| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
| |
|
| |
|
| |
|
|
|
|
|
|
| |
On some systems (e.g. on Debian/kFreeBSD) that header is required when
including ipsec.h, on Linux we require it too when including pfkeyv2.h,
so to simplify things we just always include it.
|
|
|
|
|
| |
To allow enum.h to depend on utils.h definitions, avoid its direct inclusion.
Instead include utils.h, which includes enum.h as well.
|
| |
|
|
|
|
|
|
| |
- get_cpi function was implemented to retrieve a CPI from the kernel.
- add_sa/update_sa/del_sa were updated to accommodate for IPComp SA.
- Updated add_policy_internal to update the SPD to support IPComp.
|
|
|
|
|
|
|
|
|
|
| |
This is undefined behavior as per the C99 standard (sentence 1185):
"If the value of the right operand is negative or is greater or equal
to the width of the promoted left operand, the behavior is undefined."
Apparently shifts may be done modulo the width on some platforms so
a shift by 32 would not shift at all.
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
Fixes #500.
|
| |
|
|
|
|
|
|
| |
Don't add a selector to tunnel mode SAs, these might serve multiple
traffic selectors but with only one selector on the SA only the traffic
matching the first one would actually get tunneled.
|
|
|
|
|
|
|
| |
The kernel does not allow them for transport mode SAs or IPComp SAs (and
of course not for AH SAs).
Fixes #446.
|
| |
|
|
|
|
|
|
| |
distribution
This reverts commit b0761f1f0a5abd225edc291c8285f99a538e6a66.
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
| |
If the same identity is added concurrently by two threads (or by the
pool utility) INSERT might fail even though the SELECT was unsuccessful
before.
We are currently not able to lock the identities table in a portable way
(something like SELECT ... FOR UPDATE on MySQL).
|
|
|
|
|
|
|
|
|
| |
There could, of course, be race conditions when enumerating the attributes,
but those probably don't matter (e.g. missing an attribute that was
concurrently added).
Transactions are more intended to revert multiple changes if anything
fails in the process.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When using auto=route, current xfrm_acq_expires default value
implies that tunnel can be down for up to 165 seconds, if
other peer rejected first IKE request with an AUTH_FAILED or
NO_PROPOSAL_CHOSEN error message. These error messages are
completely normal in setups where another application
pushes configuration to both strongSwans without waiting
for acknowledgment that they have updated their configurations.
This patch allows strongswan to override xfrm_acq_expires default
value by setting charon.plugins.kernel-netlink.xfrm_acq_expires in
strongswan.conf.
Signed-off-by: Ansis Atteka <aatteka@nicira.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Since comments in resolv.conf are only valid at the beginning of a line
resolvconf(8) seems to have started treating any text after
'nameserver <ip>' as additional IP addresses for name servers.
Since it ignores comments, and we can easily remove the added servers
again, there is no point to add any.
Fixes #410.
|
|
|
|
|
|
|
|
|
|
| |
The flag is required to convince libtool on Cygwin to build DLLs. But on
Windows these shared libraries can not have undefined symbols, so we have to
link them explicitly to the libraries they reference.
For plugins this is currently not done, so only the monolithic build is
supported. The plugin loader wouldn't be able to load DLLs anyway, as
it tries to load files that don't exist on Cygwin.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Commit 940e1b0f66dc04b0853414c1f4c45fa3f6e33bdd "Filter ignored
interfaces in kernel interfaces (for events, address enumeration,
etc.)" made charon to ignore routes with unusable interfaces.
Unusable interface is one where charon has not seen RTM_NEWLINK
message from the kernel.
Sometime RTM_NEWLINK message can be 1048 bytes large. This is
24 bytes more than currently allocated buffer of 1024 bytes.
If kernel sends such a large message, then it would be silently
ignored by charon and corresponding interface would never become
usable. Hence strongSwan might resolve invalid source IP address
in get_route() function. This would prevent IPsec tunnel to be
established.
To reproduce create a VLAN interface with following command:
vconfig add eth1 12
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The retry code introduced in dc8b083 got the memset() arguments wrong.
Fix this to ensure the buffer gets zeroed, for real.
It probably doesn't matter as we do reset the message length on retry, so
the stale data shouldn't be seen by anyone.
Found-by: git grep 'memset\s*\([^,]*,\s*[^,]*,\s*0\s*\)'
|
|
|
|
|
|
|
|
|
| |
Since f52cf07532 addresses on ignored, down or loopback interfaces were
not considered as valid addresses anymore when searching for an address
contained in the local traffic selector. This meant that route
installation failed, for instance, if charon.install_virtual_ip_on was
set to 'lo', or, on gateways, if internal interfaces were ignored with
the charon.interfaces_* options.
|
|
|
|
|
| |
While bmp_len stores the number of u_int32_t the allocated bitmap
actually consists of those integers.
|
|
|
|
|
|
|
| |
77d4a02 and 55da01f only updated the address flag when a job was created,
which obviously had the same limitation as the old code.
Fixes #374.
|
|
|
|
|
| |
There was no proper locking and the issue regarding the address
flag also existed.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If multiple roam events are triggered within ROAM_DELAY, only one job is
created. The old code set the address flag to the value of the last
triggering call. So if a route change followed an address change within
ROAM_DELAY the address change was missed by the upper layers, e.g. causing
it not to update the list of addresses via MOBIKE.
The new code now keeps the state of the address flag until the job is
actually executed, which still has some issues. For instance, if an
address disappears and reappears within ROAM_RELAY, the flag would not
have to be set to TRUE. So address updates might occasionally get
triggered where none would actually be required.
Fixes #374.
|
|
|
|
|
|
|
|
|
|
|
| |
Mainly for reauthentication with third party implementations, we allowed to
reuse an online lease, but only for the same peer identity and when it
explicitly requested the same address.
This has always been problematic, because it changes the reqid of the CHILD_SA
with the same traffic selectors, breaking the old tunnel. As we now reject
such policy overwrites, this usually lets the installation of the new policies
fail. We therefore disable reassignment of online leases by default.
|
|
|
|
| |
This saves two lists per connected peer identity, up to 0.4KB.
|
|
|
|
|
|
|
| |
When we reassign an online lease for the same peer, we have to refcount it.
Otherwise we would set it offline if one of the tunnels goes down, but it is
actually still in use by a the second tunnel. This can finally lead in
assigning the same virtual IP to different peers.
|
| |
|
|
|
|
| |
Partially based on an old patch by Adrian-Ken Rueegsegger.
|
| |
|
| |
|
| |
|
| |
|