Commit Graph

189 Commits

Author SHA1 Message Date
Tobias Brunner 62d43ea694 ike-sa-manager: Extract IKE SPI labeling feature from charon-tkm
Might be useful for users of other daemons too. Note that compared to the
previous implementation in charon-tkm, the mask/label are applied in
network order.

Closes strongswan/strongswan#134.
2019-04-11 09:51:02 +02:00
Tobias Brunner 3fbc95cf54 keymat_v2: Add support for PPKs 2018-09-10 18:03:01 +02:00
Tobias Brunner 1b67166921 Unify format of HSR copyright statements 2018-05-23 16:32:53 +02:00
Martin Willi 83187f3883 charon-tkm: Ignore an existing PID file if it references ourself 2018-03-21 10:25:49 +01:00
Tobias Brunner 2db6d5b8b3 Fixed some typos, courtesy of codespell 2018-02-13 12:19:54 +01:00
Adrian-Ken Rueegsegger fcff3808b4 charon-tkm: Update to latest Anet version 2018-02-08 17:01:38 +01:00
Tobias Brunner 2307bffe56 proposal: Move proposal_t from libcharon to libstrongswan
This allows us to use it without having to initialize libcharon, which
was required for the logging (we probably could have included debug.h
instead of daemon.h to workaround that but this seems more correct).
2017-11-17 18:09:54 +01:00
Tobias Brunner 42353849cb charon: Explicitly check return value of fileno()
This is mainly for Coverity because fchown() can't take a negative
value, which the -1 check implies is possible.
2017-11-15 14:37:43 +01:00
Tobias Brunner 291b02262d charon-tkm: Unlink PID file after deinit
Same change as for charon in the previous commit.

References #2460.
2017-11-10 10:56:13 +01:00
Tobias Brunner 024b979522 certificate: Return signature scheme and parameters from issued_by() method
This also required some include restructuring (avoid including library.h
in headers) to avoid unresolvable circular dependencies.
2017-11-08 16:48:10 +01:00
Tobias Brunner de280c2e03 private-key: Add optional parameters argument to sign() method 2017-11-08 16:48:10 +01:00
Tobias Brunner a413571f3b public-key: Add optional parameters argument to verify() method 2017-11-08 16:48:10 +01:00
Adrian-Ken Rueegsegger fc08e6af8a charon-tkm: Reset ESA on child SA create failure
Since we are also releasing the ESA ID we have to make sure that the ESA
context is reset and in a clean state in order for it to be actually
reusable.
2017-09-15 12:16:57 +02:00
Adrian-Ken Rueegsegger 59e7298ff9 charon-tkm: Check for error when acquiring ESA ID 2017-09-15 12:16:57 +02:00
Adrian-Ken Rueegsegger 8e823bb8b1 charon-tkm: Fix AE context life-cycle handling
Use new reference counting feature of ID manager for AE contexts and
only perform reset if count is zero. Also, do not pass on AE ID as every
IKE SA must decrement AE ID count once it is not used any longer.
2017-09-15 12:16:57 +02:00
Adrian-Ken Rueegsegger c198ddcb3f charon-tkm: Return current refcount when releasing ID 2017-09-15 12:16:57 +02:00
Adrian-Ken Rueegsegger 1b2a8d963a charon-tkm: Add acquire_ref method to ID manager
The function acquires a reference to the given context reference id for
a specific context kind.
2017-09-15 12:16:57 +02:00
Adrian-Ken Rueegsegger fcde9686f6 charon-tkm: Store context ids as int instead of bool
This is in preparation of making context ids refcountable.
2017-09-15 12:16:57 +02:00
Adrian-Ken Rueegsegger d35ebfbce1 charon-tkm: Add missing whitespace log message 2017-09-15 12:16:57 +02:00
Adrian-Ken Rueegsegger c15dbfaf08 charon-tkm: Build fix for kernel SAD tests
Commit 7729577... added a flag to the get_esa_id function but the unit
tests were not adjusted.
2017-08-14 18:35:37 +02:00
Tobias Brunner 772957778c charon-tkm: Call esa_reset() when the inbound SA is deleted
After a rekeying the outbound SA and policy is deleted immediately, however,
the inbound SA is not removed until a few seconds later, so delayed packets
can still be processed.

This adds a flag to get_esa_id() that specifies the location of the
given SPI.
2017-08-07 10:46:00 +02:00
Tobias Brunner dbaeaaf605 charon-tkm: Remove unused get_other_esa_id() method 2017-08-07 10:46:00 +02:00
Tobias Brunner d24b831fe7 charon-tkm: Don't select new outbound SA until the policy is installed
This tries to avoid packet loss during rekeying by delaying the usage of
the new outbound IKE_SA until the old one is deleted.

