Martin Willi [Tue, 24 Feb 2015 15:00:38 +0000 (16:00 +0100)]
host-resolver: Do not cancel threads waiting for new queries during cleanup
While it is currently unclear why it happens, canceling threads waiting in the
new_query condvar does not work as expected. The behavior is not fully
reproducible: Either cancel(), join() or destroying the condvar hangs.
The issue has been seen in the http-fetcher unit tests, where the stream service
triggers the use of the resolver for "localhost" hosts. It is reproducible with
any cleanup following a host_create_from_dns() use on a Ubuntu 14.04 x64 system.
Further, the issue is related to the use of libunwind, as only builds with
--enable-unwind-backtraces are affected.
As we broadcast() the new_query condvar before destruction, a hard cancel() of
these threads is actually not required. Instead we let these threads clean up
themselves after receiving the condvar signal.
Martin Willi [Tue, 24 Feb 2015 10:27:53 +0000 (11:27 +0100)]
travis: Disable forecast/connmark plugins in monolithic builds
Ubuntu 12.04 does not seem to provide a sane pkg-config for libiptc or libip4tc.
The monolithic build fails due to missing symbols, so disable it until we have
a newer Ubuntu release.
Martin Willi [Tue, 24 Feb 2015 10:50:21 +0000 (11:50 +0100)]
plugin-loader: Do not unload libraries during dlclose(), if supported
Unloading libraries calls any library constructor/destructor functions. Some
libraries can't handle that in our excessive unit test use. GnuTLS leaks
a /dev/urandom file descriptor, letting unit tests fail with arbitrary
out-of-resources errors.
Martin Willi [Fri, 20 Feb 2015 15:01:44 +0000 (16:01 +0100)]
Merge branch 'forecast'
Implement a forecast plugin that supports forwarding of multi- and broadcast
messages between a LAN and clients or between connected clients. It uses
IPsec policy marks to send packets over multiple identical multi- and broadcast
policies.
Martin Willi [Fri, 20 Feb 2015 14:59:19 +0000 (15:59 +0100)]
Merge branch 'connmark'
Introduce a connmark plugin that uses Netfilter conntracks mark to select the
correct return-path SAs for client-initiated connections. This can be used
to distinguish transport mode clients behind the same NAT router.
Martin Willi [Tue, 18 Nov 2014 10:33:28 +0000 (11:33 +0100)]
testing: Add a connmark plugin test
In this test two hosts establish a transport mode connection from behind
moon. sun uses the connmark plugin to distinguish the flows.
This is an example that shows how one can terminate L2TP/IPsec connections
from two hosts behind the same NAT. For simplification of the test, we use
an SSH connection instead, but this works for any connection initiated flow
that conntrack can track.
Martin Willi [Fri, 14 Nov 2014 11:57:53 +0000 (12:57 +0100)]
connmark: Add CONNMARK rules to select correct output SA based on conntrack
Currently supports transport mode connections using IPv4 only, and requires
a unique mark configured on the connection.
To select the correct outbound SA when multiple connections match (i.e.
multiple peers connected from the same IP address / NAT router) marks must be
configured. This mark should usually be unique, which can be configured in
ipsec.conf using mark=0xffffffff.
The plugin inserts CONNMARK netfilter target rules: Any peer-initiated flow
is tagged with the assigned mark as connmark. On the return path, the mark
gets restored from the conntrack entry to select the correct outbound SA.
Martin Willi [Tue, 27 Jan 2015 09:40:39 +0000 (10:40 +0100)]
load-tester: Support initiating XAuth authentication
As with other configuration backends, XAuth is activated with a two round
client authentication using pubkey and xauth. In load-tester, this is configured
with initiator_auth=pubkey|xauth.
