| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
| |
The socket based IKE bypass policies are usually superior, but not supported
on all networking stacks. The port based variant uses global policies for the
UDP ports we have IKE sockets for.
|
| |
|
|
|
|
| |
As under vanilla Linux the kernel can't handle parallel dump queries and returns
EBUSY, it makes not much sense to use them. Disable parallel queries by default
to basically restore original behavior, improving performance.
|
| |
|
|
|
|
|
|
| |
Besides that it can improve throughput, it avoids a deadlock situation. If
all threads are busy, watcher will invoke the FD notification for NEWADDR
events itself. If the lock is held, it gets locked up. As watcher is not
dispatching anymore, it can't signal Netlink socket send() completion, and
the send() operation does not return and keeps the lock.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
If the kernel can't execute a Netlink query because a different query is already
active, it returns EBUSY. As this can happen now as we support parallel queries,
retry on this error condition.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Instead of locking the socket exclusively to wait for replies, use watcher
to wait for and read in responses asynchronously. This allows multiple parallel
Netlink queries, which can significantly improve performance if the kernel
Netlink layer has longer latencies and supports parallel queries.
For vanilla Linux, parallel queries don't make much sense, as it usually returns
EBUSY for the relevant dump requests. This requires a retry, and in the end
makes queries more expensive under high load.
Instead of checking the Netlink message sequence number to detect multi-part
messages, this code now relies on the NLM_F_MULTI flag to detect them. This
has previously been avoided (by 1d51abb7). It is unclear if the flag did not
work correctly on very old Linux kernels, or if the flag was not used
appropriately by strongSwan. The flag seems to work just fine back to 2.6.18,
which is a kernel still in use by RedHat/CentOS 5.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If no offline leases are available for the current client and assigning online
leases is disabled, and if all IPs of the pool have already been assigned to
clients we look for offline leases that previously were assigned to other
clients.
In case the current client has online leases the previous code would
replace the existing mapping entry and besides resulting in a memory leak
the online leases would be lost forever (even if the client later releases
the addresses). If this happens repeatedly the number of available addresses
would decrease even though the total number of online and offline leases seen
in `ipsec leases` would indicate that there are free addresses available.
Fixes #764.
|
| |
|
|
|
| |
Also enables support for IKEv2 fragmentation, provides improved MOBIKE
handling and optionally enables PFS for CHILD_SAs.
|
| | |
|
| |
|
|
| |
We use the same value we use as MTU on TUN devices.
|
| | |
|
| |
|
|
|
|
|
| |
Without verification of the identity we can't prevent a malicious user
with a valid certificate from impersonating the AAA server and thus the
VPN gateway. So unless we make the AAA identity configurable we have to
prevent EAP-only authentication.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
Make sure that the acquired CC context is correctly reset and the
associated ID released in the authorize() function of the TKM bus
listener.
|
| |
|
|
| |
Add missing comma to tkm_context_kind_names enum definition.
|
| |
|
|
| |
algorithms
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
Previously one more than the first and last address was ignored.
And if the base address is not the network ID of the subnet we
should not skip it. But we should adjust the size as it does not
represent the actual number of IP addresses assignable.
|
| |
|
|
| |
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
|
| |
|
|
|
|
|
|
|
| |
We currently send the notify in Main Mode only, as it is explicitly not allowed
by RFC 2407 to send (unprotected) notifications in Aggressive Mode. To make
that work, we'd need to handle that notify in Aggressive Mode, which could
allow a MitM to inject such notifies and do some harm.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
|
| |
|
|
|
| |
As email constraints may be for a specific host, it is not clear from the
name itself if it is a DNS or email constraint.
|
| | |
|
| |
|
|
|
|
|
| |
While RFC 5280 is not very specific about the matching rules of subjectAltNames,
it has some examples how to match email and FQDN constraints. We try to follow
these examples, and restrict DNS names to subdomain matching and email to
full email, host or domain matching.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Instead of rejecting the certificate completely if a certificate has a policy
OID that is actually not allowed by the issuer CA, we accept it. However, the
certificate policy itself is still considered invalid, and is not returned
in the auth config resulting from trust chain operations.
A user must make sure to rely on the returned auth config certificate policies
instead of the policies contained in the certificate; even if the certificate
is valid, the policy OID itself in the certificate are not to be trusted
anymore.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
We explicitly avoided TryAcquireSRWLockExclusive() because of crashes. This
issue was caused by a MinGW-w64 bug (mingw-w64 fix 46f77afc). Using a newer
toolchain works fine.
While try_write_lock() obviously can fail, not supporting it is not really an
option, as some algorithms depend on occasionally successful calls. Certificate
caching in the certificate manager and the cred_set cache rely on successful
try_write_lock()ing.
|
