path: root/src/charon-tkm
Commit message (author, date, files changed, lines -/+)
...
* tkm: Use the inbound flag to determine peer role in CHILD_SA exchange (Martin Willi, 2015-03-09, 1 file, -5/+1)
  This was not available during initial implementation, but fits just fine to avoid reconstructing the peer role.
* tkm: Disable RFC 7427 signature authentication (Tobias Brunner, 2015-03-09, 1 file, -0/+4)
  TKM can't verify such signatures so we'd fail in the authorize hook. Skipping the algorithm identifier doesn't help if the peer uses anything other than SHA-1, so config changes would be required.
* tkm: Implement hash algorithm storage methods of keymat_v2_t interface (Tobias Brunner, 2015-03-04, 1 file, -0/+29)
* charon-tkm: Use get_dst_host getter in EES callback (Reto Buerki, 2015-02-20, 1 file, -4/+14)
  Use the new get_dst_host getter to retrieve the destination host from the SAD using the reqid, spi and protocol values received from the xfrm-proxy.
* charon-tkm: Add get_dst_host getter to SAD (Reto Buerki, 2015-02-20, 3 files, -0/+79)
  This function returns the destination host of an SAD entry for given reqid, spi and protocol arguments or NULL if not found.
* charon-tkm: Improve SAD get_esa_id log messages (Reto Buerki, 2015-02-20, 1 file, -4/+4)
* charon-tkm: Store reqid in SAD (Reto Buerki, 2015-02-20, 4 files, -15/+26)
* charon-tkm: Store remote SPI in SAD (Reto Buerki, 2015-02-20, 1 file, -1/+1)
  Store the remote instead of the local SPI in the SAD when adding a new entry in the kernel plugin's add_sa() function. Since only one ESA context must be destroyed for an inbound/outbound CHILD SA pair, it does not matter which SPI is used to retrieve it in the del_sa function.
* charon-tkm: Make CHILD/ESP SA database public (Reto Buerki, 2015-02-20, 3 files, -22/+15)
  Make the CHILD/ESP SA database a public member of the global tkm_t struct.
* charon-tkm: Fix logger entity name in tests.c (Reto Buerki, 2015-02-20, 1 file, -2/+2)
  Change 'test_runner' to 'test-runner'.
* charon-tkm: Fix compilation of ees_callback.c (Reto Buerki, 2015-02-20, 1 file, -3/+5)
  Update the call to hydra->kernel_interface->expire to make ees_callback.c compile again. The required destination host argument is set to NULL for now.
* kernel-interface: Pass full list of traffic selectors to add_sa() (Martin Willi, 2015-02-20, 1 file, -1/+1)
  While we can handle the first selector only in BEET mode in kernel-netlink, passing the full list gives the backend more flexibility in how to handle this information.
* kernel-interface: Remove reqid parameter from get_spi/get_cpi() methods (Martin Willi, 2015-02-20, 1 file, -3/+2)
  The reqid is not strictly required, as we set the reqid with the update call when installing the negotiated SA. If we don't need a reqid at this stage, we can later allocate the reqid in the kernel backend once the SA parameters have been fully negotiated. This allows us to assign the same reqid for the same selectors to avoid conflicts on backends where this is necessary.
* crypto: Define MODP_CUSTOM outside of IKE DH range (Tobias Brunner, 2014-12-23, 1 file, -1/+1)
  Before this fix it was possible to crash charon with an IKE_SA_INIT message containing a KE payload with DH group MODP_CUSTOM(1025). Defining MODP_CUSTOM outside of the two byte IKE DH identifier range prevents it from getting negotiated. Fixes CVE-2014-9221.
* charon-tkm: Properly reset CC context in listener (Reto Buerki, 2014-10-31, 1 file, -7/+13)
  Make sure that the acquired CC context is correctly reset and the associated ID released in the authorize() function of the TKM bus listener.
* charon-tkm: Add missing comma to enum (Reto Buerki, 2014-10-31, 1 file, -1/+1)
  Add missing comma to tkm_context_kind_names enum definition.
* plugin-loader: Support a reload() callback for static features (Martin Willi, 2014-09-22, 3 files, -3/+4)
* kernel-interface: Add a replay_window parameter to add_sa() (Martin Willi, 2014-06-17, 1 file, -2/+3)
* payload: Use common prefixes for all payload type identifiers (Martin Willi, 2014-06-04, 1 file, -1/+1)
  The old identifiers did not use a proper namespace and often clashed with other defines.
* libcharon: Remove unused charon->name (Tobias Brunner, 2014-02-12, 2 files, -2/+2)
* charon-tkm: Use lib->ns instead of charon->name (Tobias Brunner, 2014-02-12, 3 files, -5/+5)
* libhydra: Remove unused hydra->daemon (Tobias Brunner, 2014-02-12, 2 files, -2/+2)
* lib: Add global config namespace (Tobias Brunner, 2014-02-12, 1 file, -1/+1)
* unit-tests: Pass a test suite collection name to print during test execution (Martin Willi, 2014-01-22, 1 file, -1/+1)
  As we expect to get more and more test runners for the different components, we add a name to easily identify them on the test output.
* charon-tkm: Implement IANA DH Id to TKM Id mapping (Adrian-Ken Rueegsegger, 2013-12-03, 5 files, -9/+134)
  The TKM Diffie-Hellman plugin now maps IANA DH identifiers to TKM DH algorithm identifiers. The mapping is specified in the daemon's 'dh_mapping' section in the strongswan.conf file:

      dh_mapping {
          iana_id1 = tkm_id1
          iana_id2 = tkm_id2
          iana_id3 = tkm_id3
          ...
      }

