| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| | |
|
| |
|
|
|
|
|
| |
Referencing $(srcdir) in the gemspec is not really an option, as "gem build"
includes the full path in the gem, so we need to build in $(srcdir). As there
does not seem to be a way to control the output of "gem build", we manually
move the gem to $(builddir) in OOT builds.
|
| |
|
|
|
|
|
|
|
| |
The inbound flag is used to determine if we have to install an update or a new
SA in the kernel. As we do not have allocated SPIs and therefore can't update
an existing SA in the HA plugin, always set the flag to FALSE.
Before 698ed656 we had extra logic for that case, but handling it directly in
the HA plugin is simpler.
|
| | |
|
| | |
|
| |
|
|
|
| |
The default is SHA512 since this hash function is also
used for the c_indices random oracle.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
While it is currently unclear why it happens, canceling threads waiting in the
new_query condvar does not work as expected. The behavior is not fully
reproducible: Either cancel(), join() or destroying the condvar hangs.
The issue has been seen in the http-fetcher unit tests, where the stream service
triggers the use of the resolver for "localhost" hosts. It is reproducible with
any cleanup following a host_create_from_dns() use on a Ubuntu 14.04 x64 system.
Further, the issue is related to the use of libunwind, as only builds with
--enable-unwind-backtraces are affected.
As we broadcast() the new_query condvar before destruction, a hard cancel() of
these threads is actually not required. Instead we let these threads clean up
themselves after receiving the condvar signal.
|
| |
|
|
|
| |
The default of new threads is cancellable, but the host-resolver thread code
clearly expects the opposite.
|
| | |
|
| |
|
|
|
|
|
| |
Unloading libraries calls any library constructor/destructor functions. Some
libraries can't handle that in our excessive unit test use. GnuTLS leaks
a /dev/urandom file descriptor, letting unit tests fail with arbitrary
out-of-resources errors.
|
| | |
|
| |
|
|
| |
On Travis we compile with -Werror.
|
| |
|
|
|
| |
This ensures the library is available. On Debian/Ubuntu it is a dynamic
library provided by the iptables-dev package.
|
| |
|
|
|
|
|
| |
For instance, the NULL cipher has a block size of 1 but an IV length
of 0.
Fixes #854.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently supports transport mode connections using IPv4 only, and requires
a unique mark configured on the connection.
To select the correct outbound SA when multiple connections match (i.e.
multiple peers connected from the same IP address / NAT router) marks must be
configured. This mark should usually be unique, which can be configured in
ipsec.conf using mark=0xffffffff.
The plugin inserts CONNMARK netfilter target rules: Any peer-initiated flow
is tagged with the assigned mark as connmark. On the return path, the mark
gets restored from the conntrack entry to select the correct outbound SA.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
As with other configuration backends, XAuth is activated with a two round
client authentication using pubkey and xauth. In load-tester, this is configured
with initiator_auth=pubkey|xauth.
Fixes #835.
|
| |
|
|
|
|
|
|
|
|
|
| |
With make-before-break IKEv2 re-authentication, virtual IP addresses must be
assigned overlapping to the same peer. With the remote IKE address, the backend
can detect re-authentication attempts by comparing the remote host address and
port. This allows proper reassignment of the virtual IP if it is re-requested.
This change removes the mem-pool.reassign_online option, as it is obsolete now.
IPs get automatically reassigned if a peer re-requests the same address, and
additionally connects from the same address and port.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
While it has some tests that we don't directly cover with the new unit tests,
most of them require special infrastructure and therefore have not been used
for a long time.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
Since pluto is gone, all existing users build upon libcharon.
|
| |
|
|
|
|
| |
Use the new get_dst_host getter to retrieve the destination host from
the SAD using the reqid, spi and protocol values received from the
xfrm-proxy.
|
| |
|
|
|
| |
This function returns the destination host of an SAD entry for given
reqid, spi and protocol arguments or NULL if not found.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
Store the remote instead of the local SPI in the SAD when adding a new
entry in the kernel plugin's add_sa() function.
Since only one ESA context must be destroyed for an inbound/outbound
CHILD SA pair, it does not matter which SPI is used to retrieve it in
the del_sa function.
|
| |
|
|
|
| |
Make the CHILD/ESP SA database a public member of the global tkm_t
struct.
|
| |
|
|
| |
Change 'test_runner' to 'test-runner'.
|
| | |
|
| |
|
|
|
| |
When handling thousands of IKE_SAs, the unique ID based lookup is rather slow,
as we have no indexing.
|
| | |
|
| | |
|
| | |
|
