]> git.ipfire.org Git - thirdparty/strongswan.git/log
thirdparty/strongswan.git
26 hours agotesting: Use alternative approach for retransmits in ikev1/dpd-restart scenario master
Tobias Brunner [Fri, 11 Jul 2025 09:45:37 +0000 (11:45 +0200)] 
testing: Use alternative approach for retransmits in ikev1/dpd-restart scenario

With a long delay, the retransmit might not get sent before further tests
are evaluated on faster machines, while more retransmits should still allow
the scenario to succeed on slower ones.

26 hours agochild-cfg: Actually force narrowing TS in transport mode only as initiator
Tobias Brunner [Fri, 11 Jul 2025 06:50:30 +0000 (08:50 +0200)] 
child-cfg: Actually force narrowing TS in transport mode only as initiator

Closes strongswan/strongswan#2830

Fixes: ad1ad2159f0b ("child-cfg: Use traffic selector list")
29 hours agoopenssl: Don't allocate salt if PRF/hash is unknown
Tobias Brunner [Fri, 11 Jul 2025 09:42:47 +0000 (11:42 +0200)] 
openssl: Don't allocate salt if PRF/hash is unknown

This can happen if e.g. AES-XCBC is selected.

Fixes: 2dbeecfc029b ("openssl: Fix testing KDF_PRF in the constructor with OpenSSL 3.5.1")
45 hours agogithub: Shorten name for crypto-plugin job and reverse matrix arguments
Tobias Brunner [Thu, 10 Jul 2025 17:07:13 +0000 (19:07 +0200)] 
github: Shorten name for crypto-plugin job and reverse matrix arguments

This gives us more readable names in the UI.  Instead of

  crypto-plugins (ubuntu-latest, b...
  crypto-plugins (ubuntu-latest, b...
  crypto-plugins (ubuntu-latest, ...
  crypto-plugins (ubuntu-latest, ...
  crypto-plugins (ubuntu-latest, o...
  crypto-plugins (ubuntu-latest, o...

we now get

  crypto (botan, ubuntu-latest, no)
  crypto (botan, ubuntu-latest, yes)
  crypto (wolfssl, ubuntu-latest, no)
  crypto (wolfssl, ubuntu-latest, yes)
  crypto (openssl, ubuntu-latest, no)
  crypto (openssl, ubuntu-latest, yes)

45 hours agoopenssl: Fix testing KDF_PRF in the constructor with OpenSSL 3.5.1
Tobias Brunner [Thu, 10 Jul 2025 16:11:19 +0000 (18:11 +0200)] 
openssl: Fix testing KDF_PRF in the constructor with OpenSSL 3.5.1

Setting the salt to NULL now fails, so we set it to hash length's zeroes,
which is the default value for HKDF-Extract if no salt is passed.

Fixes strongswan/strongswan#2828

4 days agoDoxyfile: Don't hide set_seed() method
Tobias Brunner [Tue, 8 Jul 2025 11:13:06 +0000 (13:13 +0200)] 
Doxyfile: Don't hide set_seed() method

4 days agoFixed some typos, courtesy of codespell
Tobias Brunner [Tue, 8 Jul 2025 08:54:49 +0000 (10:54 +0200)] 
Fixed some typos, courtesy of codespell

4 days agoVersion bump to 6.0.2rc1 6.0.2rc1
Andreas Steffen [Mon, 7 Jul 2025 08:57:25 +0000 (10:57 +0200)] 
Version bump to 6.0.2rc1

4 days agoNEWS: Add news for 6.0.2
Tobias Brunner [Mon, 7 Jul 2025 08:31:56 +0000 (10:31 +0200)] 
NEWS: Add news for 6.0.2

4 days agogithub: Use AWS-LC 1.55.0 for tests
Tobias Brunner [Tue, 1 Jul 2025 06:32:46 +0000 (08:32 +0200)] 
github: Use AWS-LC 1.55.0 for tests