Martin Willi [Wed, 12 Nov 2014 15:52:52 +0000 (16:52 +0100)]
testing: Update description and test evaluation of host2host-transport-nat
As we now reuse the reqid for identical SAs, the behavior changes for
transport connections to multiple peers behind the same NAT. Instead of
rejecting the SA, we now have two valid SAs active. For the reverse path,
however, sun sends traffic always over the newer SA, resembling the behavior
before we introduced explicit SA conflicts for different reqids.
Martin Willi [Tue, 4 Nov 2014 15:32:33 +0000 (16:32 +0100)]
mem-pool: Pass the remote IKE address, to re-acquire() an address during reauth
With make-before-break IKEv2 re-authentication, virtual IP addresses must be
assigned overlapping to the same peer. With the remote IKE address, the backend
can detect re-authentication attempts by comparing the remote host address and
port. This allows proper reassignment of the virtual IP if it is re-requested.
This change removes the mem-pool.reassign_online option, as it is obsolete now.
IPs get automatically reassigned if a peer re-requests the same address, and
additionally connects from the same address and port.
Martin Willi [Wed, 4 Feb 2015 10:38:58 +0000 (11:38 +0100)]
Merge branch 'attr-migrate'
Migrates the attribute framework and associated plugins from libhydra back
to libcharon. libcharon is the only user of this framework since pluto is gone.
With these changes, we can pass the full IKE_SA state to attribute providers
and handlers, bringing more flexibility to these plugins.
Martin Willi [Tue, 4 Nov 2014 14:00:15 +0000 (15:00 +0100)]
unit-tester: Drop the old unit-tester libcharon plugin
While it has some tests that we don't directly cover with the new unit tests,
most of them require special infrastructure and therefore have not been used
for a long time.
Reto Buerki [Thu, 18 Dec 2014 10:49:05 +0000 (11:49 +0100)]
testing: Add tkm xfrmproxy-expire test
This test asserts that the handling of XFRM expire messages from the
kernel are handled correctly by the xfrm-proxy and the Esa Event Service
(EES) in charon-tkm.
Reto Buerki [Thu, 18 Dec 2014 15:49:16 +0000 (16:49 +0100)]
charon-tkm: Store remote SPI in SAD
Store the remote instead of the local SPI in the SAD when adding a new
entry in the kernel plugin's add_sa() function.
Since only one ESA context must be destroyed for an inbound/outbound
CHILD SA pair, it does not matter which SPI is used to retrieve it in
the del_sa function.
Martin Willi [Thu, 19 Feb 2015 17:18:51 +0000 (18:18 +0100)]
Merge branch 'reqid-alloc'
With these changes, charon dynamically allocates reqids for CHILD_SAs. This
allows the reuse of reqids for identical policies, and basically allows multiple
CHILD_SAs with the same selectors. As reqids do not uniquely define a CHILD_SA,
a new unique identifier for CHILD_SAs is introduced, and the kernel backends
use a proto/dst/SPI tuple to identify CHILD_SAs.
charon-tkm is not yet updated and expires are actually broken with this merge.
As some significant refactorings are required, this is fixed using a separate
merge.
Reto Buerki [Mon, 17 Nov 2014 14:15:19 +0000 (15:15 +0100)]
charon-tkm: Fix compilation of ees_callback.c
Update the call to hydra->kernel_interface->expire to make
ees_callback.c compile again. The required destination host argument is
set to NULL for now.
Martin Willi [Thu, 23 Oct 2014 13:42:21 +0000 (15:42 +0200)]
child-sa-manager: Add a global manager storing CHILD_SA relations
To quickly check out IKE_SAs and find associated CHILD_SAs, the
child_sa_manager stores relations between CHILD_SAs and IKE_SAs. It provides
CHILD_SA specific IKE_SA checkout functions wrapping the ike_sa_manager.
Martin Willi [Thu, 13 Nov 2014 14:26:10 +0000 (15:26 +0100)]
child-sa: Replace reqid based marks by "unique" marks
As we now use the same reqid for multiple CHILD_SAs with the same selectors,
having marks based on the reqid makes not that much sense anymore. Instead we
use unique marks that use a custom identifier. This identifier is reused during
rekeying, keeping the marks constant for any rule relying on it (for example
installed by updown).
