path: root/src/charon-tkm
Commit message (Author, Date; Files, Lines -removed/+added)
* kernel: Use structs to pass information to the kernel-ipsec interface (Tobias Brunner, 2016-04-09; 1 file, -48/+39)
* Use standard unsigned integer types (Andreas Steffen, 2016-03-24; 8 files, -52/+52)
* libhydra: Remove empty unused library (Tobias Brunner, 2016-03-03; 3 files, -19/+2)
* libhydra: Move kernel interface to libcharon (Tobias Brunner, 2016-03-03; 2 files, -6/+3)
  This moves hydra->kernel_interface to charon->kernel.
* sigwaitinfo() may fail with EINTR if interrupted by an unblocked signal not in the set (Tobias Brunner, 2015-11-23; 1 file, -5/+4)
  Fixes #1213.
* charon-tkm: Register SPI generator callback (Adrian-Ken Rueegsegger, 2015-11-11; 1 file, -0/+4)
  Set get_spi callback of IKE SA manager to TKM-specific implementation.
* charon-tkm: Implement SPI generator (Adrian-Ken Rueegsegger, 2015-11-11; 2 files, -0/+134)
  The get_spi callback returns a random SPI with a label encoded according to the spi_label and spi_mask parameters read from the strongswan.conf.
* kernel-interface: Pass the same data to del_policy() that was passed to add_policy() (Tobias Brunner, 2015-11-10; 1 file, -3/+4)
  The additional data can be helpful to identify the exact policy to delete.
* Fix typo in error handling for sigwaitinfo() in charon-systemd and charon-tkm (Tobias Brunner, 2015-10-29; 1 file, -1/+1)
  Fixes 858148092d1e ("Replace usages of sigwait(3) with sigwaitinfo(2)")
* Replace usages of sigwait(3) with sigwaitinfo(2) (Tobias Brunner, 2015-10-29; 1 file, -5/+5)
  This is basically the same call, but it has the advantage of being supported by FreeBSD's valgrind, which sigwait() is not. References #1106.
* unit-tests: Forward variable argument list in TEST_SUITE_DEPEND (Martin Willi, 2015-07-12; 1 file, -2/+2)
  For some plugin features, such as crypters or AEADs, we have some additional feature arguments, such as the key size.
* charon-tkm: Also store local SPI in SAD (Adrian-Ken Rueegsegger, 2015-05-04; 4 files, -27/+36)
* charon-tkm: Reset stale nonce contexts (Reto Buerki, 2015-05-04; 2 files, -18/+30)
  If the nonce generator detects a stale nonce upon destroy(), it resets the context in the TKM and releases associated resources in the ID manager and chunk map. Also, do not acquire the nonce context ID in tkm_nonceg_create function but rather when the nonce is actually created by get_nonce(). The nonces created with get_nonce must also be registered in the chunk map.
* charon-tkm: Drop unneeded nonceg get_id function (Reto Buerki, 2015-05-04; 3 files, -16/+0)
* charon-tkm: Remove ESA nonce mappings from chunk map (Adrian-Ken Rueegsegger, 2015-05-04; 1 file, -0/+2)
* charon-tkm: Drop obsolete TKM_LIMIT define (Reto Buerki, 2015-05-04; 1 file, -2/+0)
* charon-tkm: Select other ESA if any is present upon deletion (Adrian-Ken Rueegsegger, 2015-05-04; 1 file, -1/+12)
  In the case that multiple ESAs exist (e.g. rekey collision) for a security policy, make sure to select one of the remaining ESAs.
* charon-tkm: Add get_other_esa_id function to TKM kernel SAD (Adrian-Ken Rueegsegger, 2015-05-04; 3 files, -0/+103)
  The function gets the ESA id for another entry associated with the same security policy as the specified ESA.
* charon-tkm: Only skip creation of first child SA (Adrian-Ken Rueegsegger, 2015-05-04; 1 file, -0/+9)
  Use the new is_first boolean parameter of the ALERT_KEEP_ON_CHILD_SA_FAILURE alert to determine if the failure was caused by the first CHILD SA.
* charon-tkm: Fix SAD insertion when adding ESA (Adrian-Ken Rueegsegger, 2015-05-04; 1 file, -1/+1)
  Commit f5fc592 added the reqid to the SAD. The insert call swapped the order of the esa_id and reqid parameters.
* aead: Create AEAD using traditional transforms with an explicit IV generator (Martin Willi, 2015-04-13; 1 file, -4/+11)
  Real AEADs directly provide a suitable IV generator, but traditional crypters do not. For some (stream) ciphers, we should use sequential IVs, for which we pass an appropriate generator to the AEAD wrapper.
* diffie-hellman: Add a bool return value to set_other_public_value() (Martin Willi, 2015-03-23; 2 files, -5/+3)
* diffie-hellman: Add a bool return value to get_my_public_value() (Martin Willi, 2015-03-23; 3 files, -3/+4)
* diffie-hellman: Use bool instead of status_t as get_shared_secret() return value (Martin Willi, 2015-03-23; 1 file, -2/+2)
  While such a change is not unproblematic, keeping status_t makes the API inconsistent once we introduce return values for the public value operations.
* kernel-interface: Add a separate "update" flag to add_sa() (Martin Willi, 2015-03-09; 1 file, -1/+1)
  The current "inbound" flag is used for two purposes: To define the actual direction of the SA, but also to determine the operation used for SA installation. If an SPI has been allocated, an update operation is required instead of an add. While the inbound flag normally defines the kind of operation required, this is not necessarily true in all cases. On the HA passive node, we install inbound SAs without prior SPI allocation.
