Commit message | Author | Age | Files | Lines
Fixes 858148092d1e ("Replace usages of sigwait(3) with sigwaitinfo(2)")
If -1 was returned on the first call to read(), `done` got SIZE_MAX
and the function returned TRUE even though no actual random data had
been allocated.
Fixes #1156.
are handled delayed
If we haven't received the third QM message for multiple exchanges the
return value of NEED_MORE for passive tasks that are not responsible for
a specific exchange would trigger a fourth empty QM message.
Fixes: 4de361d92c54 ("ikev1: Fix handling of overlapping Quick Mode exchanges")
References #1076.
Previously, the current segment was held while checking for duplicate
SAs, which requires acquiring all segments. If multiple threads did this
concurrently this resulted in a deadlock as they couldn't acquire the
segments held by the other threads attempting to do the same. With the
default configuration only one segment is used, which prevents the problem
as only one thread can check in an IKE SA concurrently.
Fixes: a064eaa8a63a ("Handling of initial contact")
This is basically the same call, but it has the advantage of being
supported by FreeBSD's valgrind, which sigwait() is not.
References #1106.
scenario
The default of 56 bytes already exceeds the threshold of 90 bytes (8 bytes
ICMP + 40 bytes IPv6 = 104 bytes). By reducing the size we make sure the
packet is not compressed (40 + 8 + 40 = 88).
This also fixes a strange failure of this scenario due to the recently
added post-test `ip xfrm state` check. The kernel stores a reference to
the used SAs on the inbound skbuffs and since these are garbage collected
it could take a while until all references to an SA disappear and the SA
is finally destroyed. But while SAs might not get destroyed immediately
when we delete them, they are actually marked as dead and therefore won't
show up in `ip xfrm state`. However, that's not the case for the tunnel
SAs the kernel attaches to IPComp SAs, which we don't explicitly delete,
and which aren't modified by the kernel until the IPComp SA is destroyed.
So what happened when the last ping unintentionally got compressed is that
the skbuff had a reference to the IPComp SA and therefore the tunnel SA.
This skbuff often was destroyed after the `ip xfrm state` check ran and
because the tunnel SA would still get reported the test case failed.
left|rightsubnet default to %dynamic, which is basically 0.0.0.0/0 until an
address is assigned to it. So if only one side was undefined and the other
traffic selector was IPv6 an address family mismatch would occur.
References #595.
protocol mismatch
References #595.
If OpenSSL is compiled with OPENSSL_NO_DEPRECATED some of the headers
we include don't include openssl/bn.h anymore. Therefore, we have to
explicitly include it ourselves where we use BN_* functions.
Fixes #1113.
__kernel_sa_family_t is defined and used since Linux 3.1, so on systems
with older kernels (like CentOS 6.7, which still ships a 2.6.32 kernel) the
build with the current UAPI headers fails. And using the native headers on
such system does not really work either because we use structs, defines, and
enum values from the newer headers in the kernel-netlink plugin.
__kernel_sa_family_t is defined in linux/socket.h so we ship that too (in
particular the simplified UAPI version from Linux 3.7+).
Fixes #1099.
Fixes #487.
side
If only one traffic selector had a port (type/code) the other side had
the port mask set to 0, which canceled out the applied type/code.
It also fixes the installation of ICMP type/code on big-endian hosts.
Fixes #1091.
References #595.
References #595.
attributes
Fixes ec490e68ae37 ("eap-radius: Add support for some basic IPv6-specific RADIUS attributes").
References #1001.
This properly detects prefixes encoded as ranges.
whether COOKIEs are sent
From recvfrom(2) (which UDPSocket#recv backs into):
The return value will be 0 when the peer has performed an orderly
shutdown.
(i.e. it will return an empty string)
Previously in this scenario, Vici::Transport#recv_all would spin
forever trying to pull more data off the socket. I'm not entirely
clear what happened that caused strongSwan to shutdown the socket, but
it probably should not cause vici Ruby apps to spin.
Closes strongswan/strongswan#13.
Removes flushing of the IPsec state in the kernel when starter
terminates. We can't easily flush only the policies created for
IPsec SAs (and if installpolicies=no is used we don't want to flush
policies anyway). Also, since existing policies don't cause errors
anymore these aren't really an issue anymore (I think this was one of
the main reasons to flush the state). This behavior is also specific to
starter, so nothing is flushed when charon is used via systemd/swanctl.
This will also allow us to merge libhydra with libcharon in a future
release.
If the previous behavior is needed it can easily be replicated with some
external tools (we could also write a simple utility that does this).
Additional checks in the test environment make sure that the daemon
cleans up the state properly.
The IKE daemon should delete all installed SAs and policies when
everything works properly, so we fail the test if that's not the case.
Similar to conntrack we make sure we are working on a clean slate.
If starter is not used we don't do that either. And this allows us to
move the stuff in libhydra back to libcharon.
We can't control which policies we flush, so if policies are installed
and used outside of strongSwan for other protocols we'd flush them too.
And if installpolicies=no is used we probably shouldn't flush policies
either. Luckily already existing policies are not treated as fatal
errors anymore, so not flushing policies should not be that much of an
issue (in case of a crash in dynamic setups, e.g. with virtual IPs,
policies could be left behind even after restarting the connections and
properly terminating the daemon).
IKE_SAs that are initiated are now counted towards the half-open IKE_SAs
limit. Optionally it is possible to enforce limits towards the number of
half-open IKE_SAs and the job load also when initiating SAs. This is
currently only possible via VICI.