| Commit message |
| Since the TKM handles all relevant key material, charon-tkm must not have access to it anymore. Thus the ike_dh_get_shared_secret operation is not available anymore. |
| Since the TKM completely handles key derivation and installation there is no need for the keymat proxy anymore. |
| The TKM is now able to manage simple child SAs, so there is no need for the netlink proxy anymore. |
| This is in preparation for the removal of the netlink kernel proxy. The code is copied as-is from the kernel_netlink_ipsec plugin. |
| ESP SAs are created when adding CHILD SAs via the kernel ipsec interface. The encr_i key is used to transfer the context id of the parent IKE SA from the keymat to the TKM kernel ipsec interface. |
| The existing kernel netlink ipsec interface is currently used as proxy to perform the actual work. It will be gradually removed as the TKM implements the needed features. |
| To make the chunk map more robust it now stores a clone of the data chunk given on insertion. The entry struct is needed to properly free the allocated chunk after use. |
| This exchange initiates the AUTH verification in the TKM. |
| Use the message hook to save the AUTHENTICATION payload of an incoming IKE_AUTH message. The AUTH payload will be passed on to the TKM ike_isa_auth operation in the authorize hook. |
| These functions are used in the TKM specific bus listener to store/retrieve the AUTH payload chunk in the message/authorize hooks. |
| This listener gets informed about IKE authorization rounds and will be used to call ike_isa_auth on a given ISA. |
| Return FALSE if peers try to use other algorithm combinations. |
| Get PSK signed AUTH octets from TKM in initiator case. |
| Introduce static aead_create_from_keys function to initialize AEAD transforms from key chunks. |
| Create and initialize AEAD transforms with keys derived by the TKM. Return these transforms in the get_aead function. IKE keys used by charon are derived by TKM now. |
| Extract encryption and integrity algorithms from proposal and check them before deriving IKE keys. |
| This function converts a given chunk to a variable-length byte sequence. |
| This function converts a given TKM variable-length byte sequence to a chunk. |
| To derive IKE keys using TKM the nonce context id of the local nonce is needed. Get the id for a given chunk using the chunk map. |
| This data structure allows storing mappings of chunks to ids. This will be used to map nonces to their corresponding nonce context ids. |
| This way we don't need to manually initialize the slot status; free slots are now indicated by 0 though. |
| Forward incoming calls to default ikev2 keymat instance. This is needed to make a stepwise migration to TKM keymat possible. It will be removed once the corresponding parts are implemented in the TKM. |
| Instead of storing the acquired context ids in a linked list, use an array of booleans for the job. A boolean value of true in the array designates an available context id. |
| The tkm_diffie_hellman_t plugin acquires a DH context from the Trusted Key Manager and uses it to get a DH public value and the calculated shared secret. Proper context handling is still missing, though; the plugin currently uses context ID 1. The get_shared_secret function will be removed as soon as the TKM specific keymat is ready. |
| Analogous to charon-nm the charon-tkm daemon is a specialized charon instance used in combination with the trusted key manager (TKM) written in Ada. The charon-tkm is basically a copy of the charon-nm code which will register its own TKM specific plugins. The daemon binary is built using the gprbuild utility. This is needed because it uses the tkm-rpc Ada library and consequently the Ada runtime. gprbuild takes care of the complete binding and linker steps required to properly initialize the Ada runtime. |
| A daemon can be specified using the '--daemon' command line parameter. This tells starter to invoke a daemon other than 'charon'. Additionally the ipsec script uses the environment variable DAEMON_NAME to tell the starter which daemon to use. |