Martin Willi [Wed, 17 Jul 2013 12:45:39 +0000 (14:45 +0200)]
automake: replace INCLUDES by AM_CPPFLAGS
INCLUDES are now deprecated and throw warnings when using automake 1.13.
We now also differentiate AM_CPPFLAGS and AM_CFLAGS, where includes and
defines are passed to AM_CPPFLAGS only.
Martin Willi [Wed, 17 Jul 2013 12:04:41 +0000 (14:04 +0200)]
autoconf: rename configure.in to configure.ac
configure.ac has been the recommended name for autoconf input for several
years now. Newer autotools start to complain about the configure.in, so we
finally change it.
Martin Willi [Thu, 18 Jul 2013 10:18:32 +0000 (12:18 +0200)]
Merge branch 'charon-xpc'
Implement a charon daemon controlled by the Apple specific XPC mechanism,
acting as a backend for a yet to be built unprivileged GUI. The keychain plugin
coming with this merge provides certificates from the OS X keychain service.
Martin Willi [Wed, 1 May 2013 08:37:49 +0000 (10:37 +0200)]
keychain: use SearchCopyNext keychain enumeration for System certs as well
SecItemCopyMatching seems to be problematic regarding memory management. And
as there does not seem to be a good alternative to enumerate the System Roots
keychain using the SecItemCopyMatching API, we stick to the deprecated
enumeration functions for now.
Martin Willi [Thu, 18 Jul 2013 08:31:52 +0000 (10:31 +0200)]
ike-sa: uninstall CHILD_SAs before removing virtual IPs
a3854d83 changed cleanup order. But we should remove CHILD_SAs first, as routes
for CHILD_SAs might get deleted while removing virtual IPs, resulting in
an error when a CHILD_SA tries to uninstall its route.
Oliver Smith [Fri, 28 Jun 2013 16:41:19 +0000 (09:41 -0700)]
ikev1: Support closeaction of CHILD_SA.
When a CHILD_SA is closed in IKEv1, if it is not being rekeyed and
closeaction has been set, we can now perform a restart or hold as is
currently done for IKEv2.
This improves the behavior of the kernel-pfroute plugin (and sometimes
the kernel-pfkey plugin) in case of mobility, mostly when used as a
client but also as gateway, if clients are mobile.
kernel-pfroute: Make sure source addresses are not virtual and usable
It seems we sometimes get the virtual IP as source (with
rightsubnet=0.0.0.0/0) even if the exclude route is already
installed. Might be a timing issue because shortly afterwards the
lookup seems to succeed.
kernel-pfkey: Remove latest IPsec SA mapping when deleting a policy
If IPsec SAs are rekeyed due to an address change (e.g. because
update_sa is not supported) the exact same policy with the same reqid
will be installed, but with different addresses. After the rekeying the
old SA and its policies are removed, using the first matching mapping
breaks the mapping between the policies and the new SA (at least on
FreeBSD, the Linux kernel might only use the reqid for this). Using the
oldest matching SA is still an approximation but it solves the above
issue.
This required some refactoring when handling encrypted payloads.
Also changed log messages so that "encrypted payload" is logged instead
of "encryption payload" (even if we internally still call it that) as
that's the name used in RFC 5996.
Its functionality can be replicated by calling insert_before() followed
by remove_at(). Not the other way around, though, because remove_at()
changes the enumerator position.
Martin Willi [Wed, 17 Jul 2013 15:28:18 +0000 (17:28 +0200)]
Merge branch 'array'
Introduces a new lightweight array collection having minimal memory overhead.
The new class replaces various linked lists that are used during the full
lifetime of an SA, reducing memory requirements by about 5KB or more per tunnel.
Martin Willi [Wed, 10 Jul 2013 12:16:46 +0000 (14:16 +0200)]
proposal: use a single list to store all transforms
Besides making the code simpler, it reduces the number of lists
stored by each IKE_SA and each CHILD_SA by 4, which can be up to 1KB per SA.
Martin Willi [Thu, 11 Jul 2013 09:44:33 +0000 (11:44 +0200)]
array: introduce an array collection storing elements very efficiently
Currently we use the very versatile linked-list collection to store elements
with variable count. This is fine, but very inefficient: Due to the many
methods in the linked list, on 64-bit platforms an empty list alone is more
than 200 bytes. As we currently have about 50 lists per IKE_SA/CHILD_SA pair,
this takes up to 10KB just for managing the empty lists. This is about
half of the memory used by an IKE_SA/CHILD_SA pair, and obviously way too much.
The new array type is not an object, but a collection of functions on an
abstract type.
The following lists are per IKE_SA and should be considered for a replacement
with more efficient arrays (this uses the load-tester's on-demand created dynamic
configurations, other scenarios have different lists):