aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* Ignore 'compile' script which is generated by AM_PROG_CC_C_OTobias Brunner2013-03-191-0/+1
|
* Avoid returning COOKIEs right after system bootTobias Brunner2013-03-191-1/+1
| | | | | | | | | | | When the monotonic timer is initialized to 0 right after the system is booted the daemon responded with COOKIES for COOKIE_CALMDOWN_DELAY (10s). Since the COOKIE verification code actually produces an overflow for COOKIE_LIFETIME (10s) it wouldn't even accept properly returned COOKIEs. Checking for last_cookie makes sense anyway as that condition must only apply if we actually sent a COOKIE before.
* Fix scheduling of heartbeat sending in HA pluginMartin Willi2013-03-191-2/+11
| | | | | | e0efd7c1 switches to automated job rescheduling for HA heartbeat. However, send_status() is initially called directly, which will not reschedule the job as required.
* Fix compiler warning in HA pluginMartin Willi2013-03-191-1/+1
|
* Merge branch 'tkm'Tobias Brunner2013-03-19136-42/+6567
|\ | | | | | | | | This adds charon-tkm a special build of the charon IKEv2 daemon that delegates security critical operations to a separate process (TKM = Trusted Key Manager).
| * Various stylistic fixesAdrian-Ken Rueegsegger2013-03-1912-123/+155
| |
| * Add NEWS about TKM separationReto Buerki2013-03-191-0/+8
| |
| * Use network byte order for ESA SPIsAdrian-Ken Rueegsegger2013-03-191-6/+5
| |
| * Provide MODP-2048 through TKM DH pluginAdrian-Ken Rueegsegger2013-03-191-0/+1
| |
| * Add charon-tkm API documentationAdrian-Ken Rueegsegger2013-03-1917-16/+158
| |
| * Do not hardwire keys to KEY_RSAReto Buerki2013-03-193-12/+51
| | | | | | | | | | Make the TKM private and public keys more easily extendable by determining the associated key type dynamically.
| * Provide TKM credential encoderReto Buerki2013-03-195-26/+150
| | | | | | | | | | | | | | | | The TKM credential encoder creates fingerprints of type KEYID_PUBKEY_INFO_SHA1 and KEYID_PUBKEY_SHA1 using CRED_PART_RSA_PUB_ASN1_DER. This makes the pkcs1 plugin unnecessary.
| * Switch to openssl pluginReto Buerki2013-03-191-8/+1
| |
| * Implement multiple-clients integration testReto Buerki2013-03-1912-0/+158
| | | | | | | | | | | | | | | | Two transport connections to gateway sun are set up, one from client carol and the other from client dave. The gateway sun uses the Trusted Key Manager (TKM) and is the responder for both connections. The authentication is based on X.509 certificates. In order to test the connections, both carol and dave ping gateway sun.
| * Implement net2net-xfrmproxy integration testReto Buerki2013-03-1910-0/+108
| |
| * Implement net2net-initiator integration testReto Buerki2013-03-199-0/+104
| |
| * Add xfrm_proxy integration testReto Buerki2013-03-1910-0/+102
| |
| * Provide script to build Ada XFRM proxyReto Buerki2013-03-191-0/+21
| |
| * Add TKM responder integration testReto Buerki2013-03-1910-0/+97
| |
| * Add initial TKM integration testReto Buerki2013-03-1910-0/+96
| | | | | | | | | | | | A connection between the hosts moon and sun is set up. The host moon uses the Trusted Key Manager (TKM) and is the initiator of the transport connection. The authentication is based on X.509 certificates.
| * Add expect-file guest image scriptReto Buerki2013-03-191-0/+29
| | | | | | | | | | This script can be used in pretest.dat files to wait until a given file appears.
| * Add /usr/local/lib/ipsec to linker cacheReto Buerki2013-03-192-0/+3
| |
| * Provide recipes to build tkm and required librariesReto Buerki2013-03-196-1/+105
| |
| * Add GNAT compiler and Ada libs to base imageReto Buerki2013-03-191-0/+2
| |
| * Don't manually register kernel_netlink_netReto Buerki2013-03-194-16/+11
| | | | | | | | | | | | | | | | | | Load complete kernel_netlink plugin instead. Registering the TKM specific plugins first still ensures that the correct ipsec plugin is used. Lazy initialize the RNG_WEAK plugin to avoid the unsatisfiable soft dependency on startup.
| * Move stroke plugin to the end of PLUGINS listReto Buerki2013-03-191-2/+2
| | | | | | | | | | This fixes the problem of stroke being unable to load the ca certificates on startup.
| * Make sure IP_XFRM_POLICY is definedReto Buerki2013-03-191-0/+5
| |
| * Call isa_skip_create_first when keeping IKE SAAdrian-Ken Rueegsegger2013-03-191-0/+20
| | | | | | | | | | | | | | An ALERT_KEEP_ON_CHILD_SA_FAILURE alert is issued when child SA establishment fails but the corresponding IKE SA is not destroyed. To allow later creation of child SAs the ISA context must be signaled that the implicity first child SA creation was skipped.