4 days agogithub: Use OpenSSL 3.5.1 for tests
Tobias Brunner [Tue, 1 Jul 2025 12:16:49 +0000 (14:16 +0200)] 
github: Use OpenSSL 3.5.1 for tests

5 days agovici: Allow backlog size configuration via compile option
Thomas Egerer [Wed, 2 Jul 2025 10:46:30 +0000 (12:46 +0200)] 
vici: Allow backlog size configuration via compile option

Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
5 days agogithub: Make sure at least one run with the same content is not skipped
Tobias Brunner [Mon, 7 Jul 2025 09:55:01 +0000 (11:55 +0200)] 
github: Make sure at least one run with the same content is not skipped

9 days agoVersion bump to 6.0.2dr3 6.0.2dr3
Andreas Steffen [Thu, 3 Jul 2025 09:43:53 +0000 (11:43 +0200)] 
Version bump to 6.0.2dr3

11 days agonm: Don't set DL_LIBS to 'none required' in configure script
orbea [Tue, 5 Mar 2024 23:46:30 +0000 (15:46 -0800)] 
nm: Don't set DL_LIBS to 'none required' in configure script

This copies the AC_SEARCH_LIBS check from the main strongSwan
configure.ac.

When building networkmanager-strongswan with slibtool if fails.

  ld: cannot find none: No such file or directory
  ld: cannot find required: No such file or directory

This is because configure.ac uses AC_SEARCH_LIBS to find dlopen which
sets the value of $ac_cv_search_dlopen to 'none required' which then
gets set in DL_LIBS and passed to slibtool.

With GNU libtool it silently ignores the unknown arguments.

Gentoo issue: https://bugs.gentoo.org/914100

Closes strongswan/strongswan#2141

Signed-off-by: orbea <orbea@riseup.net>
2 weeks agoMerge branch 'android-http-proxy' android-2.5.6
Tobias Brunner [Fri, 27 Jun 2025 07:13:38 +0000 (09:13 +0200)] 
Merge branch 'android-http-proxy'

Adds support for HTTP proxy server.

Closes strongswan/strongswan#2789

2 weeks agoandroid: New release after adding HTTP proxy configuration
Tobias Brunner [Fri, 6 Jun 2025 09:11:34 +0000 (11:11 +0200)] 
android: New release after adding HTTP proxy configuration

2 weeks agoandroid: Apply proxy server setting when creating TUN device
Tobias Brunner [Thu, 5 Jun 2025 14:34:52 +0000 (16:34 +0200)] 
android: Apply proxy server setting when creating TUN device

This is only available with Android 10+ (SDK 29+).

2 weeks agoandroid: Avoid proxy settings in the internal fetcher
Tobias Brunner [Thu, 5 Jun 2025 14:31:16 +0000 (16:31 +0200)] 
android: Avoid proxy settings in the internal fetcher

2 weeks agoandroid: Allow setting proxy settings in managed profiles
Tobias Brunner [Thu, 5 Jun 2025 14:13:45 +0000 (16:13 +0200)] 
android: Allow setting proxy settings in managed profiles

2 weeks agoandroid: Import proxy server settings
Tobias Brunner [Thu, 5 Jun 2025 14:10:21 +0000 (16:10 +0200)] 
android: Import proxy server settings

2 weeks agoandroid: Make proxy server configurable
Tobias Brunner [Thu, 5 Jun 2025 14:09:50 +0000 (16:09 +0200)] 
android: Make proxy server configurable

2 weeks agoandroid: Add properties to VPN profiles for proxy server configuration
Tobias Brunner [Thu, 5 Jun 2025 13:15:04 +0000 (15:15 +0200)] 
android: Add properties to VPN profiles for proxy server configuration

2 weeks agoandroid: Don't mention IKEv1 and L2TP in app description
Tobias Brunner [Mon, 2 Jun 2025 12:58:36 +0000 (14:58 +0200)] 
android: Don't mention IKEv1 and L2TP in app description

Also removed on Play so the app does not show up when people search
for these keywords (they tend to not read the actual description and
then are surprised that neither protocol is supported).

