aboutsummaryrefslogtreecommitdiffstats
path: root/src/charon-tkm
Commit message (Collapse)AuthorAgeFilesLines
...
* charon-tkm: Drop unnecessary includeAdrian-Ken Rueegsegger2013-12-031-1/+0
|
* charon-tkm: Don't run tests automatically during 'make check'Tobias Brunner2013-11-271-5/+5
| | | | | Due to the external dependencies these tests are quite inconvenient. They can be run from the charon-tkm directory with 'make check-tkm'.
* charon-tkm: Add Binder switches to test project to enable exception backtracesReto Buerki2013-11-271-0/+4
|
* charon-tkm: Migrate tests to our own test runnerTobias Brunner2013-11-2712-129/+227
| | | | | | Due to problems with the external libraries tkm_init/deinit can't be called for each test case. Because of this leak detective has to be disabled for these tests.
* charon-tkm: Support for out-of-tree build addedTobias Brunner2013-11-272-12/+12
|
* kernel: Use a time_t to report use time in query_policy()Martin Willi2013-10-111-1/+1
|
* kernel: Use a time_t to report use time in query_sa()Martin Willi2013-10-111-1/+1
|
* tkm: Properly refer to includes now that AM_CPPFLAGS is usedTobias Brunner2013-07-191-1/+1
|
* automake: replace INCLUDES by AM_CPPFLAGSMartin Willi2013-07-181-1/+1
| | | | | | INCLUDES are now deprecated and throw warnings when using automake 1.13. We now also differentiate AM_CPPFLAGS and AM_CFLAGS, where includes and defines are passed to AM_CPPFLAGS only.
* capabilities: Move global capabilities_t instance to libstrongswanTobias Brunner2013-06-251-5/+5
|
* plugin-loader: Add method to print loaded plugins on a given log levelTobias Brunner2013-06-211-0/+1
|
* kernel-interface: add an exchange initiator parameter to add_sa()Martin Willi2013-06-111-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This new flag gives the kernel-interface a hint how it should priorize the use of newly installed SAs during rekeying. Consider the following rekey procedure in IKEv2: Initiator --- Responder I1 -------CREATE-------> R1 I2 <------CREATE-------- -------DELETE-------> R2 I3 <------DELETE-------- SAs are always handled as pairs, the following happens at the SA level: * Initiator starts the exchange at I1 * Responder installs new SA pair at R1 * Initiator installs new SA pair at I2 * Responder removes old SA pair at R2 * Initiator removes old SA pair at I3 This makes sure SAs get installed/removed overlapping during rekeying. However, to avoid any packet loss, it is crucial that the new outbound SA gets activated at the correct position: * as exchange initiator, in I2 * as exchange responder, in R2 This should guarantee that we don't use the new outbound SA before the peer could install its corresponding inbound SA. The new parameter allows the kernel backend to install the new SA with appropriate priorities, i.e. it should: * as exchange inititator, have the new outbound SA installed with higher priority than the old SA * as exchange responder, have the new outbound SA installed with lower priority than the old SA While we could split up the SA installation at the responder, this approach has another advantage: it allows the kernel backend to switch SAs based on other criteria, for example when receiving traffic on the new inbound SA.
* kernel-interface: query SAD for last use time if SPD query didn't yield oneMartin Willi2013-05-061-1/+1
|
* Fixed some typos, courtesy of codespellTobias Brunner2013-03-252-2/+2
|
* Various stylistic fixesAdrian-Ken Rueegsegger2013-03-1912-123/+155
|
* Use network byte order for ESA SPIsAdrian-Ken Rueegsegger2013-03-191-6/+5
|
* Provide MODP-2048 through TKM DH pluginAdrian-Ken Rueegsegger2013-03-191-0/+1
|
* Add charon-tkm API documentationAdrian-Ken Rueegsegger2013-03-1917-16/+158
|
* Do not hardwire keys to KEY_RSAReto Buerki2013-03-193-12/+51
| | | | | Make the TKM private and public keys more easily extendable by determining the associated key type dynamically.
* Provide TKM credential encoderReto Buerki2013-03-195-26/+150
| | | | | | | | The TKM credential encoder creates fingerprints of type KEYID_PUBKEY_INFO_SHA1 and KEYID_PUBKEY_SHA1 using CRED_PART_RSA_PUB_ASN1_DER. This makes the pkcs1 plugin unnecessary.
* Switch to openssl pluginReto Buerki2013-03-191-8/+1
|
* Don't manually register kernel_netlink_netReto Buerki2013-03-194-16/+11
| | | | | | | | | Load complete kernel_netlink plugin instead. Registering the TKM specific plugins first still ensures that the correct ipsec plugin is used. Lazy initialize the RNG_WEAK plugin to avoid the unsatisfiable soft dependency on startup.
* Move stroke plugin to the end of PLUGINS listReto Buerki2013-03-191-2/+2
| | | | | This fixes the problem of stroke being unable to load the ca certificates on startup.
* Make sure IP_XFRM_POLICY is definedReto Buerki2013-03-191-0/+5
|
* Call isa_skip_create_first when keeping IKE SAAdrian-Ken Rueegsegger2013-03-191-0/+20
| | | | | | | An ALERT_KEEP_ON_CHILD_SA_FAILURE alert is issued when child SA establishment fails but the corresponding IKE SA is not destroyed. To allow later creation of child SAs the ISA context must be signaled that the implicity first child SA creation was skipped.
