Commit Graph

200 Commits

Author SHA1 Message Date
Stefan Berghofer d7a9e723f3 charon-tkm: Remove useless checks when deriving IKE keys 2021-06-17 09:53:51 +02:00
Stefan Berghofer 22e7900718 charon-tkm: Delegate encryption/decryption of IKE traffic to TKM
Co-authored-by: Tobias Brunner <tobias@strongswan.org>
2021-06-17 09:53:51 +02:00
Tobias Brunner 16fcdb460a charon-tkm: Don't use starter/stroke with charon-tkm anymore
For the tests, the unused init script that was used before switching to
charon-systemd is repurposed to manage the daemon.
2021-01-11 15:28:01 +01:00
Tobias Brunner b322539ef5 charon-tkm: Deinitialize IKE tkm-rpc client
This is necessary if tkm-rpc supports multiple parallel client requests.
2021-01-08 17:22:37 +01:00
Tobias Brunner e637cf8b4a charon-tkm: Remove -gnat05 option not supported by newer compilers 2021-01-08 17:22:36 +01:00
Adrian-Ken Rueegsegger a0a0571bd1 charon-tkm: Reverse cert chain processing order
Verify certificate chains starting from the root CA certificate and
moving towards the leaf/user certificate.

Also update TKM-RPC and TKM in testing scripts to version supporting the
reworked CC handling.
2021-01-08 17:22:36 +01:00
Adrian-Ken Rueegsegger f8242127a2 charon-tkm: Add support for multiple CAs
Load CA certificate id mapping from config and pass the correct CA ID to
TKM when checking certificate chains. The mapping of CA certificate to
CA ID is done via SHA-1 hash of the CA certificate's subjectPublicKey.
2021-01-08 17:22:36 +01:00
Adrian-Ken Rueegsegger 73d2a11aee charon-tkm: Register TKM cred encoder before init
Make sure the credential encoder is available early to allow getting
public key fingerprints.
2021-01-08 17:22:36 +01:00
Tobias Brunner 040608a48d Simplify handling of terminating signals in all libcharon wrappers
Closes strongswan/strongswan#182.
2020-09-30 12:47:39 +02:00
Josh Soref b3ab7a48cc Spelling fixes
* accumulating
* acquire
* alignment
* appropriate
* argument
* assign
* attribute
* authenticate
* authentication
* authenticator
* authority
* auxiliary
* brackets
* callback
* camellia
* can't
* cancelability
* certificate
* choinyambuu
* chunk
* collector
* collision
* communicating
* compares
* compatibility
* compressed
* confidentiality
* configuration
* connection
* consistency
* constraint
* construction
* constructor
* database
* decapsulated
* declaration
* decrypt
* derivative
* destination
* destroyed
* details
* devised
* dynamic
* encapsulation
* encoded
* encoding
* encrypted
* enforcing
* enumerator
* establishment
* excluded
* exclusively
* exited
* expecting
* expire
* extension
* filter
* firewall
* foundation
* fulfillment
* gateways
* hashing
* hashtable
* heartbeats
* identifier
* identifiers
* identities
* identity
* implementers
* indicating
* initialize
* initiate
* initiation
* initiator
* inner
* instantiate
* legitimate
* libraries
* libstrongswan
* logger
* malloc
* manager
* manually
* measurement
* mechanism
* message
* network
* nonexistent
* object
* occurrence
* optional
* outgoing
* packages
* packets
* padding
* particular
* passphrase
* payload
* periodically
* policies
* possible
* previously
* priority
* proposal
* protocol
* provide
* provider
* pseudo
* pseudonym
* public
* qualifier
* quantum
* quintuplets
* reached
* reading
* recommendation to
* recommendation
* recursive
* reestablish
* referencing
* registered
* rekeying
* reliable
* replacing
* representing
* represents
* request
* request
* resolver
* result
* resulting
* resynchronization
* retriable
* revocation
* right
* rollback
* rule
* rules
* runtime
* scenario
* scheduled
* security
* segment
* service
* setting
* signature
* specific
* specified
* speed
* started
* steffen
* strongswan
* subjectaltname
* supported
* threadsafe
* traffic
* tremendously
* threshold
* unique
* uniqueness
* unknown
* until
* upper
* using
* validator
* verification
* version
* version
* warrior

Closes strongswan/strongswan#164.
2020-02-11 18:23:07 +01:00
Sheena Mira-ato fe3ae5be5d Add compile option to disable internal handling of fatal signals
By default, charon and its derivatives internally handle the SIGSEGV,
SIGILL, and SIGBUS signals raised by threads (segv_handler).  Add a compile
option so that the signal handling can optionally be done externally.