2 weeks agoandroid: Update dependencies
Tobias Brunner [Mon, 2 Jun 2025 12:55:19 +0000 (14:55 +0200)] 
android: Update dependencies

3 weeks agoidentification: Clarify that ID_USER_FQDN is just an alias for ID_RFC822_ADDR
Tobias Brunner [Mon, 16 Jun 2025 07:28:40 +0000 (09:28 +0200)] 
identification: Clarify that ID_USER_FQDN is just an alias for ID_RFC822_ADDR

This means userfqdn: is a valid prefix for regular expressions.

3 weeks agoswanctl: Document that IP-TFS mode is subject to mode negotiation
Tobias Brunner [Fri, 6 Jun 2025 12:19:09 +0000 (14:19 +0200)] 
swanctl: Document that IP-TFS mode is subject to mode negotiation

3 weeks agotesting: Make sure ML-KEM scenarios use our ml plugin
Tobias Brunner [Fri, 6 Jun 2025 09:17:38 +0000 (11:17 +0200)] 
testing: Make sure ML-KEM scenarios use our ml plugin

We now support OpenSSL's implementation in the openssl plugin.  This
makes sure our plugin is used on at least one of the hosts if we ever
switch to an OpenSSL version that supports ML-KEM.

In the ikev2/rw-mlkem scenario the logic is reversed.  There the ml plugin
is preferred on moon to test the responder side (and carol for the
initiator) and dave will switch to OpenSSL if it ever provides ML-KEM.

5 weeks agoVersion bump to 6.0.2dr2 6.0.2dr2
Andreas Steffen [Thu, 5 Jun 2025 11:43:21 +0000 (13:43 +0200)] 
Version bump to 6.0.2dr2

5 weeks agotesting: soup plugin removed from test environment
Andreas Steffen [Thu, 5 Jun 2025 11:42:41 +0000 (13:42 +0200)] 
testing: soup plugin removed from test environment

5 weeks agoVersion bump to 6.0.2dr1 6.0.2dr1
Andreas Steffen [Wed, 4 Jun 2025 17:45:05 +0000 (19:45 +0200)] 
Version bump to 6.0.2dr1

5 weeks agoMerge branch 'libsoup3'
Tobias Brunner [Wed, 4 Jun 2025 17:09:33 +0000 (19:09 +0200)] 
Merge branch 'libsoup3'

Ports the soup plugin to libsoup 3.

Closes strongswan/strongswan#2788

5 weeks agogithub: Use libsoup 3 for tests
Tobias Brunner [Wed, 4 Jun 2025 16:07:35 +0000 (18:07 +0200)] 
github: Use libsoup 3 for tests

Requires installing libxml2-dev explicitly for the alpine build as
libsoup-dev had a dependency on it.

5 weeks agoleak-detective: Remove whitelisted libsoup2.x functions
Tobias Brunner [Wed, 4 Jun 2025 15:51:55 +0000 (17:51 +0200)] 
leak-detective: Remove whitelisted libsoup2.x functions

As mentioned in 0f141fb095a41a9fdfe5c111269eb643dc643494, we can't
really whitelist the "leaks" in GLib, so don't even try to do anything
with libsoup3.x.

5 weeks agosoup: Port to libsoup 3
Mike Gorse [Tue, 3 Jun 2025 21:13:41 +0000 (16:13 -0500)] 
soup: Port to libsoup 3

5 weeks agofetcher: Remove unused FETCH_HTTP_VERSION_1_0 option
Tobias Brunner [Tue, 3 Jun 2025 15:37:24 +0000 (17:37 +0200)] 
fetcher: Remove unused FETCH_HTTP_VERSION_1_0 option

Was only used by the removed scepclient and does not serve any purpose
nowadays anyway.

5 weeks agounit-tests: Serial number tests depend on X.509 certificate parsing
Tobias Brunner [Wed, 4 Jun 2025 15:14:08 +0000 (17:14 +0200)] 
unit-tests: Serial number tests depend on X.509 certificate parsing

Requires additional plugin features, but if this is available, the
others are usually as well.

