| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| | |
|
| | |
|
| |
|
|
| |
This avoids huge warnings when building the native code.
|
| | |
|
| |
|
|
|
| |
This allows IPv6 over IPv4 but falls back nicely if we don't get a
virtual IPv6 (or IPv4) address.
|
| |
|
|
|
|
|
| |
This might happen on Android if sockets are bound to the physical IP
address but packets are still routed via TUN device. Since it seems to
happen quite often (or for stuff that requires regular traffic) this
hides these messages from the default log.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
Seems to work correctly with recent MySQL versions.
|
| | |
|
| | |
|
| |
|
|
|
|
| |
This ensures the NM-specific credential set is unloaded before any
implementation of certificate/key objects, which causes a segmentation
fault during shutdown.
|
| |
|
|
|
|
| |
This is not required as we install our own (narrow) route(s) in our own
routing table. This should allow split tunneling if configured on the
gateway.
|
| |
|
|
| |
NM will install this address on the provided device.
|
| |
|
|
|
|
| |
NetworkManager modifies the addresses etc. on this interface so using
"lo" is not optimal. With the dummy interface NM is free to do its
thing.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
When the monotonic timer is initialized to 0 right after the system is
booted the daemon responded with COOKIES for COOKIE_CALMDOWN_DELAY (10s).
Since the COOKIE verification code actually produces an overflow for
COOKIE_LIFETIME (10s) it wouldn't even accept properly returned COOKIEs.
Checking for last_cookie makes sense anyway as that condition must only
apply if we actually sent a COOKIE before.
|
| |
|
|
|
|
| |
e0efd7c1 switches to automated job rescheduling for HA heartbeat. However,
send_status() is initially called directly, which will not reschedule the job
as required.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
Make the TKM private and public keys more easily extendable by
determining the associated key type dynamically.
|
| |
|
|
|
|
|
|
| |
The TKM credential encoder creates fingerprints of type
KEYID_PUBKEY_INFO_SHA1 and KEYID_PUBKEY_SHA1 using
CRED_PART_RSA_PUB_ASN1_DER.
This makes the pkcs1 plugin unnecessary.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
Load complete kernel_netlink plugin instead. Registering the TKM
specific plugins first still ensures that the correct ipsec plugin
is used.
Lazy initialize the RNG_WEAK plugin to avoid the unsatisfiable
soft dependency on startup.
|
| |
|
|
|
| |
This fixes the problem of stroke being unable to load the ca
certificates on startup.
|
| | |
|
| |
|
|
|
|
|
| |
An ALERT_KEEP_ON_CHILD_SA_FAILURE alert is issued when child SA establishment
fails but the corresponding IKE SA is not destroyed. To allow later creation
of child SAs the ISA context must be signaled that the implicity first child SA
creation was skipped.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The IKE and EES sockets are now read from strongswan.conf. They can be
specified like this:
charon-tkm {
ike_socket = /tmp/tkm.rpc.ike
ees_socket = /tmp/tkm.rpc.ees
}
The socket names given above are used by default if none are configured.
|
| |
|
|
|
|
|
| |
The TKM credential set extends the in-memory credential set. It
provides a private key enumerator which is used to instantiate private
key proxy objects on-demand. This allows the usage of private keys with
arbitrary identifiers.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
Pass the reqid (of the first child config of an IKE SA) as remote identity id
when calling cc_set_user_certificate. May lead to the usage of the wrong id in
case an IKE SA has multiple child configurations/reqids.
This must be replaced with a proper lookup once the configuration backend is
implemented and provides remote identity ids to charon-tkm.
|
| |
|
|
| |
The reqid corresponds to the sp_id (security policy id) on the TKM side.
|
| |
|
|
| |
This tells the TKM which child SA is the currently active SA.
|
| | |
|
| |
|
|
| |
Error processing is done by the registered exception handler.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The key currently imitates the private key of alice@strongswan.org by
returning it's fingerprint in the get_fingerprint function.
This associates the private key with alice's X.509 cert and charon will
use it to create a signature over the local AUTH octets of the test
connection.
The private key serves as a proxy to the TKM ike_isa_sign operation and
extracts the required information from the auth octets chunk passed on
by the keymat.
|
| |
|
|
|
|
| |
Store the ISA context id and the initial message in the auth octets
chunk using the sign_info_t struct. Charon will pass on this information
to the TKM private key sign operation where it is extracted.
|
| |
|
|
|
| |
The sign_info_t type is used to transfer an ISA context id and the
initial message from the keymat to the TKM private key sign operation.
|
| | |
|
| |
|
|
|
|
|
| |
The key unconditionally returns TRUE for the verify operation if it is called
with a supported signature algorithm. All such verification operations are
performed by the TKM (e.g. trustchain or auth octets verification) anyway, so
this is safe.
|
| |
|
|
|
| |
The authentication of the ISA is now done using the certificate provided
by the peer.
|
| |
|
|
|
|
| |
The IKE init message sent to us by the peer is needed for authentication
in the authorization hook. Store the message as chunk in the keymat and
provide a getter to make it available.
|
| |
|
|
|
|
| |
Extract peer certificate information and build a TKM certificate chain
context in the authorize hook of the tkm_listener_t. The cc context will
be used for ISA authentication using certificates.
|
