aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon
Commit message (Collapse)AuthorAgeFilesLines
...
* child-sa: Install "outbound" FWD policy with lower priorityTobias Brunner2016-05-061-1/+12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This provides a fix if symmetrically overlapping policies are installed as e.g. the case in the ikev2/ip-two-pools-db scenario: carol 10.3.0.1/32 ----- 10.3.0.0/16, 10.4.0.0/16 moon alice 10.4.0.1/32 ----- 10.3.0.0/16, 10.4.0.0/16 moon Among others, the following FWD policies are installed on moon: src 10.3.0.1/32 dst 10.4.0.0/16 ... tmpl ... src 10.4.0.0/16 dst 10.3.0.1/32 ... src 10.4.0.1/32 dst 10.3.0.0/16 ... tmpl ... src 10.3.0.0/16 dst 10.4.0.1/32 ... Because the network prefixes are the same for all of these they all have the same priority. Due to that it depends on the install order which policy gets used. For instance, a packet from 10.3.0.1 to 10.4.0.1 will match the first as well as the last policy. However, when handling the inbound packet we have to use the first one as the packet will otherwise be dropped due to a template mismatch. And we can't install templates with the "outbound" FWD policies as that would prevent using different IPsec modes or e.g. IPComp on only one of multiple SAs. Instead we install the "outbound" FWD policies with a lower priority than the "inbound" FWD policies so the latter are preferred. But we use a higher priority than default drop policies would use (in case they'd be defined with the same subnets).
* kernel-netlink: Check proper watcher state in parallel modeTobias Brunner2016-05-061-1/+1
| | | | | | | | | | | | | After adding the read callback the state is WATCHER_QUEUED and it is switched to WATCHER_RUNNING only later by an asynchronous job. This means that a thread that sent a Netlink message shortly after registration might see the state as WATCHER_QUEUED. If it then tries to read the response and the watcher thread is quicker to actually read the message from the socket, it could block on recv() while still holding the lock. And the asynchronous job that actually read the message and tries to queue it will block while trying to acquire the lock, so we'd end up in a deadlock. This is probably mostly a problem in the unit tests.
* trap-manager: Allow local address to be unspecifiedTobias Brunner2016-05-061-3/+1
| | | | | | | | If there is currently no route to reach the other peer we just default to left=%any. The local address is only really used to resolve leftsubnet=%dynamic anyway (and perhaps for MIPv6 proxy transport mode). Fixes #1375.
* kernel-netlink: Order routes by prefix before comparing priority/metricTobias Brunner2016-05-061-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | Metrics are basically defined to order routes with equal prefix, so ordering routes by metric first makes not much sense as that could prefer totally unspecific routes over very specific ones. For instance, the previous code did break installation of routes for passthrough policies with two routes like these in the main routing table: default via 192.168.2.1 dev eth0 proto static 192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.10 metric 1 Because the default route has no metric set (0) it was used, instead of the more specific other one, to determine src and next hop when installing a route for a passthrough policy for 192.168.2.0/24. Therefore, the installed route in table 220 did then incorrectly redirect all local traffic to "next hop" 192.168.2.1. The same issue occurred when determining the source address while installing trap policies. Fixes 6b57790270fb ("kernel-netlink: Respect kernel routing priorities for IKE routes"). Fixes #1416.
* ikev1: Activate DELETE tasks before other tasks in state ESTABLISHEDTobias Brunner2016-05-061-7/+7
| | | | Fixes #1410.
* ikev1: Don't use rekeyed CHILD_SAs for rekey detectionTobias Brunner2016-05-061-4/+4
| | | | | | | | | | | | An old (already rekeyed) CHILD_SA would get switched back into CHILD_REKEYING state. And we actually want to change the currently installed CHILD_SA to that state and later CHILD_REKEYED and properly call e.g. child_rekey() and not do this again with an old CHILD_SA. Instead let's only check installed or currently rekeying CHILD_SAs (in case of a rekey collision). It's also uncommon that there is a CHILD_SA in state CHILD_REKEYED but none in state CHILD_INSTALLED or CHILD_REKEYING, which could happen if e.g. a peer deleted and recreated a CHILD_SA after a rekeying. But in that case we don't want to treat the new CHILD_SA as rekeying (e.g. in regards to events on the bus).
* ikev1: Don't call updown hook etc. when deleting redundant CHILD_SAsTobias Brunner2016-05-061-0/+1
| | | | Fixes #1421.