  Only the mapped IANA IDs are registered as supported DH groups.
* charon-tkm: Drop unnecessary include (Adrian-Ken Rueegsegger, 2013-12-03, 1 file, -1/+0)
* charon-tkm: Don't run tests automatically during 'make check' (Tobias Brunner, 2013-11-27, 1 file, -5/+5)
  Due to the external dependencies these tests are quite inconvenient. They can be run from the charon-tkm directory with 'make check-tkm'.
* charon-tkm: Add Binder switches to test project to enable exception backtraces (Reto Buerki, 2013-11-27, 1 file, -0/+4)
* charon-tkm: Migrate tests to our own test runner (Tobias Brunner, 2013-11-27, 12 files, -129/+227)
  Due to problems with the external libraries tkm_init/deinit can't be called for each test case. Because of this leak detective has to be disabled for these tests.
* charon-tkm: Support for out-of-tree build added (Tobias Brunner, 2013-11-27, 2 files, -12/+12)
* kernel: Use a time_t to report use time in query_policy() (Martin Willi, 2013-10-11, 1 file, -1/+1)
* kernel: Use a time_t to report use time in query_sa() (Martin Willi, 2013-10-11, 1 file, -1/+1)
* tkm: Properly refer to includes now that AM_CPPFLAGS is used (Tobias Brunner, 2013-07-19, 1 file, -1/+1)
* automake: replace INCLUDES by AM_CPPFLAGS (Martin Willi, 2013-07-18, 1 file, -1/+1)
  INCLUDES are now deprecated and throw warnings when using automake 1.13. We now also differentiate AM_CPPFLAGS and AM_CFLAGS, where includes and defines are passed to AM_CPPFLAGS only.
* capabilities: Move global capabilities_t instance to libstrongswan (Tobias Brunner, 2013-06-25, 1 file, -5/+5)
* plugin-loader: Add method to print loaded plugins on a given log level (Tobias Brunner, 2013-06-21, 1 file, -0/+1)
* kernel-interface: add an exchange initiator parameter to add_sa() (Martin Willi, 2013-06-11, 1 file, -1/+2)
  This new flag gives the kernel-interface a hint how it should prioritize the use of newly installed SAs during rekeying. Consider the following rekey procedure in IKEv2:

      Initiator            ---            Responder
      I1  -------------CREATE------------>  R1
      I2  <------------CREATE-------------
          -------------DELETE------------>  R2
      I3  <------------DELETE-------------

  SAs are always handled as pairs, the following happens at the SA level:
    * Initiator starts the exchange at I1
    * Responder installs new SA pair at R1
    * Initiator installs new SA pair at I2
    * Responder removes old SA pair at R2
    * Initiator removes old SA pair at I3

  This makes sure SAs get installed/removed overlapping during rekeying. However, to avoid any packet loss, it is crucial that the new outbound SA gets activated at the correct position:
    * as exchange initiator, in I2
    * as exchange responder, in R2

  This should guarantee that we don't use the new outbound SA before the peer could install its corresponding inbound SA. The new parameter allows the kernel backend to install the new SA with appropriate priorities, i.e. it should:
    * as exchange initiator, have the new outbound SA installed with higher priority than the old SA
    * as exchange responder, have the new outbound SA installed with lower priority than the old SA

  While we could split up the SA installation at the responder, this approach has another advantage: it allows the kernel backend to switch SAs based on other criteria, for example when receiving traffic on the new inbound SA.
* kernel-interface: query SAD for last use time if SPD query didn't yield one (Martin Willi, 2013-05-06, 1 file, -1/+1)
* Fixed some typos, courtesy of codespell (Tobias Brunner, 2013-03-25, 2 files, -2/+2)
* Various stylistic fixes (Adrian-Ken Rueegsegger, 2013-03-19, 12 files, -123/+155)
* Use network byte order for ESA SPIs (Adrian-Ken Rueegsegger, 2013-03-19, 1 file, -6/+5)
* Provide MODP-2048 through TKM DH plugin (Adrian-Ken Rueegsegger, 2013-03-19, 1 file, -0/+1)
* Add charon-tkm API documentation (Adrian-Ken Rueegsegger, 2013-03-19, 17 files, -16/+158)
* Do not hardwire keys to KEY_RSA (Reto Buerki, 2013-03-19, 3 files, -12/+51)
  Make the TKM private and public keys more easily extendable by determining the associated key type dynamically.
* Provide TKM credential encoder (Reto Buerki, 2013-03-19, 5 files, -26/+150)
  The TKM credential encoder creates fingerprints of type KEYID_PUBKEY_INFO_SHA1 and KEYID_PUBKEY_SHA1 using CRED_PART_RSA_PUB_ASN1_DER. This makes the pkcs1 plugin unnecessary.
* Switch to openssl plugin (Reto Buerki, 2013-03-19, 1 file, -8/+1)
* Don't manually register kernel_netlink_net (Reto Buerki, 2013-03-19, 4 files, -16/+11)
  Load complete kernel_netlink plugin instead. Registering the TKM specific plugins first still ensures that the correct ipsec plugin is used. Lazy initialize the RNG_WEAK plugin to avoid the unsatisfiable soft dependency on startup.
* Move stroke plugin to the end of PLUGINS list (Reto Buerki, 2013-03-19, 1 file, -2/+2)
  This fixes the problem of stroke being unable to load the ca certificates on startup.
* Make sure IP_XFRM_POLICY is defined (Reto Buerki, 2013-03-19, 1 file, -0/+5)
* Call isa_skip_create_first when keeping IKE SA (Adrian-Ken Rueegsegger, 2013-03-19, 1 file, -0/+20)
  An ALERT_KEEP_ON_CHILD_SA_FAILURE alert is issued when child SA establishment fails but the corresponding IKE SA is not destroyed. To allow later creation of child SAs the ISA context must be signaled that the implicit first child SA creation was skipped.