| Commit message (Collapse) | Author | Age | Files | Lines |
| |
After a rekeying the outbound SA and policy is deleted immediately, however,
the inbound SA is not removed until a few seconds later, so delayed packets
can still be processed.
This adds a flag to get_esa_id() that specifies the location of the
given SPI.
| |
This tries to avoid packet loss during rekeying by delaying the usage of
the new outbound IKE_SA until the old one is deleted.
Note that esa_select() is a no-op in the current TKM implementation. And
the implementation also doesn't benefit from the delayed deletion of the
inbound SA as it calls esa_reset() when the outbound SA is deleted.
| |
This fixes rekeying as the delayed installation of the outbound SA
caused the nonce context to be expired already.
| |
When an expire is triggered while rekeying, the CHILD_SA might be deleted
while the returned host is still used to queue a rekey job for the CHILD_SA.
| |
This avoids the unportable five pointer hack.
| |
Fixes: 267c1f7083d4 ("keymat: Allow keymat to modify signature scheme(s)")
| |
This way it is not necessary to pass the same values to reload the
loggers.
| |
In particular because of leak-detective.
| |
This moves hydra->kernel_interface to charon->kernel.
| |
in the set
Fixes #1213.
| |
Set get_spi callback of IKE SA manager to TKM-specific implementation.
| |
The get_spi callback returns a random SPI with a label encoded according
to the spi_label and spi_mask parameters read from the strongswan.conf.
| |
add_policy()
The additional data can be helpful to identify the exact policy to
delete.
| |
Fixes 858148092d1e ("Replace usages of sigwait(3) with sigwaitinfo(2)")
| |
This is basically the same call, but it has the advantage of being
supported by FreeBSD's valgrind, which sigwait() is not.
References #1106.
| |
For some plugin features, such as crypters or AEADs, we have some additional
feature arguments, such as the key size.
| |
If the nonce generator detects a stale nonce upon destroy(), it resets
the context in the TKM and releases associated resources in the ID
manager and chunk map.
Also, do not acquire the nonce context ID in tkm_nonceg_create function
but rather when the nonce is actually created by get_nonce().
The nonces created with get_nonce must also be registered in the chunk map.
| |
In the case that multiple ESAs exist (e.g. rekey collision) for a
security policy, make sure to select one of the remaining ESAs.
| |
The function gets the ESA id for another entry associated with the same
security policy as the specified ESA.
| |
Use the new is_first boolean parameter of the
ALERT_KEEP_ON_CHILD_SA_FAILURE alert to determine if the failure was
caused by the first CHILD SA.
| |
Commit f5fc592 added the reqid to the SAD. The insert call swapped the
order of the esa_id and reqid parameters.
| |
Real AEADs directly provide a suitable IV generator, but traditional crypters
do not. For some (stream) ciphers, we should use sequential IVs, for which
we pass an appropriate generator to the AEAD wrapper.
| |
While such a change is not unproblematic, keeping status_t makes the API
inconsistent once we introduce return values for the public value operations.
| |
The current "inbound" flag is used for two purposes: To define the actual
direction of the SA, but also to determine the operation used for SA
installation. If an SPI has been allocated, an update operation is required
instead of an add.
While the inbound flag normally defines the kind of operation required, this
is not necessarily true in all cases. On the HA passive node, we install inbound
SAs without prior SPI allocation.
| |
This was not available during initial implementation, but fits just fine to
avoid reconstructing the peer role.
| |
TKM can't verify such signatures so we'd fail in the authorize hook.
Skipping the algorithm identifier doesn't help if the peer uses
anything other than SHA-1, so config changes would be required.
| |
Use the new get_dst_host getter to retrieve the destination host from
the SAD using the reqid, spi and protocol values received from the
xfrm-proxy.
| |
This function returns the destination host of an SAD entry for given
reqid, spi and protocol arguments or NULL if not found.
| |
Store the remote instead of the local SPI in the SAD when adding a new
entry in the kernel plugin's add_sa() function.
Since only one ESA context must be destroyed for an inbound/outbound
CHILD SA pair, it does not matter which SPI is used to retrieve it in
the del_sa function.
| |
Make the CHILD/ESP SA database a public member of the global tkm_t
struct.
| |
Change 'test_runner' to 'test-runner'.
| |
Update the call to hydra->kernel_interface->expire to make
ees_callback.c compile again. The required destination host argument is
set to NULL for now.
| |
While we can handle the first selector only in BEET mode in kernel-netlink,
passing the full list gives the backend more flexibility how to handle this
information.
| |
The reqid is not strictly required, as we set the reqid with the update
call when installing the negotiated SA.
If we don't need a reqid at this stage, we can later allocate the reqid in
the kernel backend once the SA parameters have been fully negotiated. This
allows us to assign the same reqid for the same selectors to avoid conflicts
on backends where this is necessary.