aboutsummaryrefslogtreecommitdiffstats
path: root/src/charon-tkm
Commit message (Collapse)AuthorAgeFilesLines
* charon: Explicitly check return value of fileno()Tobias Brunner2017-11-151-1/+6
| | | | | This is mainly for Coverity because fchown() can't take a negative value, which the -1 check implies is possible.
* charon-tkm: Unlink PID file after deinitTobias Brunner2017-11-101-11/+31
| | | | | | Same change as for charon in the previous commit. References #2460.
* certificate: Return signature scheme and parameters from issued_by() methodTobias Brunner2017-11-082-0/+2
| | | | | This also required some include restructuring (avoid including library.h in headers) to avoid unresolvable circular dependencies.
* private-key: Add optional parameters argument to sign() methodTobias Brunner2017-11-081-1/+1
|
* public-key: Add optional parameters argument to verify() methodTobias Brunner2017-11-081-1/+1
|
* charon-tkm: Reset ESA on child SA create failureAdrian-Ken Rueegsegger2017-09-151-0/+1
| | | | | | Since we are also releasing the ESA ID we have to make sure that the ESA context is reset and in a clean state in order for it to be actually reusable.
* charon-tkm: Check for error when acquiring ESA IDAdrian-Ken Rueegsegger2017-09-151-0/+7
|
* charon-tkm: Fix AE context life-cycle handlingAdrian-Ken Rueegsegger2017-09-151-7/+10
| | | | | | Use new reference counting feature of ID manager for AE contexts and only perform reset if count is zero. Also, do not pass on AE ID as every IKE SA must decrement AE ID count once it is not used any longer.
* charon-tkm: Return current refcount when releasing IDAdrian-Ken Rueegsegger2017-09-153-23/+23
|
* charon-tkm: Add acquire_ref method to ID managerAdrian-Ken Rueegsegger2017-09-153-0/+108
| | | | | The function acquires a reference to the given context reference id for a specific context kind.
* charon-tkm: Store context ids as int instead of boolAdrian-Ken Rueegsegger2017-09-151-5/+8
| | | | This is in preparation of making context ids refcountable.
* charon-tkm: Add missing whitespace log messageAdrian-Ken Rueegsegger2017-09-151-1/+1
|
* charon-tkm: Build fix for kernel SAD testsAdrian-Ken Rueegsegger2017-08-141-2/+2
| | | | | Commit 7729577... added a flag to the get_esa_id function but the unit tests were not adjusted.
* charon-tkm: Call esa_reset() when the inbound SA is deletedTobias Brunner2017-08-074-16/+40
| | | | | | | | | After a rekeying the outbound SA and policy is deleted immediately, however, the inbound SA is not removed until a few seconds later, so delayed packets can still be processed. This adds a flag to get_esa_id() that specifies the location of the given SPI.
* charon-tkm: Remove unused get_other_esa_id() methodTobias Brunner2017-08-073-101/+0
|
* charon-tkm: Don't select new outbound SA until the policy is installedTobias Brunner2017-08-071-22/+40
| | | | | | | | | This tries to avoid packet loss during rekeying by delaying the usage of the new outbound IKE_SA until the old one is deleted. Note that esa_select() is a no-op in the current TKM implementation. And the implementation also doesn't benefit from the delayed deletion of the inbound SA as it calls esa_reset() when the outbound SA is deleted.
* charon-tkm: Claim to support SPIs on policiesTobias Brunner2017-08-071-0/+7
| | | | | This fixes rekeying as the delayed installation of the outbound SA caused the nonce context to be expired already.
* charon-tkm: Return cloned host from tkm_kernel_sad_t::get_dst_host()Tobias Brunner2017-06-143-2/+4
| | | | | When an expire is triggered while rekeying, the CHILD_SA might be deleted while the returned host is still used to queue a rekey job for the CHILD_SA.
* linked-list: Change return value of find_first() and signature of its callbackTobias Brunner2017-05-261-50/+47
| | | | This avoids the unportable five pointer hack.
* tkm: Fix get_auth_octets() signatureTobias Brunner2017-02-131-1/+2
| | | | Fixes: 267c1f7083d4 ("keymat: Allow keymat to modify signature scheme(s)")
* daemon: Use separate method to set default loggersTobias Brunner2017-01-252-2/+2
| | | | | This way it is not necessary to pass the same values to reload the loggers.
* gmp: Support of SHA-3 RSA signaturesAndreas Steffen2016-09-221-1/+1
|
* charon-tkm: Build C code with debug informationTobias Brunner2016-09-201-1/+2
|
* charon-tkm: Free name of the PID fileTobias Brunner2016-09-201-0/+1
|
* charon-tkm: Deinitialize tkm before libstrongswanTobias Brunner2016-09-201-1/+1
| | | | In particular because of leak-detective.
* kernel: Use structs to pass information to the kernel-ipsec interfaceTobias Brunner2016-04-091-48/+39
|
* Use standard unsigned integer typesAndreas Steffen2016-03-248-52/+52
|
* libhydra: Remove empty unused libraryTobias Brunner2016-03-033-19/+2
|
* libhydra: Move kernel interface to libcharonTobias Brunner2016-03-032-6/+3
| | | | This moves hydra->kernel_interface to charon->kernel.
