path: root/src/libcharon
Commit message | Author | Age | Files | Lines
...
* kernel-netlink: Use total retransmit timeout as acquire timeout
  Tobias Brunner, 2017-05-23, 2 files, -13/+23

  By using the total retransmit timeout, modifications of timeout settings automatically reflect on the value of xfrm_acq_expires. If set, the value of xfrm_acq_expires configured by the user takes precedence over the calculated value.

* task-manager: Add helper function to calculate the total retransmit timeout
  Tobias Brunner, 2017-05-23, 2 files, -1/+42

* ike: Use optional jitter to calculate retransmission timeouts
  Tobias Brunner, 2017-05-23, 3 files, -5/+57

  Also adds an optional limit to avoid very high retransmission timeouts with high numbers of retries.
* kernel-netlink: Try to add new inbound SA if update fails
  Thomas Egerer, 2017-05-23, 1 file, -3/+12

  When establishing a traffic-triggered CHILD_SA involves the setup of an IKE_SA, more than one exchange is required. As a result the temporary acquire state may have expired -- even if the acquire expiration (xfrm_acq_expires) time is set properly (165 by default). The expire message sent by the kernel is not processed in charon since no trap can be found by the trap manager. A possible solution could be to track allocated SPIs. But since this is a corner case and the tracking introduces quite a bit of overhead, it seems much more sensible to add a new state if the update of a state fails with NOT_FOUND.

  Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* kernel-pfkey: Update SA addresses if supported by the kernel
  Tobias Brunner, 2017-05-23, 1 file, -21/+16

  Upcoming FreeBSD kernels will support updating the addresses of existing SAs with new SADB_X_EXT_NEW_ADDRESS_SRC|DST extensions for the SADB_UPDATE message.

* kernel-pfkey: Use new encap flag on Mac OS X when updating SAs
  Tobias Brunner, 2017-05-23, 1 file, -1/+1

* receiver: Restrict init limit to half-open SAs as responder
  Thomas Egerer, 2017-05-23, 1 file, -4/+2

  Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>

* kernel-netlink: Update hardware offload attribute when SAs are updated
  Tobias Brunner, 2017-05-23, 1 file, -11/+37

* kernel-netlink: Base SA update on correct message in multi-message response
  Tobias Brunner, 2017-05-23, 1 file, -7/+7

* vici: Make hardware offload configurable
  Tobias Brunner, 2017-05-23, 1 file, -0/+11

* child-sa: Optionally enable hardware offload for CHILD_SAs
  Tobias Brunner, 2017-05-23, 1 file, -0/+1

* child-cfg: Add flag to enable hardware offload
  Tobias Brunner, 2017-05-23, 1 file, -0/+3

* child-cfg: Use flags for boolean options
  Tobias Brunner, 2017-05-23, 11 files, -152/+128

  Makes it potentially easier to add new flags.

* kernel-netlink: Enable hardware offloading if configured for an SA
  Tobias Brunner, 2017-05-23, 1 file, -0/+25

* kernel-ipsec: Add flag to enable hardware offloading for an IPsec SA
  Tobias Brunner, 2017-05-23, 1 file, -0/+2

* kernel-netlink: Directly handle Netlink messages if thread pool is empty
  Tobias Brunner, 2017-05-23, 1 file, -1/+2
  During initialization of the plugins the thread pool is not yet initialized, so there is no watcher thread that could handle the queued Netlink message and the main thread will wait indefinitely for a response. Fixes #2199.
* socket-default: Add an option to force the sending interface via IP_PKTINFO
  Martin Willi, 2017-05-23, 1 file, -7/+48

  On Linux, setting the source address is insufficient to force a packet to be sent over a certain path. The kernel uses the best route to select the outgoing interface, even if we set a source address of a lower priority interface. This is not only true for interfaces attaching to the same subnet, but also for unrelated interfaces; the kernel (at least on 4.7) sends out the packet on whatever interface it sees fit, even if that network does not expect packets from the source address we force to. When a better interface becomes available, strongSwan sends its MOBIKE address list update using the old source address. But the kernel sends that packet over the new best interface. If that network drops packets having the unexpected source address from the old path, the MOBIKE update fails and the SA finally times out. To enforce a specific interface for our packet, we explicitly set the interface index from the interface where the source address is installed. According to ip(7), this overrules the specified source address to the primary interface address. As this could have side effects to installations using multiple addresses on a single interface, we disable the option by default for now. This also allows using IPv6 link-local addresses, which won't work if the outbound interface is not set explicitly.

* Add an option to announce support for IKE fragmentation but not sending fragments
  Tobias Brunner, 2017-05-23, 2 files, -3/+6

* vici: Return key ID from load-key command
  Tobias Brunner, 2017-05-23, 2 files, -4/+13

  We already do this for load-token and this should simplify client implementations.