Note that esa_select() is a no-op in the current TKM implementation. And
the implementation also doesn't benefit from the delayed deletion of the
inbound SA as it calls esa_reset() when the outbound SA is deleted.
2017-08-07 10:44:05 +02:00
Tobias Brunner 0d42a76275 charon-tkm: Claim to support SPIs on policies
This fixes rekeying as the delayed installation of the outbound SA
caused the nonce context to be expired already.
2017-08-07 10:44:05 +02:00
Tobias Brunner dad4f6a178 charon-tkm: Return cloned host from tkm_kernel_sad_t::get_dst_host()
When an expire is triggered while rekeying, the CHILD_SA might be deleted
while the returned host is still used to queue a rekey job for the CHILD_SA.
2017-06-14 09:57:09 +02:00
Tobias Brunner 2e4d110d1e linked-list: Change return value of find_first() and signature of its callback
This avoids the unportable five pointer hack.
2017-05-26 13:56:44 +02:00
Tobias Brunner 3ff5de05b3 tkm: Fix get_auth_octets() signature
Fixes: 267c1f7083 ("keymat: Allow keymat to modify signature scheme(s)")
2017-02-13 18:36:01 +01:00
Tobias Brunner 9665686bd8 daemon: Use separate method to set default loggers
This way it is not necessary to pass the same values to reload the
loggers.
2017-01-25 14:58:09 +01:00
Andreas Steffen 40f2589abf gmp: Support of SHA-3 RSA signatures 2016-09-22 17:34:31 +02:00
Tobias Brunner 6250e813ca charon-tkm: Build C code with debug information 2016-09-20 16:26:05 +02:00
Tobias Brunner 8bc2ddb2cc charon-tkm: Free name of the PID file 2016-09-20 16:26:05 +02:00
Tobias Brunner b71f5f9305 charon-tkm: Deinitialize tkm before libstrongswan
In particular because of leak-detective.
2016-09-20 16:26:05 +02:00
Tobias Brunner 89da06ace9 kernel: Use structs to pass information to the kernel-ipsec interface 2016-04-09 16:50:59 +02:00
Andreas Steffen b12c53ce77 Use standard unsigned integer types 2016-03-24 18:52:48 +01:00
Tobias Brunner 28649f6d91 libhydra: Remove empty unused library 2016-03-03 17:36:11 +01:00
Tobias Brunner 8394ea2a42 libhydra: Move kernel interface to libcharon
This moves hydra->kernel_interface to charon->kernel.
2016-03-03 17:36:11 +01:00
Tobias Brunner 88b85e022a sigwaitinfo() may fail with EINTR if interrupted by an unblocked signal not in the set
Fixes #1213.
2015-11-23 11:37:19 +01:00
Adrian-Ken Rueegsegger e63589a7dc charon-tkm: Register SPI generator callback
Set get_spi callback of IKE SA manager to TKM-specific implementation.
2015-11-11 15:39:49 +01:00
Adrian-Ken Rueegsegger efff791675 charon-tkm: Implement SPI generator
The get_spi callback returns a random SPI with a label encoded according
to the spi_label and spi_mask parameters read from the strongswan.conf.
2015-11-11 15:39:49 +01:00
Tobias Brunner a6e0f14fd2 kernel-interface: Pass the same data to del_policy() that was passed to add_policy()
The additional data can be helpful to identify the exact policy to
delete.
2015-11-10 16:42:52 +01:00
Tobias Brunner 3195650180 Fix typo in error handling for sigwaitinfo() in charon-systemd and charon-tkm
Fixes 858148092d ("Replace usages of sigwait(3) with sigwaitinfo(2)")
2015-10-29 17:40:31 +01:00
Tobias Brunner 858148092d Replace usages of sigwait(3) with sigwaitinfo(2)
This is basically the same call, but it has the advantage of being
supported by FreeBSD's valgrind, which sigwait() is not.

References #1106.
2015-10-29 15:38:37 +01:00
Martin Willi ee9f691915 unit-tests: Forward variable argument list in TEST_SUITE_DEPEND
For some plugin features, such as crypters or AEADs, we have some additional
feature arguments, such as the key size.
2015-07-12 13:25:50 +02:00
Adrian-Ken Rueegsegger 38b65d7186 charon-tkm: Also store local SPI in SAD 2015-05-04 18:07:52 +02:00
Reto Buerki 8cdc563258 charon-tkm: Reset stale nonce contexts
If the nonce generator detects a stale nonce upon destroy(), it resets
the context in the TKM and releases associated resources in the ID
manager and chunk map.

Also, do not acquire the nonce context ID in tkm_nonceg_create function
but rather when the nonce is actually created by get_nonce().

The nonces created with get_nonce must also be registered in the chunk map.
2015-05-04 18:07:51 +02:00
Reto Buerki a8ca50e635 charon-tkm: Drop unneeded nonceg get_id function 2015-05-04 18:07:51 +02:00
Adrian-Ken Rueegsegger 5460098cce charon-tkm: Remove ESA nonce mappings from chunk map 2015-05-04 18:07:51 +02:00
Reto Buerki a0cf92a650 charon-tkm: Drop obsolete TKM_LIMIT define 2015-05-04 18:07:51 +02:00
Adrian-Ken Rueegsegger 2783bd17a4 charon-tkm: Select other ESA if any is present upon deletion
In the case that multiple ESAs exist (e.g. rekey collision) for a
security policy, make sure to select one of the remaining ESAs.
2015-05-04 18:07:51 +02:00
Adrian-Ken Rueegsegger c7ce0d96cd charon-tkm: Add get_other_esa_id function to TKM kernel SAD
The function gets the ESA id for another entry associated with the same
security policy as the specified ESA.
2015-05-04 18:07:50 +02:00