* vici list-conns sends reauthentication and rekeying time informationAndreas Steffen2016-05-048-21/+43
|
* proposal: Remove some weaker and rarely used DH groups from the default proposalTobias Brunner2016-05-041-3/+5
| | | | | | | | | | | This fixes an interoperability issue with Windows Server 2012 R2 gateways. They insist on using modp1024 for IKE, however, Microsoft's IKEv2 implementation seems only to consider the first 15 DH groups in the proposal. Depending on the loaded plugins modp1024 is now at position 17 or even later, causing the server to reject the proposal. By removing some of the weaker and rarely used DH groups from the default proposal we make sure modp1024 is among the first 15 DH groups. The removed groups may still be used by configuring custom proposals.
* kernel-pfkey: Add support for manual prioritiesTobias Brunner2016-04-151-7/+24
| | | | Also orders policies with equals priorities by their automatic priority.
* kernel-pfkey: Update priority calculation formula to the new one in ↵Tobias Brunner2016-04-151-14/+25
| | | | | | | kernel-netlink Since the selectors are not exactly the same (no port masks, no interface) some small tweaks have been applied.
* kernel-netlink: Order policies with equal priorities by their automatic priorityTobias Brunner2016-04-151-11/+24
| | | | | | | | | | | | This allows using manual priorities for traps, which have a lower base priority than the resulting IPsec policies. This could otherwise be problematic if, for example, swanctl --install/uninstall is used while an SA is established combined with e.g. IPComp, where the trap policy does not look the same as the IPsec policy (which is now otherwise often the case as the reqids stay the same). It also orders policies by selector size if manual priorities are configured and narrowing occurs.
* Extended IPsec kernel policy schemeAndreas Steffen2016-04-091-18/+53
| | | | | | | | The kernel policy now considers src and dst port masks as well as restictions to a given network interface. The base priority is 100'000 for passthrough shunts, 200'000 for IPsec policies, 300'000 for IPsec policy traps and 400'000 for fallback drop shunts. The values 1..30'000 can be used for manually set priorities.
* Include manual policy priorities and restriction to interfaces in vici ↵Andreas Steffen2016-04-091-1/+14
| | | | list-conn command
* Implemented IPsec policies restricted to given network interfaceAndreas Steffen2016-04-097-14/+63
|
* Support manually-set IPsec policy prioritiesAndreas Steffen2016-04-097-22/+77
|
* peer-cfg: Use struct to pass data to constructorTobias Brunner2016-04-0911-167/+220
|
* child-cfg: Use struct to pass data to constructorTobias Brunner2016-04-0911-295/+293
|
* kernel-pfkey: Prefer policies with reqid over those withoutTobias Brunner2016-04-091-1/+7
|
* kernel-pfkey: Only install templates for regular IPsec policies with reqidTobias Brunner2016-04-091-32/+35
|
* shunt-manager: Install "outbound" FWD policyTobias Brunner2016-04-091-2/+8
| | | | | | If there is a default drop policy forwarded traffic might otherwise not be allowed by a specific passthrough policy (while local traffic is allowed).
* kernel-netlink: Prefer policies with reqid over those withoutTobias Brunner2016-04-091-1/+7
| | | | | | | This allows two CHILD_SAs with reversed subnets to install two FWD policies each. Since the outbound policy won't have a reqid set we will end up with the two inbound FWD policies installed in the kernel, with the correct templates to allow decrypted traffic.
* kernel-netlink: Only associate templates with inbound FWD policiesTobias Brunner2016-04-091-1/+1
| | | | | | We can't set a template on the outbound FWD policy (or we'd have to make it optional). Because if the traffic does not come from another (matching) IPsec tunnel it would get dropped due to the template mismatch.
* child-sa: Install "outbound" FWD policyTobias Brunner2016-04-091-0/+16
| | | | | | | If there is a DROP shunt that matches outbound forwarded traffic it would get dropped as the FWD policy we install only matches decrypted inbound traffic. That's because the Linux kernel first checks the FWD policies before looking up the OUT policy and SA to encrypt the packets.
* kernel-netlink: Associate routes with IN policies instead of FWD policiesTobias Brunner2016-04-091-21/+21
| | | | | | This allows us to install more than one FWD policy. We already do this in the kernel-pfkey plugin (there the original reason was that not all kernels support FWD policies).
* kernel: Use structs to pass information to the kernel-ipsec interfaceTobias Brunner2016-04-0910-894/+1066
|
* vici: Fix documentation of some dictionary keys of two request messagesCameron McCord2016-03-311-3/+3
| | | | Closes strongswan/strongswan#40.
