Tobias Brunner
dad4f6a178
charon-tkm: Return cloned host from tkm_kernel_sad_t::get_dst_host()
...
When an expire is triggered while rekeying, the CHILD_SA might be deleted
while the returned host is still used to queue a rekey job for the CHILD_SA.
2017-06-14 09:57:09 +02:00
Tobias Brunner
2e4d110d1e
linked-list: Change return value of find_first() and signature of its callback
...
This avoids the unportable five pointer hack.
2017-05-26 13:56:44 +02:00
Tobias Brunner
3ff5de05b3
tkm: Fix get_auth_octets() signature
...
Fixes: 267c1f7083
("keymat: Allow keymat to modify signature scheme(s)")
2017-02-13 18:36:01 +01:00
Tobias Brunner
9665686bd8
daemon: Use separate method to set default loggers
...
This way it is not necessary to pass the same values to reload the
loggers.
2017-01-25 14:58:09 +01:00
Andreas Steffen
40f2589abf
gmp: Support of SHA-3 RSA signatures
2016-09-22 17:34:31 +02:00
Tobias Brunner
6250e813ca
charon-tkm: Build C code with debug information
2016-09-20 16:26:05 +02:00
Tobias Brunner
8bc2ddb2cc
charon-tkm: Free name of the PID file
2016-09-20 16:26:05 +02:00
Tobias Brunner
b71f5f9305
charon-tkm: Deinitialize tkm before libstrongswan
...
In particular because of leak-detective.
2016-09-20 16:26:05 +02:00
Tobias Brunner
89da06ace9
kernel: Use structs to pass information to the kernel-ipsec interface
2016-04-09 16:50:59 +02:00
Andreas Steffen
b12c53ce77
Use standard unsigned integer types
2016-03-24 18:52:48 +01:00
Tobias Brunner
28649f6d91
libhydra: Remove empty unused library
2016-03-03 17:36:11 +01:00
Tobias Brunner
8394ea2a42
libhydra: Move kernel interface to libcharon
...
This moves hydra->kernel_interface to charon->kernel.
2016-03-03 17:36:11 +01:00
Tobias Brunner
88b85e022a
sigwaitinfo() may fail with EINTR if interrupted by an unblocked signal not in the set
...
Fixes #1213 .
2015-11-23 11:37:19 +01:00
Adrian-Ken Rueegsegger
e63589a7dc
charon-tkm: Register SPI generator callback
...
Set get_spi callback of IKE SA manager to TKM-specific implementation.
2015-11-11 15:39:49 +01:00
Adrian-Ken Rueegsegger
efff791675
charon-tkm: Implement SPI generator
...
The get_spi callback returns a random SPI with a label encoded according
to the spi_label and spi_mask parameters read from the strongswan.conf.
2015-11-11 15:39:49 +01:00
Tobias Brunner
a6e0f14fd2
kernel-interface: Pass the same data to del_policy() that was passed to add_policy()
...
The additional data can be helpful to identify the exact policy to
delete.
2015-11-10 16:42:52 +01:00
Tobias Brunner
3195650180
Fix typo in error handling for sigwaitinfo() in charon-systemd and charon-tkm
...
Fixes 858148092d
("Replace usages of sigwait(3) with sigwaitinfo(2)")
2015-10-29 17:40:31 +01:00
Tobias Brunner
858148092d
Replace usages of sigwait(3) with sigwaitinfo(2)
...
This is basically the same call, but it has the advantage of being
supported by FreeBSD's valgrind, which sigwait() is not.
References #1106 .
2015-10-29 15:38:37 +01:00
Martin Willi
ee9f691915
unit-tests: Forward variable argument list in TEST_SUITE_DEPEND
...
For some plugin features, such as crypters or AEADs, we have some additional
feature arguments, such as the key size.
2015-07-12 13:25:50 +02:00
Adrian-Ken Rueegsegger
38b65d7186
charon-tkm: Also store local SPI in SAD
2015-05-04 18:07:52 +02:00
Reto Buerki
8cdc563258
charon-tkm: Reset stale nonce contexts
...