5 weeks agowolfssl: Fix build if wolfSSL was built in OpenSSL-compat mode
Tobias Brunner [Wed, 4 Jun 2025 16:25:22 +0000 (18:25 +0200)] 
wolfssl: Fix build if wolfSSL was built in OpenSSL-compat mode

5 weeks agoMerge branch 'wolfssl-fips'
Tobias Brunner [Mon, 2 Jun 2025 09:31:03 +0000 (11:31 +0200)] 
Merge branch 'wolfssl-fips'

Fixes various issues when building the wolfssl plugin against wolfSSL's
FIPS module.

References strongswan/strongswan#2603
Closes strongswan/strongswan#2771

5 weeks agowolfssl: Unlock keys if necessary when using FIPS module
Juliusz Sosinowicz [Wed, 23 Apr 2025 14:32:52 +0000 (16:32 +0200)] 
wolfssl: Unlock keys if necessary when using FIPS module

Wrap the functions that require it in PRIVATE_KEY_UNLOCK/PRIVATE_KEY_LOCK.
This can't be done at plugin initialization because it needs to be done
for every thread. strongSwan currently doesn't provide on-thread-create
callbacks for plugins so we need to wrap each direct call. Another reason
to do so is that some functions we call (e.g. wc_EccKeyToDer) internally
call PRIVATE_KEY_UNLOCK/PRIVATE_KEY_LOCK and would leave the keys locked
for that particular thread.

5 weeks agowolfssl: Properly initialize ECC private key object
Juliusz Sosinowicz [Wed, 23 Apr 2025 13:56:09 +0000 (15:56 +0200)] 
wolfssl: Properly initialize ECC private key object

5 weeks agowolfssl: Set a dummy key when testing KDF implementations
Tobias Brunner [Fri, 21 Feb 2025 07:09:31 +0000 (08:09 +0100)] 
wolfssl: Set a dummy key when testing KDF implementations

In FIPS mode, wolfSSL enforces a minimum key size for these algorithms.

5 weeks agotest-vectors: Remove HMAC PRF test vectors with key size 4
Tobias Brunner [Tue, 18 Feb 2025 13:24:08 +0000 (14:24 +0100)] 
test-vectors: Remove HMAC PRF test vectors with key size 4

Some implementations enforce a minimum key size (e.g. wolfSSL in FIPS
mode) and in practice, the keys will be longer anyway (e.g. our nonces
are 32 bytes).

5 weeks agowolfssl: Include settings.h in case WOLFSSL_USER_SETTINGS is defined
Tobias Brunner [Fri, 29 Nov 2024 07:45:53 +0000 (08:45 +0100)] 
wolfssl: Include settings.h in case WOLFSSL_USER_SETTINGS is defined

5 weeks agowolfssl: Use consistent defines for ECC public/private key loading
Tobias Brunner [Thu, 28 Nov 2024 08:28:28 +0000 (09:28 +0100)] 
wolfssl: Use consistent defines for ECC public/private key loading

HAVE_ECC_KEY_IMPORT can be defined while HAVE_ECC_SIGN is not.
So just use the same defines we use when defining the load functions.

5 weeks agowolfssl: Call wc_SetSeed_Cb() as required for FIPS-mode
Tobias Brunner [Tue, 26 Nov 2024 09:19:33 +0000 (10:19 +0100)] 
wolfssl: Call wc_SetSeed_Cb() as required for FIPS-mode

6 weeks agoMerge branch 'iptfs'
Tobias Brunner [Wed, 28 May 2025 14:48:42 +0000 (16:48 +0200)] 
Merge branch 'iptfs'

This adds basic support for IP-TFS/AGGFRAG (RFC 9347).  The Linux kernel,
since 6.14, only supports aggregation/fragmentation so far.  The actual
TFS features will get added later.