* Use standard unsigned integer typesAndreas Steffen2016-03-24233-1711/+1711
|
* updown: Get value for PLUTO_MARK_{IN,OUT} from CHILD_SAShota Fukumori2016-03-231-2/+2
| | | | | | | Or the invoked script will get a broken value when `mark=%unique` is used in a configuration. Closes strongswan/strongswan#37.
* connmark: Explicitly include xt_mark.h for older kernelsTobias Brunner2016-03-231-0/+1
| | | | Fixes #1365.
* libcharon: Add missing header file to Android.mkTobias Brunner2016-03-231-0/+1
| | | | Not really relevant, just to make sure both file lists are the same.
* ike-sa-manager: Avoid memory leak if IKE_SAs get checked in after flush() ↵Tobias Brunner2016-03-231-23/+38
| | | | | | | | | | | | | was called A thread might check out a new IKE_SA via checkout_new() or checkout_by_config() and start initiating it while the daemon is terminating and the IKE_SA manager is flushed by the main thread. That SA is not tracked yet so the main thread is not waiting for it and the other thread is able to check it in and creating an entry after flush() already terminated causing a memory leak. Fixes #1348.
* ha: Delete cache entry inside the locked mutexThomas Egerer2016-03-231-0/+2
| | | | Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* kernel-netlink: Fix lookup of next hops for destinations with prefixTobias Brunner2016-03-211-1/+2
| | | | References #1347.
* Fix some Doxygen issuesTobias Brunner2016-03-111-1/+1
|
* vici: Don't hold write lock while running or undoing start actionsTobias Brunner2016-03-111-27/+63
| | | | | | | | | | | | | | Running or undoing start actions might require enumerating IKE_SAs, which in turn might have to enumerate peer configs concurrently, which requires acquiring a read lock. So if we keep holding the write lock while enumerating the SAs we provoke a deadlock. By preventing other threads from acquiring the write lock while handling actions, and thus preventing the modification of the configs, we largely maintain the current synchronous behavior. This way we also don't need to acquire additional refs for config objects as they won't get modified/removed. Fixes #1185.
* Initialize ts variableAndreas Steffen2016-03-111-1/+1
|
* forecast: Compare the complete rules when deleting themTobias Brunner2016-03-101-1/+4
| | | | | | Same as the change in the connmark plugin. References #1229.
* connmark: Don't restore CONNMARK for packets that already have a mark setTobias Brunner2016-03-101-2/+17
| | | | | | | | | This allows e.g. modified versions of xl2tpd to set the mark in situations where two clients are using the same source port behind the same NAT, which CONNMARK can't restore properly as only one conntrack entry will exist with the mark set to that of the client that sent the last packet. Fixes #1230.
* connmark: Compare the complete rules when deleting themTobias Brunner2016-03-101-1/+4
| | | | | | | | | | | | By settings a matchmask that covers the complete rule we ensure that the correct rule is deleted (i.e. matches and targets with potentially different marks are also compared). Since data after the passed pointer is actually dereferenced when comparing we definitely have to pass an array that is at least as long as the ipt_entry. Fixes #1229.
* Support of IP address ranges in traffic selectorsAndreas Steffen2016-03-102-7/+27
|
* attr: Only enumerate attributes matching the IKE version of the current IKE_SATobias Brunner2016-03-101-19/+49
| | | | Numerically configured attributes are currently sent for both versions.
* attr: Add p-cscf keyword for P-CSCF server addressesTobias Brunner2016-03-101-0/+1
|
* p-cscf: Make sending requests configurable and disable it by defaultTobias Brunner2016-03-101-2/+6
|
* p-cscf: Only send requests if virtual IPs of the same family are requestedTobias Brunner2016-03-101-2/+18
|
* p-cscf: Add attribute handler for P-CSCF server addressesTobias Brunner2016-03-104-1/+243
|
* p-cscf: Add plugin stubTobias Brunner2016-03-105-0/+132
|
* payloads: Verify P-CSCF configuration attributes like others carrying IP ↵Tobias Brunner2016-03-101-0/+2
| | | | addresses
* attributes: Define P-CSCF address attributes described in RFC 7651Tobias Brunner2016-03-102-6/+13
|
* ike-sa: Improve interaction between flush_auth_cfg and delayed revocation checksTobias Brunner2016-03-101-26/+37
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-03 20:04:11 +0000