| Branch | Commit message | Author | Age | Files | Lines |
|---|---|---|---|---|---|
| | ... | | | | |
| | Implement sequence_to_chunk function<br>This function converts a given TKM variable-length byte sequence to chunk. | Reto Buerki | 2013-03-19 | 6 | -4/+107 |
| | keymat: Log nonce and DH context ids | Adrian-Ken Rueegsegger | 2013-03-19 | 1 | -1/+5 |
| | Add context id getter to TKM DH implementation | Adrian-Ken Rueegsegger | 2013-03-19 | 3 | -0/+17 |
| | keymat: Get context id of local nonce<br>To derive IKE keys using TKM, the nonce context id of the local nonce is needed. Get the id for a given chunk using the chunk map. | Adrian-Ken Rueegsegger | 2013-03-19 | 1 | -2/+22 |
| | nonceg: Insert id mapping when allocating nonce | Adrian-Ken Rueegsegger | 2013-03-19 | 1 | -1/+6 |
| | Add chunk map<br>This data structure allows storing mappings of chunks to ids. This will be used to map nonces to their corresponding nonce context ids. | Adrian-Ken Rueegsegger | 2013-03-19 | 7 | -0/+278 |
| | Add context id getter to TKM nonce generator | Adrian-Ken Rueegsegger | 2013-03-19 | 3 | -0/+17 |
| | id_manager: Use calloc instead of malloc<br>This way we don't need to manually initialize the slot status; free slots are now indicated by 0 though. | Reto Buerki | 2013-03-19 | 1 | -10/+4 |
| | Use ikev2 keymat proxy<br>Forward incoming calls to the default ikev2 keymat instance. This is needed to make a stepwise migration to TKM keymat possible. It will be removed once the corresponding parts are implemented in the TKM. | Reto Buerki | 2013-03-19 | 1 | -7/+18 |
| | Add skeleton for TKM keymat variant | Reto Buerki | 2013-03-19 | 3 | -0/+256 |
| | id_manager: Use limits given by TKM | Reto Buerki | 2013-03-19 | 1 | -5/+15 |
| | Pass context limits on to id manager | Reto Buerki | 2013-03-19 | 4 | -12/+21 |
| | Request limits from TKM on init | Reto Buerki | 2013-03-19 | 1 | -0/+15 |
| | id_manager: Use array of bool instead of list<br>Instead of storing the acquired context ids in a linked list, use an array of booleans for the job. A boolean value of true in the array designates an available context id. | Reto Buerki | 2013-03-19 | 2 | -41/+42 |
| | Use id manager to acquire DH context id | Reto Buerki | 2013-03-19 | 1 | -9/+23 |
| | Add TKM_CTX_DH (Diffie-Hellman context) to id manager | Reto Buerki | 2013-03-19 | 2 | -3/+6 |
| | Use id manager to acquire nonce context id | Reto Buerki | 2013-03-19 | 1 | -6/+16 |
| | Add initial TKM Diffie-Hellman implementation<br>The tkm_diffie_hellman_t plugin acquires a DH context from the Trusted Key Manager and uses it to get a DH public value and the calculated shared secret. Proper context handling is still missing though; the plugin currently uses context ID 1. The get_shared_secret function will be removed as soon as the TKM specific keymat is ready. | Reto Buerki | 2013-03-19 | 7 | -2/+234 |
| | charon-tkm: Register tkm nonce generator | Reto Buerki | 2013-03-19 | 2 | -1/+9 |
| | tkm_nonceg: Return nonce generated by TKM | Reto Buerki | 2013-03-19 | 1 | -1/+13 |
| | Initialize TKM client library in tkm.c | Reto Buerki | 2013-03-19 | 3 | -6/+37 |
| | Introduce TKM specific charon daemon (charon-tkm)<br>Analogous to charon-nm, the charon-tkm daemon is a specialized charon instance used in combination with the trusted key manager (TKM) written in Ada. The charon-tkm is basically a copy of the charon-nm code which will register its own TKM specific plugins. The daemon binary is built using the gprbuild utility. This is needed because it uses the tkm-rpc Ada library and consequently the Ada runtime. gprbuild takes care of the complete binding and linker steps required to properly initialize the Ada runtime. | Reto Buerki | 2013-03-19 | 19 | -0/+1212 |
| | starter: Make daemon name configurable<br>A daemon can be specified using the '--daemon' command line parameter. This tells starter to invoke a daemon other than 'charon'. Additionally, the ipsec script uses the environment variable DAEMON_NAME to tell the starter which daemon to use. | Adrian-Ken Rueegsegger | 2013-03-19 | 5 | -38/+126 |