This also simplifies handling of reqid allocation, as we do not have to query
the marks that is not yet assigned for an unknown reqid.
Martin Willi [Wed, 12 Nov 2014 16:22:45 +0000 (17:22 +0100)]
kernel-interface: Add reqid allocation and release functions
To reassign reqids where appropriate, we explicitly allocate or confirm them
centrally on the kernel-interface.
Currently the state is stored in the kernel-interface wrapper for all
backends, but we may add appropriate methods to each backend to implement
a custom reqid allocation logic, if required.
Martin Willi [Fri, 17 Oct 2014 13:44:06 +0000 (15:44 +0200)]
child-sa: Remove the obsolete update logic
The kernel backend uses an inbound parameter these days, where it makes
no sense to pass the update flag. The kernel backend decides itself how
it handles SA installation based on the inbound flag.
Martin Willi [Wed, 15 Oct 2014 16:03:31 +0000 (18:03 +0200)]
kernel-interface: Pass full list of traffic selectors to add_sa()
While we can handle the first selector only in BEET mode in kernel-netlink,
passing the full list gives the backend more flexibility how to handle this
information.
Martin Willi [Wed, 15 Oct 2014 15:22:55 +0000 (17:22 +0200)]
kernel-interface: Remove reqid parameter from get_spi/get_cpi() methods
The reqid is not strictly required, as we set the reqid with the update
call when installing the negotiated SA.
If we don't need a reqid at this stage, we can later allocate the reqid in
the kernel backend once the SA parameters have been fully negotaited. This
allows us to assign the same reqid for the same selectors to avoid conflicts
on backends this is necessary.
Martin Willi [Thu, 5 Feb 2015 08:13:57 +0000 (09:13 +0100)]
libtls: Don't send TLS close notifies in EAP after application succeeds
With the introduction of PT-TLS, we started sending TLS close notifies after
the application layer completes (7bbf7aa9). While this makes sense for TCP based
transports, it is not required in EAP methods. In EAP, handshake completion
can be directly signaled using the outer EAP-SUCCESS message. This also saves
one round-trip in the EAP exchange.
Windows 7/8 does not seem to like TLS close notifies at all in EAP, and either
stalls (EAP-TTLS) or disconnects (PEAP).
Thomas Egerer [Wed, 4 Feb 2015 11:47:03 +0000 (12:47 +0100)]
ha: Perform child rekeying outside of CHILD_SA enumerator
When rekey_child_sa is called while enumerating the children of an IKE_SA, and
the child to be rekeyed is redundant a QUICK_DELETE task is queued instead of a
QUICK_MODE task. This alters the IKE_SA's list of children (ike_sa_t::child_sas)
invalidating the current element of the child_sa_enumerator. The enumerate
function of linked_list_t will then advance to an element with unpredictable
contents most likely resulting in an segmentation violation. A similar behavior
should be observed when delete_child_sa is called.
This patch creates a list of protocol/spi values while holding the
child_sa_enumerator and performs the rekeying (deletion of redundant) chlidren
after releasing the enumerator.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
Tobias Brunner [Tue, 10 Feb 2015 15:08:09 +0000 (16:08 +0100)]
configure: Load SQL backends after crypto plugins
If the MySQL client library is linked against OpenSSL the mysql plugin
will cause a segmentation fault when it is unloaded after the openssl
plugin has already been deinitialized. This is very similar to the issues
with curl (see 44b6a34d438f).
Martin Willi [Thu, 8 Jan 2015 10:06:45 +0000 (11:06 +0100)]
libtls: Check for CHANGE_CIPHER_SPEC type only if upper layer returns NEED_MORE
A type is returned only if upper layers successfully created a record, that is
returns NEED_MORE. If we do not check for the return value, we might check a
previous record or the uninitialized type variable and falsely reset the
sequence number.
projects / thirdparty / strongswan.git / log