* ikev1: Send NAT-D payloads after HASH payloads in Aggressive Mode requests
  Tobias Brunner, 2017-05-19, 1 file, -1/+1

  Some implementations seem to have problems if the third AM message contains NAT-D payloads before the HASH payload. Fixes #2314.

* ike-sa-manager: Improve scalability of IKE_SA count checking
  Thomas Egerer, 2017-05-19, 1 file, -19/+10

  Much like in commit a68454b, we now use a global atomic counter to keep track of the number of IKE_SAs currently registered. This should improve scalability for a large number of segments even more.

  Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>

* attr-sql: Make release of online leases during startup optional
  Tobias Brunner, 2017-05-19, 1 file, -8/+12

  This cleanup prevents sharing the same DB between multiple VPN gateways.

* eap-simaka-sql: Fixed database column from use to used
  Andreas Steffen, 2017-04-26, 1 file, -4/+7

* vici: Fix type error exception in Python bindings
  odi79, 2017-04-19, 1 file, -1/+1

  Line 66 yields "TypeError: can't concat bytes to str" using Python 3.4. "requestdata" was introduced in 22f08609f1b6 but is not actually used. Since the original "request" is not used anywhere else this can be changed to be similar to the other UTF-8 encoding changes in that commit. Fixes: 22f08609f1b6 ("vici: Explicitly set the Python encoding type"). Closes strongswan/strongswan#66.
* kernel-netlink: Avoid O(n^2) copy operations when concatenating Netlink responses
  Jiri Horky, 2017-03-27, 1 file, -7/+13

  When constructing the result, all responses from Netlink were concatenated iteratively, i.e. for each response, the previously acquired result was copied to newly allocated memory and the current response appended to it. This results in O(n^2) copy operations. Instead, we now check for the total final length of the result and copy the individual responses to it in one pass, i.e. in O(n) copy operations. In particular, this issue caused very high CPU usage in the memcpy() function as the result is copied over and over. A common way to hit the issue is having 1000+ routes and 5+ connecting clients a second. In that case, the memcpy() function can take 50%+ of one CPU thread on a decent CPU and the whole charon daemon is stuck just reading routes and concatenating them together (connecting clients are blocked in that particular case as this is done under mutex). Closes strongswan/strongswan#65. References #2055.

* addrblock: Narrow selectors when rekeying a CHILD_SA as original responder
  Martin Willi, 2017-03-24, 1 file, -0/+1

  If the original responder narrows the selectors of its peer in addrblock, the peer gets a subset of those selectors. However, once the original responder initiates rekeying of that CHILD_SA, it sends the full selectors to the peer, and then narrows the received selectors locally for the installation only. This is insufficient, as the peer ends up with wider selectors, sending traffic that the original responder will reject due to the stricter IPsec policy. So additionally narrow the selectors when rekeying CHILD_SAs before sending the TS list to the peer.
* kernel-wfp: Don't redefine IPPROTO_IP* if already defined
  Tobias Brunner, 2017-03-23, 1 file, -0/+4

* vici: Don't fall back to uninstalling traps if a matching shunt was found
  Tobias Brunner, 2017-03-23, 1 file, -3/+7

  This is different if `ike` and `child` are provided and uninstall() fails as we call that without knowing whether a matching shunt exists. But if `ike` is not provided we explicitly search for a matching shunt and if found don't need to look for a trap policy.

* Fixed some typos, courtesy of codespell
  Tobias Brunner, 2017-03-23, 4 files, -4/+4

* vici: Document how we pronounce the vici protocol and plugin
  Martin Willi, 2017-03-20, 1 file, -3/+3
* ikev1: First do PSK lookups based on identities then fall back to IPs
  Tobias Brunner, 2017-03-20, 1 file, -36/+34

  This provides a solution for configs where there is e.g. a catch-all %any PSK, while more specific PSKs would be found by the identities of configs that e.g. use FQDNs as local/remote addresses. Fixes #2223.
* ike-sa-manager: Remove superfluous assignment
  Thomas Egerer, 2017-03-16, 1 file, -4/+0

  Memory is allocated with calloc, hence set to zero, thus assigning the numerical value 0 is not required.

  Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>

* ike: Log remote IP when deleting half-open IKE_SAs
  Tobias Brunner, 2017-03-15, 1 file, -1/+2

* quick-mode: Correctly prepare NAT-OA payloads as responder
  Tobias Brunner, 2017-03-06, 1 file, -8/+13

  The initiator's address was sent back twice previously. Fixes #2268.

* controller: Don't listen for CHILD_SA state changes when terminating IKE_SAs
  Tobias Brunner, 2017-03-02, 1 file, -1/+0

  We actually want to wait until the IKE_SA is destroyed, not any of the CHILD_SAs (even though there might not be that much of a difference depending on the number of CHILD_SAs). Fixes #2261.