If the nonce generator detects a stale nonce upon destroy(), it resets
the context in the TKM and releases associated resources in the ID
manager and chunk map.
Also, do not acquire the nonce context ID in tkm_nonceg_create function
but rather when the nonce is actually created by get_nonce().
The nonces created with get_nonce must also be registered in the chunk map.
2015-05-04 18:07:51 +02:00
Reto Buerki
a8ca50e635
charon-tkm: Drop unneeded nonceg get_id function
2015-05-04 18:07:51 +02:00
Adrian-Ken Rueegsegger
5460098cce
charon-tkm: Remove ESA nonce mappings from chunk map
2015-05-04 18:07:51 +02:00
Reto Buerki
a0cf92a650
charon-tkm: Drop obsolete TKM_LIMIT define
2015-05-04 18:07:51 +02:00
Adrian-Ken Rueegsegger
2783bd17a4
charon-tkm: Select other ESA if any is present upon deletion
...
In the case that multiple ESAs exist (e.g. rekey collision) for a
security policy, make sure to select one of the remaining ESAs.
2015-05-04 18:07:51 +02:00
Adrian-Ken Rueegsegger
c7ce0d96cd
charon-tkm: Add get_other_esa_id function to TKM kernel SAD
...
The function gets the ESA id for another entry associated with the same
security policy as the specified ESA.
2015-05-04 18:07:50 +02:00
Adrian-Ken Rueegsegger
ded14df603
charon-tkm: Only skip creation of first child SA
...
Use the new is_first boolean parameter of the
ALERT_KEEP_ON_CHILD_SA_FAILURE alert to determine if the failure was
caused by the first CHILD SA.
2015-05-04 18:07:50 +02:00
Adrian-Ken Rueegsegger
9ae6b507b9
charon-tkm: Fix SAD insertion when adding ESA
...
Commit f5fc592
added the reqid to the SAD. The insert call swapped the
order of the esa_id and reqid parameters.
2015-05-04 17:23:51 +02:00
Martin Willi
3c81cb6fc3
aead: Create AEAD using traditional transforms with an explicit IV generator
...
Real AEADs directly provide a suitable IV generator, but traditional crypters
do not. For some (stream) ciphers, we should use sequential IVs, for which
we pass an appropriate generator to the AEAD wrapper.
2015-04-13 15:06:15 +02:00
Martin Willi
a777155ffe
diffie-hellman: Add a bool return value to set_other_public_value()
2015-03-23 17:54:03 +01:00
Martin Willi
42431690e0
diffie-hellman: Add a bool return value to get_my_public_value()
2015-03-23 17:54:03 +01:00
Martin Willi
bace1d6479
diffie-hellman: Use bool instead of status_t as get_shared_secret() return value
...
While such a change is not unproblematic, keeping status_t makes the API
inconsistent once we introduce return values for the public value operations.
2015-03-23 17:54:02 +01:00
Martin Willi
942797a5b5
kernel-interface: Add a separate "update" flag to add_sa()
...
The current "inbound" flag is used for two purposes: To define the actual
direction of the SA, but also to determine the operation used for SA
installation. If an SPI has been allocated, an update operation is required
instead of an add.
While the inbound flag normally defines the kind of operation required, this
is not necessarily true in all cases. On the HA passive node, we install inbound
SAs without prior SPI allocation.
2015-03-09 18:18:20 +01:00
Martin Willi
68e5ada005
tkm: Use the inbound flag do determine peer role in CHILD_SA exchange
...
This was not available during initial implementation, but fits just fine to
avoid reconstructing the peer role.
2015-03-09 18:18:20 +01:00
Tobias Brunner
ab65a3e8fc
tkm: Disable RFC 7427 signature authentication
...
TKM can't verify such signatures so we'd fail in the authorize hook.