* tkm: Use the inbound flag to determine peer role in CHILD_SA exchange (Martin Willi, 2015-03-09; 1 file, -5/+1)
  This was not available during initial implementation, but fits just fine to avoid reconstructing the peer role.
* tkm: Disable RFC 7427 signature authentication (Tobias Brunner, 2015-03-09; 1 file, -0/+4)
  TKM can't verify such signatures so we'd fail in the authorize hook. Skipping the algorithm identifier doesn't help if the peer uses anything other than SHA-1, so config changes would be required.
* tkm: Implement hash algorithm storage methods of keymat_v2_t interface (Tobias Brunner, 2015-03-04; 1 file, -0/+29)
* charon-tkm: Use get_dst_host getter in EES callback (Reto Buerki, 2015-02-20; 1 file, -4/+14)
  Use the new get_dst_host getter to retrieve the destination host from the SAD using the reqid, spi and protocol values received from the xfrm-proxy.
* charon-tkm: Add get_dst_host getter to SAD (Reto Buerki, 2015-02-20; 3 files, -0/+79)
  This function returns the destination host of an SAD entry for given reqid, spi and protocol arguments or NULL if not found.
* charon-tkm: Improve SAD get_esa_id log messages (Reto Buerki, 2015-02-20; 1 file, -4/+4)
* charon-tkm: Store reqid in SAD (Reto Buerki, 2015-02-20; 4 files, -15/+26)
* charon-tkm: Store remote SPI in SAD (Reto Buerki, 2015-02-20; 1 file, -1/+1)
  Store the remote instead of the local SPI in the SAD when adding a new entry in the kernel plugin's add_sa() function. Since only one ESA context must be destroyed for an inbound/outbound CHILD SA pair, it does not matter which SPI is used to retrieve it in the del_sa function.
* charon-tkm: Make CHILD/ESP SA database public (Reto Buerki, 2015-02-20; 3 files, -22/+15)
  Make the CHILD/ESP SA database a public member of the global tkm_t struct.
* charon-tkm: Fix logger entity name in tests.c (Reto Buerki, 2015-02-20; 1 file, -2/+2)
  Change 'test_runner' to 'test-runner'.
* charon-tkm: Fix compilation of ees_callback.c (Reto Buerki, 2015-02-20; 1 file, -3/+5)
  Update the call to hydra->kernel_interface->expire to make ees_callback.c compile again. The required destination host argument is set to NULL for now.
* kernel-interface: Pass full list of traffic selectors to add_sa() (Martin Willi, 2015-02-20; 1 file, -1/+1)
  While we can handle the first selector only in BEET mode in kernel-netlink, passing the full list gives the backend more flexibility how to handle this information.
* kernel-interface: Remove reqid parameter from get_spi/get_cpi() methods (Martin Willi, 2015-02-20; 1 file, -3/+2)
  The reqid is not strictly required, as we set the reqid with the update call when installing the negotiated SA. If we don't need a reqid at this stage, we can later allocate the reqid in the kernel backend once the SA parameters have been fully negotiated. This allows us to assign the same reqid for the same selectors to avoid conflicts on backends where this is necessary.
* crypto: Define MODP_CUSTOM outside of IKE DH range (Tobias Brunner, 2014-12-23; 1 file, -1/+1)
  Before this fix it was possible to crash charon with an IKE_SA_INIT message containing a KE payload with DH group MODP_CUSTOM(1025). Defining MODP_CUSTOM outside of the two byte IKE DH identifier range prevents it from getting negotiated. Fixes CVE-2014-9221.
* charon-tkm: Properly reset CC context in listener (Reto Buerki, 2014-10-31; 1 file, -7/+13)
  Make sure that the acquired CC context is correctly reset and the associated ID released in the authorize() function of the TKM bus listener.
* charon-tkm: Add missing comma to enum (Reto Buerki, 2014-10-31; 1 file, -1/+1)
  Add missing comma to tkm_context_kind_names enum definition.
* plugin-loader: Support a reload() callback for static features (Martin Willi, 2014-09-22; 3 files, -3/+4)
* kernel-interface: Add a replay_window parameter to add_sa() (Martin Willi, 2014-06-17; 1 file, -2/+3)
* payload: Use common prefixes for all payload type identifiers (Martin Willi, 2014-06-04; 1 file, -1/+1)
  The old identifiers did not use a proper namespace and often clashed with other defines.
* libcharon: Remove unused charon->name (Tobias Brunner, 2014-02-12; 2 files, -2/+2)
* charon-tkm: Use lib->ns instead of charon->name (Tobias Brunner, 2014-02-12; 3 files, -5/+5)
* libhydra: Remove unused hydra->daemon (Tobias Brunner, 2014-02-12; 2 files, -2/+2)
* lib: Add global config namespace (Tobias Brunner, 2014-02-12; 1 file, -1/+1)
* unit-tests: Pass a test suite collection name to print during test execution (Martin Willi, 2014-01-22; 1 file, -1/+1)
  As we expect to get more and more test runners for the different components, we add a name to easily identify them on the test output.
* charon-tkm: Implement IANA DH Id to TKM Id mapping (Adrian-Ken Rueegsegger, 2013-12-03; 5 files, -9/+134)
  The TKM Diffie-Hellman plugin now maps IANA DH identifiers to TKM DH algorithm identifiers. The mapping is specified in the daemon's 'dh_mapping' section in the strongswan.conf file:

    dh_mapping {
        iana_id1 = tkm_id1
        iana_id2 = tkm_id2
        iana_id3 = tkm_id3
        ...
    }

  Only the mapped IANA IDs are registered as supported DH groups.