
Fixes: a064eaa8a63a ("Handling of initial contact")
|
| |
|
|
|
|
|
| |
This is basically the same call, but it has the advantage of being
supported by FreeBSD's valgrind, which sigwait() is not.
References #1106.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
scenario
The default of 56 bytes already exceeds the threshold of 90 bytes (8 bytes
ICMP + 40 bytes IPv6 = 104 bytes). By reducing the size we make sure the
packet is not compressed (40 + 8 + 40 = 88).
This also fixes a strange failure of this scenario due to the recently
added post-test `ip xfrm state` check. The kernel stores a reference to
the used SAs on the inbound skbuffs and since these are garbage collected
it could take a while until all references to an SA disappear and the SA
is finally destroyed. But while SAs might not get destroyed immediately
when we delete them, they are actually marked as dead and therefore won't
show up in `ip xfrm state`. However, that's not the case for the tunnel
SAs the kernel attaches to IPComp SAs, which we don't explicitly delete,
and which aren't modified by the kernel until the IPComp SA is destroyed.
So what happened when the last ping unintentionally got compressed is that
the skbuff had a reference to the IPComp SA and therefore the tunnel SA.
This skbuff often was destroyed after the `ip xfrm state` check ran and
because the tunnel SA would still get reported the test case failed.
|
| | |
|