| | Load arbitrary (non-host) attributes from strongswan.conf<br>This allows, e.g., loading Cisco-specific attributes that contain FQDNs. | Tobias Brunner | 2013-03-19 | 1 | -21/+32 |
| | Don't try to mmap() empty ipsec.secret files | Martin Willi | 2013-03-19 | 1 | -1/+5 |
| | Delete IKE_SAs if responder does not initiate XAuth exchange within a certain time frame | Tobias Brunner | 2013-03-19 | 3 | -3/+27 |
| | Make sure that xauth-noauth is not used accidentally<br>It has to be selected explicitly with rightauth2=xauth-noauth. | Tobias Brunner | 2013-03-19 | 1 | -2/+5 |
| | Added xauth-noauth plugin<br>This XAuth backend does not do any authentication of client credentials but simply sends a successful XAuth status to the client, thereby concluding the XAuth exchange. This can be useful to fall back to basic RSA authentication with clients that cannot be configured without XAuth authentication. | Tobias Brunner | 2013-03-19 | 7 | -29/+305 |
| | In stroke counters, check if we have an IKE_SA before getting the name from it<br>Fixes a segfault when receiving an invalid IKE SPI, where we don't have an IKE_SA for the raised alert. | Martin Willi | 2013-03-19 | 1 | -3/+6 |
| | Add an "esp" load-tester option to configure custom CHILD_SA ESP proposal | Martin Willi | 2013-03-18 | 1 | -3/+16 |
| | Algorithms are not really specific to an IKE version<br>But not all of them can be used with IKEv1. Fixes #314. | Tobias Brunner | 2013-03-18 | 1 | -1/+1 |
| | Merge branch 'radius-ext'<br>Bring some extensions to eap-radius, namely a virtual IP address provider based on received Framed-IPs, forwarding of Cisco Unity banners, Interim Accounting updates and the reporting of sent/received packets. | Martin Willi | 2013-03-18 | 31 | -114/+1333 |
| radius-ext | Don't create interim update entries if RADIUS accounting is disabled | Martin Willi | 2013-03-14 | 2 | -7/+7 |
| radius-ext | Add support for RADIUS Interim accounting updates | Martin Willi | 2013-03-14 | 3 | -39/+269 |
| radius-ext | Add an option to delete any established IKE_SA if RADIUS server is not responding | Martin Willi | 2013-03-14 | 4 | -7/+67 |
| radius-ext | Make check whether to use IKEv1 fragmentation more readable | Martin Willi | 2013-03-14 | 1 | -5/+14 |
| radius-ext | Send Acct-Terminate-Cause based on some alerts caught on the bus<br>Currently supported are user disconnects, session timeouts and if the peer does not respond on IKE packets or DPDs. | Martin Willi | 2013-03-14 | 1 | -0/+62 |
| radius-ext | When IKEv1 DPD times out, raise missing SEND_RETRANSMIT_TIMOUT alert | Martin Willi | 2013-03-14 | 2 | -1/+2 |
| radius-ext | Raise an alert if an IKE_SA could not have been reauthenticated and expires | Martin Willi | 2013-03-14 | 2 | -0/+6 |
| radius-ext | Send NAS-Port, NAS-IP and Calling/Called-Station-ID in Accounting-Requests | Martin Willi | 2013-03-14 | 1 | -4/+33 |
| radius-ext | Support RADIUS accounting of sent/received packets | Martin Willi | 2013-03-14 | 1 | -13/+23 |
| radius-ext | Report the number of processed packets in "ipsec statusall" | Martin Willi | 2013-03-14 | 1 | -5/+9 |
| radius-ext | child_sa_t.get_usestats() can additionally return the number of processed packets | Martin Willi | 2013-03-14 | 9 | -16/+20 |
| radius-ext | Pass correctly sized pointer to lookup_algorithm() in PF_KEY | Martin Willi | 2013-03-14 | 1 | -1/+1 |
| radius-ext | kernel_ipsec_t.query_sa() additionally returns the number of processed packets | Martin Willi | 2013-03-14 | 9 | -16/+50 |
| radius-ext | Send NAS-Port, NAS-IP and Calling/Called-Station-ID in Access-Request | Martin Willi | 2013-03-13 | 2 | -10/+56 |
| radius-ext | Forward Cisco Banner received from RADIUS to Unity capable clients | Martin Willi | 2013-03-12 | 3 | -5/+176 |
| radius-ext | Add a radius message method to enumerate vendor specific attributes | Martin Willi | 2013-03-12 | 2 | -0/+92 |
| radius-ext | Add Altiga Private Enterprise Numbers that Cisco uses in VPN 3000 | Martin Willi | 2013-03-12 | 2 | -1/+4 |
| radius-ext | In eap-radius, hand out received Framed-IP-Address attributes as virtual IP | Martin Willi | 2013-03-12 | 5 | -2/+460 |