| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The key currently imitates the private key of alice@strongswan.org by
returning it's fingerprint in the get_fingerprint function.
This associates the private key with alice's X.509 cert and charon will
use it to create a signature over the local AUTH octets of the test
connection.
The private key serves as a proxy to the TKM ike_isa_sign operation and
extracts the required information from the auth octets chunk passed on
by the keymat.
|
| |
|
|
|
|
| |
Store the ISA context id and the initial message in the auth octets
chunk using the sign_info_t struct. Charon will pass on this information
to the TKM private key sign operation where it is extracted.
|
| |
|
|
|
| |
The sign_info_t type is used to transfer an ISA context id and the
initial message from the keymat to the TKM private key sign operation.
|
| | |
|
| |
|
|
|
|
|
| |
The key unconditionally returns TRUE for the verify operation if it is called
with a supported signature algorithm. All such verification operations are
performed by the TKM (e.g. trustchain or auth octets verification) anyway, so
this is safe.
|
| |
|
|
|
| |
The authentication of the ISA is now done using the certificate provided
by the peer.
|
| |
|
|
|
|
| |
The IKE init message sent to us by the peer is needed for authentication
in the authorization hook. Store the message as chunk in the keymat and
provide a getter to make it available.
|
| |
|
|
|
|
| |
Extract peer certificate information and build a TKM certificate chain
context in the authorize hook of the tkm_listener_t. The cc context will
be used for ISA authentication using certificates.
|
| | |
|
| |
|
|
| |
The parameter is used to initialize the given sequence to zero.
|
| |
|
|
|
| |
Register a global exception action with the Ada runtime to log uncaught
exceptions to the daemon log and terminate.
|
| |
|
|
|
|
| |
The Esa Event Service can be used to trigger ESP SA (ESA) events such as
acquire or expire. The incoming events are forwarded to the hydra kernel
interface for processing.
|
| |
|
|
|
|
|
| |
The responsibility to reset an authenticated endpoint context is passed
from a parent IKE SA keymat to the new keymat by including it in the ISA
info data contained in the skd chunk. The last IKE SA to be destroyed
will also reset the associated AE context.
|
| | |
|
| |
|
|
|
| |
Use the TKM ike_isa_create_child exchange to rekey an IKE SA. The isa context id
is passed on (ab)using the rekey_skd chunk.
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
A child SA is being rekeyed if the esa information passed to the add_sa
function contains nonces. If it also contains a valid Diffie-Hellman
context id PFS is used.
The fact that the encr_r encryption key is passed to add_sa in the
inbound case can be used to determine if we are initiator or not by
inspecting the is_encr_r flag of the esa information struct.
|
| |
|
|
|
|
|
|
|
|
| |
Add additional fields to the esa_info_t struct so the necessary data can
be passed from the keymat to the kernel ipsec interface, where ESA
creation and key generation using the TKM takes place.
The information is used during the inbound add_sa call to create an ESP
SA. This makes the hack of storing the local SPI in a kernel interface
variable between subsequent add_sa calls unnecessary.
|
| |
|
|
|
|
| |
An SAD entry is added after successfull creation of a TKM ESA context
in the add_sa() function. The corresponding entry is removed in
del_sa() using the SAD, src, dst, spi and protocol parameters.
|
| |
|
|
|
| |
The TKM kernel SAD (security association database) stores information
about CHILD SAs.
|
| | |
|
| | |
|
| |
|
|
|
|
| |
Explicitly register kernel netlink net implementation and avoid loading
the whole kernel-netlink plugin since the kernel netlink ipsec part is
unwanted.
|
| |
|
|
|
|
| |
Since the TKM handles all relevant key material, charon-tkm must not
have access to it anymore. Thus the ike_dh_get_shared_secret operation
is not available anymore.
|
| |
|
|
|
| |
Since the TKM completely handles key derivation and installation there
is no need for the keymat proxy anymore.
|
| |
|
|
|
| |
The TKM is now able to manage simple child SAs, so there is no need for
the netlink proxy anymore.
|
| |
|
|
|
| |
This is in preparation for the removal of the netlink kernel proxy. The
code is copied as-is from the kernel_netlink_ipsec plugin.
|
| |
|
|
|
|
|
|
| |
ESP SAs are created when adding CHILD SAs via the kernel ipsec
interface.
The encr_i key is used to transfer the context id of the parent IKE SA
from the keymat to the TKM kernel ipsec interface.
|
| | |
|
| |
|
|
|
|
| |
The existing kernel netlink ipsec interface is currently used as proxy
to perform the actual work. It will be gradually removed as the TKM
implements the needed features.
|
| |
|
|
|
|
| |
To make the chunk map more robust it now stores a clone of the data
chunk given on insertion. The entry struct is needed to properly free
the allocated chunk after use.
|
| |
|
|
| |
This exchange initiates the AUTH verification in the TKM.
|
| |
|
|
|
|
|
|
| |
Use the message hook to save the AUTHENTICATION payload of an incoming
IKE_AUTH message.
The AUTH payload will be passed on to the TKM ike_isa_auth operation in
the authorize hook.
|
| |
|
|
|
| |
These functions are used in the TKM specific bus listener to
store/retrieve the AUTH payload chunk in the message/authorize hooks.
|
| | |
|
| |
|
|
|
| |
This listener gets informed about IKE authorization rounds and will be
used to call ike_isa_auth on a given ISA.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
Return FALSE if peers try to use other algorithm combinations.
|
| |
|
|
| |
Get PSK signed AUTH octets from TKM in initiator case.
|
| |
|
|
|
| |
Introduce static aead_create_from_keys function to initialize AEAD
transforms from key chunks.
|
| | |
|
| |
|
|
|
|
|
| |
Create and initialize AEAD transforms with keys derived by the TKM.
Return these transforms in the get_aead function.
IKE keys used by charon are derived by TKM now.
|
| |
|
|
|
| |
Extract encryption and integrity algorithms from proposal and check them
before deriving IKE keys.
|
| | |
|
| |
|
|
| |
This function converts a given chunk to a variable-length byte sequence.
|