Skipping the algorithm identifier doesn't help if the peer uses
anything other than SHA-1, so config changes would be required.
2015-03-09 16:59:07 +01:00
Tobias Brunner
1cbd34b9d4
tkm: Implement hash algorithm storage methods of keymat_v2_t interface
2015-03-04 13:54:11 +01:00
Reto Buerki
3fb42bc87f
charon-tkm: Use get_dst_host getter in EES callback
...
Use the new get_dst_host getter to retrieve the destination host from
the SAD using the reqid, spi and protocol values received from the
xfrm-proxy.
2015-02-20 13:34:54 +01:00
Reto Buerki
e12ff07c96
charon-tkm: Add get_dst_host getter to SAD
...
This function returns the destination host of an SAD entry for given
reqid, spi and protocol arguments or NULL if not found.
2015-02-20 13:34:53 +01:00
Reto Buerki
ba8aefd5f2
charon-tkm: Improve SAD get_esa_id log messages
2015-02-20 13:34:53 +01:00
Reto Buerki
f5fc592ae1
charon-tkm: Store reqid in SAD
2015-02-20 13:34:53 +01:00
Reto Buerki
e1e854bd0c
charon-tkm: Store remote SPI in SAD
...
Store the remote instead of the local SPI in the SAD when adding a new
entry in the kernel plugin's add_sa() function.
Since only one ESA context must be destroyed for an inbound/outbound
CHILD SA pair, it does not matter which SPI is used to retrieve it in
the del_sa function.
2015-02-20 13:34:53 +01:00
Reto Buerki
fa4f66cba3
charon-tkm: Make CHILD/ESP SA database public
...
Make the CHILD/ESP SA database a public member of the global tkm_t
struct.
2015-02-20 13:34:53 +01:00
Reto Buerki
e63cbb367c
charon-tkm: Fix logger entity name in tests.c
...
Change 'test_runner' to 'test-runner'.
2015-02-20 13:34:52 +01:00
Reto Buerki
84e391e08e
charon-tkm: Fix compilation of ees_callback.c
...
Update the call to hydra->kernel_interface->expire to make
ees_callback.c compile again. The required destination host argument is
set to NULL for now.
2015-02-20 13:34:51 +01:00
Martin Willi
d05d85fe65
kernel-interface: Pass full list of traffic selectors to add_sa()
...
While we can handle the first selector only in BEET mode in kernel-netlink,
passing the full list gives the backend more flexibility how to handle this
information.
2015-02-20 13:34:47 +01:00
Martin Willi
2a1c9e20bd
kernel-interface: Remove reqid parameter from get_spi/get_cpi() methods
...
The reqid is not strictly required, as we set the reqid with the update
call when installing the negotiated SA.
If we don't need a reqid at this stage, we can later allocate the reqid in
the kernel backend once the SA parameters have been fully negotaited. This
allows us to assign the same reqid for the same selectors to avoid conflicts
on backends this is necessary.
2015-02-20 13:34:32 +01:00
Tobias Brunner
e13ef5c434
crypto: Define MODP_CUSTOM outside of IKE DH range
...
Before this fix it was possible to crash charon with an IKE_SA_INIT
message containing a KE payload with DH group MODP_CUSTOM(1025).
Defining MODP_CUSTOM outside of the two byte IKE DH identifier range
prevents it from getting negotiated.
Fixes CVE-2014-9221.
2014-12-23 15:40:01 +01:00
Reto Buerki
1ec7ee65c5
charon-tkm: Properly reset CC context in listener
...
Make sure that the acquired CC context is correctly reset and the
associated ID released in the authorize() function of the TKM bus
listener.
2014-10-31 13:49:40 +01:00
Reto Buerki
a62d03d36b
charon-tkm: Add missing comma to enum
...
Add missing comma to tkm_context_kind_names enum definition.
2014-10-31 13:49:33 +01:00
Martin Willi
5421092b75
plugin-loader: Support a reload() callback for static features
2014-09-22 13:55:12 +02:00