6 weeks agotesting: Add ikev2/net2net-iptfs scenario
Tobias Brunner [Fri, 16 May 2025 08:28:16 +0000 (10:28 +0200)] 
testing: Add ikev2/net2net-iptfs scenario

6 weeks agotesting: Add config for Linux 6.14
Tobias Brunner [Fri, 16 May 2025 08:22:20 +0000 (10:22 +0200)] 
testing: Add config for Linux 6.14

This has IP-TFS enabled.

6 weeks agoconf: Document global IP-TFS settings
Tobias Brunner [Thu, 15 May 2025 10:58:12 +0000 (12:58 +0200)] 
conf: Document global IP-TFS settings

6 weeks agochild-create: Negotiate IP-TFS mode if configured
Tobias Brunner [Thu, 15 May 2025 10:57:38 +0000 (12:57 +0200)] 
child-create: Negotiate IP-TFS mode if configured

6 weeks agonotify-payload: Add notify type for IP-TFS/AGGFRAG
Tobias Brunner [Thu, 15 May 2025 08:37:01 +0000 (10:37 +0200)] 
notify-payload: Add notify type for IP-TFS/AGGFRAG

6 weeks agokernel-netlink: Support IPTFS mode and attributes
Tobias Brunner [Thu, 15 May 2025 07:22:17 +0000 (09:22 +0200)] 
kernel-netlink: Support IPTFS mode and attributes

6 weeks agochild-sa: Allow disabling fragmenting packets across AGGFRAG payloads
Tobias Brunner [Thu, 15 May 2025 10:56:00 +0000 (12:56 +0200)] 
child-sa: Allow disabling fragmenting packets across AGGFRAG payloads

This is necessary if the peer isn't able to handle such fragments.

6 weeks agokernel-ipsec: Add flag to disable sending fragments across AGGFRAG payloads
Tobias Brunner [Thu, 15 May 2025 07:20:52 +0000 (09:20 +0200)] 
kernel-ipsec: Add flag to disable sending fragments across AGGFRAG payloads

We have to set this if the peer indicates that it doesn't support
handling such fragments in the notify.

6 weeks agovici: Make IP-TFS mode configurable
Tobias Brunner [Wed, 14 May 2025 08:13:44 +0000 (10:13 +0200)] 
vici: Make IP-TFS mode configurable

6 weeks agoinclude: Add XFRM mode and attributes for IP-TFS
Tobias Brunner [Wed, 14 May 2025 08:16:55 +0000 (10:16 +0200)] 
include: Add XFRM mode and attributes for IP-TFS

6 weeks agoipsec-types: Add new mode for IP-TFS
Tobias Brunner [Wed, 14 May 2025 08:11:12 +0000 (10:11 +0200)] 
ipsec-types: Add new mode for IP-TFS

Added at the end as the numeric mode is e.g. used in SQL databases.

6 weeks agoMerge branch 'per-cpu-sas'
Tobias Brunner [Wed, 28 May 2025 14:36:10 +0000 (16:36 +0200)] 
Merge branch 'per-cpu-sas'

This adds support for per-CPU SAs (RFC 9611).

6 weeks agotesting: Add ikev2/per-cpu-sas-encap-transport scenario
Tobias Brunner [Wed, 16 Jun 2021 07:45:57 +0000 (09:45 +0200)] 
testing: Add ikev2/per-cpu-sas-encap-transport scenario

Tests transport mode and UDP encapsulation with random source ports.
Interestingly, the responder always uses the same SA to respond (maybe
due to the cache on the policy).

6 weeks agotesting: Add ikev2/per-cpu-sas-encap scenario
Tobias Brunner [Tue, 15 Jun 2021 09:13:35 +0000 (11:13 +0200)] 
testing: Add ikev2/per-cpu-sas-encap scenario

Basically the same as the one without UDP encapsulation, but here the
outbound SAs use random source ports.

