Two transport connections to gateway sun are set up, one from client
carol and the other from client dave. The gateway sun uses the Trusted
Key Manager (TKM) and is the responder for both connections. The
authentication is based on X.509 certificates. In order to test the
connections, both carol and dave ping gateway sun.
A connection between the hosts moon and sun is set up. The host moon
uses the Trusted Key Manager (TKM) and is the initiator of the transport
connection. The authentication is based on X.509 certificates.
Load complete kernel_netlink plugin instead. Registering the TKM
specific plugins first still ensures that the correct ipsec plugin
is used.
Lazy initialize the RNG_WEAK plugin to avoid the unsatisfiable
soft dependency on startup.
An ALERT_KEEP_ON_CHILD_SA_FAILURE alert is issued when child SA establishment
fails but the corresponding IKE SA is not destroyed. To allow later creation
of child SAs the ISA context must be signaled that the implicity first child SA
creation was skipped.
The IKE and EES sockets are now read from strongswan.conf. They can be
specified like this:
charon-tkm {
ike_socket = /tmp/tkm.rpc.ike
ees_socket = /tmp/tkm.rpc.ees
}
The socket names given above are used by default if none are configured.
The TKM credential set extends the in-memory credential set. It
provides a private key enumerator which is used to instantiate private
key proxy objects on-demand. This allows the usage of private keys with
arbitrary identifiers.
Pass the reqid (of the first child config of an IKE SA) as remote identity id
when calling cc_set_user_certificate. May lead to the usage of the wrong id in
case an IKE SA has multiple child configurations/reqids.
This must be replaced with a proper lookup once the configuration backend is
implemented and provides remote identity ids to charon-tkm.
The key currently imitates the private key of alice@strongswan.org by
returning it's fingerprint in the get_fingerprint function.
This associates the private key with alice's X.509 cert and charon will
use it to create a signature over the local AUTH octets of the test
connection.
The private key serves as a proxy to the TKM ike_isa_sign operation and
extracts the required information from the auth octets chunk passed on
by the keymat.
Store the ISA context id and the initial message in the auth octets
chunk using the sign_info_t struct. Charon will pass on this information
to the TKM private key sign operation where it is extracted.
The key unconditionally returns TRUE for the verify operation if it is called
with a supported signature algorithm. All such verification operations are
performed by the TKM (e.g. trustchain or auth octets verification) anyway, so
this is safe.
The IKE init message sent to us by the peer is needed for authentication
in the authorization hook. Store the message as chunk in the keymat and
provide a getter to make it available.
Extract peer certificate information and build a TKM certificate chain
context in the authorize hook of the tkm_listener_t. The cc context will
be used for ISA authentication using certificates.
The Esa Event Service can be used to trigger ESP SA (ESA) events such as
acquire or expire. The incoming events are forwarded to the hydra kernel
interface for processing.
The responsibility to reset an authenticated endpoint context is passed
from a parent IKE SA keymat to the new keymat by including it in the ISA
info data contained in the skd chunk. The last IKE SA to be destroyed
will also reset the associated AE context.
A child SA is being rekeyed if the esa information passed to the add_sa
function contains nonces. If it also contains a valid Diffie-Hellman
context id PFS is used.
The fact that the encr_r encryption key is passed to add_sa in the
inbound case can be used to determine if we are initiator or not by
inspecting the is_encr_r flag of the esa information struct.
Add additional fields to the esa_info_t struct so the necessary data can
be passed from the keymat to the kernel ipsec interface, where ESA
creation and key generation using the TKM takes place.
The information is used during the inbound add_sa call to create an ESP
SA. This makes the hack of storing the local SPI in a kernel interface
variable between subsequent add_sa calls unnecessary.
An SAD entry is added after successfull creation of a TKM ESA context
in the add_sa() function. The corresponding entry is removed in
del_sa() using the SAD, src, dst, spi and protocol parameters.
Explicitly register kernel netlink net implementation and avoid loading
the whole kernel-netlink plugin since the kernel netlink ipsec part is
unwanted.
Since the TKM handles all relevant key material, charon-tkm must not
have access to it anymore. Thus the ike_dh_get_shared_secret operation
is not available anymore.