Modularizes the generation of initialization vectors, which allows to use
different methods depending on the algorithms. For instance for AES-GCM
sequential IVs are now used instead of the earlier random IVs, which are
still used for other algorithms e.g. AES-CBC.
Depending on the value of the CVPN3000-IPSec-Split-Tunneling-Policy(55)
radius attribute, the subnets in the CVPN3000-IPSec-Split-Tunnel-List(27)
attribute are sent in either a UNITY_SPLIT_INCLUDE (if the value is 1)
or a UNITY_LOCAL_LAN (if the value is 2).
So if the following attributes would be configured for a RADIUS user
CVPN3000-IPSec-Split-Tunnel-List := "10.0.1.0/255.255.255.0,10.0.2.0/255.255.255.0"
CVPN3000-IPSec-Split-Tunneling-Policy := 1
A UNITY_SPLIT_INCLUDE configuration payload containing these two subnets
would be sent to the client during the ModeCfg exchange.
The contents of the CVPN3000-IPSec-Default-Domain(28) and
CVPN3000-IPSec-Split-DNS-Names(29) radius attributes are forwarded in
the corresponding Unity configuration attributes.
Add DNSSEC protected CERT RR delivered certificate authentication.
The new dnscert plugin is based on the ipseckey plugin and relies on the
existing PEM decoder as well as x509 and PGP parsers. As such the plugin
expects PEM encoded PKIX(x509) or PGP(GPG) certificate payloads.
The plugin is targeted to improve interoperability with Racoon, which
supports this type of authentication, ignoring in-stream certificates
and using only DNS provided certificates for FQDN IDs.
Allows setting a mark on outbound packets and the routing rule
installed by charon. With those settings it is possible to setup
tunnels with kernel-libipsec where the remote peer is part of the remote
traffic selector.
The following example settings in strongswan.conf show how this can be
configured:
charon {
plugins {
kernel-netlink {
fwmark = !0x42
}
socket-default {
fwmark = 0x42
}
kernel-libipsec {
allow_peer_ts = yes
}
}
}
To make it work it is necessary to set
net.ipv4.conf.all.rp_filter
appropriately, otherwise the kernel drops the packets.
References #380.
This actually broke rekeying due to the DROP policies that are
temporarily added, which broke the refcount as the ignored policies
were not ignored in del_policy() (the type is not known there).
Setting the fwmark options for the kernel-netlink and socket-default
plugins allow this kind of setup.
It is probably required to set net.ipv4.conf.all.rp_filter to 2 to make
it work.
This adds support for transactions to the database_t interface and the two
current implementations.
The pool utility is also moved to its own directory in src/.
If the same identity is added concurrently by two threads (or by the
pool utility) INSERT might fail even though the SELECT was unsuccessful
before.
We are currently not able to lock the identities table in a portable way
(something like SELECT ... FOR UPDATE on MySQL).
There could, of course, be race conditions when enumerating the attributes,
but those probably don't matter (e.g. missing an attribute that was
concurrently added).
Transactions are more intended to revert multiple changes if anything
fails in the process.
Adds a custom printf hook implementation as a fallback if neither the glibc
style hooks nor vstr is available. This can avoid the Vstr dependency on some
systems at the cost of slower and less complete printf functions.
Tobias Brunner