* Make IKE and EES sockets configurableAdrian-Ken Rueegsegger2013-03-191-4/+15
| | | | | | | | | | | | The IKE and EES sockets are now read from strongswan.conf. They can be specified like this: charon-tkm { ike_socket = /tmp/tkm.rpc.ike ees_socket = /tmp/tkm.rpc.ees } The socket names given above are used by default if none are configured.
* Implement TKM-specific credential setReto Buerki2013-03-195-21/+206
| | | | | | | The TKM credential set extends the in-memory credential set. It provides a private key enumerator which is used to instantiate private key proxy objects on-demand. This allows the usage of private keys with arbitrary identifiers.
* Initialize libstrongswan in test_runner main()Reto Buerki2013-03-192-54/+41
|
* Set ri_id to reqid when setting user certificateAdrian-Ken Rueegsegger2013-03-191-2/+29
| | | | | | | | | Pass the reqid (of the first child config of an IKE SA) as remote identity id when calling cc_set_user_certificate. May lead to the usage of the wrong id in case an IKE SA has multiple child configurations/reqids. This must be replaced with a proper lookup once the configuration backend is implemented and provides remote identity ids to charon-tkm.
* Set sp_id to reqid when creating ESAAdrian-Ken Rueegsegger2013-03-191-3/+3
| | | | The reqid corresponds to the sp_id (security policy id) on the TKM side.
* Call Esa_Select after creation of child SAAdrian-Ken Rueegsegger2013-03-191-0/+10
| | | | This tells the TKM which child SA is the currently active SA.
* Check that chunk fits into sequence when convertingAdrian-Ken Rueegsegger2013-03-191-1/+13
|
* Remove result out parameter from EES InitReto Buerki2013-03-193-21/+4
| | | | Error processing is done by the registered exception handler.
* Drop support for pre-shared key authenticationAdrian-Ken Rueegsegger2013-03-191-23/+1
|
* charon-tkm: Register TKM private key on startupReto Buerki2013-03-191-0/+13
|
* Add TKM private key implementationReto Buerki2013-03-192-0/+206
| | | | | | | | | | | | | The key currently imitates the private key of alice@strongswan.org by returning it's fingerprint in the get_fingerprint function. This associates the private key with alice's X.509 cert and charon will use it to create a signature over the local AUTH octets of the test connection. The private key serves as a proxy to the TKM ike_isa_sign operation and extracts the required information from the auth octets chunk passed on by the keymat.
* keymat: Store signature info in auth octetsReto Buerki2013-03-191-2/+14
| | | | | | Store the ISA context id and the initial message in the auth octets chunk using the sign_info_t struct. Charon will pass on this information to the TKM private key sign operation where it is extracted.
* Add AUTH signature info data structureReto Buerki2013-03-191-0/+26
| | | | | The sign_info_t type is used to transfer an ISA context id and the initial message from the keymat to the TKM private key sign operation.
* charon-tkm: Register TKM public key on startupAdrian-Ken Rueegsegger2013-03-191-0/+5
|
* Add TKM public key implementationAdrian-Ken Rueegsegger2013-03-192-0/+213
| | | | | | | The key unconditionally returns TRUE for the verify operation if it is called with a supported signature algorithm. All such verification operations are performed by the TKM (e.g. trustchain or auth octets verification) anyway, so this is safe.
* Authenticate ISA using certificatesAdrian-Ken Rueegsegger2013-03-191-1/+11
| | | | | The authentication of the ISA is now done using the certificate provided by the peer.
* Store peer IKE init messageAdrian-Ken Rueegsegger2013-03-192-0/+26
| | | | | | The IKE init message sent to us by the peer is needed for authentication in the authorization hook. Store the message as chunk in the keymat and provide a getter to make it available.
* Build cc context in tkm listener authorize hookAdrian-Ken Rueegsegger2013-03-191-0/+143
| | | | | | Extract peer certificate information and build a TKM certificate chain context in the authorize hook of the tkm_listener_t. The cc context will be used for ISA authentication using certificates.
* Add TKM_CTX_CC (Certificate chain context id)Adrian-Ken Rueegsegger2013-03-194-2/+5
|
* Add typelen parameter to chunk_to_sequence functionAdrian-Ken Rueegsegger2013-03-196-10/+14
| | | | The parameter is used to initialize the given sequence to zero.
* Implement Ada exception processingReto Buerki2013-03-198-1/+146
| | | | | Register a global exception action with the Ada runtime to log uncaught exceptions to the daemon log and terminate.
* Implement Esa Event Service (EES)Reto Buerki2013-03-1910-7/+272
| | | | | | The Esa Event Service can be used to trigger ESP SA (ESA) events such as acquire or expire. The incoming events are forwarded to the hydra kernel interface for processing.
* Conditionally reset AE context in keymat destroyAdrian-Ken Rueegsegger2013-03-192-12/+66
| | | | | | | The responsibility to reset an authenticated endpoint context is passed from a parent IKE SA keymat to the new keymat by including it in the ISA info data contained in the skd chunk. The last IKE SA to be destroyed will also reset the associated AE context.
* Let tkm_keymat_t extend keymat_v2_tAdrian-Ken Rueegsegger2013-03-193-102/+31
|
* Implement IKE SA rekeyingAdrian-Ken Rueegsegger2013-03-191-9/+29
| | | | | Use the TKM ike_isa_create_child exchange to rekey an IKE SA. The isa context id is passed on (ab)using the rekey_skd chunk.