Stefan Berghofer
d7a9e723f3
charon-tkm: Remove useless checks when deriving IKE keys
2021-06-17 09:53:51 +02:00
Stefan Berghofer
22e7900718
charon-tkm: Delegate encryption/decryption of IKE traffic to TKM
...
Co-authored-by: Tobias Brunner <tobias@strongswan.org>
2021-06-17 09:53:51 +02:00
Tobias Brunner
16fcdb460a
charon-tkm: Don't use starter/stroke with charon-tkm anymore
...
For the tests, the unused init script that was used before switching to
charon-systemd is repurposed to manage the daemon.
2021-01-11 15:28:01 +01:00
Tobias Brunner
b322539ef5
charon-tkm: Deinitialize IKE tkm-rpc client
...
This is necessary if tkm-rpc supports multiple parallel client requests.
2021-01-08 17:22:37 +01:00
Tobias Brunner
e637cf8b4a
charon-tkm: Remove -gnat05 option not supported by newer compilers
2021-01-08 17:22:36 +01:00
Adrian-Ken Rueegsegger
a0a0571bd1
charon-tkm: Reverse cert chain processing order
...
Verify certificate chains starting from the root CA certificate and
moving towards the leaf/user certificate.
Also update TKM-RPC and TKM in testing scripts to version supporting the
reworked CC handling.
2021-01-08 17:22:36 +01:00
Adrian-Ken Rueegsegger
f8242127a2
charon-tkm: Add support for multiple CAs
...
Load CA certificate id mapping from config and pass the correct CA ID to
TKM when checking certificate chains. The mapping of CA certificate to
CA ID is done via SHA-1 hash of the CA certificate's subjectPublicKey.
2021-01-08 17:22:36 +01:00
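The CA-to-ID lookup that the commit above describes, as an added example (Python, not charon-tkm's own code): it pulls the subjectPublicKey out of a SubjectPublicKeyInfo, hashes it with SHA-1 and uses the hex digest as the key into a fingerprint-to-CA-ID table. Assumptions: the fingerprint is taken over the BIT STRING payload of subjectPublicKey with the unused-bits byte stripped; the mapping table, the config format it stands in for, the rsaEncryption SPKI and the key bytes inside it are all constructed for this example.

```python
import hashlib

# Constructed example, not charon-tkm code: derive the CA ID that would be
# passed to TKM from a CA certificate's subjectPublicKey. The mapping table,
# the key bytes and the SPKI below are made up for this example.

def _der(tag, content):
    """Encode one DER TLV (lengths up to 65535 are enough here)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content

def _read_tlv(buf, pos):
    """Decode the DER TLV at buf[pos]; return (tag, content, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def subject_public_key(spki_der):
    """Return the raw subjectPublicKey bits from a SubjectPublicKeyInfo."""
    tag, seq, _ = _read_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, _alg, pos = _read_tlv(seq, 0)      # AlgorithmIdentifier, not needed here
    tag, bits, _ = _read_tlv(seq, pos)
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("subjectPublicKey must be a BIT STRING with no unused bits")
    return bits[1:]

def pubkey_sha1(spki_der):
    """Assumption: the fingerprint is SHA-1 over the BIT STRING payload."""
    return hashlib.sha1(subject_public_key(spki_der)).hexdigest()

def ca_id_for(spki_der, ca_mapping):
    """Look up the TKM CA ID; None means the CA is not configured."""
    return ca_mapping.get(pubkey_sha1(spki_der))

# Constructed SPKI: rsaEncryption OID + NULL parameters, fake RSAPublicKey body.
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")
FAKE_KEY = _der(0x30, _der(0x02, b"\x00" + bytes(range(1, 65)))
                + _der(0x02, b"\x01\x00\x01"))
SAMPLE_SPKI = _der(0x30, _der(0x30, _der(0x06, RSA_ENCRYPTION_OID) + _der(0x05, b""))
                   + _der(0x03, b"\x00" + FAKE_KEY))

# Constructed mapping standing in for the config: hex fingerprint -> CA ID.
CA_MAPPING = {hashlib.sha1(FAKE_KEY).hexdigest(): 1}

if __name__ == "__main__":
    print(pubkey_sha1(SAMPLE_SPKI), "->", ca_id_for(SAMPLE_SPKI, CA_MAPPING))
```

A CA whose fingerprint is absent from the table yields None; a caller should treat that as a failed chain check rather than falling back to a default CA ID, because the ID decides which trust anchor TKM verifies against.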
Adrian-Ken Rueegsegger
73d2a11aee
charon-tkm: Register TKM cred encoder before init
...
Make sure the credential encoder is available early to allow getting
public key fingerprints.
2021-01-08 17:22:36 +01:00
Tobias Brunner
040608a48d
Simplify handling of terminating signals in all libcharon wrappers
...
Closes strongswan/strongswan#182.
2020-09-30 12:47:39 +02:00
Josh Soref
b3ab7a48cc
Spelling fixes
...
* accumulating
* acquire
* alignment
* appropriate
* argument
* assign
* attribute
* authenticate
* authentication
* authenticator
* authority
* auxiliary
* brackets
* callback
* camellia
* can't
* cancelability
* certificate
* choinyambuu
* chunk
* collector
* collision
* communicating
* compares
* compatibility
* compressed
* confidentiality
* configuration
* connection
* consistency
* constraint
* construction
* constructor
* database
* decapsulated
* declaration
* decrypt
* derivative
* destination
* destroyed
* details
* devised
* dynamic
* ecapsulation
* encoded
* encoding
* encrypted
* enforcing
* enumerator
* establishment
* excluded
* exclusively
* exited
* expecting
* expire
* extension
* filter
* firewall
* foundation
* fulfillment
* gateways
* hashing
* hashtable
* heartbeats
* identifier
* identifiers
* identities
* identity
* implementers
* indicating
* initialize
* initiate
* initiation
* initiator
* inner
* instantiate
* legitimate
* libraries
* libstrongswan
* logger
* malloc
* manager
* manually
* measurement
* mechanism
* message
* network
* nonexistent
* object
* occurrence
* optional
* outgoing
* packages
* packets
* padding
* particular
* passphrase
* payload
* periodically
* policies
* possible
* previously
* priority
* proposal
* protocol
* provide
* provider
* pseudo
* pseudonym
* public
* qualifier
* quantum
* quintuplets
* reached
* reading
* recommendation to
* recommendation
* recursive
* reestablish
* referencing
* registered
* rekeying
* reliable
* replacing
* representing
* represents
* request
* request
* resolver
* result
* resulting
* resynchronization
* retriable
* revocation
* right
* rollback
* rule
* rules
* runtime
* scenario
* scheduled
* security
* segment
* service
* setting
* signature
* specific
* specified
* speed
* started
* steffen
* strongswan
* subjectaltname
* supported
* threadsafe
* traffic
* tremendously
* treshold
* unique
* uniqueness
* unknown
* until
* upper
* using
* validator
* verification
* version
* version
* warrior
Closes strongswan/strongswan#164.
2020-02-11 18:23:07 +01:00
Sheena Mira-ato
fe3ae5be5d
Add compile option to disable internal handling of fatal signals
...
By default, charon and its derivatives internally handle the SIGSEGV,
SIGILL, and SIGBUS signals raised by threads (segv_handler). Add a compile
option so that the signal handling can optionally be done externally.
Closes strongswan/strongswan#132.
2019-05-28 10:44:48 +02:00
Tobias Brunner
62d43ea694
ike-sa-manager: Extract IKE SPI labeling feature from charon-tkm
...
Might be useful for users of other daemons too. Note that compared to the
previous implementation in charon-tkm, the mask/label are applied in
network order.
Closes strongswan/strongswan#134.
2019-04-11 09:51:02 +02:00
Tobias Brunner
3fbc95cf54
keymat_v2: Add support for PPKs
2018-09-10 18:03:01 +02:00
Tobias Brunner
1b67166921
Unify format of HSR copyright statements
2018-05-23 16:32:53 +02:00
Martin Willi
83187f3883
charon-tkm: Ignore an existing PID file if it references ourself
2018-03-21 10:25:49 +01:00
Tobias Brunner
2db6d5b8b3
Fixed some typos, courtesy of codespell
2018-02-13 12:19:54 +01:00
Adrian-Ken Rueegsegger
fcff3808b4
charon-tkm: Update to latest Anet version
2018-02-08 17:01:38 +01:00
Tobias Brunner
2307bffe56
proposal: Move proposal_t from libcharon to libstrongswan
...
This allows us to use it without having to initialize libcharon, which
was required for the logging (we probably could have included debug.h
instead of daemon.h to workaround that but this seems more correct).
2017-11-17 18:09:54 +01:00
Tobias Brunner
42353849cb
charon: Explicitly check return value of fileno()
...
This is mainly for Coverity because fchown() can't take a negative
value, which the -1 check implies is possible.
2017-11-15 14:37:43 +01:00
Tobias Brunner
291b02262d
charon-tkm: Unlink PID file after deinit
...
Same change as for charon in the previous commit.
References #2460.
2017-11-10 10:56:13 +01:00
Tobias Brunner
024b979522
certificate: Return signature scheme and parameters from issued_by() method
...
This also required some include restructuring (avoid including library.h
in headers) to avoid unresolvable circular dependencies.
2017-11-08 16:48:10 +01:00
Tobias Brunner
de280c2e03
private-key: Add optional parameters argument to sign() method
2017-11-08 16:48:10 +01:00
Tobias Brunner
a413571f3b
public-key: Add optional parameters argument to verify() method
2017-11-08 16:48:10 +01:00
Adrian-Ken Rueegsegger
fc08e6af8a
charon-tkm: Reset ESA on child SA create failure
...
Since we are also releasing the ESA ID we have to make sure that the ESA
context is reset and in a clean state in order for it to be actually
reusable.
2017-09-15 12:16:57 +02:00
Adrian-Ken Rueegsegger
59e7298ff9
charon-tkm: Check for error when acquiring ESA ID
2017-09-15 12:16:57 +02:00
Adrian-Ken Rueegsegger
8e823bb8b1
charon-tkm: Fix AE context life-cycle handling
...
Use new reference counting feature of ID manager for AE contexts and
only perform reset if count is zero. Also, do not pass on AE ID as every
IKE SA must decrement AE ID count once it is not used any longer.
2017-09-15 12:16:57 +02:00
Adrian-Ken Rueegsegger
c198ddcb3f
charon-tkm: Return current refcount when releasing ID
2017-09-15 12:16:57 +02:00
Adrian-Ken Rueegsegger
1b2a8d963a
charon-tkm: Add acquire_ref method to ID manager
...
The function acquires a reference to the given context reference id for
a specific context kind.
2017-09-15 12:16:57 +02:00
Adrian-Ken Rueegsegger
fcde9686f6
charon-tkm: Store context ids as int instead of bool
...
This is in preparation of making context ids refcountable.
2017-09-15 12:16:57 +02:00
Adrian-Ken Rueegsegger
d35ebfbce1
charon-tkm: Add missing whitespace log message
2017-09-15 12:16:57 +02:00
Adrian-Ken Rueegsegger
c15dbfaf08
charon-tkm: Build fix for kernel SAD tests
...
Commit 7729577... added a flag to the get_esa_id function but the unit
tests were not adjusted.
2017-08-14 18:35:37 +02:00
Tobias Brunner
772957778c
charon-tkm: Call esa_reset() when the inbound SA is deleted
...
After a rekeying the outbound SA and policy is deleted immediately, however,
the inbound SA is not removed until a few seconds later, so delayed packets
can still be processed.
This adds a flag to get_esa_id() that specifies the location of the
given SPI.
2017-08-07 10:46:00 +02:00
Tobias Brunner
dbaeaaf605
charon-tkm: Remove unused get_other_esa_id() method
2017-08-07 10:46:00 +02:00
Tobias Brunner
d24b831fe7
charon-tkm: Don't select new outbound SA until the policy is installed
...
This tries to avoid packet loss during rekeying by delaying the usage of
the new outbound IKE_SA until the old one is deleted.
Note that esa_select() is a no-op in the current TKM implementation. And
the implementation also doesn't benefit from the delayed deletion of the
inbound SA as it calls esa_reset() when the outbound SA is deleted.
2017-08-07 10:44:05 +02:00
Tobias Brunner
0d42a76275
charon-tkm: Claim to support SPIs on policies
...
This fixes rekeying as the delayed installation of the outbound SA
caused the nonce context to be expired already.
2017-08-07 10:44:05 +02:00
Tobias Brunner
dad4f6a178
charon-tkm: Return cloned host from tkm_kernel_sad_t::get_dst_host()
...
When an expire is triggered while rekeying, the CHILD_SA might be deleted
while the returned host is still used to queue a rekey job for the CHILD_SA.
2017-06-14 09:57:09 +02:00
Tobias Brunner
2e4d110d1e
linked-list: Change return value of find_first() and signature of its callback
...
This avoids the unportable five pointer hack.
2017-05-26 13:56:44 +02:00
Tobias Brunner
3ff5de05b3
tkm: Fix get_auth_octets() signature
...
Fixes: 267c1f7083
("keymat: Allow keymat to modify signature scheme(s)")
2017-02-13 18:36:01 +01:00
Tobias Brunner
9665686bd8
daemon: Use separate method to set default loggers
...
This way it is not necessary to pass the same values to reload the
loggers.
2017-01-25 14:58:09 +01:00
Andreas Steffen
40f2589abf
gmp: Support of SHA-3 RSA signatures
2016-09-22 17:34:31 +02:00
Tobias Brunner
6250e813ca
charon-tkm: Build C code with debug information
2016-09-20 16:26:05 +02:00
Tobias Brunner
8bc2ddb2cc
charon-tkm: Free name of the PID file
2016-09-20 16:26:05 +02:00
Tobias Brunner
b71f5f9305
charon-tkm: Deinitialize tkm before libstrongswan
...
In particular because of leak-detective.
2016-09-20 16:26:05 +02:00
Tobias Brunner
89da06ace9
kernel: Use structs to pass information to the kernel-ipsec interface
2016-04-09 16:50:59 +02:00
Andreas Steffen
b12c53ce77
Use standard unsigned integer types
2016-03-24 18:52:48 +01:00
Tobias Brunner
28649f6d91
libhydra: Remove empty unused library
2016-03-03 17:36:11 +01:00
Tobias Brunner
8394ea2a42
libhydra: Move kernel interface to libcharon
...
This moves hydra->kernel_interface to charon->kernel.
2016-03-03 17:36:11 +01:00
Tobias Brunner
88b85e022a
sigwaitinfo() may fail with EINTR if interrupted by an unblocked signal not in the set
...
Fixes #1213.
2015-11-23 11:37:19 +01:00
Adrian-Ken Rueegsegger
e63589a7dc
charon-tkm: Register SPI generator callback
...
Set get_spi callback of IKE SA manager to TKM-specific implementation.
2015-11-11 15:39:49 +01:00
Adrian-Ken Rueegsegger
efff791675
charon-tkm: Implement SPI generator
...
The get_spi callback returns a random SPI with a label encoded according
to the spi_label and spi_mask parameters read from the strongswan.conf.
2015-11-11 15:39:49 +01:00
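The SPI labelling described in the two commits above ("Implement SPI generator" here, and "Extract IKE SPI labeling feature from charon-tkm" further up, which notes that mask and label are applied in network order), as an added example in Python rather than strongSwan's own C code: a random 8-byte SPI is generated, then the bits selected by spi_mask are overwritten with spi_label on the big-endian wire bytes, so the label lands in the same positions whatever the host's endianness. The parameter names follow the commit message; the integer representation of mask and label and the helper names are assumptions for this example.

```python
import os

# Constructed example, not strongSwan code: generate an IKE SPI that carries a
# label in its masked bits, applying mask and label in network byte order.

SPI_BITS = 0xFFFFFFFFFFFFFFFF

def labeled_spi(spi_mask, spi_label, rand=os.urandom):
    """Return 8 SPI bytes as they appear on the wire.

    spi_mask and spi_label are 64-bit integers as a config parser would hand
    them over. Both are converted to big-endian bytes before they touch the
    random bytes, which is what "applied in network order" means here.
    """
    raw = bytearray(rand(8))
    mask = (spi_mask & SPI_BITS).to_bytes(8, "big")
    label = (spi_label & SPI_BITS).to_bytes(8, "big")
    for i in range(8):
        raw[i] = (raw[i] & ~mask[i] & 0xFF) | (label[i] & mask[i])
    return bytes(raw)

def spi_has_label(spi_bytes, spi_mask, spi_label):
    """Check an SPI taken from a packet header for the configured label."""
    spi = int.from_bytes(spi_bytes, "big")
    return spi & spi_mask == spi_label & spi_mask

def random_bits(spi_mask):
    """Entropy left in the SPI once the masked bits are fixed by the label."""
    return 64 - bin(spi_mask & SPI_BITS).count("1")

if __name__ == "__main__":
    mask, label = 0xFFFF000000000000, 0x1234000000000000
    spi = labeled_spi(mask, label)
    print(spi.hex(), spi_has_label(spi, mask, label), random_bits(mask))
```

Every masked bit is one bit of randomness removed from the SPI, so a wide mask makes SPIs predictable; keeping the mask to the few bits needed to tell traffic classes apart is the practical trade-off.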