| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
| |
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
|
| | |
|
| |\ |
|
| | | |
|
| |/
|
|
|
|
|
| |
The Python VICI library does not check if the socket is closed.
If the daemon closes the connection, _recvall() spins forever.
Closes strongswan/strongswan#56.
|
| |
|
|
| |
The kernel apparently supports this since 3.10.
|
| |
|
|
| |
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
|
| |
|
|
| |
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Recent research demonstrates that at least for 1024-bit DH groups, it is
possible to create specially crafted primes having a backdoor. From the
prime itself this is not detectable, creating a perfect NOBUS attack.
http://eprint.iacr.org/2016/961
For the primes defined in RFC 5114 no information is provided on how these
have been selected. In the default proposal we included one of the 2048-bit
primes only, where it is questionable if constructing a backdoored prime is
feasible. Nevertheless, this patch removes the group from the set of default
proposals as well.
|
| | |
|
| |
|
|
|
| |
Fixes: 4af02c6c61cf ("bus: Fix maximum log level for different groups
after removal of a logger")
|
| |
|
|
|
| |
Fixes: 622c2b2c3386 ("peer-cfg: Add method to atomically replace child
configs")
|
| |
|
|
|
|
|
| |
The log level was incorrectly set to the same value for all groups.
Fixes: dac15e03c828 ("bus: Fix maximum log levels when mixing log/vlog
implementing loggers")
|
| |
|
|
| |
Jump to BPF_STMT(BPF_RET+BPF_K, 0) if protocol_size != 4
|
| |
|
|
|
|
|
|
|
| |
Fix for "Permission denied (you must be root)" error when calling
iptc_init(), which opens a RAW socket to communicate with the kernel,
when built with "--with-capabilities=libcap".
Closes strongswan/strongswan#53.
Fixes #2157.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
A wrong variable is used (route instead of best), so much that the
returned interface belongs to the last seen route instead of the best
choice route.
get_route() may therefore return mismatching interface and gateway.
Fixes: 66e9165bc686 ("kernel-netlink: Return outbound interface in get_nexthop()")
Signed-off-by: Christophe Gouault <christophe.gouault@6wind.com>
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
one retransmit
The counter is already increased when sending the original message.
Fixes: bd71ba0ffb03 ("task-manager: Add retransmit cleared alert")
|
| | |
|
| | |
|
| |
|
|
|
|
| |
We parse aes*gmac as encryption algorithm, which we have to map to an
integrity algorithm. We also make sure we remove all other encryption
algorithms and ensure there is an integrity algorithm.
|
| | |
|
| |
|
|
| |
But filter PRFs from ESP proposals.
|
| |
|
|
| |
References #2051.
|
| |
|
|
| |
Fixes #2051.
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
If a responder is natted it will usually be a static NAT (unless it's a
mediated connection) in which case adding these notifies makes not much
sense (if the initiator's NAT mapping had changed the responder wouldn't
be able to reach it anyway). It's also problematic as some clients refuse
to respond to DPDs if they contain such notifies.
Fixes #2126.
|
| |
|
|
| |
It does not have any CHILD_SAs attached at that point.
|
| |
|
|
|
| |
After the ISAKMP_DELETE task has been executed the IKE_SA is destroyed
so we wouldn't be able to send deletes for the Quick Mode SAs.
|
| |
|
|
|
|
| |
If we silently delete the IKE_SA the other peer might still use it even
if only to send DPDs. If we don't answer to DPDs that might result in the
deletion of the new IKE_SA too.
|
| | |
|
| |
|
|
|
|
| |
This is the minimum size an IPv6 implementation must support. This makes
it the default for IPv4 too, which presumably is also generally routable
(otherwise, setting this to 0 falls back to the minimum of 576 for IPv4).
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
The maximum would not get set correctly when a logger is removed and the
first remaining logger in the list (the one with the highest log level) does
e.g. only implement vlog() while there are other loggers that implement log().
This would result in only max_vlevel getting set correctly while max_level
would incorrectly get set to -1 so that log() would not get called for any
of the loggers anymore.
References #574.
|
| |
|
|
|
|
| |
The kernel will apply the mask to the mark on the packet and then
compare it to the configured mark. So to match only unmarked packets we
have to be able to set 0/0xffffffff.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the number of flows over a gateway exceeds the flow cache size of the Linux
kernel, policy lookup gets very expensive. Policies covering more than a single
address don't get hash-indexed by default, which results in wasting most of
the cycles in xfrm_policy_lookup_bytype() and its xfrm_policy_match() use.
Starting with several hundred policies the overhead gets inacceptable.
Starting with Linux 3.18, Linux can hash the first n-bit of a policy subnet
to perform indexed lookup. With correctly chosen netbits, this can completely
eliminate the performance impact of policy lookups, freeing the resources
for ESP crypto.
WARNING: Due to a bug in kernels 3.19 through 4.7, the kernel crashes with a
NULL pointer dereference if a socket policy is installed while hash thresholds
are changed. And because the hashtable rebuild triggered by the threshold
change that causes this is scheduled it might also happen if the socket
policies are seemingly installed after setting the thresholds.
The fix for this bug - 6916fb3b10b3 ("xfrm: Ignore socket policies when
rebuilding hash tables") - is included since 4.8 (and might get backported).
As a workaround `charon.plugins.kernel-netlink.port_bypass` may be enabled
to replace the socket policies that allow IKE traffic with port specific
bypass policies.
|
| |
|
|
|
|
| |
They are only required if drop policies would otherwise prevent
forwarding traffic. This reduces the number of policies and avoids
conflicts e.g. with SPD hash thresholds.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
