aboutsummaryrefslogtreecommitdiffstats
path: root/src/charon-tkm
Commit message (Collapse)AuthorAgeFilesLines
* plugin-loader: Support a reload() callback for static featuresMartin Willi2014-09-223-3/+4
|
* kernel-interface: Add a replay_window parameter to add_sa()Martin Willi2014-06-171-2/+3
|
* payload: Use common prefixes for all payload type identifiersMartin Willi2014-06-041-1/+1
| | | | | The old identifiers did not use a proper namespace and often clashed with other defines.
* libcharon: Remove unused charon->nameTobias Brunner2014-02-122-2/+2
|
* charon-tkm: Use lib->ns instead of charon->nameTobias Brunner2014-02-123-5/+5
|
* libhydra: Remove unused hydra->daemonTobias Brunner2014-02-122-2/+2
|
* lib: Add global config namespaceTobias Brunner2014-02-121-1/+1
|
* unit-tests: Pass a test suite collection name to print during test executionMartin Willi2014-01-221-1/+1
| | | | | As we except to get more and more test runners for the different components, we add a name to easily identify them on the test output.
* charon-tkm: Implement IANA DH Id to TKM Id mappingAdrian-Ken Rueegsegger2013-12-035-9/+134
| | | | | | | | | | | | | | | The TKM Diffie-Hellman plugin now maps IANA DH identifiers to TKM DH algorithm identifiers. The mapping is specified in the daemon's 'dh_mapping' section in the strongswan.conf file: dh_mapping { iana_id1 = tkm_id1 iana_id2 = tkm_id2 iana_id3 = tkm_id3 ... } Only the mapped IANA IDs are registered as supported DH groups.
* charon-tkm: Drop unnecessary includeAdrian-Ken Rueegsegger2013-12-031-1/+0
|
* charon-tkm: Don't run tests automatically during 'make check'Tobias Brunner2013-11-271-5/+5
| | | | | Due to the external dependencies these tests are quite inconvenient. They can be run from the charon-tkm directory with 'make check-tkm'.
* charon-tkm: Add Binder switches to test project to enable exception backtracesReto Buerki2013-11-271-0/+4
|
* charon-tkm: Migrate tests to our own test runnerTobias Brunner2013-11-2712-129/+227
| | | | | | Due to problems with the external libraries tkm_init/deinit can't be called for each test case. Because of this leak detective has to be disabled for these tests.
* charon-tkm: Support for out-of-tree build addedTobias Brunner2013-11-272-12/+12
|
* kernel: Use a time_t to report use time in query_policy()Martin Willi2013-10-111-1/+1
|
* kernel: Use a time_t to report use time in query_sa()Martin Willi2013-10-111-1/+1
|
* tkm: Properly refer to includes now that AM_CPPFLAGS is usedTobias Brunner2013-07-191-1/+1
|
* automake: replace INCLUDES by AM_CPPFLAGSMartin Willi2013-07-181-1/+1
| | | | | | INCLUDES are now deprecated and throw warnings when using automake 1.13. We now also differentiate AM_CPPFLAGS and AM_CFLAGS, where includes and defines are passed to AM_CPPFLAGS only.
* capabilities: Move global capabilities_t instance to libstrongswanTobias Brunner2013-06-251-5/+5
|
* plugin-loader: Add method to print loaded plugins on a given log levelTobias Brunner2013-06-211-0/+1
|
* kernel-interface: add an exchange initiator parameter to add_sa()Martin Willi2013-06-111-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This new flag gives the kernel-interface a hint how it should priorize the use of newly installed SAs during rekeying. Consider the following rekey procedure in IKEv2: Initiator --- Responder I1 -------CREATE-------> R1 I2 <------CREATE-------- -------DELETE-------> R2 I3 <------DELETE-------- SAs are always handled as pairs, the following happens at the SA level: * Initiator starts the exchange at I1 * Responder installs new SA pair at R1 * Initiator installs new SA pair at I2 * Responder removes old SA pair at R2 * Initiator removes old SA pair at I3 This makes sure SAs get installed/removed overlapping during rekeying. However, to avoid any packet loss, it is crucial that the new outbound SA gets activated at the correct position: * as exchange initiator, in I2 * as exchange responder, in R2 This should guarantee that we don't use the new outbound SA before the peer could install its corresponding inbound SA. The new parameter allows the kernel backend to install the new SA with appropriate priorities, i.e. it should: * as exchange inititator, have the new outbound SA installed with higher priority than the old SA * as exchange responder, have the new outbound SA installed with lower priority than the old SA While we could split up the SA installation at the responder, this approach has another advantage: it allows the kernel backend to switch SAs based on other criteria, for example when receiving traffic on the new inbound SA.
* kernel-interface: query SAD for last use time if SPD query didn't yield oneMartin Willi2013-05-061-1/+1
|
* Fixed some typos, courtesy of codespellTobias Brunner2013-03-252-2/+2
|
* Various stylistic fixesAdrian-Ken Rueegsegger2013-03-1912-123/+155
|
* Use network byte order for ESA SPIsAdrian-Ken Rueegsegger2013-03-191-6/+5
|
* Provide MODP-2048 through TKM DH pluginAdrian-Ken Rueegsegger2013-03-191-0/+1
|
* Add charon-tkm API documentationAdrian-Ken Rueegsegger2013-03-1917-16/+158
|
* Do not hardwire keys to KEY_RSAReto Buerki2013-03-193-12/+51
| | | | | Make the TKM private and public keys more easily extendable by determining the associated key type dynamically.
