Commit message (author, date, files changed, lines -removed/+added)
...
* Add TKM specific bus listener skeleton (Reto Buerki, 2013-03-19, 2 files, -0/+124)
  This listener gets informed about IKE authorization rounds and will be used to call ike_isa_auth on a given ISA.
* Add ISA context id getter to TKM keymat (Reto Buerki, 2013-03-19, 3 files, -0/+16)
* keymat: Acquire AE context ID on initialization (Reto Buerki, 2013-03-19, 1 file, -3/+9)
* Add TKM_CTX_AE (Authenticated Endpoint context) (Reto Buerki, 2013-03-19, 4 files, -5/+8)
* keymat: Acquire ISA context ID on initialization (Reto Buerki, 2013-03-19, 1 file, -2/+22)
* Add TKM_CTX_ISA (IKE SA context) (Reto Buerki, 2013-03-19, 4 files, -6/+8)
* Use remote PSK signature computed by TKM (Reto Buerki, 2013-03-19, 1 file, -25/+19)
* keymat: Check for aes256-sha512 in derive_ike_keys (Reto Buerki, 2013-03-19, 1 file, -0/+8)
  Return FALSE if peers try to use other algorithm combinations.
* keymat: Call ike_isa_sign_psk in get_psk_sig (Adrian-Ken Rueegsegger, 2013-03-19, 1 file, -1/+26)
  Get PSK signed AUTH octets from TKM in initiator case.
* Factor out AEAD transform creation (Reto Buerki, 2013-03-19, 1 file, -61/+92)
  Introduce static aead_create_from_keys function to initialize AEAD transforms from key chunks.
* Add keymat IKE key derivation test case (Reto Buerki, 2013-03-19, 3 files, -0/+105)
* keymat: Create inbound and outbound AEAD transforms (Reto Buerki, 2013-03-19, 1 file, -3/+85)
  Create and initialize AEAD transforms with keys derived by the TKM. Return these transforms in the get_aead function. IKE keys used by charon are derived by TKM now.
* keymat: Extract enc,inc algorithms from proposal (Reto Buerki, 2013-03-19, 1 file, -0/+26)
  Extract encryption and integrity algorithms from proposal and check them before deriving IKE keys.
* keymat: Call TKM Isa_Create procedure (Reto Buerki, 2013-03-19, 1 file, -4/+39)
* Implement chunk_to_sequence function (Reto Buerki, 2013-03-19, 3 files, -0/+40)
  This function converts a given chunk to a variable-length byte sequence.
* Implement sequence_to_chunk function (Reto Buerki, 2013-03-19, 6 files, -4/+107)
  This function converts a given TKM variable-length byte sequence to a chunk.
* keymat: Log nonce and DH context ids (Adrian-Ken Rueegsegger, 2013-03-19, 1 file, -1/+5)
* Add context id getter to TKM DH implementation (Adrian-Ken Rueegsegger, 2013-03-19, 3 files, -0/+17)
* keymat: Get context id of local nonce (Adrian-Ken Rueegsegger, 2013-03-19, 1 file, -2/+22)
  To derive IKE keys using TKM the nonce context id of the local nonce is needed. Get the id for a given chunk using the chunk map.
* nonceg: Insert id mapping when allocating nonce (Adrian-Ken Rueegsegger, 2013-03-19, 1 file, -1/+6)
* Add chunk map (Adrian-Ken Rueegsegger, 2013-03-19, 7 files, -0/+278)
  This data structure allows storing mappings of chunks to ids. This will be used to map nonces to their corresponding nonce context ids.
* Add context id getter to TKM nonce generator (Adrian-Ken Rueegsegger, 2013-03-19, 3 files, -0/+17)
* id_manager: Use calloc instead of malloc (Reto Buerki, 2013-03-19, 1 file, -10/+4)
  This way we don't need to manually initialize the slot status; free slots are now indicated by 0 though.
* Use ikev2 keymat proxy (Reto Buerki, 2013-03-19, 1 file, -7/+18)
  Forward incoming calls to default ikev2 keymat instance. This is needed to make a stepwise migration to TKM keymat possible. It will be removed once the corresponding parts are implemented in the TKM.
* Add skeleton for TKM keymat variant (Reto Buerki, 2013-03-19, 3 files, -0/+256)
* id_manager: Use limits given by TKM (Reto Buerki, 2013-03-19, 1 file, -5/+15)
* Pass context limits on to id manager (Reto Buerki, 2013-03-19, 4 files, -12/+21)
* Request limits from TKM on init (Reto Buerki, 2013-03-19, 1 file, -0/+15)
* id_manager: Use array of bool instead of list (Reto Buerki, 2013-03-19, 2 files, -41/+42)
  Instead of storing the acquired context ids in a linked list, use an array of booleans for the job. A boolean value of true in the array designates an available context id.