Closes strongswan/strongswan#132.
2019-05-28 10:44:48 +02:00
Tobias Brunner 62d43ea694 ike-sa-manager: Extract IKE SPI labeling feature from charon-tkm
Might be useful for users of other daemons too. Note that compared to the
previous implementation in charon-tkm, the mask/label are applied in
network order.

Closes strongswan/strongswan#134.
2019-04-11 09:51:02 +02:00
Tobias Brunner 3fbc95cf54 keymat_v2: Add support for PPKs 2018-09-10 18:03:01 +02:00
Tobias Brunner 1b67166921 Unify format of HSR copyright statements 2018-05-23 16:32:53 +02:00
Martin Willi 83187f3883 charon-tkm: Ignore an existing PID file if it references ourselves 2018-03-21 10:25:49 +01:00
Tobias Brunner 2db6d5b8b3 Fixed some typos, courtesy of codespell 2018-02-13 12:19:54 +01:00
Adrian-Ken Rueegsegger fcff3808b4 charon-tkm: Update to latest Anet version 2018-02-08 17:01:38 +01:00
Tobias Brunner 2307bffe56 proposal: Move proposal_t from libcharon to libstrongswan
This allows us to use it without having to initialize libcharon, which
was required for the logging (we probably could have included debug.h
instead of daemon.h to work around that, but this seems more correct).
2017-11-17 18:09:54 +01:00
Tobias Brunner 42353849cb charon: Explicitly check return value of fileno()
This is mainly for Coverity because fchown() can't take a negative
value, which the -1 check implies is possible.
2017-11-15 14:37:43 +01:00
Tobias Brunner 291b02262d charon-tkm: Unlink PID file after deinit
Same change as for charon in the previous commit.

References #2460.
2017-11-10 10:56:13 +01:00
Tobias Brunner 024b979522 certificate: Return signature scheme and parameters from issued_by() method
This also required some include restructuring (avoid including library.h
in headers) to avoid unresolvable circular dependencies.
2017-11-08 16:48:10 +01:00
Tobias Brunner de280c2e03 private-key: Add optional parameters argument to sign() method 2017-11-08 16:48:10 +01:00
Tobias Brunner a413571f3b public-key: Add optional parameters argument to verify() method 2017-11-08 16:48:10 +01:00
Adrian-Ken Rueegsegger fc08e6af8a charon-tkm: Reset ESA on child SA create failure
Since we are also releasing the ESA ID we have to make sure that the ESA
context is reset and in a clean state in order for it to be actually
reusable.
2017-09-15 12:16:57 +02:00
Adrian-Ken Rueegsegger 59e7298ff9 charon-tkm: Check for error when acquiring ESA ID 2017-09-15 12:16:57 +02:00
Adrian-Ken Rueegsegger 8e823bb8b1 charon-tkm: Fix AE context life-cycle handling
Use new reference counting feature of ID manager for AE contexts and
only perform reset if count is zero. Also, do not pass on AE ID as every
IKE SA must decrement AE ID count once it is not used any longer.
2017-09-15 12:16:57 +02:00
Adrian-Ken Rueegsegger c198ddcb3f charon-tkm: Return current refcount when releasing ID 2017-09-15 12:16:57 +02:00
Adrian-Ken Rueegsegger 1b2a8d963a charon-tkm: Add acquire_ref method to ID manager
The function acquires a reference to the given context reference id for
a specific context kind.
2017-09-15 12:16:57 +02:00
Adrian-Ken Rueegsegger fcde9686f6 charon-tkm: Store context ids as int instead of bool
This is in preparation of making context ids refcountable.
2017-09-15 12:16:57 +02:00
Adrian-Ken Rueegsegger d35ebfbce1 charon-tkm: Add missing whitespace log message 2017-09-15 12:16:57 +02:00
Adrian-Ken Rueegsegger c15dbfaf08 charon-tkm: Build fix for kernel SAD tests
Commit 7729577... added a flag to the get_esa_id function but the unit
tests were not adjusted.
2017-08-14 18:35:37 +02:00
Tobias Brunner 772957778c charon-tkm: Call esa_reset() when the inbound SA is deleted
After a rekeying the outbound SA and policy are deleted immediately; however,
the inbound SA is not removed until a few seconds later, so delayed packets
can still be processed.