* Provide TKM credential encoderReto Buerki2013-03-195-26/+150
| | | | | | | | The TKM credential encoder creates fingerprints of type KEYID_PUBKEY_INFO_SHA1 and KEYID_PUBKEY_SHA1 using CRED_PART_RSA_PUB_ASN1_DER. This makes the pkcs1 plugin unnecessary.
* Switch to openssl pluginReto Buerki2013-03-191-8/+1
|
* Don't manually register kernel_netlink_netReto Buerki2013-03-194-16/+11
| | | | | | | | | Load complete kernel_netlink plugin instead. Registering the TKM specific plugins first still ensures that the correct ipsec plugin is used. Lazy initialize the RNG_WEAK plugin to avoid the unsatisfiable soft dependency on startup.
* Move stroke plugin to the end of PLUGINS listReto Buerki2013-03-191-2/+2
| | | | | This fixes the problem of stroke being unable to load the ca certificates on startup.
* Make sure IP_XFRM_POLICY is definedReto Buerki2013-03-191-0/+5
|
* Call isa_skip_create_first when keeping IKE SAAdrian-Ken Rueegsegger2013-03-191-0/+20
| | | | | | | An ALERT_KEEP_ON_CHILD_SA_FAILURE alert is issued when child SA establishment fails but the corresponding IKE SA is not destroyed. To allow later creation of child SAs the ISA context must be signaled that the implicity first child SA creation was skipped.
* Make IKE and EES sockets configurableAdrian-Ken Rueegsegger2013-03-191-4/+15
| | | | | | | | | | | | The IKE and EES sockets are now read from strongswan.conf. They can be specified like this: charon-tkm { ike_socket = /tmp/tkm.rpc.ike ees_socket = /tmp/tkm.rpc.ees } The socket names given above are used by default if none are configured.
* Implement TKM-specific credential setReto Buerki2013-03-195-21/+206
| | | | | | | The TKM credential set extends the in-memory credential set. It provides a private key enumerator which is used to instantiate private key proxy objects on-demand. This allows the usage of private keys with arbitrary identifiers.
* Initialize libstrongswan in test_runner main()Reto Buerki2013-03-192-54/+41
|
* Set ri_id to reqid when setting user certificateAdrian-Ken Rueegsegger2013-03-191-2/+29
| | | | | | | | | Pass the reqid (of the first child config of an IKE SA) as remote identity id when calling cc_set_user_certificate. May lead to the usage of the wrong id in case an IKE SA has multiple child configurations/reqids. This must be replaced with a proper lookup once the configuration backend is implemented and provides remote identity ids to charon-tkm.
* Set sp_id to reqid when creating ESAAdrian-Ken Rueegsegger2013-03-191-3/+3
| | | | The reqid corresponds to the sp_id (security policy id) on the TKM side.
* Call Esa_Select after creation of child SAAdrian-Ken Rueegsegger2013-03-191-0/+10
| | | | This tells the TKM which child SA is the currently active SA.
* Check that chunk fits into sequence when convertingAdrian-Ken Rueegsegger2013-03-191-1/+13
|
* Remove result out parameter from EES InitReto Buerki2013-03-193-21/+4
| | | | Error processing is done by the registered exception handler.
* Drop support for pre-shared key authenticationAdrian-Ken Rueegsegger2013-03-191-23/+1
|
* charon-tkm: Register TKM private key on startupReto Buerki2013-03-191-0/+13
|
* Add TKM private key implementationReto Buerki2013-03-192-0/+206
| | | | | | | | | | | | | The key currently imitates the private key of alice@strongswan.org by returning it's fingerprint in the get_fingerprint function. This associates the private key with alice's X.509 cert and charon will use it to create a signature over the local AUTH octets of the test connection. The private key serves as a proxy to the TKM ike_isa_sign operation and extracts the required information from the auth octets chunk passed on by the keymat.
* keymat: Store signature info in auth octetsReto Buerki2013-03-191-2/+14
| | | | | | Store the ISA context id and the initial message in the auth octets chunk using the sign_info_t struct. Charon will pass on this information to the TKM private key sign operation where it is extracted.
* Add AUTH signature info data structureReto Buerki2013-03-191-0/+26
| | | | | The sign_info_t type is used to transfer an ISA context id and the initial message from the keymat to the TKM private key sign operation.
* charon-tkm: Register TKM public key on startupAdrian-Ken Rueegsegger2013-03-191-0/+5
|
* Add TKM public key implementationAdrian-Ken Rueegsegger2013-03-192-0/+213
| | | | | | | The key unconditionally returns TRUE for the verify operation if it is called with a supported signature algorithm. All such verification operations are performed by the TKM (e.g. trustchain or auth octets verification) anyway, so this is safe.
* Authenticate ISA using certificatesAdrian-Ken Rueegsegger2013-03-191-1/+11
| | | | | The authentication of the ISA is now done using the certificate provided by the peer.
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-03 16:48:03 +0000