6 weeks agokernel-netlink: Suppress NAT mapping updates for per-CPU SAs
Tobias Brunner [Tue, 22 Apr 2025 09:19:34 +0000 (11:19 +0200)] 
kernel-netlink: Suppress NAT mapping updates for per-CPU SAs

As we set the remote port to 0, we'd get a mapping change message with
every packet. Setting the threshold avoids all kernel messages after the
first, which we suppress explicitly as well.

6 weeks agochild-sa: Configure UDP encapsulation for per-CPU SAs
Tobias Brunner [Tue, 15 Jun 2021 09:11:14 +0000 (11:11 +0200)] 
child-sa: Configure UDP encapsulation for per-CPU SAs

As the kernel does not support processing UDP-encapsulated and plain ESP
for the same SA, we require forcing UDP encapsulation if there is no NAT.

6 weeks agovici: Make UDP encapsulation for per-CPU SAs configurable
Tobias Brunner [Tue, 15 Jun 2021 09:10:40 +0000 (11:10 +0200)] 
vici: Make UDP encapsulation for per-CPU SAs configurable

6 weeks agochild-cfg: Add flag to enable UDP encapsulation for per-CPU SAs
Tobias Brunner [Tue, 15 Jun 2021 07:46:31 +0000 (09:46 +0200)] 
child-cfg: Add flag to enable UDP encapsulation for per-CPU SAs

6 weeks agotesting: Add per-CPU SA test scenario
Tobias Brunner [Wed, 2 Jun 2021 15:07:01 +0000 (17:07 +0200)] 
testing: Add per-CPU SA test scenario

6 weeks agotesting: Configure multiple virtual CPUs for moon and sun
Tobias Brunner [Mon, 31 May 2021 14:46:41 +0000 (16:46 +0200)] 
testing: Configure multiple virtual CPUs for moon and sun

This allows testing per-CPU SAs by e.g. pinging over a specific CPU
via taskset.

6 weeks agotesting: Enable SMP support for latest kernels
Tobias Brunner [Mon, 31 May 2021 15:09:28 +0000 (17:09 +0200)] 
testing: Enable SMP support for latest kernels

6 weeks agoswanctl: Report per-CPU information in --list-sas
Tobias Brunner [Thu, 20 May 2021 08:32:09 +0000 (10:32 +0200)] 
swanctl: Report per-CPU information in --list-sas

6 weeks agovici: Report per-CPU SA information
Tobias Brunner [Thu, 20 May 2021 08:19:41 +0000 (10:19 +0200)] 
vici: Report per-CPU SA information

6 weeks agovici: Make per-CPU CHILD_SAs configurable
Tobias Brunner [Thu, 20 May 2021 08:12:30 +0000 (10:12 +0200)] 
vici: Make per-CPU CHILD_SAs configurable

6 weeks agokernel-netlink: Forward CPU ID from acquires
Tobias Brunner [Thu, 20 May 2021 08:04:46 +0000 (10:04 +0200)] 
kernel-netlink: Forward CPU ID from acquires

6 weeks agotrap-manager: Add support to handle acquires for per-CPU SAs
Tobias Brunner [Thu, 20 May 2021 07:46:55 +0000 (09:46 +0200)] 
trap-manager: Add support to handle acquires for per-CPU SAs

6 weeks agokernel-handler: Log CPU ID that's passed with an acquire
Tobias Brunner [Mon, 26 Sep 2022 14:55:00 +0000 (16:55 +0200)] 
kernel-handler: Log CPU ID that's passed with an acquire

6 weeks agokernel-interface: Optionally pass CPU ID for which an acquire was triggered
Tobias Brunner [Mon, 26 Sep 2022 14:47:46 +0000 (16:47 +0200)] 
kernel-interface: Optionally pass CPU ID for which an acquire was triggered

6 weeks agoike-sa: Accept optional CPU ID when initiating CHILD_SAs
Tobias Brunner [Wed, 19 May 2021 13:11:53 +0000 (15:11 +0200)] 
ike-sa: Accept optional CPU ID when initiating CHILD_SAs

6 weeks agoike-sa: Sort CHILD_SAs by CPU ID
Tobias Brunner [Thu, 20 May 2021 07:41:54 +0000 (09:41 +0200)] 
ike-sa: Sort CHILD_SAs by CPU ID

This might make debugging easier and also ensures that a possible
fallback SA without CPU ID is established first when reestablishing
an IKE_SA.  Because even if such an SA is established first initially,
that might change later depending on when per-CPU SAs are rekeyed.