This adds a flag to get_esa_id() that specifies the location of the
given SPI.
2017-08-07 10:46:00 +02:00
Tobias Brunner dbaeaaf605 charon-tkm: Remove unused get_other_esa_id() method 2017-08-07 10:46:00 +02:00
Tobias Brunner d24b831fe7 charon-tkm: Don't select new outbound SA until the policy is installed
This tries to avoid packet loss during rekeying by delaying the usage of
the new outbound IKE_SA until the old one is deleted.

Note that esa_select() is a no-op in the current TKM implementation. And
the implementation also doesn't benefit from the delayed deletion of the
inbound SA as it calls esa_reset() when the outbound SA is deleted.
2017-08-07 10:44:05 +02:00
Tobias Brunner 0d42a76275 charon-tkm: Claim to support SPIs on policies
This fixes rekeying as the delayed installation of the outbound SA
caused the nonce context to be expired already.
2017-08-07 10:44:05 +02:00
Tobias Brunner dad4f6a178 charon-tkm: Return cloned host from tkm_kernel_sad_t::get_dst_host()
When an expire is triggered while rekeying, the CHILD_SA might be deleted
while the returned host is still used to queue a rekey job for the CHILD_SA.
2017-06-14 09:57:09 +02:00
Tobias Brunner 2e4d110d1e linked-list: Change return value of find_first() and signature of its callback
This avoids the unportable five pointer hack.
2017-05-26 13:56:44 +02:00
Tobias Brunner 3ff5de05b3 tkm: Fix get_auth_octets() signature
Fixes: 267c1f7083 ("keymat: Allow keymat to modify signature scheme(s)")
2017-02-13 18:36:01 +01:00
Tobias Brunner 9665686bd8 daemon: Use separate method to set default loggers
This way it is not necessary to pass the same values to reload the
loggers.
2017-01-25 14:58:09 +01:00
Andreas Steffen 40f2589abf gmp: Support of SHA-3 RSA signatures 2016-09-22 17:34:31 +02:00
Tobias Brunner 6250e813ca charon-tkm: Build C code with debug information 2016-09-20 16:26:05 +02:00
Tobias Brunner 8bc2ddb2cc charon-tkm: Free name of the PID file 2016-09-20 16:26:05 +02:00
Tobias Brunner b71f5f9305 charon-tkm: Deinitialize tkm before libstrongswan
In particular because of leak-detective.
2016-09-20 16:26:05 +02:00
Tobias Brunner 89da06ace9 kernel: Use structs to pass information to the kernel-ipsec interface 2016-04-09 16:50:59 +02:00
Andreas Steffen b12c53ce77 Use standard unsigned integer types 2016-03-24 18:52:48 +01:00
Tobias Brunner 28649f6d91 libhydra: Remove empty unused library 2016-03-03 17:36:11 +01:00
Tobias Brunner 8394ea2a42 libhydra: Move kernel interface to libcharon
This moves hydra->kernel_interface to charon->kernel.
2016-03-03 17:36:11 +01:00
Tobias Brunner 88b85e022a sigwaitinfo() may fail with EINTR if interrupted by an unblocked signal not in the set
Fixes #1213.
2015-11-23 11:37:19 +01:00
Adrian-Ken Rueegsegger e63589a7dc charon-tkm: Register SPI generator callback
Set get_spi callback of IKE SA manager to TKM-specific implementation.
2015-11-11 15:39:49 +01:00
Adrian-Ken Rueegsegger efff791675 charon-tkm: Implement SPI generator
The get_spi callback returns a random SPI with a label encoded according
to the spi_label and spi_mask parameters read from the strongswan.conf.
2015-11-11 15:39:49 +01:00