aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon/sa/ikev2/authenticators
Commit message (Collapse)AuthorAgeFilesLines
* ikev2: Add hash algorithm used for RSASSA-PSS signature to log messageTobias Brunner2017-11-171-11/+41
|
* ikev2: Use helpers to build signature auth dataTobias Brunner2017-11-081-40/+4
|
* ikev2: Enumerate RSA/PSS schemes and use them if enabledTobias Brunner2017-11-081-7/+11
|
* ikev2: Support signing with RSASSA-PSS via RFC 7427 signature authTobias Brunner2017-11-081-6/+21
|
* ikev2: Verify RSASSA-PSS signatures via RFC 7427 signature authTobias Brunner2017-11-081-19/+34
|
* keymat_v2: Pass/receive signature schemes as signature_param_t objectsTobias Brunner2017-11-081-26/+55
|
* auth-cfg: Store signature schemes as signature_params_t objectsTobias Brunner2017-11-081-16/+20
| | | | | Due to circular references the hasher_from_signature_scheme() helper does not take a signature_params_t object.
* private-key: Add optional parameters argument to sign() methodTobias Brunner2017-11-081-2/+2
|
* public-key: Add optional parameters argument to verify() methodTobias Brunner2017-11-081-1/+1
|
* ikev2: Don't use SHA-1 for RFC 7427 signature authenticationTobias Brunner2017-11-081-3/+1
| | | | | | RFC 8247 demoted it to MUST NOT. References #2427.
* keymat: Allow keymat to modify signature scheme(s)Thomas Egerer2017-02-081-9/+30
| | | | Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* gmp: Support of SHA-3 RSA signaturesAndreas Steffen2016-09-221-2/+2
|
* Use standard unsigned integer typesAndreas Steffen2016-03-242-10/+10
|
* ikev2: Don't do online revocation checks in pubkey authenticator if requestedTobias Brunner2016-03-101-1/+8
| | | | We also update the auth config so the constraints are not enforced.
* credential-manager: Make online revocation checks optional for public key ↵Tobias Brunner2016-03-101-1/+1
| | | | enumerator
* ikev2: Always store signature scheme in auth-cfgTobias Brunner2016-03-041-12/+1
| | | | As we use a different rule we can always store the scheme.
* ikev2: Diversify signature scheme ruleThomas Egerer2016-03-041-2/+3
| | | | | | | This allows for different signature schemes for IKE authentication and trustchain verification. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* ikev2: Add debug message about failed IKE authenticationThomas Egerer2016-02-021-0/+4
| | | | Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* ikev2: Store outer EAP method used to authenticate remote peer in auth-cfgTobias Brunner2015-08-191-0/+9
| | | | | | | This allows symmetric configuration of EAP methods (i.e. the same value in leftauth and rightauth) when mutual EAP-only authentication is used. Previously the client had to configure rightauth=eap or rightauth=any, which prevented it from using this same config as responder.
* Initialize variables that some compilers seem to warn aboutTobias Brunner2015-08-131-1/+1
|
* utils: Use chunk_equals_const() for all cryptographic purposesMartin Willi2015-04-142-2/+2
|
* ikev2: Move code in pubkey authenticator's build() method into separate ↵Tobias Brunner2015-03-091-85/+123
| | | | functions
* ikev2: Try all eligible signature schemesTobias Brunner2015-03-091-34/+71
| | | | | | Previously, we failed without recovery if a private key did not support a selected signature scheme (based on key strength and the other peer's supported hash algorithms).
* ikev2: Try all RSA signature schemes if none is configuredTobias Brunner2015-03-041-4/+19
|
* ikev2: Add an option to disable constraints against signature schemesTobias Brunner2015-03-041-1/+11
| | | | | | | | | | If this is disabled the schemes configured in `rightauth` are only checked against signature schemes used in the certificate chain and signature schemes used during IKEv2 are ignored. Disabling this could be helpful if existing connections with peers that don't support RFC 7427 use signature schemes in `rightauth` to verify certificate chains.
