diff options
| author | Reto Buerki <reet@codelabs.ch> | 2012-08-29 09:44:17 +0200 |
|---|---|---|
| committer | Tobias Brunner <tobias@strongswan.org> | 2013-03-19 15:23:46 +0100 |
| commit | 3290b9995c2de88979bb6a4dd1fc8b743f2080eb (patch) | |
| tree | 597702b551aacee77b4b66b4181ee28f261795d8 /src | |
| parent | 4c38878db529442d4a3b86f716687a365157d7f7 (diff) | |
| download | strongswan-3290b9995c2de88979bb6a4dd1fc8b743f2080eb.tar.bz2 strongswan-3290b9995c2de88979bb6a4dd1fc8b743f2080eb.tar.xz | |
keymat: Create inbound and outbound AEAD transforms
Create and initialize AEAD transforms with keys derived by the TKM.
Return these transforms in the get_aead function.
IKE keys used by charon are derived by TKM now.
Diffstat (limited to 'src')
| -rw-r--r-- | src/charon-tkm/src/tkm/tkm_keymat.c | 88 |
1 files changed, 85 insertions, 3 deletions
diff --git a/src/charon-tkm/src/tkm/tkm_keymat.c b/src/charon-tkm/src/tkm/tkm_keymat.c index 43c180b8a..ab78994ec 100644 --- a/src/charon-tkm/src/tkm/tkm_keymat.c +++ b/src/charon-tkm/src/tkm/tkm_keymat.c @@ -42,10 +42,20 @@ struct private_tkm_keymat_t { keymat_v2_t *proxy; /** - * IKE_SA Role, initiator or responder + * IKE_SA Role, initiator or responder. */ bool initiator; + /** + * Inbound AEAD. + */ + aead_t *aead_in; + + /** + * Outbound AEAD. + */ + aead_t *aead_out; + }; METHOD(keymat_t, get_version, ike_version_t, @@ -135,6 +145,76 @@ METHOD(tkm_keymat_t, derive_ike_keys, bool, return FALSE; } + /* Initialize AEAD with crypters and signers */ + signer_t * const signer_i = lib->crypto->create_signer(lib->crypto, int_alg); + signer_t * const signer_r = lib->crypto->create_signer(lib->crypto, int_alg); + if (signer_i == NULL || signer_r == NULL) + { + DBG1(DBG_IKE, "%N %N not supported!", + transform_type_names, INTEGRITY_ALGORITHM, + integrity_algorithm_names, int_alg); + return FALSE; + } + crypter_t * const crypter_i = lib->crypto->create_crypter(lib->crypto, + enc_alg, key_size / 8); + crypter_t * const crypter_r = lib->crypto->create_crypter(lib->crypto, + enc_alg, key_size / 8); + if (crypter_i == NULL || crypter_r == NULL) + { + signer_i->destroy(signer_i); + signer_r->destroy(signer_r); + DBG1(DBG_IKE, "%N %N (key size %d) not supported!", + transform_type_names, ENCRYPTION_ALGORITHM, + encryption_algorithm_names, enc_alg, key_size); + return FALSE; + } + + chunk_t key; + sequence_to_chunk(sk_ai.data, sk_ai.size, &key); + DBG4(DBG_IKE, "Sk_ai %B", &key); + if (!signer_i->set_key(signer_i, key)) + { + return FALSE; + } + chunk_clear(&key); + + sequence_to_chunk(sk_ar.data, sk_ar.size, &key); + DBG4(DBG_IKE, "Sk_ar %B", &key); + if (!signer_r->set_key(signer_r, key)) + { + return FALSE; + } + chunk_clear(&key); + + sequence_to_chunk(sk_ei.data, sk_ei.size, &key); + DBG4(DBG_IKE, "Sk_ei %B", &key); + if (!crypter_i->set_key(crypter_i, key)) + { + return FALSE; + } + chunk_clear(&key); + + sequence_to_chunk(sk_er.data, sk_er.size, &key); + DBG4(DBG_IKE, "Sk_er %B", &key); + if (!crypter_r->set_key(crypter_r, key)) + { + return FALSE; + } + chunk_clear(&key); + + if (this->initiator) + { + this->aead_in = aead_create(crypter_r, signer_r); + this->aead_out = aead_create(crypter_i, signer_i); + } + else + { + this->aead_in = aead_create(crypter_i, signer_i); + this->aead_out = aead_create(crypter_r, signer_r); + } + + /* TODO: Add failure handler (see keymat_v2.c) */ + if (this->proxy->derive_ike_keys(this->proxy, proposal, dh, nonce_i, nonce_r, id, rekey_function, rekey_skd)) { @@ -163,8 +243,7 @@ METHOD(tkm_keymat_t, derive_child_keys, bool, METHOD(keymat_t, get_aead, aead_t*, private_tkm_keymat_t *this, bool in) { - DBG1(DBG_IKE, "returning aead transform"); - return this->proxy->keymat.get_aead(&this->proxy->keymat, in); + return in ? this->aead_in : this->aead_out; } METHOD(tkm_keymat_t, get_auth_octets, bool, @@ -195,6 +274,9 @@ METHOD(tkm_keymat_t, get_psk_sig, bool, METHOD(keymat_t, destroy, void, private_tkm_keymat_t *this) { + DESTROY_IF(this->aead_in); + DESTROY_IF(this->aead_out); + this->proxy->keymat.destroy(&this->proxy->keymat); free(this); } |