* kernel: Make range of SPIs for IPsec SAs configurable
  Tobias Brunner, 2017-03-02, 3 files, -6/+26

* addrblock: Use dynamic TS narrowing instead of rejecting the whole CHILD_SA
  Martin Willi, 2017-03-02, 1 file, -43/+28

  Previously, the client had to propose no wider selectors than the certificate permits, otherwise the complete CHILD_SA was rejected. However, with IKEv2 we can dynamically narrow the selectors to what the certificate allows. This makes client and gateway configurations very simple by just proposing 0.0.0.0/0, narrowed to selectors the client is permitted to route into the network.

* addrblock: Support an optional non-strict mode accepting certs without addrblock
  Martin Willi, 2017-03-02, 1 file, -3/+11

  This allows a gateway to enforce the addrblock policy on certificates that actually have the extension only. For (legacy) certificates not having the extension, traffic selectors are validated/narrowed by other means, most likely by the configuration.

* child-cfg: Always apply hosts to traffic selectors if proposing transport mode
  Tobias Brunner, 2017-02-27, 1 file, -14/+19

  Usually, %dynamic is used as traffic selector for transport mode SAs, however, if wildcard traps are used then the remote TS will be a subnet. With strongSwan at the remote end that usually works fine as the local %dynamic TS narrows the proposed TS appropriately. But some implementations reject non-host TS for transport mode SAs. Another problem could be if several distinct subnets are configured for a wildcard trap, as we'd then propose unrelated subnets on that transport mode SA, which might be problematic even for strongSwan (switch to tunnel mode and duplicate policies). Closes strongswan/strongswan#61.

* ikev1: Respond to DPDs for rekeyed IKE_SAs
  Tobias Brunner, 2017-02-17, 2 files, -0/+10

  Some devices always use the oldest IKE_SA to send DPDs and will delete all IKE_SAs when there is no response. If uniqueness is not enforced, rekeyed IKE_SAs might not get deleted until they expire, so we should respond to DPDs. References #2090.

* ike-sa: Optionally try to migrate to the best path on routing priority changes
  Martin Willi, 2017-02-17, 1 file, -1/+23

  When multihomed, a setup might prefer to dynamically stay on the cheapest available path by using MOBIKE migrations. If the cheapest path goes away and comes back, we currently stay on the more expensive path to reduce noise and prevent potential migration issues. This is usually just fine for links not generating real cost. If we have more expensive links in the setup, it can be desirable to always migrate to the cheapest link available. By setting charon.prefer_best_path, charon tries to migrate to the path using the highest priority link, allowing an external application to update routes to indirectly control MOBIKE behavior. This option has no effect if MOBIKE is unavailable.
* ikev2: Ignore roam events without MOBIKE but static local address
  Tobias Brunner, 2017-02-17, 1 file, -0/+10

  Disabling MOBIKE and statically configuring a local address should be enough indication that the user doesn't want to roam to a different address. There might not be any routes that indicate we can use the current address but it might still work (e.g. if the address is on an interface that is not referenced in any routes and the address itself is neither). This way we avoid switching to another address for routes that might be available on the system. We currently don't make much use of COND_STALE anyway when MOBIKE is not enabled, e.g. to avoid sending DPDs if the connection is seemingly down. With MOBIKE enabled we don't exactly check that state but we don't send DPDs if there is no route/source address available.
* ike-cfg: Add helper function to determine if a given IP address was configured
  Tobias Brunner, 2017-02-17, 2 files, -2/+46

* vici: Only log messages if there actually is a listener
  Tobias Brunner, 2017-02-16, 1 file, -0/+7

* vici: Let has_event_listeners() actually check if clients are registered
  Tobias Brunner, 2017-02-16, 1 file, -2/+4

  Fixes: 8d96f90a7983 ("vici: Add function to test if an event should be generated")

* vici: Add support for mediation extension
  Tobias Brunner, 2017-02-16, 1 file, -1/+85

* peer-cfg: Store mediated_by as name and not peer-cfg reference
  Tobias Brunner, 2017-02-16, 6 files, -68/+95

  This way updates to the mediation config are respected and the order in which configs are configured/loaded does not matter. The SQL plugin currently maintains the strong relationship between mediated and mediation connection (we could theoretically change that to a string too).

* vici: Include uniqueness policy in list-conns
  Tobias Brunner, 2017-02-16, 1 file, -0/+2

* vici: Add command to initiate SA rekeying
  Tobias Brunner, 2017-02-16, 2 files, -2/+118

* vici: Use unique names for CHILD_SAs in the list-sas command
  Tobias Brunner, 2017-02-16, 2 files, -2/+7

  The original name is returned in the new "name" attribute. This fixes an issue with bindings that map VICI messages to dictionaries. For instance, in roadwarrior scenarios where every CHILD_SA has the same name only the information of the last CHILD_SA would end up in the dictionary for that name.