* sigwaitinfo() may fail with EINTR if interrupted by an unblocked signal not ↵Tobias Brunner2015-11-231-5/+4
| | | | | | in the set Fixes #1213.
* charon-tkm: Register SPI generator callbackAdrian-Ken Rueegsegger2015-11-111-0/+4
| | | | Set get_spi callback of IKE SA manager to TKM-specific implementation.
* charon-tkm: Implement SPI generatorAdrian-Ken Rueegsegger2015-11-112-0/+134
| | | | | The get_spi callback returns a random SPI with a label encoded according to the spi_label and spi_mask parameters read from the strongswan.conf.
* kernel-interface: Pass the same data to del_policy() that was passed to ↵Tobias Brunner2015-11-101-3/+4
| | | | | | | add_policy() The additional data can be helpful to identify the exact policy to delete.
* Fix typo in error handling for sigwaitinfo() in charon-systemd and charon-tkmTobias Brunner2015-10-291-1/+1
| | | | Fixes 858148092d1e ("Replace usages of sigwait(3) with sigwaitinfo(2)")
* Replace usages of sigwait(3) with sigwaitinfo(2)Tobias Brunner2015-10-291-5/+5
| | | | | | | This is basically the same call, but it has the advantage of being supported by FreeBSD's valgrind, which sigwait() is not. References #1106.
* unit-tests: Forward variable argument list in TEST_SUITE_DEPENDMartin Willi2015-07-121-2/+2
| | | | | For some plugin features, such as crypters or AEADs, we have some additional feature arguments, such as the key size.
* charon-tkm: Also store local SPI in SADAdrian-Ken Rueegsegger2015-05-044-27/+36
|
* charon-tkm: Reset stale nonce contextsReto Buerki2015-05-042-18/+30
| | | | | | | | | | | If the nonce generator detects a stale nonce upon destroy(), it resets the context in the TKM and releases associated resources in the ID manager and chunk map. Also, do not acquire the nonce context ID in tkm_nonceg_create function but rather when the nonce is actually created by get_nonce(). The nonces created with get_nonce must also be registered in the chunk map.
* charon-tkm: Drop unneeded nonceg get_id functionReto Buerki2015-05-043-16/+0
|
* charon-tkm: Remove ESA nonce mappings from chunk mapAdrian-Ken Rueegsegger2015-05-041-0/+2
|
* charon-tkm: Drop obsolete TKM_LIMIT defineReto Buerki2015-05-041-2/+0
|
* charon-tkm: Select other ESA if any is present upon deletionAdrian-Ken Rueegsegger2015-05-041-1/+12
| | | | | In the case that multiple ESAs exist (e.g. rekey collision) for a security policy, make sure to select one of the remaining ESAs.
* charon-tkm: Add get_other_esa_id function to TKM kernel SADAdrian-Ken Rueegsegger2015-05-043-0/+103
| | | | | The function gets the ESA id for another entry associated with the same security policy as the specified ESA.
* charon-tkm: Only skip creation of first child SAAdrian-Ken Rueegsegger2015-05-041-0/+9
| | | | | | Use the new is_first boolean parameter of the ALERT_KEEP_ON_CHILD_SA_FAILURE alert to determine if the failure was caused by the first CHILD SA.
* charon-tkm: Fix SAD insertion when adding ESAAdrian-Ken Rueegsegger2015-05-041-1/+1
| | | | | Commit f5fc592 added the reqid to the SAD. The insert call swapped the order of the esa_id and reqid parameters.
* aead: Create AEAD using traditional transforms with an explicit IV generatorMartin Willi2015-04-131-4/+11
| | | | | | Real AEADs directly provide a suitable IV generator, but traditional crypters do not. For some (stream) ciphers, we should use sequential IVs, for which we pass an appropriate generator to the AEAD wrapper.
* diffie-hellman: Add a bool return value to set_other_public_value()Martin Willi2015-03-232-5/+3
|
* diffie-hellman: Add a bool return value to get_my_public_value()Martin Willi2015-03-233-3/+4
|
* diffie-hellman: Use bool instead of status_t as get_shared_secret() return valueMartin Willi2015-03-231-2/+2
| | | | | While such a change is not unproblematic, keeping status_t makes the API inconsistent once we introduce return values for the public value operations.
* kernel-interface: Add a separate "update" flag to add_sa()Martin Willi2015-03-091-1/+1
| | | | | | | | | | | The current "inbound" flag is used for two purposes: To define the actual direction of the SA, but also to determine the operation used for SA installation. If an SPI has been allocated, an update operation is required instead of an add. While the inbound flag normally defines the kind of operation required, this is not necessarily true in all cases. On the HA passive node, we install inbound SAs without prior SPI allocation.
generated by cgit v1.2.3 (git 2.25.1) at 2025-07-30 05:21:58 +0000