* ikev2: Fall back to SHA-1 signatures for RSATobias Brunner2015-03-041-0/+7
| | | | | This is really just a fallback to "classic" IKEv2 authentication if the other peer supports no stronger hash algorithms.
* ikev2: Select a signature scheme appropriate for the given keyTobias Brunner2015-03-041-18/+13
| | | | | By enumerating hashes we'd use SHA-1 by default. This way stronger signature schemes are preferred.
* ikev2: Log the actual signature scheme used for RFC 7427 authenticationTobias Brunner2015-03-041-4/+6
|
* ikev2: Store signature scheme used to verify peer in auth_cfgTobias Brunner2015-03-041-0/+1
| | | | | | | | | | This enables late connection switching based on the signature scheme used for IKEv2 and allows to enforce stronger signature schemes. This may break existing connections with peers that don't support RFC 7427 if signature schemes are currently used in `rightauth` for certificate chain validation and if the configured schemes are stronger than the default used for IKE (e.g. SHA-1 for RSA).
* ikev2: Remove private AUTH_BLISS methodTobias Brunner2015-03-041-9/+0
| | | | | | We use the new signature authentication instead for this. This is not backward compatible but we only released one version with BLISS support, and the key format will change anyway with the next release.
* ikev2: Handle RFC 7427 signature authentication in pubkey authenticatorTobias Brunner2015-03-041-49/+178
|
* ikev2: Merge EAP client authentication details if EAP methods provides themMartin Willi2015-03-031-0/+7
|
* Implemented full BLISS support for IKEv2 public key authentication and the ↵Andreas Steffen2014-11-291-0/+9
| | | | pki tool
* payload: Use common prefixes for all payload type identifiersMartin Willi2014-06-043-5/+5
| | | | | The old identifiers did not use a proper namespace and often clashed with other defines.
* Apply a mutual EAP auth_cfg not before the EAP method completesMartin Willi2013-02-261-0/+10
|
* Log the proper type for virtual EAP methodsTobias Brunner2012-08-311-1/+5
|
* Encode EAP-Naks in expanded format if we got an expanded type requestTobias Brunner2012-08-311-2/+2
| | | | | Since methods defined by the IETF (vendor ID 0) could also be encoded in expanded type format the previous check was insufficient.
* Allow clients to request a configured EAP method via EAP-NakTobias Brunner2012-08-311-4/+24
|
* Virtual EAP methods handle EAP-Naks themselvesTobias Brunner2012-08-311-5/+17
|
* Send EAP-Nak with supported types if requested type is unsupportedTobias Brunner2012-08-311-2/+4
|
* Add a return value to keymat_v2_t.get_auth_octets()Martin Willi2012-07-161-6/+9
|
* Add a return value to keymat_v2_t.get_psk_sig()Martin Willi2012-07-162-13/+27
|
* Use separate Doxygen groups for IKEv1 and IKEv2 entities (authenticators, ↵Tobias Brunner2012-05-183-3/+3
| | | | tasks etc.).
* Merge branch 'ikev1'Martin Willi2012-05-021-14/+3
| | | | | | | | | | | | | | | | Conflicts: configure.in man/ipsec.conf.5.in src/libcharon/encoding/generator.c src/libcharon/encoding/payloads/notify_payload.c src/libcharon/encoding/payloads/notify_payload.h src/libcharon/encoding/payloads/payload.c src/libcharon/network/receiver.c src/libcharon/sa/authenticator.c src/libcharon/sa/authenticator.h src/libcharon/sa/ikev2/tasks/ike_init.c src/libcharon/sa/task_manager.c src/libstrongswan/credentials/auth_cfg.c
* Moved eap/xauth classes out of protocol specific subdirectoriesMartin Willi2012-03-205-463/+1
|
* Separated libcharon/sa directory with ikev1 and ikev2 subfoldersMartin Willi2012-03-2010-0/+1877
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-01 22:24:03 +0000