6 weeks agochild-rekey: Maintain per-CPU values during rekeying
Tobias Brunner [Wed, 19 May 2021 10:00:39 +0000 (12:00 +0200)] 
child-rekey: Maintain per-CPU values during rekeying

6 weeks agochild-create: Add support to negotiate per-CPU SAs
Tobias Brunner [Wed, 19 May 2021 08:59:03 +0000 (10:59 +0200)] 
child-create: Add support to negotiate per-CPU SAs

6 weeks agoupdown: Don't call the script for per-CPU SAs
Tobias Brunner [Mon, 31 May 2021 14:12:27 +0000 (16:12 +0200)] 
updown: Don't call the script for per-CPU SAs

Rules are installed for the fallback SA that has no CPU ID assigned.

6 weeks agoha: Ignore per-CPU CHILD_SAs
Tobias Brunner [Mon, 31 May 2021 13:26:27 +0000 (15:26 +0200)] 
ha: Ignore per-CPU CHILD_SAs

These only work on initiators (with trap policies), which is something
the plugin doesn't support.

6 weeks agoforecast: Ignore per-CPU CHILD_SAs
Tobias Brunner [Mon, 31 May 2021 13:21:46 +0000 (15:21 +0200)] 
forecast: Ignore per-CPU CHILD_SAs

Not sure if this combination does make sense as the plugin itself would
be a major bottleneck.

Similar to the connmark plugin, PREROUTING rules list SPIs or UDP ports,
which would be necessary for all SAs while the OUTPUT rules would only be
required once.

6 weeks agoconnmark: Ignore per-CPU CHILD_SAs
Tobias Brunner [Mon, 31 May 2021 13:06:41 +0000 (15:06 +0200)] 
connmark: Ignore per-CPU CHILD_SAs

The combination probably doesn't make much sense.

The OUTPUT rules would definitely only be required once, while the INPUT
and PREROUTING rules list individual SPIs and/or UDP ports, which would
be necessary for all SAs.

By the way, the rules in PREROUTING might actually not be necessary
anymore if the set_mark_in option was used for such SAs.

6 weeks agochild-sa: Add support for per-CPU SAs
Tobias Brunner [Tue, 11 May 2021 15:55:21 +0000 (17:55 +0200)] 
child-sa: Add support for per-CPU SAs

The CPU ID is also set on inbound SAs as it can be used to configure RSS
or some eBPF program.

6 weeks agokernel-netlink: Add support to enable per-CPU acquires on policies
Tobias Brunner [Tue, 11 May 2021 14:24:38 +0000 (16:24 +0200)] 
kernel-netlink: Add support to enable per-CPU acquires on policies

6 weeks agokernel-netlink: Add support to set CPU ID on SA
Tobias Brunner [Tue, 11 May 2021 14:07:39 +0000 (16:07 +0200)] 
kernel-netlink: Add support to set CPU ID on SA

6 weeks agoipsec-types: Add identifier for the maximum (=no) CPU ID
Tobias Brunner [Mon, 10 May 2021 14:28:15 +0000 (16:28 +0200)] 
ipsec-types: Add identifier for the maximum (=no) CPU ID

6 weeks agoinclude: Add XFRM identifiers for per-CPU SAs/acquires
Tobias Brunner [Mon, 10 May 2021 14:23:20 +0000 (16:23 +0200)] 
include: Add XFRM identifiers for per-CPU SAs/acquires

