| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
| |
This way we only have to pass the traffic selectors once.
|
| |
|
|
| |
Fixes #2146.
|
| |
|
|
| |
Fixes #1192.
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
To handle Phase 2 exchanges on the other HA host we need to sync the last
block of the last Phase 1 message (or the last expected IV). If the
gateway is the initiator of a Main Mode SA the last message is an
inbound message. When handling such messages the expected IV is not
updated until it is successfully decrypted so we can't sync the IV
when processing the still encrypted (!plain) message. However, as responder,
i.e. if the last message is an outbound message, the reverse applies, that
is, we get the next IV after successfully encrypting the message, not
while handling the plain message.
Fixes #1267.
|
| |
|
|
| |
References #1267.
|
| |
|
|
|
|
|
|
| |
It is required for IKEv1 to determine the DH group of the CHILD SAs
during rekeying. It also fixes the status output for HA SAs, which so
far haven't shown the DH group on the passive side.
Fixes #1267.
|
| | |
|
| | |
|
| |
|
|
|
|
| |
This may happen if something like `echo ... > /path/to/fifo` is used
before the plugin was able to create the FIFO. In that case we'd end
up in a loop always reading the same values from the static file.
|
| |
|
|
|
|
|
|
|
|
| |
If AEAD algorithms are used no integrity algorithm will be received from
the other HA node. But since AUTH_UNDEFINED is 1024 and not 0 this value
was incorrectly added to the proposal, resulting in a failure during key
derivation. The variables are now explicitly initialized to 0, as already
was the case for the IKE SAs.
Fixes #1051.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When the IKE_SA is synced without the remote address, after a
reauthentication charon is not able to find it in its connected_peers
table since the destination host will be %any (it's missing in the
message, hence the default from the newly created ike_sa_t -- %any --
will be used).
By adding the value to the HA_IKE_ADD message, we should be able to
solve this problem.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
This fixes support for the secret option, as otherwise the kernel interface
is not registered yet when the trap policy is installed.
|
| | |
|
| |
|
|
|
| |
While such a change is not unproblematic, keeping status_t makes the API
inconsistent once we introduce return values for the public value operations.
|
| | |
|
| |
|
|
|
|
|
|
| |
While this change results in the correct add/update flag during installation,
it exchanges all other values in the child_sa->install() call. We should pass
the correct flag, but determine the add/update flag by other means.
This reverts commit e722ee5d.
|
| |
|
|
|
|
|
|
|
| |
The inbound flag is used to determine if we have to install an update or a new
SA in the kernel. As we do not have allocated SPIs and therefore can't update
an existing SA in the HA plugin, always set the flag to FALSE.
Before 698ed656 we had extra logic for that case, but handling it directly in
the HA plugin is simpler.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
As we now use the same reqid for multiple CHILD_SAs with the same selectors,
having marks based on the reqid makes not that much sense anymore. Instead we
use unique marks that use a custom identifier. This identifier is reused during
rekeying, keeping the marks constant for any rule relying on it (for example
installed by updown).
This also simplifies handling of reqid allocation, as we do not have to query
the marks that is not yet assigned for an unknown reqid.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When rekey_child_sa is called while enumerating the children of an IKE_SA, and
the child to be rekeyed is redundant a QUICK_DELETE task is queued instead of a
QUICK_MODE task. This alters the IKE_SA's list of children (ike_sa_t::child_sas)
invalidating the current element of the child_sa_enumerator. The enumerate
function of linked_list_t will then advance to an element with unpredictable
contents most likely resulting in an segmentation violation. A similar behavior
should be observed when delete_child_sa is called.
This patch creates a list of protocol/spi values while holding the
child_sa_enumerator and performs the rekeying (deletion of redundant) chlidren
after releasing the enumerator.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
|
| |
|
|
|
|
|
| |
The adopt_children_job_create() function is not available when IKEv1 support
is disabled. Fixes uncommon builds using --enable-ha --disable-ikev1.
Fixes #690.
|
| | |
|
| |
|
|
|
|
|
| |
This currently has no effect: We don't include AEAD algorithms in the default
ESP proposal, as we don't know if it is supported by the backend. But as we
hopefully get an algorithm query mechanism on kernel interfaces some day, we
add the appropriate functionality nonetheless.
|
| | |
|
| | |
|
| |
|
|
|
| |
Simply using the pointer is not optimal for our hash table
implementation, which simply masks the key to determine the bucket.
|
| | |
|
| |
|
|
|
|
| |
Due to the previous negation the high bits of the mask were set, which
at least some versions of the Android build system prevent with a compile-time
check.
|
| |
|
|
|
|
|
| |
Replace the allowany semantic by a more powerful subnet and IP range matching.
Multiple addresses, DNS names, subnets and ranges can be specified in a comma
separated list. Initiators ignore the ranges/subnets, responders match
configurations against all addresses, ranges and subnets.
|
| | |
|
| | |
|
| |
|
|
|
|
| |
INCLUDES are now deprecated and throw warnings when using automake 1.13.
We now also differentiate AM_CPPFLAGS and AM_CFLAGS, where includes and
defines are passed to AM_CPPFLAGS only.
|
| |
|
|
|
| |
Not directly returning a linked list allows us to change the internals of
the CHILD_SA transparently.
|
| | |
|
| |
|
|
|
| |
But as the sockets will be created with the user/group of the running
process this might not be required as no change may be needed.
|
| | |
|
| | |
|
| | |
|
| | |
|