| * Make IKE and EES sockets configurableAdrian-Ken Rueegsegger2013-03-191-4/+15
| | | | | | | | | | | | | | | | | | | | | | | | The IKE and EES sockets are now read from strongswan.conf. They can be specified like this: charon-tkm { ike_socket = /tmp/tkm.rpc.ike ees_socket = /tmp/tkm.rpc.ees } The socket names given above are used by default if none are configured.
| * Implement TKM-specific credential setReto Buerki2013-03-195-21/+206
| | | | | | | | | | | | | | The TKM credential set extends the in-memory credential set. It provides a private key enumerator which is used to instantiate private key proxy objects on-demand. This allows the usage of private keys with arbitrary identifiers.
| * Initialize libstrongswan in test_runner main()Reto Buerki2013-03-192-54/+41
| |
| * Set ri_id to reqid when setting user certificateAdrian-Ken Rueegsegger2013-03-191-2/+29
| | | | | | | | | | | | | | | | | | Pass the reqid (of the first child config of an IKE SA) as remote identity id when calling cc_set_user_certificate. May lead to the usage of the wrong id in case an IKE SA has multiple child configurations/reqids. This must be replaced with a proper lookup once the configuration backend is implemented and provides remote identity ids to charon-tkm.
| * Set sp_id to reqid when creating ESAAdrian-Ken Rueegsegger2013-03-191-3/+3
| | | | | | | | The reqid corresponds to the sp_id (security policy id) on the TKM side.
| * Call Esa_Select after creation of child SAAdrian-Ken Rueegsegger2013-03-191-0/+10
| | | | | | | | This tells the TKM which child SA is the currently active SA.
| * Check that chunk fits into sequence when convertingAdrian-Ken Rueegsegger2013-03-191-1/+13
| |
| * Remove result out parameter from EES InitReto Buerki2013-03-193-21/+4
| | | | | | | | Error processing is done by the registered exception handler.
| * Drop support for pre-shared key authenticationAdrian-Ken Rueegsegger2013-03-191-23/+1
| |
| * charon-tkm: Register TKM private key on startupReto Buerki2013-03-191-0/+13
| |
| * Add TKM private key implementationReto Buerki2013-03-192-0/+206
| | | | | | | | | | | | | | | | | | | | | | | | | | The key currently imitates the private key of alice@strongswan.org by returning it's fingerprint in the get_fingerprint function. This associates the private key with alice's X.509 cert and charon will use it to create a signature over the local AUTH octets of the test connection. The private key serves as a proxy to the TKM ike_isa_sign operation and extracts the required information from the auth octets chunk passed on by the keymat.
| * keymat: Store signature info in auth octetsReto Buerki2013-03-191-2/+14
| | | | | | | | | | | | Store the ISA context id and the initial message in the auth octets chunk using the sign_info_t struct. Charon will pass on this information to the TKM private key sign operation where it is extracted.
| * Add AUTH signature info data structureReto Buerki2013-03-191-0/+26
| | | | | | | | | | The sign_info_t type is used to transfer an ISA context id and the initial message from the keymat to the TKM private key sign operation.
| * charon-tkm: Register TKM public key on startupAdrian-Ken Rueegsegger2013-03-191-0/+5
| |
| * Add TKM public key implementationAdrian-Ken Rueegsegger2013-03-192-0/+213
| | | | | | | | | | | | | | The key unconditionally returns TRUE for the verify operation if it is called with a supported signature algorithm. All such verification operations are performed by the TKM (e.g. trustchain or auth octets verification) anyway, so this is safe.
| * Authenticate ISA using certificatesAdrian-Ken Rueegsegger2013-03-191-1/+11
| | | | | | | | | | The authentication of the ISA is now done using the certificate provided by the peer.
| * Store peer IKE init messageAdrian-Ken Rueegsegger2013-03-192-0/+26
| | | | | | | | | | | | The IKE init message sent to us by the peer is needed for authentication in the authorization hook. Store the message as chunk in the keymat and provide a getter to make it available.
| * Build cc context in tkm listener authorize hookAdrian-Ken Rueegsegger2013-03-191-0/+143
| | | | | | | | | | | | Extract peer certificate information and build a TKM certificate chain context in the authorize hook of the tkm_listener_t. The cc context will be used for ISA authentication using certificates.
| * Add TKM_CTX_CC (Certificate chain context id)Adrian-Ken Rueegsegger2013-03-194-2/+5
| |
| * Add typelen parameter to chunk_to_sequence functionAdrian-Ken Rueegsegger2013-03-196-10/+14
| | | | | | | | The parameter is used to initialize the given sequence to zero.
| * Implement Ada exception processingReto Buerki2013-03-198-1/+146
| | | | | | | | | | Register a global exception action with the Ada runtime to log uncaught exceptions to the daemon log and terminate.
| * Implement Esa Event Service (EES)Reto Buerki2013-03-1910-7/+272
| | | | | | | | | | | | The Esa Event Service can be used to trigger ESP SA (ESA) events such as acquire or expire. The incoming events are forwarded to the hydra kernel interface for processing.