6 weeks agochild-cfg: Add flag to enable per-CPU SAs
Tobias Brunner [Tue, 11 May 2021 12:46:29 +0000 (14:46 +0200)] 
child-cfg: Add flag to enable per-CPU SAs

6 weeks agonotify-payload: Add notify types for per-resource CHILD_SAs
Tobias Brunner [Tue, 11 May 2021 12:21:25 +0000 (14:21 +0200)] 
notify-payload: Add notify types for per-resource CHILD_SAs

6 weeks agotesting: Include the kernel build number
Tobias Brunner [Thu, 17 Apr 2025 08:03:56 +0000 (10:03 +0200)] 
testing: Include the kernel build number

6 weeks agoMerge branch 'acquires-seq'
Tobias Brunner [Wed, 28 May 2025 14:30:56 +0000 (16:30 +0200)] 
Merge branch 'acquires-seq'

This uses the sequence number from acquires when installing the SA. This
allows handling narrowing properly by changing the reqid and still
removing the temporary state in the kernel.  It also changes that
traffic selectors are reused during rekeying/recreation/reauthentication,
so narrowed selectors won't return to the wider configured TS because
there won't be any TS from triggering packets to narrow again.

6 weeks agotesting: Add ikev2/net2net-route-narrow scenario
Tobias Brunner [Mon, 24 Mar 2025 13:02:25 +0000 (14:02 +0100)] 
testing: Add ikev2/net2net-route-narrow scenario

6 weeks agochild-create: Consider previous TS when checking for duplicates
Tobias Brunner [Wed, 2 Apr 2025 12:49:58 +0000 (14:49 +0200)] 
child-create: Consider previous TS when checking for duplicates

6 weeks agochild-sa: Add helper to check if a list of TS match negotiated TS
Tobias Brunner [Wed, 2 Apr 2025 12:39:38 +0000 (14:39 +0200)] 
child-sa: Add helper to check if a list of TS match negotiated TS

6 weeks agochild-create: Maintain traffic selectors during rekeying/reauthentication
Tobias Brunner [Tue, 1 Apr 2025 15:33:35 +0000 (17:33 +0200)] 
child-create: Maintain traffic selectors during rekeying/reauthentication

If we don't do this, narrowed SAs would default to the wide configured
traffic selectors and the peer won't know if/how to narrow.

6 weeks agochild-create: Use more generic method to pass information from previous SA
Tobias Brunner [Tue, 1 Apr 2025 15:28:28 +0000 (17:28 +0200)] 
child-create: Use more generic method to pass information from previous SA

Besides the previous key exchange method, this will allow us to also
reuse the previous traffic selectors.  Some data is still passed in
separate methods as some are set even when there is no previous SA and
others are not set in all cases.

The interface for queue_child() now optionally takes the previous
Child SA to handle both recreations and initiations from scratch.

6 weeks agochild-cfg: Use traffic selector list
Tobias Brunner [Tue, 1 Apr 2025 08:02:31 +0000 (10:02 +0200)] 
child-cfg: Use traffic selector list

6 weeks agotraffic-selector-list: Add helper class to manage a collection of TS
Tobias Brunner [Tue, 25 Mar 2025 11:43:26 +0000 (12:43 +0100)] 
traffic-selector-list: Add helper class to manage a collection of TS

Provides functions to optionally resolve dynamic TS and to narrow
them based on a list of supplied TS.

6 weeks agotrap-manager: Set seq. no. for CHILD_SAs not initiated by an acquire
Tobias Brunner [Mon, 24 Mar 2025 17:03:42 +0000 (18:03 +0100)] 
trap-manager: Set seq. no. for CHILD_SAs not initiated by an acquire

This fixes cases where `start_action = trap|start` is used and an acquire
is triggered while the SA is initiated (granted if narrowing is expected,
that's not a recommended configuration as the responder can only use
the first config when there is no packet TS).  The resulting second
create-child task will potentially get dropped by the duplicate check,
so the temporary state won't get removed and traffic is blocked until
that expires, neither can acquires get triggered for traffic that doesn't
match the initial SA's policies.