* Use id manager to acquire DH context id (Reto Buerki, 2013-03-19, 1 file, -9/+23)
* Add TKM_CTX_DH (Diffie-Hellman context) to id manager (Reto Buerki, 2013-03-19, 2 files, -3/+6)
* Use id manager to acquire nonce context id (Reto Buerki, 2013-03-19, 1 file, -6/+16)
* Add initial TKM Diffie-Hellman implementation (Reto Buerki, 2013-03-19, 7 files, -2/+234)
  The tkm_diffie_hellman_t plugin acquires a DH context from the Trusted Key Manager and uses it to get a DH public value and the calculated shared secret. Proper context handling is still missing though, the plugin currently uses context ID 1. The get_shared_secret function will be removed as soon as the TKM specific keymat is ready.
* charon-tkm: Register tkm nonce generator (Reto Buerki, 2013-03-19, 2 files, -1/+9)
* tkm_nonceg: Return nonce generated by TKM (Reto Buerki, 2013-03-19, 1 file, -1/+13)
* Initialize TKM client library in tkm.c (Reto Buerki, 2013-03-19, 3 files, -6/+37)
* Introduce TKM specific charon daemon (charon-tkm) (Reto Buerki, 2013-03-19, 20 files, -3/+1222)
  Analogous to charon-nm the charon-tkm daemon is a specialized charon instance used in combination with the trusted key manager (TKM) written in Ada. The charon-tkm is basically a copy of the charon-nm code which will register its own TKM specific plugins. The daemon binary is built using the gprbuild utility. This is needed because it uses the tkm-rpc Ada library and consequently the Ada runtime. gprbuild takes care of the complete binding and linker steps required to properly initialize the Ada runtime.
* starter: Make daemon name configurable (Adrian-Ken Rueegsegger, 2013-03-19, 5 files, -38/+126)
  A daemon can be specified using the '--daemon' command line parameter. This tells starter to invoke a daemon other than 'charon'. Additionally the ipsec script uses the environment variable DAEMON_NAME to tell the starter which daemon to use.
* Add configure option --enable-unit-tests (Adrian-Ken Rueegsegger, 2013-03-19, 2 files, -0/+11)
  This configure option enables check-based unit testing. Check is a unit test framework for C [1]. The unit tests can be executed by issuing the following command in the top-level build directory:
      make check
  [1] http://check.sourceforge.net/
* Load arbitrary (non-host) attributes from strongswan.conf (Tobias Brunner, 2013-03-19, 1 file, -21/+32)
  This allows loading, e.g., Cisco-specific attributes that contain FQDNs.
* Don't try to mmap() empty ipsec.secret files (Martin Willi, 2013-03-19, 1 file, -1/+5)
* Delete IKE_SAs if responder does not initiate XAuth exchange within a certain time frame (Tobias Brunner, 2013-03-19, 3 files, -3/+27)
* testing: Rename interfaces and bridges so they are easier to identify (Tobias Brunner, 2013-03-19, 12 files, -5/+16)
  This simplifies capturing traffic with Wireshark on the host as each of the guest's interfaces is clearly identified. The three bridges were previously numbered starting from 0, this scheme is restored here.
* testing: Don't use a specific version for the QEMU machine type (Tobias Brunner, 2013-03-19, 8 files, -8/+8)
  The previously used pc-1.1 is not yet available on e.g. Ubuntu 12.04. With 'pc' the most current supported version of that type is used.
* NEWS about xauth-noauth added (Tobias Brunner, 2013-03-19, 1 file, -0/+6)
* Make sure that xauth-noauth is not used accidentally (Tobias Brunner, 2013-03-19, 1 file, -2/+5)
  It has to be selected explicitly with rightauth2=xauth-noauth.
* Added xauth-noauth plugin (Tobias Brunner, 2013-03-19, 8 files, -29/+309)
  This XAuth backend does not do any authentication of client credentials but simply sends a successful XAuth status to the client, thereby concluding the XAuth exchange. This can be useful to fall back to basic RSA authentication with clients that cannot be configured without XAuth authentication.
* In stroke counters, check if we have an IKE_SA before getting the name from it (Martin Willi, 2013-03-19, 1 file, -3/+6)
  Fixes a segfault when receiving an invalid IKE SPI, where we don't have an IKE_SA for the raised alert.
* Add an "esp" load-tester option to configure custom CHILD_SA ESP proposal (Martin Willi, 2013-03-18, 1 file, -3/+16)
* Algorithms are not really specific to an IKE version (Tobias Brunner, 2013-03-18, 1 file, -1/+1)
  But not all of them can be used with IKEv1. Fixes #314.